Automated fraud attacks against e-commerce retailers have increased in volume, frequency and sophistication, according to new research published today.
The Automated Fraud Benchmark Report: E-commerce Edition by PerimeterX is a new comprehensive annual report based on e-commerce cyber-attack activity over the past year.
Findings draw upon anonymous data collected during live online interactions by millions of consumers and hundreds of millions of bots in 2020. Analysis of the data revealed traffic and threat patterns across hundreds of the world’s largest websites, mobile apps and application programming interfaces (APIs).
Researchers determined that considerable growth occurred across all major types of automated fraud, including gift card cracking, account takeover (ATO), scraping and checkout attacks in 2020.
"The ongoing daily level of attacks was the same as during the most recent Cyber 5 period — the traditional Black Friday through Cyber Monday shopping timeframe," said a PerimeterX spokesperson.
Key findings of the report were that checkout attacks rose 69% in April 2020, and scalper bots drove more than 40% of total shopping cart requests during peak limited-edition sneaker sales.
In September, 85% of all login attempts were ATO attempts, while peak levels of blocked traffic were over 95% in four months.
Researchers also observed that every major US holiday in 2020 saw increases in gift card fraud.
The report reveals that a broader range of online merchants faced automated fraud attacks last year as cyber-criminals expanded into new industries and started to target smaller businesses with greater frequency.
"What’s clear is that automated fraud has no season. The ‘new normal’ rate of automated attacks far outpaces previous seasonal peaks, and retailers should plan for elevated volumes throughout the year,” said Kim DeCarlis, CMO, PerimeterX.
"Retailers will need to adapt to this new environment of higher automated fraud activity in order to continue to grow their sales and profits, increase efficiency and protect their brands."
DeCarlis added that last year, cyber-criminals were observed trialing their Cyber 5 attack plans in September, a month earlier than usual.
"This compressed the time that development and digital teams had to react and respond to shifting trends in automated attacks and application security,” explained DeCarlis.
The United States Coast Guard is to establish a Cyber Operational Assessments Branch this summer and create its first ever red team.
The planned restructuring, first reported by Federal News Network, will support the cybersecurity work currently being undertaken by the Coast Guard's blue team.
Acting as a cyber adversary, the red team will emulate the behavior of threat actors and perform penetration tests to identify any weaknesses in the Coast Guard's cyber-defenses.
Cyber blue team branch chief, Lt. Kenneth Miltenberger, said his team will continue to fulfill its existing duties, which include performing cooperative vulnerability assessments, security consulting for acquisition operations, and endpoint scanning.
Speaking at a webinar hosted last week by the Advanced Technology Academic Research Center (ATARC), Miltenberger said: “We’re excited to see that kind of fusion — of cooperative assessments, plus [the] red team for some kind of holistic assessments."
Among the tasks assigned to the new Cyber Operational Assessments Branch will be an in-depth analysis of the challenges and opportunities associated with 5G infrastructure.
Dan Massey, the program lead of the Department of Defense’s 5G to NextG Initiative, said 5G infrastructure will help to reduce latency in augmented reality and virtual reality training.
“If I tried to do my AR/VR training by pushing everything back to a data center from Joint Base Lewis-McChord in Washington State back to a data center in the Pentagon, I’m stuck with a number of challenges just in terms of bandwidth, in terms of latency. It’s just not going to work well.
"But if I can distribute some of those key aspects out closer to the edge, almost all the way to the edge itself and combine that with back-end processing that might be happening back at that data center, I think I have the most powerful infrastructure,” said Massey.
Another recent technological development that saw the Coast Guard make the headlines was the military service's decision to establish a UxS Cross Functional Working Group. The group's mission will be to help the Coast Guard exploit the capabilities of existing and future unmanned systems.
Some 84% of global organizations have suffered a serious security incident over the past two years and a majority are expecting another SolarWinds-style supply chain attack, according to a new Splunk report.
The IT data platform provider interviewed 535 security leaders in nine leading economies across multiple industries, to compile its latest report, The State of Security 2021.
