Feed aggregator

70% of Cyber Pros Believe Cyber Insurance is Exacerbating Ransomware

Info Security - Wed, 08/25/2021 - 14:33

More than two-thirds (70%) of cybersecurity professionals believe that the issue of ransomware is being exacerbated by cyber-insurance payouts to victim organizations, according to a new study by cybersecurity firm Talion.

The survey of 200 UK cybersecurity professionals also unveiled some worrying findings about reporting ransomware attacks to law enforcement. When asked why so many attacks are not reported, nearly half (45%) of respondents said that they believe businesses think law enforcement slows down ransomware recovery and they are focused on getting their systems back online. More than a third (37%) said it was because companies have paid a ransom and don’t want to get into trouble.

Additionally, one in 10 of those surveyed said companies didn’t know how to report ransomware attacks to law enforcement.

The report follows a surge in ransomware attacks globally in 2021. Earlier this month, a study from the International Data Corporation (IDC) found that over one-third of organizations worldwide have experienced a ransomware attack or breach that blocked access to systems or data in the previous 12 months. This has led to numerous eye-watering ransoms being paid to cyber-criminals, ramping up the debate on whether it is ever acceptable to pay a ransomware demand.

Commenting on the study, Mike Brown, CEO of Talion, said: “Our study highlights that many organizations are concerned about reporting ransomware attacks to law enforcement out of fear it could have further negative repercussions. All victims want to get back to business as usual as quickly as possible; however, it can be a complicated landscape to navigate. Should you pay the ransom? If so, is it lawful? Organizations should be mindful that it is unlawful to make a payment to terrorist organizations or proscribed groups in breach of international sanctions. What is required is a clear legal framework that allows organizations to make the best, lawful decisions when they are in this high-stress situation. Law enforcement needs to find a way to work with a commercial organization so that they are viewed as a source of expertise and support, not a further obstacle to overcome.”

“In terms of insurance payouts, it is not surprising so many security professionals see them as fuelling the ransomware industry, as they certainly cushion the blow of attacks. However, payouts are not guaranteed, and insurers are getting stricter every day. The best option is, therefore, to prepare for attacks and rehearse your strategy so when your organization gets hit in real life, losses are kept to a minimum.”

In June, Talion launched the #RansomAware campaign, a coalition of cyber security experts, businesses, academia and government to facilitate collaboration and information sharing around ransomware.

Categories: Cyber Risk News

Innovative Recruitment Practices Can Close the Cyber Skills Gap

Info Security - Wed, 08/25/2021 - 12:58

Developing more innovative hiring practices is crucial to attracting more talent to the cybersecurity industry, according to panelists speaking during a recent RSA webcast.

The event was held amid growing efforts from the US federal government to attract new candidates to the cybersecurity industry to close the burgeoning skills gap.

Barbara Endicott-Popovsky, executive director of Center for Information Assurance and Cybersecurity and professor at the University of Washington, stated: “It’s been frustrating to watch the lack of awareness of the cyber threats that we face and even more frustrating to spend so much time as we have developing talent and trying to make sure we get the right people to the right places.”

The first step in addressing this issue is to ensure there is much more clarity about the types of people and skills that are needed to work in cyber, according to Lynn Clark, chief of the NSA/DHS Centers of Academic Excellence at the National Security Agency (NSA). “It’s really hard to produce educational programs to prepare people for the workforce if we don’t know what our end objective is,” she outlined.

It is also vital that cybersecurity recruiters recognize the wide variety of motivations candidates have to work in this sector, thereby ensuring they “use the right lure for the right fish,” said Joshua Corman, senior advisor for the Cybersecurity and Infrastructure Security Agency (CISA).

He listed five different drivers (p’s) for those who work in the industry: protectors, purpose, prestige, profit and protest/patriotism, adding that “how you engage and recruit them will be different.”

The discussion then turned to the types of people and skills needed to make up the industry. Endicott-Popovsky observed that traditionally, the cyber industry has primarily been comprised of ‘techies,’ meaning other important skill sets are lacking.

Emily Harding, deputy director and senior fellow with the International Security Program at the Center for Strategic and International Studies (CSIS), said that in her experience, character and mindset are more important than qualifications when looking to recruit candidates for cybersecurity jobs. She believes the ideal person needs to be “smart and can think, and who does not get discouraged by bureaucracy or small hurdles, somebody who doesn’t want a roadmap to accomplish things.”

As well as hackers who can use their technical skills to discover security flaws, Corman feels the cyber industry needs more ‘translators’ in its ranks to translate these flaws into action. During previous experiences, he found that people with backgrounds in areas like law and project management are particularly effective at this role. “The things we were able to do were because we came from incredibly different backgrounds, but we had a common cause, common purpose and could be brought together like a team of Avengers to fight the greatest foes and risks,” he added.

Clark concurred with these perspectives, emphasizing the need for security teams to be comprised of people with strong soft-skills, such as communication and collaboration, alongside “people who understand the technology.” She pointed out, “All the technology in the world is not going to protect us from the hacker who can socially engineer somebody into giving him a password or who can spearphish and get the important information they need to access our systems.”

The panel also agreed that organizations need to adapt their standard requirements for cybersecurity candidates to enable this type of neurodiversity to become a reality. This includes working with HR and legal departments to reduce the emphasis on formal technical qualifications. Additionally, Harding believes “you have to have that human-to-human connection as much as possible, where you’re going out to career fairs and universities and recruiting.”

The principle of favoring character over qualifications is particularly pertinent when it comes to recruiting for leadership positions. Corman observed that individuals are often pushed into leadership roles based on their technical expertise, which is the wrong criterion to use. “You have to make sure you have the right leaders because they set the tone, the cadence, the value set, the culture, as best they can,” he noted.

More broadly, Corman said that all personnel operating in the rapidly evolving field of cybersecurity must be flexible and willing to learn on the job continuously. “An adaptable person will adapt at the speed of cyber,” he commented.

Categories: Cyber Risk News

Drug Dealers Get 27 Years After Police Crack EncroChat Comms

Info Security - Wed, 08/25/2021 - 09:23

A drug dealer has been given a ten-year jail sentence after officers monitored his encrypted communications with other suppliers, according to the National Crime Agency (NCA).

Lee Broughton, 40 from Epsom, was sentenced last week at Kingston Crown Court after pleading guilty back in April to supplying cocaine.

His case was one of the many that the NCA is working on as part of Operation Venetic, after international law enforcers cracked a popular encrypted chat platform.

The agency revealed last year that it had been working on cracking EncroChat since 2015. The service is said to have had 60,000 users globally, 10,000 of whom were in the UK. It was reportedly used for trading drugs and other illegal goods, laundering money and planning hits on rivals.

The service offered users special devices, costing around €1000 each, and would charge €1500 for a six-month subscription offering worldwide coverage. Devices didn't require users to associate a SIM card with their account and used a dual operating system with an encrypted interface.

Law enforcers have already arrested over 700 individuals in the UK due to their success in infiltrating EncroChat.

Broughton used the username "Sleekyak" to communicate with 22 contacts via the service — boasting he could sell 10 to 20kg of cocaine per week. He was apparently linked to the EncroChat moniker after revealing in one conversation the date of his birthday.

In related news, Michael Devine, 45, from Pete Best Drive in Derby, was this week sentenced to 17 years behind bars after using EncroChat to discuss sailing hundreds of kilograms of cocaine across the Atlantic.

According to reports, police were able to unmask Devine as the individual behind the "lawfularbor" and "mixedtree" accounts thanks to his references to family members, his poker playing, his car and Costco membership.

Police have scored several wins with other encrypted chat services used by criminals. They took down Sky ECC in March 2021 and, more recently, disrupted the notorious Anom service.

Categories: Cyber Risk News

Cybercrime Losses Triple to £1.3bn in 1H 2021

Info Security - Wed, 08/25/2021 - 08:57

Individuals and organizations lost three times more money to cybercrime and fraud in the first half of the year compared to the same period in 2020, as incidents soared, according to new figures.

The data comes from the National Fraud Intelligence Bureau (NFIB), which collects reports of cybercrime and fraud from Action Fraud, the UK’s national reporting center for such crimes.

It revealed that between January 1 and July 31 2020, victims lost £414.7m to cybercrime and fraud. However, the figure surged to £1.3bn for the same period in 2021.

This can be partly explained by the huge increase in cases from last year to this. In the first half of 2020, there were just 39,160 cases reported to Action Fraud, versus 289,437 in the first six months of 2021.

In both periods, individuals comprised the vast majority of cases and the majority of losses. However, organizations lost 6.6 times more money in the first half of 2021 compared to 1H 2020, while individual victims lost 2.6 times more during the period.

Experts urged the government to do more to educate individuals about the dangers of phishing and the importance of cybersecurity best practices and argued that organizations should be more proactive in mitigating home working risks.

“The pandemic has opened up many opportunities for malicious hackers to intercept individuals, remote workers and businesses as we have been thrown out of our usual routines and away from the safety of corporate firewalls. For many businesses, the rush to move their products and services online, or into the cloud, has left the door open as cybersecurity took a back seat to business continuity,” explained Outpost24 CSO, Martin Jartelius.

“Across the country, millions of people have switched to working from home and have remained digital-only for the past 18 months. This gives hackers the time to test out different attack techniques, learn what works — sometimes from other hacking groups — and evolve their tactics to achieve maximum return.”

Categories: Cyber Risk News

Tech CEOs to Discuss Cybersecurity with Biden Today

Info Security - Wed, 08/25/2021 - 08:37

The CEOs of some of the world’s biggest tech companies are set to meet President Biden today to discuss how their products can improve the security of America’s businesses and critical infrastructure providers, according to a report.

Apple boss Tim Cook, Amazon CEO Andy Jassy and Microsoft supremo Satya Nadella are attending the meeting. At the same time, the CEOs of Google, IBM, JP Morgan Chase and utility firm Southern Co have also been invited, according to Bloomberg.

A senior official familiar with the event told the news site that part of the discussion would be focused on how software can enhance supply chain security.

It’s thought that critical infrastructure could also be a focus — particularly in light of the Colonial Pipeline ransomware attack in May, which led to surging fuel prices for days up and down the US East Coast.

Digital supply chain attacks are also increasingly commonplace, with the SolarWinds campaign highlighting the lengths state-backed threat actors are prepared to go to infiltrate US government organizations. Microsoft claimed shortly after that over 1000 Kremlin operatives had worked on the campaign.

The line between state-sponsored and financially motivated cybercrime attacks has become increasingly blurred over recent months. The Kaseya ransomware campaign appeared inspired in some part by SolarWinds, targeting an IT management software provider to hit thousands of downstream customers.

The Biden administration appears more determined to tackle these challenges than its predecessor, although, to an extent, they have become more acute over the past few months.

The President himself warned last month that if a “real shooting war” broke out with a major power, it could result from a significant cyber incident.

That follows tense negotiations with the Kremlin over Russia’s apparent harboring of cybercrime groups like those that hit Colonial Pipeline, Kaseya and meat processing giant JBS USA.

He is reported to have told President Putin that critical infrastructure providers should be considered off-limits.

Categories: Cyber Risk News

Cyber-thieves Scam New Hampshire Town Out of $2.3m

Info Security - Tue, 08/24/2021 - 20:14

A New Hampshire town is reeling from the "very shocking" cybercrime that claimed more than 14% of its annual budget.

Peterborough is a 7,000-person town with a budget for the fiscal year of just over $15.8m. Cyber-thieves conned the town out of $2.3m through two business email compromise (BEC) scams. 

First the criminals used forged documents and compromised email accounts to pose as staff at the local school district. This enabled them to divert a million-dollar transfer made to the district by the town into a bank account under their control. 

The theft came to light on July 26 when the ConVal School District notified the town that it had missed a $1.2m monthly payment.

On August 18 it emerged that cyber-thieves had stolen more money by posing as general contractor Beck and Bellucci, hired by the town to repair Main Street Bridge.

Town administrator Nicole MacStay and select board chair Tyler Ward said it was not yet clear whether any of the town's losses would be covered by their insurance policy.

In a phone interview on Tuesday, MacStay said: “It’s very shocking to us to be quite honest. It’s just been very difficult to work through all this, and try to do the best we can to recover these funds ... to mitigate the burden on our residents and taxpayers."

An investigation into the thefts has been launched by the United States Secret Service. While the investigation is carried out, the town's finance department staff have been placed on leave.

A press release issued by Ward and MacStay suggests that finance department staff were unwitting pawns in the thefts, which have been attributed to threat actors that appear to be based outside of the United States.

“Investigations into these forged email exchanges show that they originated overseas,” stated the release.

“These criminals were very sophisticated and took advantage of the transparent nature of public sector work to identify the most valuable transactions and focus their actions on diverting those transfers.” 

The town is reviewing its procedures regarding electronic financial transfers and has canceled all automated clearing house transfers.

Categories: Cyber Risk News

FBI Issues Ransomware Group Flash Alert

Info Security - Tue, 08/24/2021 - 19:12

The Federal Bureau of Investigation's Cyber Division has issued a flash warning over an organized cyber-criminal gang calling itself OnePercent Group. 

In a TLP: WHITE alert published Monday, the FBI said the group has been targeting companies in the United States since November 2020. 

OnePercent's modus operandi is to use the threat emulation software Cobalt Strike to perpetrate ransomware attacks. The infection process begins in the victim's inbox.

"OnePercent Group actors compromised victims through a phishing email in which an attachment is opened by the user," states the FBI warning. "The attachment's macros infect the system with the IcedID banking trojan."

The malicious attachment appears as a zip file containing a Microsoft Word or Excel document. Once activated, the banking trojan downloads extra software onto the victim's computer, including Cobalt Strike, which the FBI said "moves laterally in the network, primarily with PowerShell remoting."

After accessing a victim's computer, OnePercent encrypts their data and exfiltrates it from the network using rclone. A virtual ransom note is left that tells the victim they have one week from the date of infection to make contact with the ransomware group. 

"OnePercent Group actors’ extortion tactics always begin with a warning and progress from a partial leak of data to a full leak of all the victim’s exfiltrated data," warned the FBI.

If no contact is made, the group contacts the victim via a ProtonMail email address or over the phone using spoofed phone numbers. Victims are told that a small portion of their data will be leaked through The Onion Router (TOR) network and clearnet, unless a ransom payment is made. 

Should a victim refuse to pay up after this initial "one percent leak," the ransomware group threatens to sell their data to the ransomware gang Sodinokibi (REvil) to publish at an auction.

The FBI said that OnePercent Group threat actors have been spotted entering a victim's network around a month before ransomware is deployed. 

US companies are urged by the FBI to back up their critical data offline and use multi-factor authentication with strong passphrases to protect themselves from ransomware attacks.

Categories: Cyber Risk News

US Signs Cybersecurity Agreements with Singapore

Info Security - Tue, 08/24/2021 - 18:03

The United States and Singapore have agreed to cooperate on cybersecurity and climate change issues.

On August 23, Singapore's prime minister, Lee Hsien Loong, announced that three cybersecurity agreements had been signed by the cyber, defense, and finance agencies of both countries. 

The announcement was made during a visit to Singapore by US vice president Kamala Harris. On Monday, Loong and Harris spent 90 minutes together in a meeting that Harris described as "productive."

Speaking at a joint press conference on Tuesday, Harris said: “Today, we are in Singapore to stress and reaffirm our enduring relationship to this country and in this region, and to reinforce a shared vision of a free and open Indo-Pacific region, and to reaffirm our mutual interests in peace and stability in Southeast Asia.”

Loong said that the agreements would deepen collaboration between the two countries on critical technology, data security, the sharing of best practices, and infrastructure defense.

The first agreement is a bilateral Memorandum of Understanding (MOU) between the US Treasury and the Monetary Authority of Singapore that aims to help both financial sectors share information on cyber-threats to financial markets and be more prepared for and resilient to cyber-threats.

A second MOU was signed between the US Defense Department and the Singapore Ministry of Defense. The White House said the agreement "will support broad defense cooperation to advance cybersecurity information sharing, exchange of threat indicators, combined cyber training and exercises, and other forms of military-to-military cooperation on cyber issues."

The US Cybersecurity and Infrastructure Security Agency (CISA) and the Cyber Security Agency of Singapore (CSA) signed the third MOU in a bid to improve the exchange of intelligence on cyber-threats and defensive measures, increase coordination for cyber-incident response, and enable cybersecurity capacity building across Southeast Asia.  

The two countries further agreed to start a new Climate Partnership oriented toward green solutions around goods, services and technology, and carbon credits. 

Harris began a three-day visit to Singapore on August 22 by meeting with Singapore's president, Halimah Yacob. The meeting took place at the Istana, where a new orchid hybrid – the Papilionanda Kamala Harris – had been named in the vice president's honor. 

Categories: Cyber Risk News

Time to Fix High Severity Apps Increases by Ten Days

Info Security - Tue, 08/24/2021 - 09:59

The average time taken to fix high severity application security flaws has increased by ten days in just a month, according to the latest data from NTT Application Security.

The security vendor’s AppSec Stats Flash report for August offers a broad view of the current state of application security across various verticals.

Most important is the data on how quickly, or otherwise, organizations close the window of exposure (WoE) between a patch becoming available and that patch being applied.

Although it found the “time to fix” had dropped overall by two days, from 202 days to 200 days, for high severity vulnerabilities, it increased from 246 days last month to 256 days in this month’s analysis.

The report found that utilities and retail firms, in particular, were performing poorly.

“Applications in the utility space continue to suffer from high window of exposure, with 67% of applications having at least one serious exploitable vulnerability throughout the year,” it noted.

“Retail Trade saw an increase of three base points in its WoE — from 58% last time to 61% this time. As we get closer to the final quarter of the year, there will be an expected increase in the transactions and activity on retail web and mobile applications. As such, applications in this sector are going to be rich targets for exploits.”

The most vulnerable sector was once again the “Management of Companies and Enterprises” vertical.

NTT Application Security warned that vulnerable applications are an increasingly dangerous vector for embedding ransomware and enabling supply chain attacks.

The top five vulnerability types by volume were HTTP response splitting, query language injection, cross-site scripting (XSS), cross-site request forgery and remote file inclusion.

These remain unchanged from previous months, indicating a “systemic failure” to address well-known security issues and making the task of threat actors even easier, the vendor claimed.

Categories: Cyber Risk News

Over a Third of Smart Device Owners Do Not Take Security Measures

Info Security - Tue, 08/24/2021 - 09:42

More than a third (35%) of connected device owners in the UK do not take additional security measures to protect their smart home devices and rely solely on inbuilt security features.

This is according to findings from the 2021 Norton Cyber Safety Insights Report: Special Release – Home & Safety, which examined consumers’ at-home online behaviors.

The UK portion of the study revealed a worrying lack of security hygiene for smart devices among British consumers. Only 37% of connected device owners deny permissions to apps on their devices, while just a third (33%) install cybersecurity software. An even lower proportion said they change the default passwords on devices (32%) or regularly update device passwords (30%). Additionally, only 31% of people who own a Wi-Fi router change their router password more than once a year, with 42% admitting they have never changed the password or are not sure how often the password is changed.

More encouragingly, 86% of Brits who own a connected device said they would take action if one of their devices were hacked. The most common of these actions are changing security settings or passwords (53%).

The research, based on an online survey of more than 1000 UK adults by The Harris Poll, found that 71% of UK adults own a smart home device, with smart TVs (52%) and smart speakers/home assistants (33%) the most common types. While many find these devices to be helpful (41%) and convenient (36%), a significant proportion described them as a security risk (24%) and intrusive (22%). Some even said they are not trustworthy (15%), creepy (12%) or scary (8%).

The study also highlighted how the increase in screen time during the COVID-19 pandemic has negatively impacted many consumers’ physical (52%) and mental health (41%), in addition to making them more vulnerable to online harms.  

Sarah Uhlfelder, senior strategic director EMEA at NortonLifeLock, commented: “With Brits admitting to spending 5.5 hours a day looking at screens on top of the time they spend on devices for school or work purposes, it’s inevitable that excessive screen time is making many feel burnt out.

“Make no mistake, technology can and does bring a number of social and educational benefits and, over the past year, we even saw it become a lifeline for many. In the UK, one in five adults (21%) purchased a new smart home or connected device to help them and their family cope with the pandemic as lockdowns increased limitations to our social life and it's somewhat virtualized. But, in an increasingly virtual world, adopting healthy screen time routines and digital safety habits is a vital part of daily life.

“Beyond setting boundaries for device usage and screen time limits, people need to be wary of the risks they might be facing online, too. Being mindful of what you reveal about yourself online and exercising caution around potential scams, fraudulent sites or apps, paired with good password hygiene and device protection from multi-layered security software, can go a long way in helping to keep you and your family safe online.”  

Categories: Cyber Risk News

Microsoft Power Apps Tool Exposed 38 Million Records by Default

Info Security - Tue, 08/24/2021 - 09:40

A configuration issue with a popular Microsoft development platform has exposed tens of millions of sensitive customer records, including those containing COVID-19 information, according to researchers.

Microsoft Power Apps enables “citizen developers” to create mobile and web-based apps for their businesses.

However, a team from UpGuard found that the portal for the platform was configured to allow public access in many cases, exposing at least 38 million records.

The issue stems from the Open Data Protocol (OData) APIs for retrieving data from Power Apps lists. This is the configuration used to “expose records for display on portals.”

“Lists pull data from tables, and limiting access to the list data that a user can see requires enabling Table Permissions,” explained UpGuard.

“‘To secure a list, you must configure Table Permissions for the table for which records are being displayed and also set the Enable Table Permissions Boolean value on the list record to true.’ If those configurations are not set and the OData feed is enabled, anonymous users can access list data freely.”

UpGuard said it first discovered the privacy issue in May. However, after securing one customer, it wondered whether others had lists set to be accessed anonymously via OData feed APIs, exposing sensitive data.

UpGuard said it found over a thousand anonymously accessible lists across several hundred portals. Among the organizations exposed in this way were American Airlines, Ford and multiple public sector entities.

“Among the examples of sensitive data exposed via OData APIs were three Power Apps portals used by American governmental entities to track COVID-19 tracing or vaccination and a portal with job applicant data including Social Security Numbers,” said UpGuard.

Microsoft eventually responded by notifying government customers of the issue and putting several mitigations in place to reduce the likelihood of accidental misconfiguration.

Categories: Cyber Risk News

Mass Exploitation of Exchange Server ProxyShell Bugs

Info Security - Tue, 08/24/2021 - 09:27

Tens of thousands of global Microsoft Exchange servers could be at risk after threat actors began exploiting three so-called “ProxyShell” vulnerabilities.

The three bugs were discovered in the April Pwn2Own competition and patched by Microsoft in April and May. However, the tech giant only assigned CVEs to them in July, complicating efforts by some sysadmins to check if their systems were vulnerable.

In the meantime, threat actors managed to take publicly available information on the vulnerabilities and craft exploits for the three bugs.

Now the Cybersecurity and Infrastructure Security Agency (CISA) has urged vulnerable organizations to patch the flaws.

“Malicious cyber actors are actively exploiting the following ProxyShell vulnerabilities: CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207. An attacker exploiting these vulnerabilities could execute arbitrary code on a vulnerable machine,” it said.

“CISA strongly urges organizations to identify vulnerable systems on their networks and immediately apply Microsoft’s Security Update from May 2021 — which remediates all three ProxyShell vulnerabilities — to protect against these attacks.”

Security experts have warned that threat actors actively scan for vulnerable servers to install web shells on, enabling further malicious activity. The situation calls to mind the four zero-day ProxyLogon bugs patched in March, which were exploited far and wide.

Huntress Labs said it had seen over 140 web shells installed across 1900+ unpatched servers in just 48 hours last week.

The bugs are apparently also being used in conjunction with the recently revealed PetitPotam vulnerability to deliver LockFile ransomware.

Symantec explained the threat in an updated blog post yesterday.

Categories: Cyber Risk News

AT&T Denies Data Breach

Info Security - Mon, 08/23/2021 - 20:49

Telecommunications company AT&T has trashed claims that the personal data of 70 million of its customers has been stolen by the threat actor ShinyHunters.

The cyber-thief, whose previous exploits have affected Microsoft, Dave, Tokopedia, Pixlr, Mashable, and Havenly among others, posted news of the data theft on an underground hacking forum earlier this month. 

On the forum, ShinyHunters shared a small sample of the data they claim to have swiped from AT&T. The threat actor also offered to sell the whole database for the price of $1m. 

Researchers at RestorePrivacy analyzed the sample of data shared by the threat actor. 

"We examined the sample, and it appears to be authentic based on available public records. Additionally, the user who posted it has a history of major data breaches and exploits," wrote researchers in a blog post. 

They added: "While we cannot yet confirm the data is from AT&T customers, everything we examined appears to be valid."

Researchers believe that ShinyHunters has accessed customer data including names, phone numbers, physical addresses, email addresses, Social Security numbers, and birth dates. 

The hacker told RestorePrivacy that all the allegedly stolen data related to AT&T customers located in the United States. While they would not reveal how they obtained the data, ShinyHunters did say that they had accessed three encrypted strings of data that included dates of birth and Social Security numbers. 

In an update to a blog post published August 19, the researchers said that AT&T had denied the breach.

An AT&T corporate communications officer told RestorePrivacy: "Based on our investigation today, the information that appeared in an internet chat room does not appear to have come from our systems."

Researchers described the company's response as "interesting" and noted that "the claim that this was posted in an 'internet chat room' is simply not correct. It was posted in a well-known hacking forum by a user with a history of large (and verified) exploits." 

The communication company's comment came as no shock to ShinyHunters. 

The threat actor told researchers: "It doesn’t surprise me. I think they will keep denying until I leak everything."

Categories: Cyber Risk News

Poly Network Hacker Returns Remaining Funds

Info Security - Mon, 08/23/2021 - 18:09

Every token swiped in the world's biggest ever crypto-currency heist has now been returned to the victim organization. 

A cyber-thief hit blockchain connection platform Poly Network on August 10, stealing crypto-currency worth more than $610m. After a blockchain keeper's private key was leaked, the attacker exploited a code vulnerability to change the “keeper role” of two blockchain contracts so that any transaction was possible. 

From a Bscscan contract, the threat actor made the following withdrawals: $133,023,777.79, $85,519,813.63, $87,594,029.67, $132,907,573.59, $132,907,574.59 and $133,029,927.08 (USD). A further $93,343,903.87 in Ether was withdrawn ($182,628,360.16 USD) from an Etherscan contract.

After the attack took place, Poly Network appealed to the culprit to give back their ill-gotten gains. The attacker responded by saying that they had performed the theft to make a point about security and had always intended to give the proceeds back.

In the days that followed, the attacker began paying back the stolen funds in increments. By August 13, nearly half of the tokens ($260m worth) had been returned to Poly Network in the form of $3.3m worth of Ethereum, $256m worth of Binance Coin, and $1m worth of Polygon. 

While negotiating with Poly Network to return the funds, the hacker was given the name Mr. White Hat by their victim. The platform offered the unknown attacker a job as its chief security advisor and offered to pay them a $500k bug bounty for identifying the flaw exploited in the attack. 

Now the mystery hacker has given their victim access to the final cache of stolen tokens. In a blogpost published on Monday, Poly Network said Mr. White Hat had at last shared with them the private key needed to regain control of the remaining tokens.

"At this point, all the user assets that were transferred out during the incident have been fully recovered," said the organization. "We are in the process of returning full asset control to users as swiftly as possible."

Prior to the theft from Poly Network, the biggest crypto-heist to have occurred took place in 2018 when thieves stole $534.8m from Japanese digital currency exchange Coincheck.

Categories: Cyber Risk News

Hackers Leak Footage of Iranian Prison

Info Security - Mon, 08/23/2021 - 16:34

A hacking group has leaked what it claims is surveillance footage shot inside an Iranian prison where political prisoners are typically incarcerated.

Silent videos capturing the dire conditions of life inside Tehran's Evin Prison were shared with the media on Sunday by hacktivist group Tapandegan (Palpitations). Iran International reports that the Tapandegan received the images from a hacking group calling itself Edalat-e Ali (Ali's Justice).

The footage shows guards beating a prisoner and guards and prisoners fighting among themselves. In one video, an emaciated prisoner is shown passing out and falling to the ground before being dragged up some stairs.

What appears to be an attempt by one prisoner to end his own life was captured by the CCTV. The footage shows a man breaking a bathroom mirror and attempting to cut open his arm with one of the shards. 

Images in which guards are shown wearing facemasks are believed to date from the COVID-19 pandemic. Most of the videos bear a timestamp from this year or 2020.

Ali's Justice claims to have hacked into the prison's surveillance system a few months ago and stolen hundreds of gigabytes of data. The group said it was exposing the stolen footage now to coincide with the election of Iranian president Ebrahim Raisi.

Some of the footage appears to capture a cyber-attack taking place at the prison. It shows a guard looking on as monitor after monitor in a control room flashes red and then displays the text "cyberattack" along with an image of scales. The message “The Evin prison is a stain on Raisi’s black turban and white beard” then appears.

The Associated Press noted that the computer system in use in the control room appeared to be running Windows 7. With patches no longer provided for this operating system by Microsoft, it would be vulnerable to attack. 

While Edalat-e Ali appears to be a new hacking group, Tapandegan became notorious in 2018 when they hacked into systems at Mashhad International Airport and posted anti-government messages and images on arrival and departure information screens. 

Evin was built in the 1970s and holds around 15,000 people. 

Categories: Cyber Risk News

US State Department Hit By Cyber-Attack

Info Security - Mon, 08/23/2021 - 13:08

The U.S. State Department has reportedly suffered a cyber-attack leading to notifications of a possible serious breach being made by the Department of Defense Cyber Command.

Fox News journalist Jacqui Heinrich made the claim in a series of tweets over the weekend. She wrote, “The State Department has been hit by a cyber attack, and notifications of a possible serious breach were made by the Department of Defense Cyber Command.

“It is unclear when the breach was discovered, but it is believed to have happened a couple of weeks ago.”

Heinrich added that the State Department’s mission to evacuate US personnel and allied refugees from Afghanistan has “not been affected” by the incident.

She also tweeted that “the extent of the breach, investigation into the suspected entity behind it, efforts taken to mitigate it, and any ongoing risk to operations remains unclear.”

Reuters then reported that a “knowledgeable source” had informed them that the department had not experienced any significant disruptions or had its operations impeded in any way.

A spokesperson for the State Department was quoted as saying, “The department takes seriously its responsibility to safeguard its information and continuously takes steps to ensure information is protected. For security reasons, we are not in a position to discuss the nature or scope of any alleged cybersecurity incidents at this time.”

Commenting on the story, Sam Curry, chief security officer, Cybereason, said, “The recent cyber-attack against the U.S. State Department is a reminder that anyone and everyone can be hit and will be hit. Today, it is a matter of how quickly threats are discovered and how quickly they are stopped. Overall, the State Department’s networks are big, and they are presumably getting attacked by nation-states, terrorists and other adversaries on a daily basis. However, without more data on the recent attack, it would be premature to make assumptions on the motives or groups involved in this latest action.

“There’s no shame in being attacked, and disclosing it properly is laudable. There’s a world of difference between an infrastructure breach where a nation-state, rogue group or hacktivist gets in and an information or material breach that causes damage. While the State Department isn’t likely to disclose any further details of this attack, given the current chaos on the ground in Afghanistan and lingering tensions with Russia over the Colonial and JBS attacks and China for carrying out the Microsoft Exchange Server attacks, public and private sector security teams should be on high alert. Also, allies of the US across Europe, Asia-Pacific and Africa should be on high alert. Let’s hope the perception by some that the US is distracted doesn’t lead to more attacks and chaos.”

The revelation has come just weeks after a bipartisan report was published by the Senate Homeland Security and Governmental Affairs Committee, which found “stark” shortcomings in the cybersecurity posture of many federal agencies. The report rated the State Department “effectively a D” regarding its cybersecurity posture, “the lowest possible rating within the Federal Government’s maturity model.”

Curry added, “The State Department attack is one of the reasons for the EDR mandate for the US federal government agencies in the recent White House Executive Order. Having a means of finding the attacks like the one on the State Department as threat actors move in the slow, subtle, stealthy way through networks is the only option in returning defenders to higher ground above threat actors. Advanced prevention, building resilience, ensuring that the blast radius of payloads is minimized and generally using peacetime to foster antifragility is achievable. Today, it’s not about who we hire or what we buy. It’s about how we adapt and improve every day.”

Categories: Cyber Risk News

Infosecurity Europe Moves to ExCeL London in 2022

Info Security - Mon, 08/23/2021 - 10:00

Infosecurity Europe, Europe’s number one information security event, will run from Tuesday 21 to Thursday 23 June 2022 in its new home, ExCeL London.

For many years, Infosecurity Europe, organised by RX (Reed Exhibitions), has taken place at London Olympia. The last two editions of the in-person event have been postponed due to COVID-19.

According to the organizers, the change of venue will allow the event to continually evolve and grow the exhibition and conference program to keep pace with the ever-increasing importance of cybersecurity.


Nicole Mills, exhibition director at Infosecurity Group, says: “Our fantastic partnership with London Olympia has played an integral part in our journey to become Europe’s premier information security event, and largest community of cybersecurity professionals. In that time, the importance of information security across every facet of society and business has increased enormously, and ExCeL London offers us the perfect platform for the next stage in our development.”

Mills refers to the larger size and greater flexibility of the space and facilities offered at ExCeL London and the regeneration of the local area around ExCeL London.

Simon Mills, Executive Director of ExCeL London, adds: “We are delighted that Infosecurity Europe, the largest gathering of the information security community in Europe, has chosen ExCeL London as its new home.”

Categories: Cyber Risk News

UK Regulator Raises Serious Concerns Over Nvidia-Arm Deal

Info Security - Mon, 08/23/2021 - 09:44

The UK’s competition authority has raised significant competition concerns over Nvidia’s proposed $40bn takeover of chip designer Arm but did not cite any national security grounds for shelving the deal.

The US-based GPU specialist had wanted to complete the takeover of Cambridge-based Arm within 18 months, but that seems in doubt with the latest review from the Competition and Markets Authority (CMA).

Its report cited “detailed and reasoned submissions from customers and competitors raising concerns” across the globe.

“After careful examination, the CMA found significant competition concerns associated with the merged business’ ability and incentive to harm the competitiveness of Nvidia’s rivals (that is, to ‘foreclose’) by restricting access to Arm’s CPU IP and impairing interoperability between related products, so as to benefit Nvidia’s downstream activities and increase its profits,” it said.

The CMA said the supply of CPUs, interconnected products, GPUs and SoCs could be harmed in this way, across several global markets covering datacenter, IoT, automotive and gaming console applications.

“The CMA found that the foreclosure strategies identified would reinforce each other and would, individually and cumulatively, lead to a realistic prospect of a substantial lessening of competition, and consequently to a stifling of innovation, and more expensive or lower quality products,” the report continued.

The competition regulator concluded that Nvidia’s suggested remedies would not address these concerns given the complexity of the contracts and markets involved, the magnitude of the concerns and the “breadth and technical nature of the offer.”

Arm’s designs are found in most smartphones on the planet and technologies related to military and defense. However, the CMA decision did not reference any concerns over national security.

The UK’s digital secretary will have to decide whether to proceed to a more detailed “phase two” investigation. Lawmakers from the ruling Conservative Party are increasingly pressuring the government not to allow strategically important British companies to be taken over by foreign businesses.

SoftBank acquired Arm for $32bn (£23bn) back in 2016.

Categories: Cyber Risk News

T-Mobile Breach Now Affects 54.6 Million Individuals

Info Security - Mon, 08/23/2021 - 09:17

Around six million more current and former T-Mobile customers were affected by a recently disclosed data breach, the US carrier has revealed.

The firm said it was confident it had now closed off access and egress points for the attack but admitted that the breach impacted many more individuals than at first thought.

It said 5.3 million more post-paid customer accounts were compromised, exposing names, addresses, dates of birth, phone numbers, IMEIs and IMSIs. That’s on top of the 7.8 million already breached.

T-Mobile said it had now also determined that phone numbers and IMEI and IMSI information were compromised for these 7.8 million individuals. That puts them at greater risk of SIM swapping fraud.

In addition, an extra 667,000 accounts of former T-Mobile customers have been accessed, compromising customer names, phone numbers, addresses and dates of birth, the carrier said.

This is on top of the 40 million former and prospective customers who had applied for credit and whose details were subsequently stolen by attackers.

Finally, up to 52,000 names related to current Metro by T-Mobile accounts may have been included in the hackers’ haul. However, no other personally identifiable information (PII) was taken from these individuals.

With the additional disclosures, the total figure for the breach now stands at 54.6 million current, former and prospective customers, up from 49 million.

Martin Riley, director of managed security services at Bridewell Consulting, said it was extremely concerning that T-Mobile was only made aware of the original incident after a threat actor started selling stolen customer data online.

“The problem is that working out what has been taken, and when, can be very challenging for many organizations which is why the average breach detection and containment time is still so long,” he added.

“Enterprises need to shift from a security monitoring and notification approach to one focused on threat detection and response. T-Mobile has been subject to numerous attacks in the past few years and needs to act competently and confidently to minimize reputational damage or a decline in public confidence.”

Categories: Cyber Risk News

New LockFile Ransomware Variant Exploits "PetitPotam" Bug

Info Security - Mon, 08/23/2021 - 08:46

Researchers are warning of a new ransomware variant spreading globally via exploitation of the “PetitPotam” vulnerability partially patched by Microsoft last week.

Symantec said the “LockFile” variant was first spotted on July 20 in an attack on a US financial services organization and has subsequently targeted at least ten corporate victims around the world up to August 20.

Attacks begin by accessing victims’ Microsoft Exchange servers, although the initial access vector isn’t yet clear.

Days after this initial access was established, threat actors installed a set of tools on the compromised server, including an exploit for CVE-2021-36942 (PetitPotam) and additional files designed to download shellcode to help with the exploitation.

First discovered by a French researcher around a month ago, PetitPotam is an NTLM relay attack vulnerability that an attacker can use with low privileges to take over a domain controller.

It’s been reported that Microsoft’s Patch Tuesday fix for the bug has not fully patched the vulnerability.

“Once access has been gained to the local domain controller, the attackers copy over the LockFile ransomware, along with a batch file and supporting executables, onto the domain controller. These files are copied into the ‘sysvol\domain\scripts’ directory,” Symantec explained.

“This directory is used to deploy scripts to network clients when they authenticate to the domain controller. This means that any clients that authenticate to the domain after these files have been copied over will execute them.”
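Because anything dropped into the SYSVOL scripts share runs on every client that subsequently authenticates, defenders can audit that share for recently changed or unrecognised executable content. The following is an added example (not Symantec's or Infosecurity's code); it assumes a domain-joined host with read access to SYSVOL, and the known-good hash list is a placeholder to be filled with your own approved logon-script hashes.

```powershell
# Added example: audit the SYSVOL scripts share for recently added or changed
# scripts/executables. Assumes read access to \\<domain>\SYSVOL; $KnownGoodSha256
# is a placeholder allow-list you populate from a known-clean baseline.
param(
    [string]$Domain = $env:USERDNSDOMAIN,
    [int]$LookbackHours = 72,
    [string[]]$KnownGoodSha256 = @()   # placeholder: SHA256 of approved logon scripts
)

$scriptsPath = "\\$Domain\SYSVOL\$Domain\scripts"
if (-not (Test-Path -LiteralPath $scriptsPath)) {
    Write-Error "Cannot reach $scriptsPath"
    return
}

$cutoff = (Get-Date).AddHours(-$LookbackHours)

# File types that will execute on a client when deployed as a logon script
$riskyExt = @('.bat', '.cmd', '.exe', '.ps1', '.vbs', '.js', '.dll')

$findings = Get-ChildItem -LiteralPath $scriptsPath -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $riskyExt -contains $_.Extension.ToLower() } |
    ForEach-Object {
        $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        [pscustomobject]@{
            Path         = $_.FullName
            LastWrite    = $_.LastWriteTime
            SizeBytes    = $_.Length
            Sha256       = $hash
            Recent       = ($_.LastWriteTime -gt $cutoff)
            Unrecognised = ($KnownGoodSha256 -notcontains $hash)
        }
    } |
    Where-Object { $_.Recent -or $_.Unrecognised }

if ($findings) {
    Write-Warning "$(@($findings).Count) file(s) in SYSVOL scripts need review"
    $findings | Sort-Object LastWrite -Descending | Format-Table -AutoSize
} else {
    Write-Output "No recent or unrecognised executable content in $scriptsPath"
}
```

Run it on a schedule from a monitoring host and alert on any finding; GPO-assigned logon scripts live under SYSVOL\<domain>\Policies\<GUID>\User\Scripts and deserve the same check.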

The security giant added that although LockFile appears to be a new ransomware variant, it could have links to “previously seen or retired threats.”

Both DarkSide and REvil/Sodinokibi operations have gone silent in recent months after high-profile affiliate attacks put them in the media spotlight and under the scrutiny of the US government.

The threat actors behind LockFile use a similarly designed ransom note to that used by the LockBit gang and reference the Conti group in the email address they use for communications.

Categories: Cyber Risk News