Feed aggregator

No Two REvil Attacks Are the Same, Experts Warn

Info Security - Tue, 06/15/2021 - 09:34
No Two REvil Attacks Are the Same, Experts Warn

According to a new report, no two criminal groups deploy the infamous REvil ransomware variant identically, adding to the challenge for those tasked with detecting and responding to such attacks.

The new study from Sophos details the activity of the affiliates who license the malware itself and handle the break-ins. This ransomware-as-a-service (RaaS) model now accounts for the majority of attacks in the wild.

Initial network access could come from brute-forcing internet-facing services like VPNs, RDP, VNC, and cloud-based management systems. Or it could come from phished or otherwise stolen credentials for legitimate accounts not protected by multi-factor authentication (MFA). Or in some cases, from “piggybacking” from other malware already present on the network.

Brute force password cracking attempts on RDP servers is common: Sophos revealed that one customer experienced 35,000 failed login attempts over a five-minute period, originating from 349 unique IP addresses around the world. 

Suppose they don’t have a functioning credential. In that case, the REvil affiliates are then likely to bide their time, monitoring the target network and/or using tools like Mimikatz to extract passwords for a domain administrator account.

The next stage involves preparing the victim network for a ransomware attack, which Sophos principal researcher, Andrew Brandt, calls “tilling the field.”

“The attackers need to establish a list of internal targets, give themselves domain admin privileges, and use those privileges to shut down or otherwise hobble anything that might impede their attack,” he explained.

“Windows Defender is usually the first to go, but often the attackers will spend some time trying to determine what endpoint protection tools are running on the computers, and may run one or more customized scripts that combine an attempt to kill any running protection process or services, and also to remove any persistence those processes or services might have.”

A tell-tale sign of malicious activity here is the presence of PowerShell scripts, batch files, or other “laying the groundwork” code used to disable protective features.

Next comes data exfiltration, a practice that should be detectable “but never happened in the cases we investigated,” according to Brandt.

REvil affiliate attackers typically spend a few days looking through file servers and bundling large numbers of docs into compressed files in a single location. It’s then usually uploaded to a cloud storage service over the course of a few hours or a day, with Mega.nz favored by most attackers.

There’s a wide variety of different ways to launch the ransomware payload itself, Sophos explained.

“They may push out copies to individual machines from a domain controller, or use administrative commands with WMIC or PsExec to run the malware directly from another server or workstation they control over the internal network of the target organization,” said Brandt.

Another option for REvil affiliates is to reboot a hijacked computer into Safe Mode, with the REvil malware adding itself to the shortlist of apps that can run in this mode.

“In others, we’ve observed the threat actor using WMI to create service entries on the machines they target for encryption,” said Brandt. “The entries contain a long, encoded command string that is impossible to decode unless you know the specific variables it was looking for.”

The sheer variety of REvil affiliate attacks, and by implication, those of other popular ransomware types, may appear challenging, but there are some helpful common best practices.

Sophos recommended MFA and strong passwords, Zero Trust and segmentation, prompt patching of all assets and the locking down of internet-facing services like RDP, among other steps.

Categories: Cyber Risk News

VW Vendor Leaves Data Unsecured

Info Security - Mon, 06/14/2021 - 18:10
VW Vendor Leaves Data Unsecured

A data breach at a Volkswagen vendor has impacted millions of customers and prospective car purchasers across North America. 

The breach occurred after information gathered by the vendor between 2014 and 2019 for sales and marketing purposes was stored electronically in an unsecured file for years. 

The majority of the individuals whose data was compromised were potential buyers or current customers of luxury car brand Audi. The Volkswagen Group formed Audi in 1969 after it bought the Auto Union from rival Daimler-Benz. 

On June 11, the American arm of the Volkswagen Group revealed that an unauthorized third party had obtained small amounts of personal data belonging to customers and prospects from a digital sales and marketing company used by its Audi Volkswagen brands. VW dealers based in Canada and the United States also used the services of the vendor. 

VW identified the source of the incident in May this year but believes that the data could have been illegally accessed at any point between August 2019 and May 2021. 

Information exposed in the security incident included phone numbers and email addresses, and in some cases details of vehicle leasing, purchases, and purchase inquiries. 

Volkswagen said it will offer free credit protection services to the 90,000 Audi customers and interested potential buyers or leasers whose sensitive data was accessed in the data breach. Included in the sensitive data was driver license numbers, Social Security numbers, account or loan numbers, tax identification numbers, and dates of birth.

In a letter sent to customers, VW said: “We take the safeguarding of your information very seriously. We have informed the appropriate authorities, including law enforcement and regulators. 

"We are working with external cybersecurity experts to assess and respond to this situation and have taken steps to address the matter with the vendor.” 

The automaker warned those impacted by the breach to be on the lookout for phishing emails.

Automotive News reported that Audi of America president Daniel Weissland identified the vendor as Shift Digital, of Birmingham, Michigan, in an email sent Thursday. The news source claims that the vendor's identity has been verified by "two dealers with knowledge of the situation."

Categories: Cyber Risk News

REvil Claims Responsibility for Invenergy Hack

Info Security - Mon, 06/14/2021 - 17:13
REvil Claims Responsibility for Invenergy Hack

Ransomware group REvil has claimed responsibility for a recent cyber-attack on a multinational renewable energy company based in the United States.

Invenergy LLC, which is headquartered in Chicago, launched an investigation after unauthorized activity was detected on some of its systems.