Of those that were successfully attacked, email compromise (42%) was the most common incident, followed by data breaches (39%), mobile malware (37%) and DDoS (36%).
However, over three-quarters (78%) expressed concern about more sophisticated supply chain attacks coming in the future.
Cloud complexity is emerging as a major threat to global organizations, with three-quarters (75%) of respondents already using multiple providers. Over half (53%) claimed attacks had increased in this area during the pandemic and 76% that remote workers are harder to secure.
Nearly 90% already run a substantial number of their business-critical applications in the public cloud.
Two of the key challenges of securing cloud environments highlighted by respondents were: maintaining and enforcing consistent policies (50%); and the complexity of using multiple security controls (42%).
Splunk urged organizations to modernize their Security Operations Centers (SOCs) with new SIEM platforms and more automation, such as in user and entity behavior analytics (UEBA) and security orchestration, automation and response (SOAR) tools.
It also advocated a zero trust approach, enhanced staff training and improved insight into network behavior to spot lateral movement more effectively.
“That modernized SOC will include an arsenal of the best tools and customization available. But that can create its own headaches, in terms of training and the ability to understand an incident with data from multiple sources,” the report concluded.
“In a complex, multi-cloud, multi-service environment, it’s essential to be able to see across all that data, not just traditional security data. This highest-level, end-to-end perspective is vital not only to security and compliance efforts, but to successful development and operations as well. A consolidated view of the data creates a single source of truth for security and IT teams.”
Take-up of cyber-insurance has almost doubled over the past four years, but premiums surged during 2020 due to more frequent attacks, according to a new congressional report.
Watchdog the Government Accountability Office (GAO) was ordered to study the industry in the National Defense Authorization Act for fiscal year 2021.
Citing data from global insurer Marsh McLennan, the GAO revealed that the percentage of clients opting to take out cyber-specific insurance policies had risen from 26% in 2016 to 47% in 2020.
However, a surge in successful cyber-attacks of late has had two negative consequences: rising premiums and reduced coverage limits for some sectors.
The GAO claimed that, according to a recent survey of insurance brokers, prices had risen 10-30% in late 2020. It also singled out healthcare and education as two sectors where insurers are now offering lower coverage limits.
Although not named in the update, ransomware is a key factor driving these trends. It was the biggest source of insurance claims in the first half of 2020, according to insurer Coalition.
Many have argued that insurers’ continued coverage perpetuates the ransomware problem as it encourages more threat actors to target organizations, knowing that the ransom will be reimbursed by providers.
Axa recently took a stand against this trend in France by resolving to stop reimbursing payments to threat actors, although it will still cover other losses incurred by attacks.
The GAO report explained that providers are also now offering more cyber-specific packages to clients. However, a lack of common terminology, such as what constitutes cyber-terrorism, can lead to inconsistencies in policies and coverage, it warned.
Confectionery giant Mondelez and global legal firm DLA Piper both sued their insurers in 2019 following major losses incurred after NotPetya. Their providers refused to pay out due to wrangles over policy wording and definitions of exactly what kind of attack the global malware constituted.
Published on the third anniversary of the GDPR coming into force, the survey highlighted that security leaders and data protection officers (DPOs) are even more concerned about legal settlements for data subjects than they are about regulatory fines (85%) following a serious data breach.
As a result of these concerns, 91% of the 250 security leaders and DPOs in the UK polled revealed they have taken out new cyber-insurance policies or increased their cover to protect themselves from financial exposure because of GDPR.
These fears appear well founded, with high awareness among consumers of the increased rights afforded to them under GDPR also demonstrated by the study. It showed that nearly half (47%) of the 2000 UK consumers surveyed would join a class-action lawsuit against an organization that had leaked their data. Additionally, over two-thirds (67%) said they were aware they have the right to take legal action against an organization that experiences a breach that exposes their personal data.
Tony Pepper, CEO at Egress explained: “The financial cost of data breach has always driven discussion around GDPR – and initially, it was thought hefty regulatory fines would do the most damage. But the widely unforeseen consequences of class action lawsuits and independent litigation are now dominating conversation.
