Info Security


MoviePass Operators Settle Data Security Allegations

Tue, 06/08/2021 - 17:57

The operators of subscription service MoviePass have agreed to settle Federal Trade Commission allegations of fraud and data security failures. 

It is alleged that MoviePass used an elaborate three-prong approach to prevent and discourage subscribers from using its $9.95 "one movie a day" monthly subscription service as advertised.

First, according to the FTC complaint, the company blocked as many as 75,000 subscribers from accessing content by purposefully invalidating their passwords. 

The FTC said: "MoviePass’s operators invalidated subscriber passwords while falsely claiming to have detected 'suspicious activity or potential fraud' on the accounts. MoviePass's operators did this even though some of its own executives raised questions about the scheme."

Their next alleged tactic was to create a time-sensitive ticket verification program that discouraged thousands of subscribers from using the service. 

"This program required subscribers to take and submit pictures of their physical movie ticket stubs for approval through the MoviePass app within a certain timeframe," said the FTC.

"Subscribers who failed to submit their tickets could not view future movies and could have their subscriptions canceled if they failed to verify their tickets more than once."

Finally, MoviePass’s operators allegedly set “trip wires” to block set groups of subscribers from using the service after they collectively hit certain thresholds based on their monthly cost to the company. The FTC alleges that this tactic was used against subscribers who typically watched three or more movies per month.

The operators of the now defunct app were further accused of storing the personal information the company collected from subscribers in plain text and allowing unrestricted access to customers' names, email addresses, birth dates, credit card numbers, and geolocation information.

In August 2019, MoviePass confirmed that it suffered a data breach that may have exposed customer credit card numbers.

MoviePass Inc., which was founded in 2011 and headquartered in New York City, shuttered its mobile ticketing service in 2019. In January 2020, its parent company Helios and Matheson Analytics, Inc., filed for bankruptcy.

Under the proposed settlement, MoviePass, Helios, former MoviePass CEO Mitchell Lowe, and former Helios CEO Theodore Farnsworth will be barred from misrepresenting their business and data security practices.

The order also states that any businesses controlled by MoviePass, Helios, or Lowe must implement comprehensive information security programs.

Categories: Cyber Risk News

Cyber-attack on NYC Law Department

Tue, 06/08/2021 - 17:35

An intrusion into the IT system of the New York City Law Department is being co-investigated by the New York Police Department and the FBI’s Cyber Task Force.

The hack was first reported by The Daily News, which learned that sensitive information belonging to more than a thousand department employees may have been exposed in the security incident.

After discovering the intrusion, the city restricted access to the system, preventing government lawyers from accessing documents.

On June 7, the city government confirmed that it was examining “unauthorized access within the NYC Law Department’s IT environment.”

In a statement released Monday, Laura Feyer, a spokesperson for Mayor Bill de Blasio, told The Daily News that “the City’s Cyber Command" had "promptly launched an investigation into the matter.”

Feyer added: “As the investigation remains ongoing, the City has taken additional steps to maintain security, including limiting access to the Law Department’s network at this time.”

The New York City Law Department is staffed by approximately 1,000 lawyers and 890 support professionals. 

Mayor de Blasio said last night that investigators were yet to find any evidence that data belonging to the Law Department had been “compromised” in the attack.

“We’re still tracking down exactly who was behind it,” he told NY1. “So far, we believe the defenses have held.”

News of the intrusion came to light on Monday morning when The Daily News discovered that a city lawyer had cited technical problems when filing a request to extend a case due to be heard in Manhattan federal court by one week.

“The Law Department has been experiencing a connectivity issue since yesterday, and, as a result, no one is currently able to log on to the Law Department’s computer system,” city attorney Katherine Weall wrote to Judge P. Kevin Castel.

“I am therefore unable to access and file the answer I have drafted in this case, which is due today,” she added.

Nicholas Paolucci, a Law Department spokesperson, said the agency was taking steps “to ensure there was minimal impact to cases.”

The incident comes just days after Metropolitan Transportation Authority officials revealed that at least three of the agency's 18 database systems had been accessed by hackers.

Categories: Cyber Risk News

Illinois County Stricken with Grief

Tue, 06/08/2021 - 16:06

A new organized cybercrime group claims to have stolen sensitive data belonging to a county in Illinois. 

St. Clair County disabled its website on June 2 out of “an abundance of caution” after suffering a cyber-attack. Ransomware gang Grief has claimed responsibility for the digital assault.  

Because of the incident, several county services were rendered unavailable from May 28, including access to court records and payment for ticket fees. 

The county jail's network was also impacted, with one woman telling 5 On Your Side that her partner was held past his release date because of the cyber-attack.

"I keep being told that the jail is on lockdown because there has been a system failure since last Saturday, and I want to know what's going on," said the anonymous woman. "Nobody can get released. Nobody can post bond. They can't check out any information." 

County Information Technology Director Jeff Sandusky said: “Beginning around May 28, St. Clair County became aware of a cybersecurity incident involving our computer systems.

"We immediately responded to secure our systems and commence an investigation into the nature and scope of the incident." 

The county notified appropriate law enforcement authorities of the incident and said it has been "working diligently with industry-leading third-party cybersecurity specialists to investigate the source of this disruption and confirm the impact on our systems."

