Feed aggregator

Hackers Steal Data from United Nations

Info Security - Thu, 09/09/2021 - 17:23
Hackers Steal Data from United Nations

Hackers have broken into the computer network of the United Nations and made off with data, according to researchers at cybersecurity firm Resecurity

Bloomberg reports that the unidentified cyber-criminals behind the theft appear to have gained access simply by using login credentials stolen from a UN employee. 

Entry was gained by logging in to the employee’s Umoja account. Umoja, which means “unity” in Kiswahili, is the enterprise resource planning system implemented by the UN in 2015.

It has been theorized that the username and password used in the cyber-attack were purchased from a website on the dark web.

Gene Yoo, chief executive officer at Resecurity, said: “Organizations like the UN are a high-value target for cyber-espionage activity. 

“The actor conducted the intrusion with the goal of compromising large numbers of users within the UN network for further long-term intelligence gathering.”

Researchers found that the UN’s systems were first accessed by hackers on April 5, 2021, and that network intrusions continued to take place until August 7. 

No evidence was found to suggest that the attackers had damaged or sabotaged the UN’s computer network. The hackers seem to have been motivated instead by a desire to collect information. 

Resecurity said that after reporting the security incident to the UN, it worked with the organization’s security team to determine the scale of the intrusion. 

While the UN reportedly believes the attack was a reconnaissance mission by hackers who took nothing but screenshots of the organization’s compromised network, Resecurity researchers say that data was stolen in the incident. 

Yoo told Bloomberg that the UN ceased communicating with Resecurity after proof of data theft was provided to the organization.

“This attack had been detected before we were notified by the company cited in the Bloomberg article, and corrective actions to mitigate the impact of the breach had already been planned and were being implemented,” UN spokesman Farhan Haq told the DailyMail.com.

“At that time, we thanked the company for sharing information related to the incident and confirmed the breach to them.”

Haq added that the United Nations is frequently targeted by cyber-attacks, including sustained campaigns. 

Categories: Cyber Risk News

Security Now a "Thankless Task" For 80% of IT Teams

Info Security - Thu, 09/09/2021 - 10:00
Security Now a "Thankless Task" For 80% of IT Teams

Securing the new hybrid workplace may require significant changes to culture, policy and technology after new HP research revealed significant pushback from remote workers during the pandemic.

The tech giant surveyed over 1000 IT decision-makers and more than 8400 workers across the globe to compile its latest HP Wolf Security study, Rebellions & Rejections.

It revealed that nearly all (91%) IT leaders had felt pressure to compromise on security during the pandemic, with three-quarters (76%) admitting security took a backseat to business continuity.

As a result, 83% of IT teams believe the increase in home workers has created a “ticking time bomb” for a corporate network breach.

These fears are reflected in the uncompromising attitudes of those workers — particularly the younger cohort.

Almost half (48%) of younger workers (18-24 years old) claimed security tools were a hindrance, and nearly a third (31%) have tried to bypass corporate policies to get work done.

Over half (54%) claimed to be more worried about meeting deadlines than exposing their organization to data breaches. In comparison, two-fifths (39%) were unsure what their security policies say or even if their company has them.

Ian Pratt, global head of security for personal systems at HP Inc, warned that breaches could result from users bypassing internal security controls and policies.

“If security is too cumbersome and weighs people down, then people will find a way around it. Instead, security should fit as much as possible into existing working patterns and flows, with technology that is unobtrusive, secure-by-design and user-intuitive,” he added.

“Ultimately, we need to make it as easy to work securely as it is to work insecurely, and we can do this by building security into systems from the ground up.”

The dynamic is also taking its toll on IT teams. Some 83% said trying to set and enforce corporate security policies is impossible given the lines between personal and professional are so blurred. In comparison, 80% said security was becoming a “thankless task” as no one listens anymore.

HP CISO, Joanna Burkey, argued that employee education and engagement is the first step towards improving security for the hybrid workplace. She added that IT teams should also re-evaluate policies to take account of the new working environment.

Categories: Cyber Risk News

Attacker Breakout Time Now Less Than 30 Minutes

Info Security - Thu, 09/09/2021 - 09:15
Attacker Breakout Time Now Less Than 30 Minutes

The average time it takes threat actors to move from initial access to lateral movement has fallen by 67% over the past year, putting extra pressure on security operations (SecOps) teams, according to CrowdStrike.

The findings come from the security firm’s own investigations with customers across around 248,000 unique global endpoints.

For incidents where this “breakout time” could be derived over the past year, it averaged just 1 hour 32 minutes. However, in over a third (36%) of intrusions, adversaries managed to move laterally to additional hosts in under 30 minutes.

That reportedly makes the job of incident responders more challenging. With lateral movement comes the discovery of data to exfiltrate and new systems to deploy ransomware on. 

Zeki Turedi, EMEA CTO, CrowdStrike, told Infosecurity that once lateral movement occurs, incidents become harder and more costly to resolve.

“In simple terms, it is easier to deal with a threat actor when they are on one machine than multiple,” he added.

