The average time taken to fix high severity application security flaws has increased by ten days in just a month, according to the latest data from NTT Application Security.
The security vendor’s AppSec Stats Flash report for August offers a broad view of the current state of application security across various verticals.
Most important is the data detailing how quickly, or slowly, organizations close the window of exposure (WoE) between a patch becoming available and it being applied.
Although the overall “time to fix” dropped by two days, from 202 days to 200 days, for high severity vulnerabilities it increased from 246 days last month to 256 days in this month’s analysis.
The report found that utilities and retail firms, in particular, were performing poorly.
“Applications in the utility space continue to suffer from high window of exposure, with 67% of applications having at least one serious exploitable vulnerability throughout the year,” it noted.
“Retail Trade saw an increase of three base points in its WoE — from 58% last time to 61% this time. As we get closer to the final quarter of the year, there will be an expected increase in the transactions and activity on retail web and mobile applications. As such, applications in this sector are going to be rich targets for exploits.”
The most vulnerable sector was once again the “Management of Companies and Enterprises” vertical.
NTT Application Security warned that vulnerable applications are an increasingly dangerous vector for embedding ransomware and enabling supply chain attacks.
The top five vulnerability types by volume were HTTP response splitting, query language injection, cross-site scripting (XSS), cross-site request forgery and remote file inclusion.
These remain unchanged from previous months, indicating a “systemic failure” to address well-known security issues and making the task of threat actors even easier, the vendor claimed.
More than a third (35%) of connected device owners in the UK do not take additional security measures to protect their smart home devices and rely solely on inbuilt security features.
This is according to findings from the 2021 Norton Cyber Safety Insights Report: Special Release – Home & Safety, which examined consumers’ at-home online behaviors.
The UK portion of the study revealed a worrying lack of security hygiene for smart devices among British consumers. Only 37% of connected device owners deny permissions to apps on their devices, while just a third (33%) install cybersecurity software. An even lower proportion said they change the default passwords on devices (32%) or regularly update device passwords (30%). Additionally, only 31% of people who own a Wi-Fi router change their router password more than once a year, with 42% admitting they have never changed the password or are not sure how often the password is changed.
More encouragingly, 86% of Brits who own a connected device said they would take action if one of their devices were hacked. The most common of these actions are changing security settings or passwords (53%).
The research, based on an online survey of more than 1000 UK adults by The Harris Poll, found that 71% of UK adults own a smart home device, with smart TVs (52%) and smart speakers/home assistants (33%) the most common types. While many find these devices to be helpful (41%) and convenient (36%), a significant proportion described them as a security risk (24%) and intrusive (22%). Some even said they are not trustworthy (15%), creepy (12%) or scary (8%).
The study also highlighted how the increase in screen time during the COVID-19 pandemic has negatively impacted many consumers’ physical (52%) and mental health (41%), in addition to making them more vulnerable to online harms.
Sarah Uhlfelder, senior strategic director EMEA at NortonLifeLock, commented: “With Brits admitting to spending 5.5 hours a day looking at screens on top of the time they spend on devices for school or work purposes, it’s inevitable that excessive screen time is making many feel burnt out.
“Make no mistake, technology can and does bring a number of social and educational benefits and, over the past year, we even saw it become a lifeline for many. In the UK, one in five adults (21%) purchased a new smart home or connected device to help them and their family cope with the pandemic as lockdowns increased limitations to our social life and it's somewhat virtualized. But, in an increasingly virtual world, adopting healthy screen time routines and digital safety habits is a vital part of daily life.
“Beyond setting boundaries for device usage and screen time limits, people need to be wary of the risks they might be facing online, too. Being mindful of what you reveal about yourself online and exercising caution around potential scams, fraudulent sites or apps, paired with good password hygiene and device protection from multi-layered security software, can go a long way in helping to keep you and your family safe online.”
A configuration issue with a popular Microsoft development platform has exposed tens of millions of sensitive customer records, including those containing COVID-19 information, according to researchers.
Microsoft Power Apps enables “citizen developers” to create mobile and web-based apps for their businesses.
However, a team from UpGuard found that the portal for the platform was configured to allow public access in many cases, exposing at least 38 million records.
The issue stems from the Open Data Protocol (OData) APIs for retrieving data from Power Apps lists. This is the configuration used to “expose records for display on portals.”
“Lists pull data from tables, and limiting access to the list data that a user can see requires enabling Table Permissions,” explained UpGuard.
“‘To secure a list, you must configure Table Permissions for the table for which records are being displayed and also set the Enable Table Permissions Boolean value on the list record to true.’ If those configurations are not set and the OData feed is enabled, anonymous users can access list data freely.”
UpGuard said it first discovered the privacy issue in May. However, after securing one customer, it wondered whether others had lists set to be accessed anonymously via OData feed APIs, exposing sensitive data.
UpGuard said it found over a thousand anonymously accessible lists across several hundred portals. Among the organizations exposed in this way were American Airlines, Ford and multiple public sector entities.
“Among the examples of sensitive data exposed via OData APIs were three Power Apps portals used by American governmental entities to track COVID-19 tracing or vaccination and a portal with job applicant data including Social Security Numbers,” said UpGuard.
Microsoft eventually responded by notifying government customers of the issue and putting several mitigations in place to reduce the likelihood of accidental misconfiguration.
Tens of thousands of global Microsoft Exchange servers could be at risk after threat actors began exploiting three so-called “ProxyShell” vulnerabilities.
The three bugs were discovered in the April Pwn2Own competition and patched by Microsoft in April and May. However, the tech giant only assigned CVEs to them in July, complicating efforts by some sysadmins to check if their systems were vulnerable.
In the meantime, threat actors managed to take publicly available information on the vulnerabilities and craft exploits for the three bugs.
Now the Cybersecurity and Infrastructure Security Agency (CISA) has urged vulnerable organizations to patch the flaws.
“Malicious cyber actors are actively exploiting the following ProxyShell vulnerabilities: CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207. An attacker exploiting these vulnerabilities could execute arbitrary code on a vulnerable machine,” it said.
“CISA strongly urges organizations to identify vulnerable systems on their networks and immediately apply Microsoft’s Security Update from May 2021 — which remediates all three ProxyShell vulnerabilities — to protect against these attacks.”
Security experts have warned that threat actors actively scan for vulnerable servers to install web shells on, enabling further malicious activity. The situation calls to mind the four zero-day ProxyLogon bugs patched in March, which were exploited far and wide.
Huntress Lab said it had seen over 140 web shells installed across 1900+ unpatched servers in just 48 hours last week.
The bugs are apparently also being used in conjunction with the recently revealed PetitPotam vulnerability to deliver LockFile ransomware.
The cyber-thief, whose previous exploits have affected Microsoft, Dave, Tokopedia, Pixlr, Mashable, and Havenly among others, posted news of the data theft on an underground hacking forum earlier this month.
On the forum, ShinyHunters shared a small sample of the data they claim to have swiped from AT&T. The threat actor also offered to sell the whole database for the price of $1m.
Researchers at RestorePrivacy analyzed the sample of data shared by the threat actor.
"We examined the sample, and it appears to be authentic based on available public records. Additionally, the user who posted it has a history of major data breaches and exploits," wrote researchers in a blog post.
They added: "While we cannot yet confirm the data is from AT&T customers, everything we examined appears to be valid."
Researchers believe that ShinyHunters has accessed customer data including names, phone numbers, physical addresses, email addresses, Social Security numbers, and birth dates.
The hacker told RestorePrivacy that all the allegedly stolen data related to AT&T customers located in the United States. While they would not reveal how they obtained the data, ShinyHunters did say that they had accessed three encrypted strings of data that included dates of birth and Social Security numbers.
In an update to a blog post published August 19, the researchers said that AT&T had denied the breach.
An AT&T corporate communications officer told RestorePrivacy: "Based on our investigation today, the information that appeared in an internet chat room does not appear to have come from our systems."
Researchers described the company's response as "interesting" and noted that "the claim that this was posted in an 'internet chat room' is simply not correct. It was posted in a well-known hacking forum by a user with a history of large (and verified) exploits."
The communication company's comment came as no shock to ShinyHunters.
The threat actor told researchers: "It doesn’t surprise me. I think they will keep denying until I leak everything."
Every token swiped in the world's biggest ever crypto-currency heist has now been returned to the victim organization.
A cyber-thief hit blockchain connection platform Poly Network on August 10, stealing crypto-currency worth more than $610m. After a blockchain keeper's private key was leaked, the attacker exploited a code vulnerability to change the “keeper role” of two blockchain contracts so that any transaction was possible.
From a Bscscan contract, the threat actor made the following withdrawals: $133,023,777.79, $85,519,813.63, $87,594,029.67, $132,907,573.59, $132,907,574.59 and $133,029,927.08 (USD). A further $93,343,903.87 in Ether was withdrawn ($182,628,360.16 USD) from an Etherscan contract.
After the attack took place, Poly Network appealed to the culprit to give back their ill-gotten gains. The attacker responded by saying that they had performed the theft to make a point about security and had always intended to give the proceeds back.
In the days that followed, the attacker began paying back the stolen funds in increments. By August 13, nearly half of the tokens ($260m worth) had been returned to Poly Network in the form of $3.3m worth of Ethereum, $256m worth of Binance Coin, and $1m worth of Polygon.
While negotiating with Poly Network to return the funds, the hacker was given the name Mr. White Hat by their victim. The platform offered the unknown attacker a job as its chief security advisor and offered to pay them a $500k bug bounty for identifying the flaw exploited in the attack.
Now the mystery hacker has given their victim access to the final cache of stolen tokens. In a blog post published on Monday, Poly Network said Mr. White Hat had at last shared with them the private key needed to regain control of the remaining tokens.
"At this point, all the user assets that were transferred out during the incident have been fully recovered," said the organization. "We are in the process of returning full asset control to users as swiftly as possible."
Prior to the theft from Poly Network, the biggest crypto-heist to have occurred took place in 2018 when thieves stole $534.8m from Japanese digital currency exchange Coincheck.
A hacking group has leaked what it claims is surveillance footage shot inside an Iranian prison where political prisoners are typically incarcerated.
Silent videos capturing the dire conditions of life inside Tehran's Evin Prison were shared with the media on Sunday by hacktivist group Tapandegan (Palpitations). Iran International reports that Tapandegan received the images from a hacking group calling itself Edalat-e Ali (Ali's Justice).
The footage shows guards beating a prisoner and guards and prisoners fighting among themselves. In one video, an emaciated prisoner is shown passing out and falling to the ground before being dragged up some stairs.
What appears to be an attempt by one prisoner to end his own life was captured by the CCTV. The footage shows a man breaking a bathroom mirror and attempting to cut open his arm with one of the shards.
Images in which guards are shown wearing facemasks are believed to date from the COVID-19 pandemic. Many of the videos bear a timestamp from this year or 2020.
Ali's Justice claims to have hacked into the prison's surveillance system a few months ago and stolen hundreds of gigabytes of data. The group said it was exposing the stolen footage now to coincide with the election of Iranian president Ebrahim Raisi.
Some of the footage appears to capture a cyber-attack taking place at the prison. It shows a guard looking on as monitor after monitor in a control room flashes red and then displays the text "cyberattack" along with an image of scales. The message “The Evin prison is a stain on Raisi’s black turban and white beard” then appears.
The Associated Press noted that the computer system in use in the control room appeared to be running Windows 7. With patches no longer provided for this operating system by Microsoft, it would be vulnerable to attack.
While Edalat-e Ali appears to be a new hacking group, Tapandegan became notorious in 2018 when they hacked into systems at Mashhad International Airport and posted anti-government messages and images on arrival and departure information screens.
Evin was built in the 1970s and holds around 15,000 people.
The U.S. State Department has reportedly suffered a cyber-attack leading to notifications of a possible serious breach being made by the Department of Defense Cyber Command.
Fox News journalist Jacqui Heinrich made the claim in a series of tweets over the weekend. She wrote, “The State Department has been hit by a cyber attack, and notifications of a possible serious breach were made by the Department of Defense Cyber Command.
“It is unclear when the breach was discovered, but it is believed to have happened a couple of weeks ago.”
Heinrich added that the State Department’s mission to evacuate US personnel and allied refugees from Afghanistan has “not been affected” by the incident.
She also tweeted that “the extent of the breach, investigation into the suspected entity behind it, efforts taken to mitigate it, and any ongoing risk to operations remains unclear.”
Reuters then reported that a “knowledgeable source” had informed them that the department had not experienced any significant disruptions or had its operations impeded in any way.
A spokesperson for the State Department was quoted as saying, “The department takes seriously its responsibility to safeguard its information and continuously takes steps to ensure information is protected. For security reasons, we are not in a position to discuss the nature or scope of any alleged cybersecurity incidents at this time.”
Commenting on the story, Sam Curry, chief security officer, Cybereason, said, “The recent cyber-attack against the U.S. State Department is a reminder that anyone and everyone can be hit and will be hit. Today, it is a matter of how quickly threats are discovered and how quickly they are stopped. Overall, the State Department’s networks are big, and they are presumably getting attacked by nation-states, terrorists and other adversaries on a daily basis. However, without more data on the recent attack, it would be premature to make assumptions on the motives or groups involved in this latest action.
“There’s no shame in being attacked, and disclosing it properly is laudable. There’s a world of difference between an infrastructure breach where a nation-state, rogue group or hacktivist gets in and an information or material breach that causes damage. While the State Department isn’t likely to disclose any further details of this attack, given the current chaos on the ground in Afghanistan and lingering tensions with Russia over the Colonial and JBS attacks and China for carrying out the Microsoft Exchange Server attacks, public and private sector security teams should be on high alert. Also, allies of the US across Europe, Asia-Pacific and Africa should be on high alert. Let’s hope the perception by some that the US is distracted doesn’t lead to more attacks and chaos.”
The revelation has come just weeks after a bipartisan report was published by the Senate Homeland Security and Governmental Affairs Committee, which found “stark” shortcomings in the cybersecurity posture of many federal agencies. The report rated the State Department “effectively a D” regarding its cybersecurity posture, “the lowest possible rating within the Federal Government’s maturity model.”
Curry added, “The State Department attack is one of the reasons for the EDR mandate for the US federal government agencies in the recent White House Executive Order. Having a means of finding the attacks like the one on the State Department as threat actors move in the slow, subtle, stealthy way through networks is the only option in returning defenders to higher ground above threat actors. Advanced prevention, building resilience, ensuring that the blast radius of payloads is minimized and generally using peacetime to foster antifragility is achievable. Today, it’s not about who we hire or what we buy. It’s about how we adapt and improve every day.”
Infosecurity Europe, Europe’s number one information security event, will run from Tuesday 21 to Thursday 23 June 2022 in its new home, ExCeL London.
For many years, Infosecurity Europe, organised by RX (Reed Exhibitions), has taken place at London Olympia. The last two editions of the in-person event have been postponed due to COVID-19.
According to the organizers, the change of venue will allow the event to continually evolve and grow the exhibition and conference program to keep pace with the ever-increasing importance of cybersecurity.
Nicole Mills, exhibition director at Infosecurity Group, says: “Our fantastic partnership with London Olympia has played an integral part in our journey to become Europe’s premier information security event, and largest community of cybersecurity professionals. In that time, the importance of information security across every facet of society and business has increased enormously, and ExCeL London offers us the perfect platform for the next stage in our development.”
Mills refers to the larger size and greater flexibility of the space and facilities offered at ExCeL London and the regeneration of the local area around ExCeL London.
Simon Mills, Executive Director of ExCeL London, adds: “We are delighted that Infosecurity Europe, the largest gathering of the information security community in Europe, has chosen ExCeL London as its new home.”
The UK’s competition authority has raised significant competition concerns over Nvidia’s proposed $40bn takeover of chip designer Arm but did not cite any national security grounds for shelving the deal.
The US-based GPU specialist had wanted to complete the takeover of Cambridge-based Arm within 18 months, but that seems in doubt with the latest review from the Competition and Markets Authority (CMA).
Its report cited “detailed and reasoned submissions from customers and competitors raising concerns” across the globe.
“After careful examination, the CMA found significant competition concerns associated with the merged business’ ability and incentive to harm the competitiveness of Nvidia’s rivals (that is, to ‘foreclose’) by restricting access to Arm’s CPU IP and impairing interoperability between related products, so as to benefit Nvidia’s downstream activities and increase its profits,” it said.
The CMA said the supply of CPUs, interconnected products, GPUs and SoCs could be harmed in this way, across several global markets covering datacenter, IoT, automotive and gaming console applications.
“The CMA found that the foreclosure strategies identified would reinforce each other and would, individually and cumulatively, lead to a realistic prospect of a substantial lessening of competition, and consequently to a stifling of innovation, and more expensive or lower quality products,” the report continued.
The competition regulator concluded that Nvidia’s suggested remedies would not address these concerns given the complexity of contracts and markets involved, the magnitude of the concerns and the “breadth and technical nature of the offer.”
Arm’s designs are found in most smartphones on the planet and technologies related to military and defense. However, the CMA decision did not reference any concerns over national security.
The UK’s digital secretary will have to decide whether to proceed to a more detailed “phase two” investigation. Lawmakers from the ruling Conservative Party are increasingly pressuring the government not to allow strategically important British companies to be taken over by foreign businesses.
SoftBank acquired Arm for $32bn (£23bn) back in 2016.
Around six million more current and former T-Mobile customers were affected by a recently disclosed data breach, the US carrier has revealed.
The firm said it was confident it had now closed off access and egress points for the attack but admitted that the breach impacted many more individuals than at first thought.
It said 5.3 million more post-paid customer accounts were compromised, exposing names, addresses, dates of birth, phone numbers, IMEIs and IMSIs. That’s on top of the 7.8 million already breached.
T-Mobile said it had now also determined that phone numbers and IMEI and IMSI information were compromised for these 7.8 million individuals. That puts them at greater risk of SIM swapping fraud.
In addition, an extra 667,000 accounts of former T-Mobile customers have been accessed, compromising customer names, phone numbers, addresses and dates of birth, the carrier said.
This is on top of the 40 million former and prospective customers who had applied for credit and whose details were subsequently stolen by attackers.
Finally, up to 52,000 names related to current Metro by T-Mobile accounts may have been included in the hackers’ haul. However, no other personally identifiable information (PII) was taken from these individuals.
With the additional disclosures, the total figure for the breach now stands at 54.6 million current, former and prospective customers, up from 49 million.
Martin Riley, director of managed security services at Bridewell Consulting, said it was extremely concerning that T-Mobile was only made aware of the original incident after a threat actor started selling stolen customer data online.
“The problem is that working out what has been taken, and when, can be very challenging for many organizations which is why the average breach detection and containment time is still so long,” he added.
“Enterprises need to shift from a security monitoring and notification approach to one focused on threat detection and response. T-Mobile has been subject to numerous attacks in the past few years and needs to act competently and confidently to minimize reputational damage or a decline in public confidence.”
Researchers are warning of a new ransomware variant spreading globally via exploitation of the “PetitPotam” vulnerability partially patched by Microsoft last week.
Symantec said the “LockFile” variant was first spotted on July 20 in an attack on a US financial services organization and has subsequently targeted at least ten corporate victims around the world up to August 20.
Attacks begin by accessing victims’ Microsoft Exchange servers, although exactly how that initial access is gained isn’t yet clear.
Days after this initial access was established, threat actors installed a set of tools on the compromised server, including an exploit for CVE-2021-36942 (PetitPotam) and additional files designed to download shellcode to help with the exploitation.
First discovered by a French researcher around a month ago, PetitPotam is an NTLM relay attack vulnerability that an attacker with low privileges can use to take over a domain controller.
It’s been reported that Microsoft’s Patch Tuesday fix for the bug has not fully patched the vulnerability.
“Once access has been gained to the local domain controller, the attackers copy over the LockFile ransomware, along with a batch file and supporting executables, onto the domain controller. These files are copied into the ‘sysvol\domain\scripts’ directory,” Symantec explained.
“This directory is used to deploy scripts to network clients when they authenticate to the domain controller. This means that any clients that authenticate to the domain after these files have been copied over will execute them.”
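A defensive check that follows from the mechanism Symantec describes, written as an added example that is not from Symantec’s report or this article: a PowerShell audit of the SYSVOL scripts share for recently written executables, batch files and scripts, with hashes so the result can be compared run to run. It assumes a domain-joined Windows host with read access to SYSVOL, takes the domain name from the USERDNSDOMAIN environment variable, and uses an assumed seven-day window and extension list.

```powershell
# Added example: audit the domain's SYSVOL scripts share for recently
# modified executables, DLLs and script files, and record their hashes.
# Assumes a domain-joined host with read access to SYSVOL; the 7-day
# window and the extension list are assumed thresholds, not Symantec's.

param(
    [string]$Domain = $env:USERDNSDOMAIN,
    [int]$Days = 7
)

# Logon/startup scripts are served from \\<domain>\SYSVOL\<domain>\scripts,
# so anything dropped here is picked up by clients that authenticate later.
$scriptsPath = "\\$Domain\SYSVOL\$Domain\scripts"
if (-not (Test-Path -LiteralPath $scriptsPath)) {
    Write-Error "SYSVOL scripts share not reachable: $scriptsPath"
    exit 1
}

$cutoff = (Get-Date).AddDays(-$Days)
$suspectExtensions = @('.exe', '.dll', '.bat', '.cmd', '.ps1', '.vbs')

# Keep only files with a native or script extension written inside the window.
$recent = Get-ChildItem -LiteralPath $scriptsPath -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object {
        $_.LastWriteTime -ge $cutoff -and
        $suspectExtensions -contains $_.Extension.ToLower()
    }

if (-not $recent) {
    Write-Output "No files with suspect extensions modified in the last $Days days under $scriptsPath"
    exit 0
}

# Emit one record per file: path, timestamp, size, owner and SHA-256,
# so a scheduled run can be diffed against the previous one.
$recent | ForEach-Object {
    [PSCustomObject]@{
        Path          = $_.FullName
        LastWriteTime = $_.LastWriteTime
        SizeBytes     = $_.Length
        Owner         = (Get-Acl -LiteralPath $_.FullName).Owner
        SHA256        = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
    }
} | Sort-Object LastWriteTime -Descending | Format-Table -AutoSize
```

Run it on a schedule from a domain-joined host and compare the hash list with the previous run; a new executable or batch file appearing in this share is the artifact the Symantec write-up describes.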
The security giant added that although LockFile appears to be a new ransomware variant, it could have links to “previously seen or retired threats.”
Both DarkSide and REvil/Sodinokibi operations have gone silent in recent months after high-profile affiliate attacks put them in the media spotlight and under the scrutiny of the US government.
The threat actors behind LockFile use a similarly designed ransom note to that used by the LockBit gang and reference the Conti group in the email address they use for communications.
High school students who raised the alarm after discovering a severe data breach involving teachers’ personal information say they were ignored for months.
In January, students at Brooklyn Technical High School reportedly stumbled across a Google Drive containing documents uploaded by staff and students at schools across New York City. Among the documents were college recommendation letters, classwork, and parent-teacher conference sign-up sheets.
The students could access the files because of a quirk in the school’s education department’s Google Drive sharing settings. A hidden setting automatically allowed anyone with an email address provided by the education department to search for files in Google Drive.
After making the discovery, the students arranged a meeting with a senior staff member at their school and used a PowerPoint presentation to walk them through the data breach.
“At that point [after the meeting], we thought the issue was going to get taken care of,” one of the students who discovered the breach and who wished to remain anonymous told Chalkbeat.
When the students rechecked the Google Drive in March, they found that even more documents were now accessible. This time, the students could view a school’s payroll document that contained teachers’ salary information, Social Security numbers, phone numbers, and addresses.
The student said they began calling teachers on the list to find one who could remove the document from the drive.
When a teacher answered, the student said, “he was in shock because no one really expects a 16-year-old to call them at 10 o’clock in the morning saying, ‘I have your Social Security number.’”
On March 18, the student notified three officials at the city’s education department of the data breach via email. Earlier this month, the department confirmed a data leak that impacted approximately 3,000 students and 100 employees.
The department told Chalkbeat that confidentiality laws prevented them from confirming that this leak was linked to the data breach reported by the Brooklyn Tech students in March. However, a teacher anonymously told the publication that a data breach notification letter they had received from the department stated that the leak had taken place in March.
A former editor of the New York Observer who was pardoned in January for alleged cyber-stalking has been re-charged for a similar, related offense.
New Jersey resident Kenneth Kurson, also known as Jayden Wagner and Eddie Train, was charged on October 23, 2020, with cyber-stalking three individuals and harassing two additional people. His alleged victims include his former wife, her friend, and a doctor employed by Mount Sinai Hospital.
Kurson's alleged crimes dated back to November and December 2015, when he and his ex-wife were engaged in divorce proceedings. He was accused of sending harassing emails and impersonating others to leave negative reviews online about the doctor, whom Kurson believed to be responsible for the breakdown of his marriage.
In January 2021, before Kurson's case could come to court, he was pardoned for the interstate stalking and harassment charges by the outgoing U.S. president, Donald Trump.
On August 18, the Manhattan District Attorney's office charged 52-year-old Kurson with felony eavesdropping and computer trespass "for unlawfully accessing communications of his then-wife from September 2015 through March 2016 while he served as Editor-In-Chief of Observer Media Group."
This latest complaint alleges that from September 24, 2015, to March 3, 2016, while still living with his ex-wife, Kurson unlawfully used an electronic monitoring software program commonly known as “spyware” on her computer.
He is accused of obtaining login credentials to her Gmail and Facebook accounts by monitoring her keystrokes. It is alleged that in October 2015, Kurson anonymously shared private Facebook messages.
The DA's office said IP address records indicate that Kurson used the spyware from his computer at the offices of the Observer Media Group in Manhattan, where he was employed at the time as editor-in-chief.
“We will not accept presidential pardons as get-out-of-jail-free cards for the well-connected in New York,” said District Attorney Cy Vance.
“As alleged in the complaint, Mr. Kurson launched a campaign of cybercrime, manipulation, and abuse from his perch at the New York Observer, and now the people of New York will hold him accountable. We encourage all survivors and witnesses of this type of cybercrime and intimate partner abuse to report these crimes to our Office.”
A cyber-criminal group has been emailing employees and asking them to help attack their own companies with malware.
The insider threat solicitation scheme was discovered by researchers at Abnormal Security. The author of the emails is someone who claims to have links with the DemonWare ransomware group, also known as Black Kingdom and DEMON.
"On August 12, 2021, we identified and blocked a number of emails sent to Abnormal Security customers soliciting them to become accomplices in an insider threat scheme," stated Abnormal Security's Crane Hassold.
"The goal was for them to infect their companies’ networks with ransomware."
To entice the employees into becoming their criminal accomplices, the email's author offers them a cut of the loot.
“The sender tells the employee that if they’re able to deploy ransomware on a company computer or Windows server, then they would be paid $1m in Bitcoin, or 40% of the presumed $2.5m ransom," wrote Hassold.
Employees are told how to launch the ransomware physically or remotely. Interested employees are instructed to contact the sender via an email address or via Telegram.
This new and rather brazen attack tactic stood out to researchers, who are used to seeing ransomware deployed via other, more subtle, methods.
"Historically, ransomware has been delivered via email attachments or, more recently, using direct network access obtained through things like unsecure VPN accounts or software vulnerabilities," wrote Hassold. "Seeing an actor attempt to use basic social engineering techniques to convince an internal target to be complicit in an attack against their employer was notable."
Researchers created a fake persona and contacted the attacker asking how they could help in the attack. The attacker sent download links to an executable file that researchers confirmed was ransomware.
Further communication with the attacker revealed that he picked his targets and found their email addresses on the networking site LinkedIn.
"You can defeat most social engineering that gets by your technical defenses by using security awareness training and MFA," commented Roger Grimes, data-driven defense evangelist at KnowBe4.
“You can worry about disgruntled employees, but while you are doing that, your loyal employee is getting socially engineered. That is your real problem."
Global fines for anti-money laundering (AML) and data privacy compliance breaches have fallen by nearly 50% year-on-year in the first half of 2021, but could bounce back quickly as financial crime continues apace, according to Fenergo.
The digital transformation company claimed that 85 individual fines were levied on global financial institutions for breaches of AML, Know Your Customer (KYC) and data privacy laws in the first six months of 2021 — a drop of 26% on the figure for 1H 2020.
It added that these fines translate into a value of nearly $938m, which is a 46% decline.
The US led the way with $711m in fines, followed by Switzerland ($85m), Norway ($48m) and the UK ($33m).
Fenergo’s global director of financial crime, Rachel Woolley, noted that the drop comes after a period of several years in which regulators have levied record fines in response to significant scandals.
However, the figures could quickly rebound in the second half of the year as several major cases are due to reach their conclusion, she added.
“We continue to see enforcement action driven, at least in part, by recent Financial Action Task Force (FATF) activity as countries facing scrutiny clamp down on perceived weaknesses in their regulatory regimes,” said Woolley.
“We’re also seeing the continuation of the trend in fines aimed at non-financial firms such as gambling companies as regulators look to close the net on criminals.”
Fraud is occurring on a massive scale during the pandemic, especially in the US, which will prompt further investigations into banks that may unwittingly or otherwise have facilitated these crimes, the Fenergo expert noted.
The scale of global money laundering is notoriously difficult to estimate given the failure of regulators, law enforcers and financial institutions to detect and stop nefarious activity. However, the UN believes it could be between 2% and 5% of global GDP annually, which could mean as much as $4tn or more.
Many in the financial services industry believe the compliance system itself is not fit for purpose, with FATF rules ultimately encouraging banks to focus not on reducing money laundering, but on protecting their reputation and bottom line.
A New York man has been sentenced to three years behind bars after stealing nude images of dozens of female victims whose social media accounts he hacked.
Nicholas Faber, 25, of Rochester, pleaded guilty back in February to one count of computer intrusion causing damage and one count of aggravated identity theft.
From around 2017 to 2019, Faber admitted to working with co-conspirator Michael Fish to access the email accounts of dozens of female college students at the State University of New York (SUNY)-Plattsburgh.
They are said to have used that information to access the victims’ social media accounts, steal intimate photos and movies and even trade them with others online.
According to the Department of Justice, the university was forced to allocate staff and extra funds to identify the compromised accounts, review access logs, reset passwords and notify students and parents.
As reported by Infosecurity earlier this year, Fish is said to have also created and sold collages featuring personal photos, sexually explicit images, and formal graduation photos of the victims.
He pleaded guilty in May to computer hacking, aggravated identity theft, and child pornography offenses and was later charged with obstruction of justice after allegedly submitting six fraudulent letters to a judge attesting to his good character.
Former high school valedictorian Faber, who graduated from SUNY-Plattsburgh in 2017, will also face three years of federal supervision following his release. He has agreed to pay $35,430 in restitution to the university.
The case calls to mind the infamous “Celebgate” iCloud attacks from 2014, in which explicit private photos of around 100 celebrities were stolen from email and social media accounts and leaked online.
It also highlights the importance of strong email and social media security, particularly enabling two-factor authentication where possible.
A Japanese cryptocurrency exchange is estimated to have lost $97m after threat actors targeted the company.
Tokyo-headquartered Liquid revealed the incident on Thursday evening local time.
“We are sorry to announce that #LiquidGlobal warm wallets were compromised, we are moving assets into the cold wallet,” it said in a brief update. “We are currently investigating and will provide regular updates. In the meantime, deposits and withdrawals will be suspended.”
According to London-based blockchain analysis company Elliptic, the cyber-thieves stole nearly $100m in various currencies, including Ether ($32.5m), XRP ($12.9m), Bitcoin ($4.8m), Tron ($200,000) and stablecoins ($9.2m).
“This includes $45m in Ethereum tokens, which are currently being converted into Ether using decentralized exchanges (DEXs) such as Uniswap and SushiSwap. This enables the hacker to avoid having these assets frozen — as is possible with many Ethereum tokens,” the firm explained.
“Elliptic has added the addresses associated with the thief to our system, ensuring that our clients will be alerted if they receive any of these funds. Our investigators are also aiding Liquid with tracking the stolen funds.”
With over 800,000 customers, 100+ supported countries, 80 listed digital currencies and a daily trading volume that exceeded $1bn in 2021, Liquid has a large presence in the cryptocurrency market.
However, it’s by no means the first Japanese exchange to be targeted. Mt Gox was undoubtedly the largest, losing around $500m in cyber-attacks back in 2014, forcing it to close.
Some of these attacks may have originated from North Korea. A UN report from 2019 estimated that the Kim Jong-un regime might have amassed as much as $2bn from audacious raids on banks and cryptocurrency exchanges.
The biggest cryptocurrency theft of all time happened only last week when Poly Network lost over $600m to thieves. However, fortunately for the firm, the ‘ethical’ hackers that stole the money had returned most of it within days.
Four Floridians have been charged in connection with a child sexual abuse material (CSAM) subscription service that produced millions of images and videos of sexualized minors.
Newstar Enterprise, an international business based in Florida and founded in 2005, built, maintained, hosted, and operated what appeared to be a series of legitimate child modeling websites, known as the Newstar Websites, on servers based in the US and abroad.
According to court documents, Newstar was in reality "an internet-based business aimed at for-profit sexual exploitation of vulnerable children under the guise of 'child modeling'."
Some of the images and videos sold via the Newstar Websites showed children as young as 6 years old in sexual and provocative poses, wearing police and cheerleader costumes, revealing swimsuits, pantyhose and miniskirts, thong underwear, and transparent underwear.
Though the images and videos did not depict any minor as completely nude, some of the children were shown engaging in sexually explicit conduct.
"To populate the Newstar Websites with content, Newstar Enterprise members sourced, enticed, solicited and recruited males and females under the age of 18, some of whom were prepubescent, to use as 'child models' for the Newstar Websites," said the Department of Justice in a statement.
"Using the recruited child-victims, the Newstar Enterprise produced more than 4.6 million sexualized images and videos to distribute and sell on the Newstar Websites."
The websites attracted users from 101 different countries. Some images were provided free, while other content was unlocked by paying a subscription fee.
More than $9.4m in income was generated by the websites. Newstar Enterprise employees fraudulently opened merchant and bank accounts in the United States, using a bogus jewelry company to launder the proceeds.
Investigators found most of the children pictured on the site were recruited from Eastern Europe.
Weston resident 58-year-old Kenneth Power was charged with conspiracy to advertise child pornography and conspiracy to distribute child pornography, but the case against him was dismissed following his death on March 9.
Power's wife, 41-year-old Tatiana Power, was charged with conspiracy to commit money laundering, international promotion money laundering, and concealment money laundering.
Patrice Eileen Wilowski-Mevorah, 53, of Tampa, and Mary Lou Bjorkman, 58, of Lutz, pleaded guilty to laundering money for Newstar Enterprise.
A CEO from Ohio has pleaded guilty to being the operator of a darknet-based Bitcoin ‘mixer’ service that laundered more than $300m.
During that time, the 38-year-old creator of crypto-wallet provider DropBit conspired with darknet vendors to launder over 350,000 Bitcoin generated through drug trafficking and other illegal activities.
Helix partnered with several darknet markets, including AlphaBay, Evolution, and Cloud 9, to provide its customers with a way to send Bitcoin to designated recipients while concealing the source or owner of the cryptocurrency.
In exchange for a 2.5% fee, Helix would 'mix' or 'tumble' customers' Bitcoin so that it was untraceable. Harmon advertised Helix on the darknet as a way for customers to conceal their transactions from law enforcement.
Court documents showed that Helix was linked to and associated with the leading search engine on the darknet, “Grams,” which was also run by Harmon.
As part of his plea, Harmon agreed to the forfeiture of more than 4,400 Bitcoin, currently valued at more than $200m, and other seized properties that were involved in the criminal conspiracy.
A date has not been set for Harmon's sentencing. The crypto criminal could be handed a maximum prison sentence of 20 years and be ordered to pay a fine of up to $500,000 or twice the value of the property involved in the transaction.
Harmon could further be sentenced to a term of supervised release of not more than three years, and mandatory restitution.
“Darknet markets and the dealers who sell opioids and other illegal drugs on them are a growing scourge,” said Acting US Attorney Channing Phillips for the District of Columbia.
“They may try to hide their identities and launder millions in sales behind technologies like Helix. But the department and its law enforcement partners will shine a light on their activities, dismantle the infrastructure such criminal marketplaces depend on, and prosecute and convict those responsible.”