Info Security


Texan Arrested for Cyber-stalking Realtors and Threatening Their Kids

Tue, 01/14/2020 - 15:38

A Texas man has been arrested on suspicion of sending perverse and threatening text messages to real estate agents across America.

Lubbock resident Andy Castillo allegedly used multiple phone numbers and an app to mask his identity when cyber-stalking as many as 100 realtors in up to 22 different states. 

The 56-year-old is accused of sending pornographic images to agents along with sexually explicit text messages soliciting sex. It is further alleged that Castillo attempted to solicit sex from some agents' children. 

Castillo is accused of downloading photographs of agents' kids from social media and sending the pictures to the agents, along with chilling descriptions of his desire to sexually assault their children.

All the real estate agents targeted in this particularly disturbing cyber-stalking case are women. 

Detective Joseph Scaramucci said Castillo "was searching the top 10 realtors in different cities" and "saving female realtors' photographs right off the internet with their contact information."

Castillo was arrested in his apartment last week and taken into custody by McLennan County Sheriff's Office (MCSO). Authorities seized two cellphones and an electronic tablet belonging to Castillo.

Deputies allege that just five minutes prior to his arrest, Castillo sent lewd and threatening messages to people in San Francisco and New Orleans.

McLennan County sheriff Parnell McNamara said the MCSO began investigating Castillo in late December 2019 after receiving complaints from seven Waco-based realtors about pornographic images and messages that they had received from unknown numbers.

The results of the investigation suggest Castillo sent sexually explicit and threatening messages to women in at least twenty cities in ten different states. However, McNamara said Castillo could have stalked hundreds of women in up to 22 states and that he is expecting further victims to come forward.

Currently, Castillo is accused of cyber-stalking agents throughout Texas, including in Amarillo, El Paso, Lubbock, San Antonio, and Waco. The Texan is facing a second-degree felony charge of criminal solicitation with intent to commit aggravated sexual assault of a child.

Police are investigating reports of similar cyber-stalking behavior that have been filed in Tucson, Arizona; Anaheim, Berkeley, Irvine, San Jose, and Santa Clara, California; Broward County and Daytona Beach, Florida; New Orleans, Louisiana; Reno, Nevada; Albany and Manhattan, New York; Belfort, South Carolina; Seattle, Washington; and Washington, D.C.

Categories: Cyber Risk News

Most Firms Still on Windows 7 as Support Deadline Arrives

Tue, 01/14/2020 - 12:30

Two-thirds of UK businesses and two-fifths of US firms are still running Windows 7, according to new research released on the day the operating system, and Windows Server 2008, reach their end-of-support deadline.

Organizations that fail to upgrade their operating systems or invest in costly extended support from Microsoft will no longer receive patches from the vendor, exposing themselves to unnecessary cyber risk, according to Kollective, which issued the research.

“It took many businesses up to three years to move from XP to Windows 7 and we can expect a similar timeline for the move to Windows 10. While a lot of companies have migrated the majority of their systems away from Windows 7, being “almost there” isn’t good enough,” argued Jon O’Connor, solution architect at Kollective.

“It only takes a handful of unsecured devices to launch a full-scale cyber-attack, so having even one or two Windows 7 PCs on your network could pose a serious risk. IT teams need to know for certain that every single device on their networks is off of Windows 7 — but the reality is that most simply don’t know.”

As if to emphasize the potential risks of staying on unsupported operating system versions, news emerged this week that Microsoft is shipping a fix today for a critical flaw in a core Windows component, which could have wide-ranging consequences if left unpatched. The bug is so bad that reports suggest Redmond has already secretly supplied the patch to high-value customers.

Carl Wearn, head of e-crime at Mimecast, urged organizations to ensure they have third-party security tools in place to help shield any exposure to threats.

“As organizations move their operations to the cloud, legacy support issues like this will likely become a thing of the past in the next 10 to 15 years, but as Windows 7 remains in use across many organisations at present people should be aware of the increased vulnerability which this OS will now experience as it is no longer supported,” he continued.

“Ensuring good cyber hygiene and the use of fallback facilities, as well as ensuring the updating of a good antivirus solution, becomes even more critical to an organization if it continues to use an unsupported OS.”

Trend Micro argued that “virtual patching,” or intrusion prevention technology, can also help in these circumstances, by protecting unsupported and unpatched operating systems.

“Speaking to numerous businesses over recent weeks, a worryingly high number are prepared to adopt a wait-and-see policy following the end of Server 2008 support on 14 January 2020,” argued VP of sales, Ross Baker.

“This amounts to an extreme hedging of bets and something we would definitely not recommend.”

Some organizations may not be able to upgrade to new OS versions if they have compatibility issues with business-critical legacy applications, or, for example, if Windows has been embedded in OT systems by a manufacturer, added VP of security research, Rik Ferguson.

Categories: Cyber Risk News

Texas School District Loses $2.3m in Phishing Raid

Tue, 01/14/2020 - 10:50

A Texas school district has found out the hard way that phishing attacks remain a serious financial threat to organizations of all shapes and sizes, losing an estimated $2.3m in a recent scam.

Manor Independent School District took to Twitter to post official confirmation that the FBI is currently investigating the incident.

“This investigation is still ongoing and although there are strong leads in the case we are still encouraging anyone with information to contact Detective Lopez at the Manor Police Department,” it added.

According to reports, three separate fraudulent transactions took place in November last year following the phishing attack, although there are few other details to go on.

The news comes as school districts in the US battle against a growing threat from ransomware.

Data released by Armor in December 2019 revealed that 72 districts had been impacted during the year, affecting an estimated 1039 schools nationwide. Separate findings from Emsisoft released at the end of the year claimed as many as 1224 schools may have been affected.

Javvad Malik, security awareness advocate at KnowBe4, argued that employee error needs to be addressed more effectively by organizations at risk of phishing attacks.

“Cyber-criminals will attack organizations with the intention of getting the highest return on investment. Usually this translates into social engineering attacks, which are in essence cons against people to do things against the interest of the company,” he added.

“This usually occurs in the form of phishing emails, but can also be SMS messages or phone calls. Therefore, organizations should take time to invest in security awareness and training so that they can be better-prepared to identify and report any suspicious activity.”

Ed Macnair, CEO of Censornet, argued that in failing to mitigate the risk of phishing, the Texas school district also potentially exposed its 10,000 pupils to data theft.

“There is no doubt about the importance of training employees to recognize these modern phishing techniques. Unfortunately, emotions often take over from reason in these situations and no amount of training can account for this,” he added.

“Employee awareness therefore needs to be combined with a robust, multi-layered approach to email security. Traditional pattern matching technologies are useless against modern techniques and organizations need to combine algorithmic analysis, threat intelligence and executive name checking to efficiently protect themselves.”

Categories: Cyber Risk News

Aussie Bushfires Donation Site Hit by Magecart Thieves

Tue, 01/14/2020 - 09:42

A website set up to accept donations for victims of the devastating Australian bushfires has become a victim itself — of digital skimming code designed to harvest card details.

Security researchers at Malwarebytes took to Twitter to reveal the problems that hit the unnamed donations site, which was raising money for those affected by fires in Lake Conjola that have destroyed scores of homes.

In such Magecart-style attacks, hackers typically inject malicious JavaScript into payment pages to harvest card and personal data as it is entered by shoppers, or in this case, donors to a worthy cause. It is then exfiltrated to an external domain under the attackers’ control.

It’s a tried-and-tested method for data theft that lands the attackers with a complete set of information for each victim, worth more on the dark web than individual components.

In this incident, the malicious script in question was identified as “ATMZOW” and the known bad domain it exfiltrated data to was spotted as vamberlo[.]com.

Replying to the post on Twitter, Troy Mursch of security firm Bad Packets claimed that the same malicious script had been identified targeting an additional 39 separate websites.

Deepak Patel, security evangelist at PerimeterX, argued that Magecart attackers have hit new lows with this latest raid.

“Given the lack of visibility into such client-side attacks, the website owners often find out about the data breach days or weeks after the code injection. This extended time allows skimmers to monetize the stolen cards to the fullest extent,” he explained.

“Any site that processes user PII and accepts payments should take steps to shore up their application security by tracking and monitoring first- and third-party code execution on their sites in real time.”

RiskIQ last year claimed to have identified over two million Magecart detections in the wild — a sign of its growing popularity among black hat data thieves.
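The real-time monitoring of first- and third-party code that Patel recommends above can be approximated from the server side by inventorying the scripts on a payment page and diffing that inventory against an approved baseline. The following is an added example, not code from the article, Malwarebytes or PerimeterX: it parses a page, records every external script host and a SHA-256 of every inline script, and reports new hosts, changed inline scripts and any host on a known-bad list. The sample checkout page, the baseline and the host names are constructed; the only page-derived value is the vamberlo[.]com domain named in the report.

```python
"""Audit the <script> inventory of a payment page against an approved baseline.

Added example, not part of the original article. The sample page, baseline
and host names below are constructed for illustration.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Exfiltration domain reported in the article (defanged there as vamberlo[.]com).
KNOWN_BAD_HOSTS = {"vamberlo.com"}


class ScriptCollector(HTMLParser):
    """Collect src attributes of <script> tags and the bodies of inline scripts."""

    def __init__(self):
        super().__init__()
        self.external = []      # src URLs of external scripts
        self.inline = []        # bodies of inline scripts
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_inline:
            self.inline.append("".join(self._buf).strip())
            self._in_inline = False


def inventory(html, page_host):
    """Return (set of script hosts, set of SHA-256 digests of inline scripts)."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    hosts = set()
    for src in parser.external:
        host = urlparse(src).hostname
        # A relative src such as "/static/app.js" is first-party code.
        hosts.add(host.lower() if host else page_host)
    hashes = {hashlib.sha256(body.encode()).hexdigest() for body in parser.inline}
    return hosts, hashes


def audit(html, page_host, baseline_hosts, baseline_inline_hashes):
    """Compare the page's current script inventory with the approved baseline."""
    hosts, hashes = inventory(html, page_host)
    return {
        "known_bad_hosts": sorted(hosts & KNOWN_BAD_HOSTS),
        "new_external_hosts": sorted(hosts - baseline_hosts),
        "new_inline_scripts": sorted(hashes - baseline_inline_hashes),
    }


# Constructed sample: a donation checkout page after a skimmer has been injected.
SAMPLE_PAGE = """<html><head>
<script src="/static/checkout.js"></script>
<script src="https://js.example-psp.com/v3/"></script>
<script>window.donationTotal = 50;</script>
<script src="https://vamberlo.com/loader.js"></script>
</head><body><form id="card"></form></body></html>"""

# Constructed baseline captured when the page was last reviewed and deployed.
BASELINE_HOSTS = {"donate.example.org", "js.example-psp.com"}
BASELINE_INLINE = {hashlib.sha256(b"window.donationTotal = 50;").hexdigest()}


def run_sample():
    """Audit the constructed sample page against the constructed baseline."""
    return audit(SAMPLE_PAGE, "donate.example.org", BASELINE_HOSTS, BASELINE_INLINE)


if __name__ == "__main__":
    for finding, values in run_sample().items():
        print(f"{finding}: {values}")
```

In a monitoring job the page would be fetched on a schedule and `audit` run against the baseline stored at deploy time; any non-empty finding is a signal to inspect the page before the skimmer has had days or weeks to run. Hashing inline bodies rather than storing them catches a modified first-party script as well as a newly added one. This check complements, rather than replaces, a Content Security Policy and Subresource Integrity on the page itself.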

Categories: Cyber Risk News

US to Axe Drone Fleet Containing Chinese Tech

Mon, 01/13/2020 - 16:21

The US government is planning to ground a fleet of nearly 1,000 drones it fears could be compromised by the People's Republic of China (PRC).

As reported by the Financial Times yesterday, the Interior Department is halting the use of over 800 drones that contain parts developed in the PRC. 

The decision to ground the unmanned flying fleet was triggered by concerns that the Chinese parts could be utilized by the PRC government for the purpose of spying on the activities of the United States.

A total of 810 remotely controlled quadcopters were grounded in October 2019 pending an investigation into their security. Now officials have warned that the PRC government has the ability to access images captured by the drones together with their location data. 

The Times was informed of the plan to permanently ground the fleet by two individuals who had been party to a briefing on the subject. Documents obtained by the paper indicate that the proposal has met with objections from various agencies.   

“Unmanned aircraft systems are a unique tool that fit into this mission and allow us to make high-quality surface observations at a fraction of the price of manned aircraft operations,” an Interior Department staff member wrote in an email obtained by the Times.

The grounding has not yet been officially approved by Interior Secretary David Bernhardt. However, the Times' sources have said that it is likely that Bernhardt will take the drones out of service, reserving them for training purposes and providing assistance in emergency scenarios such as tackling wildfires. 

Drones are already used by the Interior Department as a cheaper and safer alternative to tracking natural resources, mapping terrain, inspecting dams, and monitoring wildfires with manned aircraft. 

An all-American drone designed and manufactured completely in the United States is still years away from becoming a reality, according to the Times' official sources. 

Legislation banning the US government from using drones manufactured by countries deemed to be "non-cooperative" with America is currently being considered by Congress. The two pieces of legislation proposed are the American Drone Security Act in the Senate and the Drone Origin Security Enhancement Act in the House.

Categories: Cyber Risk News

#THIREurope: How Target Improved its Threat Hunting Capabilities

Mon, 01/13/2020 - 15:45

A threat hunting team can be better enabled when given the time and interest to focus on what it wants.

Speaking at the SANS Institute Threat Hunting and IR Europe conference in London, David Bianco, principal engineer, cybersecurity, and Cat Self, lead information security analyst, both at Target, explained how the company's threat hunting team evolved.

Bianco said that Target had the idea to develop the threat hunting team “into something more modern, as we had the same program for several years.” 

Looking at the existing program, the company asked what was working well and what was not working as well, and assessed what else could be accomplished. Self said that by working with level 2 and 1 analysts and engaging them on what they were frustrated by and what they would like to make changes on, they were able to determine three ways to improve the threat hunting efforts:

  • Program focus – change focus to align with what Target needed the program to do
  • Operational consistency – so they know how things are running
  • Hunt topic strategy – to gain a layer of strategy on top of hunting

“The program was created to find new incidents that had been missed,” Bianco added, saying that over time the focus of the program shifted and moved from finding incidents and ensuring visibility, to being a source of knowledge transfer between SOC analysts.

He said that human scale detection cannot be relied upon, and the “number one goal was to tweak the focus from finding incidents to figuring out how to do better at automated detection.”

Self also said that an analyst would determine and research a topic as well as carry out associated work and writing, on top of the full-time job, and this was being done for one week in an eight-week cycle. “It was asking too much to do all the work,” she said.

Bianco said the concept was changed to include a mix of long term projects and special requests, as well as asking the analysts what they wanted to hunt on.

They concluded by recommending a working strategy which includes hiring threat hunters, allowing them time to prepare and doing threat hunting effectively to find what is not known and not being exploited, and to avoid “hitting everyone everywhere.”

Categories: Cyber Risk News

TSA Desires "Cybersecurity by Design"

Mon, 01/13/2020 - 15:12

The United States Transportation Security Administration (TSA) has publicly announced that it's on a "quest to merge cybersecurity and information technology."

Instead of cybersecurity being an add-on or afterthought, the TSA wants the industry to adopt a culture of "cybersecurity by design" when dreaming up and manufacturing security equipment.

The transport-focused sub-tier of the Department of Homeland Security has not taken on this mission alone, but rather says that it's acting with the support of America's airport facilities. 

The joint call for a new mindset from the security industry was announced in a special notice on January 7.

"The purpose of this special notice is to inform [the] industry of TSA's and airport facilities' quest to merge cybersecurity and information technology," wrote the TSA.

"This and future notifications will provide [the] industry with ongoing meeting overviews and actions that specifically address information security and security screening technologies."

Along with its desires for an integrated approach, the TSA listed 17 key requirements for the information security and security screening technologies industry, with the aim of ensuring all parties are working toward a common goal.

Demonstrable "cybersecurity by design" for security equipment topped a list that also called for password control that allows airport operators to change system-level passwords and the vetting of all maintenance personnel, both local and remote, via background checks. 

Systems must be updatable as vulnerabilities are discovered, and security assessment tools should run on devices to scan for them. In addition, systems must ensure the unique identification of people, activity, or equipment access and be able to audit, analyze, and monitor events.

To protect supply-chain integrity, a complete list of all software and hardware making up screening equipment will be required from vendors.

Vendors are also expected to protect screening algorithms from compromise with systems that issue alerts when accessed. Steps must also be taken to prevent unauthorized physical access—via USB ports, for example.

"Sharing these requirements with [the] industry and the public will: Increase security levels; raise the bar of cybersecurity across screening solutions; provide vendors an opportunity to demonstrate their cybersecurity credentials; and provide an aligned approach across the industry—making it easier for vendors to adapt to end user requirements," wrote the TSA.

Categories: Cyber Risk News

Seattle to Host Major New Cybersecurity Event

Mon, 01/13/2020 - 14:30

The verdant city of Seattle is to host a new three-day event dedicated to cybersecurity and the cloud.

CSA SECtember will feature in-depth training sessions, networking opportunities, and the chance to interact with a score of global experts. 

The event is the brainchild of global non-profit the Cloud Security Alliance (CSA), which is headquartered in Seattle. The organization is known around the world for its popular cloud security provider certification program, the CSA Security, Trust & Assurance Registry (STAR).

The inaugural SECtember will go down at the Sheraton Grand Seattle hotel from September 14 to 17, 2020. 

"Seattle is well-established around the world as the center of cloud computing, and with the introduction of SECtember, it can be the focal point of cybersecurity, as well," said Jim Reavis, CEO and co-founder, Cloud Security Alliance.

A major focus of the event will be to educate the industry on key trends and issues affecting the cloud and cybersecurity industry. Close attention will also be paid to where and how cybersecurity and the cloud intersect.  

Reavis said: "In 2020, cloud computing is now the primary mode of computing around the world and is also the foundation for cybersecurity writ large and the means by which we secure all forms of computing, such as the Internet of Things."

According to Reavis, the CSA's new September spectacular is unlikely to be a one-off event. 

He said: "CSA is making a permanent commitment to bring this signature event to our home city on an annual basis, which is rapidly becoming a magnet for companies in the technology and cloud space.” 

Attendees of the first ever SECtember will be spoiled for choice when it comes to training opportunities. Courses already confirmed include the Certificate of Cloud Security Knowledge (CCSK) Foundation (1 day), CCSK Plus (2 days) along with CCSK Plus AWS and Azure, Cloud Governance & Compliance (1 day), Advanced Cloud Security Practitioner (2 days), and Certificate of Cloud Auditing Knowledge (2 days).

Though the event is primarily educational, the CSA has factored in a little playtime. 

"SECtember will bring together thought leaders from five continents to provide a global perspective on strategic cloud and cybersecurity issues and will provide state-of-the-art educational activities," said Reavis.

"While the topic of our conference is serious, we guarantee that the event will also be fun."

Categories: Cyber Risk News

#THIREurope: APT Groups Now Using Similar Tools in Espionage and Cybercrime Attacks

Mon, 01/13/2020 - 13:30

Speaking at the SANS Institute Threat Hunting and IR Europe conference in London, Tom Hall, principal consultant for incident response, and Mitch Clarke, incident response consultant UK&I, both at Mandiant, talked about lessons learned from the APT41 detection last summer, and how tools are being used by different threat actors.

The speakers said that they believed APT41 are “sponsored by the Chinese government” but not part of the state’s offensive operations. The group has been seen conducting espionage operations during daytime working hours and “cybercrime activities” in the evening, including targeting healthcare and telco companies for IP theft.

Clarke explained that the group “flip the infrastructure and use it for cybercrime and non-espionage tasks,” which has involved stealing source code and certificates; in the day job they flip back to espionage and use those certificates to sign malware to run in their operations.

Hall explained that APT41 have used stolen certificates to sign tools and hide from incident responders and forensic investigators. “It is not a case of if it is signed you can trust it.”

In attacks conducted by the APT34 group, the Mandiant researchers said that another tool called “SEASHARPEE,” which comprises a loader and an embedded payload, was used as a second-stage webshell.

Hall explained that SEASHARPEE has “anti-forensic capabilities and extended functionality dependent on the sample” and while they were first seen in APT34 intrusions in October 2015, the APT34 toolsets were leaked and reported in April 2019 and were reported as being used by the APT27 attackers in 2019.

Clarke said that the presence of this particular type of malware shows that attribution cannot be completely relied upon, as you need to keep an open mind for who or what is being used and for which activity.

“Just because it is signed, it doesn’t mean it is trusted,” Clarke said. “You can add malicious certificates into root stores and an invalid cert would be available in the store.”

Speaking to Infosecurity, and asked if they felt that groups were exchanging tools or selling them on dark markets, Clarke said that sharing was very rare among threat actors, but it was more likely that different actors were using a similar kit.

Categories: Cyber Risk News

St Louis Man Jailed for $12m Tax Refund Scam

Mon, 01/13/2020 - 12:00

A St Louis man has been sentenced to four years behind bars for his part in a major identity fraud campaign in which a group claimed over $12m in tax refunds.

Babatunde Olusegun Taiwo will spend 48 months in prison plus three years of supervised release and will pay restitution of $889,712, according to the Department of Justice (DoJ).

That amounts to the total the IRS paid out in tax refunds to Taiwo and his co-conspirators after they filed over 2000 fraudulent returns, the DoJ said.

They apparently used personally identifiable information (PII) obtained from a breach at a payroll company to file returns on behalf of hundreds of school district employees in Alabama and Mississippi.

In a bid to conceal the fraud, they stole and used “electronic filing identification numbers” from businesses that help their clients with tax returns. However, they directed the IRS to send refunds to their homes in St Louis, which is likely to have raised internal red flags.

“Today’s sentencing of Babatunde Taiwo highlights how seriously IRS Criminal Investigation and our law enforcement partners take the issue of identity theft,” said Thomas Holloman, special agent in charge of the Atlanta IRS Criminal Investigation field office.

“We will continue to pursue criminals who prey on innocent victims and we will continue to enforce our nation’s tax laws. Today’s sentencings should send a clear message to would-be criminals — you will be caught and you will be punished.”

Co-conspirator Kevin Williams has already been sentenced to 78 months behind bars for his role in the scheme, as well as voter fraud and re-entering the US after having been removed.

The IRS, and the UK’s HMRC, are frequently targeted by scammers impersonating legitimate taxpayers, and are often themselves spoofed in phishing emails sent to victims.

The “Dirty Dozen” list of tax scams circulated by the IRS last year highlighted the most popular tricks used by fraudsters, but the tax office warned that such “aggressive” schemes are constantly evolving.

Categories: Cyber Risk News

Hundreds of Millions of Broadcom Modems “Haunted” by New Bug

Mon, 01/13/2020 - 11:00

Security researchers are warning of a new critical vulnerability affecting multiple cable modem manufacturers that use Broadcom chips — exposing hundreds of millions of users to remote attacks.

Discovered by three researchers from security consultancy Lyrebirds and an independent researcher, the so-called “Cable Haunt” bug (CVE-2019-19494) is described as a buffer overflow, “which allows a remote attacker to execute arbitrary code at the kernel level via JavaScript run in a victim's browser.”

Specifically, the flaw is found in the Broadcom chip’s spectrum analyzer component, which is designed to identify problems with the modem cable connection. If attackers can first trick the user into opening a web page containing malicious JavaScript, possibly via a phishing email, then they can trigger the buffer overflow, giving them access to the modem.

This opens up a range of potential options to the hackers, including: changing the default DNS server, disabling ISP firmware upgrades and covertly changing the code themselves, man-in-the-middle attacks and conscripting the device into a botnet.

Basically, it means being able to snoop on all traffic flowing into the modem, send users unwittingly to malicious domains and launch botnet attacks.

The scale of the problem is potentially immense — affecting many more devices than the 200 million estimated in Europe.

“The reason for this is that the vulnerability originated in reference software, which has seemingly been copied by different cable modems manufacturers when creating their cable modem firmware,” the researchers warned. “This means that we have not been able to track the exact spread of the vulnerability and that it might present itself in slightly different ways for different manufacturers.”

ISPs have been contacted by the team with a fix prior to disclosure, but the quartet claimed only to have had “limited success” with this approach. Models from Netgear, Sagemcom, Technicolor and Compal are among the 10 identified as affected.

However, the vulnerable spectrum analyzer in question is not directly exposed to the internet, making this attack a relatively complex endeavor and therefore not likely to be used in mass campaigns given the numerous other flaws that can be more easily exploited in routers.

Categories: Cyber Risk News

National Lottery Hacker Jailed for Nine Months

Mon, 01/13/2020 - 10:00

A cyber-criminal has been jailed for nine months for committing offences against the National Lottery.

Following a National Crime Agency (NCA) investigation, Anwar Batson, 29, of Notting Hill, London, was sentenced at Southwark Crown Court on 10 January. He admitted four offences under the Computer Misuse Act 1990 and one fraud charge.

The NCA was notified of the attack against National Lottery accounts in November 2016. The customer database affected contained around nine million records.

Daniel Thompson, 27, of Newcastle, and Idris Kayode Akinwunmi, 21, of Birmingham, were jailed for eight months and four months respectively for the attack in July 2018, having used an online application to bombard victims’ web domains with thousands of attempts to log in to customer accounts.

The NCA stated that Batson was responsible for using a widely available hacking tool – Sentry MBA – to create a file that launched the attack, telling others they could make quick cash by using the tool against Camelot (which runs the National Lottery) and also giving the username and password of one lottery player to Akinwunmi, who stole £13 from his account before sending Batson £5.

Batson was arrested in May 2017 and, whilst he first denied any involvement in the crime, police officers discovered conversations between him and others about hacking, buying and selling of username and password lists, configuration files and personal details. His computer also contained a conversation with Akinwunmi about stealing the £13, the NCA added.

NCA senior investigating officer Andrew Shorrock said: “Even the most basic forms of cybercrime can have a substantial impact on victims.

“No one should think cybercrime is victimless or that they can get away with it. The NCA will pursue and identify offenders and any conviction can be devastating to their futures.”

Categories: Cyber Risk News

Citrix Admins Urged to Act as PoC Exploits Surface

Mon, 01/13/2020 - 09:45

IT administrators are being urged to put in place mitigations for a serious Citrix vulnerability which the vendor says won’t be patched until next week at the earliest, after proof-of-concept (PoC) exploits were published.

The tech giant revealed the CVE-2019-19781 vulnerability in its Citrix Application Delivery Controller (ADC) and Citrix Gateway back in mid-December last year.

If exploited, it could allow an unauthenticated attacker to perform arbitrary code execution, the firm warned, strongly advising customers to apply the relevant mitigations and update the firmware when a new version becomes available.

However, in a new blog post, Citrix revealed that these fixes would not be available until January 20 at the earliest, with version 10.5 not receiving one until January 31.

That could give attackers enough time to compromise organizations which have not applied the relevant mitigations. PoCs have started to emerge on GitHub over the past few days which could allow attackers to gain full control over affected devices.

Troy Mursch, chief research officer at Bad Packets, warned that he had detected multiple exploit attempts from a host in Poland over the weekend.

“Given the ongoing scanning activity detected by security researcher Kevin Beaumont and SANS ISC since January 8, 2020 – it’s likely attackers have enumerated all publicly accessible Citrix ADC and Citrix (NetScaler) Gateway endpoints vulnerable to CVE-2019-19781,” he added.

It’s believed that tens of thousands of systems could be at risk.

Tripwire researcher Craig Young claimed that 39,378 of the 58,620 IP addresses he detected likely to be NetScaler or ADC VPN portals did not have mitigations enabled.

“The list contains countless high value targets across a swath of verticals including finance, government, and healthcare,” he added. “In total, there were 141 distinct domain names ending .gov plus another 351 distinct names containing .gov. in the domain.”

Categories: Cyber Risk News

Cyber-Attack Makes California Students Learn "Old School" Style

Fri, 01/10/2020 - 18:45

Students in California's Pittsburg Unified School District, in Contra Costa County, were left without internet access on Monday as the result of a ransomware attack.

With schools' internet servers and email compromised, youngsters returning to classes after the winter break were forced to enrich their brains the old-fashioned way, through books and direct teaching. 

“We will be teaching and learning like ‘back in the day,’ without laptops and internet,” wrote Pittsburg Unified School District Superintendent Janet Schulze on social media on Monday night. 

“Our schools have access to student information and our phones are working.”

Alongside her message that students would be going back to "old school," Schulze said that a ransomware attack had disabled the district’s network systems during the festive break.

According to The Mercury News, the district took all the servers affected by the attack offline, along with any servers that may have potentially been compromised. 

No personal data is reported to have been accessed as a result of the incident, and normal teaching schedules were resumed on Tuesday. 

"At this time, we do not have any indication that personal data/information has been compromised," wrote Schulze. 

"We are continuing to investigate and work with a cybersecurity team and experts. Since the investigation is continuing, complete findings are not available, and it is still too early for us to provide further details."

It was reported on Tuesday that the district was working with two internet technology companies to find a remedy for the attack. Contact has also been established with attorneys who specialize in dealing with the fallout from ransomware attacks.

The latest ransomware attack is the second such incident to befall a Contra Costa County system since the new year began. On Friday, January 3, a similar attack on Contra Costa County Library System resulted in a network outage in which services at 26 branches were impacted.

Library services are yet to be restored, and visitors to the system’s website are being greeted with the message: "Our network is currently down, and patrons are unable to login at this time. We are investigating the issue and will establish service as soon as possible."

Categories: Cyber Risk News

Patients of Hacked US Surgical Company Hit with Ransom Demands

Fri, 01/10/2020 - 17:55

Patients of a hacked facial surgery company in Florida are being individually threatened by cyber-criminals, who are demanding money in return for not releasing stolen personal information to the public.

The Center for Facial Restoration, Inc. (TCFFR), located in Miramar, became the victim of a cyber-attack in November last year. 

In a statement published on the TCFFR website, plastic surgeon and company founder Dr. Richard Davis wrote: "On November 8, 2019, I received an anonymous communication from cyber criminals stating that my clinic’s server [was] breached."

"The hackers claimed to have 'the complete patient’s data' for TCFFR that 'can be publicly exposed or traded to third parties.'"

Along with the message that his business had been compromised, Davis received a demand for an undisclosed ransom. 

The ambitious cyber-criminals, not content with whatever money they may have been able to extort from the specialist rhinoplasty company, then began demanding ransoms from individual TCFFR patients. 

"They demanded a ransom negotiation, and as of November 29, 2019, about 15–20 patients have since contacted TCFFR to report individual ransom demands from the attackers threatening the public release of their photos and personal information unless unspecified ransom demands are negotiated and met," wrote Davis.

Davis believes up to 3,500 former and current patients may have been affected by the cyber-attack. Compromised data may include driving licenses, passports, home addresses, email addresses, phone numbers, patient photographs, and credit card payment receipts. 

The incident was reported to the FBI's Cyber Crimes Center on November 12, and on November 14 Davis met with the Bureau to pass on detailed information regarding the attack and the ransom demands. 

Davis wrote: "The investigation is currently ongoing. The FBI requests that patients receiving ransom demands file an independent cybercrime complaint online at"

Since the attack, Davis has installed new hard drives, firewalls, and virus/malware detection software in hopes of preventing a similar incident from happening. 

"I am sickened by this unlawful and self-serving intrusion, and I am truly very sorry for your involvement in this senseless and malicious act," wrote Davis.

The doctor published a public notice concerning the incident as the company's data storage practices made it difficult to contact patients individually.

"Because we store PII as the scan of the patient’s intake demographic questionnaire, and not in an electronic demographic database, obtaining contact information in order to individually notify all 3,500 patients has been painstakingly slow and labor intensive, and access to the data has been hindered by ongoing IT service disruptions," wrote Davis.

Categories: Cyber Risk News

MAZE Relaunches "Name and Shame" Website

Fri, 01/10/2020 - 17:20

A threat group has once again taken to the internet to publish data stolen from alleged victims who refuse to cooperate with its ransom demands. 

In December 2019, the MAZE ransomware group published online a portion of the 120 GB of data they claimed to have stolen from Southwire, North America’s most prominent wire and cable manufacturer, after the company refused to pay a $6m ransom. 

The data was published on the http(colon)//mazenews(dot)top/ site, which was hosted at an ISP in Ireland. Southwire subsequently filed a lawsuit in the Northern District of Georgia, USA, on December 31 against the MAZE operators and won its case, after which the site was taken down. 

But yesterday at around 5 p.m. ET the “mazenews” website was back up online, this time hosted out of Singapore via Alibaba. 

Using an ominous black backdrop and bright red text, the website lists the companies that have allegedly been compromised. In some instances, the total amount of data that has been exfiltrated is also displayed. 

On the site, MAZE states: "Represented here companies do not wish to cooperate with us, and trying to hide our successful attack on their resources. Wait for their databases and private papers here. Follow the news!"

Companies listed so far are Southwire, RBC, THEONE, Vernay, Bakerwotring, BILTON, greccoauto, Groupe Igrec, Mitch Co International, Einhell, CONTINENTALNH3, Groupe Europe Handling SAS, Auteuil Tour Eiffel, Fratelli Beretta, Randalegal, crossroadsnet, SAXBST, American tax advisory firm BST & Co, and laboratory testing facility MDL. The Florida city of Pensacola is also listed.  

Downloadable files, presented as proof that a compromise has taken place, are available for Einhell, Fratelli Beretta, Crossroadsnet, MDL, BST & Co, SAXBST, Auteuil Tour Eiffel, and Southwire. Under the "proofs" category for the other companies, MAZE has written only "coming soon." 

The ransomware group claims to have exfiltrated 3 GB of data from Fratelli Beretta, and 25 GB of data each from SAXBST and BST & Co. MAZE further claims that 10% of the 120 GB it allegedly stole from Southwire is "available for downloading." 

For some unstated reason, the threat group showed mercy on alleged victim Pensacola. 

"We are going to make a gift to City of Pensacola: we will not publish leaked private data, but we publish the list of leak data and hosts to proof, that we did it, we really hacked City of Pensacola," wrote MAZE.

The city's operational departments that MAZE claims to have compromised include the treasury, finance, risk management, executive, legal, housing, and human resources departments.

Categories: Cyber Risk News

US Pressures UK on Final Huawei Decision

Fri, 01/10/2020 - 12:01

The US made a last-ditch bid to convince the British government to fall into line over Huawei this week, as newly introduced legislation proposed excluding allies from intelligence-sharing agreements.

Secretary of State Mike Pompeo was expected to press his counterpart Dominic Raab at a meeting in Washington this week over the UK's position on its 5G networks.

A final decision is expected to be taken by Boris Johnson’s new government later this month, but a government leak last April suggested the UK is happy to keep Huawei equipment in “non-core” parts of its networks.

That puts it at odds with a Trump administration that is trying to pressure allies into its harder-line opposition to the Shenzhen-based company, which it claims is a national security risk due to its ties to the Communist Party of China.

“The security and resilience of the UK’s telecoms networks is of paramount importance,” a Foreign Office spokesperson told Reuters. “The government continues to consider its position on high-risk vendors and a decision will be made in due course.”

Also this week, Republican senator Tom Cotton introduced a new bill that would prevent Washington from sharing intelligence with any countries which allow 5G technology from Huawei to operate “within their borders.”

The legislation is seen as an attempt to put more pressure on the Five Eyes intelligence sharing alliance which includes the US, Australia, New Zealand, Canada and the UK.

Donald Trump last year declared a National Emergency to prevent “foreign adversaries” from providing equipment for US critical 5G network infrastructure, and a Commerce Department entity listing barred US firms from selling key components to Huawei and scores of other Chinese companies.

However, its efforts to convince allies around the world to do the same have been met with mixed results, especially as blacklisting Huawei would set their development of 5G back considerably, while Trump's “America First” rhetoric makes the US a less convincing ally.

Categories: Cyber Risk News

Facebook Improves Political Ad Transparency but Refuses Ban

Fri, 01/10/2020 - 11:00

Facebook has revealed new capabilities to improve transparency and user control over political ads, but repeated its refusal to ban such advertising outright.

In a blog post on Thursday, director of product management, Rob Leathern, said updates to the Ad Library would help users shine a light on political ads delivered via the social network.

Specifically, users will soon be able to limit the number of political and social issue ads they see on Facebook and Instagram by topic, and remove interests.

They will also be able to stop seeing ads based on advertisers' “Custom Audiences” — the lists advertisers upload to target advertising. Users can also see ads that an advertiser has chosen to exclude them from receiving.

This is important because campaigners have argued that political candidates use online advertising to target different groups of voters with often conflicting messages, with neither side aware they are being promised contradictory things.

Users will also be able to see the estimated target audience size for an ad, and Facebook has improved the search and filtering functionality in the Ad Library to help researchers and journalists.

However, Leathern doubled down on the social network’s refusal to join Twitter in banning political ads outright, or Google in limiting the targeting of these ads.

“Ultimately, we don’t think decisions about political ads should be made by private companies, which is why we are arguing for regulation that would apply across the industry. The Honest Ads Act is a good example — legislation that we endorse and many parts of which we’ve already implemented — and we are engaging with policy makers in the European Union and elsewhere to press the case for regulation too,” he continued.

“Frankly, we believe the sooner Facebook and other companies are subject to democratically accountable rules on this the better.”

Experts have warned that, left unregulated, online political advertising could slowly chip away at the legitimacy of election results, especially if ads are micro-targeted. Rights groups have argued that, although strict rules apply to regular advertisers around factual accuracy, politicians can lie on the network without repercussions.

Categories: Cyber Risk News

Dixons Carphone Receives Maximum Fine for Major Breach

Fri, 01/10/2020 - 10:01

A major UK high street retailer has been fined the maximum amount under the pre-GDPR data protection regime for deficiencies which led to a breach affecting 14 million customers.

Privacy regulator the Information Commissioner's Office (ICO) fined DSG Retail £500,000 under the 1998 Data Protection Act after POS malware was installed on 5,390 tills.

The incident affected Currys PC World and Dixons Travel stores between July 2017 and April 2018, allowing hackers to harvest data including customer names, postcodes, email addresses and failed credit checks from internal servers, over a nine-month period.

The “poor security arrangements” highlighted by the ICO included ineffective software patching, the absence of a local firewall, and lack of network segregation and routine security testing.

“Our investigation found systemic failures in the way DSG Retail Limited safeguarded personal data. It is very concerning that these failures related to basic, commonplace security measures, showing a complete disregard for the customers whose personal information was stolen,” said ICO director of investigations, Steve Eckersley.

“The contraventions in this case were so serious that we imposed the maximum penalty under the previous legislation, but the fine would inevitably have been much higher under the GDPR.”

Eckersley claimed that the stolen data exposed customers to significant risk of follow-on identity fraud and financial theft, with almost 3,300 of them contacting the ICO by March 2019 about the breach.

However, the retailer said it is considering an appeal.

“When we found the unauthorized access to data, we promptly launched an investigation, added extra security measures and contained the incident,” said CEO Alex Baldock in a statement.

“We duly notified regulators and the police and communicated with all our customers. We have no confirmed evidence of any customers suffering fraud or financial loss as a result.”

Another business in the group, Carphone Warehouse, was fined £400,000 by the ICO in 2018 for similar security issues.

Categories: Cyber Risk News

Amazon Ring Workers Fired After Watching Users' Videos

Thu, 01/09/2020 - 18:02

Four employees of Amazon's home security company Ring have been fired after being caught snooping on users' videos. 

The online retail giant admitted terminating individuals over unauthorized access in a letter dated January 6 that was addressed to US senators Ron Wyden, Edward Markey, Gary Peters, Chris Van Hollen, and Christopher Coons. 

In the letter, Amazon states: "Over the last four years, Ring has received four complaints or inquiries regarding a team member’s access to Ring video data. Although each of the individuals involved in these incidents was authorized to view video data, the attempted access to that data exceeded what was necessary for their job functions. 

"In each instance, once Ring was made aware of the alleged conduct, Ring promptly investigated the incident, and after determining that the individual violated company policy, terminated the individual."

Amazon's letter was written in response to an earlier letter dated November 20 that was sent to the company by the aforementioned senators. In that letter, the senators asked Amazon to answer a long list of questions regarding the data and security practices of the Ring company and the security of its camera-bearing doorbell devices, which have been purchased in the millions.

One of the questions asked was "How many employees of Amazon and Ring have access to American users' camera data?" Amazon answered that R&D teams can only access publicly available videos and videos available from Ring employees, contractors, and friends and family of employees or contractors with their express consent.

"Aside from this," wrote Amazon, "a very limited number of employees (currently three) have the ability to access stored customer videos for the purpose of maintaining Ring’s AWS infrastructure."

The company said that Ring logs and monitors all access, adding that employees and contractors are warned that improper access to, or use of, confidential information or technology could result in termination.

The news puts a fly in the ointment of Ring's attempt to make users feel more secure by launching a "privacy dashboard" at the CES 2020 conference on Monday. The newly unveiled account control panel was designed to help users manage their access settings better and block intruders from viewing their video footage.

After a stream of headlines slamming the security of its video doorbell devices, this latest revelation could potentially push the Amazon-owned company one step closer to bringing down the curtain on its beleaguered devices.

Categories: Cyber Risk News