Info Security


CISOs Agree That Traditional Application Security Measures Don't Work

Fri, 06/04/2021 - 14:11

Nearly three-quarters (71%) of CISOs aren’t confident that code in cloud-native architectures is free of vulnerabilities before it goes into production, according to new research from Dynatrace.

The software intelligence firm polled 700 global security chiefs in large enterprises with over 1,000 employees to better understand their concerns over microservices, containers, and Kubernetes in development.

Some 89% claimed their use had created dangerous application security blind spots.

These challenges appear to be compounded by time-to-market pressures and by existing tools and processes that are not fit for purpose in the new cloud-native era.

Over two-thirds (68%) of CISOs said the sheer volume of alerts coming through makes it difficult to prioritize. On average, their teams receive 2,169 flags about potential application security vulnerabilities each month, most of which are false positives, the research claimed.

Over a quarter (28%) said development teams sometimes bypass vulnerability checks to speed up delivery, while three-quarters (74%) said traditional scanning tools and other legacy security controls don’t work in today’s environments.

Bernd Greifeneder, founder and CTO of Dynatrace, argued that the growing use of cloud-native architectures had broken traditional approaches to app security.

“This research confirms what we’ve long anticipated: manual vulnerability scans and impact assessments are no longer able to keep up with the pace of change in today’s dynamic cloud environments and rapid innovation cycles,” he added.

“Risk assessment has become nearly impossible due to the growing number of internal and external service dependencies, runtime dynamics, continuous delivery, and polyglot software development, which uses an ever-growing number of third-party technologies. Already stretched teams are forced to choose between speed and security, exposing their organizations to unnecessary risk.”

Most CISOs questioned for the research agreed that more automation of deployment, configuration and management was needed.

“As organizations embrace DevSecOps, they also need to give their teams solutions that offer automatic, continuous, and real-time risk and impact analysis for every vulnerability, across both pre-production and production environments, and not based on point-in-time snapshots,” said Greifeneder.

Categories: Cyber Risk News

Campaigners Request Meeting with Home Secretary as Part of Computer Misuse Act Review

Fri, 06/04/2021 - 13:03

Campaigners have written to the UK Home Secretary, Priti Patel, welcoming the announced review into the Computer Misuse Act (CMA) and requesting a meeting with her to discuss reform proposals.

The CyberUp Campaign and techUK penned the letter following a joint briefing call on Tuesday May 25 among industry representatives about the review, which Patel first announced in a speech during the CYBERUK 2021 virtual event last month. In her talk, she explained this is part of the UK government’s efforts to ensure law enforcement agencies are equipped with “the right tools and mechanisms to detect, disrupt, and deter our adversaries.”

The government has now opened a call for evidence from across the cybersecurity industry, which closes on June 8, 2021. This is requesting insights into the legislation, including whether current “protections in the CMA for legitimate cybersecurity activity provide adequate cover.”

Welcoming this development, the letter informed the Home Secretary that the CyberUp Campaign and techUK “share the desire to see a legal framework in the UK that is best able to assist UK law enforcement in defending the UK from an ever-evolving array of cyber threats, and that supports a thriving and internationally competitive UK cybersecurity industry.”

Many in the industry have long called for the act to be updated, observing that the cyber and technology landscape has changed substantially since it was first enacted in 1990.

In June 2020, a group of cybersecurity organizations coordinated by the CyberUp Campaign wrote an open letter to the UK Prime Minister Boris Johnson, emphasizing the need for the CMA to be updated. This letter stated: “In 1990, when the CMA became law, only 0.5% of the UK population used the internet, and the concept of cybersecurity and threat intelligence research did not yet exist. Now, 30 years on, the CMA is the central regime governing cybercrime in the UK despite being originally designed to protect telephone exchanges. This means that the CMA inadvertently criminalizes a large proportion of modern cyber-defense practices.”

Commenting on the latest developments, Ollie Whitehouse, CTO of NCC Group and spokesperson for the CyberUp Campaign, said: “The government consultation represents a once-in-a-generation opportunity for the cyber sector to have our say on the badly out of date Computer Misuse Act, which has been around since the inception of the sector and increasingly acts as a barrier.”

Matt Evans, director at techUK, added: “Through the formal review of the Computer Misuse Act 1990, there is a real opportunity for the UK to future-proof key cybersecurity legislation, allowing industry and law enforcement to better work together to protect citizens and businesses alike.

“This is likely the start of a longer process and techUK will look to ensure that industry plays its role in exploring the potential options and challenges around reform, with a strong view that working towards sensible reforms can also contribute to the UK’s international competitiveness and leadership in the cyber domain.

“techUK looks forward to engaging with the government throughout the review process on behalf of industry and additionally urges its relevant members to directly input into the Home Office.”