“Organizations can challenge the ICO’s intention to fine to reduce the price tag, and over the last year, the ICO has shown leniency towards pandemic-hit businesses, such as British Airways, letting them off with greatly reduced fines that have been seen by many as merely a slap on the wrist. With data subjects highly aware of their rights and lawsuits potentially becoming ‘opt-out’ for those affected in future, security leaders are right to be nervous about the financial impacts of litigation.”
Commenting, Lisa Forte, partner at Red Goat Cyber Security LLP, said: “The greatest financial risk post breach no longer sits with the regulatory fines that could be issued. Lawsuits are now common place and could equal the writing of a blank cheque if your data is compromised. European countries haven’t typically subscribed to a litigious way of regulating the behavior of companies. That is now changing and without explicit government intervention companies will need to accept they need deeper pockets to cover the lawsuit gold rush we are starting to see."
"The recent Google case that currently sits with the UK Supreme Court could make group claims 'opt out' instead of 'opt in'", Lisa Forte continued. "That will inevitably mean that every single customer affected would be entered into the group action. That should be a huge worry for companies. Companies need to really prioritize preventative measures both technical and human and have a tested incident plan in place.”
It’s three years today since the GDPR was launched across Europe but UK businesses are still failing to meet some of its most basic reporting requirements, CrowdStrike has warned.
The security vendor polled a sample of 500 UK business decision makers between April 30 and May 10 to better understand uptake of the legislation, and the Data Protection Act 2018, which applies its principles in UK law.
Unfortunately, the poll found that just 42% of UK firms that have been breached report the incident to the regulator within 72 hours, as required by law.
The study found a general lack of awareness and visibility elsewhere: 67% of respondents said they consider themselves “prepared” should they become a breach victim, but only around a third (36%) have actually readied specific protocols to deal with the fallout of such an incident.
Over a fifth (22%) claimed they either don’t know or don’t think the GDPR applies to the UK following Brexit.
What’s more, two-thirds of businesses either don’t know (41%) or underestimated (25%) the maximum amount the Information Commissioner’s Office (ICO) can fine erring companies: 4% of global annual turnover or £17 million, whichever is higher.
Zeki Turedi, EMEA CTO at CrowdStrike, told Infosecurity that many organizations are struggling to understand what a data breach even is, and how much time they have to report it.
“For example, some companies are unaware that simply sending confidential information about an individual to an incorrect email address can trigger the need for a GDPR notification,” he argued.
“The CISO has a critical role to play here, not just in helping to protect the business in the first place, but also in ensuring the company understands its legal requirements when it comes to breaches and is in a position to meet them. The research underlines the continued need to educate organizations on the use of GDPR and how it impacts them.”
Alongside the CISO’s role here, the GDPR also mandates that most large organizations appoint a Data Protection Officer (DPO) to handle such issues.
An employee of the Federal Bureau of Investigation (FBI) has been accused of stealing classified information and national security documents from her workplace and keeping them at home.
Intelligence analyst Kendra Kingsbury of the FBI's Kansas City Division was charged in a two-count indictment returned under seal by a federal grand jury in Kansas City, Missouri, on Tuesday, May 18.
The federal indictment alleges that 48-year-old Kingsbury took sensitive government material home to her residence in Dodge City for more than a decade.
Kingsbury worked as an intelligence analyst for more than 12 years until she was placed on suspension in December 2017. During her career with the FBI, she held a top-secret security clearance and was assigned to a number of different squads dealing with illegal drug trafficking, violent crime, violent gangs, and counterintelligence.
It is alleged that Kingsbury improperly removed sensitive government materials – including national defense information and classified documents – from June 2004 to December 15, 2017, and kept them at home. According to the indictment, Kingsbury had no need to know most, if not all, of the information contained in those materials.
Kingsbury was charged with two counts of having unauthorized possession of documents relating to national defense. The first count relates to numerous secret documents that describe intelligence sources and methods related to US government efforts to defend America against counterterrorism, counterintelligence and cyber-threats.