“For a threat actor to start moving laterally they must have already done some basic reconnaissance of the network, but more importantly have credentials to allow them to start moving across the network. At this point they potentially have the keys to the kingdom (network) and can start moving and causing disruption quickly.”

Threat actors are also becoming more stealthy. In 68% of detections indexed by CrowdStrike, no malware was used at all. This means “living off the land” techniques and legitimate tooling was employed to stay under the radar of traditional security tools.

In total, the vendor detected a 60% increase in attempted intrusions across all verticals and geographic regions between July 2020 and June 2021 versus a year previous.

Not all of this activity is about data collection and ransomware deployment. CrowdStrike recorded a 100% year-on-year increase in crypto-jacking in interactive intrusions.

When it came to targeted intrusions, China-based threat actors were the most prolific by far, accounting for 67% of incidents. Next came unattributed state-backed attackers (20%), then Iran (7%) and North Korean (5%) actors.

Categories: Cyber Risk News

Berners-Lee Joins ProtonMail Following Privacy Debacle

Info Security - Thu, 09/09/2021 - 08:46
Berners-Lee Joins ProtonMail Following Privacy Debacle

Tim Berners-Lee has joined the advisory board of ProtonMail, just days after the encrypted email service was criticized for unmasking the identity of a user for French police.

The worldwide web inventor was a scientist at the European Organization for Nuclear Research (CERN) at the same time as ProtonMail CEO Andy Yen, and helped to sketch the initial plans for what is now the world’s largest encrypted email service, with over 50 million users.

“I’m delighted to join Proton’s advisory board and support Proton on their journey. I am a firm supporter of privacy, and Proton’s values to give people control of their data are closely aligned to my vision of the web at its full potential,” he said in a statement.

However, the Geneva-headquartered firm’s privacy-first credentials took a blow this week after it emerged that it had complied with a request from the Swiss authorities to hand over the identity of a French climate change activist using the service.

Although ProtonMail says it will not comply with requests from “foreign” law enforcement, the case highlighted for some just how authorities outside of Switzerland could work around this policy.

The firm was also forced to row back on confusing messaging that made it seem like user accounts were anonymous by default and that IP logging only occurs in “extreme criminal cases.” While open to interpretation, the individual concerned does not appear to fall under the latter category but rather operates the Parisian chapter of the pressure group Youth for Climate.

The following used to appear on the firm’s website: “No personal information is required to create your secure email account. By default, we do not keep any IP logs that can be linked to your anonymous email account. Your privacy comes first.”

However, today, the site talks about its service as “email that respects privacy and puts people (not advertisers) first.”

Users who want to stay anonymous on ProtonMail would be best placed using its onion site or potentially using the ProtonVPN service. Swiss law prevents the firm from monitoring the IP addresses of its VPN users.

“We are also deeply concerned about this case and deplore that the legal tools for serious crimes are being used in this way,” said Yen in a blog post explaining the case.

“In this case, Proton received a legally binding order from Swiss authorities which we are obligated to comply with. There was no possibility to appeal this particular request.”

Categories: Cyber Risk News

Data Breach Lawsuit Against Sonic Will Proceed

Info Security - Wed, 09/08/2021 - 17:50
Data Breach Lawsuit Against Sonic Will Proceed

Litigation filed against American fast-food chain Sonic over a 2017 data breach has been allowed to proceed.

Financial institutions brought a lawsuit against Sonic Corp after it emerged that financial data belonging to customers of the restaurant had been stolen in a cyber-attack. The attacker(s) installed malware on a point-of-sale system used at hundreds of Sonic franchises.

In a data breach notice issued at the time of the attack, Sonic stated: “Sonic Drive-In has discovered that credit and debit card numbers may have been acquired without authorization as part of a malware attack experienced at certain Sonic Drive-In locations.”

Sonic is based in Oklahoma City and has nearly 3,600 locations across 45 US states. An investigation into the attack found that customers’ payment card data had been exposed at more than 700 Sonic franchised drive-in locations. 

Under Sonic’s franchise agreement, the franchisees were required to give Sonic access to their transaction data through a Sonic-managed virtual private network (VPN). Hackers accessed this data using VPN credentials issued to a transaction-processing service by Sonic. 

Sonic has argued that the plaintiffs can’t prove that it was guilty of “affirmative acts” that exposed its customers to an “unreasonably high risk of harm.” According to the restaurant chain, any blame for the breach lies with the point-of-sale vendor that it employed, Infor Restaurants Services Inc. 

On Tuesday in Cleveland, Ohio, US District Judge James Gwin turned down Sonic’s request to grant summary judgement. Gwin found that material facts in the case “remain unresolved” and that Sonic owed an obligation to the financial institutions that had brought the case.

"Sonic had a duty to prevent the criminal acts of hackers because Sonic's affirmative acts created a risk of harm, and Sonic knew or should have known that the risk of hacking made its flawed security practices unreasonably dangerous," said Gwin.  

In the ruling, Gwin cited several actions allegedly performed by Sonic that had created risk. Among these was creating a "permanently-enabled VPN tunnel" that allowed anyone with Infor credentials and a remote user credential to access the system without multi-factor authentication.

