Cyber Risk News
In the latest sorry COVID-19 scam, fraudsters are impersonating financial institutions to steal from Americans expecting stimulus checks from the US federal government.
Following the outbreak of the novel coronavirus, many Americans have been furloughed, fired, or had their hours or workload reduced as businesses across the country closed and lockdown measures were implemented.
To soften the economic blow dealt by the deadly virus, the US Senate approved a $2tn stimulus package on March 25.
Knowing that people all across America are now waiting to receive a government check, threat actors have swooped in to exploit the situation.
Researchers at Abnormal Security have detected an attack in which scammers impersonating a major financial institution are asking victims to verify their financial details before their stimulus funds can be released.
"These attackers created a convincing email and landing page that appeared to come from a major financial institution," wrote researchers.
"The email sent by the attackers claims that this financial institution has placed the funds on hold until the user can sign in and 'verify account ownership' so they can be released."
The email contains a link to a fake website that appears to be from a legitimate financial institution.
"The URL is masked with a link, and the real URL takes victims to a site hosted at 'https://theruncoach.icu/home.php,' which attackers likely control and will use to steal the login credentials for this financial institution from victims," wrote researchers.
Should recipients of the email fall victim to this attack, the login information for their banking account will become compromised.
In a bid to appear authentic, the attackers also inserted other genuine links into the email, including one that took users to the impersonated financial institution's real privacy statement.
"The landing page was similarly elaborate, appearing almost exactly like the true bank landing page," wrote researchers.
"Recipients would be hard-pressed to understand that this was, in fact, a site designed specifically to steal their credentials."
Researchers would not name which financial institution the scammers they observed were pretending to be associated with.
"Please keep in mind that, although these attackers were impersonating one specific financial institution for this attack, they have already launched attacks impersonating many other financial institutions," said the researchers.
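A defender-side check for the masking technique described above, added here as an example rather than anything from Abnormal Security: it parses the anchors of an HTML email and flags links whose real host lies outside the institution's domains, noting when the visible text reads as a URL on a different host. The sample email and the `examplebank.example` domain are constructed placeholders (the researchers did not name the institution); the attacker URL is the one quoted in the article.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL; a bare domain such as 'bank.example/x' is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def is_trusted(host, trusted_domains):
    """True if host equals, or is a subdomain of, one of the trusted domains."""
    return any(host == d or host.endswith("." + d) for d in trusted_domains)


def looks_like_url(text):
    """Heuristic: the anchor's visible text is itself presented as a URL or domain name."""
    return len(text.split()) == 1 and "." in host_of(text).strip(".")


def find_suspicious_links(html_body, trusted_domains):
    """Return every anchor whose href points outside trusted_domains.

    Each finding records whether the link is *masked*: visible text that reads as a URL
    on a different host than the real href, the pattern used in the stimulus-check phish
    (displayed bank URL, real target on an attacker-controlled host). Genuine links to the
    institution, like the real privacy-statement link the attackers included, pass.
    """
    parser = _AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.anchors:
        target = host_of(href)
        if is_trusted(target, trusted_domains):
            continue
        masked = looks_like_url(text) and host_of(text) != target
        findings.append({"href": href, "text": text, "target_host": target, "masked": masked})
    return findings


# Constructed sample modelled on the email described in the article; examplebank.example
# is a placeholder for the impersonated institution.
SAMPLE_EMAIL = """
<p>Your stimulus funds are on hold until you sign in and verify account ownership.</p>
<p><a href="https://theruncoach.icu/home.php">https://examplebank.example/verify</a></p>
<p>See our <a href="https://www.examplebank.example/privacy">privacy statement</a>.</p>
"""

if __name__ == "__main__":
    for finding in find_suspicious_links(SAMPLE_EMAIL, ["examplebank.example"]):
        print(finding)
```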
New research has found that the Linux platform has been under attack from Chinese threat groups for a decade.
The "Decade of the RATs Research Report," published today by BlackBerry, reveals how five Chinese APT groups targeted Linux servers, Windows systems, and mobile devices running Android in a prolonged cross-platform attack.
Researchers said that they are confident that the APT groups "are likely comprised of civilian contractors working in the interest of the Chinese government who readily share tools, techniques, infrastructure, and targeting information with one another and their government counterparts."
Historically, the Linux platform has been overlooked from a security perspective.
"One of the main reasons there aren’t many security tools for Linux is because there are relatively few Linux machines in the world (roughly 2%), therefore it’s a tough way for companies to make money," Eric Cornelius, chief product architect at BlackBerry, told Infosecurity Magazine.
"Security products and services are not as widely deployed for Linux platforms as they are for the more popular Windows and Mac platforms."
Cornelius added that a prevailing assumption that Linux is more secure because it is open source "is just not the case."
Asked what currently overlooked platforms could become "the Linux of the future" from a cybersecurity perspective, Cornelius said: “The most obvious one is mobile. As the 'Mobile Malware' report that we released this past fall points out, security vendors have only recently started deploying products to address a problem that governments and government-backed groups have been getting away with for a decade or more, with relative impunity.
“Attitudes about adware are the source of another area of concern, as more and more APT groups disguise their malware as adware, thinking that it can fly under the radar and receive low priority if caught. We’ve also seen an uptick in the abuse of legitimate cloud service providers whose infrastructure is being co-opted by attackers to carry out their operations.”
By exposing a threat that has emerged from the past, the new research is bad news for security professionals, already stretched by dealing with current and predicted threats.
Asked how professionals should split their attention when it comes to countering attacks, Cornelius said: “It's a process, not an exact science. But too often, the security industry and network defenders fixate on the next and the newest and forget to look back to see how past threats have evolved. As the old adage goes, 'Those who cannot remember the past are condemned to repeat it.'”
Police in the Philippines have charged 32 people with disseminating false information regarding the COVID-19 health crisis.
The Philippine National Police Anti-Cybercrime Group (PNP-ACG) said that 8 of those arrested allegedly spread fake rumors about the novel coronavirus orally around their local neighborhoods. The remaining 24 suspects are accused of using social media platforms to circulate falsehoods about the deadly virus.
Among the suspects is public school teacher Juliet Espinoza, who wrote on Facebook on March 27 that food supplies in General Santos City were running low. According to Philstar Global, Espinoza allegedly urged the public to seize food that was being stored in a gym.
Another suspect, Vicente Cañonera, posted a list of people he said had contracted COVID-19 on Facebook to help in contact tracing.
The 32 accused hail from Quezon City, Eastern Visayas, Calabarzon, Mimaropa, Western Visayas, Zamboanga peninsula, and Caraga. The crimes they are charged with allegedly took place from March 9 to April 5.
Police have charged the suspects with the unlawful use of means of publication and unlawful utterance under Article 154 of the Revised Penal Code and with violation of Republic Act 10175 or the Anti-Cybercrime Prevention Act.
ACG director Brig. Gen. Dennis Agustin asked the public not to share or post on social media any fake information about the COVID-19 outbreak that might create panic and confusion.
“The ACG will be relentless in taking countermeasures on misinformation and spread of fake reports by conducting cyber patrol operations on social media and other online platforms,” Agustin said.
As of Monday, coronavirus had claimed the lives of 163 people in the Philippines, according to Bloomberg. The total number of people with a confirmed case of COVID-19 in the country was 3,660.
On April 5, Al Jazeera reported that a 63-year-old man had been shot dead by police in the Philippines after threatening police and village officials at a coronavirus checkpoint with a scythe. The man, who was allegedly under the influence of alcohol, became violent after being cautioned by a village health worker to wear a face mask.
Earlier today, Philippines president Rodrigo Duterte opted to continue the lockdown currently in place on the republic's main island of Luzon until April 30.
Internet traffic saw a major spike in March, but it will scale in the face of increased user demand.
Speaking as part of the Akamai Edge conference, delivered as a virtual summit, Tom Leighton, CEO and co-founder of Akamai, said that COVID-19 is creating major changes in lifestyles, as the internet was intended to make our lives manageable.
“We are operating at a larger scale,” Leighton said, acknowledging that questions exist about whether the internet is ready to scale such demands “and handle applications that we rely on today.”
Leighton said that over the last four weeks global traffic has grown by 30%, whilst a normal growth would be 3%. “If we go back to 2019 and the same period, it declined by 1%, and this growth is in one month where there were no big sporting events,” he said. “We’re doing everything online now and there's been growth in a short period of time.”
Leighton also said that there had been a peak in traffic of 167 Tbps, compared to 82 Tbps in March 2019.
Looking at the current state of security for remote working employees, Leighton explained that the “bad guys have been working remotely for years and know we’re vulnerable, they know we have got a lot on our minds and are taking advantage of it.”
He identified the four best defense strategies against attacks to be:
- Protect against DDoS attacks where there is resource exhaustion and sites are taken down
- Use application security and bot management, to stop your content from being corrupted and stop your site being taken over
- With people working at home, consider a zero trust approach as users working remotely is a major issue for access
- Consider page integrity and data being stolen from users, such as in the Magecart attacks
Asked if the internet will scale under current demand, Leighton said it would, but he warned it is under pressure “and especially in core data centers and that is where we help to deliver content into the network and at the edge where there is more bandwidth.”
UK businesses could save up to £8.3bn by purchasing cybersecurity products and services from a more diverse range of suppliers, according to a study by Cynapse. It suggests that shopping around for cybersecurity services, thereby democratizing the market, would be hugely beneficial to UK companies.
Currently, businesses tend to turn to big firms for their cybersecurity needs. It is estimated that 76% of the UK cybersecurity market is controlled by just 10% of companies, equating to £6.3bn out of an overall £8.3bn. However, the market is changing rapidly, now encompassing over 1200 companies with a new startup joining the industry every week.
In a new study, Cynapse has found that smaller companies offer similar products and services at lower costs, in some instances saving businesses up to 40%. If firms utilize smaller cybersecurity suppliers in this way, it could potentially save them up to £8.3bn, according to Cynapse.
Cynapse is a London-based cybersecurity startup that offers companies free access to cyber-experts to better understand what their requirements are. It therefore believes it has a key role in unlocking the market, enabling businesses to find better value for money for their cybersecurity services.
The company stated: “Cynapse launched in March 2020 with the goal of providing a wider view of the cybersecurity market, tailored to individual customers’ needs.”
In its breakdown of the UK cybersecurity market, Cynapse showed that there are 122 large firms compared to 1099 medium, small and micro companies. The 122 large companies generate an estimated annual revenue of £6.3bn compared to £2bn among the rest. There are a total of 42,855 people employed in the UK cybersecurity sector, of which 27,746 work for the larger companies.
A new report from the Ponemon Institute has revealed that just 24% of organizations focus on optimizing cyber-attack prevention capabilities, despite 70% of security professionals believing that the ability to effectively prevent attacks strengthens security posture.
The research report, The Economic Value of Prevention in the Cybersecurity Lifecycle, sponsored by Deep Instinct, compiled survey responses from over 600 IT and IT security practitioners within organizations and revealed that a large percentage of companies prioritize cyber-attack detection and containment over prevention methods.
For example, according to respondents, whilst 79% of security budgets are being allocated to detection, containment, recovery and remediation activities, just 21% gets dedicated to prevention, even with 80% of those polled stating that prevention is the most difficult thing to achieve in the cybersecurity lifecycle.
The study determined that effective adoption of a preventative solution, when compared to the current spending of security departments and the cost of attacks, would result in significant cost reductions and require lower overall investment.
“This study shows that the majority of companies are more effective at containing cyber-attacks after they happen because it is perceived to be more accountable. This explains why cybersecurity budgets focus on containing attacks rather than preventing them, as well as the increased rate of breaches despite investments in cybersecurity solutions,” said Dr Larry Ponemon, the Chairman and founder of the Ponemon Institute.
“Prevention of cyber-attacks is perceived to be too difficult, but as companies continue to suffer revenue losses due to cyber-breaches, we expect budgets to start allocating increased resources to preventative solutions.”
Guy Caspi, CEO and co-founder of Deep Instinct, added that most companies still operate under a policy of ‘assume breach,’ believing that it is more pragmatic to contain a cyber-attack after penetration.
“This is no longer an economically viable long-term strategy,” he said. “The value of prevention is clear – for any type of attack, prevention saves significant time and money.”
Rising threat levels and remote working challenges stemming from the COVID-19 pandemic are putting increased pressure on IT security professionals, according to new data from Check Point.
The vendor polled over 400 respondents from global organizations with over 500 employees to better understand the current challenges facing security teams.
It revealed that 71% of security professionals had reported an increase in security threats or attacks since the start of the virus outbreak. Phishing (55%), malicious websites (32%), malware (28%) and ransomware (19%) were cited as the top threats.
These have been exacerbated by home working challenges, with 95% of respondents claiming to be under new pressures.
Top among these was providing secure remote access for employees (56%) and scalable remote access solutions (55%). However, nearly half (47%) of respondents complained that home workers using shadow IT solutions represented a major problem.
These challenges are only going to grow, according to the research.
Some 61% of security pros said they are concerned about the cyber-risks involved in making rapid changes to enable remote working, and over half (55%) felt remote access security needed to be improved. A further 49% said they’re concerned about the need to scale-up endpoint security for home workers.
“Cyber-criminals will always seek to capitalize on the latest trends to try and boost the success rates of attacks, and the coronavirus pandemic has created a perfect storm of a global news event together with dramatic changes in working practices and the technologies used by organizations,” argued Rafi Kretchmer, head of product marketing at Check Point.
“This has meant a significant increase in the attack surface of many organizations, which is compromising their security postures.”
According to recent figures, the volume of detected online threats jumped 37% month-on-month in March, while one vendor observed a 600% increase in phishing attacks from the end of February to the end of March.
The SANS Institute last month released a Security Awareness Work-from-Home Deployment Kit to help organizations support secure home working.
INTERPOL has been forced to issue an alert to global police about the heightened risk of ransomware attacks on hospitals and other front-line organizations as they battle the COVID-19 pandemic.
The law enforcement organization said it issued a Purple Notice to all 194 member countries, highlighting the scale of the threat. Its Cybercrime Threat Response team claimed to have detected a “significant increase” in attempted ransomware attacks.
“As hospitals and medical organizations around the world are working non-stop to preserve the well-being of individuals stricken with the coronavirus, they have become targets for ruthless cyber-criminals who are looking to make a profit at the expense of sick patients,” said Interpol secretary general Jürgen Stock.
“Locking hospitals out of their critical systems will not only delay the swift medical response required during these unprecedented times, it could directly lead to deaths. INTERPOL continues to stand by its member countries and provide any assistance necessary to ensure our vital healthcare systems remain untouched and the criminals targeting them held accountable.”
To help out, INTERPOL said it is providing technical support and advice on how to protect key medical infrastructure.
The primary threat vector appears to be phishing emails spoofed to appear as if sent from trusted government sources, it said.
The news comes just days after Microsoft warned several dozen hospitals in a “first-of-its-kind notification” that their gateway and VPN appliances are vulnerable to ransomware groups scanning for exposed endpoints.
A study from Vanderbilt University and the University of Central Florida published last year warned that data breaches at hospitals led to 36 additional deaths per 10,000 heart attacks per year.
It added that ransomware outages “might have an even stronger short-term negative relationship with patient outcomes than the long-term remediation efforts studied here.”
Huge GDPR fines set to be levied by the UK regulator against British Airways and Marriott International have been delayed again as it considers representations from the multi-nationals.
BA owner the International Airlines Group (IAG) claimed in its Annual Report for last year that it has made “extensive representations” to the Information Commissioner’s Office (ICO) following its notice of intent to fine last July.
“As part of its procedures, the ICO will seek the views of other EU data protection authorities,” it continued.
“The ICO initially had six months from issuing the Notice of Intent to British Airways within which it could issue a penalty notice, which has been extended through to May 18 2020, to allow the ICO to fully consider the representations and information provided by British Airways.”
Unsurprisingly, the airline’s directors believe any fine should be “considerably lower” than the original £183.4m.
Meanwhile, a statement issued by Marriott cited by a leading data protection lawyer revealed: “We mutually agreed with the ICO to an extension of the regulatory process until June 1 2020.”
The hotel group was due to be fined £99m after a breach of 339 million customer records first notified in November 2018, while BA was on the hook for a Magecart attack which compromised 500,000 customers’ financial information.
The same legal expert, Mishcon de Reya data protection advisor Jon Baines, argued that the current COVID-19 crisis may mean those fines never now materialize, given that the ICO’s own guidance is for an erring company's “ability to pay” to be considered when calculating a fine.
“As a public authority, the ICO has a general public law duty to take into account relevant factors when arriving at decisions. It is strongly arguable that if it failed to take into account the current effect, and the likely future effect, of COVID-19 on BA’s and Marriott’s finances, then any decision to issue a fine would be vulnerable to appeal or a successful application for judicial review,” he added.
“When the ICO announced its intent to serve these fines last year, some commentators questioned whether they would ever be served in the amount proposed, given the huge sums involved and the likelihood that the controllers would make strong representations against. No one could have predicted, however, that a public health pandemic would come to be a major factor in deciding the issue.”
A COVID-19 app officially approved by the government of Colombia has been found to contain vulnerabilities.
On March 9, Colombia's president, Ivan Duque, announced the launch of the CoronApp-Colombia app as a way for Colombians to send health updates and receive coronavirus news. Researchers found that the app, which has over 100,000 users, exposes user data.
"The CoronApp-Colombia app had a vulnerability where it was sending Personal Health Information (PHI) and Personally Identifiable Information (PII) data in plaintext," said Zack Allen, director of threat intelligence at ZeroFOX.
"This includes passport numbers, passwords, and self-disclosed health information."
Researchers found another app in use in Italy, released in beta testing mode, was recompiled with a backdoor and was "actively infecting victims."
Asked if governments, instead of setting up new apps, should look to partner with existing apps to get the word out quickly and more safely, Allen said: "This is a fantastic demonstration of private and public industry working together, and I think it would be a great approach, granted the people trust these apps. It all depends on who wants to inherit the risk.
"Many social media sites, for example, have COVID-19 splash pages and notifications for information, but having a large tech company hold all your data may have the same effects as government-sanctioned apps."
Unwilling to rely on TV and radio alone to communicate with citizens during the current health crisis, governments across the world have rushed out COVID-19 apps.
"Mobile app usage is one of the faster ways to get information to citizens, but it comes at a cost," said Allen. "Governments inherit the risk of deploying code quickly and efficiently, and citizens have to trust that their privacy and protection are top of mind.
"In my personal opinion, I'd like to see informational sources such as websites be used with a mobile-friendly website view. I would not install apps that use Bluetooth for tracking myself and others."
Asked if he personally uses any COVID-19 apps, Allen said: "I am primarily visiting the WHO and CDC websites on a daily basis. After reviewing about 30 of these apps, I would be hesitant to install them at this time."
A California property management company has been targeted by data thieves operating out of the San Diego area.
An online database belonging to Wolfe & Associates, Property Services, was compromised by cyber-criminals in a data breach that may have occurred as many as six months ago.
The company was unaware that a breach had taken place until it was notified by the Santa Barbara Police Department on March 5.
In a statement released on April 3, Wolfe & Associates said that it was now working with the police "to determine the extent of the information that was obtained."
Police advised Wolfe & Associates that thieves may have obtained a wide variety of data belonging to the company's customers. This information could include rental applications that contain personal information such as name, date of birth, Social Security number, driver’s license number, and home address.
"The Santa Barbara Police Department has been investigating the matter and informed us that the thieves likely used 'strong-arm' tactics to force breaching of security measures that were in place," said a spokesperson for Wolfe & Associates.
"On March 23, 2020, the police provided us with information about the identity of potentially affected applicants, including a list of their email addresses. Notice has been sent to those individuals."
The company said that "people applying for apartments in Isla Vista after February of 2018, 2019 and 2020" have not been impacted by the breach.
The culprits behind the attack, after targeting online databases belonging to several companies, have now been arrested.
A spokesperson for Wolfe & Associates said: "According to the police, the suspects appear to have a history of obtaining personal information and using it to submit fraudulent insurance claims, among other things."
Wolfe & Associates manages over 30 Isla Vista properties, many of which are rented to students.
A fourth-year University of California student who leased with Wolfe & Associates from 2016 to 2018 told Daily Nexus: “The main concern is the cosigners. If my data was breached, my parents are my cosigners so the likelihood of their socials being taken as well are very high.”
Since learning of the breach, Wolfe & Associates has transitioned their website onto an entirely new platform that includes an integrated and secured system for collecting, processing, and storing applications.
Police in Australia have arrested two men in connection with a $2.6m BEC (business email compromise) scam involving phony invoices.
The men are believed to be part of a syndicate responsible for emailing businesses with invoices doctored to divert transferred funds into the scammers' personal bank accounts.
In two early-morning raids carried out on April 2, New South Wales Police arrested a 29-year-old in Zetland, whom they believe to be the leader of the syndicate, and a 30-year-old in Roseberry.
Police seized computers, phones, drugs, $5,000 AUS, and $12,400 USD from two properties.
The 29-year-old is believed to have successfully gained more than $1.6m from illegal scams, which ran from mid-2018 until early 2020. His attempts to gain a further $1m didn't pan out.
His alleged partner in crime was arrested for supporting the syndicate, drug charges, and handling the proceeds of crime.
“These arrests are a timely reminder for all individuals and businesses to have strong cybersecurity measures in place for protection,” said commander of the NSW Cybercrime Squad, Detective Superintendent Matthew Craft.
“During this investigation, officers uncovered a criminal network targeting hard-working Australian businesses through a series of sophisticated email scams."
The syndicate allegedly stole money from businesses across a range of industries, which included property development, finance, construction, and other trades.
Police said the scammers didn't restrict their activities to one single region.
“Victims of cybercrime offences are not limited by state and territory borders and police will allege this syndicate targeted companies right across the country,” said Craft.
Last year, NSW police charged three other people in connection with the same criminal syndicate.
Australian businesses lost an estimated $60m to business email compromise scams in 2018 alone.
Earlier this year, Canterbury Olympic Ice Rink in southwest Sydney was conned out of $77k in a BEC scam. The rink's finance department received an invoice for a new ice resurfacer that contained changed payment details. As a result, the rink's payment for the new equipment ended up going to an anonymous criminal’s bank account in Hungary.
Brute forcing accounts with weak and guessable passwords, and exploitation using the EternalBlue vulnerability remain among the top 10 findings in penetration tests.
According to research by Lares, the most frequently encountered vulnerabilities and attack vectors during engagements in the past six months have remained exactly the same as in its previous report, which came out in July last year.
Its latest report analyzed the similarities between hundreds of engagements throughout 2019 and the following list represents the most frequently observed penetration test findings encountered:
- Brute forcing accounts with weak and guessable passwords
- Excessive file system permissions
- WMI lateral movement
- Inadequate network segmentation
- Inappropriate access control
- Post-exercise defensive control tuning
- Malicious multi-factor enrolment or MFA bypass
- Phish-in-the-Middle (PiTM)
In an email to Infosecurity, Lares COO Andrew Hay said that a mix of the top findings are seen in “nearly every engagement.” He said: “Our analysis concludes that regardless of industry or vertical, these findings are evident in most environments we assess.”
Hay also confirmed that the top five findings are still prevalent, whilst implementations of the bottom five were described as “inadequate, inappropriate and ineffective.” Hay added that “those controls were either partially implemented but not tuned correctly, improperly implemented and not correctly hardened during initial deployment, or insufficiently monitored when the control capability exists.”
The fourth finding was unpatched instances of MS17-010, which enabled the WannaCry and NotPetya attacks of 2017. Lares said that despite this vulnerability being resolved, many organizations have yet to deploy this patch or disable SMBv1. “We observed slightly less EternalBlue during the second half of 2019, but we still encounter it quite frequently,” Hay said.
Commenting, Travis Biehn, principal security consultant at Synopsys, said that these sorts of issues come down to a server (or, maybe tens or even hundreds of ‘those servers’) that nobody maintains. He argued: “Perhaps it has been online for a decade, the individual or team that used to manage it is no longer with the company, or somehow it runs software that nobody on the team fully understands: this server may also be home to software that is mysteriously responsible for maintaining a large percentage of revenue.”
Biehn said often fixing these sorts of flaws ends up near the bottom of the pile year after year, and as a result attackers love such servers. “After establishing a foothold on the internal network, say a Linux server, they may hunt for that one Windows XP machine that’s still online. In doing so, there’s no need to worry about next generation anti-virus, EDR, logging, or a nosy sys-admin.”
The Department of Justice (DoJ) has warned that Zoombombers could receive a prison sentence if found and convicted, as the COVID-19 pandemic forces meetings online.
The number of daily meeting participants on Zoom has risen from 10 million in December last year to a staggering 200 million by March, the firm revealed last week. However, users who fail to pay attention to their privacy settings may find their meetings disrupted by uninvited guests.
Reports have emerged of meetings interrupted by live-streams of adult content, and threatening language.
“You think Zoombombing is funny? Let’s see how funny it is after you get arrested,” warned Matthew Schneider, US attorney for Eastern Michigan. “If you interfere with a teleconference or public meeting in Michigan, you could have federal, state or local law enforcement knocking at your door.”
The charges, punishable by fines or even imprisonment, could include disrupting a public meeting, computer intrusion, using a computer to commit a crime, hate crimes, fraud, or transmitting threatening communications.
The DoJ reiterated best practice advice for video conferencing users including the following: change screen-sharing to “host only,” don’t share meeting ID on social media, keep software on the latest version, update corporate home working policies and don’t make meetings public.
Zoom has also been trying to educate users on how to keep the Zoombombers out. It now generates a password automatically for all new meetings, and the use of personal meeting ID for new meetings is switched off by default, meaning a one-time code will be issued.
Users are also encouraged to enable the “waiting room” feature, which means attendees can’t join unless a host selects them individually from a list, and a feature that allows the host to put any attendee on hold.
However, the firm was criticized last week after researchers easily found user meeting recordings stored online without a password. They blamed the Zoom default naming convention for files.
Hackers are attempting to compromise Docker servers en masse via exposed APIs in order to spread cryptocurrency mining malware, according to researchers.
Aqua Security claimed to have tracked the organized campaign for several months, revealing that thousands of attempts to hijack misconfigured Docker Daemon API ports are taking place almost every single day.
“In this attack, the attackers exploit a misconfigured Docker API port to run an Ubuntu container with the kinsing malicious malware, which in turn runs a cryptominer and then attempts to spread the malware to other containers and hosts,” it explained.
The Ubuntu container itself is designed to disable security measures, clear logs and kill applications on the system (including any competing malware), and then download the kinsing malware, which mines digital currency on the compromised Docker host.
Once kinsing is downloaded it tries to connect to C&C servers in Eastern Europe, with a different server used for each function. It then attempts to spread laterally across the container network by collecting and using SSH credentials.
“Using the information gathered, the malware then attempts to connect to each host, using every possible user and key combination through SSH, in order to download the aforementioned shell script and run the malware on other hosts or containers in the network,” said Aqua Security.
The cryptominer itself, kdevtmpfsi, is designed to mine for Bitcoin.
DevSecOps teams should respond by enforcing least-privilege access policies, scanning images, looking for anomalies in user behavior and investing in cloud security tools that enforce policies, the vendor argued.
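The misconfiguration the campaign relies on is a Docker daemon whose API is reachable over TCP without TLS client verification; anyone who can reach that port can start containers as root on the host. The following is an added example, not code from Aqua Security or the Docker project, that audits a daemon.json file for that pattern. It assumes the standard daemon.json layout (a `hosts` list plus the `tlsverify`/`tlscacert`/`tlscert`/`tlskey` keys); both sample configurations are constructed for demonstration, including the 10.0.0.5 management address.

```python
"""Audit a Docker daemon.json for an unauthenticated TCP API listener.

Added example (not Docker's or Aqua Security's code). Flags the exposure
described in the article: the Docker API bound to a TCP port without
tlsverify, which hands remote callers root-equivalent control of the host.
"""
import json
from urllib.parse import urlsplit

# Constructed sample: the classic weak setup, API on 2375 with no TLS.
WEAK_CONFIG = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Constructed sample: TLS client verification on, bound to one management
# address (10.0.0.5 is a placeholder, not a real deployment value).
HARDENED_CONFIG = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})


def audit_daemon_config(config_text: str) -> list:
    """Return a list of findings (strings) for the given daemon.json text.

    An empty list means no exposed-API problem was found.
    """
    cfg = json.loads(config_text)
    findings = []
    hosts = cfg.get("hosts", [])
    if isinstance(hosts, str):
        hosts = [hosts]
    tls_verify = bool(cfg.get("tlsverify", False))
    for host in hosts:
        parts = urlsplit(host)
        if parts.scheme != "tcp":
            continue  # unix:// and fd:// listeners are local-only
        if not tls_verify:
            findings.append(
                f"{host}: Docker API reachable over TCP without tlsverify; "
                "anyone who can reach this port can run containers as root"
            )
        elif parts.hostname in ("0.0.0.0", "::", None):
            findings.append(
                f"{host}: TLS-verified API is bound to all interfaces; "
                "restrict it to a management address or firewall the port"
            )
    if tls_verify:
        for key in ("tlscacert", "tlscert", "tlskey"):
            if key not in cfg:
                findings.append(f"tlsverify is set but {key} is missing")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_daemon_config(text) or ["no findings"])
```

Run it against `/etc/docker/daemon.json` on each host as part of image or host scanning; the same check belongs in CI for any infrastructure code that templates that file, since the `hosts` entry is exactly the setting the attackers are hunting for.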
Containers are increasingly on the front line when it comes to enterprise cyber-threats. Last year researchers found over 40,000 misconfigured Kubernetes and Docker containers online.
It’s not all about user error; in April 2019 Docker Hub, the world’s largest container image library, discovered unauthorized access to its platform affecting 190,000 accounts.
Researchers have discovered thousands of private Zoom recordings exposed online, in another blow to the firm’s security credentials as it struggles to support a huge surge in users.
Former NSA researcher Patrick Jackson told The Washington Post that he was able to find the videos via a simple cloud storage search.
Many of them were apparently stored in Amazon Web Services (AWS) S3 buckets without passwords, and because the Zoom default naming convention is relatively easy to guess, they were simple to find.
One search for videos named in this way apparently revealed 15,000 separate recordings, some of them containing highly sensitive information.
These ranged from elementary school remote classes, featuring the faces of students, to private therapy sessions, business meetings including financial details and even a beauty therapist demonstrating to students how to give a Brazilian wax.
Zoom allows users to record and save meetings to its own cloud service, but it also offers customers the choice of saving videos to their preferred location, without a password.
It’s the latter type that appears to have been exposed, with experts arguing that the firm should mitigate the issue by forcing users to create a unique file name when saving videos.
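Two controls follow from the exposure described above: make sure the storage location is not readable by the world, and make the object names unguessable so a predictable naming convention cannot be enumerated. The following is an added example, not Zoom's or AWS's code, that checks an S3 bucket policy for anonymous read grants and builds a recording key with a random component. It assumes the bucket policy is in the standard IAM policy JSON format; the bucket name, account id and policies are constructed.

```python
"""Check an S3 bucket policy for public read, and build unguessable keys.

Added example (not Zoom's or AWS's code). The policies and the account id
below are constructed for demonstration.
"""
import json
import secrets
from datetime import datetime, timezone

# Constructed: a policy that lets anyone on the internet download objects.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-recordings/*",
    }],
})

# Constructed: the same bucket restricted to one role in one account.
PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "TeamRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/recording-readers"},
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-recordings/*",
    }],
})

READ_ACTIONS = {"s3:getobject", "s3:*", "*"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal) -> bool:
    """True if the Principal element grants access to everyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False


def public_read_statements(policy_text: str) -> list:
    """Return the Sids of statements that let anyone download objects.

    A statement counts if it Allows, names an anonymous principal, grants a
    read action, and carries no Condition that could narrow it down.
    """
    policy = json.loads(policy_text)
    hits = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_anonymous(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & READ_ACTIONS:
            continue
        if stmt.get("Condition"):
            continue  # conditioned grants need manual review; not flagged here
        hits.append(stmt.get("Sid", "<no Sid>"))
    return hits


def unguessable_recording_key(meeting_topic: str, when=None) -> str:
    """Build an object key that cannot be found by guessing a naming pattern.

    The date prefix stays readable for humans; the 128 random bits from the
    secrets module are what defeat enumeration.
    """
    when = when or datetime.now(timezone.utc)
    safe_topic = "".join(c if c.isalnum() else "-" for c in meeting_topic)[:40]
    return f"{when:%Y/%m/%d}/{safe_topic}-{secrets.token_urlsafe(16)}.mp4"


if __name__ == "__main__":
    print("public:", public_read_statements(PUBLIC_READ_POLICY))
    print("private:", public_read_statements(PRIVATE_POLICY))
    print(unguessable_recording_key("Weekly sync"))
```

The policy check is deliberately conservative: a statement with a `Condition` is skipped rather than flagged, because the condition may restrict the grant to a VPC endpoint or source address, so treat "no hits" as "nothing obviously public" rather than a clean bill of health, and pair it with the account-level S3 Block Public Access setting.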
In a statement, Zoom clarified that it offers users a “safe and secure” way to store their recordings.
“Zoom meetings are only recorded at the host’s choice either locally on the host’s machine or in the Zoom cloud,” it said.
“Should hosts later choose to upload their meeting recordings anywhere else, we urge them to use extreme caution and be transparent with meeting participants, giving careful consideration to whether the meeting contains sensitive information and to participants' reasonable expectations.”
The news comes after a tough week for the video conferencing platform, which has seen daily meeting participants grow from 10 million in December to roughly 200 million in March.
CEO Eric Yuan listed a range of measures the firm was taking to improve privacy and security, including patches for three new zero-day bugs, the removal of the Facebook SDK from its iOS client following privacy complaints, and clarification of new default settings to help prevent “Zoombombing.”
Yuan also announced a “feature freeze” which will see all engineering resources shifted to focus on trust, safety and privacy issues.
Google published reports today that use aggregated phone location data to show how closely lockdown regulations are being followed around the world.
The company said its COVID-19 Community Mobility Reports would "provide insights into what has changed in response to work from home, shelter in place, and other policies aimed at flattening the curve of this pandemic."
The reports use aggregated, anonymized data gathered from cell phones to chart movement trends over time. Specifically, they reveal how busy popular destinations such as shops, parks, recreation spaces, grocery stores, pharmacies, transit stations, residential areas, and workplaces have been since the majority of countries asked people to stay at home.
Initially, the reports will cover 131 countries and regions and show trends that have emerged over several weeks, with the most recent data included at least 48 hours old.
Today's reports show a traffic comparison over a five-week period between February 16 and March 29.
Data gathered from the UK shows that visits to transport stations are down 75%, while 85% fewer people are frequenting public recreation places such as restaurants, cafes, and movie theaters.
In Italy, where around 14,000 people have died after contracting the novel coronavirus, strict lockdown measures have resulted in 94% fewer people in shops, restaurants, and cafes, and parks have seen footfall drop by 90%.
By contrast, in Sweden, where no strict measures have been introduced to keep people in their homes, Google found that 18% fewer people were in work, 24% fewer were using recreational spaces, and use of transport stations had dropped by 36%.
Only data from users who have turned on the Location History setting will be used to create the reports. Currently, this setting is turned off by default.
People who have location history turned on can turn it off at any time from their Google account and can also delete location history data directly from their timeline.
Google says the reports will not intrude on the privacy of individual people, because "no personally identifiable information, like an individual’s location, contacts or movement, is made available at any point."
A threat group is using gift cards, sweet-faced teddy bears, and the United States Postal Service to carry out a new physical phishing campaign.
The deceptive ruse has been identified as the work of FIN7, otherwise known as the Navigator Group and the Carbanak Group.
Victims receive a new furry friend in their mailbox together with a gift card, a malicious USB drive, and a fake letter purporting to be from the customer relations department of Best Buy. The scam lures victims into plugging the bad drive into their computer with the promise of a freebie.
The letter states: "Best Buy company thanks you for being our regular customer for a long period of time, so we would like to send you a gift card in the amount of $50. You can spend it on any product from the list of items presented on a USB stick."
After discovering the scam, the Federal Bureau of Investigation issued a flash alert warning to businesses.
“Recently, the cybercriminal group FIN7, known for targeting such businesses through phishing emails, deployed an additional tactic of mailing USB devices via the United States Postal Service (USPS). The mailed packages sometimes include items like teddy bears or gift cards to employees of target companies working in the Human Resources (HR), Information Technology (IT), or Executive Management (EM) roles,” warned the FBI.
The USB device used by FIN7 is a commercially available tool known as a "BadUSB" or "Bad Beetle USB" device. Schemes that make use of such malicious USBs are known as "Bash Bunny" attacks.
Sticking with the animal theme, similar attacks, which rely on the victim using what looks like a USB storage stick but is in reality a malicious USB keyboard preloaded with keystrokes, are called "Rubber Ducky" attacks.
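Because a keystroke-injecting stick has to present itself to the operating system as a keyboard, the defender's signal is an unexpected extra keyboard enumerating on a host. The following is an added example, not from the FBI alert or any vendor, that scans Linux kernel log lines for HID keyboard binds that are not on an allow-list. It assumes the line format the `hid-generic` driver prints when a USB HID device binds (as seen in `dmesg` or `journalctl -k`); the log excerpt, the allow-list and the vendor/product ids are constructed.

```python
"""Flag keyboards that enumerate on a Linux host but are not on an allow-list.

Added example (not from the FBI alert). Assumes hid-generic kernel log lines;
the sample log and the allow-list below are constructed.
"""
import re

# Constructed kernel log excerpt: the usual keyboard and mouse at boot, then
# a "storage" stick that binds as a second keyboard half an hour later.
SAMPLE_KERNEL_LOG = """\
[    3.112] usb 1-3: New USB device found, idVendor=046d, idProduct=c31c
[    3.210] hid-generic 0003:046D:C31C.0001: input,hidraw0: USB HID v1.10 Keyboard [Logitech USB Keyboard] on usb-0000:00:14.0-3/input0
[    3.215] hid-generic 0003:046D:C31C.0002: input,hidraw1: USB HID v1.10 Device [Logitech USB Keyboard] on usb-0000:00:14.0-3/input1
[    4.001] hid-generic 0003:1BCF:0005.0003: input,hidraw2: USB HID v1.10 Mouse [USB Optical Mouse] on usb-0000:00:14.0-4/input0
[ 1812.550] usb 1-6: New USB device found, idVendor=abcd, idProduct=1234
[ 1812.551] usb 1-6: Product: Generic Flash Drive
[ 1812.790] hid-generic 0003:ABCD:1234.0004: input,hidraw3: USB HID v1.11 Keyboard [Generic Flash Drive] on usb-0000:00:14.0-6/input0
"""

# One hid-generic bind line: bus:vendor:product, the HID device kind reported
# by the descriptor, the product name and the physical port.
HID_BIND = re.compile(
    r"hid-generic (?P<bus>[0-9A-F]{4}):(?P<vid>[0-9A-F]{4}):(?P<pid>[0-9A-F]{4})\.\d+: "
    r".*USB HID v[\d.]+ (?P<kind>\w+) \[(?P<name>[^\]]*)\] on (?P<port>\S+)"
)

# Constructed allow-list of keyboards expected on this host (VID:PID).
KNOWN_KEYBOARDS = {"046D:C31C"}


def find_unexpected_keyboards(log_text: str, known=KNOWN_KEYBOARDS) -> list:
    """Return (vid:pid, name, port) for every keyboard bind not on the allow-list.

    Only binds whose HID kind is 'Keyboard' are considered; mice and the
    extra 'Device' interfaces that real keyboards expose are ignored.
    """
    unexpected = []
    for line in log_text.splitlines():
        m = HID_BIND.search(line)
        if not m or m.group("kind") != "Keyboard":
            continue
        ident = f"{m.group('vid')}:{m.group('pid')}"
        if ident not in known:
            unexpected.append((ident, m.group("name"), m.group("port")))
    return unexpected


if __name__ == "__main__":
    for ident, name, port in find_unexpected_keyboards(SAMPLE_KERNEL_LOG):
        print(f"unexpected keyboard {ident} ({name}) on {port}")
```

Feed it the kernel journal from a log shipper rather than running it interactively; a product string that reads like a storage device but binds as a keyboard is the tell. For prevention rather than detection, tools such as USBGuard can refuse to authorize new HID devices until an administrator approves them.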
According to MITRE, FIN7 is a financially motivated threat group that has primarily targeted the US retail, restaurant, and hospitality sectors since mid-2015, often using point-of-sale malware. In 2017, the group became known for sending stores and corporate offices a string of food poisoning complaints with malicious attachments in a threat campaign dubbed FINdigestion.
A bill permitting the use of facial recognition technology with certain restrictions has been signed into law in Washington State.
Governor Jay Inslee signed the new bill on March 31 after it was passed by the Washington State House of Representatives on March 12 by a vote of 27 to 21 in favor. The new law will come into effect next year.
The new legislation will limit the "unconstrained use of facial recognition services by state and local government agencies" because it "poses broad social ramifications that should be considered and addressed."
Under the new law, state and local government agencies "may use facial recognition services to locate or identify missing persons, and identify deceased persons, including missing or murdered indigenous women, subjects of Amber alerts and silver alerts, and other possible crime victims, for the purposes of keeping the public safe."
Before developing, procuring, or using facial recognition technology, a state or local government agency must file a notice of intent with a legislative authority and produce an accountability report.
The new legislation has won the support of Microsoft president Bill Smith, who praised it in a recent blog post.
"This balanced approach ensures that facial recognition can be used as a tool to protect the public, but only in ways that respect fundamental rights and serve the public interest,” wrote Smith.
Washington's state agencies are not permitted to use facial recognition based on a person’s “religious, political or social views or activities,” or “participation in a particular noncriminal organization or lawful event,” or “actual or perceived race, ethnicity, citizenship, place of origin, immigration status, age, disability, gender, gender identity, sexual orientation or other characteristic protected by law.”
Use of facial recognition technology in the United States is not currently governed by any federal rules. Washington is the first state to pass legislation to allow the constrained use of facial recognition technology, while elsewhere in America, some have moved to ban it.
In 2019, San Francisco, Oakland, and Berkeley, California, and the Boston, Massachusetts, suburbs of Somerville and Brookline all moved to ban the use of the new technology.
Zoom has announced a freeze on new features as it grapples with emerging security and privacy issues, including three new security bugs revealed this week.
The video conferencing app has been catapulted into the mainstream after widespread COVID-19 government lockdowns across the globe forced home working and schooling on a massive scale. The number of daily meeting participants has grown from 10 million in December to roughly 200 million in March, according to the firm.
However, this has led to increased scrutiny of the platform: researchers this week published details of a new vulnerability in the Zoom Windows client which could be exploited to steal user passwords, and two flaws in the macOS app which could be abused to remotely install malware or eavesdrop on users.
These follow discoveries of serious vulnerabilities in the product last year.
Although Zoom CEO Eric Yuan revealed in a post on Thursday that the firm had promptly patched all three bugs disclosed this week, concerns persist about the platform’s approach to security and privacy.
Organizations as diverse as the UK’s Ministry of Defence, SpaceX and NASA have banned employees from using the tool, and there has been widespread criticism after the firm appeared to mislead users into thinking their video meetings were end-to-end encrypted, when in fact they aren’t.
Yuan apologized for that, and clarified several steps that the firm is taking to improve privacy, including removing the Facebook SDK in its iOS client, after reports emerged that it was sending user data to the social network, even for non-Facebook users.
It has also permanently removed an “attention tracker” feature which critics claimed could allow employers to spy on their staff.
Zoom has also been trying to educate users into following best practices like not sharing meeting IDs online, and using protective features on the platform which could prevent “Zoombombing” — incidents where uninvited guests join and disrupt meetings.
Going forward, the firm will enact a “feature freeze” in order to devote all engineering resources to security and privacy issues. It will also carry out a comprehensive review with third-party experts to improve security in consumer use cases, and engage with security leaders via a new CISO council.
“We did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying and socializing from home. We now have a much broader set of users who are utilizing our product in a myriad of unexpected ways, presenting us with challenges we did not anticipate when the platform was conceived,” Yuan argued.
“These new, mostly consumer use cases have helped us uncover unforeseen issues with our platform. Dedicated journalists and security researchers have also helped to identify pre-existing ones. We appreciate the scrutiny and questions we have been getting – about how the service works, about our infrastructure and capacity, and about our privacy and security policies.”