Those materials detail open FBI investigations across multiple field offices, sensitive human source operations in national security investigations, intelligence gaps regarding hostile foreign intelligence services and terrorist organizations, and the technical capabilities of the FBI against counterintelligence and counterterrorism targets.
Count two refers to Kingsbury's alleged theft of secret documents that describe intelligence sources and methods related to US government efforts to collect intelligence on terrorist groups. Among these materials is information on al Qaeda members on the African continent, including a suspected associate of Osama bin Laden.
Alan Kohler, Jr., assistant director of the FBI’s Counterintelligence Division, said: “The breadth and depth of classified national security information retained by the defendant for more than a decade is simply astonishing."
A lecturer from the University of Plymouth has won a prestigious international prize for her research in maritime cybersecurity.
Dr. Kimberly Tam's work won her the overall gong and the cybersecurity category in the 2021 Lloyd's Science of Risk prize. Tam was among six academics announced as award winners by insurance and reinsurance market Lloyd's of London on May 21.
The Science of Risk prize is awarded to academics and PhD students who further the understanding of risk and insurance through their scientific research. Runner up in the cybersecurity category was Edward Oughton of George Mason University for his stochastic counterfactual risk analysis for the vulnerability assessment of cyber-physical attacks on electricity distribution infrastructure networks.
Tam's award-winning research focused on a suite of software tools designed to enhance maritime cybersecurity. In conjunction with the University of Plymouth’s Maritime Cyber Threats Research Group, Tam developed a Maritime Cyber Risk Assessment (MaCRA) framework.
"The principles behind the MaCRA framework were first set out in a study published in the WMU Journal of Maritime Affairs in 2019, and co-authored by Dr. Tam and Executive Dean of Science and Engineering, Professor Kevin Jones," said a spokesperson for the University of Plymouth.
"The paper proposed a dynamic risk assessment model that uniquely takes into account both information technology and operational technology, both of which are prevalent in sectors like transportation and critical national infrastructure."
Recognizing the value of the software, the Maritime Research and Innovation UK (MarRI-UK) initiative awarded the University a grant to develop it as an industry-ready solution.
“Receiving the overall 2021 Lloyd’s Science of Risk prize is a big honor. It shows there is real appreciation of the growing threat of cybercrime, and the importance of addressing the challenges it could pose for the globally important maritime sector," said Tam.
"My paper looks at ways the physical and cyber worlds affect each other, and how shifting our concept of risk to be more dynamic can be a useful tool moving forward in a more connected world.”
Just over a week ago, Tam's software won the Cyber Den competition run as part of the UK government’s flagship cybersecurity event, CYBERUK.
A hacker from Michigan has admitted to stealing the sensitive data of more than 65,000 University of Pittsburgh Medical Center (UPMC) employees and selling it online.
Federal Emergency Management Agency (FEMA) IT specialist Justin Sean Johnson, known on the dark web by the handles TheDearthStar, Dearthy Star, TDS, and DS, hacked into UPMC's human resources database in January 2014. Six years later, the 30-year-old resident of Detroit was indicted by a federal grand jury in Pittsburgh and subsequently arrested on charges of conspiracy, wire fraud and aggravated identity theft.
Among the data swiped and sold by Johnson was W-2 information and Personally Identifiable Information (PII) that included Social Security numbers, addresses, names and salary information. Conspirators who bought the data from Johnson via forums filed hundreds of false form 1040 tax returns in 2014 using UPMC employee PII.
Hundreds of thousands of dollars of false tax refunds claimed in these false 1040 filings were then converted into gift cards for online marketplace Amazon.com. Conspirators used the gift cards to purchase products that were later shipped to Venezuela.
The lucrative criminal scheme resulted in the loss of approximately $1.7m in false tax return refunds.
UPMC employees were not the only victims of Johnson's proclivity for data theft. From 2014 through 2017 he also stole and sold nearly 90,000 additional sets of PII to buyers on dark web forums, which could be used to commit identity theft and bank fraud.
