FS-ISAC (the Financial Services Information Sharing and Analysis Center) has announced that global cyber intelligence sharing among its member financial firms soared by 60% from August 2020 to August 2021, driven by supply chain and ransomware threats.
Record-breaking levels of intelligence sharing occurred across all regions in response to large-scale threats: North America, Latin America, Europe, the UK, the Middle East, Africa and Asia Pacific.
Commenting on the news, FS-ISAC said that sector-wide collaboration against attacks on the financial sector and its supply chain has become a risk management imperative. Steven Silberstein, CEO of FS-ISAC, said: “With the increase in sophisticated cross-border cyber-criminal campaigns against the financial sector and its supply chain, sector-wide global collaboration has become a risk management imperative.
“Intelligence and best practice sharing across our community and platforms have reached new heights, spurred by the high-profile events of the last 12 months. We commend the members who go above and beyond to protect the financial system at large,” he added.
Also commenting on this finding and stressing the importance of sharing intelligence, Fred Gibbins, chief information security officer at American Express, said: “American Express is deeply interconnected with the other players in the global financial system. We believe it is our critical responsibility to share intelligence and best practices with our peers to help the industry to protect and defend against emerging cyber threats. We are honored to be recognized by FS-ISAC and appreciate the collaboration between all the members for our collective protection.”
“In Latin America, we benefit from intelligence that is shared by global US and Europe-based firms as well as from our neighboring countries,” said Juan Carrasco, head of cybersecurity at Banco Falabella Chile. “By monitoring attacks in Argentina and Brazil, we were able to predict and thwart a cyber-attack in Chile. This attests to the power of cross-border intelligence sharing in mitigating cyber risk,” he continued.
Corsin Camichel, cyber threat intelligence regional lead at UBS, pointed out the importance of following information-sharing best practices:
“As a global firm, UBS monitors the global cybersecurity landscape to proactively detect and mitigate risks.
“Sharing intelligence and best practices with our peers and regional counterparts is fundamental to staying ahead of emerging cyber threats,” he said.
The protected health information of hundreds of thousands of Americans has been exposed in two separate security incidents at eye-care providers in the United States.
Simon Eye Management reported a data breach to the Department of Health and Human Services’ Office for Civil Rights on September 14. An email hacking incident at the Delaware-based eye-care group exposed the data of 144,000 individuals.
According to a notice issued by Simon Eye, suspicious activity "related to certain employee email accounts" was observed on or about June 8. An investigation carried out with the help of third-party computer forensic specialists found that unauthorized access to some employee email accounts had occurred from May 12, 2021, to May 18, 2021.
“Our investigation revealed that the unauthorized third party attempted to engage in wire transfer and invoice manipulation attacks against the company, none of which were successful,” said the eye-care group.
Information impacted by the incident may have included names, medical histories, treatment or diagnosis information, and health insurance information. Simon Eye said that "a smaller number of individuals" may also have had their Social Security numbers, birth dates, and/or financial account information exposed.
The eye-care provider said that it had not discovered any evidence of data misuse linked to the incident.
On May 12, USV Optical, Inc., a subsidiary of U.S. Vision, Inc., noticed suspicious activity on its network. A forensic investigation confirmed that hackers were able to access certain USV Optical servers and systems for nearly a month.
It was determined that data belonging to 180,000 individuals (employees and patients) may have been accessed and possibly exfiltrated by an unauthorized individual from April 20, 2021, to May 17, 2021.
Information that could have been compromised included names, eye-care insurance information, and insurance claims information. In a security notice, USV Optical said that for some individuals, addresses, dates of birth, and/or "other individual identifiers" may also have been exposed.
"We have no evidence of any identity theft or fraud occurring as a result of this incident," stated USV Optical, adding that they “are reporting this incident to relevant state and federal regulators as required."
An alert has been issued by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) over Conti ransomware.
In the warning, which was posted on September 22, the agencies observed the increased use of Conti in more than 400 attacks against organizations in the United States and internationally.
The alert said that Conti actors often get network access via spearphishing campaigns, stolen or weak Remote Desktop Protocol (RDP) credentials, phone calls, fake software promoted via search engine optimization, common vulnerabilities in external assets, and other malware distribution networks.
In the execution phase, the actors run a getuid payload, then use a more aggressive payload to lower the risk of triggering antivirus engines.
Cobalt CIO Andrew Obadiaru ascribed the increase in Conti ransomware attacks to "our new remote work ecosystem."
"To protect yourself from becoming the next victim of a Conti attack, I recommend business leaders deploy the following security safeguards: (1) invest in email filtering and phishing detection capabilities, (2) protect and properly secure your remote desktop platform connectivity, (3) perform regular backup testing, and (4) ensure your backups are offline," Obadiaru told Infosecurity Magazine.
On the same day on which the alert was issued, security specialist Positive Technologies published a report that found that ransomware attacks have reached “stratospheric” levels, accounting for 69% of all attacks involving malware in the second quarter of 2021. This represents an increase of 30% compared with the same period last year.
Other key findings in Cybersecurity Threatscape: Q2 2021 are that the percentage of attacks aimed at compromising computers, servers, and network equipment increased from 71% in Q1 this year to 87% in Q2.
While the volume of attacks on governmental institutions soared from 12% in Q1 to 20% in Q2, there was only a minor rise (0.3%) in overall attacks from Q1 to Q2.
"This slowdown was to be expected as companies took greater measures to secure the network perimeter and remote access systems during a global pandemic and the growth of a dispersed workforce," said Positive Technologies. "However, the rise in ransomware attacks in particular – a 45% jump in the month of April alone – should cause grave concern."
A court in Illinois has issued an opinion clarifying how the statute of limitations should be applied to the state's Biometric Information Privacy Act (BIPA).
In what The National Law Review described as "a highly anticipated ruling," the Illinois Appellate Court published an opinion that while a one-year deadline would be applied to claims based on unlawful profit or disclosure, claims relating to data retention policy disclosure, informed consent, and safeguarding would have a limitation period of five years.
The ruling was made by a panel of three judges in the case of Tims v. Black Horse Carriers, Inc. The panel said that the different limitation periods are necessary because each BIPA requirement is "separate and distinct."
The five-year statute of limitations period applies to all BIPA claims that assert (1) unlawful collection of biometric data without written notice, or (2) issues relating to storing or transmitting it, or (3) claims involving the company's failure to develop a publicly available retention and destruction schedule.
BIPA claims that allege (1) improper disclosure or (2) improper sale, lease, trade, or profit from biometric data will fall under the one-year limitations period.
"This long-awaited decision provides much-needed clarity for businesses and entities involved in the collection or processing of biometric data that impacts Illinois residents," said Natalie Prescott, practice group associate at law firm Mintz.
"This clarification by the Illinois Appellate Court provides more certainty with respect to when potential claims can be deemed untimely."
Commenting on the ruling, Tim Wade, technical director, CTO team at California-based AI cybersecurity company Vectra, emphasized the unique importance of biometric data.
"The loss of biometric data is concerning for the same reasons biometric-based authentication systems are weak – an individual can’t go out and get a new set of fingerprints, a new retinal pattern, or a new face.
"For this reason, companies that collect and store such information must be held to the highest standards of stewardship, and failure to maintain such stewardship is a non-trivial matter. Any erosion in our legal system’s position with respect to that seriousness is a net-loss for individual privacy."
More than four-fifths (85%) of the UK’s top 20 universities are putting their students, staff and suppliers at risk of email fraud, according to a new study by Proofpoint.
The researchers found that just 15% of the universities have implemented the recommended and strictest level of domain-based message authentication, reporting and conformance (DMARC). DMARC is an email validation protocol that verifies that the domain of the sender has not been impersonated.
The findings have come amid surging phishing attacks targeting the education sector since the start of the COVID-19 pandemic. For example, last year, a Barracuda Networks study showed that schools, colleges and universities are being disproportionately targeted by spear-phishing attacks. Experts believe that cyber-criminals increasingly view the industry as a soft target.
Encouragingly, 70% of the universities included in the analysis have published a DMARC record, representing a 100% increase since 2019. Therefore, more than two-thirds of these institutions have recognized the need to implement DMARC protocols.
However, six universities out of the 20 had no DMARC record.
Adenike Cosgrove, a cybersecurity strategist at Proofpoint, commented: “Our research has shown that many UK universities are still exposing people to cyber-criminals on the hunt for personal and financial data by not implementing simple, yet effective email authentication best practices. Email continues to be the vector of choice for cyber-criminals and the education sector remains a key target.
“Organizations in all sectors should deploy authentication protocols, such as DMARC, to shore up their email fraud defenses. Cyber-criminals pay close attention to major trends and will drive targeted attacks using social engineering techniques such as impersonation, and universities are no exception to this. As the university term begins, students and staff must be vigilant in checking the validity of all emails, especially when levels of uncertainty and anticipation are higher at the beginning of a new term.”
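The Proofpoint finding above rests on classifying each university's DMARC record by enforcement level (p=none, p=quarantine, p=reject). The following is an added example, not code from the original article or from Proofpoint: it parses constructed DMARC TXT records for hypothetical domains and reports what share reach the strictest (reject) level, treating a weaker subdomain policy (sp=) or a partial pct= as reducing the effective level.

```python
"""Classify DMARC TXT records by enforcement strength (added example, constructed data)."""
from typing import Dict, Optional

# Enforcement ranking: none < quarantine < reject (reject is the "strictest level").
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}
RANK_TO_POLICY = {rank: policy for policy, rank in POLICY_RANK.items()}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a tag/value dict.

    Returns an empty dict when the TXT record is not a DMARC record at all
    (e.g. an SPF record published at the wrong name).
    """
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, _, value = part.partition("=")  # split on the first '=' only (rua= values contain none, but be safe)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {}
    return tags


def classify(record: Optional[str]) -> str:
    """Return 'no record', 'invalid', 'none', 'quarantine' or 'reject'.

    Assumptions made for this example: the effective level is the weaker of p= and
    sp= (sp= defaults to p=), and a pct= below 100 downgrades the level by one,
    because the unsampled fraction of failing mail gets the next less severe policy.
    """
    if record is None:
        return "no record"
    tags = parse_dmarc(record)
    policy = tags.get("p", "").lower()
    if not tags or policy not in POLICY_RANK:
        return "invalid"  # a DMARC record without a valid p= tag is not enforceable
    subdomain_policy = tags.get("sp", policy).lower()
    if subdomain_policy not in POLICY_RANK:
        subdomain_policy = policy  # receivers ignore an unknown sp= and fall back to p=
    level = min(POLICY_RANK[policy], POLICY_RANK[subdomain_policy])
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100 and level > 0:
        level -= 1  # e.g. p=reject; pct=25 only rejects a quarter of failing mail
    return RANK_TO_POLICY[level]


def summarize(records: Dict[str, Optional[str]]) -> Dict[str, int]:
    """Count domains per classification, survey-style."""
    counts = {c: 0 for c in ("no record", "invalid", "none", "quarantine", "reject")}
    for record in records.values():
        counts[classify(record)] += 1
    return counts


def share_at_strictest(records: Dict[str, Optional[str]]) -> int:
    """Percentage of domains at p=reject, rounded to a whole number."""
    return round(100 * summarize(records)["reject"] / len(records))


# Constructed sample: hypothetical domains and records, not real university data.
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "uni-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@uni-a.example",
    "uni-b.example": "v=DMARC1; p=quarantine; pct=100; adkim=s; aspf=s",
    "uni-c.example": "v=DMARC1; p=none; rua=mailto:dmarc@uni-c.example",
    "uni-d.example": "v=DMARC1; p=reject; sp=none",   # subdomains left unprotected
    "uni-e.example": "v=DMARC1; p=quarantine; pct=25",  # only a quarter of failing mail quarantined
    "uni-f.example": None,                              # no DMARC record published
}

if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(f"{domain:16} {classify(record)}")
    print(summarize(SAMPLE_RECORDS))
    print(f"{share_at_strictest(SAMPLE_RECORDS)}% of sample domains at p=reject")
```

To run this against live domains, resolve the TXT record at `_dmarc.<domain>` with a DNS library and pass the resulting strings into `summarize`.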
The UK’s Ministry of Defence (MoD) has reportedly suffered a second data breach that has exposed details of more Afghan citizens who may be at risk of reprisals from Taliban forces.
Earlier this week, the government department was forced to apologize for sending an email that exposed the data of more than 250 Afghan interpreters who worked for British forces during the allied occupation of the country. This included their email addresses, names and LinkedIn profile images, putting them at risk of reprisals from the Taliban, who recently retook control of Afghanistan 20 years after being ousted by British and US forces.
A second data breach involving Afghan citizens who may be eligible to relocate to the UK has now been uncovered by the BBC, which revealed that MoD officials sent an email earlier this month that mistakenly copied in dozens of people. This displayed the email addresses and some names of 55 Afghans, including members of the Afghan National Army.
The email informed the recipients that UK relocation officials had been unable to contact them and requested updated details.
The MoD has apologized for the latest breach and said it was offering extra support to those affected. A department spokeswoman was quoted as saying: “We have been made aware of a data breach that occurred earlier this month by the Afghan Relocation and Assistance Policy (Arap) team.
“This week, the defence secretary instigated an investigation into data handling within that team.
“Steps have now been taken to ensure this does not happen in the future.”
Commenting on the story, Wouter Klinkhamer, CEO at Zivver, said: “The Afghanistan/MoD data leak news is a stark reality of what can happen when digital communications are not safeguarded. This is an extreme example, of course, where the data breach is potentially life-threatening. Still, all business leaders need to sit back and review how sensitive information is being shared and what support their workforce has to communicate securely. Commonly, incidents such as this result from human error (verified by the UK’s ICO) — an employee inadvertently selecting ‘Cc’ instead of ‘Bcc’ before sending the email. However, we’re all human, we all make mistakes — organizations need to focus on how they can empower their individuals to be able to share information securely when they need, with confidence and with ease to avoid a potentially damaging situation.”
A fraudster who tricked and threatened thousands of Spanish-speaking immigrants into paying for educational products has been sentenced to 110 months in prison in the United States.
Peruvian national and call center owner Henrry Adrian Milla Campuzano was part of a conspiracy to defraud victims using false statements and the threat of deportation or legal action in a non-existent "minor crimes court."
Milla Campuzano, a 37-year-old resident of Lima, owned and operated two call centers in Peru, Latinos en Accion and Accion Latino. He admitted that from April 2011 until his arrest in July 2019, he and his employees contacted victims via phone and falsely claimed to be lawyers, court officials, federal agents, and minor crimes court representatives.
Victims were falsely informed that they were required to accept and pay for English-language courses and other educational products that were never delivered.
The conspirators didn't stop at targeting the victims, but also contacted their family members and friends and fraudulently threatened them with legal consequences if they did not make payments.
Threats used against the victims included court proceedings, negative marks on their credit reports, imprisonment, and immigration consequences.
Milla Campuzano is the sixth individual to plead guilty to involvement in this conspiracy and to receive a lengthy prison term. He and four co-defendants were extradited to the Southern District of Florida in October 2020.
Jerson Renteria was sentenced to 100 months in prison, and Fernan Huerta, Omar Cuzcano, and Evelyng Milla were each sentenced to serve 90 months in prison.
California resident Angel Armando Adrianzen, who teamed up with the call centers in Peru to run the telemarketing scam, was sentenced in May to serve 121 months in prison followed by fifteen years’ supervised release.
Two additional defendants in the case – Carlos Espinoza Huerta and Josmell Espinoza Huerta – were extradited from Peru to the United States on June 25 and are due to be tried in Florida in February.
Acting US Attorney Juan Antonio Gonzalez for the Southern District of Florida said: “We will continue to bring American justice to transnational criminals who use fear tactics and intimidation to steal money from immigrants, seniors and others who live in this country.”
Under the new pact, SCADAfence will join forces with Keysight Technologies, an American manufacturer of electronics testing and measurement equipment and software, to enhance the cybersecurity of complex OT networks and boost their network visibility.
Through continuous monitoring and proactive mitigation, the new partnership aims to increase the control that organizations have over their industrial environments. The union brings together SCADAfence’s non-intrusive platform for deep packet inspection (DPI) and Keysight’s network test access point (TAP) and network packet broker (NPB) solutions.
“Protecting and securing OT environments from security threats and anomalies has become a top priority for the industrial sector, and we provide deep packet-level visibility with accurate real-time analytics," said Elad Ben-Meir, chief executive officer of SCADAfence.
"We're excited to partner with Keysight Technologies to help industrial organizations leverage both solutions for better visibility and more advanced packet information within OT environments.”
Companies already using SCADAfence's services include Vestel, Mitsui Fudosan, Taro Pharmaceuticals, and numerous other Fortune 500 companies in the United States.
In a statement released September 22, the companies said that deploying their solution together will increase real-time visibility into OT environments and provide detailed asset visibility and continuous threat detection for manufacturing sites, water and wastewater environments, oil and gas facilities, automotive, and other industrial infrastructures.
The partnership will give Keysight the ability to collect data across all OT environments that can be used to generate actionable insights.
“Critical infrastructures are being targeted more than ever and are facing more security threats in the OT and IoT networks. The mitigation process can take from weeks to possibly months to patch vulnerabilities within the more complex environments,” said Taran Singh, vice president, enterprise solutions, Keysight.
“Our joint-partnership with SCADAfence will allow our customers and other industrial organizations to speed up that process from weeks to a few days.”
News of the partnership comes six months after SCADAfence announced that it had secured $12m in funding aimed at accelerating growth.
Business executives in the United States favor retaliatory action over diplomacy when it comes to preventing cyber-attacks.
A day after American president Joe Biden announced his intention to replace "relentless war" with "relentless diplomacy," new research by Arctic Wolf shows that just 15% of US executives believe that diplomacy effectively stops future cyber-attacks.
More than twice as many US executives – 31% – believe that retaliatory cyber-attacks against foreign nations would be effective in putting a halt to digital assaults.
When asked which countries posed the most serious threat to their business, 41% of IT decision makers pointed the finger at China while another 41% named Russia.
The research is based on a survey of more than 1,400 senior IT decision makers and business executives in Canada, the UK, and the US that took place in August.
"Survey respondents revealed that despite recent interventions into cybersecurity issues, they lack faith in the government's ability to protect them from cyber-threats, with 60% of organizations believing that spending on new security tools and services is the most effective way of stopping attacks," stated Arctic Wolf's Ian McShane.
This lack of confidence extended to the respondents' own ability to secure hybrid work environments, with 60% of executives stating that their individual employees wouldn't be able to identify a cyber-attack targeting their business in any working location.
Another key finding of the report was that most C-suite executives in Canada, the UK, and the US said that they would pay a ransom to their cyber-attackers.
The survey found that only 22% of C-suite executives, when asked if they would pay a ransom if their organization were hit by a ransomware attack, answered “never.” When the same question was posed to middle managers, more than half (56%) gave "never" as their response.
Nearly a third of the organizations surveyed (32%) reported suffering a data breach that exceeded six figures in the past year, with most business owners (61%) admitting that they had personally concealed a breach.
Asked if their organization had deliberately covered up a cyber-attack to prevent the reputation of their organization’s being blemished, one in five respondents admitted that it had.
Cybersecurity professionals need to shoot for the stars and overcome self-confidence issues to progress in their careers. That was the message of an illuminating keynote address by Alyssa Miller, business information security officer, SMP Global, at the Infosecurity Magazine Autumn Online Summit - North America 2021.
Miller began by describing her own career to date, and how she reached the heights of business information security officer at SMP Global, where she leads the cybersecurity strategy for a $4bn a year division.
Her career in information security began at 19 as a programmer at a fintech firm, while she was still studying computer science at university. She stayed at the firm for almost nine years, holding a range of high-profile positions.
At 28, Miller was approached to become a penetration tester; while she was concerned she had no prior knowledge of penetration testing, she was assured she would be able to figure it out. This leap worked, as by the age of 31 Miller was leading a team alongside the entire testing and vulnerability management program for a 35,000 employee company. Despite these achievements, Miller continued to consider her progression as mainly luck. “I never really considered how impressive some of that was,” she explained.
Four years later, at the age of 35, Miller entered the world of consultancy in an application security practice. As the least profitable practice at the consultancy, she was tasked with building a team from the ground up and alongside colleagues, made that team the most profitable in the entire practice, achieving revenue growth of 400%. However, “I never really gave myself a lot of credit for that,” she reflected.
Following a merger, Miller became head of a program services practice of a new consulting services firm at the age of 37, where she worked with high-ranking security leaders like CIOs and CISOs in major global organizations. Again, Miller largely put this down to “serendipity.”
Then, a setback occurred at the age of 41 while working for a security consulting organization as part of a larger security practice at a reseller. She was passed over for promotion to director despite being the pick of the previous director. “It really harmed my self-confidence. I felt like I’d shot too high, maybe I wasn’t ready for that high level of a role,” she outlined.
This led her to re-evaluating her goal of progressing in high-level security positions, and she moved into a 'contributor' role, focusing on public speaking and advocacy work.
Her perspective changed when she was approached by one of the three big social media companies, who asked if she’d like to be considered for an executive position. While nobody was ultimately hired for that role, just being considered “forced me to go back and look at everything I’d done and ask 'why did they choose me?'” This made her analyze the extent of her achievements “and it really built up my self-confidence.”
This newfound confidence took Miller to her current high-profile position, as BISO for SMP Global. “This is a chance now to do all those things I’ve been working towards all my life — what an exciting position to be in,” she said, adding: “I’d never have gotten here if I’d been afraid to take that leap, if I’d let that damage to my self-confidence hold me back.”
Miller believes that getting over self-confidence issues is therefore key to progressing security careers, especially for women, who she believes continue to experience numerous disadvantages in the workplace. This includes being expected to give up their careers for their families.
With this in mind, Miller gave the following advice to those keen to develop in their careers:
- Overcome “imposter syndrome” — the fear of being 'found out' in a role is “universally experienced,” particularly in tech. Therefore, it is worth remembering that there is a wide domain of cybersecurity knowledge that is around, meaning each person brings their own unique diverse perspective to the table. “Nobody knows it all,” Miller pointed out.
- Look at job descriptions differently — Miller said that in cyber, many job descriptions “stink,” setting out experiences, requirements and responsibilities that are simply unrealistic. She gave one example of a job description that required 10 years of experience of Kubernetes, even though it has only existed for six. However, she advised potential candidates to not be put off “as no-one can check off all those boxes,” and instead look at the high level job description and ask themselves “is this something you can do or something you can learn to do?”
- Know your worth — Potential employers should never ask you what your current salary is, and if they do, you should turn the question round and tell them what you expect to be paid or even what they expect to pay someone to do that job, Miller advised. She added that you can look on sites like LinkedIn and Glassdoor to give yourself a better idea of what kind of salary you should be earning for the position you are applying for. This way, you can ensure you will be paid what you are worth to that organization.
- Get a mentor — Miller also advised people to get a mentor to help guide them on their career journey. Rather than focusing on learning job skills, the mentor “should be sharing their journey, and be that person to help [with] situations you’re experiencing that you need help understanding or navigating.” This relationship is best forged “organically” via people met at work or at conferences.
- See denials differently — People need to ensure they do not lose confidence if they are not offered a job after attending an interview, said Miller. The decision is never a personal one, and it might just be that “there was something about that role that wasn’t right for you.” She added that it is always worth asking for feedback from the hiring manager about what they could have done differently with their resume or during the interview. “You can use these denials as an opportunity to grow and learn, to understand how a certain position might not be the right fit for you.”
- Negotiate the job offer — It is also important to understand that any job offer you do receive is negotiable, and don’t be afraid the company will rescind the offer if you do try and negotiate the terms of the deal. This is something that recruiters expect, noted Miller. This negotiation doesn’t just have to revolve around salary either, and can include aspects like bonuses and annual leave. “Always be willing to ask, don’t be afraid,” she said.
Miller concluded by saying: “Shoot for those heights – just because you shoot high doesn’t mean that you have a chance of falling.”
International information security accreditation and certification body CREST has appointed Rowland Johnson as its new President.
Johnson will take over from Ian Glover, who retired as President of CREST on September 1 after nearly 13 years in the post. This will be for an initial term of one year.
Johnson was previously a member of the CREST GB Executive from 2014–2020 and is credited with playing a major part in the non-profit organization's development in Singapore and America. Therefore, he is viewed as the ideal candidate to lead the body over the next 12 months. His appointment was unanimously approved by the CREST GB Executive and CREST's regional Advisory Boards in the USA, Australia and Southeast Asia.
A CREST senior management team comprising Elaine Luck, operations manager, Samantha Alexander, principal accreditor and Richard Beddow, CREST's financial controller, will now support Johnson during the transition period. In addition, former President Glover will continue supporting CREST projects internationally until December 1.
Commenting on his appointment, Johnson said: "I feel hugely privileged by the support from CREST's elected members and regional chairs for my appointment to this prestigious role. I will be working closely with Ian and the whole of the CREST team to ensure that the transition is as seamless as possible for CREST members and for everyone we work with across the industry, governments, regulators and academia.
"It is important that members are always right at the heart of everything CREST does and we will be focusing on providing greater support and encouraging closer collaboration, helping us to take things forward so that we are able to build on Ian's legacy. He leaves CREST in a very strong position."
Glover stated: "Having worked closely with Rowland for six years while he was a member of the CREST GB Executive, I am delighted that he is taking up the President's role.
"During my time with CREST I hope I have helped organizations to mature and grow and encouraged individuals to enter and thrive in an increasingly professional industry, and I am confident it will also be Rowland's mission to carry on this work."
Last week, Infosecurity reported on the conclusion of CREST's year-long investigation into NCC Group's exam leak scandal.
Organizations that spent heavily on digital transformation during the pandemic will need two years’ worth of investment to mitigate the resulting security gaps, according to a new report from Veritas.
To compile its latest report, The Vulnerability Lag, the data security vendor polled over 2,000 senior IT decision-makers across EMEA, APAC and the US from organizations with at least $100m in revenue.
It found that security (51%) and cloud (56%) are the top two areas in which capability gaps expose these large enterprises to attack.
Respondents claimed they’d need to spend $2.5m on average and hire 27 full-time IT employees to close these gaps within the next 12 months.
The report predicted that it will take firms, on average, two years to eliminate the current vulnerabilities in digital systems, which represent a significant risk to their organization today.
There’s an urgency to them doing so: Veritas claimed the average responding organization had experienced 2.57 ransomware attacks that led to downtime in the past 12 months, while 14% have been hit five times or more.
Organizations with at least one gap in their technology strategy have, on average, experienced five times more ransomware attacks leading to downtime in the past year versus those with no gaps, it added.
Some two-fifths (39%) of respondents claimed that security measures had not kept pace with new digital transformation initiatives prompted by the pandemic. The report claimed that part of the challenge is understanding exactly what technology has been introduced and what needs to be protected.
Douglas Murray, CEO at Valtix, argued that protecting cloud infrastructure and data is particularly challenging, especially in a world where organizations are investing in technology from multiple platform providers.
“The good news is that it inevitably always comes back to the best practices of defense-in-depth and ensuring that the right security controls and policy are deployed against every cloud workload,” he added.
“There are a variety of technologies that can help reduce ransomware risk in the cloud, including network-based intrusion prevention, anti-virus and the segmentation of workloads. By taking a cloud-first approach to these problems, security leaders can set the stage for the future through a cloud-native, multi-cloud security architecture.”
Nearly half of US website owners have so little insight into third-party code that they can’t say definitively if their site has suffered a cyber breach, according to new research from PerimeterX.
The web app security vendor polled 501 organizations across multiple verticals to compile its latest report, Shadow Code: The Hidden Risk to Your Website.
According to the vendor, the challenge for these firms is the extensive use of third-party sources for code, many of which obtain their code in turn from other third parties.
It claimed that 99% of firms use this extensive software supply chain for web functionality, including ad tracking, payments, customer reviews, chatbots, tag management, social media integration, and helper libraries that simplify common functions.
What’s more, almost 80% of respondents said that these third-party scripts and open source libraries account for 50-70% of the capability in their website.
The organizations polled recognized the potential risks involved in severe attacks on their web infrastructure, citing damage to brand and corporate reputation, loss of future revenue and potential lawsuits as potentially “huge” or “major” problems.
However, 48% could not say whether their site had been attacked, up from 40% in 2020.
PerimeterX argued that shadow code — scripts and libraries added without IT oversight or security vetting — is a challenge that could introduce hidden risks to the organization.
Although respondents claimed to understand shadow code, only a quarter (25%) said they perform a security review for every script modification, and only a third (33%) automatically detect potential problems.
“While awareness is growing about the consequences of successful cyber-attacks and most organizations claim to have addressed the risks of shadow code, digging deeper into our survey responses shows there is a false sense of security,” argued Brian Uffelman, VP and security evangelist at PerimeterX.
“Organizational security review processes are insufficient, capabilities to automatically detect changes have low adoption, and other means of assessing threats from code vulnerabilities are not up to the task.”
A report from Sonatype last week claimed that software supply chain attacks have surged 650% in just a year as threat actors inject vulnerabilities into upstream open source projects.
The US Treasury has added a Russian cryptocurrency exchange to its sanctions list after claiming the firm helped facilitate ransomware payments for countless groups.
SUEX is incorporated in the Czech Republic but reportedly operates out of Russia. The Treasury estimated that 40% of its transaction history is associated with “illicit actors.”
According to separate analysis, the “over the counter” (OTC) broker has received over $160m in Bitcoin alone from illegal and high-risk sources, including Ryuk, Conti and Maze ransomware groups; dark web sites like Hydra Market; and cryptocurrency scammers.
“As a result of today’s designation, all property and interests in property of the designated target that are subject to US jurisdiction are blocked, and US persons are generally prohibited from engaging in transactions with them,” the Treasury explained.
“Additionally, any entities 50% or more owned by one or more designated persons are also blocked. In addition, financial institutions and other persons that engage in certain transactions or activities with the sanctioned entities and individuals may expose themselves to sanctions or be subject to an enforcement action.”
The US government action was widely trailed over the weekend, and includes a separate update from the Treasury’s Office of Foreign Assets Control (OFAC) designed to remind ransomware victims of the risks involved in paying cyber-criminals.
Specifically, payment of certain groups on sanctions lists, like Evil Corp, may result in penalties levied by the government on the victim organization.
“OFAC has updated the advisory to emphasize the importance of improving cybersecurity practices and reporting to, and cooperating with, appropriate US government agencies in the event of a ransomware attack,” the Treasury said.
“Such reporting, as the advisory notes, is essential for US government agencies, including law enforcement, to understand and counter ransomware attacks and malicious cyber actors.”
The FBI recorded victim ransomware losses of just $29m last year. However, the Treasury estimated that organizations paid out $400m in ransom payments alone last year, more than four times the 2019 figure.
Adam Flatley, director of threat intelligence at [redacted], welcomed the sanctions but said that government efforts need to go further.
“It will be critical that actions like these continue to be pursued as part of a larger, coordinated, intelligence-driven campaign that uses all aspects of national and international power,” he added.
“Financial and law enforcement actions are important components to this campaign, but this problem can’t be solved without bringing in capabilities that have not been traditionally used against criminal organizations.”
Sam Curry, chief security officer at Cybereason, had similar concerns: “The announcement from the White House is a good first step but, if this is the only exchange sanctioned, then there will be little effect, and the ransomware economy will continue to grow. There are many more exchanges, so now it’s all about adaptability and evolution.
“The Department of Justice estimated that 40 percent of the digital transactions facilitated by SUEX were for illicit activity. With yesterday’s news, the ransomware cartels take a one-time loss, re-gear and use new exchanges. So the first move of the chess match has been made. What comes next in this digital frontier skirmishing? Let’s see!”
The United Kingdom's Ministry of Defense has apologized for sending an email that exposed the data of more than 250 Afghan interpreters who worked for British forces.
The impacted interpreters are seeking to be relocated to the UK either from Afghanistan, where many are currently in hiding from the Taliban, which seized power in August, or from another country to which they have relocated.
The email – in which the interpreters' email addresses, names, and some linked profile images were exposed – was sent by the team in charge of the UK's Afghan Relocations and Assistance Policy (ARAP) to Afghan interpreters who have either left Afghanistan or who remain in the country.
One of the email's recipients told the BBC: "This mistake could cost the life of interpreters, especially for those who are still in Afghanistan. Some of the interpreters didn't notice the mistake and they replied to all the emails already and they explained their situation which is very dangerous."
The MoD has reportedly suspended an official and launched an investigation into the data breach, which UK defense secretary Ben Wallace has described as "unacceptable."
An MoD spokesperson said: “We apologize to everyone impacted by this breach and are working hard to ensure it does not happen again."
Commenting on ARAP's failure to utilize the BCC email feature, Labour shadow defense secretary John Healey said: “We told these Afghan interpreters we would keep them safe, instead this breach has needlessly put lives at risk."
Martin Jartelius, CSO at Outpost24, said that while this type of email-based data breach could easily occur, it was "sad and unnecessary in most organizations."
"It’s so extremely easy to, by mistake and in stress, send an email with recipients listed openly instead of in BCC," said Jartelius. "Still, for example, in the Office365 suite, there are solutions, of which the easiest to at least give an additional notice is the feature mail tips.
"Here you can set the flag to warn for ‘Large Audience,’ and even as an organization sets what [that] level is – the default is 25 if enabled. Organizations that do not want to make the same mistake can set a warning this way."
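The Large Audience MailTip that Jartelius refers to is an Exchange Online organization setting. The following is an added example, not code from the article or from Outpost24, showing how an Exchange administrator would turn it on and verify it with the ExchangeOnlineManagement PowerShell module; the cmdlets and parameter names are the real Exchange Online ones, while the threshold of 10 recipients is an assumed policy choice (the product default is 25, as the quote states).

```powershell
# Added example (not from the article or Outpost24): enable the Large Audience MailTip
# in Exchange Online so Outlook and Outlook on the web warn a sender before a message
# goes out to many recipients listed openly in To/Cc.
# Assumes the ExchangeOnlineManagement module is installed and the signed-in account
# has Exchange administrator rights in the tenant.

# Interactive sign-in to the tenant.
Connect-ExchangeOnline

# Recipient count at which the warning appears. 25 is the product default mentioned
# in the quote; 10 is an assumed, tighter organizational policy for this example.
$largeAudienceThreshold = 10

Set-OrganizationConfig `
    -MailTipsAllTipsEnabled $true `
    -MailTipsLargeAudienceThreshold $largeAudienceThreshold `
    -MailTipsExternalRecipientsTipsEnabled $true   # also flag external addresses in To/Cc

# Verify that the settings took effect before relying on them.
Get-OrganizationConfig |
    Select-Object MailTipsAllTipsEnabled,
                  MailTipsLargeAudienceThreshold,
                  MailTipsExternalRecipientsTipsEnabled

Disconnect-ExchangeOnline -Confirm:$false
```

MailTips are advisory only: the sender sees a banner in a supporting client but can still send, and the setting does not move recipients into BCC on its own. It reduces the chance of the mistake described above; it does not remove the need for a process that uses BCC or a mail-merge tool for notices to many external recipients.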
The University of Minnesota has announced a new center that aims to ensure that medical devices are safe and secured against cybersecurity threats.
The Center for Medical Device Cybersecurity (CMDC) was created after members of the medical device manufacturing industry called for a collaborative hub to facilitate discovery, outreach, and workforce training in device security.
CMDC will foster university-industry-government collaborations focusing on developing new education and training, technologies, and research to address potential threats to the cybersecurity of medical devices.
Collaborators already signed up to work with the CMDC include the University of Minnesota College of Science and Engineering, the Technological Leadership Institute, the Office of the Vice President for Research, and the Earl E. Bakken Medical Devices Center.
"Cultivating innovative and transformational partnerships, like the CMDC, is a core focus of MPact 2025, our new systemwide strategic plan," said University of Minnesota president Joan Gabel. "I'm excited about how this new innovative center will enhance the security of our state's thriving medtech sector and beyond."
The Technological Leadership Institute (TLI), an interdisciplinary center at the University of Minnesota that is sited within the College of Science and Engineering, will house the new CMDC.
"The center aligns perfectly with our mission and merges the expertise within our Medical Device Innovation and Security Technologies masters programs," said TLI director Allison Hubel.
"While manufacturers can ensure a high level of safety through testing, the security of connected devices remains a growing and moving target, making this collaboration and the work of the CMDC critical to the industry and all those it serves."
Plans for the center's first year include a hackathon, roundtables, organizing networking and training opportunities, implementing a medical device cybersecurity short course that TLI will launch this fall, and establishing a medical device cybersecurity internship program.
Health industry companies Boston Scientific, Smiths Medical, Optum, Medtronic, and Abbott Laboratories provided much of the funding for the CMDC.
The United States remains the largest medical device market globally, with 40% of the global medical device market (valued at $156bn) in 2017. By 2023, the medical device market in the US is expected to grow to $208bn.
“Wrapped” Bitcoin worth more than $12m has been stolen from the decentralized finance protocol pNetwork.
The cross-chain project announced the theft of 277 BTC on September 19 via Twitter, ascribing the hack to a codebase vulnerability.
The theft was executed on Binance Smart Chain, which featured in the biggest DeFi heist in history – the $610m Poly Network hack that took place in August.
pNetwork supports multiple blockchains, including Ethereum, xDAI, EOS, Polygon, Binance Smart Chain, Telos and Ultra. Wrapped tokens increase interoperability between different blockchains by making it possible for currency created on one blockchain to cross onto another.
"We're sorry to inform the community that an attacker was able to leverage a bug in our codebase and attack pBTC on BSC, stealing 277 BTC (most of its collateral)," said pNetwork.
"The other bridges were not affected. All other funds in the pNetwork are safe."
The DeFi platform said that it had identified the bug but would keep certain data bridges closed until a fix was found.
In a bid to recover the stolen crypto-currency, pNetwork has publicly offered to pay its attacker 12.5% of their total illegal haul.
"To the black hat hacker. Although this is a long shot, we're offering a clean $1,500,000 bounty if funds are returned," said the platform on Twitter.
"Finding vulnerabilities is part of the game unfortunately, but we all want [the] DeFi ecosystem to continue growing, returning funds is a step in that direction."
pNetwork is undertaking an investigation which it described as "a detailed post-mortem."
"We want to assure everyone that we are prioritizing security over speed," said the platform, adding, "Bridges are being extensively reviewed for that and similar exploits."
On Monday, pNetwork said that while its Telos and EOS bridges had been safely restored, they would be "running with extra security measures in place for the first few days."
In its most recent update, posted at around 6pm Eastern Time on September 20, the platform said that the pUOS on Ultra bridge was not affected and is now back up.
"A detailed post-mortem will be shared tomorrow. Updates to follow on the gradual reactivation of all other bridges," said pNetwork.
Emerging technologies like blockchain and AI should be seen as an opportunity and a threat, according to Professor Lisa Short, director and co-founder of Hephaestus Collective, whose rousing opening keynote addressed attendees of Infosecurity Magazine's Autumn Online Summit - EMEA 2021.
Short began by describing the vast digital shift that has taken place in recent years, noting that advancements in technology mean “revolutions” are now occurring in less than a generation. For example, the development of technologies like AI, blockchain and IoT has meant that in the past two years, tech changes that previously would have taken seven years are now being achieved in just six months.
She also provided some startling statistics around the rate of information being created and published since the advent of social media and user-generated content. Short observed that from the beginning of recorded history to 2003, the entire written works of humanity amounted to five exabytes of data. Since 2003, this same amount of data has been created every two days on average.
These trends provide enormous benefits — as highlighted by the ability to shift to remote working during the COVID-19 pandemic. However, there are reasons for concern. Technologies such as GPT-3 are now capable of recording our habits and knowledge “and influence our thoughts,” making the digital world very “pervasive.” Currently, over half the world’s population are internet users, and this is quickly growing.
Short added it is estimated that by 2023, 70% of all enterprise workloads will be in the cloud, meaning there will be a “lot of material going into a pervasive digital space that is in fact not our computer, it’s on somebody else’s.”
This rapid digitization increases the risk of data breaches. The cost is predicted to surpass $6tn in 2021 and $10.5tn in 2025. Short pointed out this cost, which is just one aspect of infosecurity, is higher than every natural disaster globally in a year and is “considered a bigger threat to humanity than nuclear weapons of mass destruction.” The entire sector spend on cybersecurity, including ransomware costs, is believed to have reached $1tn per annum.
She highlighted that many security experts cite the pace of technology adoption as a significant contributing factor to the increasingly dangerous cyber-threat landscape. This view is because “many of the latest tech-powered business strategies — such as storing massive amounts of data — introduce exponentially more risk.”
Short, therefore, believes a mindset shift is needed, which views advanced technologies as an opportunity to enhance safety and trust online rather than a threat. As Short put it, “invest more in what we have to gain than what we spend to lose.”
This investment must aim to enhance digital trust, most notably by “prioritizing education of people and establishing a culture within businesses and the economy about digital health and trust being a way of life rather than a choice.”
Blockchain and other emergent technologies can help provide governance and assurance over the digital world, if used properly, according to Short. The key to this is fully understanding these technologies and their underlying philosophy. Short emphasized this does not necessarily mean knowledge of the technicalities, such as coding, but rather what it is, how it works and why it helps. These fall into four philosophical concepts:
- Ontology — what is it
- Epistemology — what is it helping us know and understand
- Axiology — how is it changing behavior
- Methodology — strategy and justification of deployment
Short said, according to estimates, achieving this understanding is critical, as blockchain technology can boost global GDP by $1.76tn over the next ten years. Additionally, if just 1% of SMEs adopt, deploy, and understand this technology, this could offer a further boost of $1.42tn. This requires an “inward-facing look at our own self, our businesses and the economy,” which is something organizations typically fail to do, handing over responsibility for areas like cybersecurity to others.
Unfortunately, there is currently a severe lack of knowledge of blockchain across society and the economy; Short said less than 3% of academics, government decision-makers, and board members and leaders have any science and tech expertise, and less than that with knowledge of blockchain. This lack of insights leads to poor outcomes. One example she gave was the UK Financial Conduct Authority banning crypto derivatives and exchange-traded notes to retail investors, which led to these funds simply being taken out of the UK economy.
There is also a significant lack of knowledge of the cybersecurity industry, which contributes to false information and social engineering being spread around blockchain.
Short pointed out that “the front door keys to the digital world are digital identity,” and blockchain offers “amazing potential” in this respect, especially regarding its encryption and evidentiary capabilities. For example, blockchain enabled a digital trail to be followed to help recover 80% of the funds paid to the DarkSide ransomware gang following the attack on Colonial Pipeline earlier this year.
Other opportunities technologies like blockchain and IoT offer include turning non-performing assets into corporate intelligence and sharing assets without moving data around. “We can cyber-harden the resilience and go straight to the core by making sure we anchor to blockchain and cryptographically encode data,” thereby preventing malicious actors from accessing the data in the first place. Short added: “These technologies have profound abilities to value create and protect assets rather than stopping people getting into the business.”
Short concluded by stating it is the responsibility of the cyber industry to keep up with the pace of technology development and not fear it, thereby providing accurate information over its potential. “It is up to us as an industry to ensure that we give the correct information, that we do bust those myths. If we don’t understand, we seek an understanding,” she outlined.
Corporate end-users should be on high alert for phishing attacks in the final quarter of the year as this is when most malicious emails are likely to land, according to new research from Tessian.
The email security vendor analyzed four billion messages sent between July 2020 and July 2021 to compile its Spear Phishing Threat Landscape 2021 report.
It found 45% more malicious emails sent in October, November and December 2020 than in the previous quarter. That’s perhaps not surprising given the number of opportunities for threat actors at the end of the year to capitalize on current events.
November 2020 saw the most significant spike, with around 90,000 malicious emails detected in the week of the Black Friday sales.
Overall, employee inboxes received 14 malicious emails per year, rising dramatically to 49 on average in the retail sector, 31 in manufacturing, and 22 in the food and drink industry. Employees working in research and development received 16, and those with tech roles received 14.
Organizations don’t just need to keep an eye out for phishing and scam emails in the fourth quarter; they should also train staff to be watchful at specific hours of the day.
The report revealed that malicious emails are typically delivered around 2 pm and 6 pm, perhaps trying to hit inboxes when employees are at their most distracted — just after lunch and at the end of the day.
The most common tactics detected by Tessian were impersonation techniques like display name spoofing (19%), as well as domain impersonation (11%) and account takeover (2%).
The most spoofed brands over the year were Microsoft, ADP, Amazon, Adobe Sign and Zoom.
Tessian CISO, Josh Yavor, argued that staff training alone is not enough to mitigate the threat from malicious emails.
“Gone are the days of the bulk spam and phishing attacks, and here to stay is the highly targeted spear-phishing email. Why? Because they reap the biggest rewards,” he added.
“Cyber-criminals are always finding ways to bypass detection and reach employees’ inboxes, leaving people as the last line of defense. Businesses need a more advanced approach to email security to stop the threats that are getting through because it’s not enough to rely on your people 100% of the time.”
European police claim to have dismantled an organized crime group that made €10m from online fraud, drug trafficking and property crimes last year.
The operation involved the Spanish and Italian national police, with Europol and Eurojust coordinating.
The group itself, which was linked to the Italian mafia, is suspected of defrauding hundreds of victims via phishing attacks, business email compromise (BEC), SIM swapping and other types of online fraud. It is said to have laundered these proceeds through an extensive network of money mules and shell companies.
During police raids in Italy and the Canary Islands holiday hotspot, Tenerife, law enforcers made 106 arrests, conducted 16 house searches, and seized hundreds of credit cards, SIM cards, point-of-sale (POS) terminals, and electronic devices. They also discovered and dismantled a marijuana plantation.
Some 118 bank accounts were frozen as part of the international law enforcement effort.
“This large criminal network was very well organized in a pyramid structure, which included different specialized areas and roles. Among the members of the criminal group were computer experts, who created the phishing domains and carried out the cyber fraud; recruiters and organizers of the money muling; and money laundering experts, including experts in cryptocurrencies,” Europol explained.
“Most of the suspected members are Italian nationals, some of whom have links to mafia organizations. Located in Tenerife, the suspects tricked their victims, mainly Italian nationals, into sending large sums to bank accounts controlled by the criminal network.”
Phishing remains the most common cybercrime reported to the FBI, with more than 240,000 cases logged with the bureau last year. However, it accounted for just $54m in losses in 2021, versus nearly $1.9bn for BEC, which is the most costly crime type.
Identity theft, often the result of SIM swapping and phishing, cost victims over $219m last year.