Strategies that organizations should adopt to keep up with the evolution of cyber-attackers was the topic of a panel discussion during Digital Transformation EXPO Europe 2021.
Moderating the session, Lisa Short, director & co-founder, Hephaestus Collective & P&L Digital Edge, observed how the digital world has become more “pervasive” during the past 18 months, with organizations undergoing significant digital transformations. She then posed the question: how should industry professionals be reacting to this change?
Matt Howells, head of cyber defense, Hargreaves Lansdown, said that threat actors are broadly using the same methods they did pre-pandemic, such as ransomware, but the velocity of attacks has ramped up. He also noted that cyber-criminals are becoming more collaborative, such as utilizing ‘as-a-service’ approaches. As such, “it’s physically impossible to stay ahead of our adversaries – there are tens of thousands of them out there across the globe.”
Amid this environment, Jack Chapman, vice president, threat intelligence at Egress, said it is vital that security teams utilize the new technologies they have adopted since COVID-19 and combine those with the human and process layers. “It’s a case of re-evaluating what threats our organization is facing and taking a realistic approach, because if we’re honest, every layer can be overcome. What we’re doing here is mitigating these threats and by understanding them, we stand a much better chance.”
Vijay Kumar Velu, director, offensive security, BDO UK LLP, emphasized that it is not a new set of threats being faced by organizations, but rather changing tactics. This is partly due to the surge in cryptocurrencies, providing new avenues for cyber-criminals to make money via cryptojacking. “It’s just the way they want to make money that changes,” he stated.
Short then asked the panel about the types of tools organizations should invest in to better protect their systems and data. Howells pointed out that any new technology, person or service must be carefully vetted before being rolled out. Otherwise, “you are allowing insider threats to walk straight in the front door, which a number of organizations do on a daily basis.”
Chapman emphasized that the focus should always be on creating new layers of security by design, and tools need to be tailored for that purpose. “Any organization has different risks, different employees, different objectives, and one answer fits-all doesn’t work.”
Kumar Velu was then asked whether he feels security teams are getting enough funding to spend on security given the increased threat landscape. Short outlined the context of this question — the eye-opening costs of data breaches, which are expected to reach $10.5tn by 2025. Kumar Velu agreed that more money is required but cautioned that teams must be careful about how they spend their budget, as “the spends are going wrong sometimes.”
Building on this point, Howells stated that the best way to ensure the right decisions about security spending is to have the right CISO to communicate security risks and needs effectively to the board. “If you have somebody who is able to communicate to them in the language that can drive home exactly what we’re trying to achieve from a cyber-perspective or a transformational perspective from IT, I think you will always get through to your c-suite,” he opined.
He added that while tools are essential, organizations should also be focusing on getting security basics right, such as having a CMDB.
Kumar Velu also advised organizations to focus on defending the critical assets of their business and ensuring they remain protected in the event of a breach. “Always focus on the risk that matters to you. One size doesn’t fit all — only the size that matters to you,” he said.
Renowned documentarist Louis Theroux described the growing societal dangers posed by social media use during the keynote interview at the Digital Transformation EXPO Europe 2021.
The session came ahead of the release of Theroux's new three-part documentary series, exploring how tech is increasingly coalescing with human psychology. In one prominent example of this, he noted that former US president, Donald Trump, was able to "get elected based on his ability to communicate to us through our phones."
The discussion, which tech journalist Georgie Barrat moderated, then turned to the Capitol Hill riots at the beginning of the year. This is an event Theroux analyzed extensively for the making of his new series, and he explained that the disturbing scenes were only made possible by social media, particularly Twitter. This was partly due to the encouragement President Trump gave his supporters via the platform to protest his election defeat, following constant allegations of vote-rigging. But more profoundly, he described how social media had enabled people with extremist views to "find their tribe" and "live in an echo chamber," where their beliefs are constantly reinforced rather than largely ignored.
This phenomenon has subsequently spilled out into the real world, leading to the chaotic and disturbing scenes at Capitol Hill. Such a scenario could not have occurred without social media, according to Theroux, as most people who believe in conspiracy theories such as election fraud would otherwise live separate lives from one another.
Therefore, "we have poisoned ourselves with information."
While Theroux believes social media firms should do more to combat misinformation and disinformation on their platforms, he acknowledged that such approaches could lead to quashing legitimate free speech. For example, he pointed out that during the early part of the COVID-19 pandemic, social media companies were banning people for suggesting the virus was caused by a lab leak in Wuhan — a theory now considered plausible by experts.
Theroux also spoke of his fears surrounding large tech firms' extensive collection of personal data, enabling these companies to "create pictures of your behavior," thereby targeting individuals with specific content and adverts.
He believes this process can change human behavior, as humans are "socially malleable," shaped by the environment they reside in. He pointed out that behaviors like pedophilia and slavery would have been considered acceptable many years ago, as they were the norm for their environment. This is an area people should be very mindful of while operating in the online world.
Theroux also emphasized that social media has many positive aspects, including calling powerful people out for inappropriate behavior. However, big tech and governments have much work to do to ensure these benefits are not outweighed by significant societal harms such as disinformation in the future.
Government security experts have urged organizations to review and re-plan any BYOD strategies implemented as a quick fix during the pandemic, warning of mounting cyber-risk.
GCHQ-offshoot the National Cyber Security Centre (NCSC) has released updated guidance for organizations designed to help them design, deploy and manage what it claimed could be a “potentially difficult IT set-up.”
Senior platforms researcher, “Luna R,” warned in a new blog post that the time for a “just make it work” mentality is over, and BYOD must now be carefully considered and rigorously implemented to be effective and secure.
“You cannot do all your organization’s functions securely with just BYOD, no matter how well your solution may be configured,” she argued. “If you’ve given BYOD users admin access to company resources, revoke that access immediately, then come back.”
The rapid shift to remote working during the first months of the pandemic made employee use of personal devices virtually essential in many organizations, especially those with smaller IT budgets.
However, stories soon emerged of threat actors targeting vulnerabilities and misconfigurations in these devices and home networks to get to corporate networks and resources.
A Bitglass study from July 2020 revealed that 69% of organizations allow employees to use personal devices for work. However, it also noted that over half (51%) lack visibility into file-sharing apps, 30% have no control over mobile enterprise messaging tools and only 9% have cloud-based anti-malware solutions in place.
Remarkably, by November 2020, over half (51%) of organizations still didn’t have a BYOD policy in place.
An HP study from May 2021 revealed that over half (51%) of global IT decision-makers had seen evidence of compromised personal PCs being used to access company and customer data over the past year.
Security researchers have warned of a new ransomware variant leveraging a recently disclosed vulnerability for initial access and going to great lengths to evade detection.
In Atom Silo’s case, the variant exploited a vulnerability in Atlassian’s Confluence collaboration software made public just three weeks before the attack.
Interestingly, the researchers discovered that a separate threat actor had exploited the same bug to deploy a coinminer (also called a cryptocurrency miner) on the victim organization’s system.
“For many organizations, keeping up with the pace of patching can be a challenge in the best of times — and the effects of lock-down and other recent stressors affecting staff availability are only making keeping up with patches more difficult,” said Sophos researchers Sean Gallagher and Vikas Singh.
“Ransomware operators and other malware developers are becoming very adept at taking advantage of these gaps, jumping on published proof-of-concept exploits for newly-revealed vulnerabilities and weaponizing them rapidly to profit off them.”
The ransomware actors also used “well-worn techniques in new ways, and made significant efforts to evade detection prior to launching the ransomware,” they argued.
Specifically, the intrusion began with an Object-Graph Navigation Language (OGNL) injection attack, which provided a backdoor via which they dropped and executed additional files for a second covert backdoor.
These files included a legitimate, signed executable from a third-party software provider that was vulnerable to an unsigned DLL side-load attack.
Sophos warned that such techniques are becoming increasingly common and challenging to defend against.
“Abuse of legitimate but vulnerable software components through DLL side-loading and other methods has long been a technique used by attackers with a wide range of capabilities, and it has filtered down to the affiliates of ransomware operators and other cyber-criminals,” the researchers explained.
“While abuse of some of these legitimate, signed components is well-enough known to defend against, the supply of alternative vulnerable executables is likely deep. Spotting legitimate executables that exist outside of the context of the products they are supposed to be part of requires vigilance — and vulnerability disclosure by the vendors they come from.”
Once the backdoor was loaded, the attackers proceeded to lateral movement, exfiltration and encryption, disrupting Sophos endpoint protection in the process via a malicious kernel driver to evade detection.
Apache HTTP Server users have been urged to immediately patch after it emerged that a zero-day vulnerability in the popular open-source software is being exploited in the wild.
CVE-2021-41773 is described as a path traversal flaw in version 2.4.49, which was itself only released a few weeks ago.
“An attacker could use a path traversal attack to map URLs to files outside the expected document root,” a description of the bug noted. “If files outside of the document root are not protected by ‘require all denied’ these requests can succeed. Additionally, this flaw could leak the source of interpreted files like CGI scripts.”
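As an added illustration of the defensive check that description implies (this is not code from the article, Apache or Sonatype), the Python below scans constructed Apache access-log lines, percent-decodes each request path (including doubly encoded sequences), and flags any request whose normalized path resolves outside an assumed document root of /var/www/html; a 200 status on such a request is the case a defender wants to see, since it means the traversal was not stopped by a 'require all denied' block. The log lines and client addresses are made up for the example.

```python
"""Flag HTTP requests whose fully decoded path escapes the Apache document root.

Constructed example for the CVE-2021-41773 discussion: the log lines, client
addresses and document root below are assumptions made for illustration.
"""
import posixpath
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import unquote

DOCROOT = "/var/www/html"          # assumed DocumentRoot of the server being reviewed

# Apache "combined" log format: only the client, request target and status are needed.
_REQUEST_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


@dataclass
class Finding:
    client: str
    raw_target: str
    resolved: str
    status: int


def fully_decode(target: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded), so a doubly
    encoded sequence such as %252e is unwrapped the same way %2e would be."""
    decoded = target
    for _ in range(max_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded


def resolve_target(target: str, docroot: str = DOCROOT) -> str:
    """Map a request-target onto the filesystem the way a naive file server
    would: drop the query string, decode, then collapse '.' and '..' segments."""
    path = target.split("?", 1)[0]
    path = fully_decode(path)
    # normpath collapses "a/../b" into "b" and removes duplicate slashes.
    return posixpath.normpath(docroot + "/" + path.lstrip("/"))


def escapes_docroot(target: str, docroot: str = DOCROOT) -> bool:
    """True when the resolved path lies outside docroot, i.e. the request
    that a 'Require all denied' block on '/' is meant to turn into a 403."""
    resolved = resolve_target(target, docroot)
    return not (resolved == docroot or resolved.startswith(docroot + "/"))


def scan_access_log(lines: List[str], docroot: str = DOCROOT) -> List[Finding]:
    """Return one Finding per request whose path escapes docroot, in log order."""
    findings = []
    for line in lines:
        m = _REQUEST_RE.match(line)
        if not m:
            continue                      # not a request line we can parse
        if escapes_docroot(m["target"], docroot):
            findings.append(Finding(
                client=m["client"],
                raw_target=m["target"],
                resolved=resolve_target(m["target"], docroot),
                status=int(m["status"]),
            ))
    return findings


# Constructed sample log lines (RFC 5737 documentation addresses, made-up timestamps).
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Oct/2021:10:12:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [05/Oct/2021:10:12:07 +0000] "GET /icons/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 403 199 "-" "curl/7.68.0"',
    '198.51.100.3 - - [05/Oct/2021:10:12:09 +0000] "GET /cgi-bin/%252e%252e/%252e%252e/%252e%252e/%252e%252e/etc/hosts HTTP/1.1" 200 310 "-" "curl/7.68.0"',
    '198.51.100.4 - - [05/Oct/2021:10:12:11 +0000] "GET /docs/../index.html?x=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    # The second sample was blocked (403); the third was served (200) and is
    # the one that warrants an incident ticket.
    for f in scan_access_log(SAMPLE_LOG):
        verdict = "SERVED" if f.status == 200 else "blocked"
        print(f"{f.client} {f.raw_target} -> {f.resolved} [{f.status} {verdict}]")
```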
According to Sonatype senior security researcher, Ax Sharma, there are around 112,000 Apache servers across the globe running version 2.4.49, two-fifths of which are located in the US.
He argued that the new zero-day exploit highlights that, even when a vendor releases patches, they may subsequently be bypassed.
On that point, Google research earlier this year claimed that a quarter of zero-day exploits could have been avoided if vendors had taken more time over patching. It noted that 25% of zero-days spotted in 2020 were closely related to previously publicly disclosed vulnerabilities.
Sonatype’s Sharma also warned that unpatched Apache Airflow servers at dozens of tech firms were leaking thousands of credentials and configuration secrets due to poor configuration and security practices.
“Most of these issues could have been avoided by simply upgrading Airflow to version 2, which comes with extensive improvements and security enhancements,” he argued.
News of the acquisition of OneLogin by One Identity, a Quest Software business, was announced yesterday; however, the terms of the deal were not disclosed.
One Identity said that combining OneLogin with its existing privileged access management (PAM), identity governance and administration (IGA), and active directory management and security (ADMS) solutions will allow customers “to take a holistic approach to identity security with trusted, proven technology in each major category.”
Together, the customer bases of OneLogin and One Identity cover a vast cross-section of the world’s enterprises. OneLogin manages more than 40 million identities for 5,500 customers, while One Identity takes care of more than 250 million identities for 5,000 organizations.
“Joining One Identity provides us with the ability to further accelerate our growth and provide additional value for both of our [companies’] customers,” said Brad Brooks, CEO of OneLogin. “With OneLogin’s robust unified platform for both workforce and CIAM, combining forces with One Identity’s suite of products including their PAM solution, will allow new and existing customers, on a global scale, to tap into the market’s only unified identity security platform.”
Citing Verizon’s Data Breach Investigations Report, which found that 61% of breaches are caused by the improper management of credentials used to access data and applications, and roughly 70% are linked to the abuse of accounts with “privileged” access, One Identity said that an end-to-end approach to identity security was important to protect the way organizations work.
“With the proliferation of human and machine identities, the race to the cloud and the rise of remote working, identity is quickly becoming the new edge – and protecting identity in an end-to-end manner has never been more important,” said Bhagwat Swaroop, president and general manager of One Identity.
“By adding OneLogin to our portfolio, and incorporating it into our cloud-first Unified Identity Security Platform, we can help customers holistically correlate all identities, verify everything before granting access to critical assets and provide real-time visibility into suspicious login activity. With identity at the core, customers can now implement an adaptive zero trust strategy and dramatically improve their overall cybersecurity posture.”
Netflix has axed some scenes from its hit show Squid Game because the phone numbers it featured turned out to be genuine and in use by people in the real world.
The deletions were made after the owners of the phone numbers received thousands of text messages and phone calls from curious Squid Game fans located around the globe.
Since premiering on the streaming platform on September 17, Squid Game looks set to become one of the most popular Netflix shows in history. The South Korean fictional drama depicts contestants who are deeply in debt playing children's games to win a life-altering amount of cash. In a disturbing twist, players who lose are executed.
A Korean man from Gyeonggi province, who claims his digits were exposed in a subway scene featured in the first episode of the show, said that his phone has been overwhelmed with thousands of nuisance calls.
Speaking to Korean publication Money Today, he said: "It has come to the point where people are reaching out day and night due to their curiosity."
The constant contact from Squid Game fans has prevented the man from receiving calls and messages that are actually intended for him.
"It drains my phone's battery, and it turns off," he said.
He added: “At first, I didn’t know why, then my friend told me that my number came out in Squid Game.”
The man's phone number allegedly appeared on a business card passed to Lee Jung-Jae’s character, Seong Gi-Hun, by a mysterious man in a black suit.
Changing his number to avoid nuisance calls is not something the man said he wanted to do, since he has used it for business calls for the past decade.
The man said that his wife, whose phone number is identical to his with the exception of one digit, has also been receiving nuisance calls from Squid Game fans with careless fingers.
A spokesperson for Netflix and the show's maker Siren Pictures said: "Together with the production company, we are working to resolve this matter, including editing scenes with phone numbers where necessary."
A voucher scheme launched by the Northern Ireland Assembly to stimulate economic growth following Covid-19 lockdowns is having an identity crisis.
Under the £145m High Street Spend Local Scheme, the approximately 1.4 million residents of Northern Ireland who are aged 18 and over are eligible to apply for a £100 Spend Local voucher.
The voucher takes the form of a prepaid card, which is accepted by businesses across Northern Ireland. To apply for the card, residents must submit their email address along with their National Insurance number (NINO).
However, it has been reported that the voucher applications of around 1,000 eligible individuals were denied because their NINO had already been used to successfully complete an earlier voucher application.
It is unclear whether the issue is the result of a system glitch, human error on the part of the applicants, or fraudsters who have been applying for vouchers using stolen NINOs.
A spokesperson for the Department for the Economy told the BBC that "no fault" had been found in its voucher application system that might account for the situation.
The husband of a woman impacted by the issue told The Nolan Show: "She tried to apply for the card – went online, gave her email address, got her link back and then you click on the link and put in your National Insurance number.
"A screen popped up and said: 'We're sorry but it appears your National Insurance number has been entered already and used by someone else making an application.' And that was it, and the only thing she could do about it was to email [the Department for the Economy]."
The woman subsequently reported the issue to the Department via email. The only response she has received is a message saying that they were aware of the issue.
Her husband told the Belfast Telegraph that as a test, he applied for a voucher using an altered version of his own NINO and was able to advance to the next stage of the application.
The Department for the Economy stated: "The scheme has robust anti-fraud measures in place and this issue will be kept under close review."
Google has announced financial backing for a new initiative designed to incentivize proactive security improvements to open source code.
Unlike bug bounty programs which offer financial rewards to researchers who discover critical software bugs, the Secure Open Source (SOS) project will do the same for developers whose work prevents major vulnerabilities appearing in the first place.
“SOS rewards a very broad range of improvements that proactively harden critical open source projects and supporting infrastructure against application and supply chain attacks,” Google explained.
“To complement existing programs that reward vulnerability management, SOS’s scope is comparatively wider in the type of work it rewards, in order to support project developers.”
The selection process for in-scope projects will take into account NIST guidelines and the new Presidential executive order on cybersecurity, as well as criteria such as how many users will be affected, and how serious an impact a compromise would have.
The initial list of projects includes software supply chain improvements such as hardening of CI/CD pipelines, adoption of software artifact signing and verification, and enhancements that produce higher OpenSSF Scorecard results.
Google’s $1m investment will help to fund awards of $10,000 or more for “complicated, high-impact and lasting improvements that almost certainly prevent major vulnerabilities in the affected code or supporting infrastructure.”
Smaller amounts ranging from $505 to $10,000 are available depending on the complexity and benefits.
“This $1 million investment is just the beginning — we envision the SOS pilot program as the starting point for future efforts that will hopefully bring together other large organizations and turn it into a sustainable, long-term initiative under the OpenSSF,” Google concluded.
“We welcome community feedback and interest from others who want to contribute to the SOS program. Together we can pool our support to give back to the open source community that makes the modern internet possible.”
A recent report from Sonatype revealed a 650% year-on-year increase in upstream supply chain attacks impacting open source software components.
A major telecoms service provider has revealed it was the victim of a five-year breach impacting hundreds of customers.
Syniverse routes text messages for hundreds of global telco customers — allowing it to boast of reaching “more people and devices than anyone on Earth.”
However, in a filing with the SEC last week ahead of the firm going public via a merger with a special purpose acquisition company (SPAC), it admitted discovering a major incident back in May.
The unauthorized access to its operational and IT systems was subsequently found to have been ongoing since May 2016.
“Syniverse’s investigation revealed that the individual or organization gained unauthorized access to databases within its network on several occasions, and that login information allowing access to or from its Electronic Data Transfer (EDT) environment was compromised for approximately 235 of its customers,” it continued.
“All EDT customers have been notified and have had their credentials reset or inactivated, even if their credentials were not impacted by the incident. All customers whose credentials were impacted have been notified of that circumstance.”
Although the firm claimed it has seen no efforts to disrupt operations or monetize the attack, it could not rule out further discoveries.
“While Syniverse believes it has identified and adequately remediated the vulnerabilities that led to the incidents described above, there can be no guarantee that Syniverse will not uncover evidence of exfiltration or misuse of its data or IT systems from the May 2021 Incident, or that it will not experience a future cyber-attack leading to such consequences,” it said.
“Any such exfiltration could lead to the public disclosure or misappropriation of customer data, Syniverse’s trade secrets or other intellectual property, personal information of its employees, sensitive information of its customers, suppliers and vendors, or material financial and other information related to its business.”
It's unclear exactly what information the attackers would have gained access to with the EDT compromise, but it could theoretically include metadata or even the content of text messages, including one-time passcodes, which could unlock two-factor authentication-protected accounts.
The firm claims to process over 740 billion messages every year for 300+ global mobile operators.
An audacious supply chain raid like this bears the hallmarks of nation-state intelligence gathering or a highly organized cybercrime group.
Facebook has apologized for a major global outage that left users unable to access the social network and other platforms for hours, blaming the incident on a configuration error.
The outage began at around 11:40 Eastern Time on Monday morning and lasted well into the evening of the same day — affecting not just Facebook and Messenger but Instagram and WhatsApp.
The recovery effort was also impacted as Facebook engineers found it difficult to access internal tooling which used the same internet infrastructure. Global staff were left high-and-dry for similar reasons.
The issue appears to have stemmed from an update to the firm’s Border Gateway Protocol (BGP) records. BGP is critical to the seamless functioning of the internet, allowing networks of addresses such as Facebook’s to advertise their presence to others.
“It's a mechanism to exchange routing information between autonomous systems (AS) on the internet,” explained Cloudflare in a technical blog about the incident.
“The big routers that make the internet work have huge, constantly updated lists of the possible routes that can be used to deliver every network packet to their final destinations. Without BGP, the internet routers wouldn't know what to do, and the internet wouldn't work.”
Although some commentators had speculated foul play, the cause of the outage appears to be human error.
Vice president of infrastructure, Santosh Janardhan, said no user data was compromised and that the root cause of the issue was a “faulty configuration change.”
“Our engineering teams have learned that configuration changes on the backbone routers that coordinate network traffic between our datacenters caused issues that interrupted this communication. This disruption to network traffic had a cascading effect on the way our datacenters communicate, bringing our services to a halt,” he explained.
“People and businesses around the world rely on us every day to stay connected. We understand the impact outages like these have on people’s lives, and our responsibility to keep people informed about disruptions to our services. We apologize to all those affected, and we’re working to understand more about what happened today so we can continue to make our infrastructure more resilient.”
The offshore assets of 35 current and former world leaders have been exposed in an unprecedented leak of financial records dubbed the Pandora Papers.
The cache of 11.9 million confidential files was leaked to the International Consortium of Investigative Journalists (ICIJ) in Washington, DC. Containing 2.94 terabytes of data, the Papers represent the largest trove of leaked offshore data in history.
According to the ICIJ, the papers offer “a sweeping look at an industry that helps the world’s ultra-wealthy, powerful government officials and other elites conceal trillions of dollars from tax authorities, prosecutors and others.”
More than 100 billionaires are featured in the files, which were derived from 14 offshore services firms from around the world, engaged by clients to set up offshore structures and trusts in tax havens such as the Cayman Islands, Panama, Dubai, Switzerland, and Monaco.
Exposed by the leak are the finances of more than 300 public officials such as government ministers, judges, mayors, and military generals in more than 90 countries. Also impacted are wealthy celebrities, musicians, and business leaders.
The ICIJ said that the leaked records have also uncovered the financial secrets of "a global lineup of fugitives, con artists and murderers."
For two years, more than 600 journalists at 150 news outlets have been reviewing the leaked files, which were shared by the ICIJ with media partners including the Guardian, BBC Panorama, Le Monde, and the Washington Post.
The Guardian wrote: "The Pandora papers reveal the inner workings of what is a shadow financial world, providing a rare window into the hidden operations of a global offshore economy that enables some of the world’s richest people to hide their wealth and in some cases pay little or no tax."
Information revealed in the leak includes the secret purchase through offshore companies of a $22 million chateau in the French Riviera by the Czech Republic’s billionaire prime minister, Andrej Babis, who styles himself as a man of the people.
The papers also show that 14 luxury homes were secretly purchased for $106 million by King Abdullah II of Jordan, whose country relies on foreign aid to support its people.
Mishcon de Reya is bringing a representative suit against DeepMind pertaining to the company’s data-sharing deal with the Royal Free London National Health Service (NHS) Foundation Trust.
A five-year partnership between the Trust and DeepMind was announced in 2015 to "build on the successful year-long joint project to build a smartphone app called Streams, which alerts clinical teams as soon as test results show that a patient is at risk of developing acute kidney injury."
The Jurist reports that "when the data-sharing agreement was made public, it was revealed that DeepMind was gaining access to a wide-ranging scope of data including admissions, discharge and transfer, accidents, emergencies, critical care, pathology and radiology data."
In July 2017, the Information Commissioner’s Office (ICO) ruled the Royal Free NHS Foundation Trust failed to comply with the Data Protection Act when it provided patient details to DeepMind.
"The Trust provided personal data of around 1.6 million patients as part of a trial to test an alert, diagnosis and detection system for acute kidney injury," said the UK data protection regulator.
"But an ICO investigation found several shortcomings in how the data was handled, including that patients were not adequately informed that their data would be used as part of the test."
On September 30, Mishcon de Reya announced that it was bringing an action against DeepMind "on behalf of Mr Andrew Prismall and the approximately 1.6 million individuals whose confidential medical records were obtained by Google and DeepMind Technologies in breach of data protection laws."
Mr. Prismall said: “Given the very positive experience of the NHS that I have always had during my various treatments, I was greatly concerned to find that a tech giant had ended up with my confidential medical records.”
Lawyer Ananaya Agrawal wrote in The Jurist that Mishcon’s representative suit resembles a class-action lawsuit in the United States and “will have important ramifications for large-scale access and use of health data by tech companies in a post-pandemic, post-Brexit UK.”
A former Facebook employee is to appear before a US Senate subcommittee tomorrow after blowing the whistle on the company's alleged prioritization of profit above user welfare.
Frances Haugen, a 37-year-old data scientist from Iowa, revealed yesterday that it was she who leaked internal research carried out by Facebook to the Wall Street Journal. This research formed the basis of an investigative series named The Facebook Files, which the Journal has been reporting for the past three weeks.
Among the claims made by the Journal are that Facebook identified negative effects that its platform was having upon its users but didn't take any action to fix the problems.
It is further alleged that while claiming to treat all its users equally, Facebook allowed certain high-profile users to post content including harassment and incitement to violence.
Haugen, who has a degree in computer engineering and a Harvard master’s degree in business, held positions at Google, Yelp, and Pinterest prior to working for Facebook for two years as a product manager on the company's civic misinformation team. Before quitting her job in May, she copied a trove of internal company memos and documents.
“I’ve seen a bunch of social networks and it was substantially worse at Facebook than anything I’d seen before," Haugen told CBS.
Speaking on a 60 Minutes episode that aired Sunday, Haugen said: “The thing I saw at Facebook over and over again was there were conflicts of interest between what was good for the public and what was good for Facebook. And Facebook, over and over again, chose to optimize for its own interests, like making more money.”
She added: “The version of Facebook that exists today is tearing our societies apart and causing ethnic violence around the world.”
Following Haugen’s disclosures, two members of the European Parliament have called for an investigation to be launched into the social media company.
"We need to regulate the whole system and the business model that favors disinformation and violence over factual content – and enables its rapid dissemination," said European Parliament lawmaker Alexandra Geese.
On October 5, Haugen will testify before a Senate subcommittee in a hearing on Facebook’s research into Instagram’s effect on the mental health of young people.
A coordinated law enforcement action has led to the arrest of two “prolific ransomware operators” in Ukraine, Europol has revealed.
The operation was carried out jointly by the French National Gendarmerie, the Ukrainian National Police and the United States Federal Bureau of Investigation (FBI), in conjunction with Europol and INTERPOL, on September 28. While neither the individuals nor the gang they allegedly belong to were named, Europol said they were “known for their extortionate ransom demands (between €5m and €70m).”
The group is believed to have targeted numerous “very large industrial groups in Europe and North America” since April 2020. It is also known for its ‘double extortion’ tactics: after deploying malware, the operators steal sensitive data from victims in addition to encrypting their files, then demand a large ransom payment under threat of leaking the stolen data on the dark web.
The Ukrainian authorities stated that the suspects were responsible for attacks against over 100 worldwide organizations, causing more than $150 million in damages.
As well as the two arrests, the joint law enforcement action resulted in seven property searches, seizure of $375,000 in cash, seizure of two luxury vehicles worth €217,000 and asset freezing of $1.3m in cryptocurrencies.
Europol helped bring the law enforcement agencies together to establish a joint strategy, including setting up a virtual command post. The operation involved six investigators from the French Gendarmerie, four from the US FBI, a prosecutor from the French Prosecution Office of Paris, two specialists from Europol’s European Cybercrime Centre (EC3) and one INTERPOL officer, working alongside the Ukrainian National Police.
Providing further insights into the tactics used by the ransomware operators, Stefano De Blasi, threat researcher at Digital Shadows, said: “The suspects reportedly compromised their victims via spear-phishing campaigns and by targeting remote working tools such as remote desktop protocol (RDP) and virtual private networks (VPN). This observation highlights how social engineering remains a vital access vector for threat actors, as human curiosity is often exploited to bypass technological defences. Additionally, the use of RDP and VPN to compromise organizations suggests that the suspects have likely gained access to victims by purchasing initial access broker (IAB) listings on cyber-criminal forums and marketplaces.”
He added: “Europol also stated that the operation resulted in $1.3m being frozen within the group’s seized crypto wallets. Ukrainian police stated that the suspects had an accomplice who helped the group launder money gained from illicit means. The use of individuals skilled in laundering money has been a significant factor in the development of ransomware groups into an effective criminal business model. Although law enforcement agencies have not named the ransomware gang behind this operation, it is unclear to what extent the operation will affect the group in question, or the wider ransomware ecosystem.
“While solitary operations will not provide a remediation to the ransomware threat overnight, law enforcement operations can have a significant impact on targeted ransomware groups, often resulting in a suspension or disruption of their activity. These raids can achieve their greatest potential when paired with diplomatic efforts, innovative policies and effective public-private partnerships.”
A former US army contractor has been sentenced to more than 12 years behind bars after pleading guilty to helping defraud thousands of military service members, veterans and their families.
Fredrick Brown, 40, of Las Vegas, was sentenced for one count of conspiracy to commit wire fraud and one count of conspiracy to commit money laundering, following a guilty plea nearly two years ago.
As a civilian medical records technician and administrator at the US army’s 65th Medical Brigade, Yongsan Garrison, he admitted to stealing the personal information of thousands of military staff, including by taking screenshots of his computer while logged into medical databases.
These details — which included names, social security numbers, military ID numbers, dates of birth and contact information — were then sent to Philippines-based co-defendant Robert Wayne Boling Jr.
Boling, in concert with others, is accused of using the information to access Pentagon and Veterans Affairs benefits sites and steal millions of dollars.
The fraud scheme targeted around 3,300 victims, including eight general officers and many disabled veterans, who were singled out because of the larger service-related benefits they received. In total, these individuals lost around $1.5m due to the plot, it’s claimed.
Brown has also been ordered to pay over $2.3m in restitution and will be placed on supervised release for three years after completing his prison term.
Another co-defendant, Trorice Crawford, 34, of San Diego, was last year sentenced to 46 months in federal prison for his role in the scheme — which was to recruit money mules to help launder the funds.
“The defendant brazenly preyed on and victimized US service members and veterans, many of whom were disabled and elderly,” said US attorney Ashley Hoff for the Western District of Texas.
“As part of our mission, we strive to protect these honorable men and women from fraud and abuse. If fraudsters target our service members and veterans, we will seek to identify them and hold them accountable. This office will continue to zealously investigate and prosecute perpetrators of these schemes.”
US cryptocurrency exchange Coinbase is facing a backlash from its users after notifying them that at least 6,000 customers had their funds stolen by hackers.
The “third-party campaign” took place between March and May 20, 2021.
“In order to access your Coinbase account, these third parties first needed prior knowledge of the email address, password, and phone number associated with your Coinbase account, as well as access to your personal email inbox,” the firm explained in a breach notification letter.
“While we are not able to determine conclusively how these third parties gained access to this information, this type of campaign typically involves phishing attacks or other social engineering techniques to trick a victim into unknowingly disclosing login credentials to a bad actor. We have not found any evidence that these third parties obtained this information from Coinbase itself.”
However, while Coinbase does not appear to have been responsible for the initial data leak, which enabled the first stage of the attack, a crucial flaw in its authentication process was to blame for the unauthorized account access.
“Even with the information described above, additional authentication is required in order to access your Coinbase account,” it continued.
“However, in this incident, for customers who use SMS texts for two-factor authentication, the third party took advantage of a flaw in Coinbase’s SMS Account Recovery process in order to receive an SMS two-factor authentication token and gain access to your account.”
Coinbase, the world’s second-largest cryptocurrency exchange with tens of millions of global users, said it would reimburse customers the full value of their losses. The firm has also updated its SMS Account Recovery protocols to ensure authentication can’t be bypassed in a similar way in the future.
However, it warned that while inside the hacked accounts, the unauthorized third parties had access to, and may have changed, personal details. These include full name, email and home address, date of birth, IP addresses associated with account activity, transaction history, account holdings and balance.
This isn’t the first time Coinbase has been in the news following a security breach. In 2019 it was forced to halt trading of Ethereum Classic (ETC) after spotting “double spend” attacks totalling more than $1m.
Hacked Coinbase accounts are said to be worth as much as $610 apiece on the cybercrime underground.
The government has released more details about a planned National Cyber Force (NCF), confirming that it will be located in the northwest village of Samlesbury.
First mooted in 2018, the new facility will form the hub of the UK’s offensive cyber capabilities, drawing personnel from GCHQ, the Ministry of Defence, MI6 and the Defence Science and Technology Laboratory (DSTL).
“The National Cyber Force will help confront aggressive behavior from malign actors, and demonstrate that Britain is investing in next-generation defense capability to protect our people and help our friends counter cyber-threats. It sends a powerful message to our allies and adversaries alike,” said foreign secretary Liz Truss.
The move is part of the ruling Conservative Party’s efforts to shift more public sector jobs out of London in an attempt to appeal to its newfound voter base in the north.
Situated between Blackburn and Preston, Samlesbury has little to its name save for a 14th-century country house, a BAE Systems aircraft factory and a brewery.
The government was at pains to point out that any offensive activities it carries out from the new National Cyber Force would be done in a “legal, ethical and proportionate” manner to disrupt hostile states, terrorists and criminals threatening the UK’s national security.
It claimed to be a world leader in such matters, with GCHQ having pioneered techniques to break ISIS propaganda networks.
The hub has been in operation since April 2020 and is reportedly expected to receive more than £5bn in funding before 2030, highlighting the strategic importance the government attaches to it.
The announcement follows the opening of a GCHQ facility in Manchester, which the government is positioning as the ‘cyber center’ of the UK. It claimed more than 15% of the city’s population now works in the “digital, creative and technology sector.”
America's head of state, Joe Biden, has announced plans to hold a meeting with representatives of 30 different countries later this month to discuss ransomware and other cybersecurity issues.
In a statement released to coincide with the first day of America's annual Cybersecurity Awareness Month, President Biden said that the chief purpose of the confab would be to address the impact of cyber-threats on economic and national security.
The session will be held virtually, hosted online by the White House National Security Council. On the agenda alongside ransomware will be how to crack down on the illegal use of crypto-currency and how to improve collaboration between different law enforcement agencies to prosecute cyber-criminals.
"This month, the United States will bring together 30 countries to accelerate our cooperation in combating cybercrime, improving law enforcement collaboration, stemming the illicit use of crypto-currency, and engaging on these issues diplomatically," said the 46th president of the United States.
"We are building a coalition of nations to advocate for and invest in trusted 5G technology and to better secure our supply chains. And, we are bringing the full strength of our capabilities to disrupt malicious cyber activity, including managing both the risks and opportunities of emerging technologies like quantum computing and artificial intelligence."
Biden added that the nation's cybersecurity required the effort of America's businesses and citizens.
"The Federal government needs the partnership of every American and every American company in these efforts," he said.
"We must lock our digital doors — by encrypting our data and using multi-factor authentication, for example — and we must build technology securely by design, enabling consumers to understand the risks in the technologies they buy."
In today's statement, Biden said that his administration had coaxed a commitment "to deploy cybersecurity technologies" from "150 utilities" and was "working to deploy action plans for additional critical infrastructure sectors."
National Security Advisor Jake Sullivan said that the Biden administration would "continue to build on our whole-of-government effort to deter and disrupt cyberattacks."
The owner of two chains of American luxury department stores has warned 4.6 million Neiman Marcus customers that their personal data may have been exposed in a security incident that happened 17 months ago.
Neiman Marcus Group, which owns the Neiman Marcus and Bergdorf Goodman department stores, as well as the high-end home goods line Horchow, said the incident may have exposed information including names, contact details, and payment card information.
In a statement released Thursday, the Group said it had "recently learned that an unauthorized party obtained personal information associated with certain Neiman Marcus customers' online accounts."
Law enforcement has been notified of the breach, and the Group is working with cybersecurity company Mandiant to determine what took place and how it happened.
While the investigation into the incident is ongoing, the Group said that the date of the breach has been narrowed to May 2020.
It has been determined that the unauthorized party may have accessed usernames, passwords, and security questions and answers linked to Neiman Marcus online accounts.
The Group, which is headquartered in Dallas, Texas, said that approximately 3.1 million payment cards and virtual gift cards were affected by the security incident. However, the company said that only 15% of the impacted cards were valid or unexpired.
"No active Neiman Marcus-branded credit cards were impacted," stated the company.
No evidence has been found to suggest that Bergdorf Goodman or Horchow online customer accounts were affected by the breach.
Since learning of the incident, the Group has required an online account password reset for affected customers who had not changed their password since May 2020.
"At Neiman Marcus Group, customers are our top priority," said Geoffroy van Raemdonck, chief executive officer of the Neiman Marcus Group.
"We are working hard to support our customers and answer questions about their online accounts. We will continue to take actions to enhance our system security and safeguard information."
A dedicated call center, which is open seven days a week, has been set up by the Group to help customers who are concerned about the safety of their personal information.