Info Security

Ghanaian Women Cautioned Against Sharing Nudes

Wed, 10/13/2021 - 19:11

A cybersecurity official in the Ghanaian police force has cautioned women and girls against using digital devices to take and share intimate pictures. 

The assistant commissioner of police, Dr. Gustav Herbert Yankson, who is the director of the Cybercrime Unit at the CID Headquarters of the Ghana Police Service, gave the warning while speaking at an event in Accra that commemorated the 2021 International Day of the Girl Child.

"Do not take nude pictures or videos of yourself and do not share such content with your partner, not even your husband," said Yankson.

"The problem is the phone could be hacked, stolen or get damaged and may need to be taken to the repair shop, and before you know it, your nudity is circulating everywhere."

Sharing nudes online, including on social media platforms, can result in a fine of between $5,200 and $10,000 for Ghanaians.

Under the country's Cybersecurity Act 2020, an individual who publishes indecent images of children or adults can be imprisoned for up to 25 years. 

The law also stipulates that an individual convicted of threatening to circulate a victim's nude photos or videos unless they receive a payment from the victim can be sentenced to between 10 and 25 years in prison. 

In April, Ghanaian actress Akuapem Poloo was sentenced to 90 days in prison for the publication of “obscene material and domestic violence.”

Police arrested Poloo over a picture that she posted to her Instagram feed in June 2020. The image showed Poloo taking a bath with her seven-year-old son.

It was accompanied by the message: "I’m naked in front of you because this is how naked I was giving birth to you, so in case you find me naked lying somewhere don’t pass by me but rather see me as your mom who brought you to life. Happy birthday to you @sonof_poloo."

In an interview with Onua TV's Captain Smart, the actress said she did not realize what she had done was a crime and had never heard of anyone being arrested for it. 

"When we were children, we bathed with our mothers. I saw my mother's nakedness," said Poloo. 

Categories: Cyber Risk News

Ultimatum for Booter Service Users

Wed, 10/13/2021 - 17:50

Dutch police have written to customers of an on-demand booter service to dissuade them from committing cybercrimes.

Booter services, also known as booters, are on-demand DDoS (Distributed-Denial-of-Service) attack services that can be used to bring down websites and networks by overloading or “stressing” IP addresses with data traffic. 

During an ongoing investigation, Dutch police discovered the details of 29 individuals who had purchased booter services offered for sale on the website.

In an attempt to deter the site's customers from launching DDoS attacks, the police took the civilized action of writing to them, warning them to stop using the service or face prosecution.

In a statement issued October 11, the police wrote: "The letter recipients – from all over the country – are associated with a purchase on the website, where illegal DDoS attacks were sold. 

"The aim of the letter is to inform the recipients about the criminality and consequences and also to offer them alternatives."

Recipients were told that committing cybercrimes could result in "a conviction, criminal record and the loss of your computer and/or laptop."

The letter read: "We have registered you in our system and you will now receive a final warning. If new similar facts arise in the future, we will prosecute."

The letter goes on to encourage the booter buyers to "improve your skills in a legal way," and lists websites including HackTheBox, which gives hackers the chance to win prizes while building up their cybersecurity skills. 

"Not only can companies lose customers and/or revenue," said the police, but "a DDoS attack can also have major social, disruptive consequences. Companies also often incur considerable financial damage due to the repair costs."

Dutch police began investigating last year after receiving a report from a game server hosting platform that was struck by a DDoS attack originating from the site.  

"In addition, dozens of reports were received from other companies and authorities," stated the police. 

On July 30, 2020, the police searched the homes of two 19-year-old men who are suspected of being involved with the website and seized electronic devices, including computers and cellphones.

University of Sunderland Hit by Suspected Cyber-Attack

Wed, 10/13/2021 - 09:50

A UK university has suffered a suspected cyber-attack, causing "extensive IT issues."

The University of Sunderland revealed the incident on its official Twitter account this morning, which stated: "our telephone lines, website and IT systems are still down." The institution first reported it was experiencing IT problems yesterday (12 October) and has now said it "has all the hallmarks of a cyber-attack."

A local newspaper, the Sunderland Echo, reported that all online classes had been canceled, and staff members faced difficulties accessing their emails. In addition, the University of Sunderland's official website remains down.

The university said that it is working with the police to try and resolve the problem and will continue face-to-face teaching as much as possible.

The full statement read: "We intend to continue face to face teaching as far as possible and will continue to update our staff and students, as well as continue working with the police.

"We take the security of our systems extremely seriously and we will resolve this as quickly as we can. We ask that prospective students direct message any inquiries in the meantime and that current students email [email protected].

"Thank you for your patience."

The suspected cyber-incident follows a surge of attacks targeting schools, universities and colleges during the COVID-19 crisis. These include damaging attacks on two other universities in the North-East of England last year, Newcastle University and Northumbria University. And in April 2021, the University of Hertfordshire and the University of Portsmouth suffered network outages lasting days after ransomware threat actors struck.

It appears cyber-criminals view this sector as an easier target following digital transformation efforts during the pandemic, including the shift to remote learning. In July, the UK's National Cyber Security Centre (NCSC) updated its guidance on ransomware following a spate of attacks on the education sector.

