A cyber-espionage group dubbed Bronze President has been targeting countries in South and East Asia.
Researchers at Secureworks' Counter Threat Unit (CTU) have observed the group spying on the activities of political and law enforcement organizations and NGOs.
The threat group seems to have developed its own remote access tools, which it uses alongside publicly available remote access and post-compromise toolsets to gain entry to a network.
Using publicly available open-source tools could be a deliberate ploy by the group to cover its tracks and reduce the risk of attribution.
Once inside, the threat actors elevate their privileges and install malware on a large proportion of systems. Bronze President then runs custom batch scripts to collect specific file types and takes proactive steps to minimize detection of its activities.
The threat actors appear to be monitoring their targets as they steal data from compromised systems over a long period of time. Countries that have been targeted include India and Mongolia.
Activity from the threat actors has been observed by Secureworks' researchers since mid-2018, but it is thought that the group may have started causing trouble as early as 2014.
Among the group's phishing lures, researchers found emails suggesting an interest in national security, humanitarian, and law enforcement organizations in East, South, and Southeast Asia.
Researchers believe the Bronze President group is operating from a base within the People's Republic of China (PRC).
Connections were found between a subset of the group's operational infrastructure and PRC-based internet service providers. Furthermore, the group uses tools such as PlugX that have historically been leveraged by threat groups based in the PRC.
"It is likely that Bronze President is sponsored or at least tolerated by the PRC government. The threat group's systemic long-term targeting of NGO and political networks does not align with patriotic or criminal threat groups," wrote Secureworks' researchers.
The operational tactics of the group indicate that the crew behind it are highly organized.
Researchers noted: "Bronze President has demonstrated intent to steal data from organizations using tools such as Cobalt Strike, PlugX, ORat, and RCSession. The concurrent use of so many tools during a single intrusion suggests that the group could include threat actors with distinct tactics, roles, and tool preferences."
A class-action lawsuit has been filed against a Canadian laboratory testing company following a cyber-attack in which the data of 15 million of its customers was accessed by criminals.
Sensitive information exposed in the incident may have included customers' names, addresses, email addresses, logins, passwords, dates of birth, health card numbers, and lab test results.
The cyber-criminals who accessed the data were paid an undisclosed amount by LifeLabs in return for a promise to not make the information public.
On December 27, lawyers Peter Waldmann and Andrew Stein filed an unproven statement of claim in Ontario Superior Court in which LifeLabs is accused of breach of contract and negligence. The company is further accused of violating consumer protection laws and of violating its customers' privacy and confidence.
It is further alleged that LifeLabs stored customers' personal information on unsecured networks or servers, failed to implement "any, or adequate, cyber-security measures," didn't encrypt data, and neglected to hire or train any personnel responsible for network security management.
According to Canadian Underwriter, Waldmann and Stein are seeking more than $1.13bn in compensation for LifeLabs' Canadian customers to make up for the mental anguish, wasted time, and damage to their credit reputation they have suffered. The plaintiffs are seeking additional punitive and moral damages.
In an open letter, LifeLabs CEO Charles Brown wrote that up to 15 million customers, almost all of them in Ontario and British Columbia, may have been affected by the data breach.
On December 18, a toll-free helpline, set up to field calls from concerned LifeLabs customers, received over 5,000 calls. According to CTV news, a second line had to be set up to deal with the volume of calls.
LifeLabs is owned by one of the biggest pension funds in Canada, the Ontario Municipal Employees Retirement System, which has $92 billion in assets.
The Austrian government has been hit by a cyber-attack that could be the work of a rival foreign power.
The attack, which was leveled against the country's Foreign Ministry, began late on Saturday night. A spokesperson for the ministry described the incident as "serious" and said that experts had warned it could continue for several days.
On the same day the attack was launched, at a congress held in the city of Salzburg, Austria's Green Party said that it was in favor of forming a coalition with the conservative People's Party.
The ministry said that the attack had been caught early and countermeasures had immediately been put in place. The signatures and the pattern of the attack suggest that it could be the work of a state-sponsored threat actor.
"Despite all intensive security measures, there is never 100 percent protection against cyber-attacks," the ministry said, before adding that other European countries had been affected by similar incidents in the past.
By Sunday, the ministry's official website was once again accessible.
Commenting on the news, Hugo van den Toorn, manager of offensive security at Outpost24, said: "It is true that despite the precautions taken and all the controls in place, a motivated attacker can always find a way through an organization’s defenses. Although we see an increase in politically motivated attacks over the past few years, we should remain vigilant in blaming certain threat actors or nation-states.
"As we also see that attribution remains difficult with cyber-attacks, past attacks have taught us that adversaries will attempt to make their attacks look like other actors in an attempt to avoid taking the blame or to provoke conflicting parties."
This latest incident in Austria follows the serious cyber-attack on the German government's IT network, which was launched in March 2018. A group of Russian-backed threat actors known as APT28 or Fancy Bear was suspected to be behind not only that attack, but also an earlier cyber-hit on the German parliament carried out in 2015.
APT28 are similarly suspected of waging cyber-warfare on entities in Eastern Europe and in the United States.
The US government has echoed concerns from the cybersecurity industry that Iranian state hackers could respond to the assassination of a top Tehran general with attacks on US critical infrastructure (CNI).
Widely considered the second most powerful man in Iran, Qassem Suleimani was killed by a US drone strike in Baghdad on Friday.
Military and political leaders in the country have warned of retribution, while signs posted along the vast funeral procession today are reported to have read: “Harsh revenge is awaiting.”
The Department of Homeland Security (DHS) has duly issued an alert warning of a terror threat on home soil, although it admitted “at this time we have no information indicating a specific, credible threat to the homeland.”
However, an attack could come with little or no warning, with cyber a likely vector, it said.
“Previous homeland-based plots have included, among other things, scouting and planning against infrastructure targets and cyber-enabled attacks against a range of US-based targets,” the notice continued.
“Iran maintains a robust cyber program and can execute cyber-attacks against the United States. Iran is capable, at a minimum, of carrying out attacks with temporary disruptive effects against critical infrastructure in the United States.”
On Saturday, the website of the government-run American Federal Depository Library Program (FDLP) was defaced with an image of a bloodied Donald Trump. Industry experts believe things could escalate even further.
John Hultquist, director of intelligence analysis at FireEye, warned of an uptick in cyber-espionage against government entities, designed to give Tehran a geopolitical advantage, and destructive attacks on CNI.
“Iran has leveraged wiper malware in destructive attacks on several occasions in recent years. Though, for the most part, these incidents did not affect the most sensitive industrial control systems, they did result in serious disruptions to operations,” he added.
“We are concerned that attempts by Iranian actors to gain access to industrial control system software providers could be leveraged to gain widespread access to critical infrastructure simultaneously. In the past, subverting the supply chain has been the means to prolific deployment of destructive malware by Russian and North Korean actors.”
A booking site for customers of Japanese “love hotels” has been hacked, raising fears over follow-on identity fraud and blackmail attempts.
In a country known for its focus on convenience, love hotels are a popular feature in towns and cities, offering a place for amorous couples to bed down for a few hours or a whole night without needing to trek back to their tiny apartments.
In such establishments, privacy is of the utmost importance, with the check-in counter often designed so that guests can pay for a room without coming face-to-face with any hotel employees.
However, the compromise at Almex, which runs the popular HappyHotels[dot]jp site, threatens to unmask those guests.
In a notice, the firm said customer data including guest email addresses, handle name, birth date and gender, telephone number, log-ins, address and credit card information could all have been swiped by attackers.
“We sincerely apologize for the inconvenience and anxiety that may have caused our customers and other concerned parties. The service has been suspended because we are currently investigating the cause and taking measures,” it added.
“This password may have been leaked at this time, so if you use the same e-mail address and password as those of other companies' services, please change the password of other companies' services as soon as possible.”
Given the sensitive nature of the website, and the fact that some users may have been visiting love hotels with someone other than their partner, there’s an obvious risk of online blackmail and extortion for guests who’ve been exposed.
According to recent stats, over a third (38%) of Japanese women claimed that their husband or boyfriend has cheated on them in the past, with the figure slightly lower (31%) for women that have cheated on their partners.
The websites of a major global currency exchange business are still down after a “software virus” struck the firm on New Year’s Eve last week.
London-headquartered Travelex, which describes itself as “the world's leading foreign exchange specialist,” operates online around the world and in airports, as well as supporting travel money services for several high street lenders in the UK.
A statement on its main UK website written in English, French, Japanese, German, Dutch, Italian and Czech claims that “planned maintenance” is the cause of the “temporary” outage and that it will be back online soon.
However, a notice posted to Twitter and the firm’s dot-com site reveals a different story — that a “software virus” discovered last Tuesday has “compromised some of its services.”
“As a precautionary measure in order to protect data and prevent the spread of the virus, we immediately took all our systems offline. Our investigation to date shows no indication that any personal or customer data has been compromised,” it explained.
“We have deployed teams of IT specialists and external cybersecurity experts who have been working continuously since New Year’s Eve to isolate the virus and restore affected systems.”
The firm’s bricks-and-mortar branches are still working as normal, Travelex added, but reports suggest that both the app and its services to UK banks are impacted.
Some experts suggested ransomware as a likely cause of the incident, with the firm praised for its speedy response.
“Having a well-tested resilience plan in place that covers the technical aspects, communication with the public and clear responsibilities for handling incidents can ultimately make a difference between a costly response and maintaining customer trust,” argued Iain Kothari-Johnson, financial services lead for cybersecurity at Fujitsu UK.
“Break-glass incident response services, where experts are on-hand to rapidly investigate and mitigate threats, can also help reduce the financial and reputational impact of this type of incident and should be considered as part of any good resilience plan.”
Two days after singing megastar Mariah Carey had her Twitter account hacked, the same fate has befallen American actor and comedian Adam Sandler.
According to The Hollywood Reporter, a hacker or hackers compromised the account of the Happy Gilmore star yesterday to post a string of racist, sexist, and anti-Semitic tweets. Several of the barely literate messages contained the N-word.
In this latest celebrity Twitter hack, various tweets were retweeted from several other accounts, including one tweet from @MJerkme. Showing an extremely poor grasp of the English language, this missive, directed at former US president Barack Obama, described Donald Trump's predecessor as an "arangatang monkey."
The message went on to garble "u ruined my life when u messed with the food stamp rates i hate u forever retart."
Given the content of the tweets, this cyber-attack is, perhaps more than anything, a damning indictment of the American education system.
One thing the hacker(s) couldn't be accused of was political bias, since they took swipes at both the Democrats and the Republicans. In one tweet to @realDonaldTrump they accused the current US president of being "a racist cracker."
Other messages retweeted by the hacker(s) came from the Twitter account @iNuBLoM. This particular Twitter handle was referenced during Carey’s hack, which is believed to have been perpetrated by the Chuckling Squad hacking group.
The Chuckling Squad claimed responsibility for hacking Twitter CEO Jack Dorsey's Twitter account in August last year. Apparently, they haven't reached the level of comedic sophistication at which one can divine when a joke has gone on long enough.
According to reports, other tweets posted by the hacker(s) that appear to have been deleted referenced Carey’s hacking. In one, the poster claimed to have "just had phone sex with @MariaCarey."
While SIM-swapping was used to carry out the Dorsey hack, it is as yet unknown how Carey and Sandler's Twitter accounts came to be compromised.
The Sandler hack occurred at around 5:30 p.m. yesterday. According to Sandler's representative, the compromised account was locked as soon as the issue occurred.
Sandler's account, which is currently promoting the actor's latest film Uncut Gems, has 2.4 million followers.
A user who accessed their Xiaomi home security camera via their Google account was shown still images of strangers in unknown locations.
The Netherlands-based user, known as "Dio-V," was confronted with random snapshots from other people's lives after trying to stream content from a Xiaomi Mijia to a Google Nest Hub.
Dio-V reported the incident on Reddit yesterday. Along with footage to demonstrate the serious security flaw, Dio-V posted the comment: "When I load the Xiaomi camera in my Google home hub I get stills from other people's homes!!"
The still black and white images include shots of a baby lying down in a crib beneath a mobile and several different scenes in which strangers' living rooms, a staircase, and an enclosed porch area are depicted. In one restful scene, a mature gentleman is taking a nap in a kitchen.
Exactly when Dio-V's feed first began showing still images of other people's homes or how long the camera was connected to his Google account before this alarming situation started happening is not clear.
Dio-V said that the camera and the Nest Hub were both purchased new, ruling out any possibility that the incident involves a lingering connection with a previous owner.
Since learning of the flaw, Google has disabled Xiaomi integration for Google Home and the Assistant until a fix is found.
Google said: "We’re aware of the issue and are in contact with Xiaomi to work on a fix. In the meantime, we’re disabling Xiaomi integrations on our devices."
The Xiaomi Mijia 1080p Smart IP Security Camera that Dio-V used can be linked to a Google account for use with Google/Nest devices through Xiaomi's Mi Home app/service.
Commenting on the flaw, Xiaomi stated: "Upon investigation, we have found out the issue was caused by a cache update on December 26, 2019, which was designed to improve camera streaming quality. This has only happened in extremely rare conditions.
"In this case, it happened during the integration between Mi Home Security Camera Basic 1080p and the Google Home Hub with a display screen under poor network conditions. We have also found 1044 users were with such integrations and only a few with extremely poor network conditions might be affected.
"This issue will not happen if the camera is linked to the Xiaomi’s Mi Home app. Xiaomi has communicated and fixed this issue with Google, and has also suspended this service until the root cause has been completely solved, to ensure that such issues will not happen again."
After six and a half years in the job, Ciaran Martin is to relinquish his role as head of UK cybersecurity.
The 45-year-old has announced plans to surrender his title of chief executive of the National Cyber Security Centre (NCSC) in the summer of 2020.
Oxford University graduate Martin, who has dedicated his entire working life to the UK civil service, described his years with the NCSC as "the privilege of a lifetime."
British government ministers established the NCSC four years ago on the recommendation of Martin, who was then appointed to lead it.
Martin said in a statement: "When we created the NCSC we set out to achieve something truly special, and I hope and believe we are leaving UK cyber security in much better shape."
Martin, who was recently appointed a Companion of the Order of the Bath by Queen Elizabeth in the New Year's Honors List, said that the time was ripe to bring a fresh perspective to the demanding role. However, he believes his successor will not be in for an easy ride.
"Challenges around securing technology are only going to get ever more complex," said Martin, "so it’s right that after six and a half years that someone else takes this world-class organization to the next level."
Britain's Government Communications Headquarters, commonly known as GCHQ, has said that a new NCSC chief executive will be appointed and in place by the end of the summer.
Martin joined the board of GCHQ in December 2013 as head of cybersecurity. His recommendation to set up the NCSC as a division of GCHQ was made after the 2015 election.
The NCSC now employs approximately 1,000 staff and operates from a head office in London's Victoria area on an annual budget of £250m. The center offers practical cybersecurity advice for individuals and organizations via a website.
Since its inception, the NCSC has dealt with over 2,000 cybersecurity incidents targeting the UK. In the 12 months ending August 2019, the NCSC supported nearly 900 British organizations to recover from cyberattacks.
A cryptocurrency exchange has been forced to reset customer passwords after a suspected data leak via social media, although its incident response efforts caused more confusion among some users.
US-based exchange Poloniex informed around 1% of its customer base that they had to reset their log-ins, following a tweet claiming to contain a list of leaked email/password combos.
However, customers took to Twitter warning that the email itself was a phishing scam, forcing the exchange to re-emphasize its legitimacy.
It followed up with a blog post to clarify the situation.
“Our immediate priority was to ensure that our customers’ accounts were safe. As a result, we reset the passwords of potentially impacted customers, as users often reuse passwords or minor variants of the same password,” it explained.
“Our second priority was to determine the source of the leak and we can now confirm that neither this list, nor the information contained, originated from Poloniex. For those interested in our security protocols, we do not store passwords in plain text or a recoverable form, but rather we store them as salted bcrypt hashes.”
In fact, 90% of the compromised passwords on that list have already appeared on breach notification site HaveIBeenPwned?, it said.
“If you have a Poloniex account and did not receive an email from us related to this, you can be confident that your email address was not on the list,” the firm continued. “Less than 5% of the email addresses on the posted list were associated with Poloniex accounts.”
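The two points Poloniex makes above, that passwords are kept only as salted slow hashes and that listed accounts were reset because of password reuse, can be shown in code. The following is an added example written for this article, not Poloniex's own code; it uses `hashlib.scrypt` from the Python standard library as a stand-in for bcrypt (an assumption: same salted, deliberately slow design, but bcrypt itself needs a third-party package), and the accounts and the leaked list are constructed sample data.

```python
import hashlib
import hmac
import os

# scrypt cost parameters: roughly 16 MiB of memory and tens of milliseconds per
# hash, so an attacker holding the database cannot test guesses cheaply.
SCRYPT_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1, "dklen": 32}


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt per user means two users with
    the same password get different digests, so a posted list of plaintext
    passwords cannot be matched against the store by simple lookup."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute the digest with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def build_store(credentials):
    """credentials: {email: plaintext}. Returns {email: (salt, digest)}, the
    only form in which a password ever survives in the database."""
    return {email: hash_password(pw) for email, pw in credentials.items()}


def triage_leaked_list(store, leaked_pairs):
    """Decide what to do with a posted email/password list.
    reset:    every listed email that has an account here; reset regardless of
              whether the listed password is right, because of password reuse
    matches:  listed emails whose listed password verifies against our hash,
              i.e. the user definitely reused that credential elsewhere
    not_ours: listed emails with no account here"""
    reset, matches, not_ours = set(), set(), set()
    for email, leaked_pw in leaked_pairs:
        if email not in store:
            not_ours.add(email)
            continue
        reset.add(email)
        salt, digest = store[email]
        if verify_password(leaked_pw, salt, digest):
            matches.add(email)
    return {"reset": reset, "matches": matches, "not_ours": not_ours}


# Constructed sample data (not real accounts or real leaked credentials).
SAMPLE_STORE = build_store({
    "alice@example.com": "correct horse battery staple",
    "bob@example.com": "hunter2",
    "carol@example.com": "hunter2",   # same password as bob, different salt
})
SAMPLE_LEAK = [
    ("alice@example.com", "correct horse battery staple"),  # reused credential
    ("bob@example.com", "not-his-password"),               # our user, wrong password
    ("dave@example.com", "whatever"),                      # not a customer at all
]

if __name__ == "__main__":
    result = triage_leaked_list(SAMPLE_STORE, SAMPLE_LEAK)
    print("reset:", sorted(result["reset"]))
    print("confirmed reuse:", sorted(result["matches"]))
    print("not ours:", sorted(result["not_ours"]))
```

Because each digest is salted, Bob's and Carol's identical passwords produce different stored values, and the only way to learn whether a listed password is "right" is to run the slow verification per entry. That is also why a list of plaintext email/password pairs cannot have come out of a store like this one: the plaintext simply is not there to leak.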
The incident highlights the increasing difficulty online firms are having to convince customers of the legitimacy of urgent communications, in light of a continued epidemic of phishing scams.
Following the collapse of UK travel agency Thomas Cook last year, UK banks were criticized for sending unsolicited text messages to affected customers containing clickable links.
A major US hospitality chain has revealed that POS malware affecting scores of its restaurant brands may have led to customer card data theft over several months in 2019.
Landry’s claimed in an incident notice this week that 63 of its food and beverage and restaurant concepts — including Morton’s, Bubba Gump and Rainforest Café — had been affected.
Although the firm switched its POS card machines to an end-to-end encrypted system following a 2016 breach, order entry systems were left unprotected — and it is these that are thought to have been affected by the malware.
“Besides the encryption devices used to process payment cards, our restaurants and food and beverage outlets also have order entry systems with a card reader attached for waitstaff to enter kitchen and bar orders and to swipe Landry’s Select Club reward cards,” the note continued.
“In rare circumstances, it appears waitstaff may have mistakenly swiped payment cards on the order entry systems. The payment cards potentially involved in this incident are the cards mistakenly swiped on the order-entry systems. Landry’s Select Club rewards cards were not involved.”
Customers that visited between March 13, 2019 and October 17, 2019 may have been affected, although at “a small number of locations” hackers may have accessed cards as early as January 18, 2019, it said.
“The malware searched for track data (which sometimes has the cardholder name in addition to card number, expiration date, and internal verification code) read from a payment card after it was swiped on the order-entry systems,” said Landry’s.
“In some instances, the malware only identified the part of the magnetic stripe that contained payment card information without the cardholder name.”
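The root cause described above is that order-entry terminals, which were never meant to see payment cards, accepted and held whatever a card reader fed them. A defensive control is to recognise magnetic-stripe track data at the point of input and drop it before it is stored or sent anywhere, keeping only a masked audit record. The example below is added for this article and is not Landry's code: the track 1 and track 2 layouts follow ISO/IEC 7813, the PANs are standard test numbers, and the `LSC` rewards-card format is a hypothetical stand-in, since the article does not describe the real Select Club encoding.

```python
import re

# Magnetic-stripe layouts per ISO/IEC 7813. Track 1 carries the PAN, the
# cardholder name and the expiry; track 2 carries the PAN and expiry only.
TRACK1_RE = re.compile(
    r"%B(?P<pan>\d{13,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})\d{3}[^?]*\?")
TRACK2_RE = re.compile(r";(?P<pan>\d{13,19})=(?P<exp>\d{4})\d{3}[^?]*\?")
# Hypothetical rewards-card format for this example only.
REWARDS_RE = re.compile(r"^LSC(?P<member>\d{10})$")


def luhn_ok(pan):
    """Luhn check: a random run of digits rarely passes, a real PAN always does."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    return "*" * (len(pan) - 4) + pan[-4:]


def classify_swipe(raw):
    """Classify one reader buffer without ever returning the full PAN."""
    m = TRACK1_RE.search(raw) or TRACK2_RE.search(raw)
    if m and luhn_ok(m.group("pan")):
        return {
            "kind": "payment_card",
            "last4": m.group("pan")[-4:],
            "has_name": m.groupdict().get("name") is not None,
            "store": False,          # never persist or forward this buffer
        }
    r = REWARDS_RE.match(raw.strip())
    if r:
        return {"kind": "rewards_card", "member": r.group("member"), "store": True}
    return {"kind": "unknown", "store": False}


def handle_swipe(raw, terminal):
    """Return (record_to_persist, alert_line). Payment-card swipes yield no
    record and an alert that names the terminal but only the masked PAN."""
    info = classify_swipe(raw)
    if info["kind"] == "payment_card":
        alert = ("payment card swiped on order-entry terminal %s (ends %s, "
                 "name present: %s); buffer discarded"
                 % (terminal, info["last4"], info["has_name"]))
        return None, alert
    if info["kind"] == "rewards_card":
        return {"terminal": terminal, "member": info["member"]}, None
    return None, "unrecognised swipe on terminal %s discarded" % terminal


# Constructed sample buffers; 4111... and 5555... are industry test PANs.
SAMPLE_TRACK2 = ";4111111111111111=25121010000012345678?"
SAMPLE_TRACK1 = "%B5555555555554444^DOE/JANE^2512101000000000?"
SAMPLE_REWARDS = "LSC0000123456"

if __name__ == "__main__":
    for buf in (SAMPLE_TRACK2, SAMPLE_TRACK1, SAMPLE_REWARDS):
        print(handle_swipe(buf, "bar-01"))
```

The detector is deliberately conservative: it requires both the track framing characters and a Luhn-valid PAN before it treats a swipe as a payment card, so ordinary order text is not misclassified, while the mis-swipe the article describes is caught before any track data reaches the terminal's storage that the malware later searched.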
This data is usually sold on the dark web by hackers, where it is used to create counterfeit cards. Although the advent of EMV cards has largely eradicated this type of fraud across Europe, slow adoption in the US means POS malware attacks like this still happen from time to time.
Last year, restaurant chain Huddle House suffered just such an attack after a third-party POS vendor was compromised.
A US company targeted by ransomware has taken its fight to the Irish courts to have confidential data stolen by the same attackers removed from the web.
Southwire was struck by the Maze variant in December last year, with attackers demanding over $6m in ransom — not only for the decryption key, but also to regain company data that they exfiltrated.
However, the attackers reportedly grew frustrated with the firm’s refusal to pay up, and started publishing the data on a site called mazenews[dot]top.
That’s when the firm, which is one of America’s largest manufacturers of wire and cabling, enlisted its lawyers.
According to local reports, the company has secured an injunction in the Irish High Court against the registrants of the IP address linked to the “mazenews” site.
They’re said to work for a now-dissolved company called World Hosting Farm Limited (WHFL), with addresses in Cork and Dublin. The owner and director of the firm is Artur Grabowski of Stupsk, in Poland, according to the court documents.
Grabowski and the others named in connection with the IP address were all contacted by Southwire but failed to respond, hence the temporary injunction. It apparently requires the removal of all confidential information from the site and that no more material is published online.
Southwire is also said to have asked the judge to prevent media outlets from publishing its name in reporting of the court case, arguing that it would help the ransomware authors. However, Ms Justice Mary Rose Gearty refused.
Data theft is becoming increasingly common in ransomware attacks, raising the stakes for victim organizations.
Aside from Maze, strains such as Zeppelin, Snatch, Sodinokibi and Merry Christmas have all been observed exfiltrating sensitive data from targeted networks. The tactic is designed to force victim organizations to pay up to avoid their data being published, rather than simply ignore the ransom demands and restore from backup.
A data breach at a Chicago healthcare provider may have exposed the personal health information of 12,578 people.
Sinai Health System was breached in a cybersecurity incident that occurred in the fall of 2019. Hackers are thought to have gained unauthorized access to the organization’s email via a phishing attack.
Patient data that was stored in the email accounts and may have been exposed included names, addresses, dates of birth, Social Security numbers, health information, or health insurance information.
The healthcare provider became aware that two of its employees had been taken in by a phishing scam that struck in October.
In a statement released by Sinai Health System on December 19, the company wrote: "Sinai Health System (Sinai) has become aware of a potential data security incident that may have resulted in the inadvertent exposure of some patients’ personal and health information.
"On October 16, 2019, forensic information technology experts determined that patient information could be at risk after an unknown third party gained unauthorized access to two employee email accounts."
Following the discovery of the malicious attack, hospital officials took steps to secure the email accounts and reset passwords. Sinai Health System has also reviewed and revised its information security policies and procedures, including email retention procedures.
Employees of the healthcare provider were given additional cybersecurity training following the attack to reduce the risk of further breaches occurring. The organization has also enhanced the filtering protocols for its email accounts.
An investigation into the incident launched by Sinai Health System uncovered no evidence that any patient information had been exfiltrated or misused.
Sinai Health System wrote: "Experts performed an investigation and found no evidence that any patient information was removed from Sinai Health System’s email accounts or systems.
"Further, Sinai is not aware of any misuse of any patient’s information and has seen no indication that any patient’s information is in the hands of someone it should not be as a result of this incident."
Information regarding the breach was submitted on December 13 to the Office for Civil Rights, which has launched its own investigation into the incident.
Sinai Health System is composed of Mount Sinai Hospital, Holy Cross Hospital, Schwab Rehabilitation Hospital, Sinai Children’s Hospital, Sinai Community Institute, Sinai Medical Group, and Sinai Urban Health Institute.
Hackers have taken over the Twitter account of five-time Grammy Award winner Mariah Carey and used it to send sexually suggestive messages referencing rapper Eminem.
Singing superstar Carey is used to being in the public eye, especially over the festive period when her massive hit "All I Want for Christmas Is You" is played the world over. However, on New Year's Eve the phenomenally successful singer and actress hit the headlines for an entirely different reason.
According to CNN, as the curtain fell on 2019, hackers broke into Carey's account and posted several offensive, racist, and downright lewd tweets. One tweet, reported by The Source, is said to have read: "Eminem can still hold this p***y."
Another tweet posted by the hackers, which bizarrely received 5,463 "likes" and was retweeted 4,014 times, read "Merry Christmas You Dumb Ass N****s!"
In further tweets making references to Eminem, the hackers wrote about the rapper's daughter and posted the comment "Eminem has a little p***s."
It is unclear whether the remarks were an embarrassingly weak attempt at humor or a tribute to Eminem's track "The Kids," in which the rapper describes the most private part of his anatomy as being the size of a peanut.
The hack occurred over several hours on Tuesday afternoon, with the last tweet posted by the infantile miscreants hitting social media at 3:35 p.m.
Carey has 21.4 million followers on Twitter. The singer took the hack in good humor, responding to the incident with a tweet of her own. At 9:51 p.m. on December 31, the vocalist quipped: "I take a freaking nap and this happens?"
It's believed that Carey was targeted by the notorious Chuckling Squad hacking group, which famously compromised the Twitter account of Twitter CEO Jack Dorsey in August after obtaining his cell phone number.
The group has also claimed responsibility for hacking other celebrity accounts, including that of actress Chloë Grace Moretz.
A Twitter spokesperson told The Hollywood Reporter: "As soon as we were made aware of the issue, we locked the compromised account and are currently investigating the situation."
American software company NortonLifeLock is planning to axe over 140 jobs in two states to cut costs.
According to a report published on December 30 in the newspaper Community Impact, the security business plans to lay off 42 employees at its Granite Parkway site in Plano, Texas, in the coming months.
A total of 34 Plano positions are expected to be terminated by mid-January, with an additional eight roles expected to be scrapped by mid-February.
Texas isn't the only state in which NortonLifeLock plans to cut jobs in 2020. The San Francisco Business Times reported on December 31 that roughly 100 NortonLifeLock employees based in California will lose their jobs over the next few months.
Vincent Pilette, CEO of NortonLifeLock, told the newspaper that the company is not only axing jobs but also selling off real estate in a major effort to reduce costs and help drive earnings growth.
Arizona-based NortonLifeLock was previously known as Symantec. The company underwent a rebranding after its enterprise cybersecurity business was acquired by San Jose chipmaker Broadcom for around $11bn in the summer of 2019.
In recent weeks, the Wall Street Journal has reported that NortonLifeLock's cybersecurity rival McAfee may put in a bid to buy the company's consumer business, challenging existing private equity bidders Permira and Advent International.
On August 8, the same day that Broadcom's acquisition of Symantec was publicized, Symantec announced plans to lay off roughly 7 percent of its employees during fiscal year 2020.
At its Mountain View headquarters, 152 jobs were expected to be terminated, along with a further 18 positions in San Francisco and 36 roles in Culver City, Los Angeles County.
The layoffs were expected to have been completed by the end of March 2020, according to the San Francisco Chronicle.
NortonLifeLock has more than 11,000 employees worldwide and serves more than 50 million people with Norton antivirus software and LifeLock identity theft protection.
The Chronicle reported in September that the newly acquired Symantec would be closing or downsizing various facilities and data centers at an estimated cost of approximately $100m.
Chinese-owned video sharing app TikTok has been banned for use by US soldiers due to growing security concerns, according to reports.
Although military recruiters are using the app to encourage more young people to sign up for service, owner ByteDance has come under increasing scrutiny in the US over its links to Beijing.
The new Defence Department guidance, seen by Military.com, points to “TikTok as having potential security risks associated with its use.
“Be wary of applications you download, monitor your phones for unusual and unsolicited texts etc., and delete them immediately and uninstall TikTok to circumvent any exposure of personal information,” it continued.
TikTok first came under fire for appearing to censor content related to pro-democracy protests in Hong Kong, and has since been the subject of an investigation by a powerful US committee.
The Committee on Foreign Investment in the United States (CFIUS) has launched an inquiry into whether the sensitive personal user data TikTok collects represents a national security risk. If it decides to turn this into a full investigation, it could spell bad news for the future of the app inside the US.
CFIUS reviews whether foreign acquisitions of US companies could harm the country’s interests. ByteDance didn’t seek the committee’s clearance when it bought US app Musical.ly (now TikTok), in 2017, so the new inquiry is apparently seen as fair game.
The US Army ban follows similar guidance from the US Navy. However, although these new rules apply to government-issued devices, soldiers could still technically use the app on their personal smartphones.
TikTok also released its first ever transparency report at the end of December. But far from alleviating concerns around its links to Beijing, the document raised more suspicions.
According to the document, it didn’t receive a single take down request from the Chinese government in the first half of 2019.
Microsoft has seized scores of domains thought to have been used by a North Korean threat group to support a spear-phishing and information-stealing campaign.
The tech giant secured a court order after filing against the “Thallium” group (aka APT37), enabling it to take control of 50 domains it said were being used to execute attacks against mainly US, but also Japanese and South Korean entities.
“This network was used to target victims and then compromise their online accounts, infect their computers, compromise the security of their networks and steal sensitive information,” explained Microsoft VP of customer security and trust, Tom Burt.
“Based on victim information, the targets included government employees, think tanks, university staff members, members of organizations focused on world peace and human rights, and individuals that work on nuclear proliferation issues.”
Victims are typically hit by spear-phishing attacks using info gathered from public sources to add legitimacy.
Clicking through on these will take the victim to a spoofed website requesting account log-ins. This strategy is designed to give Thallium attackers access to their emails, contact lists, calendar appointments and anything else of interest.
The group has also been observed setting up a mail forwarding facility so that it can continue to monitor a victim’s communications even after they have updated their account password, Burt explained.
“In addition to targeting user credentials, Thallium also utilizes malware to compromise systems and steal data,” he added.
“Once installed on a victim’s computer, this malware exfiltrates information from it, maintains a persistent presence and waits for further instructions. The Thallium threat actors have utilized known malware named ‘BabyShark’ and ‘KimJongRAT’.”
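The mail-forwarding persistence Burt describes is something defenders can hunt for in mailbox audit logs: a forwarding rule or mailbox forwarding address that points outside the organization survives a password reset and should be reviewed. The script below is an added example, not Microsoft's code or part of its announcement; it scans a handful of constructed audit events (the `Operation`, `UserId` and `Parameters` shape is an assumption modelled loosely on Exchange Online cmdlet logging, not a real schema) and reports every forwarding target whose domain is not the assumed internal domain `example.org`.

```python
"""Flag mailbox forwarding to external addresses in constructed audit events.

Added example. The event shape (Operation / UserId / Parameters) is an
assumption modelled loosely on Exchange cmdlet audit records; adapt the
field names to whatever your tenant or mail server actually logs.
"""
import json
from typing import Iterable

ORG_DOMAIN = "example.org"  # assumed internal domain for the example

# Cmdlets that can redirect mail and the parameters that carry the target.
# The names are Exchange cmdlet/parameter names used here as assumptions.
FORWARDING_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress"}

# Constructed sample log: one JSON event per line. Addresses use the
# reserved .test TLD; nothing here refers to a real mailbox.
SAMPLE_LOG = """\
{"Operation": "New-InboxRule", "UserId": "alice@example.org", "Parameters": [{"Name": "Name", "Value": "Archive"}, {"Name": "ForwardTo", "Value": "smtp:collect@attacker-mail.test"}]}
{"Operation": "New-InboxRule", "UserId": "bob@example.org", "Parameters": [{"Name": "Name", "Value": "Team"}, {"Name": "ForwardTo", "Value": "smtp:team@example.org"}]}
{"Operation": "Set-Mailbox", "UserId": "carol@example.org", "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:carol.backup@webmail.test"}, {"Name": "DeliverToMailboxAndForward", "Value": "True"}]}
{"Operation": "MailItemsAccessed", "UserId": "dave@example.org", "Parameters": []}
"""


def _addresses(value: str) -> list:
    """Split 'smtp:a@x; smtp:b@y' style values into bare lower-case addresses."""
    out = []
    for part in value.split(";"):
        part = part.strip()
        if part.lower().startswith("smtp:"):
            part = part[5:]
        if "@" in part:
            out.append(part.lower())
    return out


def is_external(address: str, org_domain: str = ORG_DOMAIN) -> bool:
    """True when the address domain is neither org_domain nor one of its subdomains."""
    domain = address.rsplit("@", 1)[1]
    return domain != org_domain and not domain.endswith("." + org_domain)


def find_external_forwarding(lines: Iterable[str], org_domain: str = ORG_DOMAIN) -> list:
    """Return one finding per external forwarding target seen in the events."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if event.get("Operation") not in FORWARDING_OPS:
            continue  # not a cmdlet that can redirect mail
        for param in event.get("Parameters", []):
            if param.get("Name") not in FORWARD_PARAMS:
                continue
            for addr in _addresses(str(param.get("Value", ""))):
                if is_external(addr, org_domain):
                    findings.append({
                        "user": event.get("UserId"),
                        "operation": event["Operation"],
                        "parameter": param["Name"],
                        "target": addr,
                    })
    return findings


if __name__ == "__main__":
    for f in find_external_forwarding(SAMPLE_LOG.splitlines()):
        print(f"{f['user']}: {f['operation']} {f['parameter']} -> {f['target']}")
```

On the sample above the check reports Alice's inbox rule and Carol's mailbox-level forwarding address, and ignores Bob's internal rule and the unrelated access event. In practice the same logic belongs in a scheduled job over the real audit feed, paired with a review of any forwarding created shortly before or after a credential reset, since that is exactly the window in which a rule planted during the compromise keeps delivering mail to the attacker.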
The takedown follows similar operations carried out by Microsoft against groups operating from China, Russia and Iran.
Back in July last year, the firm claimed it had warned 10,000 customers that they’d been targeted by nation state attacks over the previous 12 months, including hundreds of US political organizations.
US maritime facilities have been on high alert over the Christmas break after the Coast Guard revealed details of a ransomware-related outage in late December.
The bulletin described a recent attack causing widespread operational disruption at a “Maritime Transportation Security Act (MTSA) regulated facility.
“Forensic analysis is currently ongoing but the virus, identified as ‘Ryuk’ ransomware, may have entered the network of the MTSA facility via an email phishing campaign. Once the embedded malicious link in the email was clicked by an employee, the ransomware allowed for a threat actor to access significant enterprise Information Technology (IT) network files, and encrypt them, preventing the facility’s access to critical files,” it explained.
“The virus further burrowed into the industrial control systems that monitor and control cargo transfer and encrypted files critical to process operations. The impacts to the facility included a disruption of the entire corporate IT network (beyond the footprint of the facility), disruption of camera and physical access control systems, and loss of critical process control monitoring systems.”
The port facility’s operations were apparently disrupted for over 30 hours as a result of the attack.
The Coast Guard urged maritime authorities to implement risk management programs according to best practices outlined in the NIST Cybersecurity Framework (CSF) and NIST Special Publication 800-82.
Specific controls it recommended include intrusion prevention/detection systems, modern virus detection, host and server monitoring, network segmentation, up-to-date IT/OT network diagrams and regular back-ups.
Experts have been warning about a major cyber-attack on port facilities for some time. Late last year, a report from the Singapore-based Cyber Risk Management (CyRiM) project warned that a ransomware campaign targeting Asia’s ports could cost the global economy as much as $110bn.
In July last year the US Coast Guard issued a marine safety alert urging vessel and facility owners and operators to improve baseline cybersecurity, following an attack on a “deep draft vessel” bound for the Port of New York and New Jersey.
RavnAir Group was forced to ground flights on Saturday following a cyber-attack on the Alaskan company's computer network.
The nature of the attack was not disclosed; however, the company did reveal that threat actors specifically targeted systems supporting the small airline's turboprop-powered regional airliner, the De Havilland Canada DHC-8, commonly known as the Dash 8.
As a result of the incident, the airline had to disconnect its entire Dash 8 maintenance system and the back-up system.
All RavnAir Alaska Dash 8 flights that were scheduled to take place on Saturday, December 21, a crucial day of travel in the busy holiday season, were affected.
PenAir flights and RavnAir Connect flights were unaffected by the incident, as they were able to run on back-up systems.
RavnAir wrote: "While we continue to work with the FBI, other authorities, and a cybersecurity company to restore affected systems, we are proactively cancelling all RavnAir Alaska Dash 8 flights until 12 noon today, and we expect to experience other schedule cancellations and delays within the RavnAir Alaska (Dash 8 Aircraft) network throughout the rest of the day because the cyber-attack forced us to disconnect our Dash 8 maintenance system and its back-up."
According to news site WKRN, RavnAir spokesperson Debbie Reinwand said that 260 passengers were affected by the malicious cyber-attack. Six flights were cancelled, including the 1:30 p.m. flight from Unalaska to Anchorage.
Disappointed customer Dennis Ede, who was due to take that 1:30 p.m. flight, told KUCB radio: "I'm not happy about it. If I can't get out today, I'll try to get out tomorrow. I'm trying to get home to Seattle to see my family for Christmas."
Two further flights were cancelled on Saturday due to adverse weather conditions.
"We will be trying to add flights where we can over the next two days," wrote RavnAir in a statement released at 1 p.m. Sunday, December 22.
"We have, where possible, re-booked passengers on other flights."
RavnAir Group serves 100 different communities in Alaska from its headquarters in Anchorage. Many of the communities that fly with RavnAir are inaccessible by road.
A critical flaw has been discovered in two Citrix products, placing 80,000 companies in 158 countries at risk.
The easily exploitable vulnerability could allow attackers to obtain direct access to a company's local network and to access a company’s credentials.
It could also be used to launch denial of service and phishing attacks and to implant malware that could lead to cryptocurrency mining.
Positive Technologies expert Mikhail Klyuchnikov found the vulnerability in Citrix Application Delivery Controller (formerly known as NetScaler ADC) and in Citrix Gateway (formerly known as NetScaler Gateway).
This vulnerability affects all supported versions of the products, and all supported platforms, including Citrix ADC and Citrix Gateway 13.0, Citrix ADC and NetScaler Gateway 12.1, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1, and also Citrix NetScaler ADC and NetScaler Gateway 10.5.
What makes the weakness especially dangerous is that it can be used to launch an attack that does not require access to any accounts, meaning it can be mounted by any external attacker.
Depending on the specific configuration, Citrix applications can be used for connecting to workstations and critical business systems (including ERP). In almost every case, Citrix applications are accessible on the company network perimeter, and are therefore the first to be attacked.
This newly unearthed vulnerability allows any unauthorized attacker to not only access published applications, but also attack other resources of the company's internal network from the Citrix server.
Citrix is notifying customers and channel partners about this potential security issue, for which a fix is still forthcoming.
The company has urged customers to upgrade all of their vulnerable appliances to a fixed version of the appliance firmware as soon as it is released. It has also set up an alert system, which customers can subscribe to so that they will learn as quickly as possible when a fix has been found.
Dmitry Serebryannikov, director of the security audit department at Positive Technologies, said: "Citrix applications are widely used in corporate networks. This includes their use for providing terminal access of employees to internal company applications from any device via the Internet.
"Considering the high risk brought by the discovered vulnerability, and how widespread Citrix software is in the business community, we recommend information security professionals take immediate steps to mitigate the threat."