Info Security
Serious Flaw Found in HP OMEN Driver
A serious flaw has been found in the driver of a popular PC gaming software used by millions.
Researchers from SentinelLabs published details of the vulnerability in the HP Omen Gaming Hub on September 14. They said that attackers could exploit the flaw to locally escalate to kernel-mode privileges.
“With this level of access, attackers can disable security products, overwrite system components, corrupt the OS, or perform any malicious operations unimpeded,” wrote researchers.
Omen comes preinstalled on all HP OMEN desktops and laptops and can be used to control and optimize settings such as device GPU, fan speeds, CPU overclocking, memory and more.
The vulnerability was reported to HP on February 17, 2021, and was later given a Common Vulnerability Scoring System (CVSS) score of 7.8, making it a high-severity flaw.
No evidence of the flaw’s being exploited in the wild was discovered by SentinelOne.
“While we haven’t seen any indicators that these vulnerabilities have been exploited in the wild up till now, using any OMEN-branded PC with the vulnerable driver utilized by OMEN Gaming Hub makes the user potentially vulnerable,” noted researchers. “Therefore, we urge users of OMEN PCs to ensure they take appropriate mitigating measures without delay.”
Commenting on the newly unearthed flaw, Jamie Boote, security consultant at the Synopsys Software Integrity Group, said, "With the rise of remote workers during the Covid-19 Pandemic, the collision between corporate IT environments and personal hardware will only rise as employees supply more of their own hardware to continue to customize and equip their home offices.
“It is impossible to anticipate all potential driver and hardware vulnerabilities that can arise from these situations, so it is important for IT departments to recognize and react to threats such as these when they’re made public.”
Boote added that the enforcement of proactive security measures such as keeping up with threat intelligence feeds, limiting software installations to only approved software sources and maintaining approved workstation images can limit the impact of threats such as this gaming hub privilege escalation bug.
“Perhaps this vulnerability is a reminder of why it’s called 'The Bleeding Edge,'” said Boote.
Arizona Medical Practice Permanently Loses EHR Data
A medical practice in Arizona has lost nearly all the data entered into its electronic health record (EHR) system due to a cyber-attack.
Desert Wells Family Medicine, which has been serving patients in Queens Creek for 20 years, was attacked by cyber-criminals on May 21. The practice had backed up all its EHR data before the attack took place, but the attackers managed to encrypt both the original files and the backup files using ransomware.
The practice has begun notifying 35,000 patients that their protected health information has been compromised. Information that may have been accessed by the attackers during the security incident included patient names, dates of birth, addresses, billing account numbers, medical record numbers, treatment information, and Social Security numbers.
Desert Wells said it had done everything that it could to retrieve the encrypted data, including engaging external specialists, but their efforts had proved fruitless.
All EHR information added into Desert Wells’ system prior to the date of the attack has been lost forever, and the practice is currently in the process of constructing an entirely new EHR system.
“Upon discovering the extent of the damage, we engaged additional forensics and recovery services as part of our exhaustive efforts to do everything we could to try and recover the data,” said Daniel Hoag, MD, a family medicine physician at Desert Wells.
“Unfortunately, these efforts to date have been unsuccessful and patient electronic records before May 21, 2021, are unrecoverable.”
The practice said that no evidence has been found to suggest that any of the compromised patient data has been misused. Third-party computer forensics experts hired to investigate the incident found no evidence that any patient data had been exfiltrated from Desert Wells before the files were encrypted.
“We recognize this is an upsetting situation and, from my family to yours, sincerely apologize for any concern this may cause,” said Hoag. “I’m sure many of you have been reading about other healthcare providers in the community, and around the country, that have been impacted by cybersecurity events.”
Hoag added that Desert Wells is continuing to take steps to enhance the security of its systems, including improving its endpoint detection, implementing 24/7 threat monitoring, and providing additional training and education to staff.
Americans Fined After Hacking for Foreign Government
Three former members of the United States military or United States Intelligence Community (USIC) have been fined for providing hacking-related services to a foreign government.
United States citizens, 49-year-old Marc Baier and 34-year-old Ryan Adams, and 40-year-old former US citizen Daniel Gericke were investigated by the Department of Justice (DOJ) over claims that they had violated U.S. export control, computer fraud, and access device fraud laws.
On September 7, the three men entered into a deferred prosecution agreement (DPA) with the DOJ that requires them to pay $1,685,000 in penalties. The agreement also places restrictions on the future activities and employment of the three men.
According to court documents, between 2016 and 2019, all three defendants worked as senior managers at a company based in the United Arab Emirates (UAE) that performed and supported hacking for the benefit of the UAE government.
Services carried out by the defendants included the provision of support, direction and supervision in the creation of sophisticated “zero-click” computer-hacking and intelligence-gathering systems capable of compromising a device without any action being taken by the target.