Commenting on the story, Danny Lopez, CEO at Glasswall Solutions, said: "Reports of universities being the victim of cyber-attacks have become increasingly common over the last 18 months. It's concerning considering the extensive damage caused by lost data – for both students and staff – and access to vital educational services. The cyber-attack will inevitably have a significant impact on productivity. In addition, just as the new university term begins, students and staff have lost access to their campus network, which will undoubtedly affect teaching and access to study resources.

"Educational institutions should adopt a 'defense-in-depth' approach to cybersecurity, as advised by the NCSC. This means using multiple layers of defense with several mitigations, which creates more opportunities to detect malware and prevent it from doing widespread harm to the institution."

Password-Stealing Attacks Surge 45% in Six Months

Wed, 10/13/2021 - 09:15

Attacks using password-stealing malware have surged by 45% over the past six months, highlighting the continued need for additional log-in security measures, according to Kaspersky.

The Russian AV vendor analyzed incidents of Trojan-PSW – a specialized stealer capable of gathering login and other account information.

It noted 160,000 more targets in September 2021 than April, with the total number reaching nearly half a million. That’s an increase of 45%.

“As statistics show, logins, passwords, payment details and other personal data continue to be an attractive target for cyber-criminals and they remain a popular commodity on the dark market,” explained Kaspersky security expert, Denis Parinov.

“For this reason, we encourage internet users to take extra steps to protect your accounts. For example, by using multi-factor authentication (MFA) methods. Increased scammer activity using password stealers also suggests the need for users to be more careful, not to follow unverified links and to use an updated security solution.”

Most US insurers now mandate MFA as a minimum security standard to qualify for coverage. In fact, last month, it was revealed that the tech CEOs who met President Biden for a recent White House summit claimed MFA could thwart as much as 90% of attacks.

However, it’s not a panacea. One-time passwords generated by text message can be intercepted via SIM swapping and other techniques. For that reason, Microsoft last year urged organizations to move away from MFA methods relying on phone networks and towards authentication apps.

Kaspersky has also seen a sharp rise in overall attempts to compromise users. It noted an increase from 24.8 million attempts in Q3 2020 to 25.5 million in the third quarter of 2021, a rise of almost 30%.

Microsoft Patches Multiple Zero-Day Bugs

Wed, 10/13/2021 - 08:49

Microsoft fixed 74 new CVEs yesterday, including several zero-day vulnerabilities, one of which is being actively exploited in the wild.

Zero-day bug CVE-2021-40449 is a Win32k elevation of privilege vulnerability in Windows affecting Windows 7 and Server 2008 up to Windows 11 and Server 2022. It has reportedly been exploited by Chinese threat actors known as “IronHusky.”

“Microsoft only rated the vulnerability as ‘important’ by their severity scoring system, which is a good example of why organizations need to focus on vulnerability remediation based on risk,” argued Ivanti senior director of product management, Chris Goettl.

“A risk-based approach to vulnerability management takes into account more real-world indicators such as known exploited, public disclosure, and usage trends by threat actors to better understand what exposures you should be focusing on first.”

Microsoft also fixed three publicly disclosed (zero-day) flaws which have had proof-of-concept code released, giving attackers a head-start in crafting exploits for them.

These are CVE-2021-41338, a security feature bypass vulnerability in Windows AppContainer Firewall; Windows kernel elevation of privilege bug CVE-2021-41335; and Windows DNS remote code execution vulnerability CVE-2021-40469.

There was also an updated fix for CVE-2021-33781, a security feature bypass flaw in Azure AD. This vulnerability was initially resolved in the July Patch Tuesday but has been updated to fix Windows 10 v1607, Server 2016 and Windows 11.

Elsewhere, Adobe updated Acrobat, Reader, Connect, Reader Mobile, Commerce, Campaign Standard and ops-cli.

“The updates for Adobe Connect (APSB21-91) and ops-cli (APSB21-88) include critical CVEs with a CVSS base score of 9.8 out of 10,” explained Goettl.

“Adobe Acrobat and Reader (APSB21-104) resolves the most CVEs out of the line-up. A total of four CVEs, two of which are rated as Critical with CVSS scores of 7.8 were resolved in this update.”

Customers On Alert as E-Commerce Player Leaks 1.7+ Billion Records

Wed, 10/13/2021 - 08:12

A Brazilian e-commerce firm has unwittingly exposed close to 1.8 billion records, including customers’ and sellers’ personal information, after misconfiguring an Elasticsearch server, according to researchers.

A team at SafetyDetectives led by Anurag Sen made the discovery in June and quickly traced the leak back to Hariexpress — a firm that allows vendors to manage and automate their activity across multiple marketplaces, including Facebook and Amazon.

Although the firm replied to the researchers just four days after they alerted it to the leak in early July, it was subsequently uncontactable. Infosecurity is currently trying to confirm if the issue has been fixed or not.

The server was left unencrypted with no password protection in place. It contained 610GB of data, including customers’ full names, home and delivery addresses, phone numbers and billing details. Also exposed were sellers’ full names, email and business/home addresses, phone numbers and business/tax IDs (CNPJ/CPF).