Sandusky added that the county has dedicated substantial resources to gauging the attack's full scope and will provide relevant updates as the findings emerge. 

The county's website was restored by June 4, but some services remain unavailable.

Grief is an emerging ransomware group, which claims to have swiped data from at least five entities, including Mobile County, Alabama, and HDHC Home Decor. 

Screenshots of the group’s website in the TOR network show the group claims to have purloined 2.5 gigabytes of data from St. Clair. Internal company documents and personal and customer information are among the allegedly stolen data.

Grief emerged at around the same time as another new ransomware gang, Prometheus, which claims to have ties to REvil. 

Categories: Cyber Risk News

CISA and Bugcrowd to Launch Federal Crowdsourced VDP Platform

Tue, 06/08/2021 - 15:38

The Cybersecurity and Infrastructure Security Agency (CISA) has partnered with Bugcrowd to launch the first ever federal civilian enterprise-wide crowdsourced vulnerability disclosure policy (VDP) platform.

The move will allow Federal Civilian Executive Branch (FCEB) agencies to coordinate with the civilian hacker community about vulnerabilities in their critical systems. FCEB agencies will now be able to receive security feedback from Bugcrowd’s community of ethical hackers around the world, helping them quickly identify and monitor vulnerabilities in their critical systems.

The collaboration follows the publication of the Binding Operational Directive (BOD) 20-01 in September last year. This directive mandates all FCEB agencies to develop and publish a VDP “for purposes of safeguarding federal information and information systems.”   

Bugcrowd and CISA will work with Endyna, a government contractor that provides technology-based solutions, to deliver the VDP platform. Endyna will provide a software-as-a-service (SaaS) component of CISA’s VDP platform, and has been awarded a one-year contract with four option years.

In addition to the CISA-funded VDP platform, the initiative will allow FCEB agencies to create their own bug bounty programs with Bugcrowd and Endyna as part of any new digital transformation strategies they undertake.

Ashish Gupta, CEO and president of Bugcrowd, commented: “As seen in the commercial and defense sectors, crowdsourced cybersecurity and vulnerability disclosure programs are a critical safeguard in helping reduce the risk of breach.

“The need for cyber resilience and risk management is unprecedented in today’s digitally connected world and the partnership between CISA and Bugcrowd provides the most powerful crowdsourced cybersecurity platform solution to address the government’s growing need for contextually intelligent security assessments to protect its vast attack surface. We are honored to be the first crowdsourced cybersecurity vendor to work with CISA on an FCEB-wide proactive defense strategy through our VDP solution.”

Ashok Siddhanti, CEO of Endyna, stated: “We are firmly committed to enhancing government defenses and improving security operations across network infrastructures.

“Our fundamental goal is to radically improve the FCEB’s ability to detect and remediate security gaps within these respective agencies’ digital infrastructures, and we look forward to working with Bugcrowd to advance government security.”

Categories: Cyber Risk News

#Infosec21: Cybersecurity to Become a "Matter of Life and Death"

Tue, 06/08/2021 - 15:26

The internet is both “the best and worst innovation of our time,” and as reliance on it grows, our ability to secure it could become a matter of life and death. This is according to Mikko Hypponen, researcher at F-Secure, speaking during the keynote session on Day 1 of the Infosecurity Europe virtual conference.

Hypponen firstly outlined how threat actors have changed significantly since he started working in the industry in 1991. Back then, “viruses and other kinds of malware we were finding were all written by teenage boys,” just for fun. At that point he could never have envisioned today’s scenario, in which the main threat actors are highly sophisticated organized crime groups and governments.

This change has been brought about by the internet revolution, according to Hypponen. He noted that the “first wave” of this, in which all computers came online, is now over, and that we are currently in the midst of the second, in which “everything else” becomes connected. This includes smart devices and, even more significantly, devices that don’t even require an internet connection, such as kitchen radios, which will be connected purely so that manufacturers can obtain diagnostic information.

Hypponen believes that as this process carries on, and more areas become interconnected, the internet will become as essential to society as electricity is today. “When technology is useful enough, we can’t live without it,” he commented. He observed that, currently, internet outages are an inconvenience but generally not a matter of life and death. However, Hypponen expects it will reach this status within the next 20-30 years. “If your network cuts out it is going to be just as bad as getting your power cut,” he said, adding that in fact one day “when we have an internet outage, it’s going to cut power.”

In this landscape, the challenge for the cybersecurity industry “is to make sure the connectivity stays online regardless of the attacks that might be launched against it.” This is going to be very difficult – Hypponen highlighted how the internet has become a major vehicle for cybercrime and other malicious activities in recent years. Preventing these is to some extent a thankless task for cybersecurity professionals, with no credit given for stopping attacks, while failure to prevent incidents is highly visible.

Hypponen went on to describe the changing threat landscape since the start of the COVID-19 pandemic. Many organizations that have shifted to remote working are now far more vulnerable to being breached, largely because a substantial number of corporate file servers have moved from internal networks to the public internet and are “only protected by usernames and passwords.”