The zero-click exploits were later deployed by other employees at the UAE-based company to illegally obtain and use access credentials for online accounts issued by companies in the United States. The exploits were further used to obtain unauthorized access to mobile phones and computers in the United States and around the world.
The State Department’s Directorate of Defense Trade Controls (DDTC) informed the defendants on multiple occasions that the work they were doing was a “defense service” as defined under the International Traffic in Arms Regulations (ITAR) and that they needed a license from the State to provide the services they were carrying out.
“This agreement is the first-of-its-kind resolution of an investigation into two distinct types of criminal activity: providing unlicensed export-controlled defense services in support of computer network exploitation, and a commercial company creating, supporting and operating systems specifically designed to allow others to access data without authorization from computers worldwide, including in the United States,” said Acting Assistant Attorney General Mark J. Lesko for the Justice Department’s National Security Division.
Software Supply Chain Attacks Surge 650% in a Year
The insatiable global demand for open source code packages has led to a triple-digit year-on-year surge in upstream software supply chain attacks, according to Sonatype.
The supply chain management specialist compiled its 2021 State of the Software Supply Chain report from publicly available and proprietary data.
It claimed that global developers would borrow over 2.2 trillion open-source packages or components from third-party ecosystems to accelerate time-to-market. This includes Java downloaded from the Maven Central Repository, Python packages downloaded from PyPi, JavaScript from npmjs and .NET NuGet packages.
These shared code packages often contain publicly disclosed vulnerabilities that threat actors can exploit. However, increasingly cyber-criminals are getting more proactive, Sonatype warned.
“Next-generation software supply chain attacks are far more sinister, because bad actors are no longer waiting for public vulnerability disclosures to pursue an exploit. Instead, they are taking the initiative and injecting new vulnerabilities into open source projects that feed the global supply chain, and then exploiting those vulnerabilities before they are discovered,” the report noted.
“By shifting their attacks ‘upstream,’ bad actors can gain leverage and the crucial benefit of time that that enables malware to propagate throughout the supply chain, enabling far more scalable attacks on ‘downstream’ users.”
Such attacks have increased by a staggering 650% year-on-year, versus a figure of 430% last year, Sonatype said.
There were 216 such attacks detected over four years between February 2015 and June 2019. However, this figure rose to 929 during just a year (July 2019–May 2020). That number surged to a staggering 12,000 over the past year.
“We now know that popular projects contain disproportionately more vulnerabilities,” argued Sonatype EVP, Matt Howard.
“This stark reality highlights both a critical responsibility, and opportunity, for engineering leaders to embrace intelligent automation so they can standardize on the best open source suppliers and simultaneously help developers keep third-party libraries fresh and up-to-date with optimal versions.”
Major cyber-threat campaigns, including the attacks on SolarWinds and Codecov, highlight the potentially severe repercussions of code supply-chain compromises.
Nearly a Third of Brits Say They Feel Unsafe Online
Nearly a third (29%) of Brits feel unsafe while using the internet, according to a new report by Veriff.
The survey of 2000 UK citizens revealed a range of factors that have caused this sentiment. One of these is rising scam attempts, with over two-fifths (42%) of those surveyed experiencing a package delivery scam during the past three months. The next most common type of scam is those relating to tax rebates (25%) followed by TV licenses (19%).
Veriff also found that 13% of Brits have received a COVID-19 vaccine scam during this period, further highlighting how fraudsters have leveraged the circumstances of the pandemic to target people in the past 18 months.
The potential impact of ‘digital trails’ being left on the internet was also a significant concern for people. Almost half (48%) of millennials expressed fears that old posts online will come back to haunt them, while more than two-thirds (37%) of all those surveyed said they regretted sharing personal details online.
Additionally, more than half (52%) of Brits were worried that their images may be used online without their permission. More than two-thirds (68%) agreed that social media companies should require users to show ID when signing up to their site in order to help combat issues like identity fraud and online abuse.
Surprisingly, Generation Z (16-24-year-olds) were more likely to feel unsafe online than any other age group (41%). This compared to just 18% of those aged 55 and older feeling unsafe.
In terms of internet usage, people who spend more than 30 hours online per week were least likely to feel unsafe online (21%). In contrast, almost half (48%) of people who spend just one or two hours online per week were most likely to feel safe online.
Janer Gorohhov, co-founder and CPO at Veriff, commented: “Cyber-criminals are continuously thinking of new ways to commit fraud, with the pandemic sadly providing them with more opportunities than ever — from COVID-19 vaccination scams to fake delivery texts — which is why we wanted to uncover how the nation really feels online and how the future of identity verification can help people feel safer.
“With the common misconception being that the older generation is most susceptible to online fraud, we were interested to find that the younger generations were the most likely to feel unsafe online. With the internet playing such a vital role in the lives of many young Brits, unfortunately, their hours spent online does not make them any less of a target of online fraud, if anything, it heightens the risk.”