SafetyDetectives could not confirm the total number of those affected due to the size of the trove and the potential for duplicate email addresses.

“A data breach of this magnitude could easily affect hundreds of thousands, if not millions of Brazilian Hariexpress users and e-commerce shoppers. Hariexpress’ leaked server’s content could also affect its own business,” it claimed.

“We cannot know whether unethical hackers have discovered Hariexpress’ unsecured Elasticsearch server. Users, couriers, consumers, and Hariexpress itself should understand the risks they could face from this data breach.”

These include phishing and social engineering attempts built around legitimate user and business details, tax rebate and returns scams using CPF information, and even theft of items from the homes of customers who ordered high-value goods.

There’s also a potential for digital extortion in cases where customers have bought potentially embarrassing items. The researchers highlighted one anonymous shopper who purchased a “penis pump,” for example.

Brazil’s data protection law, the Lei Geral de Proteção de Dados (LGPD), apparently gives regulators the power to fine companies a maximum of 2% of the previous year’s revenue for serious infractions, up to 50 million Brazilian reals ($10m).

Security Serious Unsung Heroes 2021 Winners Announced

Wed, 10/13/2021 - 08:01

The winners of the sixth annual Security Serious Unsung Heroes Awards were unveiled last night during an entertaining ceremony at St. Bart’s Brewery in London.

The lively event was compered by award-winning screenwriter, author, comedian, actor and worldwide speaker on fraud and identity theft, Bennett Arron. Last year's ceremony was streamed virtually due to the COVID-19 pandemic.

The awards are designed to recognize the efforts of UK cybersecurity professionals and teams in helping advance the country’s cyber protections and raise awareness of security issues.

Yvonne Eskenzi, lead organiser of Security Serious Week and co-founder of Eskenzi PR, commented: “Cybersecurity and the people within this industry are often not given the recognition and appreciation they deserve.

“By hosting this event, we are shining a light on all the hard work that goes on behind the scenes to protect organizations from the threat of cybercrime. Thanks to our fantastic sponsors, we were able to host an amazing party at no charge to our attendees and acknowledge all the incredible and talented people in this industry!”

The judging panel for the awards comprised Brian Higgins from Comparitech, award-winning writer Oliver Pickup, Yvonne Eskenzi and Infosecurity Magazine's very own editor, Eleanor Dallaway.

The winners across all categories were as follows:

  • Cyber Writer – Andy Gill
  • Best Security Awareness Campaign – Talion RansomAware
  • Data Guardian – Emily Overton
  • Best Educator – Winner: Jackie Riley; Highly Commended: Lorna Armitage and Andrea Cullen, CAPSLOCK
  • Godfather/Godmother of Security – Colonel John Doody
  • Best Ethical Hacker / Pentester – Dale Pavey and Guy Morley from NCC Group
  • Apprentice/Rising Star – Winner: Jenny Codes; Highly Commended: Daniel Dodds
  • Security Leader/Mentor – Marilise de Villiers
  • Security Avengers – Winner: CyberNews Research Team; Highly Commended: Sainsbury’s
  • CISO Supremo – Alison Dyer

After being crowned ‘Godfather of Security’, Colonel John Doody said: “I am emotionally overwhelmed and humbled to be selected for this prestigious award. I am in my 63rd year in the profession, including my total commitment to the national cybersecurity posture, and will continue to serve the nation as long as I am able. Cybersecurity is the biggest growth profession in the UK and I am so privileged to be recognized for my dedicated evangelism on the subject.”

Nukegate CEO Imprisoned for Fraud

Tue, 10/12/2021 - 20:38

The former CEO of failed South Carolina electric and natural gas public utility SCANA Corporation (SCANA) has been sent to federal prison after pleading guilty to conspiracy to commit mail and wire fraud.

Evidence presented to a South Carolina Court showed that 66-year-old Kevin B. Marsh intentionally defrauded rate-payers while overseeing and managing SCANA’s operations. 

Marsh made false and materially misleading statements about the progress of the company's building projects so that SCANA could obtain and keep rate increases imposed on its rate-paying customers and qualify for up to $2.2bn in tax credits.

One of the projects impacted by the fraud was the erection of two nuclear reactors at the V.C. Summer Nuclear Station in Fairfield County. Construction on the $10bn project began in 2013 but was abandoned in 2017 after delays and errors caused costs to skyrocket.

Court filings showed that Marsh stuck rigidly to stating that the project would be completed in 2020 and would therefore meet the deadline set to receive $1.4bn in federal tax credits. 

Prosecutors detailed how the former CEO and chairman of SCANA's board of directors lied about the progress of the project repeatedly in calls, press releases, and presentations. 

“Due to this fraud, an $11 billion nuclear ghost town, paid for by SCANA investors and customers, now sits vacant in Jenkinsville, South Carolina,” said Acting US Attorney Rhett DeHart. 

The project's failure, which became known as “Nukegate,” gutted SCANA and its subsidiary, South Carolina Electric & Gas, which were bought out by Dominion Energy of Virginia in 2019.

In February, Marsh pleaded guilty to conspiracy to commit wire and mail fraud and to obtaining property by false pretenses. He was sentenced on October 7 to two years in prison followed by three years of supervised release and fined $200K. Marsh has already paid $5m in restitution.