Another trend he observed is that there has been a sharp rise in attacks on healthcare organizations over the past 15 months, including hospitals, clinics and research facilities. Previously, Hypponen didn’t see these types of bodies as prime targets for cyber-criminals, as they were not particularly lucrative compared to other sectors such as finance. This appears to be changing, with institutions like hospitals viewed by many threat actors as more likely to pay ransoms when their systems are encrypted or medical data stolen.

The last year or so has also seen the rise of double extortion ransomware attacks, also known as ransomware 2.0, where in addition to locking systems, malicious actors steal data and threaten to release it if a fee is not paid. This tactic has proved very successful, according to Hypponen, who gave the example of the Maze ransomware gang, which reportedly retired from operating in October 2020 as a result of the financial gain they have made from their attacks. He commented: “This is exactly what we don’t want to happen – we don’t want high tech lowlifes to be successful,” and encourage more people to go down this pathway.

Another area discussed in Hypponen’s address was supply chain attacks, which he said was particularly favored by nation-state actors, “looking for very specific victims” for espionage purposes. Unlike cyber-criminals, these actors will not deviate from their target if it becomes difficult to get into a system, and will therefore look for alternative routes, as demonstrated by the recent SolarWinds incident.

The root cause of these kinds of attack vectors “is always either a technical problem or a human problem,” noted Hypponen. While technical problems, such as unpatched servers, can be solved, albeit with difficulty, human error, like falling for phishing scams, is another matter. He stated: “There’s no patch for human brains.”

In Hypponen’s view, the solution is to become less reliant on humans in cybersecurity in general. For example, he believes machine learning will in future be used to write code, removing the need for human programmers. “When we have advanced, powerful systems writing all the code around us, there will be less bugs, which means there will be less vulnerabilities,” he outlined.

On the flip side, one day we could see machine learning used by malicious actors to write malware. However, Hypponen noted that there is research being undertaken today looking at how this potential threat can be mitigated.

Concluding, Hypponen said that his 30-year career in cyber had demonstrated to him “how hard it is to forecast the future.” He added that we are living in an age of technological revolution and these advances are both the best and worst thing to happen in our lifetime.

Categories: Cyber Risk News

Large Parts of Internet Offline Today Following Cloud Provider Issue

Tue, 06/08/2021 - 11:48

Large parts of the internet were temporarily offline today, including Amazon, Reddit and Twitch, it has been reported. Other significant organizations whose websites were affected by the incident included media outlets the Financial Times, The Guardian and New York Times and the UK’s When users attempted to enter these websites, they were met with messages like “Error 503 Service Unavailable” and “connection failure.”

Experts have traced the issue to a Fastly content delivery network (CDN) failure, which underpins many major websites. Fastly is a cloud computing services provider that runs an “edge cloud” designed to speed up loading times for websites, protect them from denial-of-service attacks and help them deal with bursts of traffic.

The Guardian reported that the outage started at around 11 am BST, lasting for approximately 30 minutes.

While the failure brought some websites down entirely, specific sections of other services were also affected. These include the servers on Twitter that host the social network’s emojis.

The affected websites now appear to be back online, and at around 12:10 BST, Fastly tweeted: “We identified a service configuration that triggered disruptions across our POPs globally and have disabled that configuration. Our global network is coming back online.” The company has also provided continuous updates about the issue on its service status pages.

Security experts were quick to express their concerns about the failure in Fastly’s system, as it highlights the reliance many organizations have on CDN infrastructure for the running of their websites and may provide opportunities for cyber-criminals to strike. Michael Barragry, operations lead and security consultant at edgescan, commented: “CDNs have become ubiquitous in today’s web. Although they are primarily used to ensure smooth delivery of resources so that websites can perform optimally, they also often supply additional security features such as WAF-like traffic filtering and DDoS protection.

“The exact nature of this “issue” is unclear, but given how vast the impact appears to be, it looks to have transcended any failover or redundancies that were in place. This outage could also represent a window of opportunity for further attacks – especially against those sites which have an over-dependence upon CDN infrastructure for their security. Additional independent security layers should be used where appropriate to ensure that no single point of failure is present.”

Sergio Loureiro, cloud security director at Outpost24, said: “We have yet to gain insights into what exactly led to this global outage. Based on the Fastly status pages, all their content delivery systems are affected by this issue. This global outage that affects many high-profile companies does highlight the dependency we have on cloud services and their availability. This directly impacts many businesses, including for example Reddit, whose entire business is based around their website.”

Categories: Cyber Risk News

Evil Corp Rebrands Ransomware to Escape Sanctions

Tue, 06/08/2021 - 10:58

Threat actors behind a notorious Russian cybercrime group appear to have rebranded their ransomware once again in a bid to escape US sanctions prohibiting victims from paying them.

Experts took to Twitter to point out that a leak site previously run by the Babuk group, which famously attacked Washington DC’s Metropolitan Police Department (MPD), had rebranded to “PayloadBin.” The Babuk group claimed that it was shutting down its affiliate model for encrypting victims and moving to a new model back in April.

A ‘new’ ransomware variant with the same name has also been doing the rounds of late, but according to Emsisoft CTO Fabian Wosar, it’s nothing more than a copycat effort by Evil Corp.

