Feed aggregator

91% of Industrial Organizations Can Be Penetrated by Hackers

Info Security - Wed, 09/01/2021 - 13:00

More than nine in 10 (91%) industrial organizations are vulnerable to cyber-attacks, according to a new report by Positive Technologies.

The study found that external attackers can penetrate the corporate network in all these organizations, and once inside, can obtain user credentials and complete control over the infrastructure in 100% of cases. In over two-thirds (69%) of these cases, external attackers can steal sensitive data from the organization, including information about partners and company employees and internal documentation.

In addition, penetration testers from Positive Technologies gained access to the technological segment of the network of 75% of organizations. This then enabled them to access industrial control systems (ICS) in 56% of cases.

Once malicious actors gain access to ICS components, they have the opportunity to cause severe damage and even fatalities — this includes shutting down entire productions, causing equipment to fail and triggering industrial accidents.

Positive Technologies said there is a range of factors that are making these organizations vulnerable to hackers. For example, during recent PT NAD pilot projects, its experts uncovered numerous suspicious events in the internal network of each industrial company. In one case, PT NAD registered an RDP connection to an external cloud storage, enabling 23 GB of data to be transferred to the address of this storage via RDP and HTTPS.

The vendor also noted that industrial companies often use outdated software and commonly save connection parameters (username and password) in a remote access authentication form, allowing attackers to connect to the resources of an isolated segment without credentials when they obtain control over such a computer.

The potential impact of an attack on an industrial organization was demonstrated during a virtual cyber-range at The Standoff 2021. In one scenario, within two days, attackers gained control of the gas station, halting the gas supply and causing an explosion.

Olga Zinenko, senior analyst at Positive Technologies, commented: “Today, the level of cybersecurity at most industrial companies is too low for comfort. In most cases, internet-accessible external network perimeters contain weak protection, device configurations contain flaws, and we find a low level of ICS network security and the use of dictionary passwords and outdated software versions present risks.”

Categories: Cyber Risk News

Ransomware Attacks Soar 288% in First Half of 2021

Info Security - Wed, 09/01/2021 - 10:55

The number of ransomware attacks surged by 288% between the first and second quarters of 2021 as double extortion attempts grew, according to the latest data from NCC Group.

Analyzing incidents dealt with by its own Research Intelligence and Fusion Team (RIFT) throughout 2021, the firm claimed nearly a quarter (22%) of data leaks in the second quarter came from the Conti group.

Conti typically gains initial network access to victim organizations via phishing emails, it claimed.

Next came Avaddon, which accounted for 17% of incidents, although this variant is now thought to be inactive.

Unsurprisingly, nearly half (49%) of victims with known locations in Q2 were based in the US, followed by 7% in France and 4% in Germany.

Christo Butcher, global lead for threat intelligence at NCC Group, argued that no organization in any sector is safe from ransomware today.

“We’ve seen targets range from IT companies and suppliers to financial institutions and critical national infrastructure providers, with ransomware-as-a-service increasingly being sold by ransomware gangs in a subscription model,” he added.

“It’s therefore crucial for organizations to be proactive about their resilience. This should include proactive remediation of security issues, and operating a least-privilege model, which means that if a user’s account is compromised, the attacker will only be able to access and/or destroy a limited amount of information.”

According to separate data from Group-IB, ransomware attacks grew by 150% year-on-year in 2020, with the average extortion amount doubling.

However, it’s difficult to get an accurate vendor-neutral picture of how threats are developing over time. Coveware, for example, maintains that despite the ramping up of media coverage since the Colonial Pipeline incident, “in reality, the volume and severity of ransomware attacks have been extreme but relatively stable for at least 18 months.”

This week, the FBI and Cybersecurity and Infrastructure Security Agency (CISA) released an alert warning organizations to plan for possible threat activity ahead of weekends and holidays.

Categories: Cyber Risk News

CISA: Plan Now to Avoid Labor Day Breach

Info Security - Wed, 09/01/2021 - 10:15

The US authorities have used the week before Labor Day to warn organizations about the risk of cyber-threats timed to coincide with holidays and weekends.

The FBI and Cybersecurity and Infrastructure Security Agency (CISA) alert noted that ransomware attacks in particular are more likely to hit home on these days, when offices are closed and IT incident responders will not be at their desks.

Most recently, the major Kaseya supply chain attack on MSPs and their downstream customers occurred over the July 4 weekend in the US. On Memorial Day weekend, there was an attack on meat processing giant JBS USA, while the infamous Colonial Pipeline outage began on the Mother’s Day weekend in the US.

Although the agencies don’t have any intelligence suggesting a similar attack this coming weekend, they urged public and private sector organizations to be alert in the days preceding it.

They flagged the following as among the main tactics for ransomware threat actors: phishing and brute forcing unsecured remote desktop protocol (RDP) endpoints; deploying dropper malware for reconnaissance and other tasks; exploitation of vulnerabilities and MSPs; and use of credentials purchased on the dark web.

The alert suggests a number of mitigations for organizations, including offline backups, securing RDP, vulnerability scans and patching, multi-factor authentication, network segmentation, and user training on phishing awareness.

It also suggested organizations engage in “pre-emptive” threat-hunting on their networks to spot the signs of suspicious activity and mitigate attacks before they cause any damage.

“Threat actors can be present on a victim network long before they lock down a system, alerting the victim to the ransomware attack,” it said. “Threat actors often search through a network to find and compromise the most critical or lucrative targets. Many will exfiltrate large amounts of data.”

Jake Williams, co-founder and CTO at incident response specialist BreachQuest, argued that most ransomware attacks could be thwarted by following CISA’s advice.

“This is especially true for reviewing logs. Threat actors could certainly perform lateral movement while staying out of logs, but with the plethora of potential victims with horrible cyber-hygiene there’s currently no need to do so,” he added.

“Extremely basic levels of cybersecurity hygiene and monitoring are enough to achieve early detection of today’s ransomware adversaries.”

Categories: Cyber Risk News

Banksy NFT Scammer Returns £240,000 to Victim

Info Security - Wed, 09/01/2021 - 09:35

An online scammer who duped an art collector into spending over £240,000 for a non-fungible token (NFT) has returned the money, according to the BBC.

The unnamed investor told the news site that he bought the NFT after being alerted to its sale by an anonymous person in his community on Discord on Monday morning.

Their tip-off took him to the website of famous British street artist Banksy, which had just launched a new NFT page. That page included a link to an auction site selling an NFT called “Great Redistribution of the Climate Change Disaster.”

However, unknown to the man, the link he clicked on appears to have been inserted on the site by the scammer.

It took him to an auction site where Banksy’s supposed first-ever NFT was up for sale. The individual is said to have bid 90% more than rival bidders to secure the token — subsequently sending the funds via Ethereum to the scammer.

“It does seem to be some hack of the site. I confirmed the URL on PC and mobile before bidding. I only made the bid because it was hosted on his site,” he told the BBC. “When the bid was accepted I immediately thought it was probably fake.”

However, in a bizarre twist, the fraudster had returned all the money except for a £5,000 transaction fee by the same evening.

“The refund was totally unexpected. I think the press coverage of the hack plus the fact that I had found the hacker and followed him on Twitter may have pushed him into a refund,” the victim noted.

“I feel very lucky when a lot of others in a similar situation with less reach would not have had the same outcome.”

It’s still unclear exactly how the scammer managed to hack Banksy’s website to insert the offending link.

A spokesperson for the Bristol-based artist confirmed: “The artist Banksy has not created any NFT artworks.”

NFTs are a unit of data stored on a blockchain that provide proof of digital ownership for items like artworks, which can then be traded online.

However, they’re also fertile ground for cyber-criminals looking for ways to extract money from buyers, according to ESET cybersecurity specialist Jake Moore.

“It is vital — as with any online transaction — to purchase from a verified location, but unfortunately this advice becomes redundant when legitimate websites are hacked,” he warned.

“Those looking to buy should remain largely sceptical of NFTs while they are in these early stages and always err on the side of caution. Scammers are very good at manipulating people, and the makeup of NFTs themselves is easily abused due to the lack of a physical product or service.”

Categories: Cyber Risk News

Victim of Cyber-Theft Sues Parents of Alleged Culprits

Info Security - Tue, 08/31/2021 - 19:16

A man from Colorado is suing the parents of two British youths who he claims stole Bitcoin worth nearly $800K from his digital wallet. 

Cyber-thieves used malware to swipe 16.4 Bitcoin from Andrew Schober back in January 2018 when he was attempting to move his crypto-currency between virtual wallets. 

To track his stolen funds, the aggrieved party hired private investigators, spending approximately $10,000 to discover who had swiped his crypto.  

After investigators identified two British youths, who were minors at the time the offense was committed, as the perpetrators of the theft, Schober wrote to the parents of one of the boys.

In his letter of December 2019, Schober communicated that he would not take legal action against the boy's parents if the stolen funds were returned.

After receiving no response to his letter, Schober filed an official complaint against Benedict Thompson and Oliver Read and their parents.

In the complaint, Schober describes Thompson and Read as "skilled software developers and computer science students" who created and deployed clipboard hijacking malware and then used it to steal his 16.4552 bitcoins.

Schober says the Bitcoin stolen from him "accounted for approximately 95% of his net wealth at the time" and that its loss has placed him "in a severe state of distress for the past three years."

In the complaint, Schober alleges that Thompson and Read hit his wallet with malware that used a “Man-in-the-Middle” attack vector.

"Mr. Schober believed he was communicating only with his own crypto-currency wallet, but because of the malware, either Benedict or Oliver or both intercepted and altered the communications between Mr. Schober and the Bitcoin blockchain," it states. 

Schober claims that the parents of the alleged cyber-thieves "knew or reasonably should have known that their child engaged in illegal computer abuse(s) and/or crypto-currency theft(s) in a careless and/or reckless manner" and that they "failed to take reasonable steps" to prevent their son from committing illegal computer abuse and/or crypto-currency theft.

Neither Thompson nor Read has denied Schober's accusations. The defendants have argued that Schober's suit should be dismissed as the statute of limitations on the theft elapsed prior to the date on which the claim was filed.

Categories: Cyber Risk News

Indonesians Told to Delete Unsecured Tracing App

Info Security - Tue, 08/31/2021 - 18:07

The Indonesian government is exhorting the public to delete a COVID-19 test and trace app that left users' personal information exposed on an unsecured server.  

The data breach in the Indonesian government’s electronic Health Alert Card (eHAC) program was discovered by a research team at vpnMentor led by Noam Rotem and Ran Locar. 

The program and the eHAC app were created in 2021 to monitor the coronavirus infection status of people entering the country. Obtaining an eHAC was mandatory for any traveler, including native Indonesians, when entering the Republic from overseas or taking a domestic flight within Indonesia. 

Researchers discovered that the app's developers "failed to implement adequate data privacy protocols and left the data of over 1 million people exposed on an open server."

In total, 2GB of data belonging to the Republic's Ministry of Health were exposed on an Elasticsearch server. Researchers said the data included more than 1.4 million records and that approximately 1.3 million individuals had been impacted. 

Information left unsecured included personally identifiable information (PII), medical records, contact details, travel information, and COVID-19 infection status. 

Researchers noted: "Had the data been discovered by malicious or criminal hackers, and allowed to accumulate data on more people, the effects could have been devastating on an individual and societal level."

The database of unprotected records was discovered by researchers on July 15. It was reported to the Ministry of Health on July 21 and to the Indonesian Computer Emergency Response Team (ID-CERT) on July 22. 

“Our team discovered eHAC’s records with zero obstacles, due to the lack of protocols put in place by the app’s developers," wrote researchers in a blog post detailing the leak. 

"Once they investigated the database and confirmed the records were authentic, we contacted the Indonesian Ministry of Health and presented our findings.”

Despite twice flagging the open database to the Indonesian government and CERT, the researchers only received a response about the security incident in August after contacting Indonesia’s National Cyber and Encryption Agency (BSSN), which shut down the server on August 24.  

The eHAC app has now been integrated into a new app called PeduliLindungi. However, the Health Ministry, which publicly responded to the research findings earlier today, urged eHAC users to delete the app as a precaution.

Categories: Cyber Risk News

Illinois Physicians Notify 600K Patients of Data Breach

Info Security - Tue, 08/31/2021 - 17:05

The largest independent group of physicians in Illinois is notifying hundreds of thousands of patients that their personal information may have been exposed.

DuPage Medical Group (DMG) said that patient data could have been compromised when its computer network was hacked last month. 

On Monday, DMG announced that it would be mailing letters to 600,000 patients to warn them of the potential threat to their data's security.

Patient information that may have been accessed by the hackers includes names, addresses, dates of birth, diagnosis codes, information on medical procedures, and treatment dates. For some patients, there is a chance that their Social Security number may also have been compromised.

The cyber-attack, which took place on July 13, caused a network outage at DMG. Third-party cyber-forensic specialists hired to investigate the security incident determined that unauthorized actors had gained access to the DMG network between July 12, 2021, and July 13, 2021, and that it was they who had caused the outage.

In a statement published Monday, DMG said: "With the assistance of the forensic specialists, DMG conducted a thorough and time-consuming review of its systems to understand whether any patient information may have been impacted as a result of this event. 

"On August 17, 2021, we determined that certain files stored within our environment that contained patient information may have been impacted by this incident."

The group said that the exposed data did not include any financial account numbers and that the investigation found no evidence of data misuse following the attack. 

Since being targeted by hackers, DMG has implemented additional cybersecurity measures and says it is reviewing existing security policies "to further protect against future incidents and improve our technology roadmap to better serve patients."

DMG is offering free credit monitoring and identity theft protection to those individuals affected and potentially affected by this incident.

The group has also established a dedicated call center to field questions from concerned patients regarding the possible data breach. 

Patients are advised to remain vigilant against fraud and identity theft and to review their account statements, credit reports, and explanation of benefits forms for suspicious activity.

Categories: Cyber Risk News

UK Government Considers New Regulations for Video Streaming Platforms

Info Security - Tue, 08/31/2021 - 15:29

The UK government is considering introducing new regulations for video-on-demand (VoD) services to protect users from harmful material such as misinformation.

The Department of Digital, Culture, Media and Sport (DCMS) has launched a consultation on the new provisions to level the regulatory playing field between mainstream VoD services and traditional broadcasters in the UK, like the BBC and Sky.

Currently, in the UK, video streaming services such as Netflix, Amazon Prime Video and Disney+ are not subject to Ofcom’s Broadcasting Code, which sets out standards for content, including harmful or offensive material, accuracy, fairness and privacy. This means that viewers of VoD content are much more likely to be exposed to harmful content, such as pseudoscience documentaries or misleading health advice.

The government’s plans have come amid a surge in popularity for on-demand services in recent years, exacerbated during the COVID-19 lockdowns. Ofcom data has shown that 75% of UK households have used a subscription VoD service as of this year.

The UK’s departure from the EU means that the government is free to go beyond minimum standards set out in the revised Audiovisual Media Services Directive. This legislation governs EU-wide coordination of national legislation on all audiovisual media.

As part of the consultation, the DCMS is asking whether UK audiences watching TV-like VoD programs would like a similar level of protection to when they are watching traditional TV. Additionally, it wants to ensure that any regulatory change is proportionate and does not curtail essential protections such as freedom of speech.

Culture Secretary Oliver Dowden commented: “We want to give UK audiences peace of mind that however they watch TV in the digital age, the shows they enjoy are held to the same high standards that British broadcasting is world-renowned for.

“It is right that now we have left the EU, we look at introducing proportionate new rules so that UK audiences are protected from harm.”

Categories: Cyber Risk News

Ransomware May Have Cost US Schools Over $6bn in 2020

Info Security - Tue, 08/31/2021 - 11:00

Scores of ransomware attacks on US schools and colleges last year may have cost them over $6bn, according to a new report published today.

Security testing site Comparitech analyzed the 77 attacks reported by educational institutions nationwide in 2020 and calculated the cost to these victims from estimated downtime and recovery time.

Ransom costs are difficult to gauge given that most schools kept their payments secret. However, the research team was able to work out average downtime (seven days) and recovery time (55.4 days) from roughly half of all incidents.

It then applied a third-party 2017 estimate for the cost of downtime averaged across 20 sectors.

While the eventual figure of $6.6bn for total downtime cost in 2020 is speculative, it can be used to provide interesting comparisons with 2019 ($8.2bn) and 2018 ($623.7m).

Comparitech claimed that 2020 saw 1,740 schools and colleges and potentially 1.4m students affected, an increase of 39% and 67% respectively on 2019 figures. This is despite the actual number of attacks in 2020 coming in 20% lower than the figure for the previous year.

“This suggests hackers targeted larger school districts with bigger annual budgets, hoping to cause greater disruption and increase their ransom payment demands,” Comparitech argued.

“This trend looks as though it has continued in 2021, too, exemplified by the bizarre $40 million ransom request made to Broward County Public Schools in April.”

Ransom demands in 2020 varied dramatically from just $10,000 to over $1m, although the researchers were only able to find mention of these for nine out of the 77 attacks they analyzed.

From January 2018 to June 2021, Comparitech logged 222 separate ransomware attacks on US schools and colleges, impacting 3,880 schools and nearly three million students.

Downtime alone is estimated to have cost these victim organizations over $17.3bn, with recovery costs adding millions, if not billions, to the total, it said.

Categories: Cyber Risk News

Fines Issued by the ICO Surge by 1580% in 2020/21

Info Security - Tue, 08/31/2021 - 09:47

The Information Commissioner’s Office (ICO) issued a record £42m in fines during the financial year 2020/21, representing a 1580% increase on the previous year, according to an analysis by international law firm RPC.

This figure was mainly made up of penalties imposed by the UK’s data protection watchdog for two high-profile data breaches that resulted in millions of people's personal data being compromised. In October 2020, a £20m fine was issued to British Airways for security failings that enabled a cyber-attack to take place in 2018, leading to the personal data of 429,612 customers and staff being accessed. In the other case, also in October 2020, hotel chain Marriott International was fined £18.4m by the ICO over a data breach that saw an estimated 339 million guest records exposed globally.

Both of these fines were significantly lower than the figures originally proposed by the ICO, with the body taking into account the economic damage of COVID-19 on these businesses.

In addition to these blockbuster fines for data breaches, there was also a four-fold rise in the number of fines related to nuisance messaging and cold calling issued by the ICO in 2020/21 compared to the previous year.

Richard Breavington, partner at RPC, commented: “Clearly, the ICO will impose blockbuster fines when it wants large organizations to sit up and take notice. However, overall the ICO has been very fair in terms of the levels of fines it has set.

“The overall number of fines arising from cyber-breaches has remained fairly consistent despite a sharp jump in the number of actual cyber-attacks.

“At the outset of the GDPR regime, there was the concern that the ICO would be making full use of its powers to fine, but so far, it seems to only be fining as a last resort.

“The two large fines could have been even higher, but the ICO appears to have taken into account the devastating impact of coronavirus on the travel and hospitality sectors and reduced them. However, businesses shouldn’t become complacent.”

Under the General Data Protection Regulation (GDPR), the maximum fine the ICO can issue is £17.5m or 4% of a company’s total worldwide annual turnover, whichever is higher.

Categories: Cyber Risk News

Report Warns of COP26 Cyber-Threat to Glasgow

Info Security - Tue, 08/31/2021 - 09:10

Glasgow is bracing itself for potential cyber-attacks on its transport infrastructure and businesses ahead of a key climate summit in November, it has emerged.

Police and security experts told the Sunday Mail that unnamed threat actors could be gearing up to sabotage the next UN Climate Change Conference (COP26), which the UK is hosting.

Government organizations, local businesses and rail networks have all been singled out as potential targets, with Police Scotland launching a specialist team to handle the fallout of any attacks, the report claimed.

Strathclyde Passenger Transport (SPT) is also said to be ramping up security measures ahead of the conference at the SSE in Glasgow.

The SPT runs the Glasgow Subway, one of the oldest underground passenger transit systems globally, which could be a target for ransomware.

Cyber-criminals have in the past targeted New York’s Metropolitan Transport Authority (MTA), San Francisco’s Municipal Transport Agency and, most recently, UK rail franchise Northern Rail.

“We’ve got a separate group looking at cybersecurity,” noted SPT’s head of business strategy and delivery, Gordon Dickson. “In terms of the Subway, we are having to look at our security requirements for that and working closely with emergency services, security and police on the plans.”

The 12-day summit begins on October 31 and will feature tens of thousands of delegates from across the globe. Dignitaries will include the Queen and other heads of state, with rumors that US President Joe Biden may also appear.

The Scottish Business Resilience Centre boasts a range of resources and best practice advice designed to help organizations tackle threats like ransomware. It also runs a cybercrime incident response line for SMEs and third sector organizations and a free “Exercise in a Box” cyber-stress test workshop.

Categories: Cyber Risk News

Bangkok Airways Admits Attackers Stole Passenger Data

Info Security - Tue, 08/31/2021 - 08:34

Bangkok Airways has admitted that a cyber-attack last week led to the compromise of an unspecified volume of passengers’ personally identifiable information (PII).

The Thai airline claimed in a brief update late last week that although the incident didn’t affect “operational or aeronautical security systems,” it does appear as if personal data has been accessed.

Personal data could include full name, nationality, gender, phone number, email and home address, contact details, passport and historical travel information, partial credit card info and special meal information.

“This incident has been reported to the Royal Thai police as well as providing notification to the relevant authorities. For primary prevention measures, the company highly recommends passengers to contact their bank or credit card provider and follow their advice and change any compromised passwords as soon as possible,” the notice continued.

“In addition to that, the company would like to caution passengers to be aware of any suspicious or unsolicited calls and/or emails, as the attacker may be claiming to be Bangkok Airways and attempt to gather personal data by deception (known as ‘phishing’).”

Although the airline itself didn’t specify how the attackers compromised its IT systems or their intent, the notice appeared online at around the same time as ransomware group LockBit 2.0 published info on the attack.

A tweet citing its leak site claimed the group had 103GB of stolen files from the firm it planned to release.

LockBit 2.0 was also blamed for a compromise at global consultancy Accenture earlier this month. The Australian Cyber Security Centre (ACSC) published details on the group, which first appeared in June, on its website.

It revealed that LockBit 2.0 had been exploiting the CVE-2018-13379 vulnerability in Fortinet FortiOS and FortiProxy in an attempt to gain initial access into victim networks. 

Categories: Cyber Risk News

Rights Group Advises Afghans to Delete Data

Info Security - Mon, 08/30/2021 - 18:19

A human rights group based in the United States is encouraging Afghans to delete their data to prevent the Taliban from using it against them.

The Deobandi Islamist religious-political movement and military organization seized control of Afghanistan on August 15, two decades after they were removed from power by US-led forces.

With the official American mission to evacuate US citizens and Afghan allies from Afghanistan set to end tomorrow, Human Rights First is advising Afghans who remain in the country to erase their digital footprints.

The group published a Farsi-language version of its guide on how to delete digital history – produced last year to aid activists in Hong Kong – and shared advice on how to evade biometrics.

Welton Chang, chief technology officer at Human Rights First, told Reuters that in the most "dire circumstance," the Taliban could use Afghans' data to target those who had worked with the previous government, its security forces, and its foreign allies.

“We understand that the Taliban is now likely to have access to various biometric databases and equipment in Afghanistan,” the group wrote on Twitter on Monday.

“This technology is likely to include access to a database with fingerprints and iris scans and include facial recognition technology."

On August 25, civil society groups, including Access Now, the Commonwealth Human Rights Initiative, Unwanted Witness and Electronic Frontier Foundation, issued an open statement calling for "an urgent safeguard of digital identity and biometric databases created in Afghanistan by development assistance missions, foreign governments previously aiding Afghan authorities, humanitarian actors, aid agencies, and the private sector vendors whose tools have been deployed to ensure they are not misused against people."

According to the statement, there are at minimum three digital identity systems known to have been in use recently in Afghanistan, including the e-Tazkira electronic national identity card system and an Afghanistan Automated Biometric Identification System maintained by the Afghan Ministry of the Interior with support from the US government.

The third – the US military’s “Handheld Interagency Identity Detection Equipment” – was seized by the Taliban earlier this month along with the biometric data it stores.

Categories: Cyber Risk News

Cyber-thieves Hit DeFi Platform Again

Info Security - Mon, 08/30/2021 - 17:25

A lending-focused decentralized finance platform has lost millions of dollars’ worth of AMP tokens and crypto-currency after falling victim to a second flash loan attack.

In a flash loan attack, a cyber-thief takes out a loan that requires no collateral – a flash loan – and uses it to manipulate and exploit the markets for financial gain. The criminal uses the capital that they’ve borrowed and pays it back in the same transaction.  

Cyber-thieves drained DeFi protocols Cream Finance and Alpha Finance of funds totaling $37.5m back in February. Now Cream Finance has lost millions of AMP tokens and more than a thousand ether worth over $25m in a similar smart-contract exploit. 

The latest flash loan attack was first reported by PeckShield on social media on Monday. Researchers at the blockchain security firm became suspicious when they came across Ethereum (ETH) records revealing that at least $6m had been drained at 5:44 UTC.

The theft was confirmed by Cream Finance on Monday via a Tweet that read: "C.R.E.A.M. v1 market on Ethereum has suffered an exploit, resulting in a loss of 418,311,571 in AMP and 1,308.09 in ETH, by way of reentrancy on the AMP token contract."

The platform went on to say that they had "stopped the exploit by pausing supply and borrow on AMP" and that "no other markets were affected."

According to Coinspeaker, the flash loan attack occurred in the early morning of August 30. It may have involved two cyber-thieves and a total of seventeen transactions.

In May, DeFi yield farming aggregator and optimizer for Binance Smart Chain (BSC) and ETH, Pancakebunny, lost close to $3m in a flash loan attack.

Announcing the attack on Twitter, the company said: “Attention Bunny Fam. Our project has suffered a flash loan attack from an outside exploiter. We will be posting a postmortem, in-depth analysis, but for the time being, we would like to update the community as to how this happened.”

Around a week later, a flash loan attack on Binance Smart Chain DeFi project Bogged Finance saw $3m exploited.


US DOJ Announces Cyber Fellowships

Info Security - Mon, 08/30/2021 - 16:10

New positions are being created at the United States Department of Justice (DOJ) with the intention of helping prosecutors and attorneys handle emerging national security threats.

The positions are part of a new Cyber Fellowship program, announced by Deputy Attorney General Lisa Monaco on Friday. The fellowship program will be coordinated by the Criminal Division’s Computer Crime and Intellectual Property Section.

In May, Monaco ordered a comprehensive cyber review of the Department of Justice with the purpose of developing actionable recommendations to improve and increase the department’s efforts against digital threats.

The suggestion to create a Cyber Fellowship program is one of the actionable recommendations to have emerged so far from this ongoing 120-day review.

Monaco said attorneys and prosecutors needed to have training if they were to stand a chance against future threat actors. 

“As we have witnessed this past year, cyber threats pose a significant and increasing risk to our national security, our economic security, and our personal security,” said Monaco. 

“We need to develop the next generation of prosecutors with the training and experience necessary to combat the next generation of cyber threats. This Fellowship gives attorneys a unique opportunity to gain the well-rounded experience they need to tackle the full range of those threats.”

Applications to the three-year Cyber Fellowship will be accepted through the Justice Department’s Honors Program application portal. To be accepted into the program, applicants must be able to secure a Top Secret security clearance.

The training will take place in the Washington, DC, area, with fellows being given the chance to handle a broad range of cyber cases taken on by the department so they can develop a deep understanding of how the DOJ responds to both critical and emerging threats.

In a statement released Friday, the DOJ said: "Fellows can expect to investigate and prosecute state-sponsored cyber threats; transnational criminal groups; infrastructure and ransomware attacks; and the use of cryptocurrency and money laundering to finance and profit from cyber-based crimes."

Fellows will rotate through multiple department components, including the Criminal Division, the National Security Division and the US Attorneys’ Offices, while completing their training.


Ms. Information Vaccine Campaign Launches

Info Security - Fri, 08/27/2021 - 17:18

An entertaining new campaign has been launched to combat the sea of misinformation about coronavirus vaccines on social media that was branded an "infodemic" by the World Health Organization.

The Instagram-based campaign was created by healthcare agency FCB Health New York IPG and non-profit group GMHC and is fronted by drag queen and influencer Miz Jade.

As the glamorous and red-headed Ms. Information, the performer imparts facts about COVID-19 and coronavirus vaccines in a comedic style that bemoans the crippling impact of the pandemic on her social life. 

The campaign's creators hope that playfully portraying the virus as the destroyer of a "hot girl summer" will encourage members of the LGBTQ+ community to get vaccinated. 

Ms. Information shares the facts in a fun way in a series of short video clips. Visitors to @therealmsinformation will encounter the drag queen wearing a figure-hugging leopard print dress and matching elbow-length gloves, imparting such witticisms as, “Girl, misinformation is spreading faster than a fire in a wig factory.”

Jason Cianciotto, GMHC’s senior managing director of institutional development & strategy, said that the campaign was a light-hearted alternative approach to putting hard pressure on the public to get vaccinated.

“We recognize that shaming people is not effective and can be detrimental to the well-being of the people we serve,” said Cianciotto. “We don’t want to lose the battle of misinformation about HIV/AIDS and Covid-19.”

Recent data analysis from the Human Rights Campaign Foundation and PSB Insights found a high level of vaccine hesitancy in the black LGBTQ community. 

The data is based on a survey of 22,000 adults in the United States which asked how many LGBTQ people may be unlikely to say they want to get vaccinated. 

Overall, 42% of LGBTQ adults said that they were very likely to get the COVID-19 vaccine compared to just 39% of the general American population. However, only 29% of black LGBTQ adults said they were likely to get vaccinated.

In exploring the impact of misinformation about the vaccine on the LGBTQ community, HRCF observed: "Despite the vaccines' being available for free, LGBTQ adults have concerns about the cost of the vaccine, especially LGBTQ adults of color, bisexual adults and transgender adults."


Microsoft Cloud Databases Exposed

Info Security - Fri, 08/27/2021 - 16:14

American multinational technology corporation Microsoft has warned thousands of its cloud computing customers that their data could be accessed, altered or erased, according to a report by Reuters.

Customers were warned that threat actors could even delete their main database by exploiting a vulnerability, named ChaosDB, in Microsoft Azure's flagship Cosmos DB database.

The alleged flaw was unearthed on August 9 by a team of security researchers, who found that they could get hold of keys that unlock access to databases belonging to thousands of businesses. The researchers are employed by security company Wiz, which was reportedly paid $40,000 by Microsoft for detecting and reporting the serious vulnerability. 

Microsoft told Reuters: "We fixed this issue immediately to keep our customers safe and protected. We thank the security researchers for working under coordinated vulnerability disclosure."

However, Reuters reports that Microsoft was not able to immediately fix the issue itself, as the company cannot make changes to customers' keys. Instead, Microsoft emailed its cloud computing customers yesterday and instructed them to cut new virtual keys. 

In its email to customers, Microsoft said: "We have no indication that external entities outside the researcher (Wiz) had access to the primary read-write key."

But the severity of the vulnerability was apparent to Wiz chief technology officer Ami Luttwak. The former CTO at Microsoft's Cloud Security Group said: “This is the worst cloud vulnerability you can imagine. It is a long-lasting secret. This is the central database of Azure, and we were able to get access to any customer database that we wanted.”

In a blog post dedicated to the discovery, Wiz stated that its researchers "were able to gain complete unrestricted access to the accounts and databases of several thousand Microsoft Azure customers, including many Fortune 500 companies."

Luttwak warned that the flaw, which was found lurking in a visualization tool called Jupyter Notebook, may have impacted additional Microsoft customers who have not been notified, since the company only emailed customers whose keys were visible in August.

Camille Charaudeau, vice president of product strategy at CybelAngel, commented that the flaw met all the conditions for "a proper ransomware attack."


New Cyber Warfare Wing Coming to Ohio

Info Security - Fri, 08/27/2021 - 15:05

The US Air Force has chosen a town nicknamed "Danger City" to be the location for the Air National Guard's first Cyber Warfare Wing.

Mansfield has around 50,000 inhabitants and is situated in the northeastern part of Ohio, midway between Columbus and Cleveland. According to local beer-maker the Phoenix Brewing Company, the town earned its ominous nickname in the 1970s when businesses fled the downtown area for premises in a suburban shopping mall.

The US Air Force announced on Wednesday that the town's Mansfield-Lahm Air National Guard Base has beaten Minneapolis-St. Paul International Airport in Minnesota to be chosen as the base for a new Cyber Warfare Wing mission.

News of the selection followed a visit to the base earlier this month by a site survey team. To advance the new cyber mission, the Air Force plans to retire eight C-130H Hercules from its aging inventory at the 179th Airlift Wing in 2022.

The Air Force plans to create 175 new positions at Mansfield ANGB, which will be STEM and IT focused. 

In a press release issued Thursday, 179th Airlift Wing commander, Col. Todd Thomas, said that the transition from air to desk will be a hard one. 

“Since becoming the Wing Commander, I have always told our Airmen we must do everything in our ability to 'keep the front gate open' and flex to whatever mission allows us to be viable well into the future and aligns with the National Defense Strategy,” said Thomas.

“I am extremely confident our Airmen are capable of shifting focus from tactical air-land and air-drop operations to the cyber battlefield. I look forward to what our Airmen will bring to the cyber fight.”

Ohio governor Mike DeWine welcomed the new mission as "a tremendous win" for the state. 

"Ohio is gaining a leading-edge mission that will strengthen the fabric of the military community and further solidify Ohio as a national leader in cybersecurity excellence," said DeWine. 

"Not only will this new mission bring more jobs into the community, but it will also spur more economic growth and create new opportunities for industry and academic growth."


FBI Warns Businesses of New Hive Ransomware

Info Security - Fri, 08/27/2021 - 09:37

The FBI has issued a warning to firms about an increasingly prolific new ransomware variant known as Hive.

The Flash alert posted this week noted that the affiliate-based ransomware uses multiple mechanisms to compromise corporate networks, making it harder for defenders to mitigate.

It noted that these include phishing emails with malicious attachments to gain initial access and the hijacking of Remote Desktop Protocol (RDP) to move laterally.

The malware itself looks for and terminates processes linked to backups, anti-virus and file copying to boost its chances of success. Encrypted files end with a .hive suffix.

“The Hive ransomware then drops a hive.bat script into the directory, which enforces an execution timeout delay of one second in order to perform clean-up after the encryption is finished, by deleting the Hive executable and the hive.bat script,” the alert continued.

“A second file, shadow.bat, is dropped into the directory to delete shadow copies, including disc backup copies or snapshots, without notifying the victim and then deletes the shadow.bat file.”
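As an added example, not part of the FBI alert or this article, the following Python detector scores constructed endpoint events against the behaviours described above: backup and anti-virus processes being terminated, files renamed with a .hive suffix, and the hive.bat and shadow.bat scripts appearing on disk. The event format, host names and process names are constructed placeholders, not real telemetry.

```python
import re

# Constructed endpoint events in a key=value style; not real telemetry.
SAMPLE_EVENTS = [
    "ts=2021-08-25T03:11:02Z host=ws07 type=process_end image=C:\\Progs\\backupagent.exe",
    "ts=2021-08-25T03:11:03Z host=ws07 type=process_end image=C:\\Progs\\avservice.exe",
    "ts=2021-08-25T03:11:09Z host=ws07 type=file_rename dst=C:\\Users\\a\\q3.xlsx.hive",
    "ts=2021-08-25T03:11:10Z host=ws07 type=file_rename dst=C:\\Users\\a\\notes.txt.hive",
    "ts=2021-08-25T03:12:00Z host=ws07 type=file_create dst=C:\\Users\\a\\hive.bat",
    "ts=2021-08-25T03:12:01Z host=ws07 type=file_create dst=C:\\Users\\a\\shadow.bat",
    "ts=2021-08-25T03:12:30Z host=ws07 type=file_delete dst=C:\\Users\\a\\hive.bat",
    "ts=2021-08-25T09:00:00Z host=ws12 type=file_rename dst=C:\\Users\\b\\draft.docx.bak",
    "ts=2021-08-25T09:00:05Z host=ws12 type=process_end image=C:\\Windows\\notepad.exe",
]

# Name fragments for the process classes the alert says Hive terminates
# (backup, anti-virus, file copying). Constructed placeholders, not a vetted list.
KILL_TARGETS = ("backup", "avservice", "copy")

# File-level indicators taken from the alert: .hive suffix, hive.bat, shadow.bat.
INDICATORS = {
    "hive_extension": re.compile(r"type=file_rename .*dst=\S+\.hive$", re.I),
    "cleanup_script": re.compile(r"type=file_(?:create|delete) .*dst=\S*\\hive\.bat$", re.I),
    "shadow_script": re.compile(r"type=file_(?:create|delete) .*dst=\S*\\shadow\.bat$", re.I),
}


def parse_event(line):
    """Turn 'k=v k=v ...' into a dict; values contain no spaces."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def hive_indicators(lines):
    """Return {host: {indicator: count}} for events matching Hive's described behaviour."""
    per_host = {}
    for line in lines:
        ev = parse_event(line)
        hits = [name for name, rx in INDICATORS.items() if rx.search(line)]
        if ev.get("type") == "process_end":
            image = ev.get("image", "").rsplit("\\", 1)[-1].lower()
            if any(t in image for t in KILL_TARGETS):
                hits.append("backup_or_av_killed")
        if hits:
            bucket = per_host.setdefault(ev.get("host", "?"), {})
            for name in hits:
                bucket[name] = bucket.get(name, 0) + 1
    return per_host


def hosts_suspected(lines, min_distinct=2):
    """Flag hosts that show at least min_distinct different indicator types."""
    return sorted(h for h, ind in hive_indicators(lines).items() if len(ind) >= min_distinct)
```

Requiring two distinct indicator types keeps a single renamed file or one stopped service from raising an alert on its own.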

The ransom note, dropped into every impacted directory, warns that if encrypted files are modified, renamed or deleted, they can’t be recovered. In the spirit of modern ransomware operations, which are highly professionalized, there’s also a live chat link to a ‘sales department,’ accessible through a Tor browser, for further communication.

Some victims told the FBI they had received follow-up phone calls from their attackers urging payment. A second tactic is to exfiltrate and publish stolen files on a public leak site.

It’s believed the group, or affiliates associated with Hive, were responsible for the attack on Memorial Health System earlier this month, which disrupted IT systems at nearly all of its 64 clinics and three hospitals.

According to Palo Alto Networks, Hive had breached 28 organizations listed on its leak site as of this week, including a European airline company. It was first discovered in June.


Critical IoT Camera Flaw Allows for Device Hijacking

Info Security - Fri, 08/27/2021 - 09:08

Security researchers have discovered another critical bug in IoT security camera systems that could allow attackers to hijack devices.

Nozomi Networks found a remote code execution vulnerability, CVE-2021-32941, in the web service of the Annke N48PBB network video recorder (NVR), a device used by consumers and businesses.

NVRs are an important part of any connected security camera system in that they’re designed to capture, store and manage incoming video feeds from IP cameras.

If exploited, the vulnerability could cause a stack-based buffer overflow, allowing an unauthenticated, remote attacker to access sensitive information and execute code, according to an ICS advisory from the Cybersecurity and Infrastructure Security Agency (CISA).

Nozomi Networks said this could lead to a loss of confidentiality, integrity and device availability. In practice, this means enabling attackers to snoop on or delete footage, change the configuration of motion detector alarms, or halt recording altogether.

As such, a cyber-attack exploiting CVE-2021-32941 could be used to support physical robberies of premises protected by Annke devices.

The bug itself could be exploited directly by attackers to elevate privileges on the system and indirectly in drive-by-download attacks.

“It is sufficient for an administrator, operator, or user to browse a specifically crafted webpage, while simultaneously logged in to the web interface of the device, to potentially cause the execution of external malicious code on the device itself,” warned Nozomi.

Fortunately, Annke acted quickly to fix the issue, releasing new firmware to patch the problem just 11 days after Nozomi’s responsible disclosure.

This is the second critical flaw affecting IoT cameras that Nozomi Networks has found this summer. Back in June it warned of a bug in a popular software component from ThroughTek, which OEMs use to manufacture IP cameras, and baby and pet monitoring cameras.

This could also have allowed attackers to eavesdrop on users.

Another vulnerability was found in ThroughTek’s Kalay platform just last week, affecting potentially millions of devices.