Categories: Cyber Risk News

DNS Attacks on the Rise, Costing $1 Million Each

Fri, 06/04/2021 - 10:47

According to new research, cyber-attacks using DNS channels to steal data, DDoS victims, and deploy malware have grown in volume and cost throughout the pandemic.

EfficientIP’s 2021 Global DNS Threat Report was compiled by IDC from interviews with 1,114 organizations across the world about their experiences of last year.

It found that 87% of organizations suffered one or more DNS attacks in 2020, up eight percentage points from 2019. On average, victims were hit 7.6 times, at a cost of $950,000 per attack.

The most common forms of attack were DNS phishing (49%), DNS-based malware (38%), DDoS (29%), DNS hijacking (27%), DNS tunnelling for command and control (24%), zero-day bugs (23%) and cloud misconfiguration abuse (23%).

Phishing appears to have been particularly popular due to the large number of potentially at-risk remote workers.

These attacks frequently led to cloud service and in-house app downtime, compromised websites, brand damage, lost business and sensitive data theft, the report claimed.

Threat actors often use DNS as it is always on, with traffic whitelisted by most firewalls. That opens up opportunities to hide malware or stolen data in DNS channels, among other things.

However, given its ubiquity, DNS can also play an essential role in securing organizations — especially protecting remote workers and data and application traffic, EfficientIP said.

Half of those surveyed said they use DNS traffic analysis to detect compromised devices, and more than a quarter (27%) send DNS traffic logs to SIEM platforms for analysis.

“While it is positive that companies want to use DNS to protect their increasingly remote workforces, organizations are continuing to suffer the costly impacts of DNS attacks,” said Romain Fouchereau, research manager for European security at IDC.

“As threat actors seek to diversify their toolkits, businesses must continue to be aware of the variety of threats posed, ensuring DNS security is a key priority to preventing these.”

Categories: Cyber Risk News

Chinese Actors Reportedly Breached America's Largest Transport Network

Fri, 06/04/2021 - 10:06

According to a new report, Chinese threat actors breached North America’s largest transport network in a likely cyber-espionage campaign earlier this year.

The attackers reportedly exploited a zero-day vulnerability in the Pulse Connect Secure remote access product to penetrate the IT systems of New York’s Metropolitan Transportation Authority (MTA) in April.

Although they achieved persistence for several days and compromised three of the transit authority’s 18 computer systems, the MTA claimed that the actors stole no customer or internal data and made no changes to critical systems.

“Our response to the attack, coordinated and managed closely with state and federal agencies, demonstrated that while an attack itself was not preventable, our cybersecurity defense systems stopped it from spreading through MTA systems,” a statement sent to the New York Times revealed.

The MTA is said to have begun a forensic review following warnings about the zero-day by US authorities.

According to the report, the attack involved two sets of Chinese threat groups. A potential target for the attack was insider information on subway cars and rail networks that could allow the country to dominate the global market.

Pulse Secure customers were warned about the bug in late April. As Infosecurity reported at the time, CVE-2021-22893 has a CVSS score of 10.0 and is listed as a critical authentication bypass.

It was being exploited in combination with multiple legacy CVEs in the product from 2019 and 2020 to bypass multi-factor authentication — enabling attackers to install web shells and perform espionage activities.

Brooks Wallace, VP EMEA at Deep Instinct, argued that although the attackers didn’t cause any physical damage to transport networks around New York, they had the opportunity.

“This attack could easily have been a way for the attackers to determine whether or not an isolated infrastructure could be breached and taken down, with plans for a more widespread cyber-attack across the US in the future,” he added.

“Staying at the bleeding edge of innovation is the only way to outpace the attackers. The best protection against attacks such as this one is a multi-layered approach using a variety of solutions. A ‘prevention-first’ mindset is also key.”

Categories: Cyber Risk News

Museum Website Vandalized with X-Rated Ads

Thu, 06/03/2021 - 18:39

Visitors to a Scottish tourism website were greeted with X-rated images after malicious cyber-criminals plastered its pages with pornographic promotions. 

The independent site eastlothianmuseums.org was set up by organizers ABC to help tourists seeking cultural experiences in East Lothian. 

"People usually tend to overlook museums when they are on a break because these places take time and a lot of patience, but we at ABC are dedicated towards changing that mindset and introducing people to museums in East Lothian," said the group.

But despite describing themselves as a "team that loves museums and wants the natives of Scotland as well as travelers from other countries to know their importance," ABC appears to have abandoned the website.

The East Lothian Courier reports that no news or updates have been posted to the eastlothianmuseums.org site in more than two years. 

After apparently being forsaken by its operators, the site fell into the hands of cyber-criminals hoping to lure victims with links to sexually explicit content. After hacking into the site, the threat actors posted links to adult websites that promise to fulfill "society's darkest fantasies."