Felony guilty pleas have been obtained from SCANA's former executive vice president Stephen Byrne and from Carl Churchman, former Westinghouse Electric Corporation vice president and the project director of the V.C. Summer Nuclear project. 

Jeffrey Benjamin, former Westinghouse Electric Company senior vice president, has been charged in a sixteen-count felony criminal indictment.

Google Creates Cybersecurity Action Team

Tue, 10/12/2021 - 18:52

Google is bringing together a bevy of in-house experts to form a new cybersecurity advisory team.

In a statement released earlier today, Google announced the creation of its new Google Cybersecurity Action Team, which it says will have "the singular mission of supporting the security and digital transformation of governments, critical infrastructure, enterprises, and small businesses."

In pursuit of this mission, the team will provide services in four key areas: strategic advisory, trust and compliance, security customer and solutions engineering, and threat intelligence and incident response. 

"Customers need a consistent approach to preparing for and defending against cybersecurity threats," said Phil Venables, vice president and CISO at Google Cloud and founder of the Google Cybersecurity Action Team. 

"Our comprehensive suite of security solutions delivered through our platform and amplified by the Google Cybersecurity Action Team will help protect organizations against adverse cyber events with capabilities that address industry frameworks and standards."

One of the new team's jobs will be to advise customers on their security strategies, including educational content and transformation workshops. 

"This function will advise customers on the structure of their digital security transformation and provide program management and professional services support," said Google.

Another role of the team will be to simplify customers' "compliance journey" through trust and compliance services that map Google's global compliance certifications to industry control frameworks.

The team will also be involved with the delivery of threat briefings, preparedness drills, incident support, and rapid response engagements.  

Rosa Smothers, former CIA cyber-threat analyst and technical intelligence officer, now a senior vice president at KnowBe4, told Infosecurity Magazine that the formation of the new Google team would help organizations tackle the rising threat of ransomware. 

"In light of the NSA director Nakasone's recent remarks that within the next 5 years we'll see ransomware attacks on a daily basis, this team can serve as a bulwark – a part of any company's overarching defense-in-depth strategy – against threat actors," said Smothers.

She added: "This is a great opportunity for companies utilizing Google Cloud. The company takes their security seriously."

RealDefense Acquires STOPzilla

Tue, 10/12/2021 - 17:51

Antivirus and anti-malware brand STOPzilla has been acquired by California holding company RealDefense.

The deal was announced earlier today and marks RealDefense's fourth acquisition in the security sector. Other brands in the RealDefense portfolio include IOLO, MyCleanID, MyCleanPC, USTechSupport, CyberDefender, VirusFix, and WarrantyStar.

To complete the acquisition of STOPzilla, RealDefense partnered with Corbel Capital Partners, a $500m structured debt firm based in Los Angeles.

STOPzilla was founded by iS3 Corporation in 2001 as a popup blocker. This initial program evolved into anti-malware software, and in the last few years, the company developed antivirus protection and STOPzilla Optimizer. 

The brand is based in Santa Monica, California, and states on its website that it has protected over 9 million users worldwide. 

STOPzilla’s AntiVirus program includes a web filter, scan module, enhanced malware detection engine, and smart file cache to defend against infection. STOPzilla’s AntiMalware works with the AntiVirus program to block, detect, and remove malware.

The brand's Optimizer program promises to speed up PC performance and reduce system crashes by decluttering and performing advanced, automatic repairs plus system and registry backup. 

“For the last twenty years, it’s been an honor and privilege to provide an award-winning software product to users around the globe,” said Robert Scaduto, president and co-founder of STOPzilla. “STOPzilla customers are in great hands with an impressive RealDefense team.”

Also headquartered in Santa Monica, RealDefense provides device optimization/security software and remote desktop technical support services to customers globally. The company takes an active approach in managing operations at its portfolio companies and provides them with development and marketing support.

“We are excited to offer RealDefense’s suite of products to STOPzilla customers and continue to provide valuable privacy, security and optimization services,” said Gary Guseinov, CEO, RealDefense. “The STOPzilla team has done an amazing job building the company over the past 20 years and we are confident that we can continue to improve on the brand’s success.”

According to BusinessWire, in its most recent four acquisitions, RealDefense has achieved average revenue gains of 25% within the first 30 days.

NCSC CEO: Ransomware the "Most Immediate Threat" Facing UK Businesses

Tue, 10/12/2021 - 11:33

NCSC CEO Lindy Cameron has warned UK businesses that ransomware “is the most immediate cyber threat” they face.

Cameron made the remarks during a speech at Chatham House’s cyber conference, marking one year since she was appointed head of the UK government agency. She cited numerous examples of the real-world damage caused by ransomware attacks in the past year. These include the attack on Ireland’s Health Service Executive, which led to “months of disrupted appointments and services,” and the disruption to vital services at Hackney Borough Council in the UK after its IT systems were forced offline for months. In addition, she highlighted the notorious attack on Colonial Pipeline in the US, which led to significant fuel shortages across the East Coast.

These examples show why ransomware is the most immediate threat to UK businesses and most other organizations, “from FTSE 100 companies to schools; from national infrastructure to local councils.”