Quarter of Fortune 500's External IT Assets Are a Cyber Risk
The external attack surface of Fortune 500 companies contains known, exploitable vulnerabilities and security issues, according to new research from Cyberpion.
The Israeli startup compiled its findings from a “single-pass scan” of the public and internet-facing assets of every Fortune 500 company in the first half of 2021.
Nearly three-quarters (73%) of these organizations’ IT infrastructure is now located externally, but this outsourcing trend appears to have created a significant visibility gap. Some 24% of these assets are considered risky or have a known vulnerability, Cyberpion claimed.
This includes a quarter (25%) of externally hosted cloud-based assets that failed at least one security test, such as misconfigured storage.
The report also claimed that the average Fortune 500 firm has 126 different login pages for customers and employees — but 10% of these allow data transmission over unencrypted HTTP or have invalid certificates.
Fortune 500 firms also connect to an average of 951 cloud assets, but almost 5% of these are vulnerable to severe abuse, Cyberpion claimed. This includes AWS buckets misconfigured, which could allow hackers to read or overwrite customer data or code.
The vendor warned that attackers could take advantage of these gaps in visibility and protection to launch Magecart-style attacks, DNS hijacks or brand abuse — resulting in financial and reputational damage.
“Security teams often can’t effectively defend against attacks stemming from third parties because they lack visibility into the total inventory and volume of assets they are connected to,” said Cyberpion CEO Nethanel Gelertner.
“They are unaware of the exposure to these external vulnerabilities and can’t identify and mitigate against these risks. In addition, the growth of these interconnected assets continues to explode due to trends in cloud-first architectures and digital transformation initiatives, meaning that assessing and protecting the attack surface has become even more challenging over time.”
Microsoft Patches OMIGOD, MSHTML and PrintNightmare Bugs
Microsoft fixed over 60 CVEs in this month’s Patch Tuesday update round, including a zero-day being actively exploited in the wild.
First made public last week, CVE-2021-40444 is a remote code execution vulnerability in Microsoft’s MSHTML engine.
A second zero-day, which was publicly disclosed but not actively exploited, is CVE-2021-36968, an elevation of privilege vulnerability in Windows DNS. It is labeled “important” by Microsoft and only impacts Windows 7 and Windows Server 2008.
However, these vulnerable legacy systems could appeal to threat actors as targets, according to Ivanti VP of product management, Chris Goettl.
“In this case, they could find the fact that this only affects legacy OSs as attractive, banking on the fact that companies are still running these systems but not continuing with extended security updates (ESU) from Microsoft,” he explained.
“If you fall into this group, there is yet more reason to either subscribe to Microsoft’s ESU for Windows 7 and Server 2008/2008 R2 or migrate off of these platforms, as the risk of running these end-of-life systems continues to grow.”
Elsewhere there was also an updated patch for one of the print spooler bugs known as PrintNightmare, to fix new issues discovered by researchers beyond the original fix. With exploit code available for this CVE, it’s also a matter of urgency to patch, said Goettl.
Other noteworthy CVEs that got the patch treatment this month were CVE-2021-38647, CVE-2021-38648, CVE-2021-38645, and CVE-2021-38649 — affecting Microsoft’s Open Management Infrastructure (OMI) agent.
Dubbed “OMIGOD” by researchers at Wiz.io, the bugs could enable a remote attacker to gain root access to Linux virtual machines running on Azure.
“We conservatively estimate that thousands of Azure customers and millions of endpoints are affected. In a small sample of Azure tenants we analyzed, over 65% were unknowingly at risk,” the firm warned.
Massachusetts AG Launches Probe into T-Mobile Data Breach
The attorney general of Massachusetts, Maura Healey, has announced a probe into the recent data breach suffered by American telecommunications company T-Mobile.
In August, the United States wireless carrier disclosed a data breach impacting around 54.6 million individuals. Data exposed in the security incident included names, addresses, birth dates, phone numbers, Social Security numbers, information from driver’s licenses, International Mobile Equipment Identity (IMEI) numbers, and International Mobile Subscriber Identity (IMSI) numbers belonging to T-Mobile pay monthly customers and to people who applied for T-Mobile credit.
Healey proclaimed on Tuesday that an investigation has been launched by her office to examine what safeguards T-Mobile had put in place prior to the breach to protect consumers’ data and mobile device information.
The probe will also delve into how the breach occurred, how T-Mobile handled the incident, and what actions were taken by the company to notify impacted customers and T-Mobile credit applicants.
“My office is extremely concerned about how this data breach may have put the personal information of Massachusetts consumers at risk,” Healey said in a statement.
“As we investigate to understand the full extent of what’s happened, we urge impacted consumers to take the necessary precautions to ensure their information is safe, and to prevent identity theft and fraud.”
