Feed aggregator

Amazon Web Services Misconfiguration Exposes Half a Million Cosmetics Customers

Info Security - Thu, 06/17/2021 - 08:48

Hundreds of thousands of retail customers had their personal data exposed thanks to a misconfigured cloud storage account, Infosecurity has learned.

A research team at reviews site WizCase traced the leaky Amazon S3 bucket to popular Turkish beauty products firm Cosmolog Kozmetik.

The 20GB trove contained around 9500 files, including thousands of Excel files which exposed the personal information of 567,000 unique users who bought items from the provider across multiple e-commerce platforms.

Although the research team discovered no payment information, they did find customers’ full names, physical addresses and purchase details among the leaked orders. In some cases, phone numbers and emails were also exposed.

The oldest orders dated back to 2019, and they went right up to the present day. This indicates that the database is continually updated.

WizCase warned that many of those whose details were exposed may be unaware of the leak, as e-commerce marketplace users often don’t check the names of sellers.

Cosmolog Kozmetik, which also sells under the name “Marketlog,” is commonly found on major Turkish e-commerce platforms Trendyol, Hepsiburada, and Unishop.

WizCase warned that if threat actors managed to find and copy the exposed data, it might put these shoppers at risk of follow-on phishing and fraud, including refund scams. They could even suffer physical theft of packages if attackers track and steal shipments as they arrive at customers’ homes, it added.

“Cyber-criminals are always generating new methods to exploit anyone vulnerable on the internet,” WizCase warned in a blog post detailing the privacy snafu.

“For future purposes, we recommend always inputting the bare minimum of information when making a purchase or setting up an account on the internet. The less information you give hackers to work with, the less vulnerable you are to attack.”

Although WizCase contacted the Turkish CERT, Amazon and Cosmolog Kozmetik about the breach, none had replied at the time of writing.

Categories: Cyber Risk News

US Warns Russia of Cyber-Attack No-Go List

Info Security - Thu, 06/17/2021 - 08:26

President Biden and his team have warned the Putin administration of 16 critical infrastructure entities that are off-limits for threat actors operating from Russia.

The news came as the two leaders sat down in Geneva for a summit which Biden said was designed to ensure a “stable and predictable” relationship between countries following the turmoil of the Trump years.

After an audacious attack on Colonial Pipeline, which disrupted fuel supplies on the East Coast for days, Biden has been under increasing pressure to confront Putin over the cybercrime groups apparently operating with impunity from Russia.

The two spent “a great deal of time” talking about cybersecurity, said Biden in a post-meeting press conference.

“I talked about the proposition that certain critical infrastructure should be off limits to attack — period — by cyber or any other means. I gave them a list … of 16 specific entities; 16 defined as critical infrastructure under US policy, from the energy sector to our water systems,” he added.

“Of course, the principle is one thing. It has to be backed up by practice. Responsible countries need to take action against criminals who conduct ransomware activities on their territory.”

The two countries will now sit down to work on a deeper agreement on cybersecurity, designed to articulate “what’s off-limits.”

The US hammered out a similar agreement with China back in 2015 when Barack Obama warned Xi Jinping not to allow state-backed spies to target US companies in “economic cybercrime” attacks.

However, that deal soon fell apart as it became clear Beijing had no intention of dropping its plans.

Putin reportedly appeared similarly unapologetic at the Geneva meeting, claiming the Colonial Pipeline attack had nothing to do with the Kremlin. His US sources told him most cyber-attacks originate from the US.

Adam Flatley, former NSA director of operations and now director of threat intelligence at [redacted], said the summit went as expected.

“Both sides went in and stated their positions to set the playing field for the next few years. Russia denied everything, which is totally standard. Biden stated our opposing positions and didn’t cave to any of Putin’s initial demands, most of which were normal,” he explained.

“It looks like we’re back in a more normal world of international relations, which is a good thing. So the real outcome here seems to be that both sides stated their opening positions and will go back home to start pushing their different agendas, and we’ll have to see who has the will and resources to succeed.”

Categories: Cyber Risk News

US Convicts Russian Malware-masker

Info Security - Wed, 06/16/2021 - 18:51

The United States has convicted a Russian cyber-criminal of running a malware-masking service that helped hackers systematically infect victim computers around the world with malware, including ransomware.

On Tuesday, a federal jury in Connecticut found 41-year-old native Estonian Oleg Koshkin guilty of operating a crypting business via multiple websites, including “Crypt4U.com,” and “fud.bz.”

On the websites, Koshkin and his co-conspirators claimed that they could render malicious software such as botnets, remote-access trojans, keyloggers, credential stealers and cryptocurrency miners undetectable by nearly every major provider of antivirus software. 

According to court documents and evidence introduced at trial, Koshkin worked with Kelihos botnet operator Peter Yuryevich Levashov (aka Sergey Astakhov aka Petr Severa) to create a system that would allow Levashov to crypt the Kelihos malware multiple times per day. 

"Koshkin provided Levashov with a custom, high-volume crypting service that enabled Levashov to distribute Kelihos through multiple criminal affiliates," said a Department of Justice spokesperson.

"Levashov used the Kelihos botnet to send spam, harvest account credentials, conduct denial of service attacks, and distribute ransomware and other malicious software." 

The Kelihos botnet included at least 50,000 compromised computers around the world when it was dismantled in 2017 by the FBI following Levashov's arrest in Barcelona. After extradition to the United States, Levashov pleaded guilty in 2018 to one count of causing intentional damage to a protected computer, one count of conspiracy, one count of wire fraud, and one count of aggravated identity theft.

Koshkin was arrested in California in September 2019 and has been detained since his arrest. He faces a maximum penalty of 15 years in prison and is scheduled to be sentenced on September 20.

Pavel Tsurkan, Koshkin’s co-defendant, is charged with aiding and abetting Levashov in causing damage to 10 or more protected computers and also with conspiring to cause damage to 10 or more protected computers.

Acting Assistant Attorney General Nicholas McQuaid of the Justice Department's Criminal Division said: “The verdict should serve as a warning to those who provide infrastructure to cyber-criminals: the Criminal Division and our law enforcement partners consider you to be just as culpable as the hackers whose crimes you enable, and we will work tirelessly to bring you to justice.”

Categories: Cyber Risk News

Deloitte Acquires Terbium Labs

Info Security - Wed, 06/16/2021 - 17:03

All of the assets of Terbium Labs have been acquired by multinational professional services network Deloitte Touche Tohmatsu Limited (Deloitte).

The acquisition of the Baltimore-based digital risk protection company was announced by Deloitte on June 15. 

Terbium Labs was founded in 2013 to help organizations detect and remediate data exposure, theft, or misuse across the digital landscape. In 2019, the company announced a $2m investment from the Omidyar Network, a philanthropic investment firm created by eBay founder Pierre Omidyar and his wife, Pam.

Deloitte said acquiring the dark web intelligence firm will boost its cyber practice in its Detect & Respond suite offering.

Services and solutions offered by Terbium Labs include a digital risk protection platform that uses artificial intelligence, machine learning and patented data fingerprinting technologies to identify the illegal use of sensitive data online.

"Finding sensitive or proprietary data once it leaves an organization's perimeter can be extremely challenging," said Kieran Norton, Deloitte risk & financial advisory's infrastructure solution leader and principal.  

"Adding Terbium Labs' business to our portfolio will offer our clients one more way to continuously monitor for — and, when appropriate, minimize the impact of — data exposed on the open, deep, or dark web," he added.

"Our industry-leading cyber practice is focused on providing our clients with new and innovative ways to transform their cyber risk postures as they endeavor to strengthen their trust equity, resilience and security," added Deborah Golden, Deloitte risk & financial advisory cyber and strategic risk leader and principal.

"As regulations change and new capabilities become available, we're strategically investing to offer advanced approaches to monitor digital assets privately and securely and to reduce time from event to remediation. These investments are powerful individually in bringing improved outcomes for our clients and transformational together by helping our clients become higher performing and more agile in the face of new threats and more efficient in their operations." 

Terbium Labs is Deloitte's third cyber acquisition this year. The network purchased Root9B, LLC (R9B) in January and announced its acquisition of cloud security posture management provider CloudQuest on June 7.

Categories: Cyber Risk News

IAB Tech Lab Accused of “World’s Largest Data Breach”

Info Security - Wed, 06/16/2021 - 16:28

The IAB Technology Laboratory (IAB Tech Lab), which develops ad-industry standards, is being sued by the Irish Council for Civil Liberties (ICCL) for allegedly being responsible for "the world's largest data breach."

A non-profit digital media consortium established in 2014 and based in New York, the IAB Tech Lab's 650-member community includes Facebook, Google and Amazon.

In a lawsuit filed by ICCL senior fellow Johnny Ryan on May 18 in a court in Hamburg, the IAB Tech Lab comes under fire for real-time bidding, a process during which data is shared between ad brokers and other companies while advertising space is being auctioned as a website loads.

Despite the case's having been filed nearly a month ago, the IAB Tech Lab told a BBC reporter who reached out to the consortium for comment for an article that went live Wednesday that it was not familiar with Ryan's claim.

"We are reviewing the allegations in conjunction with our legal advisers and will respond in due course, if appropriate," said an IAB Tech Lab spokesperson.

Ryan, who worked as an advertising-industry professional before joining the ICCL, claims that when a user loads an app or web page that carries advertising, their data is shared with hundreds of ad brokers. 

The brokers use the data to sell the ad space that splashes onto the screen while the page loads. According to Ryan, users who see empty ad spaces that then fill with ads are watching their own data being auctioned in real time. 

Ryan said user data shared in the process includes "inferences of your sexual orientation, religion, what you're reading, watching, and listening to, your location."

He said it is a multi-million-dollar industry that most internet users know nothing about.

The IAB Tech Lab provides publicly available two- and three-digit codes, each of which represents a piece of user data. For example, a household with an income lower than $10k is given the code 60. 

Ryan alleges that providing that data – which IAB Tech Lab calls "audience taxonomy" – breaches EU privacy rules because users have not actively consented to this collection and dispersion of their data. 

He said: "The law needs to apply and sweep the industry so you can still have your bid requests but without personal data changing hands."

Categories: Cyber Risk News

Members of Clop Ransomware Gang Arrested in Ukraine

Info Security - Wed, 06/16/2021 - 15:39

Members of the notorious FIN11 (Clop) ransomware gang have been arrested today by the Ukrainian police in conjunction with Interpol and law enforcement from the US and South Korea.

In a statement published today, the Ukrainian police revealed it has arrested six people alleged to be part of the financial cybercrime gang FIN11, which is believed to be behind many high-profile cyber-attacks. These include the attacks exploiting vulnerabilities in Accellion’s FTA product earlier this year, enabling it to access the system of aircraft manufacturer Bombardier.

In the statement, the police outlined its belief that the six suspects “carried out ransomware-type malware attacks on the servers of US and Korean companies.” This includes encrypting personal data of employees and financial reports of the Stanford University School of Medicine, the University of Maryland and the University of California.

The police added that it had seized cash, cars, and a number of Apple Mac laptops and desktops alongside the arrests. It stated: “Through the joint efforts of law enforcement officers, it was possible to stop the operation of the infrastructure from which the virus is spreading and block the channels for the legalization of cryptocurrencies obtained by criminal means.”

The announcement is the latest in several recent successes for law enforcement agencies in countering cyber-criminal gangs. For example, earlier this month, the US Department of Justice revealed it managed to seize around $2.3m of the $4.4m in cryptocurrency paid to the Darkside gang by Colonial Pipeline following the ransomware attack on the fuel transportation company in May.

Security experts such as Kim Bromley, a senior cyber threat intelligence analyst at Digital Shadows, recognize the significance of these arrests: “On 16 Jun 2021, Ukrainian police announced the arrest of individuals and the takedown of infrastructure related to the ‘Clop’ ransomware. This activity comes in the aftermath of increased pressure from law enforcement and governments on ransomware groups, following recent attacks on critical national infrastructure in the US. Clop ransomware has been active since February 2019 and targets large organizations for big game hunting. Despite partaking in the ever-popular double-extortion tactic, Clop’s reported activity level is relatively low when compared with the likes of ‘REvil’ (aka Sodinokibi) or ‘Conti’.

“Earlier in the year, the ‘Ziggy’ ransomware shut down its operation, citing an increased scrutiny from law enforcement as the reason. This week, the ‘Avaddon’ ransomware also appears to have ceased operations. Seemingly, the consistent pressure from law enforcement on these threat groups is beginning to have a positive impact.”

John Hultquist, VP of analysis, Mandiant Threat Intelligence, outlined: “The Cl0p operation has been used to disrupt and extort organizations globally in a variety of sectors including telecommunications, pharmaceuticals, oil and gas, aerospace and technology. The actor FIN11 has been strongly associated with this operation, which has included both ransomware and extortion, but it is unclear if the arrests included FIN11 actors or others who may also be associated with the operation.

“The arrests made by Ukraine are a reminder that the country is a strong partner for the US in the fight against cybercrime, and authorities there are making the effort to deny criminals a safe harbor. This is especially relevant as President Biden and Putin discuss the state of cyber-threats emanating from Russia, including the ransomware threat, which has increasingly threatened critical infrastructure and the everyday lives of people around the world.”

Categories: Cyber Risk News

NHS Test and Trace Bolsters its Cybersecurity

Info Security - Wed, 06/16/2021 - 13:28

NHS Test and Trace has announced that an early-stage UK company will be in charge of managing its supply chain cybersecurity risks.

Risk Ledger, which was part of the fourth cohort of the government-backed London Office for Rapid Cybersecurity Advancement (LORCA) program to promote cyber scaleups, will allow NHS Test and Trace to utilize its ‘social network’ platform. The platform will enable organizations to connect and share risk data securely, quickly and easily. This move is particularly crucial for the UK’s test and trace service, which involves the continued sharing of sensitive data to help control the spread of COVID-19 as lockdown restrictions ease.

The Risk Ledger platform will provide NHS Test and Trace complete visibility of its supply chain, including data needed to identify, measure and mitigate any cyber threats that emerge.

The importance of securing supply chains has come into sharper focus due to recent high profile incidents, especially the SolarWinds attacks at the end of last year.

Creating the NHS Test and Trace system, which includes an official app, has brought about several privacy and data protection concerns. It is hoped the contract with Risk Ledger, which was a winner in the Department for Digital, Culture, Media, and Sport’s ‘Most Innovative UK Cyber SME of the Year’ competition in May, will help assuage some of these fears.

Minister for Digital Infrastructure Matt Warman MP commented: “The government is working tirelessly to secure the nation online and grow the UK’s £8.9bn cybersecurity industry as we build back better from the pandemic. We’re helping SMEs develop innovative products and services, and it’s great to see Risk Ledger, one of the firms we’ve supported, win this contract to protect the Test and Trace system and support the national effort against coronavirus.”

Haydn Brooks, Risk Ledger CEO and co-founder, welcomed the move: “NHS Test and Trace is essentially the biggest new start-up in the UK healthcare market so we are delighted they have chosen to take advantage of our ability to provide enhanced visibility of their supply chain risks. I am proud we will be part of the effort to secure this incredibly important supply chain.

“Healthcare organizations and their supply chains handle lots of highly sensitive data and have a high rate of data breaches. We have already seen during the COVID-19 pandemic that bad actors are actively targeting supply chains to access data and cause disruption.”

Categories: Cyber Risk News

Football Fever Puts Password Security at Risk

Info Security - Wed, 06/16/2021 - 10:11

Security experts have urged users to think more carefully about their password choice after spotting as many as one million based on simple football-related words.

Authentication firm Authlogics manages a Password Breach Database — a collection of previously stolen or cracked credentials that allows it to spot trends and offer industry advice.

It claimed that of the one billion passwords in the trove, over 1.1 million are linked to the beautiful game. These are led by the password “football” (353,993), followed by “Liverpool” (215,842), “Chelsea” (172,727), “Arsenal” (151,936) and “Barcelona” (131,090).

The problem for these users is two-fold: not only are such credentials relatively easy to guess or crack, but if they’re reused across multiple accounts, including corporate ones, it could expose them to credential stuffing.

This is the practice of using automated software to try large numbers of previously breached log-ins simultaneously across multiple accounts, hoping that some will work.

Authlogics cited Google research which claims that over half (52%) of users reuse the same password on multiple accounts, with only a third (35%) using a different credential for all log-ins.

“If your password has been breached on one account, and you are one of the 52% of people who reuse their passwords regularly, you might find other accounts which were not breached also compromised,” Authlogics warned.

“If someone is aware of the amount of passwords that are associated with football, and are able to use social engineering tactics to discover which team an individual supports, they can make a good, educated guess as to their password to not just one, but multiple accounts.”

Password managers can help here by storing and recalling unique and robust credentials for each website and online account. Multi-factor authentication (MFA) is also recommended to bolster authentication security.

Authlogics recommended combining letters, numbers and symbols to increase password strength — even if football-mad users want to include their favorite team in their log-ins.

Categories: Cyber Risk News

Most Ransomware Victims Are Hit Again After Paying

Info Security - Wed, 06/16/2021 - 09:18

Some 80% of global organizations that have paid a ransom demand experienced another attack, often at the hands of the same threat actors, according to a new study from Cybereason.

The security vendor polled 1,263 cybersecurity professionals in multiple verticals across the US, UK, Spain, Germany, France, the United Arab Emirates, and Singapore to compile its latest report, Ransomware: The True Cost to Business.

It confirmed what law enforcers and commentators have been saying for some time – victim organizations should, if possible, avoid paying their extorters. Some 46% of respondents, rising to 53% in the UK, said they believe the same threat group attacked them the second time.

However, this can be difficult to ascertain definitively given the large number of affiliate groups working with the same malware strains. A Sophos report this week revealed that no two REvil affiliates work in the same way.

Not only does paying a ransom encourage copycat crimes, but there’s no guarantee of a swift return to business-as-usual. Cybereason found that in nearly half (46%) of cases, the victim organization regained access to data following payment, but some or all of it was corrupted.

The report also laid bare the potentially devastating consequences of a successful ransomware attack. Two-thirds (66%) of respondents said they suffered significant revenue loss, over half (53%) said their brand suffered, and a third (32%) lost leadership through dismissal or resignation.

In some cases, an attack can have an existential impact: 29% said they were forced to eliminate jobs following an incident. A quarter (25%) of respondents claimed it led to the organization’s closure.

Big-name organizations from Colonial Pipeline to JBS have recently admitted to paying multimillion-dollar sums to their attackers to mitigate potentially severe customer disruption.

However, Cybereason CEO, Lior Div, was clear about which approach corporate victims should take.

“Paying a ransom demand does not guarantee a successful recovery, does not prevent the attackers from hitting the victim organization again, and in the end only exacerbates the problem by encouraging more attacks,” he argued.

“Getting in front of the threat by adopting a prevention-first strategy for early detection will allow organisations to stop disruptive ransomware before they can hurt the business.”

Categories: Cyber Risk News

IoT Supply Chain Bug Hits Millions of Cameras

Info Security - Wed, 06/16/2021 - 08:37

Security experts have warned of a critical IoT supply chain vulnerability that may affect millions of connected cameras globally, allowing attackers to hijack video streams.

Nozomi Networks revealed the flaw in a popular software component from ThroughTek, which OEMs use to manufacture IP cameras, baby and pet monitoring cameras, and robotic and battery devices.

The bug itself is found in a P2P SDK produced by the firm. In this case, P2P refers to functionality that allows a client on a mobile or desktop app to access audio/video streams from a camera or device through the internet.

Nozomi Networks claimed that the protocol used for transmission of those data streams “lacks a secure key exchange and relies instead on an obfuscation scheme based on a fixed key.”

This means that unauthorized attackers could access it to reconstruct the audio/video stream — effectively enabling them to snoop on users remotely.

CISA released its own security alert for the ThroughTek P2P SDK yesterday, giving it a critical CVSS score of 9.1. According to the advisory, it affects: versions 3.1.5 and older; SDK versions with nossl tag; and device firmware that does not use AuthKey for IOTC connection, uses the AVAPI module without enabling DTLS, or uses the P2PTunnel or RDT module.

ThroughTek placed the blame firmly on developers who have incorrectly implemented its SDK or failed to update the offering.

It said version 3.3 was introduced in mid-2020 to fix this vulnerability and urged any customers to update the SDK version used in their products.

It also revealed that the bug could lead to unauthorized eavesdropping on camera video and audio, as well as device spoofing and device certificate hijacking.

The case highlights the challenges facing users of IoT and other devices, which have complex supply chains using components from third parties.

Last year, several zero-day vulnerabilities were discovered in a widely used low-level TCP/IP software library that may have impacted hundreds of millions of IoT devices.

In April this year, researchers found multiple flaws dubbed “Name:Wreck” in popular IT software FreeBSD and various IoT/OT firmware types, which they claimed could be present in over 100 million devices.

Categories: Cyber Risk News

“Homeless Hacker” Arrested

Info Security - Tue, 06/15/2021 - 18:23

Author and activist Christopher Doyon has been arrested in Mexico in connection with a cyber-attack on the Santa Cruz County government's website carried out more than a decade ago.

Doyon, who calls himself Commander X online, wrote and published the book Behind the Mask about his time as a member of hacking group Anonymous. On social media, the 56-year-old is also known as the Homeless Hacker.

A former resident of Mountain View, California, Doyon was reportedly working on behalf of the self-styled cyber-warrior organization People's Liberation Front back in 2010 when the Massachusetts-based group organized a protest in Santa Cruz.

During the event, more than 50 people camped outside the city's district courthouse to protest the city council’s decision to tackle the issue of homelessness in Santa Cruz by banning camping in the city. 

The protest, which began in July, was broken up by police in October. Doyon was arrested for sleeping in public at the protest but failed to show up for a court date. A warrant was subsequently issued for his arrest. 

It is alleged that in December of 2010, Doyon launched a Distributed Denial of Service (DDoS) attack against Santa Cruz County that knocked out the county's website. 

Doyon was arrested in 2011 and charged with conspiracy to cause intentional damage to a protected computer, causing intentional damage to a protected computer, and aiding and abetting. He was released on bail but didn't show up for his federal court hearing scheduled for February 2012. 

The alleged Santa Cruz County attacker then reportedly fled to Canada, leaving his defense attorney to cover the cost of his $35k bail bond. Doyon's time living on the streets of Toronto was captured by documentary co-producer Ian Thornton. 

Doyon was arrested in Mexico on June 11 by Mexican immigration authorities. On June 12 he was deported to the United States and arrested by FBI agents.  

Doyon appeared before magistrate judge Donna Ryu in US District Court for the Northern District of California to face indictment for his failure to appear in federal court in 2012. He was jailed and is scheduled to appear today for arraignment and identification of counsel.

Categories: Cyber Risk News

Marketplace Selling Stolen Credentials Is Dismantled

Info Security - Tue, 06/15/2021 - 17:55

An online marketplace offering millions of allegedly stolen online account login credentials for sale has been taken down in a coordinated international operation.

Law enforcement agencies in Germany, the Netherlands, Romania, and the United States worked together to disrupt and dismantle the infrastructure of the store named Slilpp.

According to a seizure warrant affidavit unsealed on June 10, the Slilpp marketplace peddled stolen login credentials, including usernames and passwords for bank accounts, online payment accounts, mobile phone accounts, retailer accounts, and other online accounts, for nearly a decade.

The affidavit states that since 2012, the Slilpp marketplace has been providing a forum and payment mechanism that allowed vendors to sell, and customers to buy, illegally obtained login credentials. 

Buyers later used the login credentials they had purchased through Slilpp to conduct unauthorized transactions such as wire transfers from the related accounts, according to the affidavit.

To date, over a dozen individuals have been charged or arrested by United States law enforcement in connection with the Slilpp marketplace.

A series of servers that hosted the Slilpp marketplace infrastructure and its various domain names were identified and seized by the Federal Bureau of Investigation and its partners working in foreign law enforcement overseas. 

At the time of the seizure and subsequent disruption of the marketplace, the affidavit alleges, stolen account login credentials for more than 1,400 account providers were available for sale on Slilpp. 

The full impact of Slilpp has not yet been determined. Based on existing victim reports, the affidavit states, stolen login credentials sold via the marketplace have been exploited to cause losses in excess of $200m in the United States alone. 

“The Slilpp marketplace allegedly caused hundreds of millions of dollars in losses to victims worldwide, including by enabling buyers to steal the identities of American victims,” said Acting Assistant Attorney General Nicholas McQuaid of the Justice Department’s Criminal Division. 

“The department will not tolerate an underground economy for stolen identities, and we will continue to collaborate with our law enforcement partners worldwide to disrupt criminal marketplaces wherever they are located.”

Categories: Cyber Risk News

IKEA Fined $1.2m for Spying on Employees

Info Security - Tue, 06/15/2021 - 16:28

Swedish furnishing conglomerate IKEA has been fined €1m ($1.2m) for illegally spying on its employees in France and storing their data.

The fine was ordered by a French court on Tuesday after a criminal probe launched in 2012 found that IKEA France had created an elaborate "spying system" to snoop on staff and on customers who had opened disputes.

IKEA, which has 29 stores in France, was found guilty of "receiving personal data by fraudulent means." 

Prosecutors said IKEA France tapped police sources, engaged a private security company, and hired private detectives to illegally acquire confidential information on its workers and prospective employees. 

Data obtained by the company included membership of labor unions or works councils. Investigators were also asked to find out how an employee could afford a new BMW.

In 2012, satirical weekly newspaper Le Canard enchaîné published email exchanges between IKEA and private investigators that showed that spying on staff had been de rigueur at the French subsidiary for years.

Prosecutors said that the espionage infrastructure established by the French subsidiary operated for at least a three-year period from 2009 to 2012. After accusing the company of "mass surveillance," prosecutors sought a fine of €2m ($2.4m) against the company.

IKEA admitted to basic rights violations back in 2012, and released a statement declaring that "IKEA fully condemns the practices brought to light."

Although the trial was centered on spying that occurred from 2009 to 2012, prosecutors say the snooping system was set up almost a decade earlier under a former head of IKEA France, Jean-Louis Baillot.

Baillot, who headed the company from 1996 to 2002, denies any wrongdoing and has declared himself "shocked" to be convicted for his role in the scandal. A French court handed Baillot a two-year suspended prison sentence and fined him €50,000 ($60,630) for storing personal data.

Jean-Francois Paris, IKEA's former head of risk management and a central figure in the scandal, admitted to sending lists bearing the names of people "to be tested" to the security firm Eirpace. The testing was so prevalent that it generated annual bills of up to €600,000.

Paris was given a suspended 18-month prison term and fined €10,000. 

Categories: Cyber Risk News

NATO Warns it Will Consider a Military Response to Cyber-Attacks

Info Security - Tue, 06/15/2021 - 15:03

NATO has warned it is prepared to treat cyber-attacks in the same way as an armed attack against any of its allies and issue a military response against the perpetrators.

In a communique issued by governments attending the meeting of the North Atlantic Council in Brussels yesterday, the military alliance revealed it had endorsed a Comprehensive Cyber Defence Policy, in which a decision will be taken to invoke Article 5 “on a case-by-case basis” following a cyber-attack. Under Article 5 of the NATO treaty, first signed in 1949, when any NATO ally is the victim of an armed attack, it will be considered an attack on all alliance members, who will theoretically take any actions necessary to defend that ally.

The announcement has come amid rising cyber-threats to the alliance, which NATO said are “complex, destructive, coercive, and becoming ever more frequent.” It highlighted recent ransomware and other types of cyber-attacks “targeting our critical infrastructure and democratic institutions, which might have systemic effects and cause significant harm.”

Examples of these kinds of incidents include the ransomware attack on Colonial Pipeline last month, which forced the US’ largest fuel pipeline offline, and the SolarWinds supply chain attacks at the end of 2020, both of which were purportedly conducted by Russian state-backed actors.

NATO has signalled on a number of occasions in recent years that it considers cyber a legitimate military domain, and the new policy clarifies this stance.

“Reaffirming NATO’s defensive mandate, the Alliance is determined to employ the full range of capabilities at all times to actively deter, defend against, and counter the full spectrum of cyber-threats, including those conducted as part of hybrid campaigns, in accordance with international law,” it added.

The communique also warned of the growing security challenge that China poses to the alliance through its “stated ambitions and assertive behavior,” which includes cyber-threats and disinformation campaigns.

Commenting on the communique, Erwan Keraudy, CEO of CybelAngel, said, “Traditional forms of war, rules of engagement and conduct have existed in one form or another and have been with us for centuries. But there is no straightforward definition in the cyber world. The lines have been completely blurred. So, NATO re-affirming the rules and conventions governing cyberspace is a positive and proactive step forward in establishing a standard cyber framework.”

Categories: Cyber Risk News

Fake Online Reviews Linked to $152 Billion in Global Purchases

Info Security - Tue, 06/15/2021 - 14:00

Fake online reviews are responsible for an estimated $152 billion in purchases, according to a new study based on data shared by major e-commerce sites.

Customer acquisition security vendor CHEQ teamed up with the University of Baltimore to produce its Fake Online Reviews 2021 report — part of what it claims to be the “first-ever in-depth economic analysis of the full scale of internet harm.”

The report’s headline claim is based on an average rate for fake reviews of 4% across platforms including Amazon, TrustPilot, Yelp and Tripadvisor, and an estimated global e-commerce market size of nearly $4.3 trillion in 2020.

It breaks down to around $28 billion of consumer spending in the US influenced by fake reviews, $6.4 billion in Japan, $5 billion in the UK, $2.3 billion in Canada, and $900 million in Australia.

In the US, travel and fashion (both around $4 billion) are the sectors most affected in purely financial terms, followed by electronics ($3 billion), furniture and homeware ($2 billion) and entertainment ($1 billion).

The report reveals the sheer size of the underground trade in five-star reviews, which it claims are charged at anywhere between 25 cents and $100 per review. Reviewers may be encouraged to purchase an item for ‘review’, which they are then reimbursed for and allowed to keep, sometimes in addition to a commission.

This was the kind of scam uncovered by researchers recently when they discovered a misconfigured database containing the personal details of around 200,000 such reviewers.

However, the same kind of thing is increasingly done by ad fraud bots which are signed up via travel, e-commerce paid search and social campaigns, the report claimed.

Overall, the impact could be to diminish customer trust in online reviews, and therefore in e-commerce itself, and to unduly harm businesses whose rivals have posted fake negative reviews about them online.

“Given the size of the market, the ease of entry and the immediate economic benefits, bad actors remain highly incentivized to engage in fake reviews,” argued report co-author Roberto Cavazos at the University of Baltimore.

“This complex market is adversely influencing our purchases, causing significant economic detriment, creating real revenue losses for businesses, and severely diminishing trust in online purchasing.”

Categories: Cyber Risk News

Third of Staff Use Security Workarounds at Home

Info Security - Tue, 06/15/2021 - 10:21

Over a third (36%) of workers claim to have picked up bad security behaviors since working from home, potentially putting their employers at risk, according to a new study from Tessian.

The security vendor polled over 4,000 employees in the US and UK across various company sizes and industries, along with 200 IT professionals, to better understand back-to-work trends.

The resulting Back to Work: Security Behaviors Report revealed that many staff found security workarounds since working remotely, with younger respondents in the 16-24 age bracket (51%) and 25-34-year-olds (46%) most likely to have cut security corners. By contrast, just 19% of over-55s said they did.

Nearly a third (30%) also said they feel like they can get away with riskier behavior at home, with half (49%) claiming it’s because they think they aren’t being watched by IT.

Behaviors such as clicking on links in unsolicited messages, using personal devices and online accounts for work, and downloading unsanctioned apps to work devices can expose the organization to enhanced cyber-risk.

In fact, over a quarter of responding employees admitted making a mistake that has compromised company security. These incidents went unreported for fear of disciplinary action or having to take part in more security training, Tessian said.

The good news is that most (70%) IT professionals surveyed believe the return to the office will encourage employees to reengage with security and data protection policies.

However, there are still concerns: over half (54%) of IT leaders are worried that staff will bring infected devices back into the workplace, while 69% said ransomware would be a greater concern when new hybrid ways of working bed in.

Tessian CEO, Tim Sadler, agreed that the hybrid model would be challenging to secure.

“Employees are the gatekeepers to data and systems, but expecting them to be security experts and scaring them into compliance won’t work,” he argued.

“IT leaders need to prioritize building a security culture that empowers people to work securely and productively, and understand how to encourage long-lasting behavioral change over time if they’re going to thrive in this new way of working.”

Categories: Cyber Risk News

No Two REvil Attacks Are the Same, Experts Warn

Info Security - Tue, 06/15/2021 - 09:34

According to a new report, no two criminal groups deploy the infamous REvil ransomware variant identically, adding to the challenge for those tasked with detecting and responding to such attacks.

The new study from Sophos details the activity of the affiliates who license the malware itself and handle the break-ins. This ransomware-as-a-service (RaaS) model now accounts for the majority of attacks in the wild.

Initial network access could come from brute-forcing internet-facing services like VPNs, RDP, VNC, and cloud-based management systems. It could also come from phished or otherwise stolen credentials for legitimate accounts not protected by multi-factor authentication (MFA) or, in some cases, from “piggybacking” on other malware already present on the network.

Brute-force password cracking attempts on RDP servers are common: Sophos revealed that one customer experienced 35,000 failed login attempts over a five-minute period, originating from 349 unique IP addresses around the world.

If they don’t have a functioning credential, the REvil affiliates are likely to bide their time, monitoring the target network and/or using tools like Mimikatz to extract passwords for a domain administrator account.

The next stage involves preparing the victim network for a ransomware attack, which Sophos principal researcher, Andrew Brandt, calls “tilling the field.”

“The attackers need to establish a list of internal targets, give themselves domain admin privileges, and use those privileges to shut down or otherwise hobble anything that might impede their attack,” he explained.

“Windows Defender is usually the first to go, but often the attackers will spend some time trying to determine what endpoint protection tools are running on the computers, and may run one or more customized scripts that combine an attempt to kill any running protection process or services, and also to remove any persistence those processes or services might have.”

A tell-tale sign of malicious activity here is the presence of PowerShell scripts, batch files, or other “laying the groundwork” code used to disable protective features.

Next comes data exfiltration, a practice that should be detectable “but never happened in the cases we investigated,” according to Brandt.

REvil affiliate attackers typically spend a few days looking through file servers and bundling large numbers of documents into compressed files in a single location. These archives are then usually uploaded to a cloud storage service over the course of a few hours or a day, with Mega.nz favored by most attackers.

There’s a wide variety of different ways to launch the ransomware payload itself, Sophos explained.

“They may push out copies to individual machines from a domain controller, or use administrative commands with WMIC or PsExec to run the malware directly from another server or workstation they control over the internal network of the target organization,” said Brandt.

Another option for REvil affiliates is to reboot a hijacked computer into Safe Mode, with the REvil malware adding itself to the shortlist of apps that can run in this mode.

“In others, we’ve observed the threat actor using WMI to create service entries on the machines they target for encryption,” said Brandt. “The entries contain a long, encoded command string that is impossible to decode unless you know the specific variables it was looking for.”

The sheer variety of REvil affiliate attacks, and by implication, those of other popular ransomware types, may appear challenging, but there are some helpful common best practices.

Sophos recommended MFA and strong passwords, Zero Trust and segmentation, prompt patching of all assets and the locking down of internet-facing services like RDP, among other steps.
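The RDP brute-force pattern Sophos describes above, a flood of failed logins inside five minutes spread across hundreds of addresses, stays under any per-IP lockout limit, so detection has to count across all sources. The following Python detector is an added example, not code from Sophos or the original article; the comma-separated record format, the thresholds and the sample data are constructed assumptions, with Windows event ID 4625 used as the failed-logon marker.

```python
from collections import Counter, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # the interval quoted in the Sophos example
FAILED_LOGON = 4625             # Windows Security event ID for a failed logon


def parse(line):
    """Parse one constructed 'timestamp,event_id,source_ip,user' record."""
    ts, event_id, ip, user = line.strip().split(",")
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), int(event_id), ip, user


def detect_bursts(lines, min_failures=100, min_sources=20):
    """Return one alert per burst of failed logons inside a sliding window.

    Input must be sorted by time. Counting across all sources matters because
    a spread-out attack keeps each address under any per-IP lockout limit.
    """
    window, per_source, alerts = deque(), Counter(), []
    alerting = False
    for line in lines:
        ts, event_id, ip, _user = parse(line)
        if event_id != FAILED_LOGON:
            continue
        window.append((ts, ip))
        per_source[ip] += 1
        # Drop events that have aged out of the five-minute window.
        while ts - window[0][0] > WINDOW:
            _, old_ip = window.popleft()
            per_source[old_ip] -= 1
            if per_source[old_ip] == 0:
                del per_source[old_ip]
        hit = len(window) >= min_failures
        if hit and not alerting:   # alert on the rising edge only
            alerts.append({
                "start": window[0][0],
                "detected": ts,
                "failures": len(window),
                "sources": len(per_source),
                "max_per_source": max(per_source.values()),
                "kind": "distributed" if len(per_source) >= min_sources else "concentrated",
            })
        alerting = hit
    return alerts


def sample_log():
    """Constructed data: routine logons plus a 200-attempt burst from 40 addresses."""
    base = datetime(2021, 6, 15, 9, 0, 0)
    rows = []
    for i in range(6):   # one mistyped password, then a success, every 10 minutes
        rows.append((base + timedelta(minutes=10 * i), 4625, "10.0.0.23", "jsmith"))
        rows.append((base + timedelta(minutes=10 * i, seconds=30), 4624, "10.0.0.23", "jsmith"))
    burst = base + timedelta(minutes=35, seconds=30)
    for n in range(200):  # 203.0.113.0/24 is a documentation range
        rows.append((burst + timedelta(seconds=n), 4625, f"203.0.113.{n % 40 + 1}", "administrator"))
    rows.sort(key=lambda r: r[0])
    return [f"{ts:%Y-%m-%dT%H:%M:%S},{eid},{ip},{user}" for ts, eid, ip, user in rows]


if __name__ == "__main__":
    for alert in detect_bursts(sample_log()):
        print(alert)
```

On the constructed data the alert fires with no single address above three failures in the window, which is why a per-source counter alone would stay silent.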

Categories: Cyber Risk News

VW Vendor Leaves Data Unsecured

Info Security - Mon, 06/14/2021 - 18:10

A data breach at a Volkswagen vendor has impacted millions of customers and prospective car purchasers across North America. 

The breach occurred after information gathered by the vendor between 2014 and 2019 for sales and marketing purposes was stored electronically in an unsecured file for years. 

The majority of the individuals whose data was compromised were potential buyers or current customers of luxury car brand Audi. The Volkswagen Group formed Audi in 1969 after it bought the Auto Union from rival Daimler-Benz. 

On June 11, the American arm of the Volkswagen Group revealed that an unauthorized third party had obtained small amounts of personal data belonging to customers and prospects from a digital sales and marketing company used by its Audi and Volkswagen brands. VW dealers based in Canada and the United States also used the services of the vendor.

VW identified the source of the incident in May this year but believes that the data could have been illegally accessed at any point between August 2019 and May 2021. 

Information exposed in the security incident included phone numbers and email addresses, and in some cases details of vehicle leasing, purchases, and purchase inquiries. 

Volkswagen said it will offer free credit protection services to the 90,000 Audi customers and interested potential buyers or leasers whose sensitive data was accessed in the data breach. Included in the sensitive data were driver license numbers, Social Security numbers, account or loan numbers, tax identification numbers, and dates of birth.

In a letter sent to customers, VW said: “We take the safeguarding of your information very seriously. We have informed the appropriate authorities, including law enforcement and regulators. 

“We are working with external cybersecurity experts to assess and respond to this situation and have taken steps to address the matter with the vendor.”

The automaker warned those impacted by the breach to be on the lookout for phishing emails.

Automotive News reported that Audi of America president Daniel Weissland identified the vendor as Shift Digital, of Birmingham, Michigan, in an email sent Thursday. The news source claims that the vendor's identity has been verified by "two dealers with knowledge of the situation."

Categories: Cyber Risk News

REvil Claims Responsibility for Invenergy Hack

Info Security - Mon, 06/14/2021 - 17:13

Ransomware group REvil has claimed responsibility for a recent cyber-attack on a multinational renewable energy company based in the United States.

Invenergy LLC, which is headquartered in Chicago, launched an investigation after unauthorized activity was detected on some of its systems.

In a statement issued on Friday, the company said: "At no time were Invenergy's operations impacted and no data was encrypted." 

Invenergy added that it was complying with data breach disclosure regulations and that it "has not paid and does not intend to pay any ransom."

Ransomware group REvil declared on its dark web site that it had carried out the cyber-attack on Invenergy. The gang claims to have compromised the company's computer systems and exfiltrated 4 terabytes of data. 

Among the information allegedly taken by REvil are contracts and project data. The gang further claims to have obtained "very personal and spicy" information regarding Invenergy's chief executive officer, Michael Polsky. 

REvil says it has accessed Polsky's personal emails, sensitive details about his divorce from his first wife, Maya, and photographs in which the billionaire magnate is compromised. 

Polsky emigrated from Soviet Ukraine to the United States in 1976 after building up a fortune of $1.5bn, according to Forbes. His divorce in 2007 was reported as one of the most expensive in history after a judge awarded Maya half of Polsky's cash and assets.

REvil's victims include meat-processing company JBS and the Taiwanese Apple supplier Quanta.

The cyber-criminal gang has also claimed responsibility for a recent cyber-attack on Sol Oriens, a 50-person firm based in Albuquerque, New Mexico, which consults for the US Department of Energy’s National Nuclear Safety Administration.

The firm confirmed to CNBC that it detected a "cybersecurity incident" in May. Sol Oriens said that the matter is still under investigation and has been reported to law enforcement. 

In a statement, the company said that "an unauthorized individual acquired certain documents from our systems. Those documents are currently under review, and we are working with a third-party technological forensic firm to determine the scope of potential data that may have been involved."

Categories: Cyber Risk News

Biden Opposes Conditional Handover of Cyber-criminals

Info Security - Mon, 06/14/2021 - 16:32

The possibility of a deal allowing for the conditional handover of cyber-criminals between the United States and Russia has been extinguished by American president Joseph Biden. 

Russian president Vladimir Putin said on June 13 that he would be willing to make an arrangement with the United States whereby the two countries would exchange cyber-criminals in accordance with agreed-upon conditions.

Putin, who is due to meet with Biden at a bilateral summit in Geneva on June 16, voiced the comments during an interview broadcast on state television.

Putin said he thought issues such as the environment, strategic stability, and Libya and Syria were of great importance to both Russia and America, and that he believed a bilateral dialogue would be established at Wednesday's meeting.

Biden is expected to raise at the summit the issue of recent ransomware attacks on businesses based in the United States, including meat supplier JBS and the Colonial Pipeline, that the US says stemmed from Russia. 

US officials have alleged that the Russian government, though not directly responsible for carrying out such attacks, habitually turns a blind eye to cyber-criminals operating inside Russia who attack foreign targets.

Asked if Russia would enter into an agreement to locate and prosecute cyber-criminals, Putin said Russia's actions were dependent on Washington and Moscow's reaching a formal and mutual deal.

"If we agree to extradite criminals, then of course Russia will do that," said Putin. "We will do that, but only if the other side, in this case the United States, agrees to the same and will extradite the criminals in question to the Russian Federation."

He added: "The question of cybersecurity is one of the most important at the moment because turning all kinds of systems off can lead to really difficult consequences."

When asked about Putin’s proposal, Biden said: “I’m open to it if there’s crimes committed against Russia that, in fact, are . . . [where] the people committing those crimes are being harbored in the US. I’m committed to holding them accountable.”

United States national security advisor Jake Sullivan later stated that Biden would pledge only to hold accountable American hackers who undertake illegal cyber-attacks internationally.

Categories: Cyber Risk News