US Cybersecurity Firm Founder Admits Funding DDoS Attacks

An American businessman who co-founded a cybersecurity company has admitted to hiring criminals to carry out cyber-attacks against others.

Tucker Preston, of Macon, Georgia, confessed to having paid threat actors to launch a series of distributed denial-of-service (DDoS) attacks between December 2015 and February 2016. 

DDoS attacks prevent a website from functioning by bombarding it with so much junk internet traffic that it can't handle visits from genuine users.

In a New Jersey court last week, 22-year-old Preston pleaded guilty to one count of damaging protected computers by transmission of a program, code, or command. Preston admitted to causing at least $5,000 of damage to the business he targeted. 

"In or around December 2015, Preston arranged for an entity that engages in DDoS attacks to initiate attacks against a company. The entity directed DDoS attacks against the victim company, causing damage and disrupting the victim’s business," wrote the Department of Justice in a statement released on January 16.

The count to which Preston pleaded guilty is punishable by a maximum penalty of 10 years in prison and a fine of up to $250,000 or twice the gross gain or loss from the offense.

US Attorney Craig Carpenito credited special agents of the FBI, under the direction of Special Agent in Charge Gregory W. Ehrie in Newark, New Jersey, with the investigation that led to Preston's guilty plea.

The identity of the company that Preston paid criminals to attack has not been revealed, but Carpenito has confirmed that the targeted business had servers in New Jersey. 

Preston co-founded the cloud-based internet security and performance company BackConnect Security LLC, which claims to be "the new industry standard in DDoS mitigation" and is currently online using an invalid certificate. 

Preston was featured in the 2016 KrebsOnSecurity story "DDoS Mitigation Firm Has History of Hijacks," which detailed how BackConnect Security LLC had developed the unusual habit of hijacking internet address space it didn't own in a bid to protect clients from DDoS attacks. 

Preston will reappear before the court on May 7 for sentencing.

Scottish Police Deploy Tech That Extracts Data from Locked Smartphones

Police Scotland has announced plans to establish "cyber kiosks" that will allow officers to scan locked smart devices for evidence. 

The 41 new kiosks will be located in police stations across local policing divisions, where they will be operated by over 400 specially trained officers.

Each kiosk is essentially a desktop computer capable of performing data extraction, transfer, and analysis. The extraction devices are manufactured by Israeli company Cellebrite and are used around the world to retrieve data from cell phones, drones, and other types of digital technology.

Police Scotland said the Cellebrite devices will speed up their workflow and get smartphones that are found not to contain any information pertinent to an investigation back into their owners' hands more quickly. 

"The technology allows specially trained officers to triage mobile devices to determine if they contain information that may be of value to a police investigation or incident. This will allow lines of inquiry to be progressed at a much earlier stage and devices that are not relevant to an investigation to be returned quicker," said Police Scotland.

Scottish police purchased the Cellebrite devices two years ago; however, legal concerns over how the technology may impact the public's right to privacy have delayed their deployment. 

The Scottish Human Rights Commission and Privacy International have each said that the legal powers under which Police Scotland will operate the new technology are "not sufficiently clear, foreseeable or accessible."

Privacy International has expressed concerns over "the failure of Police Scotland to carry out impact assessments" in relation to the new technology.

Deputy Chief Constable Malcolm Graham has said that the technology will only be used by the police where there is a "legal basis and where it is necessary, justified and proportionate" to an incident or crime under investigation.

Graham said: "Increases in the involvement of digital devices in investigations and the ever-expanding capabilities of these devices mean that demand on digital forensic examinations is higher than ever.

"Current limitations however, mean the devices of victims, witnesses and suspects can be taken for months at a time, even if it later transpires that there is no worthwhile evidence on them. By quickly identifying devices which do and do not contain evidence, we can minimize the intrusion on people’s lives and provide a better service to the public."

Hong Kong Looks to GDPR as it Strengthens Privacy Laws

Hong Kong is set to follow the lead of European regulators in applying tougher penalties for data protection infractions, following a serious breach at airline Cathay Pacific in 2018.

Proposed amendments to the regional government’s Personal Data (Privacy) Ordinance, which cited the GDPR, would see fines levied as a percentage of global turnover, according to reports.

The privacy commissioner may even be given powers to levy fines immediately depending on the severity of an incident, without first needing to issue an enforcement notice.

The proposals would also mandate breach notifications to the commissioner within five days, a couple of days longer than GDPR rules but still an improvement on the current situation.