Categories: Cyber Risk News

US Considers Limiting CISA Director’s Term

Info Security - Wed, 09/08/2021 - 16:49
US Considers Limiting CISA Director’s Term

The United States is considering putting a cap on the amount of time an individual can work in the role of director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). 

Bipartisan House lawmakers introduced legislation this week that proposes limiting the term of the top cybersecurity role to five years. 

If passed into law, the proposed CISA Cybersecurity Leadership Act would also reaffirm that the role of CISA director requires Senate approval after presidential nomination. 

Among the politicians who have voiced their support for the bill is Representative Andrew Garbarino, who is a ranking member on the House Homeland Security Committee’s cybersecurity subcommittee. 

“The current threat landscape is ever changing and expanding to include a multitude of cyber risks. We must evolve along with it to be best prepared to mitigate these threats,” said Garbarino in a statement Tuesday. 

"With cyber attacks on the rise, CISA, the lead federal civilian cybersecurity agency for the United States, needs consistent and stable leadership presiding over our nation's cyber preparedness."

He added: "This bipartisan bill will remove any uncertainty from the CISA Director role so that the Director can focus squarely on strengthening our cyber posture.”

House Homeland Security Committee Chairman Bennie Thompson, ranking member John Katko, cybersecurity subcommittee Chairwoman Yvette Clarke, and Reps. Jim Langevin, Mike Gallagher and Ralph Norman are also sponsoring the bill. 

In a joint statement Tuesday, Thompson and Clarke said: "As the cyber threats facing the nation continue to evolve, we need steady leadership at the Cybersecurity and Infrastructure Security Agency.”

The first person to hold the position of CISA director was Christopher Krebs. He was fired from the role via a tweet in November 2020 by then President Donald Trump. 

CISA’s current director, Jen Easterly, was nominated by President Joe Biden in April 2021 and was unanimously confirmed by the Senate on July 12, 2021. 

According to CISA’s website: “As director, Ms. Easterly leads CISA’s efforts to protect and defend civilian government networks, manage systemic risk to national critical functions, and collaborate with State, Local, Tribal, and Territorial partners as well as with the private sector to ensure the security and resilience of the Nation’s cyber and physical infrastructure.”

Categories: Cyber Risk News

NCCoE Releases Cybersecurity Guide for First Responders

Info Security - Wed, 09/08/2021 - 15:49
NCCoE Releases Cybersecurity Guide for First Responders

The National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) has released the final version of a Cybersecurity Practice Guide for first responders. 

The NIST Cybersecurity Practice Guide SP 1800-13, Mobile Application Single Sign-On: Improving Authentication for Public Safety First Responders (PSFRs) was developed in collaboration with industry stakeholders and NIST’s Public Safety Communications Research Lab. 

To provide emergency care and support, PSFR personnel rely on mobile platforms to access public safety data. Among the data that PSFRs must access in the performance of their roles is personally identifiable information, law enforcement sensitive information, and protected health information. 

The new Cybersecurity Practice Guide was created with the aim of resolving authentication issues so that sensitive data can be accessed by PSFRs both securely and quickly enough to prevent any delay in the provision of potentially life-saving care. 

Public safety organizations can use the guide to define requirements for mobile application single sign-on (SSO) and multi-factor authentication (MFA) implementation and improve interoperability among mobile platforms, applications, and identity providers (IdPs).

Included in the guide is advice on how to enhance the efficiency of PSFRs by cutting down on the number of authentication steps, the time it takes to access critical data, and the number of credentials that must be managed.

“This practice guide describes a reference design for multi-factor authentication and mobile single sign-on for native and web applications while improving interoperability among mobile platforms, applications, and identity providers, regardless of the application development platform used in their construction,” said the NCCoE.

The products described in the NIST Cybersecurity Practice Guide are standards-based commercially available or open-source products. 

In the guide, PSFRs are urged to be aware of the potential risks associated with using mobile platforms and applications. 

The guide warns users that “complex passwords are harder to remember and input to IT systems” and that “mobile devices exacerbate this issue with small touchscreens that may not work with gloves or other PSFR equipment, and with three separate keyboards among which the user must switch.”

Categories: Cyber Risk News

Stress and Burnout Affecting Majority of Cybersecurity Professionals

Info Security - Wed, 09/08/2021 - 10:26
Stress and Burnout Affecting Majority of Cybersecurity Professionals

Over half (51%) of cybersecurity professionals are kept up at night by the stress of the job and work challenges, according to CIISec’s 2020/21 State of the Profession report.

The survey of 557 security professionals found that stress and burnout have become a major issue during the COVID-19 pandemic. This is partly due to overwork — the study found almost half (47%) of respondents work 41+ hours a week, with some working up to 90.

Additionally, 80% said that staff across organizations have been more anxious or stressed during the crisis. This is concerning as numerous studies have demonstrated that people are more vulnerable to being duped by cyber-criminals while feeling stressed or burnt out.

The study also analyzed other pressures the pandemic has placed upon the security industry. While more than half (53%) of cybersecurity pros said their budgets are rising, this is not enough to keep up with their organizations’ threats. More than two-thirds (69%) believe that risks to their organization’s data have increased due to staff working from home.