“Looks like EvilCorp is trying to pass off as Babuk this time. As Babuk releases their PayloadBin leak portal, EvilCorp rebrands WastedLocker once again as PayloadBin in an attempt to trick victims into violating OFAC regulations,” he said.

If that’s correct, it would appear to be the latest in a long line of rebranding by the group from its original BitPaymer effort in a bid to circumvent US sanctions.

Michael Gillespie, the creator of the ID Ransomware service, explained that aside from WastedLocker, the group has used “Hades” and “Phoenix” as new names for the same malware.

Wosar said it was easy to identify the same underlying code in all of those ‘variants.’

“EvilCorp malware sticks out like a sore thumb simply because of the obfuscator they use,” he tweeted. “But the cryptographic scheme is identical, encrypted file format is identical, MO is identical, configuration format is identical, the list goes on and on.”

The group was placed on the US Treasury’s Office of Foreign Assets Control (OFAC) sanctions list in December 2019 after being accused of using the Dridex banking Trojan to steal over $100 million globally.

That meant corporate victims were effectively prohibited from paying the group a ransom or risk themselves being accused of breaking sanctions.

Mitch Mellard, a threat intelligence analyst at Talion, argued that rebranding could be widespread in the underground economy.

“I feel that this situation is somewhat of an indictment of ransomware insurance as a whole. We have reached the point where instead of blanket condemnation of paying ransoms across the board, two lists of criminals have been created,” he added.

“The first list is comprised of actors who have achieved such renown that paying them is actually treated as ... paying criminals. The second list is, by nature of its contents, also entirely criminals, but those who it is somehow acceptable to reward monetarily for their illegal activities.”

Categories: Cyber Risk News

French Antitrust Regulator Slaps $268 Million Fine on Google

Tue, 06/08/2021 - 09:52

The French antitrust regulator has fined Google €220 million ($268 million) for abusing its dominant position in the online advertising market.

The fine, which Google has not disputed, was levied because the tech giant favored its own Google Ad Manager technologies.

This put competitors — such as publishers News Corp, Le Figaro group and the Rossel La Voix group, who brought the initial complaint — at a disadvantage, according to the Autorité de la concurrence.

The proprietary technologies in question were the DFP ad server — which allows site and app publishers to sell their advertising space — and the SSP AdX sales platform — which enables publishers to sell impressions to advertisers.

Autorité de la concurrence president, Isabelle de Silva, argued that this investigation was the first to look into the algorithmic processes by which online display advertising works.

“The particularly rapid investigation revealed processes by which Google, building on its considerable dominance in ad servers for websites and applications, outperformed its competitors on both ad servers and SSP platforms,” she added.

“These very serious practices penalized competition in the emerging online advertising market, and allowed Google not only to maintain but also to increase its dominant position. This sanction and these commitments will make it possible to re-establish a level playing field for all players, and the ability for publishers to make the most of their advertising space.”

Google France legal director, Maria Gomri, said the firm had “agreed on a set of commitments to make it easier for publishers to make use of data and use our tools with other ad technologies.”

These will be tested and developed over the coming months, with some changes set to be rolled out globally, she added.

Google has been on the receiving end of multiple fines in Europe over recent years, most notably a $1.7 billion antitrust penalty from the European Commission in 2019 — again for abusing its dominant position in the online advertising market.

The tech behemoth was also one of the first to receive a major GDPR fine, when the French regulator CNIL imposed a €50 million penalty for failing to notify users about how their data is used.

Categories: Cyber Risk News

DoJ Seizes Millions in Ransom Paid by Colonial Pipeline to Darkside Hackers

Tue, 06/08/2021 - 08:32

The US authorities have scored a rare win in the fight against ransomware after claiming to have seized the majority of the funds paid to Russian ransomware hackers by Colonial Pipeline.

The Department of Justice (DoJ) announced on Monday that it had been able to track and access 63.7 out of the 75 Bitcoins paid by the East Coast fuel transportation company to the DarkSide gang. That amounts to roughly $2.3 million of the $4.4 million reportedly paid to the extorters.

The news is a coup for the newly launched DoJ Ransomware and Digital Extortion Task Force, which coordinated the operation.

Law enforcers were apparently able to review the public Bitcoin ledger and track the transfers to a specific address, for which the FBI had a private key, enabling it to access and seize the funds.

Deputy attorney general, Lisa Monaco, argued that “following the money” is still one of the most powerful tools investigators have in tracking down and disrupting cybercrime.

“Ransom payments are the fuel that propels the digital extortion engine, and today’s announcement demonstrates that the United States will use all available tools to make these attacks more costly and less profitable for criminal enterprises,” she added.

“We will continue to target the entire ransomware ecosystem to disrupt and deter these attacks. Today’s announcements also demonstrate the value of early notification to law enforcement; we thank Colonial Pipeline for quickly notifying the FBI when they learned that they were targeted by DarkSide.”

Experts welcomed the news.

“It has become clear that we need to use several tools to stem the tide of this serious problem, and even law enforcement agencies need to broaden their approach beyond building cases against criminals who may be beyond the grasp of the law,” argued John Hultquist, VP of analysis at Mandiant Threat Intelligence.