In a statement issued on Friday, the company said: "At no time were Invenergy's operations impacted and no data was encrypted." 

Invenergy added that it was complying with data breach disclosure regulations and that it "has not paid and does not intend to pay any ransom.”

Ransomware group REvil declared on its dark web site that it had carried out the cyber-attack on Invenergy. The gang claims to have compromised the company's computer systems and exfiltrated 4 terabytes of data. 

Among the information allegedly taken by REvil are contracts and project data. The gang further claims to have obtained "very personal and spicy" information regarding Invenergy's chief executive officer, Michael Polsky. 

REvil says it has accessed Polsky's personal emails, sensitive details about his divorce from his first wife, Maya, and photographs in which the billionaire magnate is compromised. 

Polsky emigrated from Soviet Ukraine to the United States in 1976 after building up a fortune of $1.5bn, according to Forbes. His divorce in 2007 was reported as one of the most expensive in history after a judge awarded Maya half of Polsky's cash and assets.

REvil's victims include meat-processing company JBS and the Taiwanese Apple supplier Quanta.

The cyber-criminal gang has also claimed responsibility for a recent cyber-attack on Sol Oriens, a 50-person firm based in Albuquerque, New Mexico, which consults for the US Department of Energy’s National Nuclear Safety Administration.

The firm confirmed to CNBC that it detected a "cybersecurity incident" in May. Sol Oriens said that the matter is still under investigation and has been reported to law enforcement. 

In a statement, the company said that "an unauthorized individual acquired certain documents from our systems. Those documents are currently under review, and we are working with a third-party technological forensic firm to determine the scope of potential data that may have been involved.”

Categories: Cyber Risk News

Biden Opposes Conditional Handover of Cyber-criminals

Info Security - Mon, 06/14/2021 - 16:32
Biden Opposes Conditional Handover of Cyber-criminals

The possibility of a deal allowing for the conditional handover of cyber-criminals between the United States and Russia has been extinguished by American president Joseph Biden. 

Russian president Vladimir Putin said on June 13 that he would be willing to make an arrangement with the United States whereby the two countries would exchange cyber-criminals in accordance with agreed-upon  conditions. 

Putin, who is due to meet with Biden at a bilateral summit in Geneva on June 16, voiced the comments during an interview broadcast on state television.

Putin said he thought issues such as the environment, strategic stability, and Libya and Syria were of great importance to both Russia and America, and that he believed a bilateral dialogue would be established at Wednesday's meeting.

Biden is expected to raise at the summit the issue of recent ransomware attacks on businesses based in the United States, including meat supplier JBS and the Colonial Pipeline, that the US says stemmed from Russia. 

US officials have alleged that the Russian government, though not directly responsible for carrying out such attacks, habitually turns a blind eye to cyber-criminals operating inside Russia who attack foreign targets.

Asked if Russia would enter into an agreement to locate and prosecute cyber-criminals, Putin said Russia's actions were dependent on Washington and Moscow's reaching a formal and mutual deal.

"If we agree to extradite criminals, then of course Russia will do that," said Putin. "We will do that, but only if the other side, in this case the United States, agrees to the same and will extradite the criminals in question to the Russian Federation."

He added: "The question of cybersecurity is one of the most important at the moment because turning all kinds of systems off can lead to really difficult consequences."

When asked about Putin’s proposal Biden said: “I’m open to it if there’s crimes committed against Russia that, in fact, are . . . [where] the people committing those crimes are being harbored in the US. I’m committed to holding them accountable.”

United States national security advisor Jake Sullivan later stated that Biden would pledge only to hold accountable American hackers who undertake illegal cyber-attacks internationally.

Categories: Cyber Risk News

54% of Senior Executives Struggling to Keep up with Threat Landscape

Info Security - Mon, 06/14/2021 - 12:41
54% of Senior Executives Struggling to Keep up with Threat Landscape

According to a new report by Fujitsu, more than half (54%) of senior executives have struggled to adapt security policies to changes in the threat landscape and working practices.

The survey, which Fujitsu carried out in September 2020, provides further evidence that many organizations are at higher risk of cyber-attacks due to the shift to remote working during COVID-19, with cyber-criminals taking advantage of the rising number of connections and devices to target corporate systems.

The findings also indicated that current cybersecurity training techniques are not suited to the current situation. Close to two-thirds (61%) of employees surveyed said they believe their security training is ineffective, while around three-quarters (74%) of non-technical staff do not find it engaging enough. Additionally, 32% thought their company’s training courses were too long, and 35% said it was too boring or technical.

These feelings may be partly explained by many organizations having a standardized approach to cybersecurity training: 60% of senior executives surveyed for the study admitted that all employees in their business receive the same type of training irrespective of the type of function they perform.

Senior executives also recognized a degree of apathy among their employees when it comes to cybersecurity, with 45% stating that most people in their organization believe this has nothing to do with them.

In response to these issues, encouragingly, over two-thirds (68%) of senior executives stated they recognize that training is most effective when it involves games, rewards or quizzes.

Commenting on the findings, Mike Smit, head of enterprise & cyber security at Fujitsu UK & Ireland, said: “Thanks to the pandemic forcing organizations to move to remote or hybrid working, a number of weak points have been exposed when it comes to cybersecurity and employees are one target that has come under increasing fire from cyber-criminals. 