Turkey resident John Binns claimed to the Wall Street Journal that he was responsible for the T-Mobile hack that led to the major data breach. The 21-year-old American said he used an unprotected router exposed on the internet to gain access to T-Mobile servers sited in a data center near East Wenatchee, Washington, in July.
In a written statement issued last month, T-Mobile CEO Mike Sievert told customers he was “truly sorry” for the security breach.
Sievert said that the company “didn’t live up to the expectations we have for ourselves to protect our customers” and added, “Knowing that we failed to prevent this exposure is one of the hardest parts of this event.”
In response to the breach, T-Mobile is offering consumers various free theft-protection services, including scam and account take-over protection for their cell phones.
Kape Technologies to Acquire ExpressVPN
Well-known virtual private network (VPN) provider ExpressVPN is to be acquired by Israeli-British cybersecurity company Kape Technologies in a deal worth almost $1bn.
The acquisition, which will involve $936m in shares and cash, was announced on September 13. Kape Technologies said the deal represents a “key milestone” in the booming arena of digital privacy.
In a statement released Monday, Kape said that it was joining forces with ExpressVPN “to create a premium consumer privacy and security player in the industry.”
Kape said that ExpressVPN will be “joining the Kape family” with a shared vision to transform privacy and security. Under this vision, Kape said it will define a new generation of privacy and security protection tools that will give consumers more control over their own digital safety.
“Controlling one's digital presence is at the forefront of every tech consumer’s mind now, and Kape is more committed than ever to innovating and delivering the tools internet users need to protect their data and rights,” said Ido Erlichman, chief executive officer of Kape Technologies.
“Kape is now synonymous with taking control of your digital experience.”
The acquisition will unite an international team of 720 employees and broaden Kape’s reach from nearly three million customers to more than six million, Kape said in a statement.
ExpressVPN was founded in 2009 and is based in the British Virgin Islands. Erlichman said Kape had been impressed with the company’s work ethic and inventive approach.
“We’ve admired the ExpressVPN team’s relentless pursuit of excellence and innovation and are excited to welcome them to Kape,” said Kape’s CEO.
“With ExpressVPN to join the Kape family of world-leading privacy and security brands, together we will have the vision, talent, and resources to take the industry to the next level,” he added.
A major chunk (40%) of ExpressVPN’s paying subscribers are based in North America.
Dan Pomerantz, co-founder of ExpressVPN, said: “With access to greater capital and resources as part of Kape, we’re excited to be able to accelerate our product development, deliver even more innovation to our users, and protect them from a wider range of threats.”
NY County IT Supervisor Charged with Crypto-Mining
An information technology expert employed by a New York county has been arrested on suspicion of mining crypto-currency at work.
Christopher Naples is accused of covertly installing dozens of machines throughout his workplace and using them to mine Bitcoin and other types of crypto-currency as part of a secret illegal money-making scheme.
Naples, who lives in Mattituck, New York, was hired by Suffolk County back in 2000. His current title is Assistant Manager of Information Technology Operations for the Suffolk County Clerk’s Office.
Authorities said that the clandestine crypto-mining activity allegedly carried out by 42-year-old Naples ran up electricity bills in excess of $6,000 for his unsuspecting employer.
Charges were announced against Naples on Wednesday by Suffolk County district attorney Timothy Sini. Naples has been charged with counts including grand larceny, computer trespass, and public corruption.
Sini said Naples is accused of installing 46 crypto-mining devices in six rooms inside the county center located in Riverhead, New York. Hiding places in which the devices were allegedly concealed included beneath the floorboards of the building, on top of or inside server racks, and inside an electrical wall panel that was not in use.
The scheme had allegedly been going on for months with at least ten of the crypto-mining devices up and running since February 2021.
Naples was released on his own recognizance after appearing in court on Wednesday.
“Mining crypto-currency requires an enormous amount of resources, and miners have to navigate how to cover all of those electricity and cooling costs,” said Suffolk County’s Sini in a statement regarding Naples’ arrest.
“Naples found a way to do it. Unfortunately, it was on the backs of taxpayers. We will not allow County employees, who are already on the public’s payroll, to steal taxpayer money or illegally use government resources for their own personal gain.”
The mining devices increased the temperature in some rooms by 20 degrees.
Sini said: “Not only do we have thousands of dollars of taxpayer money funding this operation, but it also put the county’s infrastructure at risk.”
Naples faces up to 15 years in prison if convicted of the top count against him.
Financial Services Firms Spend Over $2m on Ransomware Recovery
Global financial services firms spent more than $2m on average recovering from a ransomware attack last year, according to new data from Sophos.
The UK security vendor polled 550 IT decision-makers in mid-sized financial sector firms around the globe to compile its State of Ransomware in Financial Services 2021 report.
It found that a third (34%) of firms in the vertical were hit by ransomware in 2020, with half (51%) admitting their attackers managed to encrypt data.