“In addition to the immediate benefits of this approach, a stronger focus on disruption may disincentivize this behavior, which is growing in a vicious cycle.”

Categories: Cyber Risk News

Hacker Group Gunning for Musk

Mon, 06/07/2021 - 18:19

A hacking group has released a video slamming self-proclaimed Martian Emperor Elon Reeve Musk for his alleged callousness over the impact his cryptocurrency vacillations may have had upon the fortunes of the average working person.

Anonymous accuses the billionaire Tesla CEO and SpaceX founder, CEO, and chief engineer of using his immense wealth and influence to toy with cryptocurrency markets with no regard for how others might be affected.

"The games you have played with the crypto markets have destroyed lives," said the group in their latest video.

Musk’s messages on social media have had a major impact on the cryptocurrency market. In March, a few weeks after Tesla revealed it had bought $1.5bn of Bitcoin, the electric carmaker said that it would accept the cryptocurrency as payment.

Two months later, Musk sent the price of the world's biggest cryptocurrency tumbling by around 15% after tweeting that Tesla had suspended vehicle purchases using Bitcoin due to concerns over the cryptocurrency's environmental impact.  

Musk, whose family formerly owned half an emerald mine in Zambia, tweeted: "We are concerned about rapidly increasing use of fossil fuels for Bitcoin mining and transactions, especially coal, which has the worst emissions of any fuel."

The billionaire, whose fortune The Times alleged is fueled by children working in dangerous lithium mines, added: "Cryptocurrency is a good idea on many levels and we believe it has a promising future, but this cannot come at great cost to the environment."

In their latest video, Anonymous claims that Musk's "carefully created public image is being exposed." Citing allegations that Tesla risks the health and safety of its employees in pursuit of ever-greater profits, the hacking group claims Musk's interest in climate change is not founded in concern for humanity but instead stems from "a superiority and savior complex."

Anonymous goes on to claim that Tesla makes most of its money not by selling cars, but via government subsidies. 

"Tesla has also made more money holding Bitcoin for a few months than they did in years of selling cars," said the hackers, before alleging that Tesla bought its Bitcoin with government subsidies. 

Categories: Cyber Risk News

CloudQuest Acquired by Deloitte

Mon, 06/07/2021 - 16:43

Deloitte Touche Tohmatsu Limited today announced its acquisition of CloudQuest, a cloud security posture management (CSPM) provider based in Cupertino, California. 

Multinational professional services network Deloitte said that the deal will bolster its current cloud cybersecurity offerings with CloudQuest's cloud-native security capabilities "to more seamlessly manage security workflows, reduce risk and improve data security."

Vikram Kunchala, Deloitte risk & financial advisory cyber cloud leader and principal, Deloitte & Touche LLP, said that the Covid-19 pandemic had not delayed the adoption of cloud technologies. 

"While the global pandemic slowed some things, it didn't slow cloud migration or cloud reliance for the vast majority of organizations," said Kunchala.

"As organizations work to build or advance their security postures for cloud or hybrid-cloud environments, we're expanding and diversifying our services and solutions portfolio to help our clients continuously monitor, prevent and remediate security threats."

Bolting on CloudQuest's business will allow Deloitte to continue to expand its portfolio of cloud security orchestration, automation and response (SOAR) services and solutions. 

"We see incredible opportunity in novel approaches that help organizations securely transform and operate while also realizing competitive advantage," said Deborah Golden, Deloitte risk & financial advisory cyber and strategic risk leader and principal, Deloitte & Touche LLP, "and we're continually investing to bring the most innovative solutions to our clients.

"Our acquisition of CloudQuest represents our profound commitment to transforming alongside our clients, competing vigorously in the market, and aggressively building out tech-enabled approaches that position Deloitte cyber as an unquestionable business enabler."

Financial terms of the deal were not disclosed. CloudQuest is Deloitte's second cyber acquisition in 2021, preceded by cyber-threat hunting firm Root9B, LLC (R9B).

CloudQuest CEO Vijay Sarathy, who co-founded the company in 2017, said: "Joining Deloitte will enable us to expand our capabilities, helping organizations protect against the next generation of security threats, promote continued innovation and agility, and foster more efficient cloud security capabilities. 

"This new chapter is one that my co-founders Ramesh Menon, Nishan Sathyanarayan and I always hoped to achieve, as we worked to help those in the cloud accelerate their cybersecurity efforts." 

Categories: Cyber Risk News

California City Hid Cyber-attack

Mon, 06/07/2021 - 15:58

A California city whose police department recently revealed it had been victimized by cyber-criminals has now acknowledged it suffered an earlier cyber-attack in 2018.

Azusa's 63-officer police department was targeted by the DoppelPaymer ransomware gang late last winter. The attack was kept secret while officials worked with the FBI, Los Angeles County Sheriff’s Department, and ransomware consultants to try to retrieve hundreds of highly sensitive files encrypted in the incident. 

In April, a stash of the department's documents was leaked online after the city elected not to pay the ransom demanded by the gang. Among the information leaked were criminal case files and payroll data containing Social Security numbers, driver’s license numbers, medical information, and financial account information.

The city finally publicly acknowledged the hack on May 27 to coincide with the start of Memorial Day weekend, when America's attention typically flits away from the news cycle and toward outdoor social activities and honoring the fallen. 