"Business leaders must understand that having a robust and effective cybersecurity approach relies on more than just IT and technical defenses, it also requires a ‘human firewall’ of trained, vigilant employees.

“In our new hybrid-working world, it is critical that organizations invest in a strategy where all employees receive tailored training that addresses the threats they encounter in their specific roles. This means cybersecurity teams have to get closer to the business areas to understand their specific challenges. Putting the right training in place to ensure your employees are aware of the risks will make a significant difference to an organizations’ overall security posture. And, ultimately, it will build a sense of collective responsibility where every employee is engaged in the security process.”

Categories: Cyber Risk News

Government Wants Startups to Build a More Secure Nation

Info Security - Mon, 06/14/2021 - 09:30
Government Wants Startups to Build a More Secure Nation

The government has issued a call-to-arms to the UK’s burgeoning cybersecurity startups to help it defend the country from malicious online activity.

GCHQ’s National Cyber Security Centre (NCSC) used the Cheltenham Science Festival on Friday to launch NCSC for Startups.

The new program will invite applications from UK startups to develop products designed to defend critical areas of the economy and society.

It’s the successor to the NCSC Cyber Accelerator, a program that reportedly helped over 40 tech companies raise over £100m in external investments.

However, where it differs is that, whereas the accelerator required startups to participate in 10-week programs at set points of the year, NCSC for Startups will see continuous onboarding of successful applicants over the coming 12 months.

The idea is to drive more opportunities for these companies in the process.

Those chosen to participate will receive support from NCSC and GCHQ experts and NCSC partner Plexal, which is described as an “innovation center” with its own industry partners across the UK’s cybersecurity ecosystem.

Participating startups will be eligible to apply for funding, although there were no further details on how much.

“We want to work with the UK’s thriving cybersecurity industry to explore new ideas that will make the UK the safest place to live and work online,” said NCSC deputy director for cyber growth, Chris Ensor.

“NCSC for Startups offers the potential for even greater collaboration than ever before, and I would encourage startups to come forward and help us in our mission.”

The industry appeared to get a welcome boost from the pandemic last year, as demand for security services surged due to the mass switch to remote working.

According to one report, funding for UK cyber startups surged 940% in the first few months of the pandemic. That amounted to £496 million raised by investors in the first half of 2020, almost as much as the total figure for 2019 (£521 million).

Categories: Cyber Risk News

G7 Turns Up the Heat on Putin Over Ransomware Attacks

Info Security - Mon, 06/14/2021 - 08:54
G7 Turns Up the Heat on Putin Over Ransomware Attacks

G7 leaders confirmed their commitment to urgently tackling ransomware on Sunday, as a senior British security chief will warn today that cyber-criminals represent a more significant threat than state-sponsored espionage.

The Carbis Bay communique, published after a three-day summit of world leaders in Cornwall, singled Russia out by name — urging Vladimir Putin to “identify, disrupt and hold to account” cyber-criminals operating from the country.

“We commit to work together to urgently address the escalating shared threat from criminal ransomware networks,” it added. “We call on all states to urgently identify and disrupt ransomware criminal networks operating from within their borders, and hold those networks accountable for their actions.”

Lindy Cameron, CEO of GCHQ offshoot the National Cyber Security Centre (NCSC), will reportedly tell an audience today that Britain’s failure to tackle ransomware is “far more worrying” than the “malicious strategic threat” of state-backed online espionage.

She will reportedly add that, in a dangerous development, the ransomware-as-a-service (RaaS) model has democratized the ability to launch attacks and that such raids are “often enabled and facilitated by states acting with impunity.”

Hostile states such as Russia are long thought to have tolerated cybercrime groups operating from within their borders, as long as attacks are targeted at organizations in rival nations.

However, with recent attacks on key fuel and food supply chains in the US, the scrutiny of world leaders has been turned towards such policies.

Despite the rhetoric, the lines between financially motivated cybercrime and nation-state activity are, in fact, increasingly blurring.

An HP report from April claimed that governments now routinely buy exploits and hacking tools from the cybercrime underground and often recruit criminal operators to help with specific stages of threat campaigns.

Categories: Cyber Risk News

Global Police Close Record Number of Fake Pharma Sites

Info Security - Mon, 06/14/2021 - 08:25
Global Police Close Record Number of Fake Pharma Sites

A global policing operation has led to the closure of over 110,000 websites and online marketplaces selling fake pharmaceuticals, according to the international organization Interpol.

The organization said that Operation Pangea XIV involved law enforcement, customs and regulatory officers from 92 countries.

As well as the removal of 113,020 fake sites — the largest number since the long-running operation began in 2008 — counterfeit medicines and COVID-19 testing kits were seized after raids and checks on suspicious packages.

In the UK, for example, the authorities shut down 43 websites and removed 3100 ad links and seized three million fake medicines and devices worth over $13 million.

Many drugs were hidden amidst other items such as clothing, jewellery, baby toys and food.

In Qatar, officials apparently discovered 2,805 painkillers secreted inside tins of baked beans.

During the week of action, May 18-25, fake and unlicensed COVID-19 kits accounted for over half of all medical devices obtained by police. Some 277 arrests were also made worldwide, and potentially dangerous pharmaceuticals worth more than $23 million were seized, Interpol said.

In Italy, the authorities recovered over 500,000 fake surgical masks and 35 industrial machines used for production and packaging — illustrating the scale of many underground operations.