The breach of Hong Kong’s national carrier two years ago, which affected over nine million customers, shone a light on the inadequacies of the Special Administrative Region (SAR)’s existing data protection regime.

It took Cathay seven months to report the incident, although it was under no legal obligation to do so at all.

The privacy commissioner was powerless to levy fines: instead, the only option was an enforcement notice citing violation of privacy laws and ordering the firm to improve its cybersecurity posture. Failure to comply with the order leads to a fine of just HK$50,000 ($6433).

Rights groups have written to Hong Kong’s Legislative Council (LegCo), arguing that the proposals still don’t go far enough.

The government’s current proposal is too narrow, and LegCo now has a critical opportunity to strengthen this outdated law and bring it closer to better models, such as Europe’s privacy laws,” said Sophie Richardson, China director at Human Rights Watch (HRW).

“Strong protections on how people’s personal data can be collected and used will help assuage fears that mass surveillance tactics used elsewhere could spread to Hong Kong.”

HRW also wants to see the definition of personal data under the ordinance broadened, and a distinction to be made between general personal data and sensitive data, with the latter subject to stricter conditions.

It also argued for stronger rights for data subjects over how their data is used: for example, mandating firms to obtain explicit consent before using personal data, and empowering individuals to have data erased if they choose.

Such elements are all key parts of the GDPR. Various parts of the EU regulation can also be found in the new California privacy law, CCPA.

UK Gov Database Leak Exposes 28 Million Children

The UK government is facing urgent questions after it was revealed that betting companies were given access to a Department for Education (DfE) database containing personal information on 28 million children.

Known as the Learning Record Service, the database stores information on students in England, Wales and North Ireland choosing to take post-14 qualifications like GCSEs.

However, according to a report in The Sunday Times, a data intelligence firm known as GB Group was able to sign an agreement with a third-party company to access the data. GB Group’s clients include gambling firms such as Betfair and 32Red, which apparently used the data for age and ID verification on their websites.

The third-party, Trust Systems Software (Trustopia), denies providing database access to GB Group. Both GB Group and the DfE are investigating the reports, with the latter having reportedly disabled access to the data trove and informed privacy watchdog the ICO.

“This was completely unacceptable and we have immediately stopped the firm’s access and ended our agreement with them. We will be taking the strongest possible action,” a spokesperson told the paper.

The children’s commissioner for England, Anne Longfield, reportedly said she was “very shocked to learn that data has been handed over in this way.”

Although the information used by the betting firms appears to have been limited, given it covers a huge number of children, the incident could well lead to a significant GDPR investigation by the ICO.

“This is not just a security breach, but a breach of trust, where there is an expectation of fair, lawful and transparent uses of the data by everyone who has access to it — which in this case has not happened,” argued KnowBe4 security awareness advocate, Javvad Malik.

“In all of this, the responsibility sits squarely with the Department for Education, which has collected vast amounts of children's data for nearly a decade with apparently little oversight.”

Zero-Day IE Bug is Being Exploited in the Wild

Both Microsoft and the US government are warning computer users of a critical remote code execution (RCE) vulnerability in Internet Explorer, which is currently being exploited in the wild.

The zero-day bug, CVE-2020-0674, exists in the way the scripting engine handles objects in memory in IE, according to a Microsoft advisory updated over the weekend.

Attackers could send phishing emails to victims, tricking them into visiting a specially crafted website designed to exploit the flaw through IE, Redmond claimed.

“The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user,” it continued.

“If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

The vulnerability affects IE versions 9, 10 and 11 running on all Windows desktop and server versions, including the no-longer supported Windows 7 and Server 2008.

Despite admitting that the flaw is being exploited in “limited targeted attacks,” Microsoft has yet to release an emergency patch. Instead, it detailed a set of temporary mitigations which revolve around restricting access to the JavaScript component JScript.dll.

Carl Wearn, head of e-crime at Mimecast, advised organizations to enforce the use of alternative browsers until the issue is fixed.

“In addition to the threat from this zero-day vulnerability, I would also be wary of using IE at present due to the current resurgence in the use of exploit kits specifically designed to exploit IE vulnerabilities,” he added.

“Ransomware threat actors in particular are currently utilizing exploit kits such as Fallout and Spelevo. While posing no threat to other browsers these exploit kits will likely compromise any Windows machine utilizing Internet Explorer if it visits a compromised website.”

IE versions still have a combined global market share of over 5%, according to the latest figures from December 2019.

US Could Appoint a Cybersecurity Leader for Each State

The USA is considering legislation that would protect local governments by requiring the appointment of a cybersecurity leader for each state.