Additionally, 65% said that the pandemic made security reviews, audits, and overseeing processes more difficult. In comparison, 66% agreed that the forced cancellation of education events, including training sessions, has widened the skills gap in the sector.

Encouragingly, the pandemic appeared to have some positive impacts regarding security awareness and increased expenditure. Around three-fifths (59%) of cybersecurity professionals think the industry has got better at defending systems from attacks and protecting data during 2020, and 62% said the sector had improved its response to security incidents, data losses, outages and breaches when they occur.

The respondents were also asked about what they felt were the most important skillsets required for those joining the industry. Analytical thinking/problem-solving was ranked top, while communication skills were viewed as much less important.

CIISec observed that lack of diversity continues to be a significant problem in the sector, with men making up 81% of survey respondents.

Amanda Finch, CEO of CIISec, commented: “Lockdown has had a considerable impact on security professionals. The move to remote working has not only made processes harder to manage and data harder to secure but has been accompanied by a huge rise in threats and attacks. Adding to this, the survey shows a lack of career opportunity was one of the top sources of stress. It’s clear the industry needs to do more to highlight the available opportunities and what skill sets and knowledge security professionals need to move to the next level on their chosen career path. Without this, the industry will struggle to recruit and retain talent, only widening the skills gap.”

Categories: Cyber Risk News

Attacks on IoT Devices Double Over Past Year

Info Security - Wed, 09/08/2021 - 09:15
Attacks on IoT Devices Double Over Past Year

The number of attacks targeting IoT devices has almost doubled from the second half of 2020 to the first six months of this year, according to Kaspersky.

The Russian cybersecurity firm collected data from a network of honeypots to mimic vulnerable devices and invite attacks.

Although these honeypots were on the receiving end of around 639 million cyber-attacks in the final six months of 2020, the figure had soared to over 1.5 billion by the first half of 2021.

So far this year, most of these attacks have been attempted using the telnet protocol, which is typically used to access and manage devices remotely. Over 872 million, or nearly 58%, of the total was accounted for this way. The rest used SSH (34%) and web (8%) channels.

Once compromised, IoT devices can be conscripted into botnets and used to mine illegally for crypto-currencies, launch DDoS attacks, steal personal data and more.

“Since IoT devices, from smartwatches to smart home accessories, have become an essential part of our everyday lives, cybercriminals have skilfully switched their attention to this area. We see that once users’ interest in smart devices rose, attacks also intensified,” explained Kaspersky security expert Dan Demeter.

“Some people believe they aren’t important enough to be hacked but we’ve observed how attacks against smart devices intensified during the past year. Most of these attacks are preventable. That’s why we advise smart home users to install a reliable security solution, which will help them stay safe.”

However, the challenge with IoT devices is that they can’t support traditional endpoint security agents. That means that security must be plugged in at the smart home network layer.

Other steps recommended by Kaspersky included prompt patching of any firmware updates and changing any factory default passwords to stronger, more complex credentials.

The vendor also urged smart home users to reboot any devices behaving oddly if they’re infected with malware, as this can sometimes help eliminate the malicious code.

If you liked this article, be sure to check out these upcoming Online Summit sessions:

Categories: Cyber Risk News

REvil Ransomware Group is Back as "Happy Blog" Returns

Info Security - Wed, 09/08/2021 - 08:50
REvil Ransomware Group is Back as "Happy Blog" Returns

An infamous ransomware group that appeared to shutter its operations following a major supply chain attack on IT software provider Kaseya seems to be back in business.

The REvil/Sodinokibi variant has been used by countless affiliates to extort money from companies as diverse as now-defunct Travelex, Jack Daniels-maker Brown-Forman and meat processing giant JBS.

Last year it claimed to have amassed a fortune of $100m through its efforts.

However, widespread condemnation following the July Kaseya attack, which impacted thousands of downstream customers, including schools, appeared to have forced the group offline. The attack itself garnered attention from the very top level of the US government, with President Biden ordering his intelligence agencies to investigate.

Some speculated that it was simply lying low and would likely return with different branding.

However, that doesn’t appear to be the case, with the group’s “Happy Blog” site now back up and running, according to Recorded Future. The site is where it publishes data exfiltrated from its victims in order to force them to pay up.

“At the time of writing, the website is still listing the same victims it listed at the time of its shutdown on July 13,” the threat intelligence firm claimed.

“In addition, REvil’s ‘payment portal,’ where victims are told to go and negotiate with the REvil gang, has also been restored at the same old dark web .onion URL.”

Some speculated back in July that REvil threat actors, thought to be located within Russia, had been told to tone down their activity by the Kremlin after high-level geopolitical meetings with Washington.

The White House has issued repeated statements warning that it reserves the right to go after cyber-criminals wherever they’re located if governments purportedly harboring them refuse to take action. 

If you liked this article, be sure to check out these upcoming Online Summit sessions:

Categories: Cyber Risk News

CISA Urges Firms to Mitigate New Windows RCE Bug

Info Security - Wed, 09/08/2021 - 08:24
CISA Urges Firms to Mitigate New Windows RCE Bug

The US authorities are urging IT teams to follow newly released guidance from Microsoft designed to help mitigate a flaw in Windows currently under active exploitation.

