Info Security


News Corp Discloses Cyber-Attack

Mon, 02/07/2022 - 18:00

Publishing company News Corp has disclosed that it was the victim of a cyber-attack last month.

Threat actors compromised email accounts belonging to journalists and other employees at the company, which is owned by Australian-born American media tycoon Rupert Murdoch.

In an email sent to staff members on Friday and viewed by The New York Times, News Corp’s chief technology officer David Kline wrote that “a limited number” of email accounts and documents belonging to News Corp headquarters, News Technology Services, Dow Jones, News UK and The New York Post had been impacted by the incident. 

The security incident was discovered on January 20. It was reported to the relevant authorities and is now being investigated by US law enforcement and by the cybersecurity firm Mandiant.

Kline wrote that the attack is believed to have originated from outside the United States. 

“Our preliminary analysis indicates that foreign government involvement may be associated with this activity, and that some data was taken,” wrote Kline. 

“Mandiant assesses that those behind this activity have a China nexus and believes they are likely involved in espionage activities to collect intelligence to benefit China’s interests.”

Commenting on the attack, iboss CEO Paul Martini said: “This is an early example of what we believe will be a broader escalation of cyber-attacks by nation-state actors in the coming year.

“Just days ago, the FBI labeled Chinese cyber aggression more ‘brazen and damaging’ than ever before and we’re seeing that play out in real time.”

Martini conjectured that the attack was part of an “intelligence gathering campaign that could have broader impacts on US journalism and politics for years to come.”

Liu Pengyu, a spokesman for the Chinese Embassy in Washington, reportedly wrote in an email: “We hope that there can be a professional, responsible and evidence-based approach to identifying cyber-related incidents, rather than making allegations based on speculations.”

Tripwire’s VP of strategy, Tim Erlin, commented: “Cyber-attack attribution is extremely difficult, and while the casual reader may draw the conclusion here that China is responsible (which may be true), it’s worth noting the language that Mandiant uses.”

He added: “The term ‘China nexus’ and the phrase ‘benefit China’s interests’ are both ways of softening the conclusion. In these types of reports, language matters.”

Categories: Cyber Risk News

Washington Warns of POLARIS Breach

Mon, 02/07/2022 - 17:45

The Washington State Department of Licensing (DOL) has shuttered its Professional Online Licensing and Regulatory Information System (POLARIS) after detecting suspicious activity. 

POLARIS stores information about license holders and applicants. The type of information varies for different licenses and may include Social Security numbers, dates of birth, driver license numbers and other personally identifying information (PII).

In a statement posted to its website, the DOL said it became aware of unusual activity involving professional and occupational license data during the week commencing January 24 2022. The decision was taken to shut down POLARIS as a precaution while the activity was investigated.

The department said the Washington Office of Cybersecurity was assisting in the safe recovery of the system and in the investigation to determine whether a data breach had occurred. 

"At this time, we have no indication that any other DOL data was affected, such as driver and vehicle licensing information. All other DOL systems are operating normally," stated the DOL.

It added: "With the support and assistance of nationally recognized cybersecurity experts, we are investigating what happened and what data and people may be affected."

The department has created an Intent to Renew form to help those professionals who have tried to renew their licenses while POLARIS is down. A call center was set up on February 4 to answer questions by individuals who were impacted by the outage.

DOL has said it will not act against individuals whose license expired while POLARIS was inaccessible.

The department issues over 40 types of licenses. These include driver and vehicle licenses and professional licenses for cosmetologists, real estate brokers, architects, driving instructors and bail bondsmen. 

DOL said that the security incident only appeared to potentially impact professional and occupational license data.

"At this time, we are not aware of any suspicious activity involving other DOL systems, such as the driver and vehicle licensing system (DRIVES)," stated the DOL.

"DRIVES is operating normally. We are monitoring all our systems very carefully."

The department said it will notify any individuals whose personal data was accessed during the incident and provide them with "further assistance."

Categories: Cyber Risk News

UK Adds New Offenses to Online Safety Bill

Mon, 02/07/2022 - 10:49

The UK government has unveiled plans to strengthen its Online Safety Bill, which includes the creation of new criminal offenses.

The legislation, first drafted in May 2021, will place new obligations on social media sites and other services hosting user-generated content or allowing people to talk to others online to remove and limit the spread of illegal and harmful content. This includes child sexual abuse, terrorist material and suicide content.

The UK’s communications regulator, Ofcom, will be responsible for holding these firms to account, with the power to fine those failing to meet their duty of care up to £18m or 10% of annual global turnover, whichever is higher.

Digital Secretary Nadine Dorries has now announced that three new offenses relating to abusive and offensive online communications will be included in the bill. This followed a review by the Law Commission, which concluded that current laws in this area have not kept pace with the rise of smartphones and social media. The new offenses are:

  • A ‘genuinely threatening’ communications offense, where communications are sent or posted to convey a threat of serious harm. This will combat online threats to rape, kill and inflict physical violence or cause people serious financial harm. This is particularly designed to protect public figures such as MPs, celebrities or footballers.
  • A harm-based communications offense to capture communications sent to cause harm without a reasonable excuse. This offense will be based on the intended psychological harm towards the victim by considering the context in which the communication was sent. It is hoped this will better tackle abusive messages towards women and girls, which may not seem obviously harmful when considered on their own. It is also designed to avoid criminalizing communications sent with no intention to cause harm, such as consensual messages between adults.
  • An offense for when a person sends a communication they know to be false with the intention to cause non-trivial emotional, psychological or physical harm. This will cover false communications deliberately sent to inflict harm, such as hoax bomb threats, instead of misinformation where people are unaware that what they are sending is false or genuinely believe it to be true.

These offenses will carry different maximum sentences, including up to five years in prison for threatening communications.

Professor Penney Lewis, Commissioner for Criminal Law, explained: “The criminal law should target those who specifically intend to cause harm while allowing people to share contested and controversial ideas in good faith. Our recommendations create a more nuanced set of criminal offenses, which better protect victims of genuinely harmful communications as well as better protecting freedom of expression.

“I am delighted that the government has accepted these recommended offenses.”

In addition, new obligations will be placed on social media companies to remove the most harmful illegal content and criminal activity on their sites more quickly. These priority offenses include revenge porn, hate crime, fraud, the sale of illegal drugs or weapons, the promotion or facilitation of suicide, people smuggling and sexual exploitation. Terrorism and child sexual abuse were already categorized in this way. For these types of content, social media sites must take proactive action to prevent them from being viewed by users, rather than only taking down content in response to user reports.

Dorries commented: “This government said it would legislate to make the UK the safest place in the world to be online while enshrining free speech, and that's exactly what we are going to do. Our world-leading bill will protect children from online abuse and harms, protecting the most vulnerable from accessing harmful content and ensuring there is no safe space for terrorists to hide online.

“We are listening to MPs, charities and campaigners who have wanted us to strengthen the legislation, and today’s changes mean we will be able to bring the full weight of the law against those who use the internet as a weapon to ruin people’s lives and do so quicker and more effectively.”

Categories: Cyber Risk News

European Police Flag 500+ Pieces of Terrorist Content

Mon, 02/07/2022 - 10:24

European police have found and referred 563 pieces of terrorist content to service providers in the region, as a UK man was jailed for sharing a bomb-making manual online.

The Referral Action Day took place last week at Europol’s headquarters. The EU’s Internet Referral Unit (EU IRU) coordinated the referral activity with specialized counter-terrorism units from France, Germany, Hungary, Italy, the Netherlands, Portugal, Spain, Switzerland and the UK.

In particular, they were looking for content on “explosive chemical precursors” being shared online by terrorist-supporting networks, including jihadists. This refers to content such as bomb-making tutorials and information on carrying out terrorist attacks.

The content found on 106 websites and platforms will now be assessed by the relevant online service providers against their terms and conditions.

Last November, over 20 websites in Germany and the UK were suspended by service providers for disseminating online terrorist propaganda – fewer than half the number of sites originally flagged by police.

However, a new EU regulation will soon give the authorities the power to demand the removal of online terrorist content.

The news comes after a 19-year-old UK man was sentenced to 42 months in jail for sharing a bomb-making manual on social media.

Connor Burke, from southeast London, pleaded guilty at Woolwich Crown Court to disseminating a terrorist publication that contained information on how to create improvised explosive devices (IEDs).

He also pleaded guilty to four counts of possession of a document “likely to be useful” to a would-be terrorist.

“Burke had an unhealthy interest in extreme right-wing terrorist ideology, and this led to him sharing extremely dangerous material with others online,” argued Richard Smith, head of the Metropolitan Police’s Counter Terrorism Command.

“Increasingly, we’re seeing young people being drawn into extremist ideologies, some of whom – like Burke – then go on to commit serious terrorism offenses.”

Categories: Cyber Risk News

Swissport Ransomware Attack Delayed Flights

Mon, 02/07/2022 - 10:01

Airport services giant Swissport is restoring its IT systems after a ransomware attack struck late last week, delaying flights.

The Zurich-headquartered firm operates everything from check-in gates and airport security to baggage handling, aircraft fuelling and de-icing and lounge hospitality. It claims to have provided ground services to 97 million passengers last year and handled over five million tons of air freight.

Swissport took to Twitter on Friday to warn its IT infrastructure had been hit by ransomware and apologize for any impact on service delivery.

However, a day later, the firm appeared to have things back under control.

“IT security incident at #Swissport contained,” it tweeted. “Affected infrastructure swiftly taken offline. Manual workarounds or fallback systems secured operation at all times. Full system clean-up and restoration now under way. We apologize for any inconvenience.”

It’s unclear exactly how severely the outage impacted its many clients around the globe. However, one report from German media revealed it led to temporary delays at Zurich airport.

“Due to system problems at our airport partner Swissport, 22 flights were delayed by three to 20 minutes yesterday,” a spokeswoman for the airport is quoted as saying.

The attackers are believed to have struck early in the morning of Thursday February 3. By Friday, there was no significant impact on operations at Zurich airport.

Backup procedures reportedly kicked in during the outage so that there was no impact on aircraft crews. However, a Swissport spokesperson reportedly admitted: “there may be delays in some cases.”

The news follows a series of attacks and disruptions at European ports and oil terminals over the past week, impacting fuel supply chains at a time of rising prices and heightened concern over the possible knock-on effect of Russia invading Ukraine.

“Whether the surge in attacks is related to current geopolitical events is unknown,” said Andy Norton, European cyber-risk officer at Armis.

“However, providers of critical services should immediately review the adequacy of their risk assessments, with emphasis on the criticality of ancillary IT systems that have increased connectivity, and the potential to impact OT and ICS production and service delivery.”

Categories: Cyber Risk News

Crypto Firm Meter Loses $4.4m in Cyber-Heist

Mon, 02/07/2022 - 09:34

Yet another cryptocurrency firm has been hacked to the tune of millions of dollars.

Meter provides decentralized finance (DeFi) infrastructure services, linking siloed blockchains for users with so-called “cross-chain bridges.”

Over the weekend, it revealed that an unauthorized intruder had managed to exploit a bridge vulnerability to mint a large number of Binance Coins (BNB) and wrapped Ethereum (WETH), while running down its reserves.

After halting bridge transactions immediately, the firm investigated the source of the bug.

“The extended code had a wrong trust assumption which allowed the hacker to call the underlying ERC20 deposit function to fake a BNB or ETH transfer,” it explained on Twitter.

“The only impacted tokens were native gas tokens (WETH and BNB), and only Meter and Moonriver networks were impacted.”

Meter admitted it lost $4.4m in the raid but said it would compensate those affected while working with the authorities to trace its attacker.

“We urge all the liquidity providers that provide liquidity involving WETH and BNB to remove liquidity from the pool and wait for an additional announcement from the Meter team,” it added. “Please try to avoid trading in these pairs as well.”

Meter urged the hacker to return the funds but has not publicly offered its assailant a bug bounty reward for their safe return, as did two other crypto firms compromised last week.

DeFi provider Qubit Finance proffered a reward of $2m to its attackers and a promise not to press charges after they made off with $80m.

Then a few days later, another cross-chain bridge provider, Wormhole, lost an estimated $322m after attackers stole 120,000 ETH. This time it offered a staggering $10m to the hacker.

A few days later, proprietary trading firm Jump Trading said it replenished those funds “to make community members whole and support Wormhole now as it continues to develop.”

Categories: Cyber Risk News

Major Vulnerability Found in Argo CD

Fri, 02/04/2022 - 18:30

Security researchers at Apiiro have discovered a significant software supply chain zero-day vulnerability in the popular open-source continuous delivery platform, Argo CD.

Used by thousands of organizations globally, Argo CD is a tool that reads environment configurations (written as a Helm chart, Kustomize files, Jsonnet or plain YAML files) from Git repositories and applies them to Kubernetes namespaces. The platform can manage the execution and monitoring of application deployment post-integration.

The flaw (CVE-2022-24348) lets attackers access and exfiltrate sensitive information such as passwords and API keys.

“A 0-day vulnerability, discovered by Apiiro’s Security Research team, allows malicious actors to load a Kubernetes Helm Chart YAML file to the vulnerability and ‘hop’ from their application ecosystem to other applications’ data outside of the user’s scope,” wrote researchers.

Exploitation of the flaw can lead to privilege escalation, sensitive information disclosure, lateral movement attacks and more.

The attack begins with the threat actor constructing a malicious Kubernetes Helm chart, a YAML file that embeds different fields to form a declaration of the resources and configurations needed to deploy an application.

Using the Helm Chart, the attacker builds a dummy configuration to exploit a parsing confusion vulnerability to access restricted information.

Finally, the attacker extracts sensitive data such as API keys and passwords that can be leveraged to carry out follow-up attacks and facilitate lateral movement inside the victim’s network.

Apiiro reported the attack to Argo CD on January 30 2022. After discussing the vulnerability’s extent and impact, the vendor created a patch to fix the problem. Advisories and the patch were released on Thursday. 

Apiiro’s research team praised Argo CD’s incident response and “professional handling of the case.”

“We are seeing more advanced persistent threats that leverage zero day and known, unmitigated vulnerabilities in software supply chain software such as Argo CD,” commented Yaniv Bar-Dayan, CEO and co-founder at Vulcan Cyber.

He added: “For years, known, unmitigated vulnerabilities have contributed more than any other factor to mounting cyber risk. But hackers are always looking for the most-effective path of least resistance to attain their objectives.”

Categories: Cyber Risk News

Nord Security and Surfshark to Merge

Fri, 02/04/2022 - 18:00

Lithuanian-based cybersecurity companies and rival virtual private network (VPN) providers Nord Security and Surfshark have finalized a merger agreement.

The companies said that the merger would “open new technical knowledge-sharing opportunities and enable more focused market diversification.” Both companies will continue to operate autonomously and maintain separate infrastructure and product roadmaps.

Since both companies are privately owned entities, the transaction details have not been disclosed. 

Nord Security was established in 2012 and now has 1,000 employees who support 15 million users worldwide. The company is known for its VPN service NordVPN, freemium VPN provider Atlas VPN, password manager NordPass, encrypted cloud storage NordLocker and the advanced network access security solution NordLayer.

According to a post on its website about the merger, Nord Security was impressed by the fast growth of Surfshark and the expertise and professionalism of its team. 

“The increasing complexity of cybersecurity and digital privacy is a growing challenge worldwide. We believe that this industry requires radical simplification and ease of access, both for consumers and businesses,” said Tom Okman, the co-founder of Nord Security.

He added: “Together, Nord Security and Surfshark create the largest internet security powerhouse in the market, ready to bring advanced solutions for customers.”

Surfshark was developed with the assistance of Lithuanian business incubator Tesonet, which also helped NordVPN to grow.

Nord Security said that while both companies will work independently to improve their own products, they will consolidate their resources to reach mutual goals and innovate within the cybersecurity industry.

The smaller of the two, Surfshark, launched in 2018 and employs around 200 people. The company delivers software solutions and was a founding member of the VPN Trust Initiative. It is known for its Surfshark One suite, which bundles an award-winning VPN, antivirus, a private search tool and a data leak alert system.

“Consolidations in the global consumer cybersecurity market indicate the industry’s maturity. They also bring new competitive challenges,” said Vytautas Kaziukonis, founder and CEO of Surfshark.

He added: “Nord Security and Surfshark joining forces will set the ground to scale in different digital security dimensions, which is necessary to meet the growing requirements of our customers.”

Categories: Cyber Risk News

Tennessee College Hit with Ransomware

Fri, 02/04/2022 - 17:30

A cyber-attack on a community college in Tennessee may have exposed the personal data of students, staff and faculty. 

Attackers struck Pellissippi State Community College (PSCC) with ransomware on December 5 2021. The digital assault shut down online network connections to all five of its campuses during finals week, disrupting online exams. 

All the college's connected PC workstations and most of its servers, including the operating system and files, were encrypted. The attackers also changed the passwords of every user.

"What I can say is that this is not going to be a quick fix," said Pellissippi State vice president for academic affairs, Kellie Toon, at the time of the attack.

"There have been other schools hit and just by all indications it can take months to rebuild it. We can rebuild it. We will rebuild it ... but it's going to take time."

The attack left staff and some of the college's 11,000 students unable to access email or the Microsoft communications platform Teams. 

The college launched an investigation into the cyber-attack to gauge its impact. On February 1, PSCC began informing an unspecified number of individuals that their sensitive information may have been compromised in the attack. 

A notice on the college's website states: "Our investigation confirmed that the attacker had access to our Active Directory database, which includes first and last name; PSCC username; PSCC email address; office location and phone number; job title and department (if an employee); P number (a unique number assigned to each student and employee used only at PSCC and not used to sign documents); General user ID number (a long random string of numbers used only by PSCC in its Banner system); and PSCC account password (hashed)."

The college added that cyber-criminals may have also been able to access "other personal data in our system."

PSCC said that the individuals whose data may have been accessed and acquired in the attack included former and current students, faculty, staff and participants in Tennessee Consortium for International Studies (TNCIS) programs.

Categories: Cyber Risk News

#Enigma2022: Security's Role in Helping HealthTech Find Its Way

Fri, 02/04/2022 - 16:04

Securing healthcare technologies is critical to human health and safety, not just in the medical setting but also with consumer HealthTech.

In an afternoon session on February 3 at the Enigma 2022 conference, Joy Forsythe, director of security at Alto Pharmacy, explained that HealthTech is a growing area of healthcare products and services targeted at consumers that are available outside traditional medical establishments. HealthTech can include online medical services and both software- and hardware-based human health monitoring technologies.

Forsythe pointed out that any information collected about a person's health by a healthcare provider or medical professional that has a direct relationship with a patient is generally considered protected health information in the US. The US rules protecting such information are known as HIPAA (the Health Insurance Portability and Accountability Act).

She noted that it's not always clear what rules apply when it comes to HealthTech services and devices.

Forces Impacting Security in the Healthcare Ecosystem

Forsythe identified regulations as critical among the primary forces that impact security across the healthcare landscape.

While HIPAA outlines user privacy, other regulations include guidance on security practices issued by the US Department of Health and Human Services (HHS). For example, Forsythe noted that HHS has established that fax is considered a secure transmission method if the recipient's fax number can be confirmed.

"Generally speaking in healthcare, if you verify that the fax number is correct, that's considered secure," she said. "If there's a breach because of a fax that was sent to the correct phone number, the provider is not liable."

While fax is an outdated, decades-old technology, the HHS guidance on email as a secure transmission method is less specific. As a result, Forsythe stressed, many healthcare entities in the US have banned email for sending personal health information.

Industry certification is another strong force that security needs to deal with for healthcare security.

"Certification is an attempt to standardize third-party risk assessments and simplify vendor management," Forsythe said. "But certification often pushes outdated security controls, and they failed to reduce risk in modern environments."

How HealthTech Can Improve Security

Not all HealthTech devices are bound by the same regulations in the US as technologies and services directly provided by medical professionals.

"Consumer wellness startups are not acting as healthcare providers, and they may not be subject to HIPAA for a while," she commented. "They still have to abide by other privacy laws that are often less burdensome."

The opportunity for security people in HealthTech is to do the risk identification for the privacy rules that do apply, such as CCPA in California or GDPR in Europe.

It's also important that HealthTech providers track which data is identifiable because that's the data that matters for privacy. Additionally, she recommends that HealthTech providers enable an auditable record of all access to user data by services, employees and partners.

Forsythe concluded by emphasizing the role that security can play in HealthTech: "I think there's still a lot of opportunity for security to come into HealthTech organizations and make a difference in how they handle data."

Categories: Cyber Risk News

US Accuses Russia of Disinformation Plot to Justify Invasion of Ukraine

Fri, 02/04/2022 - 13:00

The United States has accused Russia of a disinformation plot to serve as a pretext to an invasion of Ukraine.

The alleged plot centers on a video purporting to show a Ukrainian attack on Russian territory or against Russian-speaking people in eastern Ukraine. According to the US government, the fabricated video would be highly graphic, including images of dead bodies.

On Thursday, Pentagon spokesman John Kirby told reporters: "We do have information that the Russians are likely to want to fabricate a pretext for an invasion.

"As part of this fake attack, we believe that Russia would produce a very graphic propaganda video, which would include corpses and actors that would be depicting mourners and images of destroyed locations."

The US government added that it revealed the plans to help prevent conflict from breaking out in the region. However, no evidence was provided to support its claim, which Russia has denied.

The BBC reported that senior US officials believe the video is just one of a number of ideas Russia has to provide a pretext to invade Ukraine.

The claim has come amid mounting tension in the region, which has led to a massive build-up of Russian troops on its border with Ukraine.

Jake Moore, global cybersecurity advisor at ESET, noted that advancements in deepfake technologies are facilitating the use of fabricated videos, potentially to provoke war. “This reported use of deep fakery would highlight the extreme and dramatic turn in the nature of warfare that we are witnessing. Being able to drum up fear is often as powerful as the attack itself. In this new age of deepfake weaponry, it could worryingly not be too long before we have no idea what is real, making nation-state attacks even more difficult to protect from or predict,” he commented.

Russia has been accused of targeting Ukraine with numerous cyber-attacks in recent weeks, including forcing more than a dozen government websites offline.

Categories: Cyber Risk News

NFT Wash Trading Made Scammers at Least $9m in 2021

Fri, 02/04/2022 - 10:02

Cyber-criminals are making and laundering millions through non-fungible tokens (NFTs), according to new data from Chainalysis.

NFTs are technically unique records on a blockchain that are each linked to a piece of digital content. They can be minted and sold by the content creator to investors, fans and collectors.

Their popularity soared last year, according to Chainalysis.

The Singapore-based blockchain investigations and analytics firm tracked $44.2bn worth of cryptocurrency sent to ERC-721 and ERC-1155 contracts – the two types of Ethereum smart contracts associated with NFT marketplaces and collections. That’s up from just $106m in 2020.

However, this surging market for NFTs also attracted fraudsters and cyber-criminals.

Chainalysis claimed that so-called “wash trading” made scammers $8.9m last year.

Wash trading refers to a situation in which a seller is on both sides of a trade in order to mislead potential buyers about an asset’s value and liquidity.

“In the case of NFT wash trading, the goal would be to make one’s NFT appear more valuable than it really is by ‘selling it’ to a new wallet the original owner also controls,” Chainalysis explained.

“In theory, this would be relatively easy with NFTs, as many NFT trading platforms allow users to trade by simply connecting their wallet to the platform, with no need to identify themselves.”

The firm’s analysis revealed 110 profitable NFT wash trades last year. However, the actual figure for this volume and the profits made from the scams may be much higher, as Chainalysis only looked at activity using Ethereum and wrapped Ethereum (wETH) currencies.
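The detection logic described above, as an added example that is not Chainalysis's own code or method. It treats two trading addresses as one owner when the same wallet funded both of them (this linking heuristic, the address names and the sale records are all constructed assumptions for the illustration), flags every sale whose buyer and seller fall in the same cluster as a wash trade, and then computes what each wash-trading cluster actually realized: proceeds from selling the pumped token to an outsider, minus what it paid an outsider for the token and the gas it spent, so a token that was pumped but never resold shows up as a loss rather than a profit.

```python
"""Flag NFT wash trades and estimate what they earned, on constructed data.

Added example, not Chainalysis code. Heuristic (an assumption): two addresses
are treated as one owner when the same wallet sent them their first ETH, so a
sale whose buyer and seller fall in the same funding cluster is a wash trade.
"""
from collections import defaultdict
from dataclasses import dataclass

ETH = 10**18  # prices and fees below are in wei


@dataclass(frozen=True)
class Sale:
    block: int
    token: str      # "<collection>:<tokenId>"
    seller: str
    buyer: str
    price: int      # wei paid by the buyer
    gas: int        # wei of gas paid by the buyer's transaction


@dataclass(frozen=True)
class Funding:
    funder: str     # address that sent the first ETH to `funded`
    funded: str


def build_clusters(fundings, addresses):
    """Union-find over funding edges; returns address -> cluster label."""
    parent = {a: a for a in addresses}
    for f in fundings:
        parent.setdefault(f.funder, f.funder)
        parent.setdefault(f.funded, f.funded)

    def find(a):
        while parent[a] != a:
            parent[a] = parent[parent[a]]   # path halving
            a = parent[a]
        return a

    for f in fundings:
        ra, rb = find(f.funder), find(f.funded)
        if ra != rb:
            parent[rb] = ra
    members = defaultdict(set)
    for a in parent:
        members[find(a)].add(a)
    # label each cluster by its lexically smallest member for stable output
    return {a: min(members[find(a)]) for a in parent}


def detect_wash_trades(sales, fundings):
    """Sales where buyer and seller resolve to the same funding cluster."""
    addrs = {s.seller for s in sales} | {s.buyer for s in sales}
    cluster = build_clusters(fundings, addrs)
    return [s for s in sales if cluster[s.seller] == cluster[s.buyer]]


def wash_profit(sales, fundings):
    """Realized profit per wash-trading cluster, in wei.

    For every token a cluster wash traded: proceeds from sales to outside
    buyers, minus what the cluster paid outside sellers for it, minus gas the
    cluster paid on every purchase of that token (wash trades included).
    """
    addrs = {s.seller for s in sales} | {s.buyer for s in sales}
    cluster = build_clusters(fundings, addrs)
    washed = defaultdict(set)  # cluster label -> tokens it wash traded
    for s in sales:
        if cluster[s.seller] == cluster[s.buyer]:
            washed[cluster[s.buyer]].add(s.token)
    profit = defaultdict(int)
    for s in sales:
        cs, cb = cluster[s.seller], cluster[s.buyer]
        if s.token in washed.get(cb, ()):
            profit[cb] -= s.gas             # cluster paid gas as buyer
            if cs != cb:
                profit[cb] -= s.price       # bought from an outsider
        if s.token in washed.get(cs, ()) and cs != cb:
            profit[cs] += s.price           # dumped on an outsider
    return dict(profit)


# Constructed sample data (hypothetical addresses, not real chain data).
FUNDINGS = [
    Funding("0xf00d", "0xa11ce"),    # one wallet topped up both...
    Funding("0xf00d", "0xb0b"),      # ...trading addresses -> same owner
    Funding("0xc0ffee", "0xca1"),
    Funding("0xdead", "0xd4ve"),
]
SALES = [
    Sale(100, "punk:1", "0xca1",   "0xa11ce", 1 * ETH, ETH // 100),  # real buy
    Sale(101, "punk:1", "0xa11ce", "0xb0b",   5 * ETH, ETH // 50),   # wash
    Sale(102, "punk:1", "0xb0b",   "0xa11ce", 8 * ETH, ETH // 50),   # wash
    Sale(103, "punk:1", "0xa11ce", "0xd4ve",  7 * ETH, ETH // 100),  # exit to outsider
    Sale(104, "punk:2", "0xca1",   "0xd4ve",  2 * ETH, ETH // 100),  # legitimate
]

if __name__ == "__main__":
    for s in detect_wash_trades(SALES, FUNDINGS):
        print(f"wash trade: block {s.block} {s.token} {s.seller} -> {s.buyer}")
    for owner, p in wash_profit(SALES, FUNDINGS).items():
        print(f"{owner}: realized {p / ETH:.2f} ETH from wash trading")
```

On the sample data the two round trips between 0xa11ce and 0xb0b are flagged, and the cluster nets 5.95 ETH: 7 ETH from the outsider who bought the pumped token, less the 1 ETH it originally paid and 0.05 ETH of gas. The funding heuristic is deliberately crude; a real analysis would also cluster on shared withdrawal addresses and timing, and, as the text notes, anything traded outside ETH/wETH is invisible to it.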

The firm urged NFT marketplaces to clamp down on such activity.

“NFT wash trading exists in a murky legal area. While wash trading is prohibited in conventional securities and futures, wash trading involving NFTs has yet to be the subject of an enforcement action,” it said.

“However, that could change as regulators shift focus and apply existing anti-fraud authorities to new NFT markets. More generally, wash trading in NFTs can create an unfair marketplace for those who purchase artificially inflated tokens, and its existence can undermine trust in the NFT ecosystem, inhibiting future growth.”

The report also revealed a growing trend of NFTs being purchased to launder illicit funds. In Q3 and Q4 2021, Chainalysis tracked $2.4m in funds sent to NFT marketplaces from “scam-associated addresses” and addresses linked to sanctions activity, such as Chatex.

Categories: Cyber Risk News

Cyber-Attacks Hobble Some of Europe's Largest Ports

Fri, 02/04/2022 - 09:25

Oil terminals in some of Europe’s biggest ports appear to have been disrupted by ransomware, according to reports.

A broker in the region told AFP that the attacks are disrupting the oil supply chain.

“There was a cyber-attack at various terminals, quite some terminals are disrupted,” Jelle Vreeman, senior broker at Riverlake in Rotterdam, told the newswire.

“Their software is being hijacked, and they can’t process barges. Basically, the operational system is down.”

The Amsterdam-Rotterdam-Antwerp oil hub, which spans ports across the Netherlands and Belgium, is believed to have borne the brunt of the attacks. AFP cited local Belgian reports that logistics and storage firm SEA-Tank Terminal is one of those impacted in Antwerp.

According to a separate report from The Associated Press, at least two energy companies in the Belgian ports of Antwerp and Ghent were hit by cyber-attacks, with the government’s Federal Computer Crime Unit opening an investigation.

This follows reports earlier this week that two German oil logistics firms were struck by ransomware: Oiltanking GmbH Group and Mabanaft Group.

Both companies were forced to declare force majeure, a legal clause used in emergencies when companies cannot fulfill their contractual obligations.

However, the head of Germany’s federal office for information security, Arne Schönbohm, is quoted as saying the incident is serious but “not grave.”

Anglo-Dutch oil giant Shell has already admitted it has been forced to reroute supplies due to the incident.

The news has uncomfortable echoes of the Colonial Pipeline attack in May 2021, which crippled oil supplies up and down the US east coast for days, leading to queues at gas stations.

This time the culprit, at least in the attacks in Germany, appears to be BlackCat (aka “alphv”), a relatively new ransomware-as-a-service variant.

Categories: Cyber Risk News

Trustpilot Set to Sue Firms That Solicit Fake Reviews

Fri, 02/04/2022 - 08:50
Trustpilot Set to Sue Firms That Solicit Fake Reviews

Trustpilot said today that it is planning legal action against businesses involved in soliciting fraudulent reviews on its site.

The Danish consumer reviews platform said it was forced to remove over two million fake reviews in 2020 alone, accounting for nearly 6% of those submitted to its site that year.

Although the firm is investing in automated fraud detection, enforcement and anomaly detection technologies, it said this will now be matched by a step-up in litigation efforts.

Repeat offenders will be hit with enforcement action. Trustpilot said it would seek to prevent them from soliciting fake reviews and try to recover any damages owed. If successful, these will be donated to organizations that protect consumers from online misinformation.

Other tools at Trustpilot’s disposal are cease and desist notices, termination of business, and public banners on offending firms’ profile pages indicating fraud.

“Consumers rely heavily on reviews to make more informed and confident purchasing decisions each and every day. Protecting and promoting trust is fundamental to Trustpilot’s mission,” said the digital firm’s chief trust officer, Carolyn Jameson.

“Whilst the vast majority of businesses use reviews constructively to help get them closer to their customers, we’re prepared to do everything within our power to clamp down on the small minority who do not behave as they should, and instead  use fake and misleading reviews to take advantage of consumers – often those consumers who are particularly vulnerable.”

Fake reviews are an increasing problem for platform providers, consumers and innocent vendors. A report out last year estimated that they could be responsible for as much as $152bn in purchases.

Also, last year, a misconfigured cloud database exposed a significant scheme by vendors on the Amazon marketplace to buy fake reviews from consumers. Vendors sent reviewers a list of products to choose from, and if they left a five-star review, the individual got to keep the item.

At least 200,000 fake reviewers were implicated in this one scheme alone.

The situation has deteriorated to the point that regulators are stepping in. Last June, the UK’s Competition and Markets Authority (CMA) announced the opening of a formal probe into Amazon and Google over concerns that they’re not doing enough to protect consumers from fake reviews. 

Categories: Cyber Risk News

Education Provider Infosec Announces New Cybersecurity Scholarships

Thu, 02/03/2022 - 18:00
Education Provider Infosec Announces New Cybersecurity Scholarships

Cybersecurity education provider Infosec Institute is offering scholarships to 15 individuals from underrepresented groups in the cybersecurity industry. 

The $225k in scholarship opportunities will be awarded to veterans, people who identify as BIPOC, students, women who are actively pursuing a career in cybersecurity and members of the LGBTQI+ communities.

Infosec said awarding the scholarships was to reduce the cyber skills and diversity gaps in the industry.

The latest opportunities are part of the institute’s Accelerate Scholarship Program , which has awarded over $500k to aspiring cybersecurity professionals since it was set up in 2018. 

Under the program, 15 scholarship recipients are selected each year to receive lifetime subscriptions to the virtual cybersecurity training resource Infosec Skills, which includes access to more than 1,400 practical courses, certification training and hundreds of virtual labs in the institute’s cloud-hosted cyber ranges. 

“The need for trained cyber professionals continues to grow, and so does our commitment to helping aspiring professionals advance their careers or get started in this industry,” said Jack Koziol, Infosec CEO and founder. 

“Cybersecurity education can be cost and time prohibitive. Our goal with these scholarships is to break down the barrier of entry, helping fill security roles with talent who bring new perspectives and experiences to our industry.”

Applicants must be at least 18 years old to apply and must be resident in the United States. The deadline to apply for the 2022 Infosec Accelerate Scholarship Program is July 31 2022. Successful applicants will be announced in the first week of September.

The Infosec Accelerate Undergraduate Scholarship is open to college students actively pursuing an associate or bachelor’s degree in a cybersecurity-related field. To apply, students must have a GPA of 3.0 or higher. 

“Now in the fifth year of offering this program, we’re proud to support the growth of our scholarship winners,” said Koziol. 

“We’ve seen many successes with our previous recipients, the motivation and drive they have to learn is inspiring. We will continue to push for and provide opportunities for all types of people to excel in the cybersecurity industry.”

Categories: Cyber Risk News

DHS Creates Cyber Safety Review Board

Thu, 02/03/2022 - 17:30
DHS Creates Cyber Safety Review Board

The United States Department of Homeland Security has established a Cyber Safety Review Board (CSRB) to investigate “significant cyber incidents.” 

Mandated via President Joe Biden’s May 12 2021 executive order (EO 14028) on improving the nation’s cybersecurity, the board “shall review and assess, with respect to significant cyber incidents […] affecting Federal Civilian Executive Branch Information Systems or non-Federal systems, threat activity, vulnerabilities, mitigation activities and agency responses.”

The CSRB, which was chartered on September 21 2021, will only operate in an advisory capacity.

Rob Silvers, the DHS’ undersecretary for strategy, policy and plans, has been selected to chair the board for two years. Together with Cybersecurity and Infrastructure Security Agency director Jen Easterly, Silvers will choose up to 20 individuals to serve as board members.

CSRB will be formed by a mixture of government workers and private sector representatives who may need to obtain security clearances. According to instructions included in Biden’s EO, the person chosen to serve as the board’s deputy chair should work in the private sector. 

Members will include at least one representative from the Department of Defense, the Department of Justice, DHS, CISA, the National Security Agency and the Federal Bureau of Investigation. 

A notice published in the Federal Register on Thursday stated: “The CSRB will convene following significant cyber-incidents that trigger the establishment of a Cyber Unified Coordination Group as provided by section V(B)(2) of Presidential Policy Directive (PPD) 41; at any time as directed by the President acting through the Assistant to the President for National Security Affairs (APNSA); or at any time the Secretary or CISA Director deems necessary.”

After reviewing a cyber-incident, the CSRB “may develop advice, information, or recommendations for the Secretary for improving cybersecurity and incident response practices and policy.”

The notice said that CSRB’s advice on cybersecurity would be made publicly available “whenever possible” but that some information may be redacted to prevent the disclosure of sensitive data.

DHS secretary Alejandro Mayorkas has exempted the board from the transparency rules of the Federal Advisory Committee Act “in recognition of the sensitive material utilized in CSRB activities and discussions.” 

Categories: Cyber Risk News

#Enigma2022: Contextual Security Should Supplement Machine Learning for Malware Detection

Thu, 02/03/2022 - 17:00
#Enigma2022: Contextual Security Should Supplement Machine Learning for Malware Detection

Malware continues to be one of the most effective attack vectors in use today, and it is often combatted with machine learning-powered security tools for intrusion detection and prevention systems.

According to Nidhi Rastogi, Assistant Professor at the Rochester Institute of Technology, machine learning security tools are not nearly as effective as they could be, because several distinct limitations hinder them. Rastogi presented her views on the limitations of machine learning for security, and a potential remedy known as contextual security, in a session on February 2 at the Enigma 2022 conference.

A key challenge for contemporary machine learning security comes from false alerts. Rastogi explained that they hurt in two ways: false positives waste analysts’ time, while false negatives leave security gaps that could expose an organization to unnecessary risk.

"It is very difficult to get rid of false positives and false negatives," Rastogi said.

Why Machine Learning Models Generate False Alerts

Among the primary reasons machine learning models tend to generate false alerts is a lack of sufficient representative data.

A machine learning model learns its task from whatever training data set it is given. If that data set does not contain representative samples of a malware family, the model cannot identify that family accurately.

Rastogi said that one possible way to improve machine learning security models is to integrate a continuous learning model. In that approach, as new attack vectors and vulnerabilities are discovered, the new data is continuously being used to train the machine learning system.

Adding Context to Boost Malware Detection Efficacy

However, getting the right data to train a model is often easier said than done. Rastogi suggests providing additional context as an opportunity to improve malware detection and machine learning models.

The additional context can be derived from third-party and open source intelligence (OSINT) sources, which provide threat reports and analysis on new and often novel attacks. The challenge with OSINT is that it usually arrives as unstructured data, blog posts and other formats that do not work particularly well for training a machine learning model.

"These reports are written in human-understandable language and provide context which otherwise wouldn't be possible to capture in code," Rastogi said.

Using Knowledge Graphs for Contextual Security

So how can unstructured data help to inform machine learning and improve malware detection? Rastogi and her team are attempting to use an approach known as a knowledge graph.

A knowledge graph uses what is known as a graph database, which maps the relationship between different data points. According to Rastogi, the biggest advantage of using knowledge graphs is that it enables an approach to capture and better understand unstructured information written in a language understood by humans.

"All of this combined data on a knowledge graph can help to identify or infer attack patterns when a malware threat is evolving," she said. "That's the advantage of using knowledge graphs, and that's what our research is pursuing."

By adding context and data lineage that help track the source of the data and its trustworthiness, Rastogi said that the overall accuracy of malware detection could be improved.

"We need to go beyond measuring the performance of machine learning models using accuracy and precision scores," Rastogi said. "We want to be able to help analysts by inference with confidence and context."
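To make the knowledge-graph idea concrete, the added example below (not code from Rastogi’s group; the facts, source names, trust values and technique labels are all constructed) stores threat-intelligence triples with a source and a confidence, then walks a fixed path from an observed indicator through the samples that contacted it and their malware families to the techniques an analyst should hunt for. Each result carries a score and the lineage of sources it was inferred from, so a downgraded source lowers, rather than silently keeps, the conclusions that depend on it.

```python
"""Tiny threat-intelligence knowledge graph with source lineage.

Added example, not code from Rastogi's research group: the facts,
source names, trust values and technique labels are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Fact:
    subject: str
    predicate: str
    obj: str
    source: str        # lineage: which report or feed asserted this triple
    confidence: float  # 0..1, how firmly that report asserts it


class ThreatGraph:
    def __init__(self, source_trust):
        self.source_trust = dict(source_trust)  # analyst-assigned trust per source
        self.outgoing = defaultdict(list)       # subject -> facts
        self.incoming = defaultdict(list)       # object  -> facts

    def add(self, fact):
        self.outgoing[fact.subject].append(fact)
        self.incoming[fact.obj].append(fact)

    def weight(self, fact):
        """Edge weight: claim confidence scaled by trust in its source."""
        return fact.confidence * self.source_trust.get(fact.source, 0.0)

    def step(self, node, predicate, reverse):
        facts = self.incoming[node] if reverse else self.outgoing[node]
        for fact in facts:
            if fact.predicate == predicate:
                yield (fact.subject if reverse else fact.obj), fact

    def infer(self, start, path):
        """Walk a predicate path from `start`; each element is (predicate, reverse).
        Scores multiply along a path (an independence assumption); per endpoint
        the best-scoring path and its source lineage are kept."""
        frontier = {start: (1.0, ())}
        for predicate, reverse in path:
            nxt = {}
            for node, (score, lineage) in frontier.items():
                for neighbour, fact in self.step(node, predicate, reverse):
                    s = score * self.weight(fact)
                    if neighbour not in nxt or s > nxt[neighbour][0]:
                        nxt[neighbour] = (s, lineage + (fact.source,))
            frontier = nxt
        return frontier


# indicator <-connects_to- sample -belongs_to-> family -uses_technique-> technique
HUNT_PATH = [("connects_to", True), ("belongs_to", False), ("uses_technique", False)]


def techniques_for_indicator(graph, indicator, min_score=0.0):
    """Rank techniques worth hunting for, given one observed indicator.
    Returns [(technique, score, lineage)] best first."""
    hits = graph.infer(indicator, HUNT_PATH)
    ranked = [(t, round(score, 4), lineage)
              for t, (score, lineage) in hits.items() if score >= min_score]
    return sorted(ranked, key=lambda r: -r[1])


# Constructed sample: one C2 address (TEST-NET-3 range), two samples, two families.
SOURCE_TRUST = {"sandbox": 1.0, "vendor_blog": 0.9, "forum_post": 0.4}
SAMPLE_FACTS = [
    Fact("sample:9f3a", "connects_to", "203.0.113.7", "sandbox", 0.95),
    Fact("sample:c0de", "connects_to", "203.0.113.7", "sandbox", 0.95),
    Fact("sample:9f3a", "belongs_to", "FamilyX", "vendor_blog", 0.9),
    Fact("sample:c0de", "belongs_to", "FamilyY", "forum_post", 0.6),
    Fact("FamilyX", "uses_technique", "T1071.001", "vendor_blog", 0.9),
    Fact("FamilyX", "uses_technique", "T1547.001", "vendor_blog", 0.5),
    Fact("FamilyY", "uses_technique", "T1547.001", "forum_post", 0.7),
]


def build_sample_graph(source_trust=SOURCE_TRUST):
    graph = ThreatGraph(source_trust)
    for fact in SAMPLE_FACTS:
        graph.add(fact)
    return graph


if __name__ == "__main__":
    for technique, score, lineage in techniques_for_indicator(build_sample_graph(), "203.0.113.7"):
        print(f"{technique}: {score} via {' -> '.join(lineage)}")
```

Running it with the sample facts ranks T1071.001 (sandbox, vendor blog, vendor blog) above T1547.001; the forum-sourced path to T1547.001 exists but scores far lower, which is the lineage-and-trust point Rastogi makes. Passing a different `source_trust` to `build_sample_graph` re-scores everything without touching the facts.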

Categories: Cyber Risk News

KP Snacks Hit by Cyber-attack

Thu, 02/03/2022 - 16:47
KP Snacks Hit by Cyber-attack

Brits could be facing a snack shortage following a cyber-attack on 169-year-old food producer KP Snacks.

The German-owned maker of KP Nuts, Hula Hoops, Choc Dips, Nik Naks and Butterkist popcorn was targeted by threat actors on Friday. After gaining access to the company's network, hackers deployed ransomware and took the snack maker's data hostage.

"As soon as we became aware of the incident, we enacted our cybersecurity response plan and engaged a leading forensic information technology firm and legal counsel to assist us in our investigation," said the British-based firm, which is known internationally for its potato chips sold under brands that include McCoy's, Tyrrell's and POM-BEAR.

KP Snacks, which is owned by Intersnack, said that its internal IT teams are working with third-party experts to assess the situation.

Shoppers seeking their favorite snacks may go home disappointed as the website Better Retailing, which first published news of the attack, reported that retailers had been warned by KP Snacks of delays to deliveries. 

According to a letter sent out to shop owners and published by Better Retailing, KP Snacks “cannot safely process orders or dispatch goods” because of the cyber-attack.

Disruptions including late deliveries and cancellations could plague the snack maker "until the end of March at the earliest". 

“While this is causing some disruption to our manufacturing and shipping processes, we are already working on plans to keep our products stocked and on shelves,” said the company in a statement. 

“We have been continuing to keep our employees, customers, and suppliers informed of any developments and apologize for any disruption this may have caused.”

BBC News reported that cyber-criminals have published on the dark net what appear to be personal documents from KP Snacks staff, featuring the company letterhead. The post threatened to publish more data unless a ransom was paid.

Keiron Holyome, vice president UK, Ireland and Middle East at BlackBerry, commented: “This attack on KP Snacks underscores that the global cyber risk equally applies to British institutions and their supply chains, with KP Snacks now predicting shortages after a ransomware attack.

“It doesn’t matter whether it’s logistics, fuel or food–these supply chains present unique and complex challenges from a cybersecurity perspective.”

Categories: Cyber Risk News

Growing Number of Phish Kits Bypass MFA

Thu, 02/03/2022 - 10:12
Growing Number of Phish Kits Bypass MFA

Phishing kits designed to circumvent multi-factor authentication (MFA) by stealing session cookies are increasingly popular on the cybercrime underground, security researchers at Proofpoint have warned.

After years of prompting by security teams and third-party experts, MFA finally appears to have reached a tipping point of user adoption. Figures from Duo Security cited by Proofpoint in a new blog today claim that 79% of UK and US users deployed some kind of second-factor authentication in 2021 versus 53% in 2019.

However, the threat landscape is changing as a result. Phishing kits offer a cheap-and-easy way for budding cyber-criminals to launch and monetize campaigns.

“In recent years, Proofpoint researchers have observed the emergence of a new type of kit that does not rely on recreating a target website. Instead, these kits use a transparent reverse proxy to present the actual website to the victim,” the firm explained.

“Modern web pages are dynamic and change frequently. Therefore, presenting the actual site instead of a facsimile greatly enhances the illusion an individual is logging in safely. Another advantage of the reverse proxy is that it allows the threat actor to man-in-the-middle (MitM) a session and capture not only the usernames and passwords in real-time, but also the session cookie.”

These cookies can then be used to access a targeted account without needing a username, password or MFA token.
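A transparent reverse proxy defeats one-time codes because the server cannot tell whether the code was typed at the real site or relayed through the proxy. Origin-bound authentication closes that gap: the browser records the origin it actually loaded in clientDataJSON, and the authenticator signs over it, so a relying party can reject an assertion that was produced on the proxy’s domain. The added example below (not from Proofpoint’s post; RP_ID, EXPECTED_ORIGIN and the proxy hostname are placeholders) implements the standard WebAuthn relying-party checks on the origin, challenge and rpIdHash; verifying the signature over authenticatorData plus the hash of clientDataJSON is a separate step that is left out.

```python
"""Relying-party checks that make a reverse-proxy phish fail under WebAuthn.

Added example, not from Proofpoint's post. RP_ID, EXPECTED_ORIGIN and the
proxy hostname are constructed placeholders. Signature verification over
authenticatorData || SHA-256(clientDataJSON) is a separate step, omitted.
"""
import base64
import hashlib
import json

RP_ID = "login.example.com"                    # assumption
EXPECTED_ORIGIN = "https://login.example.com"  # assumption


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def verify_assertion_context(client_data_b64, authenticator_data, expected_challenge):
    """Return (ok, reason). Checks the browser-supplied clientDataJSON and the
    authenticator's rpIdHash and flags before any signature check."""
    try:
        client_data = json.loads(b64url_decode(client_data_b64))
    except (ValueError, UnicodeDecodeError):
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replay or wrong session)"
    origin = client_data.get("origin")
    if origin != EXPECTED_ORIGIN:
        # A proxied victim's browser loaded the proxy's domain, so this is what it records.
        return False, f"origin {origin!r} is not {EXPECTED_ORIGIN!r}"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match the relying party"
    flags = authenticator_data[32]
    if not flags & 0x01:
        return False, "user presence (UP) flag not set"
    return True, "ok"


# Helpers that build what a browser and authenticator would normally produce.
def make_client_data(origin, challenge):
    payload = {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    return b64url_encode(json.dumps(payload).encode())


def make_authenticator_data(rp_id, flags=0x05, sign_count=1):
    # rpIdHash (32) || flags (1: UP=0x01, UV=0x04) || signCount (4)
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")


CHALLENGE = b64url_encode(b"constructed-challenge-0001")  # constructed per-login nonce


def legitimate_login():
    return verify_assertion_context(
        make_client_data(EXPECTED_ORIGIN, CHALLENGE), make_authenticator_data(RP_ID), CHALLENGE)


def proxied_login():
    # The victim's browser actually loaded the proxy's domain (constructed name),
    # so that is the origin it writes into clientDataJSON.
    return verify_assertion_context(
        make_client_data("https://login.example.com.evil-proxy.test", CHALLENGE),
        make_authenticator_data(RP_ID), CHALLENGE)


if __name__ == "__main__":
    print("legitimate:", legitimate_login())
    print("proxied:   ", proxied_login())
```

The legitimate call returns ok and the proxied one is rejected on origin. In practice the browser usually refuses the ceremony even earlier, because a page on the proxy’s domain is not allowed to request RP_ID `login.example.com`; if the proxy rewrites the RP ID to its own domain instead, the rpIdHash check above fails. None of this protects a session cookie that was already captured, so the session lifetime and re-authentication policy still matter.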

Proofpoint has already noticed an uptick in the availability of such phishing kits and warned that the trend would only grow as MFA becomes more popular. They include “Modlishka,” “Muraena/Necrobrowser” and “Evilginx2.”

“We are now in 2022, the pandemic still rages, many workers are still working from home and many may not return to the office. As more companies follow Google’s lead and start requiring MFA, threat actors will rapidly move to solutions like these MitM kits,” Proofpoint concluded.

“They are easy to deploy, free to use, and have proven effective at evading detection. The industry needs to prepare to deal with blind spots like these before they can evolve in new unexpected directions.”

Categories: Cyber Risk News

Home Improvement Firm Fined £200k for Nuisance Calls

Thu, 02/03/2022 - 09:35
Home Improvement Firm Fined £200k for Nuisance Calls

A Welsh home improvement firm has been fined £200,000 by the UK’s privacy watchdog after making more than half a million nuisance phone calls.

Home2Sense Ltd of Lampeter made 675,478 nuisance calls between June 2020 and March 2021 to offer individuals insulation services, according to the Information Commissioner’s Office (ICO).

However, these people were registered with the Telephone Preference Service (TPS), meaning they had explicitly opted out of receiving unsolicited marketing calls.

Under the UK’s Privacy and Electronic Communications Regulations (PECR), it is illegal to make unsolicited marketing calls to anyone whose number has been registered with the TPS for 28 days or more, unless that person has explicitly notified the company that they do not object to receiving such calls.

Among the scores of complaints made to the ICO about Home2Sense’s business practices, one distressed victim said a call center marketer asked to speak to their late mother, who had passed away a decade earlier.

“This is my recently deceased mother’s house that I have just inherited in the past few months. It was extremely upsetting to have someone deliberately cold-call me,” they complained.

On other calls, the operative posed as a local surveyor and claimed the recipient might be in line for a free grant to replace their loft insulation.

The company also illegally used several aliases when presenting themselves to the public, including “Cozy Loft,” “Warmer Homes” and “Comfier Homes.”

Head of ICO regions, Ken Macdonald, argued that the firm’s attempt to blame its staff for failing to screen individuals on the TPS list shows a complete disregard for victims’ privacy.

“Some of the complainants described the calls received as ‘aggressive,’ and the company caused two complainants to feel distressed and upset when they asked to speak to a relative that had passed away,” he added.

“Business owners operating in this field have a duty to have robust procedures and training in place so the law is followed. Attempts to rely on ignorance of the law, or trying to pass the buck onto members of staff or external suppliers, will not be tolerated.”

However, it remains to be seen whether Home2Sense ends up paying the full £200,000. Just a quarter (26%) of the monetary value of fines issued by the ICO from January 2020 to September 2021 had been paid, according to a November 2021 report. That is down from 32% during the previous reporting period (January 2019 to August 2020).

Fines for nuisance calls were among the most likely to remain unpaid, with nearly 80% yet to be collected.

Categories: Cyber Risk News