Info Security

Biden Administration Cancels $10bn JEDI Contract

Wed, 07/07/2021 - 20:07

The Biden administration has announced the cancellation of a massive $10bn cloud-computing contract awarded to Microsoft. 

After Microsoft won a lengthy bidding process for the Joint Enterprise Defense Infrastructure (JEDI) cloud contract in 2019, competing contractor Amazon Web Services (AWS) complained that the decision wasn't fair.

Yesterday the DoD issued a statement declaring that the contract had passed its sell-by date and was no longer relevant.

"The Department has determined that, due to evolving requirements, increased cloud conversancy, and industry advances, the JEDI Cloud contract no longer meets its needs," read the statement. 

It continued: "The Department continues to have unmet cloud capability gaps for enterprise-wide, commercial cloud services at all three classification levels that work at the tactical edge, at scale. These needs have only advanced in recent years with efforts such as Joint All Domain Command and Control (JADC2) and the Artificial Intelligence and Data Acceleration (ADA) initiative."

At the same time as the JEDI Request for Proposals (RFP) was trashed, the DoD announced its intention to seek proposals from AWS and Microsoft Corporation to fulfill a new multi-cloud/multi-vendor Indefinite Delivery-Indefinite Quantity (IDIQ) contract called the Joint Warfighter Cloud Capability (JWCC).

The DoD said it would consider proposals from other firms if they were capable of meeting the brief.

"JEDI was developed at a time when the Department’s needs were different and both the CSP's technology and our cloud conversancy was less mature," said John Sherman, acting DoD chief information officer. 

"In light of new initiatives like JADC2 and AI and Data Acceleration (ADA), the evolution of the cloud ecosystem within DoD, and changes in user requirements to leverage multiple cloud environments to execute missions, our landscape has advanced and a new way ahead is warranted to achieve dominance in both traditional and non-traditional warfighting domains."

Alex Rossino, a federal market research analyst at Deltek, commented that having more than one cloud contractor could create challenges. 

"The complicating factor in all of this is the issue of interoperability between the new systems," noted Rossino.

"The DoD will need to ensure that the data in one cloud can be easily accessible to the other."

In its first seven months, the Biden administration has cancelled the Keystone XL pipeline, DoD border contracts, oil and gas exploration leases, and Justice Department contracts with private prisons.

Categories: Cyber Risk News

Most Insider Data Breaches Aren't Malicious

Wed, 07/07/2021 - 18:34

The majority of insider data breaches are non-malicious, according to new research released today by American cybersecurity software company Code42 in partnership with Aberdeen Research.

The report Understanding Your Insider Risk and the Value of Your Intellectual Property found that at least one in three (33%) reported data breaches involve someone with authorized access to the impacted data.

A key finding of the report was that 78% of those insider data breaches involved unintentional data exposure or loss rather than any malice. Researchers observed employees repeatedly taking actions that put valuable company data at risk while fulfilling their day-to-day work responsibilities. 

The daily average of data-exposure events by trusted insiders per user was 13 and included moving corporate files to untrusted locations via email, messaging, cloud or removable media.

While such breaches are unlikely to be caused by malice, they can still have a significant financial impact on a business. The study found the cost per year of breaches from insiders can reach up to 20% of annual revenue.

Businesses are struggling to maintain data security as most of them do not have consistent, centralized visibility over their own digital environments. Researchers found that 75% of organizations lack the tools necessary to track how much enterprise file movement their organization has and to monitor how frequently valuable files are exposed by legitimate users carrying out their daily tasks.

Another key finding of the research was that in 2020 a breach was four and a half times more likely to happen on an endpoint than on a server. 

“Data stewardship has become a boardroom imperative. And while insider risk is not a new problem in security, managing it effectively in today’s open and collaborative business climate with enough resources is,” said Joe Payne, Code42’s president and CEO.

“We know that one out of three data breaches involves an insider, though it’s likely much higher. Important ideas and key IP encompass much more than just the company crown jewels. It includes the very digital and portable information like source code, customer lists and salary structures – data that when taken can leave a devastating impact on a company’s competitive position and bottom line.”

Categories: Cyber Risk News

Over 170 Scam Cryptomining Apps Charge for Non-Existent Services

Wed, 07/07/2021 - 11:00

Security researchers have discovered over 170 Android apps that have scammed tens of thousands of cryptocurrency enthusiasts into paying for non-existent services.

Lookout Threat Lab revealed that 25 of the fraudulent apps were even listed on the official Google Play marketplace.

It separated them into two groups, BitScam and CloudScam, although all use similar business models and the same coding and design.

Both families of scam apps promise the user access to cryptocurrency mining services, capitalizing on a recent spike in the valuation of digital currencies and widespread interest from consumers hoping to make a quick buck.

Those behind the apps are estimated to have made around $350,000 from their victims by charging for the initial app download and subsequent ‘virtual hardware’ or ‘subscription upgrades’ that claim to increase coin mining rates.

In reality, the apps offer nothing under the surface, according to Lookout application security researcher Ioannis Gasparis.

“After successfully logging in, a user is greeted with an activity dashboard that displays the available hash mining rate as well as how many coins they have ‘earned.’ The hash rate displayed is typically very low in order to lure the user into buying upgrades that promise faster mining rates,” he explained.

“After analyzing the code and network traffic, we also discovered the apps display a fictitious coin balance and not the number of coins mined.”

Users are not allowed to withdraw coins until their account balance has hit a minimum level, which is impossible as balances are frequently reset to zero.

“What enabled BitScam and CloudScam apps to fly under the radar is that they don’t do anything actually malicious,” said Gasparis. “In fact, they hardly do anything at all. They are simply shells to collect money for services that don’t exist.”

These apps have scammed around 96,000 victims. Although Google Play has removed the offending titles, dozens more remain on third-party app stores, Lookout warned.

Categories: Cyber Risk News

Kremlin Hackers Reportedly Breached Republican National Committee

Wed, 07/07/2021 - 09:54

State-backed Russian hackers reportedly breached the Republican National Committee (RNC) last week, although the party denies any data was stolen.

Two people familiar with the matter told Bloomberg of the attack, which is thought to have come from APT29 (Cozy Bear), a notorious Kremlin hacking group that was blamed for the 2016 info-stealing raid on the Democratic National Committee (DNC).

The group was also pegged for the SolarWinds campaign and separate raids targeting IP related to COVID-19 vaccine development.

The RNC said that third-party IT services partner Synnex was breached over the July 4 holiday weekend, but no data was taken.

“We immediately blocked all access from Synnex accounts to our cloud environment,” chief of staff Richard Walters reportedly claimed.

“Our team worked with Microsoft to conduct a review of our systems and after a thorough investigation, no RNC data was accessed. We will continue to work with Microsoft, as well as federal law enforcement officials, on this matter.”

In a brief statement, long-term Microsoft distributor Synnex said it had been conducting a thorough security review.

“Synnex … confirms it is aware of a few instances where outside actors have attempted to gain access, through Synnex, to customer applications within the Microsoft cloud environment,” it added.

“These actions could potentially be in connection with the recent cybersecurity attacks on managed service providers.”

Those attacks refer to the ransomware campaign that hit US software firm Kaseya and its downstream customers over the same weekend. However, that attack is believed to have been carried out by financially motivated cyber-criminals rather than a state-backed entity.

John Hultquist, VP of analysis at Mandiant Threat Intelligence, said political parties are ideal targets for espionage actors looking for political, military, and economic intelligence.

“Though these organizations have been famously involved in aggressive hack and leak campaigns, more often than not, Russian hackers and others target them to quietly gather intelligence,” he added.

Categories: Cyber Risk News

US: We May Take Unilateral Action Against Russian Cyber-Criminals

Wed, 07/07/2021 - 08:20

The White House has issued another strongly worded warning to the Putin administration: the US will take action against cyber-criminals living in Russia if the Kremlin doesn’t.

Press secretary Jen Psaki explained that the two countries are continuing “expert-level” talks in the wake of the meeting between Presidents Biden and Putin last month. Another talk focused on ransomware is scheduled for next week.

“I will just reiterate a message that these officials are sending,” she added. “As the President made clear to President Putin when they met, if the Russian government cannot or will not take action against criminal actors residing in Russia, we will take action or reserve the right to take action on our own.”

The news comes in the wake of a major new supply chain attack on US software provider Kaseya, which has affected around 1500 downstream organizations via their managed service providers (MSPs).

The attackers are said to have used the REvil/Sodinokibi variant, whose authors purportedly speak Russian, not least because the malware is coded not to infect any organizations residing in former Soviet countries.

However, given the large number of global affiliate groups using ransomware today, it’s far from clear whether this attack was launched by a Russian gang, even if the malware can be traced back there.

Psaki acknowledged this in the press briefing.

“The intelligence community has not yet attributed the attack. The cybersecurity community agrees that REvil operates out of Russia with affiliates around the world, so we will continue to allow that assessment to continue,” she said.

“But in our conversations — and we have been in touch directly — we are continuing to convey that message clearly.”

Biden revealed on Saturday that he had ordered the intelligence community to provide a “deep dive” on precisely what happened.

In the meantime, the official advice for any affected organizations continues to be to shut down any VSA servers and follow the mitigation steps issued by the Cybersecurity and Infrastructure Security Agency (CISA) over the weekend.

In related news, Kaseya explained in an update yesterday that its planned restoration of the VSA SaaS service had been delayed.

“During the VSA SaaS deployment, an issue was discovered that has blocked the release. Unfortunately, the VSA SaaS rollout will not be completed in the previously communicated timeline,” it noted.

“We apologize for the delay and R&D and operations are continuing to work around the clock to resolve this issue and restore service.”

Categories: Cyber Risk News

Hacker’s Mom Puts End to 10-Month Cyber-bullying Campaign

Tue, 07/06/2021 - 18:49

A cyber-bullying campaign waged against a sixth grader from North Carolina for nearly a year appears to have been curtailed following its discovery by the abuser's mom.

For ten months, 12-year-old Wilson resident Jaylen White was on the receiving end of abuse so severe that he changed schools in a fruitless attempt to escape it and began having suicidal thoughts. 

The cyber-bullying was reported by White and his mother, Sheleen White, to school officials at Wilson Prep when it began disrupting White's remote learning. 

After the school failed to solve the problem, White was enrolled at Elm City Middle School, where he switched to strictly offline learning. 

“They (the school) deleted his account, and we went to paper packets all year,” said Sheleen White. 

White's mother reported the online abuse to her internet provider and to law enforcement officials, but the cyber-bullying campaign continued, with the perpetrator hacking into White's PlayStation account and ruining his games. 

Intimidating messages left by the cyber-bully would flash up on the screen while the Whites were watching movies on Netflix. 

One such message read: "I will stop if you kill yourself I promise." 

White's tormentor sent other messages stating that he knew where his victim was living. 

The Whites were also targeted with frequent fake 911 calls known as swatting attacks that brought emergency services to their home. Law enforcement agencies told the Whites that they did not possess the necessary equipment to be able to trace the calls. 

White became so distraught by the cyber-bullying that he considered taking his own life. 

“I remember him crying and saying, ‘Mom if I just do it, maybe they’ll leave us alone,’ ” Sheleen White told CBS17 News.

“My child is being broken down to the point he is ready to leave the earth because someone is bothering him."

Last week, two new messages, seemingly from the cyber-bully, appeared while the Whites were watching Netflix. 

"I won't hack you anymore. My mom caught me hacking you," read the first message, while the second one said, "She told me to apologize. I'm sorry for hacking you. Imma [sic] gonna disconnect from your stuff."

Since the messages were sent, the cyber-bullying has stopped. Sheleen said she wants to see whoever was behind the bullying caught and punished. 

Categories: Cyber Risk News

Official Formula 1 App Hacked

Tue, 07/06/2021 - 18:34

Fans of Formula One International auto racing were sent strange messages over the holiday weekend after the sport's official app was hacked.

Forbes reports that the messages received by users of the F1 app over the July Fourth weekend are believed to be linked to a targeted cyber-attack. 

A spokesperson for F1 stated that no customer data is believed to have been compromised during the incident.

Two push notifications were sent out, the first of which, delivered at around 8pm CEST on Saturday, only contained the message "foo." Programmers have been known to use the metasyntactic variable "foo" as a placeholder for a value that can change, depending on conditions or on information passed to the program.

App users were then sent a less confusing but more worrying message that read “Hmmmm, I should check my security.. :)”

The unsettling incident, which prompted F1 to launch an investigation, appeared to end there. 

Speaking to ESPN, an F1 spokesperson said that the probe into the incident “confirms that this targeted attack was limited to the Push Notifications Service.”

The spokesperson went on to say that F1 will “continue to investigate, review and improve safety measures but, at this time, have no reason to believe that any customer data has been accessed during this incident.”

The hack raised some concern among the app's users. One user, Jonathan Koziel, left a two-star review for the app on July 3 along with the statement: "This review isn't of the app itself, its [sic] honestly great and it works beautifully though the ads can be annoying. Anyways, [sic] I want to raise a security concern. 

"A couple mins before writing this I got a notification that said "Hmmm, you should check your security.. :)" If anyone can get back to me I would greatly appreciate it."

"While this hack may only have resulted in a mischievous message being sent to users, it certainly had the potential to be much worse," commented Emsisoft's Brett Callow.

"In-app messages could, for example, be used to create very convincing phishing campaigns. If a message were well-crafted, users would have little reason to question it. The moral here is really that folks should be suspicious about everything."

Earlier this year, an augmented reality app operated by the Williams F1 team was disrupted due to a cybersecurity incident. 

The team had intended to reveal its 2021 challenger, the FW43B, via the app on March 5, but removed the app from online stores after it was hacked.

Categories: Cyber Risk News

BA Settles with Data Breach Victims

Tue, 07/06/2021 - 17:00

Compensation is to be paid to thousands of victims of a large-scale data breach at British Airways (BA). 

A legal claim was filed against the airline over a security incident that began in June 2018. Data belonging to around 420,000 people was compromised in a cyber-attack that went undetected for more than two months.

Between June 22 and September 5, 2018, a malicious actor gained access to an internal BA application through the use of compromised credentials for a Citrix remote access gateway.

The breach impacted personal data belonging to British Airways staff and to its customers in the United Kingdom, in the EU, and in the rest of the world. Magecart, a form of digital skimming code, was used by the attacker to collect and steal payment card information, names, and addresses.

An investigation by the Information Commissioner's Office (ICO) found the security measures put in place by British Airways to protect the vast quantities of personal data being processed were inadequate. 

In a penalty notice issued to BA in October 2020, the ICO stated: "After gaining access to the wider network, the attacker traversed across the network. This culminated in the editing of a JavaScript file on BA's website (www.britishairways.com). 

The edits made by the attacker were designed to enable the exfiltration of cardholder data from the 'britishairways.com' website to an external third-party domain (www.BAways.com) which was controlled by the attacker."

BA, which is a subsidiary of International Airlines Group, was initially slapped with a record-breaking fine of £183m by the ICO for violating GDPR. The fine was later reduced to £20m.

While settling the legal claim brought by some of the data breach victims, British Airways did not admit any liability. 

The airline has kept the terms of the settlement under wraps, so it is unclear how much each plaintiff will receive.

BA said it was "pleased we've been able to settle the group action."

Earlier this year, the compensation claim against British Airways was described by a law firm as "the largest group-action personal-data claim in UK history," involving more than 16,000 victims. 

Categories: Cyber Risk News

Industry Must Drive Forward International Collaboration on Cyber

Tue, 07/06/2021 - 15:15

The cybersecurity industry needs to push forward global collaborative efforts to combat cyber-threats. This was the message from a panel discussion during the UK Cyber Security Association’s One Day Summit Event.

Governments need to play a major role in facilitating alignment in this area. Still, the panelists believe the industry associations, who operate in and fully appreciate the increasingly dangerous cyber-threat landscape, must take the initiative for real progress to begin.

Professor Lisa Short, director and co-founder of P&L Digital, emphasized that the digital world is borderless, and “the attacks we’re seeing have a global impact.” Despite this, countries are largely still operating in silos regarding cybersecurity, favoring a “nationalistic approach.”

She added that as yet there hadn’t been a significant global event focused on cybersecurity among major world leaders. “We haven’t seen the 193 nations of the UN, the G7 or the G20 get up with industry experts and have a discussion on what can be done at a global level.”

Chris Windley, co-director of UK Cyber Security Association, noted that while there is much more governments can do to foster collaboration, “we can’t really wait for them, we have to act right now and communicate globally and cooperate.” He believes it requires the leadership and insights of industry organizations like the UK Cyber Security Association and the Cybersecurity Global Alliance to force change.

Short concurred, stating that government machinery is traditionally slow, and left to its own devices, cannot keep up with fast-moving and agile cyber-threat actors. Additionally, she said that most decision-makers do not have the technical knowledge required to enact the proper steps in this space. “Unless they start to have collaborative discussions with industry organizations, who’ve got very deep networks with a multidisciplinary approach, then they won’t address the challenges at the pace of change that we require,” she commented.

A critical aspect of this approach is for the industry to educate governments on just how serious a problem cyber-threats are and the potentially catastrophic impact they may have. James Castle, founder of Global Cyber Security Alliance, said “governments need to start treating this thing as an act of terrorism,” adding that “once we have achieved that then the government will be able to start working with organizations.”

Once governments are working more closely with industry and treating cyber-threats with the seriousness they deserve, they can develop the necessary global infrastructure to foster collaboration. For example, Short advocated developing an international communication system, enabling intelligence to be rapidly passed between governments and organizations, in the same way as there are tsunami and terror warnings. “I don’t think there’s enough communication occurring when there’s intelligence known about potential movements in this space, potential attacks that have occurred and letting the rest of the world know in a much quicker way,” she outlined.

The cyber industry must be at the forefront of such an approach, according to Short. “We need to take this seriously and start to communicate and pass intelligence between organizations around the world.”

Bishakha Jain, senior cybersecurity consultant at IBM India, agreed that communication is key to global collaboration but cautioned that “there has to be a strategy in place.” To communicate effectively between different countries and organizations, “governments need to join hands with everyone to build it together.”

While there is a long way still to go in this space, Windley said that given the surge in high-profile cyber-attacks over the past year or so, we are seeing signs that governments are starting to take the issue more seriously. This includes measures recently introduced by US President Joe Biden in this area, such as an executive order mandating zero trust for all federal government software suppliers.

Categories: Cyber Risk News

Brits Lose Over £1bn in Fraud So Far This Year

Tue, 07/06/2021 - 09:30
Brits have lost over £1bn to fraud and cybercrime in the first six months of 2021, according to money.co.uk’s latest Quarterly Fraud and Cyber Crime Report.

The analysis revealed that 81,018 fraud and cybercrime-related police reports were issued in Q2 2021, with UK residents experiencing a total loss of £382.3m due to these crimes. Interestingly, this represents a significant decrease compared with Q1 2021, when there were 137,695 reports. The personal finance advisory firm believes this decline is due to the easing of COVID-19 lockdown restrictions in Q2, as this reduced online activities.

However, financial losses per average victim were £176 higher in Q2 compared to Q1, at £4,719.

The most common type of fraud and cybercrime in Q2 was related to online shopping and auctions, comprising one in five police reports (14,868). Victims lost a total of £11.9m to these types of activities.

The number of reports fell by half compared to Q1, which could be due to the reopening of non-essential retail in Q2, thereby reducing the volume of e-commerce transactions. Average losses per victim were 29% higher in Q2 than Q1 (£800 vs. £618).

According to the report, crimes relating to financial investments, share sales, or boiler room fraud proved to be most costly to victims in Q2. A total of 1,309 victims lost £35.8m to these activities in this period, equating to £26,585 per person.

Dating scam victims also experienced heavy losses, at £13,558 each on average.

Breaking down the figures by age, Brits aged 30-39 were most commonly hit by fraud and cybercrime, making up 13,172 reports and a total of £37m lost.

Elderly UK residents (aged 70 and above) were more likely to fall victim to computer software and other advance fee frauds than any other age category. This population lost £34.2m to these crimes in Q2, with an average of £6,118 lost per case.

James Andrews, personal finance expert at money.co.uk, said: “Brits have lost more than £1bn as a result of fraudulent and cybercrimes, showing the extent fraudsters have taken advantage of online shoppers during the national lockdown.

“But it’s encouraging to see that cases have decreased significantly in the second quarter of the year, as life has started heading back towards normality. Still, with millions of pounds lost, it’s vital that individuals are aware of what they should be doing to protect themselves against fraudsters.”

Categories: Cyber Risk News

Japan Looks to Boost Military Cyber Experts Amid Security Threat

Tue, 07/06/2021 - 09:07
The Japanese military is set to add hundreds of new cybersecurity specialists to its forces in the face of aggression from hostile nations, according to a new report.

Ministry of Defense plans seen by Nikkei revealed that there were 660 such personnel in the country’s Self Defense Forces (SDF) at the end of fiscal 2020. However, the plan is to increase this figure to 800 by the end of March 2022 and over 1000 by the end of 2023.

A single unit will also be created to look after unified cybersecurity for all three branches of the Japanese military — land, sea and air — in a bid to boost efficiency.

Such expertise is sorely needed in the face of increasing hostility from Chinese and Russian state-backed hackers and organized cybercrime.

In May last year, the government revealed it was investigating a potentially serious breach of national security after prototype plans for a hypersonic missile may have been stolen from Mitsubishi Electric.

The firm was purportedly bidding for a contract for the next-generation military technology, which has plunged the US, Russia and China into yet another arms race.

Sensitive employee data was also taken from the industrial giant by state operatives, it was reported.

According to a recent report from the British think-tank the International Institute for Strategic Studies, Japan lies at the bottom of a global “cyber power” ranking.

Despite its reputation for innovation, the country struggles to match the Five Eyes nations due to constitutional constraints on data collection, the report claimed. It was assessed as Tier Three, the lowest of the three-grade scale.

Alongside the new cyber recruits to the SDF, Japan’s defense ministry is also hiring experts from outside companies like NTT and LAC to work as part-time advisors.

A new cybersecurity training course was recently introduced at the Ground Self-Defense Force’s engineering school, and another program may be set up in collaboration with NTT, according to the report.

Categories: Cyber Risk News

Suspected Cyber-Criminal "Dr Hex" Tracked Down Via Phishing Kit

Tue, 07/06/2021 - 08:42
Security researchers have revealed how patient detective work enabled them to trace and identify a suspected prolific cyber-criminal, who was finally arrested in May.

A two-year investigation into the individual, who often went by the online moniker “Dr Hex,” ended when Interpol’s Operation Lyrebird swooped on the man in Morocco earlier this year.

Group-IB’s Threat Intelligence team claimed the individual was active since 2009 and allegedly responsible for phishing, defacing, malware development, fraud, and carding, resulting in thousands of unsuspecting victims. These included customers of French telecoms companies, banks and other multinationals.

The trail began when the threat intelligence team identified and deanonymized a phishing kit that was used to target a French bank. It found that almost every script used in the kit featured the name “Dr Hex” and an email address.

That email led them to a YouTube channel signed up under the same name, and in turn to an Arabic crowdfunding platform, which revealed another name associated with the individual. This name was apparently used to register two domains created using the email from the phishing kit.

“Using its patented graph network analysis technology, Group-IB researchers built a network graph, based on the email address from the phishing kit, that showed other elements of the threat actor’s malicious infrastructure employed by him in various campaigns along with his personal pages,” Group-IB said.

“A total of five email addresses associated with the accused were identified, along with six nicknames, and his accounts on Skype, Facebook, Instagram, and YouTube.”

Further analysis of this digital footprint revealed that from 2009 to 2018, the threat actor defaced over 130 web pages while also posting on underground platforms — indicating he was involved in malware development.

The research helped Interpol and Moroccan police finally track down the individual.

“This is a significant success against a suspect who is accused of targeting unsuspecting individuals and companies across multiple regions for years, and the case highlights the threat posed by cybercrime worldwide,” comments Interpol executive director of police services, Stephen Kavanagh.

“The arrest of this suspect is down to outstanding international investigative work and new ways of collaboration both with Moroccan police and our vital private sector partners such as Group-IB.”

Categories: Cyber Risk News

REvil Group Demands $70 Million for 'Universal Decryptor'

Tue, 07/06/2021 - 08:19
The group behind the crippling supply chain ransomware attack on a US software company has reportedly demanded $70 million in return for a 'universal' decryption key, as researchers claim there could be thousands of global victims.

It’s believed that the REvil strain was used to compromise Kaseya’s VSA IT management software, although which ransomware affiliate is unknown.

However, as reported by the BBC, there has been surprise at the group’s request that the money be paid in Bitcoin, which is easier to trace than Monero.

In fact, individual ransom requests with affected organizations are apparently still being made in Monero, but the latest $70 million demand for a decryptor for all victims was issued in Bitcoin.

It’s unclear how many organizations are affected. The original estimate from Kaseya of “fewer than 40” was yesterday revised upwards to “fewer than 60.”

Many of these are managed service providers (MSPs) whose customers were affected. The software maker estimates around 1,500 downstream organizations of this sort were impacted — all of whom run its on-premises product.

Among these unlucky organizations are 500 Coop supermarkets in Sweden, 11 schools in New Zealand and two Dutch IT firms.

A report from Kaspersky yesterday claimed as many as 5000 attack attempts had been made in 22 countries since July 2.

The attack's impact may have been exacerbated as it was timed to coincide with the July 4 holiday weekend in the US, meaning many IT security professionals were off duty.

However, the FBI and Cybersecurity and Infrastructure Security Agency (CISA) jointly released guidance for affected MSPs and their customers.

For the former, the advice included downloading Kaseya’s VSA Detection Tool, which is designed to scan systems for any indicators of compromise (IoCs).

Christos Betsios, cyber operations officer at Obrela, pointed out that REvil predecessor GandCrab compromised Kaseya in the past to infect MSPs and their customers.

“The key is always to be prepared for the worst-case scenario, even if proper patch management and vulnerability management programs are in place, we are not secure anymore,” he added. “Attackers will continue to try to compromise big software vendors and distribute their malicious code via them.”

Categories: Cyber Risk News

Attacks on UK Firms Fall for First Time in Three Years

Mon, 07/05/2021 - 10:08
Recorded cyber-attacks against UK businesses have fallen for the first time since 2018, although hybrid working practices represent an ongoing risk, according to new data from Beaming.

The business ISP has been analyzing malicious traffic targeting its customers since 2016, in order to better understand the threat landscape.

It claimed that threat volumes dropped by 9% year-on-year in the second quarter of 2021, bringing them down to levels similar to Q1 2021 when businesses suffered just over 157,000 attacks each on average.

However, businesses should not let their guard down: Beaming customers were each hit by an average of 160,610 attempts to breach their systems in Q2 2021, which amounts to an attack every 49 seconds.

Although these will largely be low-level, automated threats, there’s still the potential to cause damage if defenses aren’t configured correctly — especially as organizations adapt to a new hybrid way of working.

Beaming managing director, Sonia Blizzard, explained that a surge in cyber-attacks early last year coincided with the first lockdown, indicating threat actor efforts to exploit under-protected home workers.

“Attacks have fallen to near pre-pandemic levels as more people returned to their workplaces, but businesses are still in the firing line and face new attacks every minute. We continue to urge caution,” she warned.

“Home and hybrid working remains a permanent fixture for lots of firms. Many of their people will access company data and IT systems via personal devices and unmanaged domestic internet connections. These new normal working practices are inherently insecure and increase the risk of a breach.”

Blizzard urged businesses that allow home working to revisit their security strategy in order to minimize cyber risk.

Phishing emails designed to trick distracted home workers, exploits for unpatched software including VPNs, and hijacking of RDP endpoints protected by weak or breached passwords have been common tactics used to target remote working staff over the past year.

Most attacks from Q2 2021 were traced back to computers in China, followed by the US, India and Russia, Beaming said.

Categories: Cyber Risk News

US the Only Top Tier Cyber-power

Mon, 06/28/2021 - 18:39
The United States of America stands alone as the only "top tier" cyber-power nation, according to a new research paper by the International Institute for Strategic Studies (IISS).

The London-based think tank assessed the cyber-prowess of 15 countries around the world for two years before ranking them into tiers according to their global state cyber-capacity. 

To gauge the cyber-power of each country, IISS examined a range of cyber capabilities, including the strength of the digital economy, core cyber-intelligence capability, cybersecurity and resilience, security functions, maturity of intelligence, and integration of cyber facilities with military operations.

The United States, despite falling victim to a swathe of cyber-attacks including recent assaults on the Colonial Pipeline and meat processor JBS, was the only country deemed advanced enough to occupy the top tier. 

"Since the late 1990s the US has moved more decisively than any other country to defend its critical information infrastructure in cyberspace, but it also recognizes that the task is extremely difficult and that major weaknesses remain," noted IISS.

Researchers found that the offensive cyber capabilities of the United States "are more developed than those of any other country," but also noted that "these capabilities have not yet been demonstrated at their full potential."

In the second tier are the United Kingdom, Australia, and Canada, which together with the US and New Zealand make up the members of the Five Eyes (FVEY) intelligence alliance. 

Appearing in tier two also are Russia, France, and the People's Republic of China. Occupying the third tier are India, Japan, Malaysia, North Korea, Iran, and Vietnam.

The report concluded that China, which boasts the world's second largest economy after the United States, suffers from poor security and weak intelligence analysis when it comes to cyber-power. 

IISS predicts that it will be another ten years at least before the PRC is able to give cyber-powerhouse United States a run for its money. 

The Institute found that while Russia and China have successfully carried out sophisticated cyber-offensives, both countries had holes in their cybersecurity that put them at a disadvantage compared to the countries in tiers one and two.

Categories: Cyber Risk News

Zero-day Exploit Found in Adobe Experience Manager

Mon, 06/28/2021 - 16:18
A zero-day vulnerability has been discovered in a popular content management solution used by high-profile companies including Deloitte, Dell and Microsoft.

The bug in Adobe Experience Manager (AEM) was detected by two members of Detectify’s ethical hacking community. If left unchecked, the weakness allows attackers to bypass authentication and gain access to CRX Package Manager, leaving applications open to remote code execution (RCE) attacks.

"With access to the CRX Package Manager, an attacker could upload a malicious package in Adobe Experience Manager to leverage it to an RCE and gain full control of the application," said a Detectify spokesperson.

Detectify Crowdsource members Ai Ho (@j3ssiejjj) and Bao Bui (@Jok3rDb) uncovered the vulnerability and named it AEM CRX Bypass. 

The pair found that several large organizations were affected by the bug, including Mastercard, LinkedIn, PlayStation and McAfee. 

The vulnerability occurs at CRX package endpoints and can be remediated by blocking public access to the CRX consoles. 

A Detectify spokesperson explained: "The CRX Package Manager is accessed by bypassing authentication in Dispatcher, Adobe Experience Manager’s caching and/or load balancing tool. 

"Dispatcher checks user’s access permissions for a page before delivering the cached page and is an essential part of most – if not all – AEM installations. It can be bypassed by adding a lot of special characters in combination in the request."
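A defender-side check for the remediation the item describes (blocking public access to the CRX consoles). The Python below is an added example, not Detectify's, Adobe's or the researchers' code: it scans constructed web-server access-log lines, normalizes each request path (bounded percent-decoding, slash collapsing, dot-segment resolution, lower-casing) and flags any request that lands on the CRX Package Manager or the OSGi web console, recording whether the server actually served the request instead of blocking it. The log format, the sample lines and the list of console paths are assumptions; the normalization is generic and does not reproduce the reported bypass.

```python
import posixpath
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample access-log lines (not taken from the article or any real
# server), in a common combined-log-like shape: client, timestamp, request
# line, status, size.
SAMPLE_LOG = """\
203.0.113.10 - - [28/Jun/2021:10:00:01 +0000] "GET /content/site/en.html HTTP/1.1" 200 5120
203.0.113.11 - - [28/Jun/2021:10:00:02 +0000] "GET /crx/packmgr/index.jsp HTTP/1.1" 403 120
203.0.113.12 - - [28/Jun/2021:10:00:03 +0000] "POST /%63rx/packmgr/service.jsp HTTP/1.1" 200 310
203.0.113.13 - - [28/Jun/2021:10:00:04 +0000] "GET /content/dam/logo.png HTTP/1.1" 200 8800
203.0.113.14 - - [28/Jun/2021:10:00:05 +0000] "GET /system/console/bundles HTTP/1.1" 200 2048
"""

# Administrative consoles that should not be reachable from the public
# internet. /crx is the CRX Package Manager named in the article; the OSGi
# web console is added as an assumption. Extend for your own deployment.
SENSITIVE_PREFIXES = ("/crx", "/system/console")

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def normalize_path(target: str) -> str:
    """Reduce a request target to a canonical path for prefix matching.

    Query string dropped, percent-encoding undone up to three times (to undo
    double encoding), repeated slashes collapsed, '.' and '..' segments
    resolved, result lower-cased. Generic normalization only.
    """
    path = target.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = re.sub(r"/{2,}", "/", path)
    return posixpath.normpath(path).lower()


def scan_log(text: str) -> List[Dict]:
    """Return one finding per request that targets a sensitive console."""
    findings: List[Dict] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        path = normalize_path(m["target"])
        hit = next(
            (p for p in SENSITIVE_PREFIXES if path == p or path.startswith(p + "/")),
            None,
        )
        if hit is None:
            continue
        status = int(m["status"])
        findings.append({
            "line": lineno,
            "client": m["client"],
            "method": m["method"],
            "path": path,
            "console": hit,
            "status": status,
            # A status below 400 means the console answered instead of the
            # request being blocked at the edge: the block is not effective.
            "served": status < 400,
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        verdict = "SERVED - block not effective" if f["served"] else "blocked"
        print(f"line {f['line']}: {f['client']} {f['method']} {f['path']} "
              f"-> {f['status']} ({verdict})")
```

Findings with `served` set are the ones to act on: a blocked request is expected background noise, whereas a served request shows the console was reachable and the Dispatcher or reverse-proxy rules need attention. Run it on real logs only after confirming the regex matches your server's log format.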

Security researcher Bao Bui is a former CTF player of the Meepwn CTF Team who started hunting bug bounties around a year ago. Security engineer and developer Ai Ho has been active on the bug bounty scene for two years, building his own bug-catching tools and sharing them on GitHub.  

The zero-day flaw was reported to Adobe, who swiftly released a patch for it. The AEM CRX Bypass zero-day was then implemented as a security test module on Detectify’s platform. 

"Since it went live in May 2021, around 30 instances of the AEM CRX Bypass vulnerability have been in customers’ web applications," said a Detectify spokesperson. 

Detectify's scans for more than 80 unique AEM vulnerabilities have generated over 160,000 hits in total so far. 

Categories: Cyber Risk News