Azusa PD issued a “notification of data security breach” stating that it had been hit by a “sophisticated ransomware attack” and that "certain Azusa Police information was acquired by the unauthorized individual."

Now the city has said that it was attacked with ransomware by another unnamed cyber-criminal organization in the fall of 2018. Azusa City Manager Sergio Gonzalez said that the city’s insurers, Chubb, paid $65,000 to regain control of 10 data servers at the police department that were taken over by the hackers for more than a week.

“We were able to unlock one server after the ransom was paid but immediately after found a free key to unlock all other locked servers,” Gonzalez said in an email. 

“No information was compromised. Our servers were just locked."

Gonzalez said that the 2018 attack had not been reported because an investigation had determined that no data had been exposed in the incident. 

"We verified with forensic experts that no data was compromised," wrote Gonzalez. "That’s essentially why we did not and were not required to report it (publicly).”

Whittier Daily News reports that the 2018 attack began when a city employee opened an email and clicked on a malicious link. 

Categories: Cyber Risk News

Google's FLoC: Privacy Gone Amok?

Mon, 06/07/2021 - 15:57
Google's FLoC: Privacy Gone Amok?

Categories: Cyber Risk News

Qualys Announces Passing of Philippe Courtot, its CEO of the Past 20 Years

Mon, 06/07/2021 - 12:11
Qualys Announces Passing of Philippe Courtot, its CEO of the Past 20 Years

Cloud security firm Qualys has announced the sad news of the passing of its former CEO, chairman and leader for the past 20 years, Philippe Courtot, at the age of 76.

Courtot oversaw the significant growth of Qualys since becoming its CEO in March 2001, initially investing in the company in 1999 when it was founded. His vision to build a cloud delivery platform that would allow for scanning any network on a global scale became realised in Qualys’ global expansion over the past two decades. It first went public in 2012.

Under his leadership, Qualys completed several acquisitions. In recent years these include Second Front Systems and endpoint detection and response startup Spell Security.

Born in 1944 in France, Courtot began his career selling minicomputers before arriving in the US in 1981. After a spell as CEO of Thomson CGR Medical, he founded email platform provider cc:Mail in 1988, achieving a 40% market share before selling the business to Lotus in 1991. He was then appointed president and CEO of Verity before joining Signio, where he oversaw its acquisition by VeriSign.

Courtot was also involved in several initiatives to support the security industry’s role more generally. These include supporting the formation of the Cloud Security Alliance in 2008, founding the Trustworthy Internet Movement and CSO Interchange, and becoming a trustee for The Internet Society.

Additionally, he received a number of personal awards for his work in security over the years. In 2019, Courtot picked up the Decade of Vision Leadership Award from the Cloud Security Alliance. Last year Courtot received the Benefactor Award from the International Systems and Security Association (ISSA) Education Foundation for supporting cybersecurity and cybersecurity education.

Commenting, Sumedh Thakar, Qualys president and CEO, said: “Philippe was my mentor and advisor; the entire Qualys team and I are deeply saddened by his passing, and our thoughts and prayers are with his family. We are forever grateful for Philippe’s exceptional leadership, vision and passion for helping enterprise customers with practical solutions to the biggest challenges around security. He was dedicated to making life easier for everyone from security analysts through to CISOs.”

Sandra E. Bergeron, Qualys’ lead independent director, stated: “The board and company are incredibly saddened at the loss of Philippe. He was a transformational leader with a passion for business and cybersecurity, who cared deeply about Qualys and its employees. We look forward to honoring him by continuing to grow the company based on his vision.”

Categories: Cyber Risk News

Colonial Pipeline Incident Sparks 'Help Desk' Phishing Attacks

Mon, 06/07/2021 - 10:54
Colonial Pipeline Incident Sparks 'Help Desk' Phishing Attacks

Researchers have discovered a new phishing campaign designed to spread ransomware and steal data by capitalizing on interest in the recent Colonial Pipeline outage.

Security vendor Inky, which spotted the malicious emails, said several Microsoft 365 customers were targeted.

Emails were spoofed to appear as if sent from the recipient’s “Help Desk.” Recipients were instructed to click on a malicious link in order to download a critical “ransomware system update” to protect their organization from the same fate as Colonial Pipeline.

“The malicious emails were sent from newly created domains ( and controlled by cyber-criminals. The domain names, sufficiently plausible to appear legitimate, were nonetheless different enough so that garden variety anti-phishing software would not be able to use regular expression matching to detect their perfidy,” explained VP of security strategy, Roger Kay.

“Both domains were registered with NameCheap, a registrar popular with bad actors. Its domains are inexpensive, and the company accepts Bitcoin as payment for hosting services (handy for those trying to remain anonymous). The malicious links in the emails belonged to — surprise — the same domain that sent the emails.”

The download itself is, in fact, Cobalt Strike — a legitimate pen-testing tool often used in ransomware attacks and data exfiltration and which could be used in this instance to control targeted systems.

Anti-phishing software must be used to mitigate the risks posed by such attacks in conjunction with well-thought-out policies such as IT teams never asking employees to download certain file types, Kay concluded.