In total, global police took nine million devices — including syringes, catheters, masks and testing kits — and pharmaceuticals, including painkillers, steroids and anti-cancer drugs.

Interpol secretary-general, Jürgen Stock, warned that fake pharmaceuticals and testing kits are putting public health at risk at a dangerous time.

“As the pandemic forced more people to move their lives online, criminals were quick to target these new ‘customers’,” he added.

“Whilst some individuals were knowingly buying illicit medicines, many thousands of victims were unwittingly putting their health and potentially their lives at risk.”

In March last year, a previous iteration of Operation Pangea led to the seizure of $14 million worth of fake goods.

Categories: Cyber Risk News

COO Charged in Georgia Hospital Cyber-attack

Info Security - Fri, 06/11/2021 - 18:55
COO Charged in Georgia Hospital Cyber-attack

The chief operating officer of an IoT security company has been indicted by a federal grand jury over a cyber-attack carried out on a hospital in Georgia. 

Vikas Singla, of Marietta, Georgia, was arraigned on Thursday for his alleged role in the 2018 attack on Gwinnett Medical Center that exposed patients' personal data. 

The center, which is now known as Northside Hospital, was a not-for-profit health care network that provided health care services at two hospitals located in Georgia; one was in Duluth and the other in Lawrenceville. 

Singla was the COO and co-founder of Atlanta-based startup Securolytics, which served the health care industry with a cloud-based threat detection and analytics platform that was purpose-built for IoT.

According to the indictment, 45-year-old Singla took part in an attack that disrupted Gwinnett's phone service and network printer service. He is further accused of obtaining information from a digitizing device. 

Prosecutors said that the attack allegedly perpetrated by the Marietta resident was motivated in part by financial gain. 

“This cyber-attack on a hospital not only could have had disastrous consequences, but patients' personal information was also compromised,” said Special Agent in Charge Chris Hacker of the FBI’s Atlanta Field Office. 

“The FBI and our law enforcement partners are determined to hold accountable those who allegedly put people’s health and safety at risk while driven by greed.”

It is alleged that on or about September 27, 2018, Singla, "aided and abetted by others unknown to the grand jury," attacked one or more computers used by Gwinnett Medical Center that operated the Ascom phone system of the Duluth hospital. 

Singla is further accused of attacking one or more computers used by the Duluth and Lawrenceville hospitals that operated 17 different Lexmark printers. 

He is further accused of accessing without authorization a Hologic R2 Digitizer used by the Center in the Lawrenceville hospital.

Singla is charged with 17 counts of intentional damage to a protected computer and one count of obtaining information by computer from a protected computer.

The Department of Justice said that the attack on Gwinnett Medical Center is still being investigated by the FBI. 

Categories: Cyber Risk News

US Launches National AI Task Force

Info Security - Fri, 06/11/2021 - 18:45
US Launches National AI Task Force

The Biden administration has launched a new national artificial intelligence task force to make more government data available to AI researchers.

News of the National Artificial Intelligence (AI) Research Resource Task Force was announced on Thursday by the White House Office of Science and Technology Policy (OSTP) and the National Science Foundation (NSF).

A key role of the task force will be to serve as a federal advisory committee, assisting the creation and implementation of a blueprint for the National AI Research Resource (NAIRR).

The NAIRR is a shared research infrastructure that provides access to computers, high-quality data, educational tools, and user support to AI researchers and science students.

Co-chairing the task force will be Lynne Parker, White House Office of Science and Technology Policy, and Erwin Gianchandani, National Science Foundation.

"The task force will provide recommendations for establishing and sustaining the NAIRR, including technical capabilities, governance, administration, and assessment, as well as requirements for security, privacy, civil rights, and civil liberties," said the White House in a statement released yesterday.

In May 2022, the task force will submit an interim report to Congress detailing a comprehensive strategy and implementation plan. A final report will be submitted in November 2022.

Kudelski Security CEO Andrew Howard told Infosecurity Magazine that releasing data could have both a positive and a negative effect.

“Overall, making data available for research is a good thing. It’s an example of our government working for us as well as increasing transparency. This release of data could lead to new innovations both in an academic and private business context that make our lives better and solve societal challenges," said Howard. 

He warned: "There is also a downside. Depending on the sensitivity and scope of the data released, it could lead to the targeting of individuals and groups, both by companies and adversaries alike."

Howard stressed that any data release should be accompanied by the implementation of appropriate privacy protections.

"This isn’t always easy to do since there are attacks which can allow someone to combine the released data with other pieces of publicly available data to deanonymize individuals in a dataset," lamented Howard.

Categories: Cyber Risk News

McDonald’s Suffers Data Breach

Info Security - Fri, 06/11/2021 - 17:00
McDonald’s Suffers Data Breach

A data breach at fast food restaurant McDonald's has impacted customers and employees in South Korea and Taiwan and company operations in the United States.

The breach, which was first reported Friday by the Wall Street Journal, was the result of a cyber-attack. Hackers who broke into the computer system of McDonald's Corp. accessed only a small number of files before their intrusion was detected.

During their period of unauthorized access, the cyber-criminals stole personal information belonging to delivery customers in Taiwan and South Korea. Information accessed and pilfered included customer emails, phone numbers and addresses.

Employee information stolen by the hackers included the names and contact information of McDonald's workers in Taiwan. The burger servers said no customer payment details were accessed or stolen in the attack. 