However, although most (62%) were able to restore scrambled data from backups, the recovery costs ascribed to victim organizations from the sector were much higher than the average across all verticals ($1.85m).
The figure is also surprising considering that only a quarter (25%) of financial services victims paid the ransom demand — the second-lowest payment rate of all industries surveyed and below the global average of 32%.
Sophos claimed the high cost of recovery is partly down to the highly regulated nature of the sector, with firms forced to adhere to multiple compliance mandates, including PCI DSS, SOX and GDPR.
“Strict guidelines in the financial services sector encourage strong defenses. Unfortunately, they also mean that a direct hit with ransomware is likely to be very costly for targeted organizations,” said John Shier, senior security advisor, Sophos.
“If you add up the price of regulatory fines, rebuilding IT systems and stabilizing brand reputation, especially if customer data is lost, you can see why the survey found that recovery costs for mid-sized financial services organizations hit by ransomware in 2020 were in excess of $2m.”
Interestingly, attackers hit only 8% of organizations in the sector with double extortion attacks, which now account for the majority of all ransomware, according to some estimates.
Although it fell slightly from the previous year, the financial services sector recorded the second-highest cost of a data breach in 2021, at $5.72m, according to IBM.
Global Databases Riddled with an Average of 26 Vulnerabilities
Nearly half (46%) of the world’s on-premises databases contain known vulnerabilities — most of which are high or critical severity, according to a new five-year study from Imperva.
The security vendor scanned 27,000 databases globally over five years and discovered that they contained 26 vulnerabilities each on average. Some 56% of these were ranked in the top two severity categories, meaning they could lead to serious compromise if exploited.
Some CVEs have not been addressed for several years, Imperva claimed.
Despite the growing popularity of cloud-based platforms, the news is concerning, as most organizations continue to store their most sensitive data on-premises, according to Elad Erez, chief innovation officer at Imperva.
“While organizations stress publicly how much they invest in security, our extensive research shows that most are failing,” he added.
“Too often, organizations overlook database security because they’re relying on native security offerings or outdated processes. Given that nearly one out of two on-prem databases is vulnerable, it is very likely that the number of reported data breaches will continue to grow, and the significance of these breaches will increase too.”
A standard route to compromising non-publicly accessible databases is via web application vulnerabilities such as SQLi or phishing and malware designed to give attackers a foothold into networks.
Compromising public databases is even more accessible, with attackers able to scan for exposed targets via tools like Shodan, before deploying exploit code, Imperva warned.
“Attackers now have access to a variety of tools that equip them with the ability to take over an entire database, or use a foothold into the database to move laterally throughout a network,” said Erez.
“The explosive growth in data breaches is evidence that organizations are not investing enough time or resources to truly secure their data. The answer is to build a security strategy that puts the protection of data at the center of everything.”
France was by far the worst global offender in terms of percentage of vulnerable databases (84%) and second only to China (74) in terms of the average number of bugs per database (72).
Apple Releases Urgent Patch Following Discovery of Pegasus Spyware
Apple has released an urgent update to patch a critical vulnerability that has been exploited by the notorious Pegasus mobile spyware.
The vulnerability, CVE-2021-30860, was discovered by researchers at University of Toronto’s Citizen Lab when analyzing the iPhone of an anonymous Saudi activist infected with NSO Group’s Pegasus spyware. They found a zero-day zero-click exploit against iMessage, which the team dubbed “FORCEDENTRY.” This exploit infected the device by targeting Apple’s rendering library, and was effective against Apple iOS, MacOS and WatchOS devices.
Citizen Lab made a “high-confidence attribution” to NSO Group for the exploit, which it believes has been in use since at least February 2021. It stated: “Our latest discovery of yet another Apple zero day employed as part of NSO Group’s arsenal further illustrates that companies like NSO Group are facilitating “despotism-as-a-service” for unaccountable government security agencies. Regulation of this growing, highly profitable and harmful marketplace is desperately needed.”
After the lab passed details of their findings to Apple, the tech giant quickly released the patch. Apple customers are now being urged to immediately update their devices with the latest update, with the vulnerability affecting all iPhones with iOS versions prior to 14.8, all Mac computers with operating system versions prior to OSX Big Sur 11.6, Security Update 2021-005 Catalina, and all Apple Watches prior to watchOS 7.6.2.
In a statement, Ivan Krstić, head of Apple security engineering and architecture, said: "Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals.” He also reassured customers that the vulnerability is "not a threat to the overwhelming majority of our users."
Israeli firm NSO Group has regularly been at the center of numerous controversies surrounding the unethical use of Pegasus by authoritarian governments. Facebook is undertaking legal action against the company for allegedly exploiting a vulnerability in WhatsApp to enable its clients to spy on over 1400 users globally, and the spyware was also found on the mobile phone of murdered Saudi journalist Jamal Khashoggi.