Backers of the Cybersecurity State Coordinator Act of 2020 say the proposed law will improve intelligence sharing between state and federal governments and speed up incident response times in the event of a cyber-attack.

Under the legislation, the director of the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency would be tasked with appointing an employee of the agency in each state to serve as cybersecurity state coordinator. 

Money to create these positions would come from the federal government, which would be required to ring-fence the necessary funding. 

The role of each state coordinator would be multifaceted, combining elements of training, advisory work, and program development.

Each leader would serve as a principal federal cybersecurity risk advisor, coordinating efforts to prepare for, respond to, and remediate cyber-attacks. Another core responsibility would be to raise awareness of the financial, technical, and operational resources available to nonfederal entities from the federal government.

Coordinators would be expected to support training, exercises, and planning for continuity of operations to expedite as swift a recovery as possible from cybersecurity incidents. Furthermore, they would be called on to assist nonfederal entities in developing and coordinating vulnerability disclosure programs consistent with federal and information security industry standards.

"State, local, Tribal, and territorial entities face a growing threat from advanced persistent threat actors, hostile nation states, criminal groups, and other malicious cyber actors," reads the bill. "There is an urgent need for greater engagement and expertise from the Federal Government to help these entities build their resilience and defenses."

The bill, which has attracted bi-partisan support, was introduced by Senators Maggie Hassan and Gary Peters and is co-sponsored by senators John Cornyn of Texas and Rob Portman of Ohio.

Portman said: "This bipartisan bill, which creates a cybersecurity state coordinator position, would help bolster state and local governments' cybersecurity by facilitating their relationship with the federal government to ensure they know what preventative resources are available to them as well as who to turn to if an attack occurs."

Possessing Ransomware Could Become Illegal in Maryland

Lawmakers in the state of Maryland are considering making it a criminal offense to be in possession of ransomware. 

A bill was introduced on Tuesday, January 14, that seeks to penalize Marylanders who knowingly possess the malware and intend to use it to cause harm. The bill also grants victims of a ransomware attack the right to sue the hacker for damages in civil court. 

The state has already outlawed the use of malicious technology to extort money out of victims. Senate Bill 30, which was heard before the Senate Judicial Proceedings Committee last week, would make it a misdemeanor to be in possession of ransomware with the intent to use it in a malicious manner.

Any person convicted of this misdemeanor could face 10 years in prison and/or a fine of up to $10,000. 

The proposed law would not apply to cybersecurity researchers who may be in possession of ransomware for innocent research purposes.

Senator Susan Lee, who is the lead sponsor of the bill, said that it "gives prosecutors tools to charge offenders.”

Assuming a remarkable level of naiveté on the part of cyber-criminals who use ransomware to extort vast sums of money from organizations and individuals, Lee said that it was "important to establish [the bill] so criminals know it’s a crime."

In January 2019, the Salisbury, Maryland, police department suffered a ransomware attack that prevented officers from accessing the department's computer network. Four months later, Baltimore, the state's largest urban conurbation, was hit by a ransomware attack that is estimated to have cost around $18m. 

Possessing ransomware is already a criminal offense in several US states, including Michigan and California. The fight against ransomware was led by Wyoming, which in 2014 became the first state to make it illegal to possess ransomware, spyware, adware, keyloggers, and several other types of malware.

There's no denying that ransomware is causing problems in the United States. In 2019 alone, this particular strain of malware impacted at least 113 state and municipal governments and agencies, 764 healthcare providers, and 89 universities, colleges, and school districts, with estimated costs of $7.5bn. 

According to a ransomware report by cybersecurity firm Emsisoft,"the only way to stop ransomware is to make it unprofitable, and that means the public sector must practice better cybersecurity so that ransoms need not be paid."

Mitsubishi Electric Discloses Information Leak

Japanese company Mitsubishi Electric has today disclosed an information leak that occurred over six months ago. 

The century-old electronics and electrical equipment manufacturing firm announced the breach by issuing a brief statement on its website.

An official internal investigation was launched after suspicious activity was observed taking place on June 28, 2019. The company said that upon noting the unusual behavior on the network, measures were immediately taken to restrict external access. 

According to Nippon.com, hackers accessed servers and computers at Mitsubishi headquarters and other offices belonging to the company in a large-scale cyber-attack. 

Mitsubishi said: "We have confirmed that our network may have been subject to unauthorized access by third parties and that personal information and corporate confidential information may have been leaked to the outside."