On May 20, Johnson pleaded guilty to counts 1 and 39 of a 43-count indictment before Chief United States District Judge Mark R. Hornak. Johnson will remain in detention while a date is set for his sentencing.
"Unfortunately, through no fault of their own, the people whose identities are stolen in cases like this are often victimized repeatedly," said Tom Fattorusso, the special agent in charge of IRS–Criminal Investigation at the time of Johnson's arrest.
"Initially, they have to deal with the stress of knowing their personal information was stolen. Criminals then use the stolen information to file false tax returns, or they sell it to other criminals who use it to file false returns. This causes a hardship for the innocent victims when they try to file their own tax returns. Victims are then left to deal with credit issues caused by the unscrupulous actions of the criminals."
American Express is the latest big-name brand to receive a fine from the UK’s data protection regulator after spamming millions of customers.
The Information Commissioner’s Office (ICO) fined American Express Services Europe (Amex) £90,000 after it sent over four million marketing emails to customers who did not want them.
The ICO said it began its investigation after complaints from some of those customers, who claimed to have opted out of receiving the missives.
Amex rejected these complaints, saying the emails were about “servicing” rather than marketing, according to the ICO. The content of these messages apparently included how to get the most out of your card, info on the rewards of shopping online with Amex, and how to download the firm’s app.
However, the ICO disagreed, claiming that a little over four million of the 50 million emails sent as part of this campaign were “a deliberate action for financial gain by the organization” — and as such constituted a marketing effort.
In addition, Amex decided not to review its marketing model following the customer complaints.
Andy Curry, the ICO’s head of investigations, argued that Amex is now facing the “reputational consequences” of making the wrong call.
“The emails in question all clearly contained marketing material, as they sought to persuade and encourage customers to use their card to make purchases,” he added.
“Amex’s arguments, which included that customers would be disadvantaged if they weren’t aware of campaigns, and that the emails were a requirement of its Credit Agreements with customers, were groundless.”
Curry encouraged all companies to revisit their procedures and take time out to better understand the differences between service and marketing emails, ensuring their policies are compliant.
Although the ICO is the UK’s regulator for GDPR, this fine was issued under the country’s Privacy and Electronic Communications Regulations 2003, which state that it’s illegal to send marketing emails to people unless they have freely consented.
Air India has confirmed that 4.5 million passengers have had their personal data exposed in a third-party data breach first disclosed over two months ago.
The incident impacted SITA, an IT provider which claims to serve around 90% of the aviation industry. Attackers compromised servers that operate passenger processing systems for airline clients.
Air India said it first received word of the attack on February 25 this year, but was unable to confirm those affected until SITA informed it on March 25 and April 5.
“The breach involved personal data registered between August 26 2011 and February 3 2021, with details that included name, date of birth, contact information, passport information, ticket information, Star Alliance and Air India frequent flyer data (but no passwords data were affected) as well as credit card data,” the statement noted.
“However, in respect of this last type of data, CVV/CVC numbers are not held by our data processor.”
Air India claimed that, following the incident, the affected servers were secured, external investigators engaged, credit card issuers were notified and frequent flyer passwords were reset.
“Further, our data processor has ensured that no abnormal activity was observed after securing the compromised servers,” it added.
“While we and our data processor continue to take remedial actions including but not limited to the above, we would also encourage passengers to change passwords wherever applicable to ensure safety of their personal data.”
Finnair, Malaysia Airlines, Japan Airlines and Singapore Airlines were among the other big names affected by the breach.
Although Singapore Airlines said it was not a customer of SITA’s, some of its frequent flyer data was apparently compromised via a fellow Star Alliance member that was.
This isn’t the first data security incident to have affected Air India. Back in 2016 a possible insider attack was detected in which threat actors sought to divert over $23,000 in air miles.
One of America’s largest insurers agreed to pay a $40 million ransom after its IT systems were locked down and data stolen by threat actors, according to a report.