High severity remote code execution bug CVE-2021-40444 exists in Windows browser engine MSHTML. Microsoft revealed in a note yesterday that the vulnerability is being used in targeted attacks featuring specially crafted Office documents. It could enable a remote attacker to hijack an affected system.

“An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine,” it explained.

“The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”

Although no patch is yet available, Microsoft said that, by default, Office opens documents from the internet in Protected View or Application Guard for Office, which will prevent the attack.

It added that organizations could also disable their installation of all ActiveX controls in Internet Explorer to mitigate the threat. This can apparently be done for all sites by updating the registry.

Reports suggest the attacks spotted in the wild are being launched against customers using Microsoft 365 and Office 2019 on Windows 10.

“Vulnerabilities like these tend to have extremely long lifetimes for exploitation in the wild, highlighting the need for security monitoring and periodic threat hunting,” warned Jake Williams, CTO at incident response firm BreachQuest.

An alert from the US Cybersecurity and Infrastructure Security Agency (CISA) yesterday urged users and administrators to implement the workarounds or mitigations suggested by Microsoft.

If you liked this article, be sure to check out these upcoming Online Summit sessions:

Categories: Cyber Risk News

Cyber-Attack on Washington DC University

Info Security - Tue, 09/07/2021 - 17:09
Cyber-Attack on Washington DC University

Classes were canceled at a private university in Washington DC today following a cyber-attack. 

Unusual activity was discovered on the Howard University (HU) network last Friday by HU's information technology team. On Monday, the university announced that it was working with forensic experts and law enforcement to investigate a suspected ransomware attack. 

While the investigation is ongoing, HU's Enterprise Technology Services (ETS) shut down the university's network.

"The situation is still being investigated, but we are writing to provide an interim update and to share as much information as we safely and possibly can at this point in time, considering that our emails are often shared within a public domain," said HU in a statement.

"Based on the investigation and the information we have to date, we know the University has experienced a ransomware cyberattack."

The university said it found no evidence to suggest that any personal information belonging to students or staff had been accessed, stolen, or exhilarated during the attack. 

While HU works to determine what happened, it has warned those awaiting the return of the network that they may have to be patient. 

"ETS and its partners have been working diligently to fully address this incident and restore operations as quickly as possible; but please consider that remediation, after an incident of this kind, is a long haul – not an overnight solution," wrote the university in a statement.

Classes were canceled on Tuesday, and the campus was closed to all but essential employees. Campus Wi-Fi has also been halted, and access to some apps has been blocked while the investigation is ongoing. 

Howard University said it is taking steps to prevent any data from being accessed by unauthorized third parties. 

"This is a highly dynamic situation, and it is our priority to protect all sensitive personal, research and clinical data," said university officials. 

"We are in contact with the FBI and the DC city government, and we are installing additional safety measures to further protect the University's and your personal data from any criminal ciphering.

Categories: Cyber Risk News

Cybersecurity Student Scams Senior Out of $55K

Info Security - Tue, 09/07/2021 - 16:42
Cybersecurity Student Scams Senior Out of $55K

A British cybersecurity student has scammed an elderly woman out of thousands of dollars by pretending to be a member of Amazon’s technical support team. 

Twenty-four-year-old Ramesh Karaturi contacted his victim over the phone and persuaded her to believe that cyber-attackers had compromised her Amazon account.

Karaturi’s victim, who Cleveland Police said was a Scottish resident in her 60s, was then manipulated into installing what she thought was “protective anti-virus software” onto her computer.

What the woman installed was a program that gave Karaturi remote access to her machine. 

Police said the victim suspected she had been tricked after Karaturi instructed her to leave the downloaded program running on her computer. 

After ending the phone call and unplugging her computer, the suspicious victim contacted her bank. She discovered that two sums totaling nearly £40,000 (around $55,000) had been stolen from her account.

Police at Middlesbrough’s Criminal Investigation Department were able to trace nearly half of the stolen money to a bank account in the name of Teeside University student Ramesh Karaturi. 

Karaturi, whose last known address was Linthorpe Road in Middlesbrough, was arrested on June 11. While being questioned by police, the cybersecurity student admitted receiving stolen money into his bank account.

Karaturi told police that he withdrew the illicit funds in small chunks before sending it to other individuals, letting them use his bank account for illegal purposes in exchange for keeping 15% of the proceeds.  

The Crown Prosecution Service charged the student with three counts of money laundering and one conspiracy to defraud. After being released on bail, Karaturi went before a court and pleaded guilty at the end of July. 

On September 6, Karaturi was sentenced at Teeside Crown Court to five months in prison. 

“This was a cynical ploy to take a large sum of money from a trusting older lady,” said Police Staff Investigator Ian Brown.

He added: “Money was removed from the victim’s account within 24 hours and Karuturi admitted he and an associate then visited various moneygram/foreign exchange centers across the country to try to avoid suspicion, with much of the cash being sent overseas.”

