Feed aggregator

Novel Phishing Attack Abuses Google Drive and Docs

Info Security - Fri, 06/18/2021 - 08:59
Enterprising cyber-criminals have found a way to create convincing phishing emails which abuse Google Docs and Drive functionality to bypass security filters, according to Avanan.

Researchers at the email security vendor claimed this is the first time such techniques have been used to piggyback on a popular service like Google’s.

The email that victims receive contains what appears to be a legitimate Google Docs link, Avanan explained in a blog post.

Clicking through takes the user to a Google Docs page hosting what appears to be a Word doc.

“This Google Docs page may look familiar to those who share Google Docs outside of their organization. This, however, isn’t that page. It’s a custom HTML page made to look like that familiar Google Docs share page,” Avanan explained.

“The attacker wants the victim to ‘Click here to download the document’ and once the victim clicks on that link, they will be redirected to the actual malicious phishing website where their credentials will be stolen through another web page made to look like the Google Login portal.”

The attack itself is fairly simple to execute. A malicious coder creates an HTML web page designed to resemble a Google Docs sharing page and uploads it to Google Drive.

Then they simply right-click to open in Google Docs, before embedding and publishing it to the web. Google does most of the hard work, including generating a link that will render the full HTML file, Avanan explained.

The vendor claimed a similar technique had been used to spoof a DocuSign document, taking the user to a fake DocuSign login page.

Using Google Docs in this way, attackers have a good chance of bypassing static link scanners that many legacy security products use, Avanan argued. An AI-based tool capable of spotting suspicious behavior should perform better.

Phishing remains the top threat vector for today’s cyber-criminals. Of the 62.6 billion cyber-threats detected by Trend Micro last year, over 91% were sent via email.

Hank Schless, senior manager of security solutions at Lookout, argued that phishing attacks like these could seriously impact corporate cybersecurity.

“Threat actors know that stealing legitimate login credentials is the best way to discreetly enter an organization’s infrastructure. Since most organizations use either Google Workspace or Microsoft 365 as their main productivity platform, attackers build phishing campaigns that specifically exploit those services,” he added.

“Once the attacker has those login credentials and can log into the cloud platform they’ve chosen to build their campaign around, there’s no limit to what data they could exfiltrate.”

Categories: Cyber Risk News

Carnival Confirms Another Breach Impacting Staff and Passengers

Info Security - Fri, 06/18/2021 - 08:23
One of the world’s largest cruise ship operators has disclosed a data breach from mid-March, impacting an unspecified number of customers, employees, and crew.

Carnival Corporation runs many of the globe’s leading cruise lines, including P&O, Cunard and Carnival Cruise Line.

According to a data breach notification letter sent to customers and seen by Infosecurity, the firm detected unauthorized third-party access to a “limited number” of email accounts on March 19.

“The impacted information includes data routinely collected during the guest experience and travel booking process or through the course of employment or providing services to the company, including COVID or other safety testing,” it continued.

“That information may include names, addresses, phone numbers, passport numbers, dates of birth, health information and in some limited instances additional personal information such as Social Security or national identification numbers.”

According to reports, the incident affected customers and employees on Carnival Cruise Line, Holland America Line and Princess Cruises.

Although Carnival claimed in the letter that there was a “low likelihood” of the data being misused, it urged recipients to review their account statements and credit history and be on guard for possible follow-on phishing attempts using the information.

The firm also offered those affected free credit monitoring and identity theft detection for 18 months. 

This isn’t the first time Carnival has suffered a security breach.

In March 2020, it revealed that the personal information of passengers and crew was obtained by a third party the previous May, impacting its Princess Cruises and Holland America Line brands.

Then in August 2020, it revealed that ransomware attackers managed to steal personal information from guests and employees of its Carnival Cruise Line, Holland America Line and Seabourn businesses.

Categories: Cyber Risk News

A Billion CVS Records Exposed

Info Security - Thu, 06/17/2021 - 18:40
More than a billion records were exposed after a misconfiguration error left a CVS Health cloud database without password protection.

The 240GB of unsecured data was discovered by WebsitePlanet and security researcher Jeremiah Fowler in a cooperative investigation. 

Because of the security oversight by CVS Health, which owns CVS Pharmacy and Aetna, a total of 1,148,327,940 records were exposed.

Information that was left publicly accessible to anyone who knew how to look for it included customers' search histories detailing their medications, and production records that exposed visitor ID, session ID, and device information (i.e., iPhone, Android, iPad, etc.). 

Personal data was also exposed, with researchers noting that "a sampling search query revealed emails that could be targeted in a phishing attack for social engineering or potentially used to cross reference other actions."

Researchers said that any threat actors who accessed the database could have gleaned a clear understanding of configuration settings, discovered where data is stored, and accessed a blueprint of how the logging service operates from the backend.

After encountering the unprotected database on March 21, researchers contacted CVS Health, which acted swiftly to restrict public access.

“We were able to reach out to our vendor and they took immediate action to remove the database," said CVS Health. "Protecting the private information of our customers and our company is a high priority, and it is important to note that the database did not contain any personal information of our customers, members or patients.”

“Misconfigurations like these are becoming all too common. Exposing sensitive data doesn’t require a sophisticated vulnerability, and the rapid growth of cloud-based data storage has exposed weaknesses in processes that leave data available to anyone," PJ Norris, senior systems engineer at Tripwire, told Infosecurity Magazine.

He continued: "A misconfigured database on an internal network might not be noticed, and if noticed, might not go public, but the stakes are higher when your data storage is directly connected to the internet. Organizations should identify processes for securely configuring all systems, including cloud-based storage, like Elasticsearch and Amazon S3."

Categories: Cyber Risk News

Australia Suffers Widespread Internet Outage

Info Security - Thu, 06/17/2021 - 17:48
Australians' lives were disrupted on Thursday by a widespread internet outage that impacted the country's mail service and multiple businesses, including banks and airlines.

The outage began in the early hours and was caused by a problem at Akamai Technologies, a global content delivery network (CDN) and cybersecurity and cloud service provider. 

Akamai, which is based in Cambridge, Massachusetts, has acknowledged the issue, but has not yet disclosed the cause of service disruptions to its hosting platform, which mitigates against Distributed Denial-of-Service (DDoS) attacks. 

Akamai’s Chris Nicholson told NPR: "Akamai can confirm the segment of our Prolexic platform impacted is up and running and we are continuing to validate services. We will share more details of what transpired, but our first priority is ensuring all customer impact is mitigated."

Three of the country's four largest banks – ANZ, Westpac, and the Commonwealth Bank (CBA) – were all affected along with many smaller banks and some credit unions.

On Thursday afternoon, banking customers began reporting on social media that they were experiencing access issues when trying to use online banking services and banking apps.

Banks used social media to let their customers know that they were trying to deal with the situation.

CBA tweeted: "We're aware some of you are experiencing difficulties accessing our services and we're urgently investigating."

The Reserve Bank of Australia said on Thursday night: "We have implemented appropriate mitigations and the website is now back up and running." 

However, ABC News reported that ongoing technical problems led to the cancellation of some market operations between the Reserve Bank and other commercial banks. 

Services were also disrupted at Southwest Airlines, United Airlines, and Virgin Australia, which stated on social media that it was being impacted by a system outage that had affected its website and contact center.

Virgin, whose services were back online shortly after 5pm, stated that it "was one of many organizations to experience an outage with the Akamai content delivery system today and we are working with them to ensure that necessary measures are taken to prevent these outages from reoccurring."

The national mail service, Australia Post, said that a number of its services had been knocked offline by an "external outage." The Hong Kong Stock Exchange‘s website was also impacted.

Categories: Cyber Risk News

Hackers Can Spy on Peloton Workouts

Info Security - Thu, 06/17/2021 - 16:13
Peloton bike users could be spied on while working out, according to new research by McAfee's Advanced Threat Research team.

The team discovered a vulnerability (CVE-2021-3387) in the touchscreen of the $2,495 Bike+ that allows it to be controlled remotely by a threat actor without any interference to the equipment's operating system.

Hackers could exploit the flaw to install malicious apps that spoof Netflix or Spotify to steal personal details and login credentials. 

Researchers also found that the vulnerability allowed bad actors to access the Peloton bike's microphone and camera to spy on users. 

McAfee said that bikes used in hotels and other public spaces were most at risk because hackers had to physically access the screen and infect it with malicious code stored on a USB drive to exploit the flaw. 

The lower-priced Peloton Bike is not affected by the flaw as the fitness device uses a different type of touchscreen. 

But researchers noted: "Further conversations with Peloton confirmed that this vulnerability is also present on Peloton Tread exercise equipment; however, the scope of our research was confined to the Bike+."

The flaw was detected in the Peloton bike's software. After McAfee shared the discovery with Peloton, the two companies joined forces to "responsibly develop and issue a patch."

A mandatory software update that fixes the issue was released to users by Peloton earlier this month. 

Adrian Stone, Peloton’s Head of Global Information Security, said: “This vulnerability reported by McAfee would require direct, physical access to a Peloton Bike+ or Tread. Like with any connected device in the home, if an attacker is able to gain physical access to it, additional physical controls and safeguards become increasingly important. 

"To keep our members safe, we acted quickly and in coordination with McAfee. We pushed a mandatory update in early June and every device with the update installed is protected from this issue.”

McAfee's report is the second security issue to hit Peloton in the past two months. In May, the company released an update to stop the leakage of personal account information, including the age, weight and location of its users.

Categories: Cyber Risk News

LORCA Announces New Intensive Program for Most Promising Cyber Startups

Info Security - Thu, 06/17/2021 - 15:28
The London Office for Rapid Cybersecurity Advancement (LORCA) has launched a new initiative designed to propel the growth of UK cyber startups.

LORCA Ignite will see six of the most successful companies that have graduated from the LORCA accelerator program during the past three years participate in a new, intensive program, which will help them achieve rapid scale and commercial growth.

LORCA is a government-backed initiative that started in 2018 to accelerate the growth of UK cyber startups. It is delivered by Plexal at the London-based technology hub Here East and is supported by Deloitte and the Centre for Secure Information Technologies (CSIT) at Queen’s University Belfast. The year-long programs help the selected startups to secure investment, access new markets, and even participate in overseas trade missions, alongside mentoring and training sessions.

LORCA has significantly exceeded expectations during that time: the 72 cyber startups and scaleups that have taken part in the program so far have raised more than £200m in investment and generated over £37m in revenue. The level of investment achieved at this point is a massive 450% higher than the original target LORCA set in 2018.

The new six-month program will enable the six selected firms to attend commercial and technology validation clinics and a showcase event. These firms have collectively raised £27m in investment and grants in the last three years. Additionally, LORCA Ignite will provide them with access to investors, mentoring services, and national and global networks and connect them to companies and security leaders who may require their products and services.

The cohort will also receive professional services expertise from several of LORCA's corporate partners, including AHL Connect, Outfly, Informed Funding, and Infosec People.

The six companies making up the LORCA Ignite cohort are:

Digital Infrastructure Minister Matt Warman commented: “Good cybersecurity is the bedrock of our digital economy, and our thriving sector will play a vital role in helping the nation build back better and stronger from the pandemic.

“Through our support for LORCA, we are backing our innovative cyber startups to grow their businesses and develop the cutting-edge solutions people and companies need to stay one step ahead of security threats.”

Saj Huq, director of LORCA, outlined: “LORCA Ignite is the evolution of an accelerator program that has demonstrated the extraordinary success of the British startup ecosystem over the last three years. By combining government support with innovation expertise and access to investors and global tech leaders, LORCA has accelerated the growth of a new generation of world-class British cyber startups. LORCA Ignite will continue that growth trajectory for some of the most high-potential businesses that have participated in our program. The UK has a globally competitive cyber ecosystem, and we need to provide support to the cyber scaleups at the forefront of what is quickly becoming a jewel in the UK’s tech crown.”

This week, it was announced that Risk Ledger, one of the companies that will take part in LORCA Ignite, has been chosen by NHS Test and Trace to help it manage its supply chain cybersecurity risks.

Categories: Cyber Risk News

Puzzling New Malware Blocks Access to Piracy Sites

Info Security - Thu, 06/17/2021 - 13:00
Researchers have admitted they’re baffled by a new piece of malware primarily designed to prevent victims from visiting software piracy sites.

Sophos principal researcher, Andrew Brandt, branded the discovery “one of the strangest cases I’ve seen in a while.”

It’s hidden in pirated copies of various software, including security products, and distributed on the game chat service Discord and through BitTorrent. Once double-clicked, it flashes up a bogus error message on the victim’s screen while executing.

The malware apparently blocks infected users from visiting a large number of piracy sites by modifying the HOSTS file on their systems. Brandt described this as a “crude but effective” strategy — crude because although it works, the malware has no persistence mechanism.

This means that anyone can remove the HOSTS file entries, and they stay removed unless the program is run a second time. Bizarrely, Brandt claimed to have discovered a malware family that behaved almost identically more than a decade ago.
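Because the malware's only lasting effect is a set of HOSTS entries pointing piracy domains at a blackhole address, an incident responder can both confirm an infection and verify cleanup by auditing that file. The following is an added example, not Sophos's code or the malware's own block list; the hosts-file content and the `.test` domain names are constructed for the demonstration, and the helper names (`find_blocked_hosts`, `clean_hosts`) are assumptions.

```python
import ipaddress
from typing import Dict, List, Tuple

# Addresses that swallow traffic instead of resolving it. A public hostname
# mapped to one of these is being blocked, not routed.
BLACKHOLE = {"0.0.0.0", "127.0.0.1", "::1", "::"}

# Names a stock hosts file legitimately maps to loopback; these are not findings.
DEFAULT_LOOPBACK_NAMES = {
    "localhost", "localhost.localdomain", "ip6-localhost",
    "ip6-loopback", "broadcasthost",
}

# Constructed sample of a post-infection hosts file (not a real capture).
# On Windows the file lives at %SystemRoot%\System32\drivers\etc\hosts,
# on Linux/macOS at /etc/hosts.
SAMPLE_HOSTS = """# constructed sample, not a capture from a real infection
127.0.0.1 localhost
::1 localhost ip6-localhost
0.0.0.0 piracy-example.test  # block entry of the kind the article describes
0.0.0.0 tracker-example.test
192.0.2.10 intranet.example   # ordinary static mapping, not a block
"""


def parse_hosts(text: str) -> List[Tuple[str, str, int]]:
    """Return (address, hostname, line_no) triples, ignoring comments and junk."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line, not an address; skip it
        for name in parts[1:]:
            entries.append((parts[0], name.lower(), line_no))
    return entries


def find_blocked_hosts(text: str) -> Dict[str, List[str]]:
    """Map each blackhole address to the public hostnames it swallows."""
    blocked: Dict[str, List[str]] = {}
    for addr, name, _ in parse_hosts(text):
        if addr in BLACKHOLE and name not in DEFAULT_LOOPBACK_NAMES:
            blocked.setdefault(addr, []).append(name)
    return blocked


def clean_hosts(text: str) -> str:
    """Return the hosts text with blackhole entries for public hostnames removed.

    Lines that also carry a default loopback name are kept untouched so the
    stock localhost mappings survive the cleanup.
    """
    kept = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].strip().split()
        is_block = (
            len(parts) >= 2
            and parts[0] in BLACKHOLE
            and not any(n.lower() in DEFAULT_LOOPBACK_NAMES for n in parts[1:])
        )
        if not is_block:
            kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for addr, names in find_blocked_hosts(SAMPLE_HOSTS).items():
        print(f"{addr} blocks: {', '.join(names)}")
    assert find_blocked_hosts(clean_hosts(SAMPLE_HOSTS)) == {}
```

Re-running `find_blocked_hosts` on the cleaned text is the check that the entries are really gone; since the article notes the malware has no persistence mechanism, a later reappearance means the dropper was executed again.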

The malware also downloads and executes a second payload, an executable named “ProcessHacker.jpg.”

It’s detected by Sophos as Mal/EncPk-APV.

Brandt said that the malware developer’s end game is still a mystery.

“On the face of it, the adversary’s targets and tools suggest this could be some kind of crudely compiled anti-piracy vigilante operation. However, the attacker’s vast potential target audience — from gamers to business professionals — combined with the curious mix of dated and new tools, techniques and procedures (TTPs) and the bizarre list of websites blocked by the malware, all make the ultimate purpose of this operation a bit murky,” he added.

“There may not even be an overall purpose to this attack at all. However, that doesn’t reduce the level of risk or the potential disruption for victims.”

Brandt urged users to install a robust security solution to spot such threats and avoid downloading pirated or “too good to be true” software.

Categories: Cyber Risk News

60% of Businesses Would Consider Paying a Ransomware Demand

Info Security - Thu, 06/17/2021 - 10:23
Three in five (60%) organizations would consider paying an extortion demand in the event of a ransomware attack, according to a new study by the Neustar International Security Council (NISC).

The research also revealed that one in five businesses would be prepared to spend 20% or more of their annual revenue to restore their systems in these situations.

The findings have come amid a surge in high-profile ransomware incidents in recent months, many of which have resulted in substantial payouts to the perpetrators. For example, just last week, meat processing company JBS confirmed it paid its extorters $11bn. In contrast, last month it was reported that Colonial Pipeline paid out $4.4m after attackers knocked the US’ largest fuel pipeline offline. In the latter case, the US Department of Justice was able to seize the majority of funds paid to the Russian ransomware group.

These incidents have reignited the complex debate on whether it is ever right for organizations to pay a ransomware demand.

Encouragingly, Neustar’s study, which was based on a survey of 304 senior professionals across six EMEA and US markets, found that 80% of respondents emphasize defending against ransomware attacks in light of current events. More than two-thirds (69%) saw ransomware as a growing threat to their organization, making it the top concern across more than a dozen attack vectors.

The participants were also asked for their views on the effectiveness of currently available security technologies in protecting against ransomware. Close to three-quarters (74%) said they were either ‘very’ or ‘somewhat’ sufficient, while 26% viewed the technologies as ‘somewhat’ or ‘very’ insufficient.

Rodney Joffe, NISC Chairman, SVP, and fellow at Neustar, commented: “Companies must unite in not paying ransoms. Attackers will continue to increase their demands for ever larger ransom amounts especially if they see that companies are willing to pay. This spiral upwards must be stopped. The better alternative is to invest proactively in mitigation strategies before the attacks, including the use of qualified providers of “always-on” monitoring and filtering of traffic as part of a layered security approach.”

Categories: Cyber Risk News

Amazon Web Services Misconfiguration Exposes Half a Million Cosmetics Customers

Info Security - Thu, 06/17/2021 - 08:48
Hundreds of thousands of retail customers had their personal data exposed thanks to a misconfigured cloud storage account, Infosecurity has learned.

A research team at reviews site WizCase traced the leaky Amazon S3 bucket to popular Turkish beauty products firm Cosmolog Kozmetik.

The 20GB trove contained around 9500 files, including thousands of Excel files which exposed the personal information of 567,000 unique users who bought items from the provider across multiple e-commerce platforms.

Although the research team discovered no payment information, they did find customers’ full names, physical addresses and purchase details among the leaked orders. In some cases, phone numbers and emails were also exposed.

The oldest orders dated back to 2019, and they went right up to the present day. This indicates that the database is continually updated.

WizCase warned that many of those whose details were exposed may be unaware of the leak, as e-commerce marketplace users often don’t check the names of sellers.

Cosmolog Kozmetik, which also sells under the name “Marketlog,” is commonly found on major Turkish e-commerce platforms Trendyol, Hepsiburada, and Unishop.

WizCase warned that if threat actors managed to find and copy the exposed data, it might put these shoppers at risk of follow-on phishing and fraud, including refund scams. They could even suffer physical theft of packages if attackers track and steal shipments as they arrive at customers’ homes, it added.

“Cyber-criminals are always generating new methods to exploit anyone vulnerable on the internet,” WizCase warned in a blog post detailing the privacy snafu.

“For future purposes, we recommend always inputting the bare minimum of information when making a purchase or setting up an account on the internet. The less information you give hackers to work with, the less vulnerable you are to attack.”

Although WizCase contacted the Turkish CERT, Amazon and Cosmolog Kozmetik about the breach, none had replied at the time of writing.

Categories: Cyber Risk News

US Warns Russia of Cyber-Attack No-Go List

Info Security - Thu, 06/17/2021 - 08:26
President Biden and his team have warned the Putin administration of 16 critical infrastructure entities that are off-limits for threat actors operating from Russia.

The news came as the two leaders sat down in Geneva for a summit which Biden said was designed to ensure a “stable and predictable” relationship between countries following the turmoil of the Trump years.

After an audacious attack on Colonial Pipeline, which disrupted fuel supplies on the East Coast for days, Biden has been under increasing pressure to confront Putin over the cybercrime groups apparently operating with impunity from Russia.

The two spent “a great deal of time” talking about cybersecurity, said Biden in a post-meeting press conference.

“I talked about the proposition that certain critical infrastructure should be off limits to attack — period — by cyber or any other means. I gave them a list … of 16 specific entities; 16 defined as critical infrastructure under US policy, from the energy sector to our water systems,” he added.

“Of course, the principle is one thing. It has to be backed up by practice. Responsible countries need to take action against criminals who conduct ransomware activities on their territory.”

The two countries will now sit down to work on a deeper agreement on cybersecurity, designed to articulate “what’s off-limits.”

The US hammered out a similar agreement with China back in 2015 when Barack Obama warned Xi Jinping not to allow state-backed spies to target US companies in “economic cybercrime” attacks.

However, that deal soon fell apart as it became clear Beijing had no intention of dropping its plans.

Putin reportedly appeared similarly unapologetic at the Geneva meeting, claiming the Colonial Pipeline attack had nothing to do with the Kremlin. He also claimed that his US sources had told him most cyber-attacks originate from the US.

Adam Flatley, former NSA director of operations and now director of threat intelligence at [redacted], said the summit went as expected.

“Both sides went in and stated their positions to set the playing field for the next few years. Russia denied everything, which is totally standard. Biden stated our opposing positions and didn’t cave to any of Putin’s initial demands, most of which were normal,” he explained.

“It looks like we’re back in a more normal world of international relations, which is a good thing. So the real outcome here seems to be that both sides stated their opening positions and will go back home to start pushing their different agendas, and we’ll have to see who has the will and resources to succeed.”

Categories: Cyber Risk News

US Convicts Russian Malware-masker

Info Security - Wed, 06/16/2021 - 18:51
The United States has convicted a Russian cyber-criminal of running a malware-masking service that helped hackers systematically infect victim computers around the world with malware, including ransomware.

On Tuesday, a federal jury in Connecticut found 41-year-old native Estonian Oleg Koshkin guilty of operating a crypting business via multiple websites, including “Crypt4U.com,” and “fud.bz.”

On the websites, Koshkin and his co-conspirators claimed that they could render malicious software such as botnets, remote-access trojans, keyloggers, credential stealers and cryptocurrency miners undetectable by nearly every major provider of antivirus software. 

According to court documents and evidence introduced at trial, Koshkin worked with Kelihos botnet operator Peter Yuryevich Levashov (aka Sergey Astakhov aka Petr Severa) to create a system that would allow Levashov to crypt the Kelihos malware multiple times per day. 

"Koshkin provided Levashov with a custom, high-volume crypting service that enabled Levashov to distribute Kelihos through multiple criminal affiliates," said a Department of Justice spokesperson.

"Levashov used the Kelihos botnet to send spam, harvest account credentials, conduct denial of service attacks, and distribute ransomware and other malicious software." 

The Kelihos botnet included at least 50,000 compromised computers around the world when it was dismantled in 2017 by the FBI following Levashov's arrest in Barcelona. After extradition to the United States, Levashov pleaded guilty in 2018 to one count of causing intentional damage to a protected computer, one count of conspiracy, one count of wire fraud, and one count of aggravated identity theft.

Koshkin was arrested in California in September 2019 and has been detained since his arrest. He faces a maximum penalty of 15 years in prison and is scheduled to be sentenced on September 20.

Pavel Tsurkan, Koshkin’s co-defendant, is charged with aiding and abetting Levashov in causing damage to 10 or more protected computers and also with conspiring to cause damage to 10 or more protected computers.

Acting Assistant Attorney General Nicholas McQuaid of the Justice Department's Criminal Division said: “The verdict should serve as a warning to those who provide infrastructure to cyber-criminals: the Criminal Division and our law enforcement partners consider you to be just as culpable as the hackers whose crimes you enable, and we will work tirelessly to bring you to justice.”

Categories: Cyber Risk News

Deloitte Acquires Terbium Labs

Info Security - Wed, 06/16/2021 - 17:03
All of the assets of Terbium Labs have been acquired by multinational professional services network Deloitte Touche Tohmatsu Limited (Deloitte).

The acquisition of the Baltimore-based digital risk protection company was announced by Deloitte on June 15. 

Terbium Labs was founded in 2013 to help organizations detect and remediate data exposure, theft, or misuse across the digital landscape. In 2019, the company announced a $2m investment from the Omidyar Network, a philanthropic investment firm created by eBay founder Pierre Omidyar and his wife, Pam.

Deloitte said acquiring the dark web intelligence firm will boost its cyber practice in its Detect & Respond suite offering.

Services and solutions offered by Terbium Labs include a digital risk protection platform that uses artificial intelligence, machine learning and patented data fingerprinting technologies to identify the illegal use of sensitive data online.

"Finding sensitive or proprietary data once it leaves an organization's perimeter can be extremely challenging," said Kieran Norton, Deloitte risk & financial advisory's infrastructure solution leader and principal.  

"Adding Terbium Labs' business to our portfolio will offer our clients one more way to continuously monitor for — and, when appropriate, minimize the impact of — data exposed on the open, deep, or dark web," he added.

"Our industry-leading cyber practice is focused on providing our clients with new and innovative ways to transform their cyber risk postures as they endeavor to strengthen their trust equity, resilience and security," added Deborah Golden, Deloitte risk & financial advisory cyber and strategic risk leader and principal.

"As regulations change and new capabilities become available, we're strategically investing to offer advanced approaches to monitor digital assets privately and securely and to reduce time from event to remediation. These investments are powerful individually in bringing improved outcomes for our clients and transformational together by helping our clients become higher performing and more agile in the face of new threats and more efficient in their operations." 

Terbium Labs is Deloitte's third cyber acquisition this year. The network purchased Root9B, LLC (R9B) in January and announced its acquisition of cloud security posture management provider CloudQuest on June 7.

Categories: Cyber Risk News

IAB Tech Lab Accused of “World’s Largest Data Breach”

Info Security - Wed, 06/16/2021 - 16:28
IAB Tech Lab Accused of “World’s Largest Data Breach”

The IAB Technology Laboratory (IAB Tech Lab), which develops ad-industry standards, is being sued by the Irish Council for Civil Liberties (ICCL) for allegedly being responsible for "the world's largest data breach."

A non-profit digital media consortium established in 2014 and based in New York, the IAB Tech Lab's 650-member community includes Facebook, Google and Amazon.

In a lawsuit filed by ICCL senior fellow Johnny Ryan on May 18 in a court in Hamburg, the IAB Tech Lab comes under fire for real-time bidding, a process during which data is shared between ad brokers and other companies while advertising space is being auctioned as a website loads.

Despite the case's having been filed nearly a month ago, the IAB Tech Lab told a BBC reporter who reached out to the consortium for comment for an article that went live Wednesday that it was not familiar with Ryan's claim.

"We are reviewing the allegations in conjunction with our legal advisers and will respond in due course, if appropriate," said an IAB Tech Lab spokesperson.

Ryan, who worked as an advertising-industry professional before joining the ICCL, claims that when a user loads an app or web page that carries advertising, their data is shared with hundreds of ad brokers. 

The brokers use the data to sell the ad space that splashes onto the screen while the page loads. According to Ryan, users who see empty ad spaces that then fill with ads are watching their own data being auctioned in real time. 

Ryan said user data shared in the process includes "inferences of your sexual orientation, religion, what you're reading, watching, and listening to, your location."

He said it is a multi-million-dollar industry that most internet users know nothing about.

The IAB Tech Lab provides publicly available two- and three-digit codes, each of which represents a piece of user data. For example, a household with an income lower than $10k is given the code 60. 

Ryan alleges that providing that data – which IAB Tech Lab calls "audience taxonomy" – breaches EU privacy rules because users have not actively consented to this collection and dispersion of their data. 

He said: "The law needs to apply and sweep the industry so you can still have your bid requests but without personal data changing hands."

Categories: Cyber Risk News

Members of Clop Ransomware Gang Arrested in Ukraine

Info Security - Wed, 06/16/2021 - 15:39
Members of Clop Ransomware Gang Arrested in Ukraine

Members of the notorious FIN11 (Clop) ransomware gang have been arrested today by the Ukrainian police in conjunction with Interpol and law enforcement from the US and South Korea.

In a statement published today, the Ukrainian police revealed it has arrested six people alleged to be part of the financial cybercrime gang FIN11, which is believed to be behind many high-profile cyber-attacks. These include the attacks exploiting vulnerabilities in Accellion’s FTA product earlier this year, enabling it to access the system of aircraft manufacturer Bombardier.

In the statement, the police outlined its belief that the six suspects “carried out ransomware-type malware attacks on the servers of US and Korean companies.” This includes encrypting personal data of employees and financial reports of the Stanford University School of Medicine, the University of Maryland and the University of California.

The police added that it had seized cash, cars, and a number of Apple Mac laptops and desktops alongside the arrests. It stated: “Through the joint efforts of law enforcement officers, it was possible to stop the operation of the infrastructure from which the virus is spreading and block the channels for the legalization of cryptocurrencies obtained by criminal means.”

The announcement is the latest in several recent successes for law enforcement agencies in countering cyber-criminal gangs. For example, earlier this month, the US Department of Justice revealed it managed to seize around $2.3m of the $4.4m in cryptocurrency paid to the Darkside gang by Colonial Pipeline following the ransomware attack on the fuel transportation company in May.

Security experts such as Kim Bromley, a senior cyber threat intelligence analyst at Digital Shadows, recognize the significance of these arrests: “On 16 Jun 2021, Ukrainian police announced the arrest of individuals and the takedown of infrastructure related to the ‘Clop’ ransomware. This activity comes in the aftermath of increased pressure from law enforcement and governments on ransomware groups, following recent attacks on critical national infrastructure in the US. Clop ransomware has been active since February 2019 and targets large organizations for big game hunting. Despite partaking in the ever-popular double-extortion tactic, Clop’s reported activity level is relatively low when compared with the likes of ‘REvil’ (aka Sodinokibi) or ‘Conti’.

“Earlier in the year, the ‘Ziggy’ ransomware shut down its operation, citing an increased scrutiny from law enforcement as the reason. This week, the ‘Avaddon’ ransomware also appears to have ceased operations. Seemingly, the consistent pressure from law enforcement on these threat groups is beginning to have a positive impact.”

John Hultquist, VP of analysis, Mandiant Threat Intelligence, outlined: “The Cl0p operation has been used to disrupt and extort organizations globally in a variety of sectors including telecommunications, pharmaceuticals, oil and gas, aerospace and technology. The actor FIN11 has been strongly associated with this operation, which has included both ransomware and extortion, but it is unclear if the arrests included FIN11 actors or others who may also be associated with the operation.

“The arrests made by Ukraine are a reminder that the country is a strong partner for the US in the fight against cybercrime, and authorities there are making the effort to deny criminals a safe harbor. This is especially relevant as President Biden and Putin discuss the state of cyber-threats emanating from Russia, including the ransomware threat, which has increasingly threatened critical infrastructure and the everyday lives of people around the world.”

Categories: Cyber Risk News

NHS Test and Trace Bolsters its Cybersecurity

Info Security - Wed, 06/16/2021 - 13:28
NHS Test and Trace Bolsters its Cybersecurity

NHS Test and Trace has announced that an early-stage UK company will be in charge of managing its supply chain cybersecurity risks.

Risk Ledger, which was part of the fourth cohort of the government-backed London Office for Rapid Cybersecurity Advancement (LORCA) program to promote cyber scaleups, will allow NHS Test and Trace to utilize its ‘social network’ platform. The platform will enable organizations to connect and share risk data securely, quickly and easily. This move is particularly crucial for the UK’s test and trace service, which involves the continued sharing of sensitive data to help control the spread of COVID-19 as lockdown restrictions ease.

The Risk Ledger platform will provide NHS Test and Trace complete visibility of its supply chain, including data needed to identify, measure and mitigate any cyber threats that emerge.

The importance of securing supply chains has come into sharper focus due to recent high profile incidents, especially the SolarWinds attacks at the end of last year.

Creating the NHS Test and Trace system, which includes an official app, has brought about several privacy and data protection concerns. It is hoped the contract with Risk Ledger, which was a winner in the Department for Digital, Culture, Media, and Sport’s ‘Most Innovative UK Cyber SME of the Year’ competition in May, will help assuage some of these fears.

Minister for Digital Infrastructure Matt Warman MP commented: “The government is working tirelessly to secure the nation online and grow the UK’s £8.9bn cybersecurity industry as we build back better from the pandemic. We’re helping SMEs develop innovative products and services, and it’s great to see Risk Ledger, one of the firms we’ve supported, win this contract to protect the Test and Trace system and support the national effort against coronavirus.”

Haydn Brooks, Risk Ledger CEO and co-founder, welcomed the move: “NHS Test and Trace is essentially the biggest new start-up in the UK healthcare market so we are delighted they have chosen to take advantage of our ability to provide enhanced visibility of their supply chain risks. I am proud we will be part of the effort to secure this incredibly important supply chain.

“Healthcare organizations and their supply chains handle lots of highly sensitive data and have a high rate of data breaches. We have already seen during the COVID-19 pandemic that bad actors are actively targeting supply chains to access data and cause disruption.”

Categories: Cyber Risk News

Football Fever Puts Password Security at Risk

Info Security - Wed, 06/16/2021 - 10:11
Football Fever Puts Password Security at Risk

Security experts have urged users to think more carefully about their password choice after spotting as many as one million based on simple football-related words.

Authentication firm Authlogics manages a Password Breach Database — a collection of previously stolen or cracked credentials that allows it to spot trends and offer industry advice.

It claimed that of the one billion passwords in the trove, over 1.1 million are linked to the beautiful game. These are led by the password “football” (353,993), followed by “Liverpool” (215,842), “Chelsea” (172,727), “Arsenal” (151,936) and “Barcelona” (131,090).

The problem for these users is two-fold: not only are such credentials relatively easy to guess or crack, but if they’re reused across multiple accounts, including corporate ones, it could expose them to credential stuffing.

This is the practice of using automated software to try large numbers of previously breached log-ins simultaneously across multiple accounts, hoping that some will work.

Authlogics cited Google research which claims that over half (52%) of users reuse the same password on multiple accounts, with only a third (35%) using a different credential for all log-ins.

“If your password has been breached on one account, and you are one of the 52% of people who reuse their passwords regularly, you might find other accounts which were not breached also compromised,” Authlogics warned.

“If someone is aware of the amount of passwords that are associated with football, and are able to use social engineering tactics to discover which team an individual supports, they can make a good, educated guess as to their password to not just one, but multiple accounts.”

Password managers can help here by storing and recalling unique and robust credentials for each website and online account. Multi-factor authentication (MFA) is also recommended to bolster authentication security.

Authlogics recommended combining letters, numbers and symbols to increase password strength — even if football-mad users want to include their favorite team in their log-ins.
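The screening step an identity team would add on the back of the figures above, as an added example rather than anything from Authlogics: a registration-time check that rejects a password found in a breach corpus, and one whose normalized base (case folded, common leet substitutions undone, appended digits and symbols stripped) is just one of the football terms the article lists. The breach corpus and the minimum length are constructed assumptions; only the five football terms come from the article.

```python
import re

# The five football-related base words the article reports as most common
# in the Authlogics breach database (counts quoted in the text above).
FOOTBALL_TERMS = {"football", "liverpool", "chelsea", "arsenal", "barcelona"}

# Constructed stand-in for a breach corpus; a real deployment would load a
# large list (such as a local copy of a breach database) from disk.
BREACHED_PASSWORDS = {"football", "liverpool", "chelsea123", "arsenal1"}

# Assumed local policy: minimum length before a password is even considered.
MIN_LENGTH = 12

# Common "leet" substitutions users apply to dress up a dictionary word.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

_TRAILING = re.compile(r"[0-9!@#$%^&*()_+=\-.,?]+$")
_LEADING_NONALPHA = re.compile(r"^[^a-z]+")


def normalize(password: str) -> str:
    """Reduce a password to the dictionary word it is built on.

    'Liverpool2021!' -> 'liverpool', 'Ch3lsea' -> 'chelsea', '@rsenal' -> 'arsenal'.
    """
    base = _TRAILING.sub("", password.lower())   # drop appended digits/symbols
    base = base.translate(LEET)                  # undo leet substitutions
    return _LEADING_NONALPHA.sub("", base)


def check_password(password: str) -> list[str]:
    """Return the reasons a password should be rejected (empty list = accept)."""
    reasons = []
    if password.lower() in BREACHED_PASSWORDS:
        reasons.append("found in breach corpus")
    base = normalize(password)
    if base in FOOTBALL_TERMS:
        reasons.append(f"football term '{base}' with only digits or symbols appended")
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    return reasons


if __name__ == "__main__":
    for candidate in ("football", "Liverpool2021!", "Ch3lsea",
                      "correct-horse-battery-staple"):
        verdict = check_password(candidate)
        print(f"{candidate!r}: {'accepted' if not verdict else '; '.join(verdict)}")
```

A team name buried inside a long passphrase still passes this check, which matches the advice to combine letters, numbers and symbols rather than ban the word outright.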

Categories: Cyber Risk News

Most Ransomware Victims Are Hit Again After Paying

Info Security - Wed, 06/16/2021 - 09:18
Most Ransomware Victims Are Hit Again After Paying

Some 80% of global organizations that have paid a ransom demand experienced another attack, often at the hands of the same threat actors, according to a new study from Cybereason.

The security vendor polled 1,263 cybersecurity professionals in multiple verticals across the US, UK, Spain, Germany, France, the United Arab Emirates, and Singapore to compile its latest report, Ransomware: The True Cost to Business.

It confirmed what law enforcers and commentators have been saying for some time – victim organizations should, if possible, avoid paying their extorters. Some 46% of respondents, rising to 53% in the UK, said they believe the same threat group attacked them the second time.

However, this can be difficult to ascertain definitively given the large number of affiliate groups working with the same malware strains. A Sophos report this week revealed that no two REvil affiliates work in the same way.

Not only does paying a ransom encourage copycat crimes, but there’s no guarantee of a swift return to business-as-usual. Cybereason found that in nearly half (46%) of cases, the victim organization regained access to data following payment, but some or all of it was corrupted.

The report also laid bare the potentially devastating consequences of a successful ransomware attack. Two-thirds (66%) of respondents said they suffered significant revenue loss, over half (53%) said their brand suffered, and a third (32%) lost leadership through dismissal or resignation.

In some cases, an attack can have an existential impact: 29% said they were forced to eliminate jobs following an incident. A quarter (25%) of respondents claimed it led to the organization’s closure.

Big-name organizations from Colonial Pipeline to JBS have recently admitted to paying multimillion-dollar sums to their attackers to mitigate potentially severe customer disruption.

However, Cybereason CEO, Lior Div, was clear about which approach corporate victims should take.

“Paying a ransom demand does not guarantee a successful recovery, does not prevent the attackers from hitting the victim organization again, and in the end only exacerbates the problem by encouraging more attacks,” he argued.

“Getting in front of the threat by adopting a prevention-first strategy for early detection will allow organisations to stop disruptive ransomware before they can hurt the business.”

Categories: Cyber Risk News

IoT Supply Chain Bug Hits Millions of Cameras

Info Security - Wed, 06/16/2021 - 08:37
IoT Supply Chain Bug Hits Millions of Cameras

Security experts have warned of a critical IoT supply chain vulnerability that may affect millions of connected cameras globally, allowing attackers to hijack video streams.

Nozomi Networks revealed the flaw in a popular software component from ThroughTek, which OEMs use to manufacture IP cameras, baby and pet monitoring cameras, and robotic and battery devices.

The bug itself is found in a P2P SDK produced by the firm. In this case, P2P refers to functionality that allows a client on a mobile or desktop app to access audio/video streams from a camera or device through the internet.

Nozomi Networks claimed that the protocol used for transmission of those data streams “lacks a secure key exchange and relies instead on an obfuscation scheme based on a fixed key.”

This means that unauthorized attackers could access it to reconstruct the audio/video stream — effectively enabling them to snoop on users remotely.

CISA released its own security alert for the ThroughTek P2P SDK yesterday, giving it a critical CVSS score of 9.1. According to the advisory, it affects: versions 3.1.5 and older; SDK versions with nossl tag; and device firmware that does not use AuthKey for IOTC connection, uses the AVAPI module without enabling DTLS, or uses the P2PTunnel or RDT module.

ThroughTek placed the blame firmly on developers who have incorrectly implemented its SDK or failed to update the offering.

It said version 3.3 was introduced in mid-2020 to fix this vulnerability and urged any customers to update the SDK version used in their products.

It also revealed that the bug could lead to unauthorized eavesdropping on camera video and audio and device spoofing and device certificate hijacking.

The case highlights the challenges facing users of IoT and other devices, which have complex supply chains using components from third parties.

Last year, several zero-day vulnerabilities were discovered in a widely used low-level TCP/IP software library that may have impacted hundreds of millions of IoT devices.

In April this year, researchers found multiple flaws dubbed “Name:Wreck” in popular IT software FreeBSD and various IoT/OT firmware types, which they claimed could be present in over 100 million devices.

Categories: Cyber Risk News

“Homeless Hacker” Arrested

Info Security - Tue, 06/15/2021 - 18:23
“Homeless Hacker” Arrested

Author and activist Christopher Doyon has been arrested in Mexico in connection with a cyber-attack on the Santa Cruz County government's website carried out more than a decade ago.

Doyon, who calls himself Commander X online, wrote and published the book Behind the Mask about his time as a member of hacking group Anonymous. On social media, the 56-year-old is also known as the Homeless Hacker.

A former resident of Mountain View, California, Doyon was reportedly working on behalf of the self-styled cyber-warrior organization People's Liberation Front back in 2010 when the Massachusetts-based group organized a protest in Santa Cruz.

During the event, more than 50 people camped outside the city's district courthouse to protest the city council’s decision to tackle the issue of homelessness in Santa Cruz by banning camping in the city. 

The protest, which began in July, was broken up by police in October. Doyon was arrested for sleeping in public at the protest but failed to show up for a court date. A warrant was subsequently issued for his arrest. 

It is alleged that in December of 2010, Doyon launched a Distributed Denial of Service (DDoS) attack against Santa Cruz County that knocked out the county's website. 

Doyon was arrested in 2011 and charged with conspiracy to cause intentional damage to a protected computer, causing intentional damage to a protected computer, and aiding and abetting. He was released on bail but didn't show up for his federal court hearing scheduled for February 2012. 

The alleged Santa Cruz County attacker then reportedly fled to Canada, leaving his defense attorney to cover the cost of his $35k bail bond. Doyon's time living on the streets of Toronto was captured by documentary co-producer Ian Thornton. 

Doyon was arrested in Mexico on June 11 by Mexican immigration authorities. On June 12 he was deported to the United States and arrested by FBI agents.  

Doyon appeared before magistrate judge Donna Ryu in US District Court for the Northern District of California to face indictment for his failure to appear in federal court in 2012. He was jailed and is scheduled to appear today for arraignment and identification of counsel.

Categories: Cyber Risk News

Marketplace Selling Stolen Credentials Is Dismantled

Info Security - Tue, 06/15/2021 - 17:55
Marketplace Selling Stolen Credentials Is Dismantled

An online marketplace offering millions of allegedly stolen online account login credentials for sale has been taken down in a coordinated international operation.

Law enforcement agencies in Germany, the Netherlands, Romania, and the United States worked together to disrupt and dismantle the infrastructure of the store named Slilpp.

According to a seizure warrant affidavit unsealed on June 10, the Slilpp marketplace peddled stolen login credentials, including usernames and passwords for bank accounts, online payment accounts, mobile phone accounts, retailer accounts, and other online accounts, for nearly a decade.

The affidavit states that since 2012, the Slilpp marketplace has been providing a forum and payment mechanism that allowed vendors to sell, and customers to buy, illegally obtained login credentials. 

Buyers later used the login credentials they had purchased through Slilpp to conduct unauthorized transactions such as wire transfers from the related accounts, according to the affidavit.

To date, over a dozen individuals have been charged or arrested by United States law enforcement in connection with the Slilpp marketplace.

A series of servers that hosted the Slilpp marketplace infrastructure and its various domain names were identified and seized by the Federal Bureau of Investigation and its partners working in foreign law enforcement overseas. 

At the time of the seizure and subsequent disruption of the marketplace, the affidavit alleges, stolen account login credentials for more than 1,400 account providers were available for sale on Slilpp. 

The full impact of Slilpp has not yet been determined. Based on existing victim reports, the affidavit states, stolen login credentials sold via the marketplace have been exploited to cause losses in excess of $200m in the United States alone. 

“The Slilpp marketplace allegedly caused hundreds of millions of dollars in losses to victims worldwide, including by enabling buyers to steal the identities of American victims,” said Acting Assistant Attorney General Nicholas McQuaid of the Justice Department’s Criminal Division. 

“The department will not tolerate an underground economy for stolen identities, and we will continue to collaborate with our law enforcement partners worldwide to disrupt criminal marketplaces wherever they are located.”

Categories: Cyber Risk News