In addition to adware, the site was laced with graphic descriptions of sex acts that could be viewed by clicking on certain links.

East Lothian Council said the racy site has now been updated with a security warning. 

"We are aware of this site, which details information on a range of museums and related visitor attractions across the county. It is not linked to or connected with East Lothian Council and our museums service or using the council branding style or logo.

"Anyone connecting to this site will see a security warning which indicates that continued use of the site may cause problems to the user."

Enquiries by the council were unable to establish where the site might be hosted. But misspellings of the word 'whisky' suggest it may not be based in Scotland. 

Dirk Schrader, global vice president of security research at New Net Technologies, commented: “Websites are an easy target for attackers, as they are destined to be publicly available. This means the attacker can scan them with a range of automated penetration tools. 

"Badly maintained websites, using outdated content management systems, are the go-to place for attackers to install reflectors or agents to enable additional attacks."

Categories: Cyber Risk News

Missing Toddler Chat Group Banned

Thu, 06/03/2021 - 18:34

A partial settlement has been reached in a cyber-bullying case brought by the parents of a missing toddler against the operator of a chat group set up to discuss the fate of their son.

Dylan Ehler was three years old when he vanished from the backyard of his grandmother's home in Truro, Nova Scotia, at around 1:15 pm on May 6, 2020. Searches for the missing child were called off after two weeks, and his whereabouts remain a mystery.

The only traces of the toddler discovered to date were his rubber boots, which were found roughly 150 meters apart along Lepper Brook.

In online discussions of the case, Ehler's parents, Jason Ehler and Ashley Brown, have been variously accused without evidence of involvement in the boy's disappearance and of murdering their son. 

In February, Ehler's parents decided to take April Diane Moulton and Tom Hurley, also known as Tom Hubley, to court, arguing that the accusations and insults posted on a Facebook page administered by the pair constitute cyber-bullying.

The page, which was called "Dylan Ehler Open for Discussions" or "Dylan Ehler Open for Suggestions," at one point had over 17,000 members. 

"It's been horrific quite frankly," said the parents' lawyer, Allison Harris. "They're dealing with looking for their son, and this has taken away from that.

"Every time they go online, they get these kinds of messages, and some of this has spilled over into the community, and that's impacting them as well."

In an order signed late last month in Nova Scotia Supreme Court, Moulton was prohibited from re-opening the now closed Facebook page about Dylan and from starting another one like it. Moulton is also banned from making any further public posts about the missing child or his parents.

Hurley was offered a similar agreement to the one accepted by Moulton but has not accepted it. He reportedly said that since he lives in the same small town as Ehler's parents, he cannot agree to a ban on seeing them. 

The parties are due to meet face to face in court on August 3 for a hearing.

Categories: Cyber Risk News

White House Issues Open Letter on Ransomware

Thu, 06/03/2021 - 17:06

The White House has sent an open letter to companies in the United States entreating them to urgently act against the threat of ransomware.

Corporate executives and business leaders received a memo on Thursday morning from Anne Neuberger, the National Security Council's top cyber official. In the missive, Neuberger underscored the sweeping danger of ransomware to the private sector.

"All organizations must recognize that no company is safe from being targeted by ransomware, regardless of size or location," wrote Neuberger. "We urge you to take ransomware crime seriously and ensure your corporate cyber defenses match the threat."

Neuberger, who is deputy national security adviser for cyber and emerging technology, called for swift action from corporations and businesses, which she stated have "a distinct and key responsibility” when it comes to America's cybersecurity.

“All organizations must recognize that no company is safe from being targeted by ransomware, regardless of size or location,” wrote Neuberger in the letter dated Wednesday. “But there are immediate steps you can take to protect yourself, as well as your customers and the broader economy.” 

She added that the impact of ransomware upon a company was directly linked to that company's attitude toward the threat.

“The most important takeaway from the recent spate of ransomware attacks on U.S., Irish, German and other organizations around the world is that companies that view ransomware as a threat to their core business operations rather than a simple risk of data theft will react and recover more effectively,” wrote Neuberger.

The letter follows a recent string of ransomware attacks on American companies. Last month's cyber-assault on the Colonial Pipeline was followed by attacks on global meat supplier JBS and on ferry service the Steamship Authority of Massachusetts.

A threat group known as both REvil and Sodinokibi, believed to have ties with Russia, has been blamed for the cyber-attacks on the Colonial Pipeline and JBS.

"More than any other threat, non-technical executives are familiar with ransomware by name and are already looking for solutions," commented John Bambenek, threat intelligence advisor at Netenrich. "A letter from a White House official isn’t going to change the game in the slightest." 

Categories: Cyber Risk News

Fujifilm Shuts Down Servers to Investigate Possible Ransomware Attack

Thu, 06/03/2021 - 16:05

Fujifilm is investigating a potential ransomware attack that resulted in the company closing down part of its network.