Categories: Cyber Risk News

ID Theft Couple on the Run

Info Security - Tue, 09/07/2021 - 16:25
ID Theft Couple on the Run

A couple from California who were convicted of using fake or stolen identities to claim millions of dollars in Covid-19 relief fraud fraudulently have gone on the run.

Authorities said that Encino residents 37-year-old Marietta Terabelian and 43-year-old Richard Ayvazyan cut off their electronic monitoring anklets and absconded.

In June, the husband and wife were found guilty of stealing $21m by using a mixture of stolen and fake identities to submit fraudulent applications to the United States’ Economic Injury Disaster Loan and Paycheck Protection Program (PPP). 

Among the couple’s fake identities used on the loan applications were “Luliaa Zhadko” and “Victoria Kauichko.” To corroborate the IDs, Terabelian and Ayvazyan submitted false documents included fake tax documents and payroll records to the Small Business Administration (SBA).

After an eight-day trial, Terabelian and Ayvazyan were convicted along with Ayvazyan’s brother Arthur Ayvazyan and another family member of conspiracy to commit fraud and wire fraud, 11 counts of wire fraud, eight counts of bank fraud, and one count of conspiracy to commit money laundering. 

Richard Ayvazyan was also found guilty of two counts of aggravated identity theft. 

Evidence presented at the trial showed that all four individuals convicted in the fraud case used the stolen funds to purchase luxury items, including designer clothes, diamonds and property.

“The defendants then used the fraudulently obtained funds as down payments on luxury homes in Tarzana, Glendale, and Palm Desert,” said the Department of Justice in a press release. 

“They also used the funds to buy gold coins, diamonds, jewelry, luxury watches, fine imported furnishings, designer handbags, clothing, and a Harley-Davidson motorcycle.”

The couple made their escape on September 5 before a court had determined their sentences. Each faces a maximum custodial term of 52 years.

CBS Denver reported that Terabelian and Ayvazyan were due to be sentenced in Los Angeles on October 4. 

Authorities are calling for the public’s aid in tracking down the vanished fraudsters.  

In a Tweet posted on Tuesday, the Los Angeles FBI Office wrote: 

(Corrected) Richard Ayvazyan, 43, & Marietta Terabelian, 37, were found guilty in $21 million bank/SBA fraud & are set to be sentenced. The pair allegedly cut monitoring bracelets & are considered fugitives. Please call 3104776565 if you have info as to their location #TipTuesday pic.twitter.com/pyyGOMiVF4

— FBI Los Angeles (@FBILosAngeles) September 1, 2021
Categories: Cyber Risk News

Germany Accuses Russia of Election Meddling Through Cyber-Attacks

Info Security - Tue, 09/07/2021 - 11:13
Germany Accuses Russia of Election Meddling Through Cyber-Attacks

Germany has accused Russia of attempting to influence its upcoming general election through a wave of cyber-attacks.

The German Foreign Ministry said it had “reliable information” that hackers working for Russia’s GRU military intelligence service tried to steal login details of federal and state lawmakers. This is likely for the purpose of misleading voters by posting fake messages from politicians’ accounts ahead of the nation’s federal election on September 26.

Foreign Ministry spokeswoman Andrea Sasse said this was part of a cyber-campaign targeting Germany “for some time.” She attributed it to cyber-espionage group Ghostwriter, who were “combining conventional cyber-attacks with disinformation and influence operations.”

Ghostwriter is a cyber-enabled influence campaign that primarily targets audiences in Lithuania, Latvia and Poland.

Sasse outlined: "The German government has reliable information on the basis of which Ghostwriter activities can be attributed to cyber actors of the Russian state and, specifically, Russia's GRU military intelligence service."

Russia has been accused of interfering in election campaigns throughout the world on numerous occasions over recent years, including in the US and UK.

The question of German ties to Russia has been debated during the current German election campaign, particularly around the future of the gas pipeline Nord Stream 2, which may be a motivating factor for these attacks.

Sasse said: “These attacks could serve as preparations for influence operations such as disinformation campaigns connected with the election.”

She added: "The federal government strongly urges the Russian government to stop these unacceptable cyber activities with immediate effect.” Sasse also revealed the same demand had been made directly to a representative of the Russian Foreign Ministry last week and said the incidents were a “severe strain on bilateral relations.”

Yesterday, a new report by the Crime and Security Research Institute at Cardiff University said Western media channels are systematically manipulated to spread pro-Russian government propaganda and disinformation.

If you liked this article, be sure to check out this upcoming Online Summit session:

Categories: Cyber Risk News

Personal Details of 8,700 French Visa Applicants Exposed by Cyber Attack

Info Security - Tue, 09/07/2021 - 10:50
Personal Details of 8,700 French Visa Applicants Exposed by Cyber Attack

A cyber-attack has compromised the data of around 8700 people applying for French visas via the France-Visas website. 

The French Ministry of Foreign Affairs and the Ministry of the Interior announced on Friday (August 3) that the cyber-attack targeted a section of the site, which receives around 1.5 million applications per month. 

In a statement, the ministries claimed that the attack had “been quickly neutralized,” but personal details — including names, passport and identity card numbers, nationalities and dates of birth — had been leaked.