It is the latest in several warnings made by Cameron about the recent threat of ransomware.

Cameron said many organizations “have no incident response plans, or ever test their cyber defenses.”

This needs to change, with the NCSC expecting ransomware attacks to continue growing for the foreseeable future. The issue is exacerbated by the increasingly sophisticated methods employed by some groups, such as multi-extortion attacks, in which the attackers not only lock down an organization’s systems and data but also threaten to publish exfiltrated data on the dark web.

Unfortunately, “we expect ransomware will continue to be an attractive route for criminals as long as organizations remain vulnerable and continue to pay,” continued Cameron, who warned that “paying ransoms emboldens these criminal groups – and it also does not guarantee your data will be returned intact, or indeed returned at all.”

She acknowledged the role of governments in tackling ransomware gangs, but noted how challenging this area is for law enforcement because the criminals are able to operate “beyond our borders.” Therefore, organizations need to do much more to enhance their cybersecurity and incident response measures. “Do you know what you would do if it happened to you? Have you rehearsed this? Have you taken steps to ensure your systems are the hardest target in your market or sector to compromise? And if you’d even contemplate paying a ransom, are you comfortable that you are investing enough to stop that conversation ever happening in the first place?” Cameron asked.

In the speech, Cameron also pointed the finger at the Russian state’s “cyber aggression,” and for harboring ransomware gangs. “In addition to the direct cyber security threats that the Russian state poses, we – along with the NCA – assess that cyber-criminals based in Russia and neighboring countries are responsible for most of the devastating ransomware attacks against UK targets,” she outlined.

Commenting on Cameron’s words, Chris Ross, SVP, International, Barracuda Networks, said: “It’s right for the NCSC to identify ransomware as the biggest threat facing UK business; these attacks have the potential to completely paralyze any organization, hijacking critical data and forcing many to hand over large sums of money to break free.

“The days of businesses hoping for the best and assuming they won’t fall victim to a ransomware attack are well and truly over, and urgent action needs to be taken to prevent such threats and ensure the necessary backup support is in place to protect compromised data.”

Torsten George, cybersecurity evangelist, Absolute Software, said: “Ransomware is without doubt the biggest threat facing UK businesses and remains a frighteningly effective tool for leaving organisations of all sizes completely at the mercy of cyber-criminals. The risks have dramatically increased with the rise of remote working, with millions of people mixing home and work devices to answer emails and share company data, making it easier for employees to fall victim to scam emails which contain hostile threats.”

During Cameron’s address, she also discussed the threat posed by China in the digital space and the growing danger of supply chain attacks.

Over 90% of Firms Suffered Supply Chain Breaches Last Year

Tue, 10/12/2021 - 10:10

Some 93% of global organizations have suffered a direct breach due to weaknesses in their supply chains over the past year, according to BlueVoyant.

The cybersecurity services company polled 1,200 IT and procurement leaders responsible for supply chain and cyber-risk management at global companies with 1,000+ employees to compile its report, Managing Cyber Risk Across the Extended Vendor Ecosystem.

It revealed the average number of breaches experienced in the past 12 months grew from 2.7 in 2020 to 3.7 in 2021 – a 37% year-on-year increase.

Although the percentage of companies that don’t consider third-party risk a priority has fallen from 31% last year to 13% in 2021, the number who admit they have no way of knowing if an incident has occurred in their supply chain rose from 31% to 38%.

In addition, while 91% of respondents said budgets were increasing this year to help tackle the risk, investments don’t seem to be making an impact.

Typical pain points highlighted by the report include:

  • Managing false positives and large data volumes.
  • Prioritizing risk.
  • Understanding the company’s own risk position.

“Budget increases demonstrate that firms are recognizing the need to invest in cybersecurity and vendor risk management. However, the wide yet consistent array of pain points suggests that this investment is not as effective as it needs to be,” argued BlueVoyant global head of third-party cyber-risk management, Adam Bixler.

“This, tied to the lack of visibility, monitoring and senior-level reporting, underscores a need for further improvement when approaching third-party cyber risk, in order to reduce the exposure of data before attackers take advantage of this.”

Supply chain risk has been abundantly evident over the past year, with big-name campaigns such as the SolarWinds breaches and the ransomware attacks on Kaseya customers highlighting the threat to organizations.

Organizations must evolve their third-party risk management from static questionnaires to continuous monitoring and rapid action to tackle critical new vulnerabilities, BlueVoyant claimed.

Euro Police Disrupt $17m Fake Investment Scheme

Tue, 10/12/2021 - 09:19

European police have disrupted a significant financial crime organization said to have made at least €15m ($17m) by tricking investors.

Between May 2019 and September 2021, the criminal network reportedly lured German investors via adverts on social media and elsewhere, supported by over 250 newly registered domain names.

As part of the scam, two call centers were reportedly set up in the Bulgarian capital of Sofia, where around 100 employees were required to pose as financial advisors and try to sell fake binary options — a type of financial betting.

Working from scripts, the call center operatives used pre-written messaging to nudge their victims into releasing more funds. However, most were not aware they were involved in a scam, according to Europol.

The criminal gang behind the scam simply pocketed the money invested by these 'clients', who never received any winnings or credit balance updates after handing over their funds.