In related news, it has been reported that the DarkSide group responsible for the attack on Colonial Pipeline may have breached the critical infrastructure organization via a single compromised password.

A Mandiant VP working on the case reportedly claimed that the VPN account log-in allowed remote attackers to infiltrate the company’s network, even though the account was no longer in use at the time. The credential was subsequently found on the dark web, meaning it may have been previously reused across multiple accounts.

Categories: Cyber Risk News

Latvian Woman Charged with Developing Malware for Trickbot

Mon, 06/07/2021 - 10:05
Latvian Woman Charged with Developing Malware for Trickbot

A 55-year-old Latvian woman has been charged on multiple counts for her alleged role in developing malware for the infamous Trickbot group.

On Friday, Alla Witte, aka “Max,” was charged with 19 counts of a 47-count indictment after being arrested in February in Miami.

The indictment claimed that she helped develop code related to the control, deployment and payment of ransomware; software to track authorized users of the malware; and tools and protocols to store stolen login credentials.

Trickbot started life several years ago as a banking Trojan. However, subsequent iterations turned it into a multi-purpose modular threat used by cyber-criminals to gain access to victims’ networks and deploy additional malware, including ransomware.

According to the Department of Justice (DOJ), Witte and her co-conspirators stole money and sensitive information globally from individuals and businesses, including banks, beginning November 2015.

Trickbot apparently helped them steal online banking logins and other personal information, including credit card numbers, emails, passwords, dates of birth, social security numbers and addresses. The DOJ alleged that Witte and her co-conspirators used bank account access to steal funds and launder money.

Witte is charged with:

  • One count of conspiracy to commit computer fraud and aggravated identity theft
  • One count of conspiracy to commit wire and bank fraud affecting a financial institution
  • Eight counts of bank fraud affecting a financial institution
  • Eight counts of aggravated identity theft
  • One count of conspiracy to commit money laundering

The crimes she’s accused of could land Witte with a maximum sentence of over 300 years.

The group is accused of infecting tens of millions of computers and stealing millions of dollars over the past six years.

“The Trickbot malware was designed to steal the personal and financial information of millions of people around the world, thereby causing extensive financial harm and inflicting significant damage to critical infrastructure within the United States and abroad,” said acting US attorney, Bridget Brennan, of the Northern District of Ohio.

“Federal law enforcement, along with assistance provided by international partners, continue to fight and disrupt ransomware and malware where feasible. We are united in our efforts to hold transnational hackers accountable for their actions.”

Categories: Cyber Risk News

Warning of New Ransomware Surge in Education Sector

Mon, 06/07/2021 - 08:34
Warning of New Ransomware Surge in Education Sector

The UK’s leading cybersecurity authority has updated its guidance on ransomware following a spate of attacks on the education sector.

GCHQ spin-off the National Cyber Security Centre (NCSC) said it was investigating another rise in threats targeting schools, universities and colleges.

“Ransomware attacks can have a devastating impact on organizations, with victims requiring a significant amount of recovery time to reinstate critical services. These events can also be high profile in nature, with wide public and media interest,” the NCSC said.

“In recent incidents affecting the education sector, ransomware has led to the loss of student coursework, school financial records as well as data relating to COVID-19 testing.”

Recent trends highlighted by the organization include the targeting of networks through VPNs and remote desktop protocol (RDP) endpoints, by exploiting unpatched bugs or weak passwords/lack of multi-factor authentication (MFA). It also pointed to the threat from phishing emails and other unpatched systems like Microsoft Exchange Server.

The use of legitimate tools such as Mimikatz, PsExec, and Cobalt Strike to enable lateral movement is also widespread, and traditional security tools have trouble spotting it, the NCSC added.

Recently, researchers have seen attempts to sabotage backup/auditing devices to make data recovery more complex, encrypt entire virtual servers, and use scripting environments like PowerShell to deploy tooling and malware.

In April, both the University of Portsmouth and the University of Hertfordshire suffered network outages lasting days after ransomware threat actors struck.

The Harris Federation, which runs 50 primary and secondary academies in the London area, was struck in March, impacting nearly 40,000 pupils.

The NCSC's updated report recommended a defense-in-depth approach to protection, including MFA, anti-virus, prompt patching, and disabling macros and scripting environments to help disrupt ransomware attack vectors.

Categories: Cyber Risk News

US to Treat Ransomware Like Terrorism

Fri, 06/04/2021 - 18:18
US to Treat Ransomware Like Terrorism

A senior official at the United States Department of Justice (DOJ) has said that ransomware attacks in America are to be investigated with a similar urgency to incidents of terrorism.

The official told news agency Reuters that cyber-assaults using this particular type of malware are to be prioritized more highly now following a passel of ransomware attacks against entities in the US and elsewhere.

Ransomware victims in recent weeks have included the Colonial Pipeline, meat supplier JBS, the Steamship Authority of Massachusetts, and Fujifilm.

Reuters reports that internal DOJ guidance on ransomware was received by US attorney’s offices across the country on Thursday. Recipients were told that information regarding ransomware investigations in the field must be shared with a recently created task force based in Washington.