Mitsubishi announced the breach today after it was reported by two newspapers, the Asahi Shimbun and Nikkei. A theory put forward by both local papers is that the attack was initiated by a cyber-espionage group with links to the People's Republic of China. 

While Nikkei reported that hackers swiped 200 MB of information from Mitsubishi, the manufacturer claims that its investigation of the incident uncovered no evidence that any sensitive data connected to its business partners or government defense contracts had been stolen or misused. 

In a statement no doubt intended to reassure Mitsubishi's corporate parents, the company wrote: "As a result of an internal investigation, it has been confirmed that sensitive information on social infrastructure such as defense, electric power, and railways, highly confidential technical information, and important information concerning business partners has not been leaked." 

When announcing the incident, Mitsubishi didn't explain why it had waited so long after discovering the breach to go public with the news. However, the inclusion of the comment "to date, no damage or impact related to this matter has been confirmed" could imply that the company chose to hold back information until it had a clear idea of what the effects of the breach might be.

Japan's chief cabinet secretary Yoshihide Suga said the government had been informed of the cybersecurity breach and that there was no leak of information related to defense equipment or to the electric power sector.

€114m in Fines Imposed by Euro Authorities Under GDPR

Data protection regulators have imposed €114m ($126m/£97m) in monetary fines under the GDPR for a wide range of infringements, according to new findings from DLA Piper.

Whilst not all fines were related to data breach infringements, DLA Piper’s latest GDPR Data Breach Survey found that more than 160,000 data breach notifications have been reported across the 28 European Union Member States since the GDPR came into force on May 25 2018.

In terms of the total value of fines issued by geographical region, France (€51m), Germany (€24.5m) and Austria (€18m) topped the rankings, whilst the Netherlands (40,647), Germany (37,636) and the UK (22,181) had the highest number of data breaches notified to regulators.

The highest GDPR fine to date was €50m, imposed by the French data protection regulator on Google, for alleged infringements of the transparency principle and lack of valid consent. Earlier this year, the UK ICO published intentions to fine British Airways £183.39m and Marriott £99m following two high profile data breaches, although neither fine has been finalized at the time of writing.

Ross McKean, a partner at DLA Piper specializing in cyber and data protection, said: “GDPR has driven the issue of data breach well and truly into the open. The rate of breach notification has increased by over 12% compared to last year’s report and regulators have been busy road-testing their new powers to sanction and fine organizations.

“The total amount of fines of €114m imposed to date is relatively low compared to the potential maximum fines that can be imposed under GDPR, indicating that we are still in the early days of enforcement. We expect to see momentum build with more multi-million Euro fines being imposed over the coming year as regulators ramp up their enforcement activity.”

Travelex Begins Reboot as VPN Bug Persists

Under-fire foreign currency firm Travelex has claimed its first customer-facing services in the UK have gone live after a crippling ransomware attack in December, with experts suggesting an unpatched VPN bug may have been to blame.

The London-headquartered business has been slammed by customers after the suspected Sodinokibi (REvil) ransomware struck on December 31, forcing it to take systems offline as a precautionary measure.

Several complained that the foreign currency they ordered and paid for online is unavailable, leaving them out of pocket. The outage affected not just Travelex’s websites but its bricks-and-mortar outlets and services it provides to major UK high street banks such as Barclays and RBS.

However, the firm claimed in an update on Friday it has been working hard this month to restore online and customer-facing systems.

“On 17 January 2020, we confirmed that the first of our customer-facing systems in the UK were live and that the phased restoration of our systems globally was now firmly underway. We are prioritizing the UK as this is our single largest market,” it said.

Although unconfirmed, security experts believe that an unpatched critical vulnerability in Pulse Secure VPNs (CVE-2019-11510) may have allowed attackers to remotely execute malicious code on Travelex IT systems.

Troy Mursch of Bad Packets claimed to have reached out to the firm in September to flag the software flaw, which has a CVSS score of 10.0, but received no response.

On Friday, he said that there are still over 3000 vulnerable Pulse Secure VPN servers out there. That’s bad news because the bug is seeing “wide exploitation,” despite the fact that a patch has been available since April 2019, according to the US Cybersecurity and Infrastructure Security Agency (CISA).

“A remote, unauthenticated attacker may be able to compromise a vulnerable VPN server. The attacker may be able to gain access to all active users and their plain-text credentials,” CISA said of CVE-2019-11510.

“It may also be possible for the attacker to execute arbitrary commands on each VPN client as it successfully connects to the VPN server.”

Although Travelex maintains that there is “no evidence that any data has left the organization,” the hackers behind the $6 million ransom demand have claimed they exfiltrated 5GB of sensitive customer data last year.