The company is investigating "possible unauthorized access" to its server, it said in a statement. 

The company first noticed the "possibility" of a ransomware attack on June 1 and took swift action to discontinue all compromised systems. 

"We are currently working to determine the extent and the scale of the issue," it said on its website, adding that it "apologises to its customers and business partners for the inconvenience this has caused.

"For some entities, this affects all forms of communications, including emails and incoming calls, which come through the company's network systems," said the company.

In an earlier statement, Fujifilm confirmed that the cyber-attack is preventing the company from accepting and processing orders. 

Japanese organizations have experienced other notable breaches in recent months. In March, Yamabiko, a Tokyo-headquartered manufacturer of power tools and agricultural and industrial machinery, was apparently added to the data leak site used by the Babuk group. 

In May, a subsidiary of Japanese tech giant Toshiba admitted to suffering a cybersecurity breach, reportedly caused by the DarkSide ransomware gang.

Ransomware hackers have gone after larger targets in 2021. This month saw a ransomware attack on the world’s largest meat processing company and May saw a sophisticated ransomware attack on Bose, which resulted in the unauthorized access of personal information on current and former employees.

Categories: Cyber Risk News

Mandiant to Re-Emerge After $1.2 Billion FireEye Sale

Thu, 06/03/2021 - 14:30

FireEye has agreed to sell its FireEye Products business and brand name to a private equity firm in a deal that will see the Mandiant business it bought several years ago become a standalone company again.

The $1.2 billion all-cash sale to a consortium led by Symphony Technology Group (STG) is expected to close by the end of Q4 2021.

It will see STG acquire FireEye’s network, email, endpoint and cloud security products — alongside its related security management and orchestration platform.

After its acquisition by FireEye in 2014, Mandiant and founder Kevin Mandia were instrumental in expanding the new company’s focus from web, email and data center security to threat intelligence and incident response services.

Over the intervening years, the company has been busy dealing with the aftermath of countless breaches at big-name firms and government organizations.

FireEye’s work investigating an audacious attack on its own systems uncovered the infamous SolarWinds campaign; subsequent investigation found that at least nine US government agencies had been compromised.

FireEye CEO Kevin Mandia argued that separating the two businesses again would enable the high-growth Mandiant to thrive.

“After closing, we will be able to concentrate exclusively on scaling our intelligence and frontline expertise through the Mandiant Advantage platform, while the FireEye Products business will be able to prioritize investment on its cloud-first security product portfolio,” he added.

“STG’s focus on fueling innovative market leaders in software and cybersecurity makes them an ideal partner for FireEye Products. We look forward to our relationship and collaboration on threat intelligence and expertise.”

William Chisholm, managing partner at STG, argued that FireEye’s cloud-first XDR platform would play a mission-critical role for current and prospective customers.

“We believe that there is enormous untapped opportunity for the business that we are excited to crystallize by leveraging our significant security software sector experience and our market leading carve-out expertise,” he said.

The private equity firm in March agreed to buy McAfee’s enterprise business for $4 billion.

Categories: Cyber Risk News

Secureworks Appoints Wendy Thomas as CEO as Michael Cote Announces Retirement

Thu, 06/03/2021 - 13:09

Cybersecurity firm Secureworks has announced the appointment of Wendy Thomas as its next president and CEO. Thomas will take up the reins from current CEO Michael Cote on September 3, 2021, when he will retire following nearly 20 years at the company.

Thomas, who is currently president of customer success at Secureworks, has more than 25 years’ experience in strategic and functional leadership roles across multiple organizations, including FirstData, Bell South and Internap Network Services.

During her career at Secureworks, which began in 2008 in its finance team, she has worked alongside Cote to successfully conclude a number of high-profile business transactions, such as the acquisition of Verisign’s Managed Security Services (MSS) business and DNS, and the company’s acquisition by Dell Technologies back in 2011. Prior to becoming president of customer success at Secureworks, she was its chief product officer, where she led the development of numerous solutions, including its first security analytics product, Secureworks Taegis™ XDR.

Commenting on her appointment, Thomas said: “I know that I speak for everyone at Secureworks in thanking Mike for his leadership and tireless dedication to the company. I appreciate the support of Mike and the Board, and I am proud to work with an exceptional team that is focused on taking decisive actions to transform cybersecurity.”

Cote will leave the organization after almost 20 years, having joined in February 2002 as chairman, president and CEO. Since that time, Secureworks has grown from generating less than $1m in annual revenue to in excess of $550m, with a global presence in over 60 countries.

Cote stated: “Wendy is a proven and respected leader who has been the driving force of our company’s transformation. Her deep knowledge of our business has made her a valued strategic partner for many years, and throughout her tenure she has delivered strong operating results and innovative solutions through a relentless commitment to our customers, our purpose, and our people. I am confident she will lead Secureworks well into the future and I am proud to have her succeed me. I know she will make an outstanding CEO.”