CNA Financial paid its attackers in late March, about a fortnight after the incident, two people familiar with the attack told Bloomberg.
A statement shared with the news site refused to comment on the ransom but claimed that the firm had followed all “laws, regulations and published guidance” when handling the matter. This includes the 2020 guidance published by the US Treasury’s Office of Foreign Assets Control (OFAC), it said.
CNA Financial also noted in a security update that it did “not believe that the systems of record, claims systems, or underwriting systems, where the majority of policyholder data — including policy terms and coverage limits — is stored, were impacted.”
The firm was apparently hit by a variant of the Evil Corp-authored Hades ransomware called Phoenix Locker.
The payment could be the largest ever made to a ransomware group — although not all incidents and payment amounts are disclosed given the commercial sensitivities involved.
Attackers tried to extort $50 million from Acer back in March, although it’s unclear whether they were successful or not.
The FBI urges victims not to pay ransoms, as doing so encourages more copycat attacks and does not guarantee that the organization’s stolen files will not be monetized in the future, or that it will even receive a working decryption key.
Insurance companies like CNA Financial have been at the center of fierce debate recently over whether the industry should be assisting customers financially who have been struck by ransomware.
Axa has decided to stop reimbursing new policyholders in France for payments to such threat groups, for example.
Insurers may also be a lucrative target if their attackers manage to find client lists, which would provide them with a handy line-up of companies covered by insurance.
The average payment to ransomware groups increased by 43% from Q4 2020 to the first three months of 2021, according to Coveware.
The Federal Bureau of Investigation's Internet Crime Complaint Center (IC3) logged its six millionth complaint on Saturday.
Between 2019 and 2020, the number of complaints filed with the Center rose by nearly 70%. FBI Special Agent Andrew Sekela believes the increase is linked to the COVID-19 global health pandemic.
He said: "The cyber-actors have absolutely taken every advantage of that opportunity to increase the number of people that they’re targeting, which is why I think we’re seeing an increase again across the board of all different types of fraud schemes and internet crimes."
IC3 was set up 20 years ago, and it took nearly seven years for it to log its first million complaints. However, the Center logged one million complaints in the past 14 months alone.
In a press release, IC3 chief Donna Gregory said, “On one hand, the number holds some positive news. People know how to find us and how to report an incident. But on the other hand, these numbers indicate more people are being affected by online crimes and scams.”
Tyler Shields, CMO at JupiterOne, a Morrisville, North Carolina–based provider of cyber asset management and governance solutions, believes the increase in complaints is linked to a rise in cyber-criminal activity.
"We've seen a significant increase in fraud and online scams in the last 12–24 months. The number of complaints is rising directly in correlation to the increase in attacks," Shields told Infosecurity Magazine.
They added: "Attackers follow the money, and these types of attacks have shown a great return on investment for attackers. Just look at the results from DarkSide's attack campaigns – $90m in 9 months from only 47 victims."
John Morgan, CEO at California cloud cybersecurity detection and response provider Confluera, said verification was harder for employees working from home.
"They can no longer simply turn around to ask others whether an email is legitimate or whether others have also received such notifications," Morgan told Infosecurity Magazine.
He said organizations should educate their employees on contemporary tactics used in cyber-attacks, such as the creation of fake colleagues and companies on LinkedIn.
A business owner who extorted over $3.5m from Spanish-speaking US residents via fraudulent phone calls has been sentenced to more than 10 years in prison.
California resident Angel Armando Adrianzen teamed up with a series of call centers in Peru to run a telemarketing scam that defrauded thousands of victims. Many of those conned by the 46-year-old owner and operator of AAD Learning Center (AAD) were recent immigrants to the United States.
Victims were contacted by callers using internet-based telephone calls. After claiming to be attorneys or government representatives, the callers would falsely tell victims that they hadn't paid for products. Victims were then threatened with legal action, bad credit, prison, or deportation if they didn't immediately pay a fee.
Under the scam, callers also impersonated employees of Spanish-language television channels, radio stations, toothpaste companies, or lawyers calling from a "minor crimes court" or a firm's legal department.
