Feed aggregator

Evil Corp Rebrands Ransomware to Escape Sanctions

Info Security - Tue, 06/08/2021 - 10:58

Threat actors behind a notorious Russian cybercrime group appear to have rebranded their ransomware once again in a bid to escape US sanctions prohibiting victims from paying them.

Experts took to Twitter to point out that a leak site previously run by the Babuk group, which famously attacked Washington DC’s Metropolitan Police Department (MPD), had rebranded to “PayloadBin.” The Babuk group claimed that it was shutting down its affiliate model for encrypting victims and moving to a new model back in April.

A ‘new’ ransomware variant with the same name has also been doing the rounds of late, but according to CTO of Emsisoft, Fabian Wosar, it’s nothing more than a copycat effort by Evil Corp.

“Looks like EvilCorp is trying to pass off as Babuk this time. As Babuk releases their PayloadBin leak portal, EvilCorp rebrands WastedLocker once again as PayloadBin in an attempt to trick victims into violating OFAC regulations,” he said.

If that’s correct, it would appear to be the latest in a long line of rebranding by the group from its original BitPaymer effort in a bid to circumvent US sanctions.

Michael Gillespie, the creator of the ID Ransomware service, explained that aside from WastedLocker, the group has used “Hades” and “Phoenix” as new names for the same malware.

Wosar said it was easy to identify the same underlying code in all of those ‘variants.’

“EvilCorp malware sticks out like a sore thumb simply because of the obfuscator they use,” he tweeted. “But the cryptographic scheme is identical, encrypted file format is identical, MO is identical, configuration format is identical, the list goes on and on.”

The group was placed on the US Treasury’s Office of Foreign Assets Control (OFAC) sanctions list in December 2019 after being accused of using the Dridex banking Trojan to steal over $100 million globally.

That meant corporate victims were effectively prohibited from paying the group a ransom or risk themselves being accused of breaking sanctions.

Mitch Mellard, a threat intelligence analyst at Talion, argued that rebranding could be widespread in the underground economy.

“I feel that this situation is somewhat of an indictment of ransomware insurance as a whole. We have reached the point where instead of blanket condemnation of paying ransoms across the board, two lists of criminals have been created,” he added.

“The first list is comprised of actors who have achieved such renown that paying them is actually treated as ... paying criminals. The second list is, by nature of its contents, also entirely criminals, but those who it is somehow acceptable to reward monetarily for their illegal activities.”

Categories: Cyber Risk News

French Antitrust Regulator Slaps $268 Million Fine on Google

Info Security - Tue, 06/08/2021 - 09:52

The French antitrust regulator has fined Google €220 million ($268 million) for abusing its dominant position in the online advertising market.

The fine, which Google has not disputed, was levied because the tech giant favored its own Google Ad Manager technologies.

This put competitors — such as publishers News Corp, Le Figaro group and the Rossel La Voix group, who brought the initial complaint — at a disadvantage, according to the Autorité de la concurrence.

The proprietary technologies in question were the DFP ad server — which allows site and app publishers to sell their advertising space — and the SSP AdX sales platform — which enables publishers to sell impressions to advertisers.

Autorité de la concurrence president, Isabelle de Silva, argued that this investigation was the first to look into the algorithmic processes by which online display advertising works.

“The particularly rapid investigation revealed processes by which Google, building on its considerable dominance in ad servers for websites and applications, outperformed its competitors on both ad servers and SSP platforms,” she added.

“These very serious practices penalized competition in the emerging online advertising market, and allowed Google not only to maintain but also to increase its dominant position. This sanction and these commitments will make it possible to re-establish a level playing field for all players, and the ability for publishers to make the most of their advertising space.”

Google France legal director, Maria Gomri, said the firm had “agreed on a set of commitments to make it easier for publishers to make use of data and use our tools with other ad technologies.”

These will be tested and developed over the coming months, with some changes set to be rolled out globally, she added.

Google has been on the receiving end of multiple fines in Europe over recent years, most notably a $1.7 billion antitrust penalty from the European Commission in 2019 — again for abusing its dominant position in the online advertising market.

The tech behemoth was also one of the first to receive a major GDPR fine, when the French regulator CNIL imposed a €50 million penalty for failing to notify users about how their data is used.

Categories: Cyber Risk News

DoJ Seizes Millions in Ransom Paid by Colonial Pipeline to Darkside Hackers

Info Security - Tue, 06/08/2021 - 08:32

The US authorities have scored a rare win in the fight against ransomware after claiming to have seized the majority of the funds paid to Russian ransomware hackers by Colonial Pipeline.

The Department of Justice (DoJ) announced on Monday that it had been able to track and access 63.7 out of the 75 Bitcoins paid by the East Coast fuel transportation company to the DarkSide gang. That amounts to roughly $2.3 million of the $4.4 million reportedly paid to the extorters.

The news is a coup for the newly launched DoJ Ransomware and Digital Extortion Task Force, which coordinated the operation.

Law enforcers were apparently able to review the public Bitcoin ledger and track the transfers to a specific address, for which the FBI had a private key, enabling it to access and seize the funds.

Deputy attorney general, Lisa Monaco, argued that “following the money” is still one of the most powerful tools investigators have in tracking down and disrupting cybercrime.

“Ransom payments are the fuel that propels the digital extortion engine, and today’s announcement demonstrates that the United States will use all available tools to make these attacks more costly and less profitable for criminal enterprises,” she added.

“We will continue to target the entire ransomware ecosystem to disrupt and deter these attacks. Today’s announcements also demonstrate the value of early notification to law enforcement; we thank Colonial Pipeline for quickly notifying the FBI when they learned that they were targeted by DarkSide.”

Experts welcomed the news.

“It has become clear that we need to use several tools to stem the tide of this serious problem, and even law enforcement agencies need to broaden their approach beyond building cases against criminals who may be beyond the grasp of the law,” argued John Hultquist, VP of analysis at Mandiant Threat Intelligence.

“In addition to the immediate benefits of this approach, a stronger focus on disruption may disincentivize this behavior, which is growing in a vicious cycle.”

Categories: Cyber Risk News

Hacker Group Gunning for Musk

Info Security - Mon, 06/07/2021 - 18:19

A hacking group has released a video slamming self-proclaimed Martian Emperor Elon Reeve Musk for his alleged callousness over the impact his cryptocurrency vacillations may have had upon the fortunes of the average working person.

Anonymous accuses the billionaire Tesla CEO and SpaceX founder, CEO, and chief engineer of using his immense wealth and influence to toy with cryptocurrency markets with no regard for how others might be affected.

"The games you have played with the crypto markets have destroyed lives," said the group in their latest video.

Musk’s messages on social media have had a major impact on the cryptocurrency market. In March, a few weeks after Tesla revealed it had bought $1.5bn of Bitcoin, the electric carmaker said that it would accept the cryptocurrency as payment.

Two months later, Musk sent the price of the world's biggest cryptocurrency tumbling by around 15% after tweeting that Tesla had suspended vehicle purchases using Bitcoin due to concerns over the cryptocurrency's environmental impact.  

Musk, whose family formerly owned half an emerald mine in Zambia, tweeted: "We are concerned about rapidly increasing use of fossil fuels for Bitcoin mining and transactions, especially coal, which has the worst emissions of any fuel."

The billionaire, whose fortune The Times alleged is fueled by children working in dangerous lithium mines, added: "Cryptocurrency is a good idea on many levels and we believe it has a promising future, but this cannot come at great cost to the environment."

In their latest video, Anonymous claims that Musk's "carefully created public image is being exposed." Citing allegations that Tesla risks the health and safety of its employees in pursuit of ever-greater profits, the hacking group claims Musk's interest in climate change is not founded in concern for humanity but instead stems from "a superiority and savior complex."

Anonymous goes on to claim that Tesla makes most of its money not by selling cars, but via government subsidies. 

"Tesla has also made more money holding Bitcoin for a few months than they did in years of selling cars," said the hackers, before alleging that Tesla bought its Bitcoin with government subsidies. 

Categories: Cyber Risk News

CloudQuest Acquired by Deloitte

Info Security - Mon, 06/07/2021 - 16:43

Deloitte Touche Tohmatsu Limited today announced its acquisition of CloudQuest, a cloud security posture management (CSPM) provider based in Cupertino, California. 

Multinational professional services network Deloitte said that the deal will bolster its current cloud cybersecurity offerings with CloudQuest's cloud-native security capabilities "to more seamlessly manage security workflows, reduce risk and improve data security."

Vikram Kunchala, Deloitte risk & financial advisory cyber cloud leader and principal, Deloitte & Touche LLP, said that the Covid-19 pandemic had not delayed the adoption of cloud technologies. 

"While the global pandemic slowed some things, it didn't slow cloud migration or cloud reliance for the vast majority of organizations," said Kunchala.

"As organizations work to build or advance their security postures for cloud or hybrid-cloud environments, we're expanding and diversifying our services and solutions portfolio to help our clients continuously monitor, prevent and remediate security threats."

Bolting on CloudQuest's business will allow Deloitte to continue to expand its portfolio of cloud security orchestration, automation and response (SOAR) services and solutions. 

"We see incredible opportunity in novel approaches that help organizations securely transform and operate while also realizing competitive advantage," said Deborah Golden, Deloitte risk & financial advisory cyber and strategic risk leader and principal, Deloitte & Touche LLP, "and we're continually investing to bring the most innovative solutions to our clients.

"Our acquisition of CloudQuest represents our profound commitment to transforming alongside our clients, competing vigorously in the market, and aggressively building out tech-enabled approaches that position Deloitte cyber as an unquestionable business enabler."

Financial terms of the deal were not disclosed. CloudQuest is Deloitte's second cyber acquisition in 2021, preceded by cyber-threat hunting firm Root9B, LLC (R9B).

CloudQuest CEO Vijay Sarathy, who co-founded the company in 2017, said: "Joining Deloitte will enable us to expand our capabilities, helping organizations protect against the next generation of security threats, promote continued innovation and agility, and foster more efficient cloud security capabilities. 

"This new chapter is one that my co-founders Ramesh Menon, Nishan Sathyanarayan and I always hoped to achieve, as we worked to help those in the cloud accelerate their cybersecurity efforts." 

Categories: Cyber Risk News

California City Hid Cyber-attack

Info Security - Mon, 06/07/2021 - 15:58

A California city whose police department recently revealed it had been victimized by cyber-criminals has now acknowledged it suffered an earlier cyber-attack in 2018.

Azusa's 63-officer police department was targeted by the DoppelPaymer ransomware gang late last winter. The attack was kept secret while officials worked with the FBI, Los Angeles County Sheriff’s Department, and ransomware consultants to try to retrieve hundreds of highly sensitive files encrypted in the incident. 

In April, a stash of the department's documents was leaked online after the city elected not to pay the ransom demanded by the gang. Among the information leaked were criminal case files and payroll data containing Social Security numbers, driver’s license numbers, medical information, and financial account information.

The city finally publicly acknowledged the hack on May 27 to coincide with the start of Memorial Day weekend, when America's attention typically flits away from the news cycle and toward outdoor social activities and honoring the fallen. 

Azusa PD issued a “notification of data security breach” stating that it had been hit by a “sophisticated ransomware attack” and that "certain Azusa Police information was acquired by the unauthorized individual."

Now the city has said that it was attacked with ransomware by another unnamed cyber-criminal organization in the fall of 2018. Azusa City Manager Sergio Gonzalez said that the city’s insurers, Chubb, paid $65,000 to regain control of 10 data servers at the police department that were taken over by the hackers for more than a week.

“We were able to unlock one server after the ransom was paid but immediately after found a free key to unlock all other locked servers,” Gonzalez said in an email. 

“No information was compromised. Our servers were just locked."

Gonzalez said that the 2018 attack had not been reported because an investigation had determined that no data had been exposed in the incident. 

"We verified with forensic experts that no data was compromised," wrote Gonzalez. "That’s essentially why we did not and were not required to report it (publicly).”

Whittier Daily News reports that the 2018 attack began when a city employee opened an email and clicked on a malicious link. 

Categories: Cyber Risk News

Google's FLoC: Privacy Gone Amok?

Info Security - Mon, 06/07/2021 - 15:57
Categories: Cyber Risk News

Qualys Announces Passing of Philippe Courtot, its CEO of the Past 20 Years

Info Security - Mon, 06/07/2021 - 12:11

Cloud security firm Qualys has announced the sad news of the passing of its former CEO, chairman and leader for the past 20 years, Philippe Courtot, at the age of 76.

Courtot oversaw the significant growth of Qualys since becoming its CEO in March 2001, initially investing in the company in 1999 when it was founded. His vision to build a cloud delivery platform that would allow for scanning any network on a global scale became realised in Qualys’ global expansion over the past two decades. It first went public in 2012.

Under his leadership, Qualys completed several acquisitions. In recent years these include Second Front Systems and endpoint detection and response startup Spell Security.

Born in 1944 in France, Courtot began his career selling minicomputers before arriving in the US in 1981. After a spell as CEO of Thomson CGR Medical, he founded email platform provider cc:Mail in 1988, achieving a 40% market share before selling the business to Lotus in 1991. He was then appointed president and CEO of Verity before joining Signio, where he oversaw its acquisition by VeriSign.

Courtot was also involved in several initiatives to support the security industry’s role more generally. These include supporting the formation of the Cloud Security Alliance in 2008, founding the Trustworthy Internet Movement and CSO Interchange, and becoming a trustee for The Internet Society.

Additionally, he received a number of personal awards for his work in security over the years. In 2019, Courtot picked up the Decade of Vision Leadership Award from the Cloud Security Alliance. Last year Courtot received the Benefactor Award from the International Systems and Security Association (ISSA) Education Foundation for supporting cybersecurity and cybersecurity education.

Commenting, Sumedh Thakar, Qualys president and CEO, said: “Philippe was my mentor and advisor; the entire Qualys team and I are deeply saddened by his passing, and our thoughts and prayers are with his family. We are forever grateful for Philippe’s exceptional leadership, vision and passion for helping enterprise customers with practical solutions to the biggest challenges around security. He was dedicated to making life easier for everyone from security analysts through to CISOs.”

Sandra E. Bergeron, Qualys’ lead independent director, stated: “The board and company are incredibly saddened at the loss of Philippe. He was a transformational leader with a passion for business and cybersecurity, who cared deeply about Qualys and its employees. We look forward to honoring him by continuing to grow the company based on his vision.”

Categories: Cyber Risk News

Colonial Pipeline Incident Sparks 'Help Desk' Phishing Attacks

Info Security - Mon, 06/07/2021 - 10:54

Researchers have discovered a new phishing campaign designed to spread ransomware and steal data by capitalizing on interest in the recent Colonial Pipeline outage.

Security vendor Inky, which spotted the malicious emails, said several Microsoft 365 customers were targeted.

Emails were spoofed to appear as if sent from the recipient’s “Help Desk.” Recipients were instructed to click on a malicious link in order to download a critical “ransomware system update” to protect their organization from the same fate as Colonial Pipeline.

“The malicious emails were sent from newly created domains (ms-sysupdate.com and selectivepatch.com) controlled by cyber-criminals. The domain names, sufficiently plausible to appear legitimate, were nonetheless different enough so that garden variety anti-phishing software would not be able to use regular expression matching to detect their perfidy,” explained VP of security strategy, Roger Kay.

“Both domains were registered with NameCheap, a registrar popular with bad actors. Its domains are inexpensive, and the company accepts Bitcoin as payment for hosting services (handy for those trying to remain anonymous). The malicious links in the emails belonged to — surprise — the same domain that sent the emails.”

The download itself is, in fact, Cobalt Strike — a legitimate pen-testing tool often used in ransomware attacks and data exfiltration and which could be used in this instance to control targeted systems.

Anti-phishing software must be used to mitigate the risks posed by such attacks in conjunction with well-thought-out policies such as IT teams never asking employees to download certain file types, Kay concluded.
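The indicators Inky describes (an internal-sounding display name on an external sender domain, an urgent "ransomware update" lure, links pointing back at the sender's own domain, and a sender domain that was only just registered) can be scored together rather than with a single regex. The following is an added illustration, not Inky's tooling; the organisation domain `example.com`, the newly-registered-domain list, and the sample messages are all constructed here.

```python
"""Score inbound mail against the 'Help Desk' lure indicators described above."""
import re
from dataclasses import dataclass
from email.utils import parseaddr
from typing import List

ORG_DOMAIN = "example.com"  # assumption: the protected organisation's own mail domain

# Assumption: a feed of recently registered domains (e.g. from a domain-age lookup);
# the two entries are the campaign domains named in the article.
NEWLY_REGISTERED = frozenset({"ms-sysupdate.com", "selectivepatch.com"})

INTERNAL_NAME = re.compile(r"help\s*desk|it\s*support|service\s*desk", re.I)
LURE_SUBJECT = re.compile(r"ransomware|security (update|patch)|critical (update|patch)", re.I)


@dataclass
class Message:
    from_header: str
    subject: str
    links: List[str]


def sender_domain(from_header: str) -> str:
    """Domain part of the RFC 5322 From address, lower-cased."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def url_host(url: str) -> str:
    """Host part of an absolute URL, or '' if it cannot be parsed."""
    m = re.match(r"^[a-z][a-z0-9+.\-]*://([^/:?#]+)", url, re.I)
    return m.group(1).lower() if m else ""


def registrable(domain: str) -> str:
    """Naive registrable domain (last two labels); fine for the .com/.example names used here."""
    parts = domain.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else domain


def score(msg: Message, org_domain: str = ORG_DOMAIN,
          newly_registered=NEWLY_REGISTERED) -> List[str]:
    """Return the list of indicators that fired for this message."""
    reasons = []
    sd = sender_domain(msg.from_header)
    name, _ = parseaddr(msg.from_header)
    external = sd != org_domain
    if external and INTERNAL_NAME.search(name):
        reasons.append("internal-sounding display name on external sender domain")
    if external and LURE_SUBJECT.search(msg.subject):
        reasons.append("security-update lure from external sender")
    for url in msg.links:
        host = url_host(url)
        # The article notes the links pointed at the same domain that sent the mail.
        if external and host and registrable(host) == registrable(sd):
            reasons.append(f"link host {host} matches external sender domain")
    if registrable(sd) in newly_registered:
        reasons.append(f"sender domain {sd} is newly registered")
    return reasons


def is_suspicious(msg: Message, **kw) -> bool:
    """A single indicator (a newsletter linking to itself) is normal; two or more is not."""
    return len(score(msg, **kw)) >= 2


# Constructed sample messages modelled on the campaign, one genuine, one benign external.
SAMPLES = {
    "lure": Message("Help Desk <helpdesk@ms-sysupdate.com>",
                    "Critical ransomware system update required",
                    ["https://ms-sysupdate.com/patch/update.exe"]),
    "legit": Message("Help Desk <helpdesk@example.com>",
                     "Scheduled maintenance this weekend",
                     ["https://intranet.example.com/kb/123"]),
    "newsletter": Message("Acme News <news@acme-news.example>",
                          "June product news",
                          ["https://www.acme-news.example/june"]),
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        print(label, is_suspicious(msg), score(msg))
```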

In related news, it has been reported that the DarkSide group responsible for the attack on Colonial Pipeline may have breached the critical infrastructure organization via a single compromised password.

A Mandiant VP working on the case reportedly claimed that the VPN account log-in allowed remote attackers to infiltrate the company’s network, even though the account was no longer in use at the time. The credential was subsequently found on the dark web, meaning it may have been previously reused across multiple accounts.

Categories: Cyber Risk News

Latvian Woman Charged with Developing Malware for Trickbot

Info Security - Mon, 06/07/2021 - 10:05

A 55-year-old Latvian woman has been charged on multiple counts for her alleged role in developing malware for the infamous Trickbot group.

On Friday, Alla Witte, aka “Max,” was charged with 19 counts of a 47-count indictment after being arrested in February in Miami.

The indictment claimed that she helped develop code related to the control, deployment and payment of ransomware; software to track authorized users of the malware; and tools and protocols to store stolen login credentials.

Trickbot started life several years ago as a banking Trojan. However, subsequent iterations turned it into a multi-purpose modular threat used by cyber-criminals to gain access to victims’ networks and deploy additional malware, including ransomware.

According to the Department of Justice (DoJ), Witte and her co-conspirators stole money and sensitive information globally from individuals and businesses, including banks, beginning November 2015.

Trickbot apparently helped them steal online banking logins and other personal information, including credit card numbers, emails, passwords, dates of birth, social security numbers and addresses. The DoJ alleged that Witte and her co-conspirators used bank account access to steal funds and launder money.

Witte is charged with:

  • One count of conspiracy to commit computer fraud and aggravated identity theft
  • One count of conspiracy to commit wire and bank fraud affecting a financial institution
  • Eight counts of bank fraud affecting a financial institution
  • Eight counts of aggravated identity theft
  • One count of conspiracy to commit money laundering

The crimes she’s accused of could land Witte with a maximum sentence of over 300 years.

The group is accused of infecting tens of millions of computers and stealing millions of dollars over the past six years.

“The Trickbot malware was designed to steal the personal and financial information of millions of people around the world, thereby causing extensive financial harm and inflicting significant damage to critical infrastructure within the United States and abroad,” said acting US attorney, Bridget Brennan, of the Northern District of Ohio.

“Federal law enforcement, along with assistance provided by international partners, continue to fight and disrupt ransomware and malware where feasible. We are united in our efforts to hold transnational hackers accountable for their actions.”

Categories: Cyber Risk News

Warning of New Ransomware Surge in Education Sector

Info Security - Mon, 06/07/2021 - 08:34

The UK’s leading cybersecurity authority has updated its guidance on ransomware following a spate of attacks on the education sector.

GCHQ spin-off, the National Cyber Security Centre (NCSC), said it was investigating another rise in threats targeting schools, universities and colleges.

“Ransomware attacks can have a devastating impact on organizations, with victims requiring a significant amount of recovery time to reinstate critical services. These events can also be high profile in nature, with wide public and media interest,” the NCSC said.

“In recent incidents affecting the education sector, ransomware has led to the loss of student coursework, school financial records as well as data relating to COVID-19 testing.”

Recent trends highlighted by the organization include the targeting of networks through VPNs and remote desktop protocol (RDP) endpoints, by exploiting unpatched bugs or weak passwords/lack of multi-factor authentication (MFA). It also pointed to the threat from phishing emails and other unpatched systems like Microsoft Exchange Server.

Using legitimate tools such as Mimikatz, PsExec, and Cobalt Strike is also widespread in enabling lateral movement that traditional security tools have trouble spotting, the NCSC added.

Recently, researchers have seen attempts to sabotage backup/auditing devices to make data recovery more complex, encrypt entire virtual servers, and use scripting environments like PowerShell to deploy tooling and malware.

In April, both the University of Portsmouth and the University of Hertfordshire suffered network outages lasting days after ransomware threat actors struck.

The Harris Federation, which runs 50 primary and secondary academies in the London area, was struck in March, impacting nearly 40,000 pupils.

The NCSC's updated report recommended a defense-in-depth approach to protection, including MFA, anti-virus, prompt patching, and disabling macros and scripting environments to help disrupt ransomware attack vectors.

Categories: Cyber Risk News

US to Treat Ransomware Like Terrorism

Info Security - Fri, 06/04/2021 - 18:18

A senior official at the United States Department of Justice (DOJ) has said that ransomware attacks in America are to be investigated with a similar urgency as incidences of terrorism.

The official told news agency Reuters that cyber-assaults using this particular type of malware are to be prioritized more highly now following a passel of ransomware attacks against entities in the US and elsewhere.

Ransomware victims in recent weeks have included the Colonial Pipeline, meat supplier JBS, the Steamship Authority of Massachusetts, and Fujifilm.

Reuters reports that internal DOJ guidance on ransomware was received by US attorney’s offices across the country on Thursday. Recipients were told that information regarding ransomware investigations in the field must be shared with a recently created task force based in Washington.

“It’s a specialized process to ensure we track all ransomware cases regardless of where it may be referred in this country, so you can make the connections between actors and work your way up to disrupt the whole chain,” said principal associate deputy attorney general at the Justice Department, John Carlin.

The Colonial attack is cited in the guidance as a prime example of the “growing threat that ransomware and digital extortion pose to the nation.”

It reportedly reads: “To ensure we can make necessary connections across national and global cases and investigations, and to allow us to develop a comprehensive picture of the national and economic security threats we face, we must enhance and centralize our internal tracking."

The specialized process described by Carlin is typically used in cases of national security. Central notification will now be compulsory for investigations into counter anti-virus services, illicit online forums or marketplaces, cryptocurrency exchanges, bulletproof hosting services, botnets and online money laundering services.

“We’ve used this model around terrorism before but never with ransomware,” said Carlin. 

He added: “We really want to make sure prosecutors and criminal investigators report and are tracking ... cryptocurrency exchanges, illicit online forums or marketplaces where people are selling hacking tools, network access credentials – going after the botnets that serve multiple purposes.”

FBI director Christopher Wray said that the agency is investigating around 100 kinds of ransomware, many of which are linked to criminal operators in Russia.

Categories: Cyber Risk News

More US Kids Warned About Internet Than Unsafe Sex

Info Security - Fri, 06/04/2021 - 17:34

More American parents are warning their children about the dangers of going online than about the importance of sexual safety, according to new research.

A survey of over 1,000 parents in the United States conducted by InMyArea.com found that 89% of parents with children aged 12 or older have had an intentional talk about internet safety with their children. By contrast, only 66% of American parents with kids aged 12 or older had purposefully discussed sexual safety with their offspring.

Of those parents with kids aged 12+ who talked to their children about staying safe online, more than half (60%) had engaged in more than one discussion about the topic. By contrast, only 37% of parents with children aged 12 or older had talked to their children more than once about sexual safety.

The survey focused on parents with children aged between 6 and 17. Findings revealed that 82% of parents had talked to their kids about internet safety, with 51% having more than one intentional talk on the subject. 

The two most popular internet safety topics covered by parents were protecting personal information (81%) and stranger danger (79%). 

More than half of parents had discussed social media and mental health (53%) and cyber-bullying (51%) with their kids. 

Sex wasn't the only issue to take a backseat behind the internet in discussions around safety. Researchers found that only 79% of parents with children aged 15 or older had talked to their kids about driving/vehicle safety. 

Of all the parents surveyed, outdoor/wilderness safety had been addressed by just 60%, and fire safety by just 69%. 

The survey found a discrepancy between parents' views on age-restricted internet access and social media policies. 

"Most survey respondents believed their children should reach 14 to 15 years of age before having unsupervised access to social media," said an InMyArea.com spokesperson. "Yet major platforms, including Facebook, Instagram, Snapchat, and Twitter, require users to be 13 before making an account."

Results revealed parents' leading internet concerns for their children as being targeted by a predator (67%), seeing sexually explicit content (65%) and seeing graphic or violent content (60%). More than half (56%) worried that their children would be cyber-bullied.

Categories: Cyber Risk News

Biden Expands Trump’s Investment Ban on Chinese Firms

Info Security - Fri, 06/04/2021 - 15:51

President Joe Biden's latest executive order has expanded a ban on investing in Chinese companies with alleged links to defense or surveillance technology sectors that was introduced by former president Donald Trump.

The Trump administration issued an executive order on November 12, 2020, barring US entities from investing in a clutch of PRC companies including smartphone-maker Huawei, China Telecommunications Corp., China Unicom Ltd., and China Mobile Communications Group Co.

On Thursday, Biden signed an order blocking Americans from investing in 59 companies based in the People's Republic of China, including leading microchip-maker Semiconductor Manufacturing International Corp. and the republic's biggest server manufacturer, Inspur.

Defense companies that made it onto Biden’s list included Aviation Industry Corp. of China, Ltd., China North Industries Group Corp., China Aerospace Science and Industry Corporation Ltd., and China Shipbuilding Industry Co.

In 2019, Biden declared that the Chinese were "not bad folks" and that China, which has the world's second largest economy, was "not competition for us."

In the executive order signed yesterday, Biden wrote that "additional steps are necessary to address the national emergency declared in Executive Order 13959 of November 12, 2020 (Addressing the Threat From Securities Investments That Finance Communist Chinese Military Companies), including the threat posed by the military-industrial complex of the People’s Republic of China (PRC) and its involvement in military, intelligence, and security research and development programs, and weapons and related equipment production under the PRC’s Military-Civil Fusion strategy. 

"In addition, I find that the use of Chinese surveillance technology outside the PRC and the development or use of Chinese surveillance technology to facilitate repression or serious human rights abuse constitute unusual and extraordinary threats, which have their source in whole or substantial part outside the United States, to the national security, foreign policy, and economy of the United States, and I hereby expand the scope of the national emergency declared in Executive Order 13959 to address those threats.” 

The prohibitions will take effect on August 2, 2021. The US Treasury Department has said it will update the list of barred companies on a “rolling basis” and that they "fully expect" to add more companies to it in the months ahead.

Categories: Cyber Risk News

CISOs Agree That Traditional Application Security Measures Don't Work

Info Security - Fri, 06/04/2021 - 14:11

Nearly three-quarters (71%) of CISOs aren’t confident that code in cloud-native architectures is free of vulnerabilities before it goes into production, according to new research from Dynatrace.

The software intelligence firm polled 700 global security chiefs in large enterprises with over 1,000 employees to better understand their concerns over microservices, containers, and Kubernetes in development.

Some 89% claimed their use had created dangerous application security blind spots.

These challenges appear to be compounded by time-to-market pressures and by existing tools and processes that are not fit for purpose in the new cloud-native era.

Over two-thirds (68%) of CISOs said the sheer volume of alerts coming through makes it difficult to prioritize. On average, their teams receive 2,169 flags about potential application security vulnerabilities each month, most of which are false positives, the research claimed.

Over a quarter (28%) said development teams sometimes bypass vulnerability checks to speed up delivery, while three-quarters (74%) said traditional scanning tools and other legacy security controls don’t work in today’s environments.

Bernd Greifeneder, founder and CTO of Dynatrace, argued that the growing use of cloud-native architectures had broken traditional approaches to app security.

“This research confirms what we’ve long anticipated: manual vulnerability scans and impact assessments are no longer able to keep up with the pace of change in today’s dynamic cloud environments and rapid innovation cycles,” he added.

“Risk assessment has become nearly impossible due to the growing number of internal and external service dependencies, runtime dynamics, continuous delivery, and polyglot software development, which uses an ever-growing number of third-party technologies. Already stretched teams are forced to choose between speed and security, exposing their organizations to unnecessary risk.”

Most CISOs questioned for the research agreed that more automation of deployment, configuration and management was needed.

“As organizations embrace DevSecOps, they also need to give their teams solutions that offer automatic, continuous, and real-time risk and impact analysis for every vulnerability, across both pre-production and production environments, and not based on point-in-time snapshots,” said Greifeneder.

Categories: Cyber Risk News

Campaigners Request Meeting with Home Secretary as Part of Computer Misuse Act Review

Info Security - Fri, 06/04/2021 - 13:03

Campaigners have written to the UK Home Secretary, Priti Patel, welcoming the announced review into the Computer Misuse Act (CMA) and requesting a meeting with her to discuss reform proposals.

The CyberUp Campaign and techUK penned the letter following a joint briefing call on Tuesday May 25 among industry representatives about the review, which Patel first announced in a speech during the CYBERUK 2021 virtual event last month. In her talk, she explained this is part of the UK government’s efforts to ensure law enforcement agencies are equipped with “the right tools and mechanisms to detect, disrupt, and deter our adversaries.”

The government has now opened a call for evidence from across the cybersecurity industry, which closes on June 8, 2021. This is requesting insights into the legislation, including whether current “protections in the CMA for legitimate cybersecurity activity provide adequate cover.”

Welcoming this development, the letter informed the Home Secretary that the CyberUp Campaign and techUK “share the desire to see a legal framework in the UK that is best able to assist UK law enforcement in defending the UK from an ever-evolving array of cyber threats, and that supports a thriving and internationally competitive UK cybersecurity industry.”

Many in the industry have long called for the act to be updated, observing that the cyber and technology landscape has changed substantially since it was first enacted in 1990.

In June 2020, a group of cybersecurity organizations coordinated by the CyberUp Campaign wrote an open letter to the UK Prime Minister Boris Johnson, emphasizing the need for the CMA to be updated. This letter stated: “In 1990, when the CMA became law, only 0.5% of the UK population used the internet, and the concept of cybersecurity and threat intelligence research did not yet exist. Now, 30 years on, the CMA is the central regime governing cybercrime in the UK despite being originally designed to protect telephone exchanges. This means that the CMA inadvertently criminalizes a large proportion of modern cyber-defense practices.”

Commenting on the latest developments, Ollie Whitehouse, CTO of NCC Group and spokesperson for the CyberUp Campaign, said: “The government consultation represents a once-in-a-generation opportunity for the cyber sector to have our say on the badly out of date Computer Misuse Act, which has been around since the inception of the sector and increasingly acts as a barrier.”

Matt Evans, director at techUK, added: “Through the formal review of the Computer Misuse Act 1990, there is a real opportunity for the UK to future-proof key cybersecurity legislation, allowing industry and law enforcement to better work together to protect citizens and businesses alike.

“This is likely the start of a longer process and techUK will look to ensure that industry plays its role in exploring the potential options and challenges around reform, with a strong view that through working towards sensible reforms that can also contribute to the UK’s international competitiveness and leadership in the cyber domain.

"techUK looks forward to engaging with the government throughout the review process on behalf of industry and additionally urges its relevant members to directly input into the Home Office.”

Categories: Cyber Risk News

DNS Attacks on the Rise, Costing $1 Million Each

Info Security - Fri, 06/04/2021 - 10:47

According to new research, cyber-attacks that use DNS channels to steal data, launch DDoS attacks on victims, and deploy malware have grown in volume and cost throughout the pandemic.

EfficientIP’s 2021 Global DNS Threat Report was compiled by IDC from interviews with 1,114 organizations across the world about their experiences of last year.

It found that 87% of organizations suffered one or more DNS attacks in 2020, up eight percentage points from 2019. On average, victims were hit 7.6 times, at a cost of $950,000 per attack.

The most common forms of attack were DNS phishing (49%), DNS-based malware (38%), DDoS (29%), DNS hijacking (27%), DNS tunnelling for command and control (24%), zero-day bugs (23%) and cloud misconfiguration abuse (23%).

Phishing appears to have been particularly popular due to the large number of potentially at-risk remote workers.

These attacks frequently led to cloud service and in-house app downtime, compromised websites, brand damage, lost business and sensitive data theft, the report claimed.

Threat actors often use DNS as it is always on, with traffic whitelisted by most firewalls. That opens up opportunities to hide malware or stolen data in DNS channels, among other things.

However, given its ubiquity, DNS can also play an essential role in securing organizations — especially protecting remote workers and data and application traffic, EfficientIP said.

Half of those surveyed said they use DNS traffic analysis to detect compromised devices, and over a quarter (27%) send DNS traffic logs to SIEM platforms for analysis.
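The DNS traffic analysis mentioned above usually means looking for queries that carry encoded payloads rather than real hostnames. The following is an added example, not code from EfficientIP, IDC or the report: a small heuristic detector run over a handful of constructed query-log lines. The log format (`epoch client qtype qname`), the domain `exfil-test.invalid`, the thresholds and the two-label approximation of a registrable domain are all assumptions made for the example; a production detector would use a public-suffix list and baseline the thresholds against the organization's own traffic.

```python
"""Heuristic DNS-tunnelling detector over constructed query-log lines.

Added example (not the report's code). Flags registrable domains whose
queries look like encoded payloads: many distinct subdomains, long and
high-entropy leftmost labels, and a high share of TXT queries. The log
format, sample domains and thresholds are assumptions for this example.
"""
import math
from collections import defaultdict

# Constructed sample lines: "<epoch> <client-ip> <qtype> <qname>".
# exfil-test.invalid uses the reserved .invalid TLD as a stand-in.
SAMPLE_LOG = """\
1622800001 10.0.0.5 A www.example.com
1622800002 10.0.0.5 A mail.example.com
1622800003 10.0.0.7 TXT 3q7hd9a0f2k1x8c4v6b2n5m9z1p0q3w7.exfil-test.invalid
1622800004 10.0.0.7 TXT 9k2j4h6g8f0d1s3a5z7x9c1v3b5n7m0l.exfil-test.invalid
1622800005 10.0.0.7 TXT a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6.exfil-test.invalid
1622800006 10.0.0.7 TXT zz9y8x7w6v5u4t3s2r1q0p9o8n7m6l5k.exfil-test.invalid
1622800007 10.0.0.5 A cdn.example.com
"""


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; base32/hex-like encodings score high."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_domain(qname: str) -> str:
    """Approximate the registrable domain as the last two labels.

    Assumption: no public-suffix list, so 'host.example.co.uk' is mis-split.
    """
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_line(line: str) -> dict:
    """Parse one constructed log line into its four fields."""
    ts, client, qtype, qname = line.split()
    return {"ts": int(ts), "client": client, "qtype": qtype, "qname": qname.lower()}


def domain_stats(log_text: str) -> dict:
    """Aggregate per registrable domain: distinct subdomains, entropy, label length, TXT share."""
    stats = defaultdict(lambda: {"subdomains": set(), "entropies": [],
                                 "max_label": 0, "txt": 0, "total": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        base = registrable_domain(rec["qname"])
        prefix = rec["qname"][: -len(base) - 1] if rec["qname"] != base else ""
        s = stats[base]
        s["total"] += 1
        if prefix:
            s["subdomains"].add(prefix)
            s["entropies"].append(shannon_entropy(prefix.replace(".", "")))
            s["max_label"] = max(s["max_label"], max(len(lab) for lab in prefix.split(".")))
        if rec["qtype"] == "TXT":
            s["txt"] += 1
    return stats


def find_suspect_domains(log_text: str, min_unique: int = 3,
                         min_entropy: float = 3.5, min_label_len: int = 20) -> dict:
    """Return {domain: {...}} for domains matching at least two tunnelling indicators."""
    flagged = {}
    for base, s in domain_stats(log_text).items():
        if len(s["subdomains"]) < min_unique:
            continue  # too few distinct names to judge
        mean_entropy = sum(s["entropies"]) / len(s["entropies"])
        reasons = []
        if mean_entropy >= min_entropy:
            reasons.append(f"mean subdomain entropy {mean_entropy:.2f} bits")
        if s["max_label"] >= min_label_len:
            reasons.append(f"label length up to {s['max_label']}")
        if s["txt"] and s["txt"] / s["total"] >= 0.5:
            reasons.append(f"{s['txt']}/{s['total']} TXT queries")
        if len(reasons) >= 2:
            flagged[base] = {"unique_subdomains": len(s["subdomains"]), "reasons": reasons}
    return flagged


if __name__ == "__main__":
    for base, info in find_suspect_domains(SAMPLE_LOG).items():
        print(base, info)
```

On the constructed input only `exfil-test.invalid` is flagged (four distinct 32-character high-entropy labels, all TXT), while `example.com` is skipped because its short, low-entropy hostnames match none of the indicators. Requiring two indicators rather than one keeps legitimate high-entropy traffic such as CDN or anti-virus lookups from tripping the rule on its own.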

“While it is positive that companies want to use DNS to protect their increasingly remote workforces, organizations are continuing to suffer the costly impacts of DNS attacks,” said Romain Fouchereau, research manager for European security at IDC.

“As threat actors seek to diversify their toolkits, businesses must continue to be aware of the variety of threats posed, ensuring DNS security is a key priority to preventing these.”

Categories: Cyber Risk News

Chinese Actors Reportedly Breached America's Largest Transport Network

Info Security - Fri, 06/04/2021 - 10:06

According to a new report, Chinese threat actors breached North America’s largest transport network in a likely cyber-espionage campaign earlier this year.

The attackers reportedly exploited a zero-day vulnerability in the Pulse Connect Secure remote access product to penetrate the IT systems of New York’s Metropolitan Transportation Authority (MTA) in April.

Although they achieved persistence for several days and compromised three of the transit authority’s 18 computer systems, the MTA claimed that the actors stole no customer or internal data and made no changes to critical systems.

“Our response to the attack, coordinated and managed closely with state and federal agencies, demonstrated that while an attack itself was not preventable, our cybersecurity defense systems stopped it from spreading through MTA systems,” a statement sent to the New York Times revealed.

The MTA is said to have begun a forensic review following warnings about the zero-day by US authorities.

According to the report, the attack involved two sets of Chinese threat groups. A potential target for the attack was insider information on subway cars and rail networks that could allow the country to dominate the global market.

Pulse Secure customers were warned about the bug in late April. As Infosecurity reported at the time, CVE-2021-22893 has a CVSS score of 10.0 and is listed as a critical authentication bypass.

It was being exploited in combination with multiple legacy CVEs in the product from 2019 and 2020 to bypass multi-factor authentication — enabling attackers to install web shells and perform espionage activities.

Brooks Wallace, VP EMEA at Deep Instinct, argued that although the attackers didn’t cause any physical damage to transport networks around New York, they had the opportunity.

“This attack could easily have been a way for the attackers to determine whether or not an isolated infrastructure could be breached and taken down, with plans for a more widespread cyber-attack across the US in the future,” he added.

“Staying at the bleeding edge of innovation is the only way to outpace the attackers. The best protection against attacks such as this one is a multi-layered approach using a variety of solutions. A ‘prevention-first’ mindset is also key.”

Categories: Cyber Risk News

Museum Website Vandalized with X-Rated Ads

Info Security - Thu, 06/03/2021 - 18:39

Visitors to a Scottish tourism website were greeted with X-rated images after malicious cyber-criminals plastered its pages with pornographic promotions. 

The independent site eastlothianmuseums.org was set up by organizers ABC to help tourists seeking cultural experiences in East Lothian. 

"People usually tend to overlook museums when they are on a break because these places take time and a lot of patience, but we at ABC are dedicated towards changing that mindset and introducing people to museums in East Lothian," said the group.

But despite describing themselves as a "team that loves museums and wants the natives of Scotland as well as travelers from other countries to know their importance," ABC appears to have abandoned the website.

The East Lothian Courier reports that no news or updates have been posted to the eastlothianmuseums.org site in more than two years. 

After apparently being forsaken by its operators, the site fell into the hands of cyber-criminals hoping to lure victims with links to sexually explicit content. After hacking into the site, the threat actors posted links to adult websites that promise to fulfill "society's darkest fantasies."

In addition to adware, the site was laced with graphic descriptions of sex acts that could be viewed by clicking on certain links.

East Lothian Council said the racy site has now been updated with a security warning. 

"We are aware of this site, which details information on a range of museums and related visitor attractions across the county. It is not linked to or connected with East Lothian Council and our museums service or using the council branding style or logo.

"Anyone connecting to this site will see a security warning which indicates that continued use of the site may cause problems to the user."

Enquiries by the council were unable to establish where the site might be hosted. But misspellings of the word 'whisky' suggest it may not be based in Scotland. 

Dirk Schrader, global vice president of security research at New Net Technologies, commented: “Websites are an easy target for attackers, as they are destined to be publicly available. This means the attacker can scan them with a range of automated penetration tools. 

"Badly maintained websites, using outdated content management systems, are the go-to place for attackers to install reflectors or agents to enable additional attacks."

Categories: Cyber Risk News

Missing Toddler Chat Group Banned

Info Security - Thu, 06/03/2021 - 18:34

A partial settlement has been reached in a cyber-bullying case brought by the parents of a missing toddler against the operator of a chat group set up to discuss the fate of their son.

Dylan Ehler was three years old when he vanished from the backyard of his grandmother's home in Truro, Nova Scotia, at around 1:15 pm on May 6, 2020. Searches for the missing child were called off after two weeks, and his whereabouts remain a mystery.

The only trace of the toddler discovered to date was his rubber boots, which were located roughly 150 meters apart along Lepper Brook.

In online discussions of the case, Ehler's parents, Jason Ehler and Ashley Brown, have been variously accused without evidence of involvement in the boy's disappearance and of murdering their son. 

In February, Ehler's parents decided to take April Diane Moulton and Tom Hurley, also known as Tom Hubley, to court, arguing that the accusations and insults posted on a Facebook page administered by the pair constitute cyber-bullying.

The page, which was called "Dylan Ehler Open for Discussions" or "Dylan Ehler Open for Suggestions," at one point had over 17,000 members. 

"It's been horrific quite frankly," said the parents' lawyer, Allison Harris. "They're dealing with looking for their son, and this has taken away from that.

"Every time they go online, they get these kinds of messages, and some of this has spilled over into the community, and that's impacting them as well."

In an order signed late last month in Nova Scotia Supreme Court, Moulton was prohibited from re-opening the now closed Facebook page about Dylan and from starting another one like it. Moulton is also banned from making any further public posts about the missing child or his parents.

Hurley was offered a similar agreement to the one accepted by Moulton but has not accepted it. He reportedly said that since he lives in the same small town as Ehler's parents, he cannot agree to a ban on seeing them. 

The parties are due to meet face to face in court on August 3 for a hearing.

Categories: Cyber Risk News