CNN quoted a new NSO Group statement, which didn’t directly address the allegations. It stated: "NSO Group will continue to provide intelligence and law enforcement agencies around the world with life-saving technologies to fight terror and crime."
Commenting on the story, Sam Curry, chief security officer at Cybereason, said: "Monday’s emergency software updates for a critical vulnerability discovered in iPhones, Apple Watches and Macs, shouldn't be cause for panic. Yes, this newest Pegasus spyware delivery mechanism is novel, invasive and can easily infect billions of Apple devices, but stay calm and simply get control of your device and download the software updates available from Apple. Do that and move on. Follow Apple's instructions if you think you are infected and consult your IT department at work, school, etc. Failing that, Apple’s Genius Bar will be able to help. With nearly 2 billion iPhones active around the world, 100 million Apple Watches being used and more than 100 million Macs, security can’t be a luxury for Apple and it’s not, it’s a responsibility they take seriously.”
Jesse Rothstein, CTO and co-founder of ExtraHop, added: “We all carry highly sophisticated personal devices which have profound implications to personal privacy. There are many examples of this such as app data collection — which Apple recently moved to curb with its App Tracking Transparency framework.
“Any sufficiently sophisticated system has security vulnerabilities that can be exploited, and mobile phones are no exception.
“Pegasus is an example of how unknown vulnerabilities can be exploited to access highly sensitive personal information. The NSO group is an example of how governments can essentially outsource or purchase weaponized cyber capabilities. This is no different than arms dealing in my view — it’s just not regulated that way. Companies are always going to have to patch their vulnerabilities, but regulations will help prevent some of these cyber weapons from being misused or falling into the wrong hands.”
Texas GOP Website Down After Anonymous Hack
The website of the Texas Republican Party appeared to be hacked over the weekend and remained largely offline on Monday.
TexasGOP.org showed several crude messages on Saturday — the 20th anniversary of the September 11 terrorist attacks — ridiculing the state’s Republican Party and attacking Texas’ new ‘Heartbeat Act.’
Individuals affiliated with the Anonymous movement appear to be the perpetrators. Hackers replaced website pages with images of Pokémon, links were added directing users to the YourAnonNews Twitter account and pop artist Rick Astley’s viral meme hit Never Gonna Give You Up was added.
However, the Texas Republican Party have seemingly regained partial control of the site on Monday. Yet, none of its typical content was accessible, and all URLs redirected users to a splash page, which outlined the attack and requested donations.
The hack was likely influenced by the state’s controversial new abortion ban, prohibiting the practice after six weeks of the pregnancy and effectively halting abortions in some regions of the state altogether.
“We are committed to taking away all the rights of women so we can live our prosperous, Bible-thumping dream,” the Texas GOP’s mission statement was altered to say by the hackers.
The hackers included a warning at the bottom of the website: “Disclaimer: Hackers on Steroids are 10 times more effective at romance than 100% of Republicans. Trans demon hackers are coming to get you. Abortion is a choice.”
Hackers also added a link to Planned Parenthood of Texas.
The state’s new law has seen no lawsuits be filed since coming into effect on September 1. Pro-choice campaigners have been hoping that an emergency plea for relief at the Supreme Court would stop the law going ahead, but the court’s conservative majority declined to do so.
“While the nation paused over the weekend in remembrance of the 20th anniversary of 9/11 the Republican Party of Texas website was hacked,” read the website on Monday. “Pro-abortion activists targeted us because of our strong support for the Heartbeat Act. This attack adds to a growing list of actions by the radical left who tries to silence anyone that disagrees with them.” it added.
“We have been able to secure our website, but make no mistake, threats and attacks like this only strengthen our resolve.”
Mustang Panda Compromises Indonesian Intelligence Agency
A China-based cyber-espionage threat actor has reportedly compromised the internal networks of at least ten Indonesian government ministries and agencies.
The intrusion – believed to be the work of Mustang Panda – was first reported by The Record and is thought to have impacted the Badan Intelijen Negara (BIN), Indonesia’s main intelligence service.
The cyber-espionage campaign was uncovered in April 2021 by Insikt Group, a division of Recorded Future that is dedicated to researching threats.
Insikt researchers raised the alarm after finding PlugX malware command and control (C&C) servers communicating with hosts located inside the Indonesian government’s networks.
Researchers concluded that the communications, which appear to date back to at least March of this year, are the work of Mustang Panda, who they believe is in control of the malicious servers.
The Indonesian authorities were reportedly notified of the security incident by the Insikt Group in June and again in July. However, Insikt researchers told The Record last month that the malware servers they believe belong to Mustang Panda are still communicating with hosts inside Indonesian government networks.
Commenting on this, Sam Curry, chief security officer at Cybereason, said: "The reported breach of Indonesia’s intelligence agency by Chinese hackers is troubling, and there is no sense in sugarcoating the significance of the potential loss of sensitive data.