It's unclear where the scam's ringleaders were based, but the criminal network is said to have been connected to a Ukrainian company.

An action day on October 6 saw involvement from law enforcement and judicial authorities in Bulgaria, Cyprus, Germany, the Netherlands and Ukraine, supported by Europol and Eurojust.

It resulted in eight house searches in Ukraine, Bulgaria and Cyprus, the questioning of 17 individuals in Bulgaria, the arrest of one "high-value target" in Cyprus and the seizure of important assets including phones, electronic equipment, bank accounts and data back-ups.

The investigation has also so far led to 246 criminal proceedings across 15 German federal states.

Investment fraud was the third-highest money-maker for cyber-criminals last year, according to data from the FBI.

It revealed that these scams made them over $336m, on the back of just 8,700 victims.

Cryptocurrency fraud is typically a big driver of this criminal activity. Earlier this year, the founder of two crypto hedge funds pleaded guilty to defrauding investors out of around $100m.

Categories: Cyber Risk News

Ukraine Police Cuff Botnet Herder Who Controlled 100K Machines

Tue, 10/12/2021 - 08:45

Ukrainian law enforcers have arrested a suspected botnet herder responsible for controlling an automated network of around 100,000 compromised machines to launch DDoS and other attacks.

The Security Service of Ukraine (SSU) claimed the resident of Ivano-Frankivsk also used the botnet to launch spam campaigns, scan for vulnerabilities in websites to exploit, and brute-force users’ email passwords.

He’s said to have found and communicated with customers for his services on encrypted channels like Telegram and on closed underground forums, and to have received payment through platforms banned in Ukraine, such as WebMoney.

The National Security and Defence Council of Ukraine imposed sanctions on WebMoney, a Russian firm, back in 2018.

Unfortunately for the individual, he registered his real address with WebMoney, enabling SSU officers to find him pretty easily.

He now faces charges under Part 2 of Article 361-1 of the Criminal Code of Ukraine, which relates to the creation, distribution, or sale of malicious software or hardware; and interference with the work of computers, automated systems, and computer or telecoms networks.

Police are currently looking through the equipment seized at the property to find out more.

Ukrainian law enforcers have had a busy time over recent years, as the country continues to harbor more than its fair share of threat actors.

In February last year, police arrested suspected members of the Egregor ransomware group. A few months later, in June, six suspected members of the notorious Clop ransomware gang were cuffed in Ukraine.

Then in October, two “prolific ransomware operators” were arrested in the country after an international law enforcement operation.

Those arrests come in stark contrast to law enforcement activity in Russia, where the state appears to give its blessing to cybercrime activity as long as it is targeted at victims outside the country.

Categories: Cyber Risk News

Couple Arrested Over Sale of Nuclear Secrets

Mon, 10/11/2021 - 21:18

A married couple from Maryland has been arrested on suspicion of selling secret information about the design of nuclear-powered warships. 

Jonathan and Diana Toebbe, both of Annapolis, were arrested in Jefferson County, West Virginia, by the FBI and the Naval Criminal Investigative Service on Saturday, October 9. 

It is alleged that 42-year-old Naval nuclear engineer Jonathan Toebbe, with the help of his 45-year-old wife, sold information classified as Restricted Data to an undercover FBI agent who they believed was a representative of a foreign power.

The complaint affidavit alleges that on April 1, 2020, Jonathan Toebbe sent a package to a foreign government containing a sample of Restricted Data along with instructions for establishing a covert relationship to purchase more of it.

Toebbe allegedly corresponded with an undercover agent posing as a representative of that government for months before agreeing to exfiltrate Restricted Data and sell it for thousands of dollars in crypto-currency. 

After receiving a $10,000 advance payment, Toebbe and his wife allegedly arranged to leave an SD card containing the data at a pre-arranged location in West Virginia on June 26.

While his wife allegedly acted as a lookout, Toebbe allegedly performed the dead drop by hiding an encrypted SD card in a peanut butter sandwich and leaving it at a site agreed upon with the agent.

The agent retrieved the card and paid Jonathan Toebbe $20,000 for the encryption key. The card was found to contain Restricted Data related to submarine nuclear reactors. 

On August 28, Jonathan Toebbe allegedly made a second dead drop, this time concealing an SD card in a pack of chewing gum and accepting a payment of $70,000 from the undercover agent. 

The FBI arrested Jonathan and Diana Toebbe on October 9, after he placed a third SD card at a pre-arranged location in West Virginia. 

The Toebbes have been charged in a criminal complaint alleging violations of the Atomic Energy Act. The couple, who have two children, are due to appear before a federal court in Martinsburg, West Virginia, tomorrow.

Following her arrest, Diana Toebbe has been suspended from her job as a humanities teacher at the private Key School in Annapolis.

Categories: Cyber Risk News

US Imprisons Man Who Exploited Children Via Social Media

Mon, 10/11/2021 - 18:35

A sexual predator who used social media apps to victimize minors has been sent to prison in the United States.

Jacob Blanco, of Fresno, California, used several ruses to manipulate children as young as six years old into producing sexually explicit material and then sharing it with him.