Categories: Cyber Risk News

Ransomware Disrupts Largest Ferry Service in Massachusetts

Thu, 06/03/2021 - 10:42

Ransomware actors have disrupted the largest ferry service operating out of Massachusetts, affecting passengers and commercial traffic.

The Steamship Authority, which runs to Martha's Vineyard and Nantucket, revealed on Twitter that the attack struck early on Wednesday morning, local time.

The outage meant that customers were unable to book or change vehicle reservations online or by phone. However, existing bookings would be honored, and rescheduling or cancellation fees waived, it said.

“There is no impact to the safety of vessel operations, as the issue does not affect radar or GPS functionality. Scheduled trips to both islands continue to operate, although customers may experience some delays during the ticketing process,” the firm said.

“If traveling with the Authority today, cash is preferred for all transactions. The availability of credit card systems to process vehicle and passenger tickets, as well as parking lot fees, is limited.”

In an update late last night, the Steamship Authority said it expected the disruption to continue throughout Thursday June 3. The firm's website was also down at the time of writing.

“The Steamship Authority continues to work with our team internally, as well as with local, state, and federal officials externally, to address today’s ransomware incident. At this point, we are unable to release or confirm specific details of what occurred,” it said.

Although the target for this attack is relatively minor compared to the recent incidents at Colonial Pipeline and JBS, it proves that no organization is safe from ransomware.

Charles Herring, CTO of WitFoo, argued that poor cyber-hygiene and a lack of coordination between law enforcement and private organizations had enabled cyber-criminals to get ahead in this particular arms race.

“The outer layer of the broken system is that national security and intelligence agencies need access to data collected by law enforcement to inform military and diplomatic strategy and campaigns,” he added.

“We are quickly learning that safely sharing information, while protecting liberties and privacy, is as important to thwarting evolving cybercrime as it was in combating terrorism after 9/11.”

Categories: Cyber Risk News

Three-Quarters of Security Leaders Report Increase in Cyber-Attacks in Past Year

Thu, 06/03/2021 - 09:41

More than three-quarters (76%) of security leaders have reported an increase in cyber-attacks over the past 12 months, according to VMware’s Global Security Insights Report 2021.

The report also found that the volume of attempts rose by a significant 52% across all affected organizations, emphasizing how accelerated digitization during the COVID-19 pandemic has expanded the attack surface. Indeed, over three-quarters (78%) of those experiencing a cyber-attack pointed to the rise in remote working as the reason for the increase in volume.

Additionally, four out of five (81%) of the 3,542 CIOs, CTOs and CISOs surveyed for the research revealed they had suffered a breach in the past 12 months, with 82% of incidents considered material. Despite this, it appears there may be some complacency on the part of many security leaders: only 56% said they fear a material breach in the coming year, while just 41% have updated their security policies and approaches to tackle the extra risks to their organization.

The vast majority (79%) of security leaders noted that attacks have become more sophisticated in the past year, and the leading causes of breaches were reported to be third-party apps (14%) and ransomware (14%). Applications and workloads were seen as the most vulnerable points on the data journey, and 63% of respondents said there is a need for greater visibility over data and apps to pre-emptively detect attacks.

Encouragingly, close to two-thirds (61%) of security leaders agreed they need to adapt their security in light of the expanded attack surface. Securing the cloud looks to be a particular priority, with almost all (98%) of respondents either already using, or planning to shift to, a cloud-first security strategy.

Commenting on the findings, Rick McElroy, principal cybersecurity strategist, VMware said: “The race to adopt cloud technology since the start of the pandemic has created a once-in-a-generation chance for business leaders to rethink their approach to cybersecurity.

“Legacy security systems are no longer sufficient. Organizations need protection that extends beyond endpoints to workloads to better secure data and applications. As attacker sophistication and security threats become more prevalent, we must empower defenders to detect and stop attacks, as well as implement security stacks built for a cloud-first world.”  

Categories: Cyber Risk News

FBI: REvil Ransomware Group Behind JBS Attack

Thu, 06/03/2021 - 08:20

The FBI has attributed a major ransomware attack on the world’s largest meat processing company to a notorious group believed to be Russian in origin.

In a brief statement, the Feds blamed REvil (aka Sodinokibi) for the attack on São Paulo-headquartered JBS.

“We continue to focus our efforts on imposing risk and consequences and holding the responsible cyber actors accountable. Our private sector partnerships are essential to responding quickly when a cyber intrusion occurs and providing support to victims affected by our cyber-adversaries,” read the statement.

“A cyber-attack on one is an attack on us all. We encourage any entity that is the victim of a cyberattack to immediately notify the FBI through one of our 56 field offices.”