“Whether or not this attack is state-sponsored isn’t known, but at the very least more and more ransomware attacks are state-ignored.”
Curry said that the public and private sectors need to do more to prevent cyber-attacks and make life difficult for attackers who get past digital defenses.
“Sure, the threat actors will get in, but so what? We can make that mean nothing,” said Curry. “We can slow them down, we can limit what they see and we can ensure fast detection and ejection. We can – in short – make material breaches a thing of the past.”
US Locks Up Key Player in Nigerian Romance Scam
An Oklahoma man has been sent to prison for his role in an online romance scam that defrauded victims across the United States out of at least $2.5m.
Norman resident Afeez Olajide Adebara was handed a custodial sentence on Friday after pleading guilty on November 3, 2020, to conspiracy to commit money laundering.
According to court documents, 36-year-old Adebara acted as the manager of a group of money launderers involved in the scam.
Between 2017 and November 2019, Adebara and his co-conspirators used fake passports and other fraudulent identification paperwork to open multiple bank accounts under various aliases.
Adebara and his co-conspirators then knowingly concealed the proceeds of the fraudulent scheme and their sources by transferring the funds between and among those accounts.
“Thereafter, Adebara took further steps to conceal the source of the funds, took a commission for himself, and directed the remainder of the funds back to the online romance scammers in Nigeria, including in the form of vehicles and vehicle parts,” said the Department of Justice in a statement released on September 10.
Under the scam, Adebara worked closely with co-conspirators based overseas who created fake dating profiles and social media accounts that were used to lure and defraud victims.
The co-conspirators posed as US residents working or traveling abroad and tricked victims into believing that they had found love online. After manipulating a victim into thinking that they were in a romantic relationship, a scammer would ask for increasingly large sums of money.
Victims – many of whom were elderly – would wire the money to the scammer’s bank account in the belief that they were helping their significant other to complete a business project or to return to the United States.
Account details and routing numbers of the bank accounts into which the fraudulently obtained funds were wired were provided by Adebara to his co-conspirators.
On September 10, in the Northern District of Oklahoma, Adebara was sentenced to four years in prison. Previously, six individuals, some of whom are American citizens and others of whom are Nigerian citizens, received custodial sentences for their involvement in the same romance scam.
CISA Announces New Chief of Staff
The United States Cybersecurity and Infrastructure Security Agency (CISA) has appointed Kiersten Todt as its new chief of staff.
In her new role, cybersecurity veteran Todt will be tasked with allocating resources, planning, and supporting CISA’s goals through the creation of long-term objectives.
CISA director Jen Easterly, in an announcement earlier today, described Todt as “extraordinarily well-qualified for this critical role.”
Easterly added: “I am particularly excited to be able to draw upon Kiersten’s leadership ability and her deep partnerships with industry, to include the small business community – a key element of our nation’s economy.”
Todt is the managing director of the Cyber Readiness Institute (CRI), a non-profit initiative that she co-founded in July 2017. Previously, Todt served as executive director for the Presidential Commission on Enhancing National Cybersecurity under President Barack Obama.
CRI’s mission is to bring together the expertise of senior executive leaders at global companies to develop free resources to improve the cyber-readiness of small and medium-sized enterprises (SMEs) so as to secure global value chains.
With Todt at the helm, the CRI’s membership has grown to include Apple, Microsoft, ExxonMobil, General Motors, MasterCard, PSP Partners, Principal Financial Group, and the Center for Global Enterprise.
The search for a new managing director to lead the CRI is being undertaken by the president of the Center for Global Enterprise, Chris Caine.
In a statement released today, the CRI said: “Under Todt’s leadership, CRI has focused on the central role of human behavior in cybersecurity and developing practical resources organizations can use to create a culture of cyber-readiness.”
In its first four years of existence, the CRI’s Champion Network has expanded to include almost 90 organizations representing more than two million SMEs around the globe.
“We are grateful for Kiersten’s leadership. Her stewardship enabled CRI to go from an idea to a global organization that will forever leave an imprint by making cybersecurity part of the cultural DNA of every small business,” said Sam Palmisano, co-chair of CRI and chairman of the Center for Global Enterprise.
“We look forward to continuing the great work that Kiersten began four years ago.”
WhatsApp to Roll Out Encrypted Backups
Messaging giant WhatsApp is set to roll out end-to-end encrypted (E2EE) backups later this year, in what privacy campaigners claim to be another win for user privacy and security.
The Facebook-owned company said it had designed an entirely new system for encryption key storage to support the new service.
“With E2EE backups enabled, backups will be encrypted with a unique, randomly generated encryption key. People can choose to secure the key manually or with a user password. When someone opts for a password, the key is stored in a Backup Key Vault that is built based on a component called a hardware security module (HSM) — specialized, secure hardware that can be used to securely store encryption keys,” explained WhatsApp’s Slavik Krassovsky and Gabriel Cadden.