Using apps including (now TikTok), Kik and Snapchat, the 29-year-old offender posed as a child modeling agent or pretended to be a minor himself to deceive his victims.

Police became aware of Blanco's illegal activity in March 2017 after being contacted by the parents of a six-year-old child. The parents alerted authorities after discovering that their child had communicated with another user on and had created sexually explicit images at the request of that user. 

An investigation into the incident led law enforcement to Blanco, and a search warrant was obtained to search his residence and digital devices. That search revealed that Blanco had successfully persuaded and coerced multiple minors to create sexually explicit material.

In May 2020, Blanco pleaded guilty to five counts of sexual exploitation of a minor and receipt and distribution of material involving sexual exploitation of minors. 

"Blanco admitted, as part of his plea agreement, that he communicated with at least 50 minors and asked for and received sexually explicit images from many of them," said the Department of Justice's Office of Public Affairs in a statement released October 8. 

On Friday, Blanco was sentenced to 55 years in prison followed by a lifetime of supervised release. 

Acting US Attorney Phillip Talbert for the Eastern District of California said: “The fact that the defendant used social media to sexually exploit the victims serves as a reminder that the internet can be a dangerous place especially for children.”

Blanco's sentencing comes a month after the National Center on Sexual Exploitation (NCOSE) urged TikTok to do more to protect minors using its platform. 

Lina Nealon, director of corporate and strategic initiatives at NCOSE, said: "Under an account we created as a 13-year-old, we were easily able to find videos promoting OnlyFans, as well as other pornography and prostitution sites, despite the fact that this type of material is against TikTok’s Community Guidelines."

Categories: Cyber Risk News

Hospital Hacker Steals Patients’ Data

Mon, 10/11/2021 - 17:24

Data belonging to patients of a hospital in New Mexico has been deleted by an unknown cyber-attacker. 

The IT network of San Juan Regional Medical Center in Farmington was breached by an unauthorized individual in September last year. The attack was reported to the United States Department of Health and Human Services' Office for Civil Rights on June 4 as a network server security incident impacting 68,792 individuals. 

In a statement released on October 7, the hospital said that it had launched an investigation after identifying unauthorized access to its network on September 8, 2020.

The hospital said: "Upon learning of the issue, SJRMC immediately took steps to secure the network and mitigate against any additional harm. After an extensive forensic investigation, we determined that as part of this incident, an unauthorized individual removed information from our network September 7–8, 2020."

SJRMC undertook a manual review of the files that had been removed in the cyber-attack. The hospital discovered on July 13, 2021, that those files had contained "the personal and protected health information of certain patients."

The hospital said on October 7 that it is notifying the patients whose data was affected by the incident. Information compromised in the incident includes names, dates of birth, Social Security numbers, driver’s license numbers, passport information, financial account numbers, health insurance information, and medical information (diagnosis, treatment, medical record number, patient account number). 

"This incident does not impact all SJRMC patients, and not all information was impacted for all individuals. SJRMC is now notifying individuals so that they can take steps to protect their information," said the hospital.

SJRMC has not found any evidence to suggest that the compromised data has been misused. The hospital said that the attack did not involve ransomware. 

"Nevertheless, in addition to providing this website notice, SJRMC is sending notification to all affected patients for whom we have enough information to determine a physical address. We have also set up a dedicated call center," said the hospital.

Individuals whose Social Security numbers were in the files removed during the cyber-attack are being offered complimentary credit monitoring services.

Categories: Cyber Risk News

Android Phones Sharing Significant User Data Without Opt-Outs

Mon, 10/11/2021 - 14:30

Android mobile phones are undertaking significant data sharing without offering opt-outs for users, according to a new report by researchers at Trinity College Dublin and the University of Edinburgh.

The authors said the scale of data transmission taking place is far beyond what is to be expected, raising major privacy concerns.

For the study, the team analyzed six variants of the Android OS to determine how much data each sends to its developer and to third parties whose system apps come pre-installed, such as Google, Microsoft, LinkedIn and Facebook. The variants included in the study were those shipped by Samsung, Xiaomi, Huawei and Realme, plus LineageOS and /e/OS.

All of the developers, with the exception of /e/OS, collected a list of all the apps installed on a handset. The researchers noted this information is potentially sensitive, as the apps installed can reveal user interests, such as sexual orientation or political views (e.g., a Republican news app).

The Xiaomi handset was revealed to be sending details of all app screens viewed by users to Xiaomi, including when and for how long each app is used. This data appeared to be sent outside Europe to Singapore. The Huawei handset sent tech giant Microsoft details of app usage, including when the user is writing a text or using the search bar.

Four firms – Samsung, Xiaomi, Realme and Google – were shown to collect long-lived device identifiers, such as the hardware serial number, alongside user-resettable advertising identifiers. Because the long-lived identifier never changes, a freshly reset advertising identifier can be trivially re-linked to the same device, defeating the purpose of the reset.

Additionally, the researchers noted that third-party system apps from companies such as Google, Microsoft, LinkedIn and Facebook are pre-installed on most handsets analyzed and silently collected data without opt-out. This even occurs when the phone is minimally configured and the handset is idle.

Interestingly, the privacy-focused /e/OS variant of Android was observed to transmit virtually no data.