The FBI said it would be working to bring the REvil group to justice for the hack on JBS.

REvil is one of the most prolific and successful groups around today, having targeted organizations as diverse as Apple, Jack Daniels, Travelex and even a law firm linked to Donald Trump.

The ransomware variant was responsible for over 14% of attacks in Q1 2021, remaining at the top of the global list, according to Coveware.

However, it operates, as most do today, via an affiliate model, so it’s unclear who actually used the malware to attack JBS.

There’s still no word from the meat processing giant on any of its public-facing websites about the attack.

However, as Infosecurity reported on Tuesday, the attack appears to have impacted the firm’s servers supporting its North American and Australian operations, which could have significant knock-on effects for the meat supply chain in those regions.

Ronnen Brunner, VP of EMEA at ExtraHop, argued that food supplies could be considered critical national infrastructure.

“Businesses can't be protected all the time, but these attacks succeed due to outdated systems and because many organizations still rely on perimeter defence and signature detection tools. This means once the attacker is inside the network, that organization is completely vulnerable,” he added.

“Businesses must learn from the downfall of others. Visibility is crucial for detecting ransomware quickly enough to respond before it's too late."

Categories: Cyber Risk News

Sextortion Lands Inmate in Federal Prison

Wed, 06/02/2021 - 18:35

An inmate of the South Carolina Department of Corrections (SCDC) has been sentenced to five years in federal prison for his role in a deadly sextortion scheme.

Wendell Wilkins, of Ridgeville, South Carolina, was serving a 12-year sentence for attempted armed robbery when he pleaded guilty to involvement in a cyber-scam to blackmail military members. 

Prosecutors alleged 32-year-old Wilkins posed as young women and joined dating sites using smartphones smuggled into the correctional facility. He then allegedly contacted members of the US military, sending them sexually explicit images of young women that he had obtained from the internet.  

Wilkins is accused of tricking the military members into sharing personal information and nude photographs of themselves with him by making them believe that they were communicating with a woman. 

As part of the scam, Wilkins, and other SCDC inmates under his direction, then allegedly contacted each military member, purporting to be the father of the young woman with whom the member believed that they had been communicating.  

The scammers then told the military members that the women they had been exchanging sexually explicit images with were underage and that, as a result, they were now in possession of Child Sexual Abuse Material (CSAM). 

Posing as the fake women's fake fathers, the scammers threatened to have the military members arrested or dishonorably discharged unless they paid money, said prosecutors.

“In total, more than 300 military members throughout the United States were victims of the scheme, and the amount of loss exceeded $350,000," said Acting US Attorney Rhett DeHart. "Several military members committed suicide after falling victim to this extortion scheme.”

Wilkins pleaded guilty to money laundering for his role in the scheme and was sentenced to 66 months in federal prison and 36 months of supervised release to be served after he completes his current 12-year state prison sentence. 

“This is another example of how dangerous it is for inmates to have illegal cell phones,” said South Carolina Department of Corrections director Bryan Stirling.

“States need the ability to jam cell phone signals inside prisons so we can keep inmates from continuing their illegal activities.”

Categories: Cyber Risk News

Teen Crashes Florida School District’s Network

Wed, 06/02/2021 - 17:12
Teen Crashes Florida School District’s Network

A teenage boy from Florida is facing felony charges after carrying out a cyber-attack that knocked 145 schools offline last spring. 

The unnamed 17-year-old junior at St. Petersburg High School crashed the entire computer network of the Pinellas County School District in Florida by deploying a distributed denial-of-service (DDoS) attack. His actions caused all the schools in the district to lose internet access on March 22 and 23.

According to a search warrant from the St. Petersburg Police Department, the youth said he had become "fixated" on the idea of disrupting the district's digital peace after watching a video online that highlighted the vulnerability of school networks. 

CI Security founder Michael Hamilton said: "What the student did was he brought down a distributed denial-of-service attack, which is not the same as breaking in and stealing things and changing grades. What it does, is it makes the whole network unavailable."  

The teen, who has since been expelled from school, said that he immediately regretted his actions.

“By the time it was done, there was no way to undo it,” he said in an interview with the Tampa Bay Times.

“If I could go back, I wouldn’t do it again.”

The teen said he hopes to get his GED and have a career in cybersecurity. His mother said her son "was just pushing it to see how smart he could go with it."

“It wasn’t something that was malicious," she said, "it was just something like a video game to him in his head."

According to documents filed by the St. Petersburg police to get a search warrant for the teen’s phone, the school district’s director of network and telecommunications, Brian Doughty, told investigators that the attack was considered “critical” because it coincided with statewide testing.

Charter-Spectrum had provided the Pinellas County School District with distributed denial-of-service protection for years, said district spokesperson Isabel Mascareñas. However, the protection was not maintained when the district migrated to a new system in late 2020.