Adrianzen, who ran AAD from April 2011 until at least September 2019, admitted assisting co-conspirators in Peru with establishing and staffing the call centers involved in the scam.
At times, Adrianzen also provided the callers with lists of consumers to call and even scripts of what to say to them to extort payment. Ultimately, Adrianzen processed over $3,500,000 in payments as part of the scheme.
Adrianzen was arrested on September 16, 2019, and charged with conspiracy to commit mail fraud and wire fraud, five counts of wire fraud, five counts of mail fraud, and four counts of extortion. While executing search warrants upon Adrianzen's laptop and cell phone, police discovered child sexual abuse material (CSAM).
On November 21, 2019, Adrianzen pleaded guilty to conspiracy to commit mail and wire fraud. Today he was sentenced to serve 121 months in prison followed by fifteen years’ supervised release. He was also ordered to make restitution payments to his victims.
“Today’s sentence serves not only as just punishment for this defendant, but also as notice to others who may prey on vulnerable victims,” said Acting US Attorney Juan Antonio Gonzalez for the Southern District of Florida.
“The Justice Department and its partners will aggressively investigate such criminal activity. We will find you and ensure you are held accountable for your crimes.”
A ransomware gang that launched a "catastrophic" cyber-attack against the Irish health system is now reportedly helping in its recovery.
The attack on the Health Service Executive (HSE) of the Republic of Ireland, carried out with Conti ransomware, started when a single computer stopped working and its user responded to a prompt to click on a link.
HSE was alerted to the attack at 4am on May 14 and subsequently shut down all of its IT systems nationwide. The closure caused the cancellation of appointments, including maternity scans, radiology services and outpatient appointments.
A ransom of $20m was demanded by the attackers to restore files that were encrypted in the attack. The Irish government has said that it has no intention of paying the cyber-criminals who hit the HSE.
On its site on the dark net, the ransomware gang said it would give the decryption tool needed to restore the files to the health service free of charge. However, the gang is still threatening to publish data it claims to have stolen during the attack unless a ransom payment is received.
"We are providing the decryption tool for your network for free," wrote the gang, "but you should understand that we will sell or publish a lot of private data if you will not connect us and try to resolve the situation."
Ireland's minister for health, Stephen Donnelly, said that the ransomware gang's unexpected gift was being trialed.
"No ransom has been paid by this government directly, indirectly, through any third party or any other way. Nor will any such ransom be paid," he told Irish broadcaster RTÉ.
"It came as a surprise to us. Our technical team are currently testing the tool. The initial responses are positive."
In an interview with Malwarebytes, an Irish doctor dealing with the fallout from the attack said: “I have to tell patients, sorry I can’t operate on you. You’ve been fasting, you came a long distance, you rescheduled things to make time for me, maybe you have had to come off work. After all this I have to say sorry, I can’t see you.”
Global cybersecurity leaders may not be practicing what they preach after new research revealed that many are engaging in risky behavior online.
Constella Intelligence polled over 100 global IT security bosses across multiple verticals to compile its latest report, Cyber Risk in Today’s Hyperconnected World.
It revealed widespread poor security practice: a quarter (24%) admitted to using the same passwords across work and personal use and nearly half (45%) connect to public Wi-Fi without using a VPN.
Public Wi-Fi is thought to be so dangerous that the FBI regularly warns the public not to connect when out-and-about.
A similar number (48%) of CISO respondents said they use their work computer to log in to social networking sites and 77% accept friend requests from people they don’t know, including on LinkedIn (63%).
According to MI5, foreign spies have contacted over 10,000 British citizens via LinkedIn over the past five years, using fake profiles.
“The consequences of engaging with these profiles can damage individual careers, as well as the interests of your organization, and the interests of UK national security and prosperity," the government said in a recent awareness campaign.
Security leaders continue to engage in risky behavior even though attacks targeting them increase.