London Councils Lose Nearly 1300 Devices Over Three Years

The number of London councils reporting lost or stolen mobile computing devices has more than doubled over the past three financial years, according to new Freedom of Information (FOI) data.

Think tank Parliament Street compiled responses from 23 out of the 31 local borough councils that operate across the UK capital.

It found that a total of 1293 devices were lost or stolen over the three financial years from 2016, including laptops, mobile phones and tablets. The figure jumped from 304 in 2016-17 to 635 in 2018-19, a 109% increase.

Phones went missing most often, accounting for 951 lost or stolen devices over the period. The figure rose 122%, from 215 in 2016-17 to 478 in 2018-19.

Laptop losses also almost doubled over the period, from 64 to 124, while tablet losses increased slightly from 26 to 33.

Lambeth was most affected by missing devices, recording 281 losses, 84% of which were mobile phones. Next came Richmond and Wandsworth (123) and Brent (170). Richmond and Wandsworth, which reported together, saw a 666% increase in lost and stolen devices, while the figure stood at 74% in Brent.

Absolute Software EMEA VP, Andy Harcup, warned that the rise of flexible working combined with opportunistic thieves is increasing the risk of confidential public sector data going missing.

“If said device ends up in the wrong hands, these councils and the constituents they serve could be facing severe consequences, including a major data breach with citizen details finding their way onto the dark web,” he added.

“It's time for all organizations to wake up to the very real risks posed by stolen devices in terms of data security. Every single council should have robust end-point security measures in place to ensure that devices reported missing can be accessed, tracked, deleted and frozen appropriately.”

Citrix Patches ADC Bug as Attacker Hoards Access

Citrix has begun issuing patches for a serious vulnerability in its Application Delivery Controller (ADC) product which experts have warned is being exploited in the wild.

The tech giant revealed the CVE-2019-19781 bug in ADC and its Citrix Gateway back in December. If successfully exploited, it could allow an unauthenticated attacker to perform arbitrary code execution.

Although the firm announced a series of mitigations to help protect customers as it readied a permanent fix, researchers claimed to have discovered tens of thousands of users that were still exposed, including high value targets across verticals including finance, government and healthcare.

Part of the problem appeared to be that not all of these mitigations worked as intended. The Dutch authorities urged businesses to disable Citrix systems altogether.

With proof-of-concept exploits appearing online in recent days and reports of active attacks, Citrix appeared to accelerate the process of readying patches.

Permanent fixes for ADC versions 11.1 and 12.0 are now ready and it has “moved forward” availability dates for other versions 12.1, 13 and 10.5 to January 24. Its Citrix SD-WAN WANOP product will also be patched on the same day.

The news comes as FireEye warned it had spotted “dozens of successful exploitation attempts” against ADC deployments that had not put in place temporary pre-patch mitigations.

One particular payload, which it named “NotRobin,” appears to be hoarding access to exposed Citrix systems.

“FireEye believes that the actor behind NotRobin has been opportunistically compromising NetScaler devices, possibly to prepare for an upcoming campaign. They remove other known malware, potentially to avoid detection by administrators that check into their devices after reading Citrix security bulletin CTX267027,” FireEye explained.

“NotRobin mitigates CVE-2019-19781 on compromised devices but retains a backdoor for an actor with a secret key. While we haven’t seen the actor return, we’re skeptical that they will remain a Robin Hood character protecting the internet from the shadows.”

Fidelis Cybersecurity Acquired by Skyview Capital

An American company dedicated to thwarting cyber-attacks has been snapped up by a global private equity firm. 

Skyview Capital, LLC announced its acquisition of Fidelis Cybersecurity, Inc yesterday. Fidelis is located in the Maryland town of Bethesda, which a 2015 NerdWallet survey found to be the most educated place in America. 

Fidelis Cybersecurity is a leading provider of network traffic analysis and of digital forensics and incident response solutions that enable enterprises and government organizations to detect, hunt, and respond to advanced threats that evade traditional security solutions.

The company counts among its 250 employees some of the world's leading cybersecurity experts, including specialists from the US Department of Defense, the intelligence community, and industry.

Solutions developed by Fidelis are delivered as standalone network, endpoint, and deception products; an integrated platform; or as a constantly operational managed detection and response service that augments existing security operations, threat hunting, and incident response capabilities.

Fidelis was acquired from a consortium of investors in a stock transaction in a deal that serves to increase Skyview's existing software technology portfolio.