McDonald's did not disclose exactly how many files were exposed or the number of people who were affected by the data breach, sharing only that the quantity of files was small. 

The data breach was detected by external consultants hired by McDonald's to investigate an incidence of unauthorized activity on an internal security system. Although access was blocked a week after detection, investigators found that company data in three countries had been breached.

In the United States, the hackers were able to access some business contact details for employees and franchisees. They also compromised restaurant data that included seating capacities and the size of play areas measured in square feet.

McDonald's said no data belonging to US customers was affected and that the exposed employee information did not include any personal or sensitive data. 

Regulators in Asia were notified of the breach on Friday by the McDonald's division in South Korea and Taiwan. The company said it will notify impacted customers and employees.

“Hackers will be quick to exploit the business contact details exposed in this breach, either simply selling the data or using the information to send convincing phishing, smishing or vishing attacks to victims of the breach," commented Tessian CTO & co-founder Ed Bishop.

"The warning for all McDonald's employees and franchisees, then, is to watch out for phishing emails and verify any requests for payments or information with the supposed source via another means of communication before complying with the request."

Categories: Cyber Risk News

Gaming Giant EA Suffers Major Data Breach

Info Security - Fri, 06/11/2021 - 11:34
Gaming Giant EA Suffers Major Data Breach

Hackers have stolen a wealth of data from gaming giant Electronic Arts (EA), including game source code and tools for several popular games, it has been reported.

Cyber-criminals made the claim in blog posts published on underground hacking forums, where they advertised a total of 780GB of data for sale. These posts were viewed and detailed by Motherboard, who EA informed that it had indeed suffered a data breach.

Among the data stolen was the source code for the popular football game FIFA 21 and code for its matchmaking server, and source code and tools for the Frostbite engine, which powers several EA games, including Battlefield. Additionally, the attackers took proprietary EA frameworks and software development kits.

Fortunately, it appears that hackers stole no personal data of customers in the breach, and EA told Motherboard that it does not expect the attack to impact “our games or our business.” This means that players should not be at an increased risk of cyber-attacks, phishing or identity theft.

Tom Van de Wiele, the principal security consultant at F-Secure, explained that the biggest impact of the data theft could that it offers valuable information for EA’s competitors to exploit. He said that “The EA source code and tools have a surprisingly high value to any company that operates in the shadows and want to get a leg up in competing with the bigger game development companies. Being able to steal an algorithm, approach, or game assets themselves and integrate them fast means not having to develop them on your own and means money and effort is saved that can be directed somewhere else. Especially when those games are released to a limited target group or platform where it is almost impossible to prove any wrongdoing or theft of intellectual property.”

Sam Curry, chief security officer at Cybereason, commented: “Oftentimes, there isn’t a lot of good news or optimism resulting from another global giant being breached. However, in the case of EA, they deal in petabytes of information so the reported amount of stolen data is relatively small in the gaming world. I’m not trying to diminish or minimize this compromise as the source code used to develop EA’s popular games has value to competitors and threat actors looking to sell the info on the darkweb.”

Curry also urged EA to share as many details as possible about how the breach occurred. “From initial reports, customer info, financial info or other proprietary information hasn’t been stolen. Behind the scenes, the threat actors either didn’t ultimately get where they wanted to in the network, or the good guys discovered the compromise early enough to limit the damage,” he said.

“EA should continue to be transparent, share as many details as possible and use this compromise as an opportunity to educate other companies in need of improving their own security hygiene. We should all look forward to hearing more from EA relating to this compromise and they have the opportunity to play the role of hero in this situation, as the role of villain or victim isn’t an option.”

Hackers have increasingly targeted the gaming industry in recent years due to its surging popularity. Researchers revealed they discovered 500,000 breached employee credentials and a million compromised internal accounts on the dark web from gaming firms earlier this year. 

Categories: Cyber Risk News

#G7UK: UK and US Strike New Agreements on Cybersecurity

Info Security - Fri, 06/11/2021 - 10:45
#G7UK: UK and US Strike New Agreements on Cybersecurity

The UK and US governments have agreed to work together more closely to tackle cybercrime as well as enhance the security of supply chains and emerging technologies. The announcement has come amid US President Joe Biden’s visit to the UK for the G7 summit, which has started today.

The partnership will be built within the framework of the revitalized Atlantic Charter, first introduced in 1941, and will cover a range of areas in science and technology, including cybersecurity.  

The two nations stated that they intend to cooperate to enhance the resilience and security of critical supply chains, battery technologies and emerging technologies such as AI and quantum. This forms part of their desire to ensure the full potential of future technologies like quantum and 6G are realized in the future.

Additionally, the two governments aim to improve the accessibility and flow of data to support economic growth, public safety, and scientific and technological progress.

More generally, the agreement emphasized the need to ensure liberal and democratic values are embedded into the design and standards governing technology globally. This is an issue that the director of GCHQ, Jeremy Fleming, highlighted in a speech back in April this year.

UK digital secretary, Oliver Dowden, commented: “In the 80 years since the Atlantic Charter was signed, technology has changed the world beyond recognition. But the goals that underpin it still bind the US and UK together today: support for democracy, open societies and free markets.

“Today's announcement marks a new era of cooperation with our closest ally, in which we commit to using technology to create prosperity and guarantee the safety and security of our citizens for years to come.”

Following the announcement, in an interview published in The Daily Telegraph last night, the UK foreign secretary, Dominic Raab, also revealed that the UK and US will work more closely together to “take the fight to cyber-criminals,” especially those targeting vital services like schools and hospitals.