“When the account owner needs access to their backup, they can access it with their encryption key, or they can use their personal password to retrieve their encryption key from the HSM-based Backup Key Vault and decrypt their backup.”
In order to mitigate the risk of brute force attacks, keys will be rendered permanently inaccessible after a limited number of failed attempts. The firm pointed out that while it will know that a key exists in the HSM, it will not know the key itself — maximizing security.
Transmission of keys to backups and to and from WhatsApp servers will be done via a protocol implemented by WhatsApp’s front-end ChatD service. However, the service will not access the encrypted messages exchanged between a client and HSM-based Backup Key Vault.
Once encrypted, backups can also be stored to iCloud, Google Drive or other off-device locations.
WhatsApp said that, in order to ensure a stable and reliable service, the HSM-based Backup Key Vault would be geographically distributed across multiple data centers.
The move sees the Facebook-owned company offer very different user security and privacy features than Apple, which has sought to differentiate itself on its privacy credentials in recent years.
Apples received backlash when it announced, and then paused, plans to scan users’ iPhones for child abuse material. Apple offers end-to-end encrypted messages via iMessage, but retains the keys for backups, meaning it could hand them over to law enforcers if compelled.
More technical info on the WhatsApp service can be found here.
A Third of Industrial Control Systems Attacked in H1 2021
Around one in three industrial control systems (ICS) were targeted by malicious activity in the first half of 2021, with spyware a growing threat, according to new data from Kaspersky.
The Russian security vendor claimed its solutions blocked over 20,000 malware variants from more than 5000 families during the period.
Of the 33.8% of ICS machines targeted in H1 2021, internet-based threats dominated (18.2%), followed by those delivered via removable media (5.2%) and malicious email attachments (3%).
Deny-listed internet resources were blocked on 14% of computers. These typically host malicious scripts that redirect users to sites spreading malware or cryptocurrency malware, said Kaspersky. Next came malicious scripts and redirects (8.8%), followed by spyware — including backdoors, Trojans and keyloggers (7.4%) — and ransomware (0.4%).
ICS systems covered by the report included Supervisory Control and Data Acquisition (SCADA) servers, data storage servers, data gateways, human-machine interfaces (HMIs), mobile and stationary workstations, and computers used for industrial network administration.
Although the total number attacked increased just 0.4% from the final six months of 2020, the overall trend in recent years has been of surging threats to industrial systems, as IT and OT technologies increasingly converge.
In practice, this means that legacy, often unpatched or unsecured systems are exposed to the public-facing internet, inviting remote attacks.
According to recent research, the number of ICS vulnerabilities reported in the first half of 2021 surged 41%, with most (71%) classified as high severity or critical.
“Industrial organizations always attract attention from both cyber-criminals and politically-motivated threat actors. Reflecting on the previous half year, we have seen among other findings, growth in the number of cyber-espionage and malicious credential stealing campaigns,” explained Kaspersky security expert, Evgeny Goncharov.
“Their success has most likely been the main factor raising the ransomware threat to such a high degree. And I see no reason why some of the APT groups won’t benefit from these credential stealing campaigns as well.”
UK Man Gets Five Years for Online Abuse Campaign
A Nottingham man has been sentenced to more than five years behind bars after blackmailing and harassing several women, according to the National Crime Agency (NCA).
The UK’s law enforcement agency for serious and organized crime. revealed that Shaquille Williams, 26, was jailed for five years and three months late last week at Nottingham Crown Court,
He was found guilty of one count of blackmail related to one victim, three counts of harassing three women and putting them in fear of violence, and two counts of sending grossly offensive messages to two other women.
The NCA said that graphic designer Williams threatened to send intimate private photos of one woman to her family and friends unless she sent him more images.
Williams — of Hartness Road, Clifton, Nottingham — reportedly used various social media accounts to threaten several women, sending them pictures of acid attack victims. In one case, he sent a victim messages that featured the name of her hometown, a picture of hydrochloric acid and the name of the road she lived on, according to the NCA.
Williams had previously viewed footage of women posted online by Abdul Hasib Elahi, 26, who the NCA describes as “one of the worst online sexual offenders” it has ever investigated.
Elahi, of Sparkhill, Birmingham, apparently masqueraded as a rich businessman on “sugar daddy websites” and then tricked victims into sending him sexual images. According to the NCA, once in his possession, he’d use these images to blackmail the victims into videoing degrading acts of themselves.
NCA senior investigating officer, Andy Peach, was quick to link the two offenders.
“Williams inflicted extreme terror on these victims — they have been exceptionally brave in coming forward to ensure he faced justice and went to jail. Williams is a coward and a twisted, callous, sexual deviant,” he said in a statement.
“Some of his crimes were made possible because of Abdul Elahi, whose sadistic depravity and scale of offending horrified the investigative team. There are a series of other inquiries into Elahi’s associates.”