No ‘sensitive’ data (as defined by the GDPR) was compromised, said the government ministries.

In response to this news, Ronnen Brunner, VP of EMEA at ExtraHop, said: “The recent cyber-attack in France, which has compromised the data of around 8700 people applying for visas to live and work in France, has resulted in personal details being leaked, including passport numbers and addresses. The public sector’s responsibility for personal data is a vital part of the public services to continue to build credibility and trust for its citizens and improve the level of service while the security is maintained. 

“This is exactly the reason we see organizations like the Met Police in the UK emphasize network visibility in their cybersecurity strategy.”

He added: “Public sector organizations should adopt privacy standards and controls as regulated markets do, such as banks and healthcare. The EU created GDPR to manage exactly these types of concerns and data leakage incidents, but it’s not enough for public administration to write data privacy legislation. It’s also crucial they meet these requirements themselves.”

Categories: Cyber Risk News

ICO Requests International Support to Tackle Cookie Pop-Ups

Info Security - Tue, 09/07/2021 - 09:47
ICO Requests International Support to Tackle Cookie Pop-Ups

The UK’s Information Commissioner’s Office (ICO) has announced it wants to tackle cookie pop-ups to help protect personal data.

Information Commissioner Elizabeth Denham will call on G7 authorities to work on this issue collectively, presenting a plan to improve the current cookie consent mechanism during a virtual meeting today and tomorrow.

Currently, many people automatically select ‘I agree’ when presented with cookie pop-ups on the internet, which allows websites to keep track of their visits and activities. This means they are giving up far more personal information than they wish.

During the meeting, which Denham is chairing, the ICO will present its vision for the future, in which web browsers, software applications and device settings allow people to set lasting privacy preferences of their choosing rather than making that decision through pop-ups every time they visit a website.

The ICO added that this approach is both technologically possible and compliant with data protection law. It is now hoped that the G7 will leverage their influence to further develop and roll out privacy-oriented solutions to this issue.

Denham commented: “I often hear people say they are tired of having to engage with so many cookie pop-ups. That fatigue is leading to people giving more personal data than they would like.

“The cookie mechanism is also far from ideal for businesses and other organizations running websites, as it is costly and it can lead to poor user experience. While I expect businesses to comply with current laws, my office is encouraging international collaboration to bring practical solutions in this area.

“There are nearly two billion websites out there taking account of the world’s privacy preferences. No single country can tackle this issue alone. That is why I am calling on my G7 colleagues to use our convening power. Together we can engage with technology firms and standards organizations to develop a coordinated approach to this challenge.”

In June, tech giant Google pushed back plans to block third-party cookies on Chrome until at least 2023.

During the G7 meeting, which will include representatives from Organisation for Economic Cooperation and Development (OECD) and the World Economic Forum (WEF), each country will present a specific technology or innovation issue they believe closer cooperation is needed.

Last month, the UK government announced that John Edwards, who currently serves as New Zealand’s privacy commissioner, is its preferred candidate to be the next Information Commissioner.

Categories: Cyber Risk News

Ireland's Gardai Clamps Down on HSE Cyber-Attackers

Info Security - Mon, 09/06/2021 - 16:40
Ireland's Gardai Clamps Down on HSE Cyber-Attackers

Ireland’s national police service, Gardai, has carried out a significant operation targeting the gang behind the ransomware attack on Ireland's Health Service Executive (HSE) in May, which it believes has prevented other such attacks taking place globally. 

On Sunday, a spokesperson said: “A significant disruption operation which targeted the IT infrastructure of a cyber crime group has been conducted by the Garda National Cyber Crime Bureau (GNCCB).

“The Garda National Cyber Crime Bureau have seized several domains used in this and other ransomware attacks." 

May’s ransomware attack on HSE, carried out with Conti ransomware, led to significant disruption to the Irish health service provider and many patients, costing the organization millions of euros. 

Gardai has used a so-called “splash screen” on the web domains to warn potential victims that ransomware has likely targeted their system.

The seizure of the websites reportedly “directly prevented” other ransomware attacks across the world.

“A process has also commenced between the Garda Siochana and their law enforcement partners at Europol and Interpol to provide the details of the visiting URLs to the member countries to ensure that the infected systems are appropriately decontaminated,” the spokesman said.

“To date a total of 753 attempts were made by ICT systems across the world to connect to the seized domains.

“In each instance, the seizure of these domains by the GNCCB investigation team is likely to have prevented a Conti ransomware attack on the connecting ICT system by rendering the initially deployed malware on the victim’s system as ineffective.”

Categories: Cyber Risk News

Pro-Russian Disinformation Systematically Spread Using Western Media Channels

Info Security - Mon, 09/06/2021 - 14:48
Pro-Russian Disinformation Systematically Spread Using Western Media Channels

Western media channels are being systematically manipulated to spread pro-Russian government propaganda and disinformation, according to a new report by the Crime and Security Research Institute at Cardiff University.

The researchers said they uncovered evidence that “provocative” pro-Russian or anti-Western statements were being systematically posted in reader comments sections in articles relating to Russia in 32 prominent media outlets across 16 countries. Russian-language media outlets subsequently used these comments as the basis of stories about politically controversial events.