Mascareñas said that, following the attack, Charter-Spectrum has reactivated the protection and given Pinellas County School District a $23,000 credit. 

Categories: Cyber Risk News

Scripps Notifying 147K People of Data Breach

Wed, 06/02/2021 - 16:00
Scripps Notifying 147K People of Data Breach

A California healthcare provider is informing more than 147,000 people that their personal data may have been exposed in a recent cyber-attack.

Scripps Health, which operates five acute-care hospitals in San Diego, among other facilities, took most of its network offline after detecting a ransomware infection at the beginning of May. 

The San Diego–based nonprofit system suspended access to several applications, including MyScripps and scripps.org. 

While the majority of Scripps' network has now been restored, the attack caused four weeks of disruption, with patient appointments having to be canceled or rescheduled. Employees were forced to rely on offline documentation methods, and ambulances had to be diverted, causing a surge of patients at other local facilities.

After learning that personally identifiable information (PII) was exposed in the attack, Scripps has begun the process of notifying 147,267 individuals that their information may have been compromised.

Data exposed includes health information, Social Security numbers, driver's license numbers, and financial information. 

In a letter mailed to patients Tuesday, Scripps stated that an investigation into the security incident had determined that an unauthorized person had gained access to the healthcare provider's network and exfiltrated copies of some documents before deploying ransomware.

The company said: "Importantly, this incident did not result in unauthorized access to Scripps’ electronic medical record application, Epic. However, health information and personal financial information was acquired through other documents stored on our network."

Scripps said that while it had not found evidence that any of the exposed data had been used to commit fraud, it would be offering credit monitoring to some individuals affected by the attack. 

“For the less than 2.5% of individuals whose Social Security number and/or driver’s license number were involved, we will be providing complimentary credit monitoring and identity protection support services," said the company. 

The investigation into what documents were exposed is ongoing, and Scripps said the number of individuals whose data was breached could rise. 

“We have kicked off an extensive manual review of those documents. This is a time-intensive process that will likely take several months, but we will notify affected individuals and entities as quickly as possible in accordance with applicable regulatory requirements,” the company said.

Categories: Cyber Risk News

Banking Fraud up 159% as Transactions Hit Pre-Pandemic Volumes

Wed, 06/02/2021 - 12:09
Banking Fraud up 159% as Transactions Hit Pre-Pandemic Volumes

Banking fraud attempts soared by 159% from the final three months of 2020 to Q1 2021 as scammers sought to hide their attacks within legitimate online activity, according to Feedzai.

The data in the firm’s Financial Crime Report Q2 2021 Edition covers 12 billion global transactions from January to March 2021.

The vast majority (93%) of banking fraud during the period, as always, was online. However, while telephone banking made up less than 1% of total transactions, Q1 2021 saw fraud attempts via this channel spike by a dramatic 728% from the previous quarter.

The primary tactics cyber-criminals used to defraud banks and their customers include account takeover (42%), followed by new account fraud (23%), impersonation (21%), purchase scams (15%) and phishing (7%).

Account takeover (ATO) is usually the result of a scammer getting hold of victims’ online banking log-ins, while new account fraud can be carried out with a real identity, a synthetic one, or a blend of the two. Impersonation typically involves a fraudster pretending to be a figure of authority in order to access the victim’s bank account.

Overall, card-not-present (CNP) — dominated by online and mobile channels — accounted for 83% of all fraud attempts despite making up just 18% of card transactions. Part of that may be due to the roll-out of EMV cards, which has made in-person fraud using cloned cards more difficult.

That may also be responsible for the drop in POS malware designed to harvest card data from magnetic stripes as cards are swiped at restaurants and convenience stores, a tactic that was particularly prevalent in the US.

Feedzai linked the increase in fraud to a broader surge in transaction volumes globally — and especially in the US, where generous government stimulus funding has put more money in consumers’ pockets.

Transaction volumes for all regions are now greater than pre-pandemic levels, it said.

“As vaccines become more widespread, we expect the behavioral changes taking place in the US today — namely more travel and a consumer base that more closely resembles a pre-pandemic world — to be mirrored in other countries,” the report argued.

“But that also means the high levels of fraud will only continue to grow. Consumers aren’t the only ones betting on recovery. Fraudsters are too.”

Categories: Cyber Risk News

Critical Zero-Day in WordPress Plugin Under Active Attack

Wed, 06/02/2021 - 10:06
Critical Zero-Day in WordPress Plugin Under Active Attack

Security researchers have warned of a critical new zero-day vulnerability in a WordPress plugin actively exploited in the wild.

The Fancy Product Designer plugin is installed on over 17,000 sites, allowing users to upload images and PDF files to products, according to experts at security vendor Wordfence.

“We initiated contact with the plugin’s developer the same day and received a response within 24 hours. We sent over the full disclosure the same day we received a response, on June 01 2021,” explained threat analyst Ram Gall.