Commenting, Charlie Smith, consulting solutions engineer at Barracuda Networks, said: “This announcement marks a turning point for the war on cyber-criminals, with the UK and US joining forces to root out and bring those responsible to justice. The sharp rise in ransomware attacks against schools, hospitals, local councils, and other critical national infrastructure cannot be underestimated and a concerted effort needs to be made to protect and secure these vital organizations from increasingly brazen attacks.”

Categories: Cyber Risk News

Unknown Attacker Chains Chrome and Windows Zero-Days

Info Security - Fri, 06/11/2021 - 09:49
Unknown Attacker Chains Chrome and Windows Zero-Days

Security researchers warn of a series of highly targeted attacks designed to compromise victim networks via Google Chrome and Microsoft Windows zero-day exploits.

The attackers are thought to have first exploited the now-patched CVE-2021-21224 remote code execution bug in Chrome.

“This vulnerability was related to a Type Mismatch bug in the V8 — a JavaScript engine used by Chrome and Chromium web-browsers,” explained Kaspersky. “It allows the attackers to exploit the Chrome renderer process: the processes that are responsible for what happens inside users’ tabs.”

The second stage was an elevation of privilege exploit linked to two separate vulnerabilities in the Microsoft Windows OS kernel. The first, CVE-2021-31955, can lead to the disclosure of sensitive kernel information, while the second, CVE-2021-31956, is a heap-based buffer overflow bug.

Kaspersky claimed that attackers CVE-2021-31956 alongside the Windows Notification Facility (WNF) to create arbitrary memory read/write primitives and execute malware modules with system privileges.

Once they’ve gained a foothold in victim networks by exploiting these three flaws, the stager modules execute a more sophisticated malware dropper from a remote server, which in turn installs to executables masquerading as legitimate Windows files.

One of these is a remote shell module designed to download and upload files, create processes, lie dormant for periods of time, and delete itself from the infected system, Kaspersky said.

Microsoft patched both vulnerabilities in this week’s Patch Tuesday security update round while Google has already fixed the Chrome flaw.

The research team has yet to link the attacks to any known threat actor, so is dubbing the group behind it “PuzzleMaker.”

“Overall, of late, we’ve been seeing several waves of high-profile threat activity being driven by zero-day exploits. It’s a reminder that zero days continue to be the most effective method for infecting targets,” argued Boris Larin, senior security researcher at Kaspersky’s Global Research and Analysis Team (GReAT).

“Now that these vulnerabilities have been made publicly known, it’s possible that we’ll see an increase of their usage in attacks by this and other threat actors. That means it’s very important for users to download the latest patch from Microsoft as soon as possible.”

Categories: Cyber Risk News

China's New "Anti-Sanctions" Law Means Headache for Foreign Firms

Info Security - Fri, 06/11/2021 - 09:09
China's New "Anti-Sanctions" Law Means Headache for Foreign Firms

Western tech firms and other multinationals with a big presence in China could soon find themselves in a difficult position after Beijing passed new retaliatory sanctions laws.

The move is widely seen as a reaction to a string of sanctions put in place by the US and allies in recent months over human rights abuses in Xinjiang and the muzzling of democracy protests in Hong Kong.

The new law passed on Thursday will reportedly enable the government to put individuals or entities on an “anti-sanctions list” if they comply with sanctions from the US and other countries that displease Communist Party leaders.

These individuals and businesses may be denied entry to China, expelled from the country, have assets seized or frozen or be banned from doing business there.

It’s the latest sign of China using its economic might to push back against what it sees as unfair foreign interference in sovereign matters.

However, it could place foreign companies in an impossible situation and force many to choose sides between the world’s two superpowers.

The law was reportedly rushed through China’s rubber-stamp legislature, the National People's Congress (NPC), without a third reading.

Also yesterday, China issued a second draft of a new Data Security Law which will restrict outward flows of “important” data from critical infrastructure (CNI) and non-CNI firms operating in the country — subjecting them to a security review process.

Purportedly, new rules could also prevent foreign companies from disclosing information on their Chinese subsidiaries to a foreign law enforcement agency or court.

Legal analysts have warned that much will hinge on how the authorities interpret the vague term “important.”

Categories: Cyber Risk News

Quantum Breakthrough in Britain Creates 600km Secure Link

Info Security - Fri, 06/11/2021 - 08:35
Quantum Breakthrough in Britain Creates 600km Secure Link

Long-distance quantum-secured data transfer took a step closer this week after Toshiba announced that scientists in the UK have managed to produce a stable prototype that works over 600 kilometers.

Quantum computing is often described as a potential security challenge in that, once states can engineer working machines, they could theoretically crack any public-key cryptography system.

However, the technology could also be used to mitigate this risk by producing “unhackable” information streams using quantum key distribution (QKD).

This is a technology Toshiba Europe scientists are working on in Cambridge. Photons are encoded and transmitted for key generation. Still, if the stream is interrupted by an eavesdropper, the unique properties of quantum physics mean that the sender will be alerted, and it is instantly scrambled.

Up until now, the main challenge in achieving QKD has been the fragility of qubits, or quantum particles, which means that they could be scrambled unintentionally if the fiber cables they’re transmitted through experience temperature or other changes.

Toshiba used a new “dual band” stabilization technique to tackle this.