"With the ever-increasing complexity of digital environments and the pace of cyber threats across the world, we see an opportunity to build upon Fidelis' impressive technology and solidify its position within the IT security industry," said Alex Soltani, chairman and CEO of Skyview. 

"This transaction aligns well with our investment philosophy of targeting and investing in mission critical technology businesses across a wide spectrum of verticals, from telecommunications to cybersecurity."

The mission of Fidelis is not set to change as a result of the acquisition. 

Soltani said: "Skyview is committed to realizing the full value of Fidelis as a safeguard against cyber threats, and we are enthusiastic about identifying both organic and inorganic growth opportunities."

Nick Lantuh, president and chief executive officer of Fidelis Cybersecurity, sees the deal as a golden opportunity for growth. 

He said: "We are excited to partner with Skyview Capital and benefit from their ability to help us take the Fidelis platform, which provides unmatched visibility and empowers security teams to rapidly respond to threats, into other markets."

NortonLifeLock Puts Silicon Valley Real Estate Up for Sale

NortonLifeLock, formerly known as Symantec, has put ten large commercial buildings in California’s Silicon Valley on the market. 

The cybersecurity company is seeking a buyer for the properties, which are all based in the Mountain View area, close to the Google Quad Campus. The ten buildings on the market are grouped into three separate campuses, not more than a few minutes' drive from one another. 

Commercial real estate firm Cushman & Wakefield has been hired to help shift the properties, which together total 707,000 square feet. 

According to The Orange County Register, the buildings are featured in a brochure being circulated on behalf of NortonLifeLock. 

"Never before offered to the marketplace, the offering represents a generational opportunity to acquire a portfolio of 10 buildings totaling 706,737 square feet in the heart of Silicon Valley," states the brochure. 

Mountain View was the site of Symantec’s headquarters for many years, but in November the company, under its new name NortonLifeLock, relocated its operational nerve center to Tempe, Arizona. 

One of the three campuses for sale, described in the brochure as the "headquarters campus," is located at 350 Ellis Street. On this site are five buildings offering a total 428,000 square feet of office space. 

The second campus, which is made up of research and office buildings totaling 128,000 square feet, is located at 455, 487, and 501 E. Middlefield Road. The final clutch of office and research buildings, which together offer 150,000 square feet of space, is at 515 and 545 N. Whisman Road.

In an effort to keep the ten properties together, NortonLifeLock is ideally seeking a single buyer for all three campuses.

The brochure states that "it is a strong preference of the seller for one buyer to acquire the entire portfolio," however, "individual offers on the various components may be considered."

NortonLifeLock's decision to put the properties on the market comes amid a concerted effort by the company to downsize. Over the course of 2019, the company announced it would be terminating 320 jobs in Mountain View and a further 82 in San Francisco.

Teen Charged Over $50m SIM-Swapping Scam on Blockchain Experts

A teenager from Montreal is facing four criminal charges in connection with a $50m SIM-swapping scam that targeted two renowned Canadian Blockchain experts. 

Eighteen-year-old hacker Samy Bensaci is accused of being part of a crime ring that stole millions of dollars in crypto-currency by gaining unauthorized access to the cell phones of crypto-currency holders in America and Canada. 

Spokesperson for the Canadian police force, the Sûreté du Québec, Lieutenant Hugo Fournier, said the elaborate SIM-swapping cyber-fraud was responsible for the theft of "$50 million from our neighbors to the south and $300,000 in Canada."

Police say the crypto-currency thefts, which netted dozens of victims, were perpetrated by the gang in the spring of 2018. 

Among the alleged victims are renowned Toronto businessman, author, and head of the Blockchain Research Institute Don Tapscott and his son Alex, a globally recognized investor, advisor, and speaker on Blockchain technology and crypto-currencies. Together, father and son co-authored Blockchain Revolution: How the Technology Behind Bitcoin Is Changing Money, Business, and the World.

Bensaci was arrested in Victoria, British Colombia, in November and charged with fraudulently obtaining computer service, committing fraud over $5,000, identity fraud, and illegally accessing computer data. In December, the teen was released on $200,000 bail and ordered to live with his parents in northeast Montreal until his next court hearing.

According to La Presse, neighbors described Bensaci as a discreet young man who spends a lot of time on his computer.

While staying at his parents' residence, Bensaci is prohibited from accessing "any computer, tablet, mobile phone, game console, including PS3, PS4, Xbox, Nintendo Switch, or any other device capable of accessing the Internet," and banned from possessing or exchanging any form of crypto-currency. 