“It’s a specialized process to ensure we track all ransomware cases regardless of where it may be referred in this country, so you can make the connections between actors and work your way up to disrupt the whole chain,” said principal associate deputy attorney general at the Justice Department, John Carlin.

The Colonial attack is cited in the guidance as a prime example of the “growing threat that ransomware and digital extortion pose to the nation.”

It reportedly reads: “To ensure we can make necessary connections across national and global cases and investigations, and to allow us to develop a comprehensive picture of the national and economic security threats we face, we must enhance and centralize our internal tracking."

The specialized process described by Carlin is typically used in cases of national security. Central notification will now be compulsory for investigations into counter anti-virus services, illicit online forums or marketplaces, cryptocurrency exchanges, bulletproof hosting services, botnets and online money laundering services.

“We’ve used this model around terrorism before but never with ransomware,” said Carlin. 

He added: “We really want to make sure prosecutors and criminal investigators report and are tracking ... cryptocurrency exchanges, illicit online forums or marketplaces where people are selling hacking tools, network access credentials – going after the botnets that serve multiple purposes.”

FBI director Christopher Wray said that the agency is investigating around 100 kinds of ransomware, many of which are linked to criminal operators in Russia.

Categories: Cyber Risk News

More US Kids Warned About Internet Than Unsafe Sex

Fri, 06/04/2021 - 17:34
More US Kids Warned About Internet Than Unsafe Sex

More American parents are warning their children about the dangers of going online than about the importance of sexual safety, according to new research.

A survey of over 1,000 parents in the United States conducted by found that 89% of parents with children aged 12 or older have had an intentional talk about internet safety with their children. By contrast, only 66% of American parents with kids aged 12 or older had purposefully discussed sexual safety with their offspring.

Of those parents with kids aged 12+ who talked to their children about staying safe online, more than half (60%) had engaged in more than one discussion about the topic. By contrast, only 37% of parents with children aged 12 or older had talked to their children more than once about sexual safety.

The survey focused on parents with children aged between 6 and 17. Findings revealed that 82% of parents had talked to their kids about internet safety, with 51% having more than one intentional talk on the subject. 

The two most popular internet safety topics covered by parents were protecting personal information (81%) and stranger danger (79%). 

More than half of parents had discussed social media and mental health (53%) and cyber-bullying (51%) with their kids. 

Sex wasn't the only issue to take a backseat behind the internet in discussions around safety. Researchers found that only 79% of parents with children aged 15 or older had talked to their kids about driving/vehicle safety. 

Of all the parents surveyed, outdoor/wilderness safety had been addressed by just 60%, and fire safety by just 69%. 

The survey found a discrepancy between parents' views on age-restricted internet access and social media policies. 

"Most survey respondents believed their children should reach 14 to 15 years of age before having unsupervised access to social media," said an spokesperson. "Yet major platforms, including Facebook, Instagram, Snapchat, and Twitter, require users to be 13 before making an account."

Results revealed parents' leading internet concerns for their children as being targeted by a predator (67%), seeing sexually explicit content (65%) and seeing graphic or violent content (60%). More than half (56%) worried that their children would be cyber-bullied.

Categories: Cyber Risk News

Biden Expands Trump’s Investment Ban on Chinese Firms

Fri, 06/04/2021 - 15:51
Biden Expands Trump’s Investment Ban on Chinese Firms

President Joe Biden's latest executive order has expanded a ban on investing in Chinese companies with alleged links to defense or surveillance technology sectors that was introduced by former president Donald Trump.

The Trump administration issued an executive order on November 12, 2020, barring US entities from investing in a clutch of PRC companies including smartphone-maker Huawei, China Telecommunications Corp., China Unicom Ltd., and China Mobile Communications Group Co.

On Thursday, Biden signed an order blocking Americans from investing in 59 companies based in the People's Republic of China, including leading microchip-maker Semiconductor Manufacturing International Corp. and the republic's biggest server manufacturer, Inspur.

Defense companies that made it onto Biden’s list included Aviation Industry Corp. of China, Ltd., China North Industries Group Corp., China Aerospace Science and Industry Corporation Ltd., and China Shipbuilding Industry Co.

In 2019, Biden declared that the Chinese were "not bad folks" and that China, which has the world's second largest economy, was "not competition for us."

In the executive order signed yesterday, Biden wrote that "additional steps are necessary to address the national emergency declared in Executive Order 13959 of November 12, 2020 (Addressing the Threat From Securities Investments That Finance Communist Chinese Military Companies), including the threat posed by the military-industrial complex of the People’s Republic of China (PRC) and its involvement in military, intelligence, and security research and development programs, and weapons and related equipment production under the PRC’s Military-Civil Fusion strategy. 

"In addition, I find that the use of Chinese surveillance technology outside the PRC and the development or use of Chinese surveillance technology to facilitate repression or serious human rights abuse constitute unusual and extraordinary threats, which have their source in whole or substantial part outside the United States, to the national security, foreign policy, and economy of the United States, and I hereby expand the scope of the national emergency declared in Executive Order 13959 to address those threats.” 

The prohibitions will take effect on August 2, 2021. The US Treasury Department has said it will update the list of barred companies on a “rolling basis” and that they "fully expect" to add more companies to it in the months ahead.

Categories: Cyber Risk News