These stories insinuated there is significant support among Western citizens for Russia or President Putin, using headlines such as “Daily Mail readers say…” and “Readers of Der Spiegel think…” They were also picked up and reported by other ‘fringe media’ and websites with track records of spreading disinformation and propaganda, some of whom have been linked to Russian intelligence services by Western security agencies.

In one example highlighted by the study, a small number of comments in a Mail Online story about the Taliban’s takeover in Afghanistan were used in a Russian news article under the headline “The British have compared the rise of the Taliban to power with the end of Western civilization.”

These stories were primarily published in Russia and audiences in Central and Eastern Europe, particularly Bulgaria. In total, the team discovered 242 stories that they believe were generated in this fashion. Among the websites repeatedly targeted by the influence operation are The Daily MailDaily Express and The Times in the UK; Fox News and Washington Post in the US; Le Figaro in France; Der Spiegel and Die Welt in Germany; and La Stampa in Italy.

The report added that there was evidence of coordination between Russian state-owned media and outlets linked to the non-state Patriot Media Group, observed and drew upon these reader comments.

While these activities were first spotted as part of research into online disinformation amid tensions between Ukraine and Russia earlier this year, the Cardiff team believes these tactics have escalated since 2018.

The researchers used data science pattern recognition and detection techniques to reader comments to make their findings, which uncovered multiple unusual behaviors associated with some accounts posting pro-Russian content. These included some users repeatedly changing their personas and locations. At the same time, on specific platforms, pro-Kremlin comments received an unusually high number and proportion of ‘up-votes compared with typical messages. Together, these multiple inauthenticity signals suggest the commenting activity was coordinated.

Professor Martin Innes, director of the Crime and Security Research Institute at Cardiff University, explained: “As mainstream social media platforms have become more alert to the risks of foreign state influence operations, so disinformation actors and propagandists have been seeking new vulnerabilities in the media ecosystem to exploit. By adopting a ‘full spectrum’ media strategy that blends together information from social and mainstream media outlets, this sophisticated campaign has had the potential to shape the thoughts, emotions and behavior of several diverse international audiences in relation to high-profile media stories.

“Most importantly, the particular tactics and techniques used to ‘hack’ the comments function in the media ecosystem make it almost impossible to attribute responsibility for the pro-Kremlin trolling behavior on the basis of publicly available open-source data. It is therefore vital that media companies running participatory websites are more transparent about how they are tackling disinformation and more proactive in preventing it.”

Andy Patel, a researcher with F-Secure’s Artificial Intelligence Center of Excellence, said media channels must do more to prevent comments being posted by nefarious actors on their sites. He says: “Comments sections on news sites attract posts from users with extreme opinions, and thus often precipitate arguments. These discussions are ripe for abuse by trolls and entities wishing to further extremist agendas. The research published by Cardiff University illustrates how such discussion threads can also be weaponized by bad-faith actors. Comments sections on sites such as these should be properly moderated. If this is not possible, the responsible thing to do is to disable comment functionality until proper moderation policies can be put in place.”

Categories: Cyber Risk News

US Cyber Command: Patch Critical Atlassian Bug Now

Info Security - Mon, 09/06/2021 - 09:26
US Cyber Command: Patch Critical Atlassian Bug Now

US government security experts have urged system administrators to patch two critical flaws in widely used Cisco and Atlassian products, exposing them to compromise.

In a rare move, US Cyber Command took to Twitter before the Labor Day holiday weekend on Friday to address the Atlassian bug.

“Mass exploitation of Atlassian Confluence CVE-2021-26084 is ongoing and expected to accelerate. Please patch immediately if you haven’t already—this cannot wait until after the weekend,” it warned.

Atlassian issued a patch for the vulnerability in its popular web-based collaboration platform on August 25. The developer said that if exploited, the Open Graph Navigation Library (OGNL) bug would allow an unauthenticated user to execute arbitrary code on a Confluence server or datacenter instance.

OGNL was also exploited by the attackers who breached Equifax in 2018 via Apache Struts 2 vulnerability CVE-2018-11776.

Also, at the end of last week, the Cybersecurity and Infrastructure Security Agency (CISA) issued an alert urging admins to patch a critical vulnerability affecting Cisco Enterprise Network Function Virtualization Infrastructure Software (NFVIS).

Impacting version 4.5.1 of the product, CVE-2021-34746 could allow a remote attacker to take control of an affected system.

“This vulnerability is due to incomplete validation of user-supplied input that is passed to an authentication script,” Cisco explained.

“An attacker could exploit this vulnerability by injecting parameters into an authentication request. A successful exploit could allow the attacker to bypass authentication and log in as an administrator to the affected device.”

There are no workarounds to address the vulnerability, leaving patching as the only option for impacted organizations.

The two alerts came as US government experts warned that ransomware threat actors are increasingly likely to strike ahead of holiday weekends.

Alongside prompt patching, national security advisor, Anne Neuberger, recommended organizations deploy multi-factor authentication, up-to-date backups and strong passwords. She also recommended organizations to review their incident response plans.

Categories: Cyber Risk News