Many of the individuals allegedly targeted by the gang had attended the Consensus crypto-currency fair, held annually in New York.

"We suspect that hackers spot targets during such events," said American SIM-swapping victim Rob Ross. Ross, who was robbed of $1m in crypto-currency in two separate attacks by 21-year-old hacker Nicholas Truglia, now manages the StopSIMCrime.org website.

Ontario Provincial Police sent out an alert regarding the SIM-swap scam in November, along with a warning that fraudsters sometimes impersonate a target and falsely claim that their phone has been lost or stolen.

Oracle Issues Record CPU with 334 Patches

Oracle has hit an all-time record for number of security fixes issued in a critical patch update (CPU), providing sysadmins with over 330 in its first quarterly release of the decade.

The enterprise software giant issued 334 patches in total across more than 90 products this week. As such, January 2020 easily beats the previous largest CPU, consisting of 308 fixes in July 2017.

Oracle strongly urged firms to apply the patches as soon as possible, claiming that attacks have had success in compromising customers that failed to update their systems promptly. However, there are short-term alternatives.

“Until you apply the Critical Patch Update patches, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack,” it explained.

“Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem.”

Among the products affected by this quarter’s CPU are popular platforms including: Oracle Database Server, which featured 12 new patches including three remotely exploitable; Oracle Communications Applications (25 patches, 23 of which are remotely exploitable); Oracle E-Business Suite (23, 21); Oracle Enterprise Manager (50, 10); Fusion Middleware (38, 30); Java SE (12); JD Edwards (9); MySQL (19, 6); Siebel CRM (5); Oracle Virtualization (22, 3); and PeopleSoft (15, 12).

It’s a busy time of the year for IT administrators. Earlier this week, Microsoft released fixes for scores of vulnerabilities in the last regular Patch Tuesday for Windows 7 and Server 2008.

These included a serious bug disclosed by the NSA which could allow attackers to circumvent existing security by ‘signing’ malware with a legitimate-looking certificate.

Equifax Breach Settlement Could Cost Firm Billions

Equifax could end up paying as much as $9.5bn following a data breach settlement branded one of the largest in history by its presiding judge.

The credit reporting giant suffered a major cyber-attack in 2017 after hackers exploited an unpatched Apache Struts vulnerability, compromising highly sensitive personal and financial information on around 148 million customers.

Over two-fifths (44%) of the population of the US are thought to have been affected.

This week, a court in Georgia finally approved a settlement in the long-running class action case that followed the breach, which will require Equifax to pay $380.5m, plus potentially an extra $125m, to satisfy claims of out-of-pocket losses.

However, that’s just a small part of the overall financial impact of the ruling.

The firm has agreed to spend at least $1bn on improving its cybersecurity posture over the coming five years. It will also need to fund several years of credit monitoring from Experian and its own services for class members. That could amount to an extra $2bn if all 140 miilion+ customers sign up.

That’s not to mention the $6bn in credit monitoring services already being claimed by several million class members, their $77.5m in attorney fees and further amounts in litigation expenses that Equifax will need to pay.

The total could creep up towards $10bn — a cautionary tale for organizations tempted to focus on business growth at the expense of cybersecurity and risk mitigation.

“This settlement is the largest and most comprehensive recovery in a data breach case in US history by several orders of magnitude,” wrote district judge Thomas Thrash.

“The minimum cost to Equifax of the settlement is $1.38bn and could be more, depending on the cost of complying with the injunctive relief, the number and amount of valid claims filed for out-of-pocket losses and the number of class members who sign up for credit monitoring.”

Data Breach Site WeLeakInfo Suspended as Feds Swoop

The FBI has joined forces with the UK’s National Crime Agency (NCA) and other law enforcers to suspend a popular website which sells access to stolen data.

The WeLeakInfo[.]com domain was seized by the Feds after the District Court for the District of Columbia issued a warrant, although its administrators are still at large.

Although the site claimed to be focused on helping breached internet users discover if their personal data had been compromised, by selling access to billions of records it also provided a useful resource for cyber-criminals looking to launch credential stuffing, phishing and other attacks.

“The website had claimed to provide its users a search engine to review and obtain the personal information illegally obtained in over 10,000 data breaches containing over 12 billion indexed records – including, for example, names, email addresses, usernames, phone numbers, and passwords for online accounts,” a statement from the Department of Justice explained. 

“The website sold subscriptions so that any user could access the results of these data breaches, with subscriptions providing unlimited searches and access during the subscription period (one day, one week, one month, or three months).”