Prof Doug Leith, chair of computer systems at the School of Computer Science and Statistics, Trinity College Dublin, commented: “I think we have completely missed the massive and ongoing data collection by our phones, for which there is no opt-out. We’ve been too focused on web cookies and on badly-behaved apps.

“I hope our work will act as a wake-up call to the public, politicians and regulators. Meaningful action is urgently needed to give people real control over the data that leaves their phones.”

Dr Paul Patras, associate professor in the School of Informatics, University of Edinburgh, said: “Although we’ve seen protection laws for personal information adopted in several countries in recent years, including by EU member states, Canada and South Korea, user-data collection practices remain widespread. More worryingly, such practices take place “under the hood” on smartphones without users’ knowledge and without an accessible means to disable such functionality. Privacy-conscious Android variants are gaining traction though and our findings should incentivize market-leading vendors to follow suit.”

Commenting on the research, Niamh Muldoon, global data protection officer at OneLogin, warned many phone developers could be facing the prospect of large fines if changes are not made. "This research is really interesting as it highlights the risk and financial business impact of not investing in a robust privacy program, which is something that not all businesses pay attention to.

“The business impact is the financial cost associated with legal fees and potential privacy regulatory fines as a result of not adhering to GDPR compliance requirements. There are also financial implications with employee compensation if found that the privacy of their data was not adhered to both from a business collection purpose and/or if adequate protection controls were not in place leading to the result of their data being breached.”

Categories: Cyber Risk News

Most Insurers Mandate MFA, But Premiums Are Still Soaring

Mon, 10/11/2021 - 09:49

US cyber-insurers are increasing premiums and lowering coverage limits despite mandating stricter security controls as a pre-requisite for coverage, according to a new report.

The US Cyber Market Outlook from wholesale insurance broker Risk Placement Services warns that providers have been “battered” by higher-than-anticipated recent losses and are now generally charging much more for less coverage.

“Over the past year, we’ve seen the challenges of the COVID-19 pandemic and increasing frequency and severity of ransomware attacks put pressure on the US cyber liability market,” said RPS national cyber practice leader Steve Robinson.

“While this market dynamic developed quickly, within a matter of months, longstanding underwriting issues in this market, as well as what had been a growing mismatch between exposures and underwriting, helped to create the current situation and the imbalance between coverage supply and demand.”

Sectors hit hard over the past year, including education, government, healthcare, construction and manufacturing, have seen premiums increase by 300% or more at renewal time, even where corporate policyholders have the right set of security controls in place.

Such controls are becoming increasingly widespread, according to RPS. Multi-factor authentication (MFA) is now described as a “must-have” to even qualify for coverage.

Insurers are finding other ways to reduce their risk of losses, the report claimed.

“Insurance companies are incorporating the same scanning technology used by hackers into their own underwriting process. This allows them to assess an organization’s perimeter security and also develop a metric-based estimate for a potential cyber-attack,” it claimed.

“These scanning tools can be used to identify unused, vulnerable open ports that could provide a bad actor with a network entry point.”

The RPS findings are backed by other research this year. A Government Accountability Office (GAO) study from May claimed that take-up of cyber-specific insurance policies had doubled to around half (47%) in 2020, but that successful attacks had also led to rising premiums and reduced coverage limits for some.

Categories: Cyber Risk News

Banking Insider Accused of Role in $1m BEC Scheme

Mon, 10/11/2021 - 09:19

Three men including one former bank employee have been indicted by a federal grand jury for their alleged role in a business email compromise (BEC) conspiracy.

Onyewuchi Ibeh, 21, of Bowie, Maryland, Jason Joyner, 42, of Washington, DC and Mouaaz Elkhebri, 30, of Alexandria, Virginia, were charged with money laundering and aggravated identity theft, according to a superseding indictment late last week.

According to the court documents, they’re said to have targeted firms of all sizes across the globe between January 2018 and March 2020.

After phishing their way into employee accounts, they would allegedly conduct months-long reconnaissance of the victim's email traffic, then step in at the crucial moment when the victim company was expecting a supplier invoice and substitute their own highly convincing request for payment.

Look-alike domains mimicking those of the genuine supplier were used to lend legitimacy to their communications with the victim organization.

At least five businesses lost over $1.1m in total over the period, with the co-conspirators laundering the funds through dozens of bank accounts, according to the Department of Justice (DoJ).

Each man is said to have played a particular role in the scheme.

Ibeh apparently managed the money laundering process, directing the others to open accounts which he used to wire money around the world. Joyner allegedly withdrew criminal proceeds in cash and delivered the cash to the other two. Elkhebri is said to have opened accounts in the names of both co-conspirators and victims, using his position as a bank employee to do so.

Elkhebri worked for Bank of America and TD Bank during the period.

Ibeh and Joyner are charged with conspiracy to commit money laundering and money laundering — and each faces a maximum penalty of 20 years in prison. Elkhebri is charged with conspiracy to commit money laundering, money laundering, false entries in a bank’s books, and aggravated identity theft — charges which carry a maximum of 52 years.

According to Accenture, the cost of cyber-attacks carried out by malicious insiders jumped 15% in 2019 to reach $1.6 million per organization, on average.

Categories: Cyber Risk News