“This sends two optical reference signals, at different wavelengths, for minimizing the phase fluctuations on long fibers. The first wavelength is used to cancel the rapidly varying fluctuations, while the second wavelength, at the same wavelength as the optical qubits, is used for fine adjustment of the phase,” it said.

“After deploying these new techniques, Toshiba found it is possible to hold the optical phase of a quantum signal constant to within a fraction of a wavelength, with a precision of 10s of nanometers, even after propagation through hundreds of kilometers of fiber. Without cancelling these fluctuations in real-time, the fiber would expand and contract with temperature changes, scrambling the quantum information.”

Using this dual band technique has enabled the research team to implement the so-called Twin Field QKD at distances around three times longer than existing commercial QKD systems.

Secure information exchange of this sort could one day be used to support an entire “quantum internet” of interconnected quantum computers. Given the huge variety of potential applications, the US, EU and China are throwing vast sums of money at such projects.

“QKD has been used to secure metropolitan area networks in recent years. This latest advance extends the maximum span of a quantum link so that it is possible to connect cities across countries and continents without using trusted intermediate nodes,” said Andrew Shields, head of the Quantum Technology Division at Toshiba Europe.

“Implemented along with Satellite QKD, it will allow us to build a global network for quantum secured communications.”

Categories: Cyber Risk News

IT Administrator Sentenced for Sabotaging Employer

Info Security - Thu, 06/10/2021 - 19:23
IT Administrator Sentenced for Sabotaging Employer

Lockdown hasn't ended for one vengeful IT professional who carried out a cyber-attack against his former employer. 

Levi Delgado, of Middletown, Delaware, was sentenced on Wednesday to home confinement after hacking into a company's computer network, deleting its data and disabling user accounts.

The 36-year-old cyber-criminal had been employed as an information technology administrator at a medical center that provides care to under-served communities, but the medical center terminated Delgado’s employment in August 2017. 

After losing his job, Delgado's access to the medical center’s computer network was revoked and the credentials that had allowed him to log in to it were disabled.  

Four days after his termination, Delgado hooked up a personal laptop and accessed the medical center’s computer network without authorization via an administrator account.

After illegally entering the network, Delgado deleted the medical center’s employee user accounts, disabled its computer accounts, and also deleted its file server.  

Delgado’s criminal actions prevented the medical center’s employees from logging in to their computers and blocked them from accessing patient files necessary to conduct operations. 

While no patient personal health information was compromised or accessed, patient appointments and treatments had to be rescheduled because of Delgado's cyber-sabotage. 

Delgado pled guilty in February 2021 to one count of causing damage to a protected computer. 

Yesterday, Leonard Stark, chief United States district judge for the district of Delaware, sentenced Delgado to six months of home confinement and ordered him to pay over $13,000 in restitution.

The case was investigated by the FBI-Baltimore Division’s Cyber Task Force and was prosecuted by Assistant US Attorney Jesse Wenger.

“What Mr. Delgado did was not only intentional, reckless and petty, but also caused a severe disruption in medical care in an underserved community,” said Rachel Byrd, acting special agent in charge of the FBI-Baltimore Field Office. 

“Computer intrusion is a crime and the FBI, and our law enforcement partners, will continue to pursue those who compromise, mishandle or disrupt computer networks.”

Weiss added that their office "is committed to prosecuting any individual who thinks attacking a former employer’s computer network is an acceptable reaction to getting fired.”

Categories: Cyber Risk News

Arrest Made Over Multi-million-dollar BEC Scam

Info Security - Thu, 06/10/2021 - 18:55
Arrest Made Over Multi-million-dollar BEC Scam

Texas law enforcement officers have made an arrest in connection with a multi-million-dollar wire fraud and money laundering scheme involving Business Email Compromise (BEC).

Guillermo Perez was taken into custody Wednesday morning for allegedly defrauding businesses and individuals of more than $2m through cyber-scams and bank fraud schemes.

An indictment unsealed on June 9 accuses 26-year-old Houston resident Perez of participating in the illegal scam from at least October 2018 to October 2019.

Perez is accused of impersonating individuals and businesses over email in the course of otherwise ordinary financial transactions. While posing as someone else, Perez allegedly tricked victims into transferring funds into bank accounts controlled by him and his co-conspirators.

As part of the alleged scheme, Perez provided banks with false and misleading information regarding his and his co-conspirators’ affiliations, then tricked the banks into opening business bank accounts that were fraudulent.

Victims of the BEC scheme, who were unaware that they were acting on false and misleading misrepresentations made by Perez and his co-conspirators, wired more than $2.2m into the fraudulent bank accounts. 

It is alleged that Perez and his co-conspirators, knowing that the transferred cash represented fraud proceeds, moved it out of the fraudulent bank accounts in transactions designed to conceal and disguise its origins and ownership.

The arrest of Perez was announced yesterday by Audrey Strauss, the United States attorney for the Southern District of New York, and Peter C. Fitzhugh, the special agent-in-charge of Homeland Security Investigations (HSI) in New York.

He is charged with one count of conspiracy to commit wire fraud and bank fraud, which carries a maximum sentence of 30 years in prison. Perez is also charged with one count of conspiracy to commit money laundering, which carries a maximum sentence of 20 years in prison.

In a statement issued yesterday, the US Attorney's Office wrote that Strauss praised the investigative work of HSI in the Perez case. 

