Info Security


Atom Silo Uses DLL Side-Loading to Deploy Ransomware

Wed, 10/06/2021 - 08:48

Security researchers have warned of a new ransomware variant leveraging a recently disclosed vulnerability for initial access and going to great lengths to evade detection.

Atom Silo is almost identical to the LockFile ransomware spotted spreading earlier this year by exploiting PetitPotam and ProxyShell vulnerabilities in Microsoft products, according to Sophos.

However, in Atom Silo’s case, the variant exploited a vulnerability in Atlassian’s Confluence collaboration software made public just three weeks before the attack.

Interestingly, the researchers discovered that a separate threat actor had exploited the same bug to deploy a coinminer (also called a cryptocurrency miner) on the victim organization’s system.

“For many organizations, keeping up with the pace of patching can be a challenge in the best of times — and the effects of lock-down and other recent stressors affecting staff availability are only making keeping up with patches more difficult,” said Sophos researchers Sean Gallagher and Vikas Singh.

“Ransomware operators and other malware developers are becoming very adept at taking advantage of these gaps, jumping on published proof-of-concept exploits for newly-revealed vulnerabilities and weaponizing them rapidly to profit off them.”

The ransomware actors also used “well-worn techniques in new ways, and made significant efforts to evade detection prior to launching the ransomware,” they argued.

Specifically, the intrusion began with an Object-Graph Navigation Language (OGNL) injection attack, which provided a backdoor via which they dropped and executed additional files for a second covert backdoor.

These files included a legitimate, signed executable from a third-party software provider that was vulnerable to an unsigned DLL side-load attack.

Sophos warned that such techniques are becoming increasingly common and challenging to defend against.

“Abuse of legitimate but vulnerable software components through DLL side-loading and other methods has long been a technique used by attackers with a wide range of capabilities, and it has filtered down to the affiliates of ransomware operators and other cyber-criminals,” the researchers explained.

“While abuse of some of these legitimate, signed components is well-enough known to defend against, the supply of alternative vulnerable executables is likely deep. Spotting legitimate executables that exist outside of the context of the products they are supposed to be part of requires vigilance — and vulnerability disclosure by the vendors they come from.”

Once the backdoor was loaded, the attackers proceeded to lateral movement, exfiltration and encryption, disrupting Sophos endpoint protection in the process via a malicious kernel driver to evade detection.

Categories: Cyber Risk News

Patch Apache HTTP Servers Now to Avoid Zero Day Exploit

Wed, 10/06/2021 - 08:16

Apache HTTP Server users have been urged to immediately patch after it emerged that a zero-day vulnerability in the popular open-source software is being exploited in the wild.

CVE-2021-41773 is described as a path traversal flaw in version 2.4.49, which was itself only released a few weeks ago.

“An attacker could use a path traversal attack to map URLs to files outside the expected document root,” a description of the bug noted. “If files outside of the document root are not protected by ‘require all denied’ these requests can succeed. Additionally, this flaw could leak the source of interpreted files like CGI scripts.”
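The advisory text describes two separate layers: the URL-to-file mapping that should never leave the document root, and the `Require all denied` on `/` that catches a request which does. The Python below is an added example for this article, not httpd's code and not a reproduction of the 2.4.49 normaliser. It models the bug class in a constructed form (a mapper that collapses `..` on the raw URL and percent-decodes afterwards, beside one that decodes once and then proves containment) and a toy `<Directory>`-style policy in which the most specific matching directory wins and a path matching no block has no Require rule at all. The document root, the policies and the `.%2e` probe request are all assumptions for the example.

```python
import posixpath
from urllib.parse import unquote

DOCROOT = "/var/www/html"                              # assumed document root
PROBE = "/cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd"      # assumed traversal probe: each ".%2e" decodes to ".."


def naive_map(docroot, url_path):
    """Vulnerable pattern (a constructed model of the bug class, not httpd's code):
    collapse '..' segments on the raw URL first, percent-decode afterwards.
    A segment written as '.%2e' is not '..' yet when the check runs."""
    kept = []
    for seg in url_path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if kept:
                kept.pop()
            continue
        kept.append(seg)
    decoded = [unquote(s) for s in kept]
    # the filesystem resolves any '..' that survived: model that with normpath
    return posixpath.normpath(posixpath.join(docroot, *decoded))


def safe_map(docroot, url_path):
    """Decode exactly once, normalise, then prove containment in the document root.
    Returns None when the request would escape (the caller answers 403)."""
    decoded = unquote(url_path)
    if "\x00" in decoded:
        return None
    root = posixpath.normpath(docroot)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


# Assumed authorisation policies in the spirit of httpd <Directory> blocks: the most
# specific matching directory wins, and a path that matches no block has no Require rule.
ROOT_DENIED = {"/": "denied", "/var/www/html": "granted"}   # "Require all denied" on "/" kept
ROOT_OPEN = {"/var/www/html": "granted"}                    # the "/" block removed


def authorized(fs_path, policy):
    matches = [d for d in policy if fs_path == d or fs_path.startswith(d.rstrip("/") + "/")]
    if not matches:
        return True      # nothing denies it: this is the gap the advisory warns about
    return policy[max(matches, key=len)] == "granted"


def serve(url_path, mapper, policy, docroot=DOCROOT):
    """HTTP status the request would receive: 403 if mapping or authorisation refuses it."""
    fs_path = mapper(docroot, url_path)
    if fs_path is None or not authorized(fs_path, policy):
        return 403
    return 200


if __name__ == "__main__":
    for name, mapper in (("naive", naive_map), ("safe", safe_map)):
        for pname, policy in (("root denied", ROOT_DENIED), ("root open", ROOT_OPEN)):
            print(f"{name:5} mapper, {pname:11}: {serve(PROBE, mapper, policy)}")
```

The naive mapper stops a literal `/../../etc/passwd` but maps the encoded probe to `/etc/passwd`; with the `/` block still denying everything the request is refused anyway, and only when that block is gone does the traversal succeed, which is the combination the advisory calls out. The safe mapper refuses the probe regardless of policy. Two details matter in the hardened version: decode once and never in a loop (a double-encoded `%252e` then stays a harmless literal name under the root instead of becoming `..`), and test containment on the normalised result rather than on the request string. The `Require all denied` layer is defence in depth, not a substitute for upgrading to 2.4.50.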

According to Sonatype senior security researcher, Ax Sharma, there are around 112,000 Apache servers across the globe running version 2.4.49, two-fifths of which are located in the US.

He argued that the new zero-day exploit highlights that, even when a vendor releases patches, they may subsequently be bypassed.

On that point, Google research earlier this year claimed that a quarter of zero-day exploits could have been avoided if vendors had taken more time over patching. It noted that 25% of zero-days spotted in 2020 were closely related to previously publicly disclosed vulnerabilities.

The new Apache HTTP Server Version 2.4.50 also includes a fix for a denial of service vulnerability, CVE-2021-41524, discovered a few weeks ago but not thought to have been actively exploited.

Sonatype’s Sharma also warned that unpatched Apache Airflow servers at dozens of tech firms were leaking thousands of credentials and configuration secrets due to poor configuration and security practices.

“Most of these issues could have been avoided by simply upgrading Airflow to version 2, which comes with extensive improvements and security enhancements,” he argued.

Categories: Cyber Risk News

One Identity Acquires OneLogin

Tue, 10/05/2021 - 19:52

Software company One Identity has acquired identity access management (IAM) solutions provider OneLogin.

News of the acquisition by the Quest Software business was announced yesterday; however, the terms of the deal were not disclosed. 

One Identity said that combining OneLogin with its existing privileged access management (PAM), identity governance and administration (IGA), and active directory management and security (ADMS) solutions will allow customers “to take a holistic approach to identity security with trusted, proven technology in each major category.”

Together, the customer bases of OneLogin and One Identity cover a vast cross-section of the world’s enterprises. OneLogin manages more than 40 million identities for 5,500 customers, while One Identity takes care of more than 250 million identities for 5,000 organizations.

“Joining One Identity provides us with the ability to further accelerate our growth and provide additional value for both of our [companies’] customers,” said Brad Brooks, CEO of OneLogin. “With OneLogin’s robust unified platform for both workforce and CIAM, combining forces with One Identity’s suite of products including their PAM solution, will allow new and existing customers, on a global scale, to tap into the market’s only unified identity security platform.”

Citing Verizon’s Data Breach Investigations report that found 61% of breaches are caused by the improper management of credentials used to access data and applications, and roughly 70% are linked to the abuse of accounts with “privileged” access, One Identity said that an end-to-end approach to identity security was important to protect the way organizations work.

“With the proliferation of human and machine identities, the race to the cloud and the rise of remote working, identity is quickly becoming the new edge – and protecting identity in an end-to-end manner has never been more important,” said Bhagwat Swaroop, president and general manager of One Identity. 

“By adding OneLogin to our portfolio, and incorporating it into our cloud-first Unified Identity Security Platform, we can help customers holistically correlate all identities, verify everything before granting access to critical assets and provide real-time visibility into suspicious login activity. With identity at the core, customers can now implement an adaptive zero trust strategy and dramatically improve their overall cybersecurity posture.”

Categories: Cyber Risk News

Squid Game Scenes Cut Over Data Exposure

Tue, 10/05/2021 - 18:40

Netflix has axed some scenes from its hit show Squid Game because the phone numbers it featured turned out to be genuine and in use by people in the real world. 

The deletions were made after the owners of the phone numbers received thousands of text messages and phone calls from curious Squid Game fans located around the globe.

Since premiering on the streaming platform on September 17, Squid Game looks set to become one of the most popular Netflix shows in history. The South Korean fictional drama depicts contestants who are deeply in debt playing children's games to win a life-altering amount of cash. In a disturbing twist, players who lose are executed. 

A Korean man from Gyeonggi province, who claims his digits were exposed in a subway scene featured in the first episode of the show, said that his phone has been overwhelmed with thousands of nuisance calls. 

Speaking to Korean publication Money Today, he said: "It has come to the point where people are reaching out day and night due to their curiosity."

The constant contact from Squid Game fans has prevented the man from receiving calls and messages that are actually intended for him.

"It drains my phone's battery, and it turns off," he said. 

He added: “At first, I didn’t know why, then my friend told me that my number came out in Squid Game.”

The man's phone number allegedly appeared on a business card passed to Lee Jung-Jae’s character, Seong Gi-Hun, by a mysterious man in a black suit.

Changing his number to avoid nuisance calls is not something the man said he wanted to do, since he has used it for business calls for the past decade. 

The man said that his wife, whose phone number is identical to his with the exception of one digit, has also been receiving nuisance calls from Squid Game fans with careless fingers. 

A spokesperson for Netflix and the show's maker Siren Pictures said: "Together with the production company, we are working to resolve this matter, including editing scenes with phone numbers where necessary."

Categories: Cyber Risk News

Northern Irish Voucher Scheme Marred by Identity Snag

Tue, 10/05/2021 - 17:20

A voucher scheme launched by the Northern Ireland Assembly to stimulate economic growth following Covid-19 lockdowns is having an identity crisis. 

Under the £145m High Street Spend Local Scheme, the approximately 1.4 million residents of Northern Ireland who are aged 18 and over are eligible to apply for a £100 Spend Local voucher. 

The voucher takes the form of a prepaid card, which is accepted by businesses across Northern Ireland. To apply for the card, residents must submit their email address along with their National Insurance number (NINO). 

However, it has been reported that the voucher applications of around 1,000 eligible individuals were denied because their NINO had already been used to successfully complete an earlier voucher application. 

It is unclear whether the issue is the result of a system glitch, human error on the part of the applicants, or fraudsters who have been applying for vouchers using stolen NINOs. 

A spokesperson for the Department for the Economy told the BBC that "no fault" had been found in its voucher application system that might account for the situation.

The husband of a woman impacted by the issue told The Nolan Show: "She tried to apply for the card – went online, gave her email address, got her link back and then you click on the link and put in your National Insurance number.

"A screen popped up and said: 'We're sorry but it appears your National Insurance number has been entered already and used by someone else making an application.' And that was it, and the only thing she could do about it was to email [the Department for the Economy]."

The woman subsequently reported the issue to the Department via email. The only response she has received is a message saying that they were aware of the issue.

Her husband told the Belfast Telegraph that as a test, he applied for a voucher using an altered version of his own NINO and was able to advance to the next stage of the application.

The Department for the Economy stated: "The scheme has robust anti-fraud measures in place and this issue will be kept under close review."

Categories: Cyber Risk News

Google Pledges $1m to Secure Open Source Project

Tue, 10/05/2021 - 08:48

Google has announced financial backing for a new initiative designed to incentivize proactive security improvements to open source code.

Unlike bug bounty programs which offer financial rewards to researchers who discover critical software bugs, the Secure Open Source (SOS) project will do the same for developers whose work prevents major vulnerabilities appearing in the first place.

“SOS rewards a very broad range of improvements that proactively harden critical open source projects and supporting infrastructure against application and supply chain attacks,” Google explained.

“To complement existing programs that reward vulnerability management, SOS’s scope is comparatively wider in the type of work it rewards, in order to support project developers.”

The selection process for in-scope projects will take into account NIST guidelines and the new Presidential executive order on cybersecurity, as well as criteria such as how many users will be affected, and how serious an impact a compromise would have.

The initial list of projects includes software supply chain improvements such as hardening of CI/CD pipelines, adoption of software artifact signing and verification, and enhancements that produce higher OpenSSF Scorecard results.

SOS will also look at projects which use OpenSSF Allstar and remediate any discovered issues, and ones capable of earning a CII Best Practice Badge.

Google’s $1m investment will help to fund awards of $10,000 or more for “complicated, high-impact and lasting improvements that almost certainly prevent major vulnerabilities in the affected code or supporting infrastructure.”

Smaller amounts ranging from $505 to $10,000 are available depending on the complexity and benefits.

“This $1 million investment is just the beginning — we envision the SOS pilot program as the starting point for future efforts that will hopefully bring together other large organizations and turn it into a sustainable, long-term initiative under the OpenSSF,” Google concluded.

“We welcome community feedback and interest from others who want to contribute to the SOS program. Together we can pool our support to give back to the open source community that makes the modern internet possible.”

A recent report from Sonatype revealed a 650% year-on-year increase in upstream supply chain attacks impacting open source software components.

Categories: Cyber Risk News

Text Message Giant Reveals Five-Year Breach

Tue, 10/05/2021 - 08:45

A major telecoms service provider has revealed it was the victim of a five-year breach impacting hundreds of customers.

Syniverse routes text messages for hundreds of global telco customers — allowing it to boast of reaching “more people and devices than anyone on Earth.”

However, in a filing with the SEC last week ahead of the firm going public via a merger with a special purpose acquisition company (SPAC), it admitted discovering a major incident back in May.

The unauthorized access to its operational and IT systems was subsequently found to have been ongoing since May 2016.

“Syniverse’s investigation revealed that the individual or organization gained unauthorized access to databases within its network on several occasions, and that login information allowing access to or from its Electronic Data Transfer (EDT) environment was compromised for approximately 235 of its customers,” it continued.

“All EDT customers have been notified and have had their credentials reset or inactivated, even if their credentials were not impacted by the incident. All customers whose credentials were impacted have been notified of that circumstance.”

Although the firm claimed it has seen no efforts to disrupt operations or monetize the attack, it could not rule out further discoveries.

“While Syniverse believes it has identified and adequately remediated the vulnerabilities that led to the incidents described above, there can be no guarantee that Syniverse will not uncover evidence of exfiltration or misuse of its data or IT systems from the May 2021 Incident, or that it will not experience a future cyber-attack leading to such consequences,” it said.

“Any such exfiltration could lead to the public disclosure or misappropriation of customer data, Syniverse’s trade secrets or other intellectual property, personal information of its employees, sensitive information of its customers, suppliers and vendors, or material financial and other information related to its business.”

It's unclear exactly what information the attackers would have gained access to with the EDT compromise, but it could theoretically include metadata or even the content of text messages, including one-time passcodes, which could unlock two-factor authentication-protected accounts.

The firm claims to process over 740 billion messages every year for 300+ global mobile operators.

An audacious supply chain raid like this bears the hallmarks of nation-state intelligence gathering or a highly organized cybercrime group.

Categories: Cyber Risk News

Facebook Blames Global Outage on Configuration Error

Tue, 10/05/2021 - 08:20

Facebook has apologized for a major global outage that left users unable to access the social network and other platforms for hours, blaming the incident on a configuration error.

The outage began at around 11.40 Eastern Time on Monday morning and lasted well into the evening of the same day — affecting not just Facebook and Messenger but Instagram and WhatsApp.

The recovery effort was also impacted as Facebook engineers found it difficult to access internal tooling which used the same internet infrastructure. Global staff were left high-and-dry for similar reasons.

The issue appears to have stemmed from a change to the firm’s Border Gateway Protocol (BGP) route advertisements. BGP is critical to the seamless functioning of the internet, allowing networks of addresses such as Facebook’s to advertise their presence to others.

“It's a mechanism to exchange routing information between autonomous systems (AS) on the internet,” explained Cloudflare in a technical blog about the incident.

“The big routers that make the internet work have huge, constantly updated lists of the possible routes that can be used to deliver every network packet to their final destinations. Without BGP, the internet routers wouldn't know what to do, and the internet wouldn't work.”
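To make the "lists of possible routes" concrete, the Python below is an added example for this article, not Cloudflare's or Facebook's code. It implements the two operations the quoted explanation rests on, longest-prefix match and announce/withdraw, over a constructed routing table: the prefixes are RFC 5737 documentation ranges and the next-hop labels and dependency addresses are invented. It also shows the cascade the article describes, where a tool that lives inside the withdrawn prefix becomes unreachable along with the service it was meant to repair.

```python
import ipaddress

# Constructed routing table: documentation prefixes (RFC 5737) and invented next-hop labels.
ROUTES = {
    "203.0.113.0/24": "AS64500 via peer-1",
    "203.0.113.0/25": "AS64500 via peer-2",   # more specific announcement of part of the /24
    "198.51.100.0/24": "AS64501 via peer-3",
}


class Rib:
    """A toy routing table: longest-prefix match, plus BGP-style announce and withdraw."""

    def __init__(self, routes):
        self.routes = {ipaddress.ip_network(p): nh for p, nh in routes.items()}

    def announce(self, prefix, nexthop):
        self.routes[ipaddress.ip_network(prefix)] = nexthop

    def withdraw(self, prefix):
        self.routes.pop(ipaddress.ip_network(prefix), None)

    def lookup(self, addr):
        """Return (prefix, next hop) for the most specific route covering addr, or None."""
        a = ipaddress.ip_address(addr)
        matches = [n for n in self.routes if a in n]
        if not matches:
            return None
        best = max(matches, key=lambda n: n.prefixlen)
        return str(best), self.routes[best]


def service_status(rib, dependencies):
    """Map each named dependency (name -> IP) to whether any route currently covers it."""
    return {name: rib.lookup(ip) is not None for name, ip in dependencies.items()}


if __name__ == "__main__":
    # invented dependency addresses, all inside the same advertised /24
    deps = {"dns": "203.0.113.10", "web": "203.0.113.200", "ops-tooling": "203.0.113.33"}
    rib = Rib(ROUTES)
    print("before:", service_status(rib, deps))
    rib.withdraw("203.0.113.0/25")
    print("after withdrawing /25:", rib.lookup("203.0.113.10"))   # falls back to the /24
    rib.withdraw("203.0.113.0/24")
    print("after withdrawing /24:", service_status(rib, deps))    # nothing in it is reachable
```

Withdrawing the more specific /25 is harmless because the covering /24 still matches; withdrawing the /24 as well leaves no route, and every address inside it, the ops tooling included, is unreachable from outside. That is why practitioners keep out-of-band management on a separately routed prefix, so a bad change to production advertisements cannot take the repair path down with it.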

Although some commentators had speculated foul play, the cause of the outage appears to be human error.

Vice president of infrastructure, Santosh Janardhan, said no user data was compromised and that the root cause of the issue was a “faulty configuration change.”

“Our engineering teams have learned that configuration changes on the backbone routers that coordinate network traffic between our datacenters caused issues that interrupted this communication. This disruption to network traffic had a cascading effect on the way our datacenters communicate, bringing our services to a halt,” he explained.

“People and businesses around the world rely on us every day to stay connected. We understand the impact outages like these have on people’s lives, and our responsibility to keep people informed about disruptions to our services. We apologize to all those affected, and we’re working to understand more about what happened today so we can continue to make our infrastructure more resilient.”

Categories: Cyber Risk News

Pandora Spills Secrets of Super Rich

Mon, 10/04/2021 - 19:17

The offshore assets of 35 current and former world leaders have been exposed in an unprecedented leak of financial records dubbed the Pandora Papers.

The cache of 11.9 million confidential files was leaked to the International Consortium of Investigative Journalists (ICIJ) in Washington, DC. Containing 2.94 terabytes of data, the Papers represent the largest trove of leaked offshore data in history.

According to the ICIJ, the papers offer “a sweeping look at an industry that helps the world’s ultra-wealthy, powerful government officials and other elites conceal trillions of dollars from tax authorities, prosecutors and others.”

More than 100 billionaires are featured in the files, which were derived from 14 offshore services firms from around the world, engaged by clients to set up offshore structures and trusts in tax havens such as the Cayman Islands, Panama, Dubai, Switzerland, and Monaco.

Exposed by the leak are the finances of more than 300 public officials such as government ministers, judges, mayors, and military generals in more than 90 countries. Also impacted are wealthy celebrities, musicians, and business leaders.

The ICIJ said that the leaked records have also uncovered the financial secrets of "a global lineup of fugitives, con artists and murderers."

For two years, more than 600 journalists at 150 news outlets have been reviewing the leaked files, which were shared by the ICIJ with media partners including the Guardian, BBC Panorama, Le Monde, and the Washington Post.

The Guardian wrote: "The Pandora papers reveal the inner workings of what is a shadow financial world, providing a rare window into the hidden operations of a global offshore economy that enables some of the world’s richest people to hide their wealth and in some cases pay little or no tax."

Information revealed in the leak includes the secret purchase through offshore companies of a $22 million chateau on the French Riviera by the Czech Republic’s billionaire prime minister, Andrej Babis, who styles himself as a man of the people. 

The papers also show that 14 luxury homes were secretly purchased for $106 million by King Abdullah II of Jordan, whose country relies on foreign aid to support its people. 

Categories: Cyber Risk News

DeepMind Technologies Sued Over Data Sharing

Mon, 10/04/2021 - 17:53

A law firm in the United Kingdom is suing Google's artificial intelligence (AI) subsidiary DeepMind Technologies over an alleged breach of data protection laws. 

Mishcon de Reya is bringing a representative suit against DeepMind pertaining to the company’s data-sharing deal with the Royal Free London National Health Service (NHS) Foundation Trust.

A five-year partnership between the Trust and DeepMind was announced in 2015 to "build on the successful year-long joint project to build a smartphone app called Streams, which alerts clinical teams as soon as test results show that a patient is at risk of developing acute kidney injury."

The Jurist reports that "when the data-sharing agreement was made public, it was revealed that DeepMind was gaining access to a wide-ranging scope of data including admissions, discharge and transfer, accidents, emergencies, critical care, pathology and radiology data." 

In July 2017, the Information Commissioner’s Office (ICO) ruled the Royal Free NHS Foundation Trust failed to comply with the Data Protection Act when it provided patient details to DeepMind.

"The Trust provided personal data of around 1.6 million patients as part of a trial to test an alert, diagnosis and detection system for acute kidney injury," said the UK data protection regulator.

"But an ICO investigation found several shortcomings in how the data was handled, including that patients were not adequately informed that their data would be used as part of the test."

On September 30, Mishcon de Reya announced that it was bringing an action against DeepMind "on behalf of Mr Andrew Prismall and the approximately 1.6 million individuals whose confidential medical records were obtained by Google and DeepMind Technologies in breach of data protection laws."

Mr. Prismall said: “Given the very positive experience of the NHS that I have always had during my various treatments, I was greatly concerned to find that a tech giant had ended up with my confidential medical records.”

Lawyer Ananaya Agrawal wrote in The Jurist that Mishcon’s representative suit resembles a class-action lawsuit in the United States and “will have important ramifications for large-scale access and use of health data by tech companies in a post-pandemic, post-Brexit UK.”

Categories: Cyber Risk News

Facebook Whistleblower to Testify Before Senate

Mon, 10/04/2021 - 16:37

A former Facebook employee is to appear before a US Senate subcommittee tomorrow after blowing the whistle on the company's alleged prioritization of profit above user welfare. 

Frances Haugen, a 37-year-old data scientist from Iowa, revealed yesterday that it was she who leaked internal research carried out by Facebook to the Wall Street Journal. This research formed the basis of an investigative series named The Facebook Files, which the Journal has been reporting for the past three weeks.

Among the claims made by the Journal are that Facebook identified negative effects that its platform was having upon its users but didn't take any action to fix the problems. 

It is further alleged that while claiming to treat all its users equally, Facebook allowed certain high-profile users to post content including harassment and incitement to violence.

Haugen, who has a degree in computer engineering and a Harvard master’s degree in business, held positions at Google, Yelp, and Pinterest prior to working for Facebook for two years as a product manager on the company's civic misinformation team. Before quitting her job in May, she copied a trove of internal company memos and documents. 

“I’ve seen a bunch of social networks and it was substantially worse at Facebook than anything I’d seen before," Haugen told CBS.

Speaking on a 60 Minutes episode that aired Sunday, Haugen said: “The thing I saw at Facebook over and over again was there were conflicts of interest between what was good for the public and what was good for Facebook. And Facebook, over and over again, chose to optimize for its own interests, like making more money.”

She added: “The version of Facebook that exists today is tearing our societies apart and causing ethnic violence around the world.”

Following Haugen’s disclosures, two members of the European Parliament have called for an investigation to be launched into the social media company. 

"We need to regulate the whole system and the business model that favors disinformation and violence over factual content – and enables its rapid dissemination," said European Parliament lawmaker Alexandra Geese.

On October 5, Haugen will testify before a Senate subcommittee in a hearing on Facebook’s research into Instagram’s effect on the mental health of young people.

Categories: Cyber Risk News

Prolific Ransomware Operators Arrested in Joint Law Enforcement Action

Mon, 10/04/2021 - 14:52

A coordinated law enforcement action has led to the arrest of two “prolific ransomware operators” in Ukraine, Europol has revealed.

The strike was undertaken between the French National Gendarmerie, the Ukrainian National Police and the United States Federal Bureau of Investigation (FBI) in conjunction with Europol and INTERPOL on September 28. While neither the individuals nor the gang they allegedly belong to were named, Europol said they were “known for their extortionate ransom demands (between €5m and €70m).”

The group is believed to have targeted numerous “very large industrial groups in Europe and North America” since April 2020. They are also renowned for their ‘double extortion’ tactics, deploying malware and stealing sensitive data from their victims in addition to encrypting their files. They would then demand a large ransom payment under threat of leaking the stolen data on the dark web.

The Ukrainian authorities stated that the suspects were responsible for attacks against over 100 worldwide organizations, causing more than $150 million in damages.

As well as the two arrests, the joint law enforcement action resulted in seven property searches, seizure of $375,000 in cash, seizure of two luxury vehicles worth €217,000 and asset freezing of $1.3m in cryptocurrencies.

Europol helped bring together law enforcement agencies to establish a joint strategy, including creating a virtual command post. The operation involved six investigators from French Gendarmerie, four from the US FBI, a prosecutor from the French Prosecution Office of Paris, two specialists from Europol’s European Cybercrime Centre (EC3) and one INTERPOL officer to work alongside the Ukrainian National Police.

Providing further insights into the tactics used by the ransomware operators, Stefano De Blasi, threat researcher at Digital Shadows, said: “The suspects reportedly compromised their victims via spear-phishing campaigns and by targeting remote working tools such as remote desktop protocol (RDP) and virtual private networks (VPN). This observation highlights how social engineering remains a vital access vector for threat actors, as human curiosity is often exploited to bypass technological defences. Additionally, the use of RDP and VPN to compromise organizations suggests that the suspects have likely gained access to victims by purchasing initial access broker (IAB) listings on cyber-criminal forums and marketplaces.”

He added: “Europol also stated that the operation resulted in $1.3m being frozen within the group’s seized crypto wallets. Ukrainian police stated that the suspects had an accomplice who helped the group launder money gained from illicit means. The use of individuals skilled in laundering money has been a significant factor in the development of ransomware groups into an effective criminal business model. Although law enforcement agencies have not named the ransomware gang behind this operation, it is unclear what extent the operation will have on the group in question, or on the wider ransomware ecosystem.

“While solitary operations will not provide a remediation to the ransomware threat overnight, law enforcement operations can have a significant impact to targeted ransomware groups, often resulting in a suspension or disruption of their activity. These raids can achieve their greatest potential when paired with diplomatic efforts, innovative policies and effective public-private partnerships.”

Categories: Cyber Risk News

Ex-Army Technician Gets 12 Years for Role in Fraud Scheme

Mon, 10/04/2021 - 09:05

A former US army contractor has been sentenced to more than 12 years behind bars after pleading guilty to helping defraud thousands of military service members, veterans and their families.

Fredrick Brown, 40, of Las Vegas, was sentenced for one count of conspiracy to commit wire fraud and one count of conspiracy to commit money laundering, following a guilty plea nearly two years ago.

As a civilian medical records technician and administrator at the US army’s 65th Medical Brigade, Yongsan Garrison, he admitted to stealing the personal information of thousands of military staff, including by taking screenshots of his computer while logged into medical databases.

These details — which included names, social security numbers, military ID numbers, dates of birth and contact information — were then sent to Philippines-based co-defendant Robert Wayne Boling Jr. 

In concert with others, Boling is accused of using the information to access Pentagon and Veterans Affairs benefits sites to steal millions of dollars.

The fraud scheme targeted around 3,300 victims, including eight general officers and many disabled veterans, who were singled out because of the more considerable service-related benefits they received. In total, these individuals lost around $1.5m due to the plot, it’s claimed.

Brown has also been ordered to pay over $2.3m in restitution and will be placed on supervised release for three years after completing his prison term.

Another co-defendant, Trorice Crawford, 34, of San Diego, was last year sentenced to 46 months in federal prison for his role in the scheme — which was to recruit money mules to help launder the funds.

“The defendant brazenly preyed on and victimized US service members and veterans, many of whom were disabled and elderly,” said US attorney Ashley Hoff for the Western District of Texas.

“As part of our mission, we strive to protect these honorable men and women from fraud and abuse. If fraudsters target our service members and veterans, we will seek to identify them and hold them accountable. This office will continue to zealously investigate and prosecute perpetrators of these schemes.”

Categories: Cyber Risk News

Coinbase Attackers Bypassed Account Authentication

Mon, 10/04/2021 - 08:36

US cryptocurrency exchange Coinbase is facing a backlash from its users after notifying them that at least 6,000 customers had their funds stolen by hackers.

The “third-party campaign” took place between March and May 20, 2021.

“In order to access your Coinbase account, these third parties first needed prior knowledge of the email address, password, and phone number associated with your Coinbase account, as well as access to your personal email inbox,” the firm explained in a breach notification letter.

“While we are not able to determine conclusively how these third parties gained access to this information, this type of campaign typically involves phishing attacks or other social engineering techniques to trick a victim into unknowingly disclosing login credentials to a bad actor. We have not found any evidence that these third parties obtained this information from Coinbase itself.”

However, while Coinbase does not appear to have been responsible for the initial data leak, which enabled the first stage of the attack, a crucial flaw in its authentication process was to blame for the unauthorized account access.

“Even with the information described above, additional authentication is required in order to access your Coinbase account,” it continued.

“However, in this incident, for customers who use SMS texts for two-factor authentication, the third party took advantage of a flaw in Coinbase’s SMS Account Recovery process in order to receive an SMS two-factor authentication token and gain access to your account.”

Coinbase, the world’s second-largest cryptocurrency exchange with tens of millions of global users, said it would reimburse customers the full value of their losses. The firm has also updated its SMS Account Recovery protocols to ensure authentication can’t be bypassed in a similar way in the future.

However, it warned that, while inside the hacked accounts, the unauthorized third parties would have had access to personal details and could potentially have changed them. These details include full name, email and home address, date of birth, IP addresses for account activity, transaction history, account holdings and balance.

This isn’t the first time Coinbase has been in the news following a security breach. In 2019 it was forced to halt trading of Ethereum Classic (ETC) after spotting “double spend” attacks totalling more than $1m.

Hacked Coinbase accounts are said to be worth as much as $610 apiece on the cybercrime underground.

Categories: Cyber Risk News

UK's National Cyber Force Heads to the Northwest

Mon, 10/04/2021 - 08:16

The government has released more details about a planned National Cyber Force (NCF), confirming that it will be located in the northwest village of Samlesbury.

First mooted in 2018, the new facility will form the hub of the UK’s offensive cyber capabilities, drawing personnel from GCHQ, the Ministry of Defence, MI6 and the Defence Science and Technology Laboratory (DSTL).

“The National Cyber Force will help confront aggressive behavior from malign actors, and demonstrate that Britain is investing in next-generation defense capability to protect our people and help our friends counter cyber-threats. It sends a powerful message to our allies and adversaries alike,” said foreign secretary, Liz Truss.

The move is part of the ruling Conservative Party’s efforts to shift more public sector jobs out of London in an attempt to appeal to its newfound voter base in the north.

Situated between Blackburn and Preston, Samlesbury has little to its name save for a 14th-century country house, a BAE Systems aircraft factory and a brewery.

The government was at pains to point out that any offensive activities it carries out from the new National Cyber Force would be done in a “legal, ethical and proportionate” manner to disrupt hostile states, terrorists and criminals threatening the UK’s national security.

It claimed to be a world leader in such matters, with GCHQ having pioneered techniques to break ISIS propaganda networks.

The hub has been in operation since April 2020 and is reportedly expected to receive more than £5bn in funding before 2030, highlighting the strategic importance the government attaches to it.

The announcement follows the opening of a GCHQ facility in Manchester, which the government is positioning as the ‘cyber center’ of the UK. It claimed more than 15% of the city’s population now works in the “digital, creative and technology sector.”

Categories: Cyber Risk News