“Due to this vulnerability being actively attacked, we are publicly disclosing with minimal details even though it has not yet been patched in order to alert the community to take precautions to keep their sites protected.”

The file upload vulnerability has a Common Vulnerability Scoring System (CVSS) score of 9.8. Although the Fancy Product Designer plugin has some checks to block malicious file uploads, attackers can easily bypass the checks. In theory, an attacker could upload executable PHP files to any site with the plugin installed, Gall warned.

“This effectively makes it possible for any attacker to achieve Remote Code Execution on an impacted site, allowing full site takeover,” he added.

Wordfence issued a new rule to its paid firewall product on Monday to protect customers from the attacks; users of its free version are due to receive the same rule on June 30.

However, users were urged to uninstall the plugin for the time being.

“As this is a critical zero-day under active attack and is exploitable in some configurations even if the plugin has been deactivated, we urge anyone using this plugin to completely uninstall Fancy Product Designer, if possible, until a patched version is available,” concluded Gall.

Categories: Cyber Risk News

Battle for the Galaxy: 6 Million Gamers Hit by Data Leak

Wed, 06/02/2021 - 09:05
Battle for the Galaxy: 6 Million Gamers Hit by Data Leak

A Chinese game developer has accidentally leaked nearly six million player profiles for the popular title Battle for the Galaxy after misconfiguring a cloud database, Infosecurity has learned.

AMT Games, which has produced a string of mobile and social titles with tens of millions of downloads between them, exposed 1.5TB of data via an Elasticsearch server.

A research team at reviews site WizCase found the trove, which contained 5.9 million player profiles, two million transactions, and 587,000 feedback messages.

Profiles typically feature player IDs, usernames, country, total money spent on the game, and Facebook, Apple or Google account data if the user linked these with their game account.

Feedback messages contain account IDs, feedback ratings and users' email addresses, while transaction data includes price, item purchased, time of purchase, payment provider, and sometimes buyer IP addresses, according to WizCase.

The firm warned exposed users that their data might have been picked up by opportunistic cyber-criminals searching for misconfigured databases. Data on how much money individuals have spent on the site could enable fraudsters to target the biggest spenders, it added.

WizCase warned that "it is common for unethical hackers and criminals on the internet to use personal data to create trustworthy phishing emails. The more information they possess, the more believable these emails look."

It went on to add that confidential information such as email addresses and user issues with the service could enable bad actors to "pose as game support and direct users to malicious websites where their credit card details can be stolen."

The firm urged gamers to input the minimum amount of personal information possible when purchasing or setting up an account and parents not to lend children their credit cards.

WizCase said it reached out to AMT Games with news of the data breach but did not receive a response. The company later disabled access to the database.

Categories: Cyber Risk News

Rhode Islander Charged with Phishing Political Candidates

Tue, 06/01/2021 - 18:14
Rhode Islander Charged with Phishing Political Candidates

A woman from Rhode Island has been charged with impersonating Microsoft to steal personal information from political candidates and their campaign staff. 

Cranston resident Diana Lebeau allegedly sent phishing emails to approximately 22 members of the campaign staff of a candidate for political office in or around January 2020. 

In the emails, the 21-year-old allegedly posed as either the campaign’s managers or one of the campaign’s co-chairs. Recipients were directed to enter their account login details into an attached spreadsheet, or to click on a link that took them to a Google Form that requested the same credentials.

Lebeau is further accused of sending several phishing emails to the political candidate’s spouse and to colleagues at the spouse’s workplace. In these emails, Lebeau allegedly impersonated Microsoft’s Security Team or an employee of the workplace’s technology helpdesk.

Recipients were asked to add their account credentials to spreadsheets attached to the emails or were asked to enter sensitive data on a website spoofing that of the spouse’s employer.

In March 2020, Lebeau allegedly launched another phishing campaign targeting a different candidate for political office. Lebeau is accused of impersonating the candidate’s cable and internet provider over email to steal the candidate’s account credentials. 

She is further accused of impersonating this candidate in online chats with the same cable and internet provider, as a ruse to reset and obtain the candidate’s account password.

According to the charging document, Lebeau's alleged actions were not motivated by financial or political aims and were not carried out to benefit any foreign government, instrumentality, or agent.

Lebeau has been charged with attempted unauthorized access to a protected computer. If convicted, she could be sentenced to up to one year in prison, be placed under supervised release for up to 12 months and be fined up to $100,000.

"The best first-line defense against an attack like this is training," commented Lookout's Hank Schless. 

"Be sure to constantly run security training and include mobile in those sessions. Simple steps like always checking the sender’s reply-to address or asking IT before replying to a message could save your organization from being the victim of the next big data breach."

Categories: Cyber Risk News