The prosecution is being handled by the Money Laundering and Transnational Criminal Enterprises Unit. Assistant United States attorneys Emily Deininger and Tara La Morte are in charge of the prosecution.

Categories: Cyber Risk News

Texas to Publish Data Breach Notifications

Info Security - Thu, 06/10/2021 - 17:24
Texas to Publish Data Breach Notifications

Lawmakers in Texas have passed a bill requiring notices to be published online of any data breaches involving the personal information of 250 or more Lone Star State residents.

The unanimously passed House Bill 3746, which amends the Texas Business and Commerce Code §521.053, requires the Texas Attorney General's Office to post the breach notifications to its public-facing website.

Notifications must be uploaded to the website within 30 days of receipt, and listings of organizations impacted by a data breach must remain in place for a period of 12 months.

A listing will only be removed if the individual or company does not suffer any further data breaches affecting 250 or more Texas residents during the year-long listing period. 

Under current Texas law, notifications that a security system has been breached must be sent to the state Attorney General within 60 days of detection. 

Included in the breach notice must be a detailed description of the scope of the breach, how it happened, and what sensitive information may have been compromised, exfiltrated, stolen or deleted in the security incident.

Though it may not be a final tally, another detail that must be included in the data breach notice is the number of individuals known to be impacted by the breach at the time it is reported to the State Attorney General. 

Breached individuals and organizations cannot simply report a data breach incident to the Attorney General's Office and walk away. Their notice must include a description of what measures were taken to mitigate the breach and details of what future actions will be taken regarding the incident.

The Office must be informed as to whether law enforcement has been notified and is investigating the breach. It must also be instructed over how many Texas residents have been notified about the breach, by mail or another direct method of communication, at the time the incident is reported.

Before it becomes law, the bill must be signed by Texas governor Greg Abbott. Should it be graced with Abbott's signature, the law will take effect from September 1, 2021.

By passing the new bill, the Texas Legislature has followed in the footsteps of California and Maine.

Categories: Cyber Risk News

#Infosec21: Lack of Vision Explains Cyber Skills Shortage

Info Security - Thu, 06/10/2021 - 15:29
#Infosec21: Lack of Vision Explains Cyber Skills Shortage

The cybersecurity skills gap is caused by a lack of vision in the industry rather than it being a pipeline problem, argued Wendy Nather, head of advisory CISOs at Cisco, during her keynote address on day three of the Infosecurity Europe virtual conference.

Nather, who was recently inducted into the Infosecurity Hall of Fame, believes it is a complete misnomer that there is a lack of talent available to fill the expanding number of security roles. Instead, it is down to the industry “to open our eyes and see what’s in front of us, namely that there are sources of great security talent everywhere.”

Nather then showed a collage of high profile security professionals representing a range of demographics, including those often not associated with technical IT skills, such as older people. She said this demonstrates that anyone from any walk of life has the potential to be successful in the sector.

She added that it is vital to recognize that there is a range of pathways into the security industry, and it is quite possible to move across from a completely different profession. “They just need to be able to innovate and then they can learn the technology,” outlined Nather. “People are capable of learning all sorts of things; you don’t have to go for the person who is exactly like the last person you had in this position."

In fact, it is a great advantage to a security team to have personnel from different backgrounds and experiences. Nather gave the example of hiring a man called John Skaarup, an army veteran of 21 years, based on the mindset he demonstrated during her interview with him. Nather said that “he turned out to be one of the best security colleagues that I have ever had” and is now a cybersecurity officer, running the security operations center at the Texas Department of Transportation.

Nather then offered advice on how those involved in the hiring of security personnel can adapt their practices to open their doors to a much wider pool of talent. She observed that there are already highly knowledgeable people familiar with security but whose skills are not recognized for various reasons. These include the way they speak – if they do not use traditional security terminology. Nather commented: “Just because they don’t know the right lingo doesn’t mean they don’t know the concepts and that they can’t apply their skills.”

Nather also said that organizations need to be more careful about how they word their job descriptions, as they can often come across as overly restrictive to many good candidates. This includes postings asking for “ridiculous amounts of experience” in relatively new areas, like Kubernetes.

She added that this was a particular issue for candidates from underrepresented groups as they are “less likely to apply for positions where they fit the description 100%.” Therefore, asking for too many qualifications risks “cutting out the person who you need for your team.” To help prevent this situation from occurring, Nather believes that senior security personnel should be making this case loud and clear and “fight for latitude in hiring.”

In addition, a greater emphasis on soft skills should be made during the hiring stage, according to Nather. She argued that these types of attributes are just as valuable to an organization as the specific technical expertise, as the right people will be able to add these such skills to their repertoire in any case. For instance, she believes more value should be put on “tact, collaboration, the ability to explain things to anybody using very small words or the talent to be able to create something that people enjoy using.”

Concluding, Nather offered some takeaways for how the cybersecurity industry can grow the skills pipeline and diversify the people working within it. These include taking the initiative to discover and meet people from underrepresented groups rather than simply posting a job online. “To find the best people, you have to put in the work,” she explained.

Finally, Nather provided what she regarded to be the most crucial takeaway of the presentation, which is to recognize that “what I knew back then doesn’t matter now.” Simply put, the cybersecurity industry is evolving so quickly that the ability to adapt and learn new skills now is more important than past experiences in the field. She concluded: “What matters now is that we are all on the same starting line - we are all in the same race to learn. So look for the people you want to run with.”

Categories: Cyber Risk News