The way it operated stood in contrast to legitimate breach notification site HaveIBeenPwned, which only lets users know if their accounts have been compromised, rather than providing access to troves of breached data.

Jake Moore, cybersecurity specialist at ESET, argued that hackers can do a great deal of damage even just with limited sets of breached emails and names.

“The big risk comes from brute force attacks, where criminals use common password combinations against emails to try and break into personal accounts,” he added.

“An incredibly large amount of people still use predictable or simple passwords. Many people's passwords are also readily available on the dark web, so it quickly and simply becomes an exercise in joining the dots for the cyber-criminals.”

The FBI is seeking any information on the owners and operators of WeLeakInfo.

Emotet Locked onto US Military and Government

New research into the latest victims of Emotet has found increased instances of the malware affecting the United States of America's government and military.

The pernicious malware, which is spread via email, has been infecting organizations all over the world since 2014. By shining a spotlight on Emotet's recent activities, researchers at Cisco Talos discovered that the US government is among the latest victims to be compromised. 

Researchers made the discovery by closely examining the patterns of outbound email associated with the malware. 

A Talos spokesperson said: "If a person has substantial email ties to a particular organization, when they become infected with Emotet the effects would manifest in the form of increased outbound Emotet email directed at that organization. 

"One of the most vivid illustrations of this effect can be seen in Emotet's relationship to the .mil (U.S. military) and .gov (U.S./state government) top-level domains (TLDs). 

"When Emotet emerged from its summer vacation back in mid-September 2019, relatively few outbound emails were seen directed at the .mil and .gov TLDs. But sometime in the past few months, Emotet was able to successfully compromise one or more persons working for or with the U.S. government."

The malware's successful compromise of at least one US government employee led to what researchers described as a "rapid increase" in the number of infectious Emotet messages directed at the .mil and .gov TLDs in December 2019.

Following a brief spot of respite over the winter holidays, Emotet is once again causing trouble. Cisco Talos said that the upward trend in the quantity of messages directed at .mil and .gov had "continued into January 2020."

Emotet works by stealing someone's email, then impersonating the victims and sending copies of itself in reply. The malicious emails are delivered through a network of stolen SMTP accounts. 

Recipients, conned into thinking that they are receiving a message from a friend or professional colleague, open the email and are then infected.

The simplicity of Emotet's attack strategy belies its effectiveness. "This relatively simple email-man-in-the-middle social engineering approach has made Emotet one of the most prolific vehicles for delivering malware that we have seen in modern times," said researchers. 

LORCA Announces Fourth and Largest Cohort of Cybersecurity Innovators

The London Office for Rapid Cybersecurity Advancement (LORCA) has announced the 20 scale-ups selected to join its fourth cohort of cyber-innovators.

The latest group is LORCA’s largest and most international yet – including companies from the UK, Israel, Spain, Switzerland, Denmark, Singapore and the US – using technologies such as automation and quantum to protect UK industry against the latest threats.

LORCA is hosted and delivered by Plexal at Here East in London’s Queen Elizabeth Olympic Park. The year-long project will support the 20 new companies to scale, secure investment, access new markets and participate in overseas trade missions, with the ultimate aim of growing the British cybersecurity industry.

The scaleups will also receive technical and commercial support from the program’s delivery partner Deloitte and engineering expertise from the Centre for Secure Information Technologies (CSIT) at Queen’s University Belfast.

LORCA lanched in June 2018 with backing from the Department for Digital, Culture, Media & Sport and has enrolled 55 companies into its program.

The latest cohort includes scaleups with a range of cutting-edge solutions, invited to apply based on three innovation themes identified by industry leaders from various sectors:

• Connected Economy
• Connected Everything
• Connected Everyone

Saj Huq, program director, LORCA, said: “LORCA exists to bring cutting-edge technology to market and to enable the most promising cyber-innovators to become globally competitive businesses. The international reach and the variety of solutions within our incoming fourth cohort is an exciting demonstration of both the strength and attractiveness of the UK market, as well as an illustration of the increasingly prominent role that LORCA plays as a convener and collaborator within the global innovation ecosystem.”

The 20 companies enrolling in the latest cohort are:

1. Acreto
2. Anzen Technologies Systems
3. Avnos
4. Contingent
5. Continuum Security
6. Darkbeam
7. Heimdal Security
8. Keyless
9. Kinnami
10. L7 Defence
11. Orpheus
12. Osirium
13. Risk Ledger
14. ShieldIOT
15. SureCert
16. ThreatAware
17. ThunderCipher (Licel)
18. Variti
19. VIVIDA
20. Westgate Cyber Security