Over half (57%) have suffered an account takeover (ATO) attack in their personal lives — mainly through email (52%), LinkedIn (31%) and Facebook (26%). Nearly three-quarters (74%) said they’d been targeted by a phishing or vishing attack in the past 90 days. In a third (34%) of cases, threat actors impersonated their CEO, according to the report.
“Amidst the rise in cyber-attacks on organizations, many of which are perpetrated through C-suite impersonations, employee cybersecurity awareness is now arguably as important as an organization’s security infrastructure,” said Constella Intelligence CEO Kailash Ambwani.
“As the professional and personal spheres become increasingly digitally intertwined, both leaders and employees must pay close attention to the role each one of us plays in collective cybersecurity hygiene.”
There were 193 billion credential stuffing attempts during 2020 as cyber-criminals looked to capitalize on surging numbers of online users, according to Akamai.
The security vendor’s latest 2021 State of the Internet / Security report revealed the sheer scale of attempts to crack open users’ accounts using previously breached credentials.
Focusing mainly on the financial sector, the report claimed that Akamai detected 3.4 billion credential stuffing attempts targeting the vertical — a 45% increase on the previous year.
Akamai also detected nearly 6.3 billion web application attacks in 2020, over 736 million of which were aimed at financial services organizations — an increase of 62% from 2019.
In the financial services industry, Local File Inclusion (LFI) attacks were the number one web application attack type in 2020, accounting for 52% of the total, followed by SQLi (33%) and cross-site scripting (9%).
However, globally across all sectors, SQLi was in top spot — accounting for 68% of all web application attacks in 2020 — while LFI attacks came second with 22%.
“The ongoing, significant growth in credential stuffing attacks has a direct relationship to the state of phishing in the financial services industry,” said Steve Ragan, Akamai security researcher and report author.
“Criminals use a variety of methods to augment their credential collections, and phishing is one of the key tools in their arsenal. By targeting banking customers and employees in the sector, criminals increase their pool of potential victims exponentially.”
The report detailed the rise of smishing and phishing attacks against the financial services sector, specifically via two popular toolkits: Kr3pto and Ex-Robotos.
Akamai said threat intelligence company WMC Global detected smishing campaigns launched via Kr3pto which spoofed 11 brands in the UK, across more than 8000 domains since May 2020.
In total, the firm tracked over 4000 campaigns linked to Kr3pto targeting victims via SMS messaging over 31 days in Q1 2021.
“It's important to remember that employees are consumers too, and with the prevalence of work from home, as well as mobile device usage in corporate environments, criminals are not shy about attacking people no matter where they are, which explains the recent growth in SMS-based phishing attacks,” argued WMC Global senior threat hunter, Jake Sloane.
Misconfiguration of back-end cloud services by more than 20 mobile app developers may have exposed the personal data of over 100 million Android users, according to researchers.
A team at Check Point investigated 23 Android applications in a new piece of research, and found users’ emails, chat messages, location, passwords and photos all exposed by poor security practices.
There were three main issues. The first was misconfiguration of the real-time databases that developers use to store data in the cloud and synchronize it with every client instantaneously.
In 13 of the apps studied, no authentication was deployed, enabling would-be attackers to access highly sensitive user data such as email addresses, passwords and private chats.
The second security snafu concerned push notification manager services.
“Most push notification services require a key (sometimes, more than one) to recognize the identity of the request submitter,” Check Point explained. “When those keys are just embedded into the application file itself, it is very easy for hackers to take control and gain the ability to send notifications which might contain malicious links or content to all users on behalf of the developer.”
The third issue was with cloud storage: again the researchers were able to find cases where developers had stored keys in the app file itself, enabling attackers to access sensitive user information.
Check Point said some, but not all, of the developers it contacted prior to publication had changed their configurations to mitigate the highlighted issues.
“This is the perfect storm of three issues — cloud misconfigurations, cloud credential leaks, and overly permissive mobile apps collecting more personal information than needed. Mobile apps usually rely on public cloud-based backend services like databases, analytics, and storage which are prime candidates for misconfiguration,” argued Saumitra Das, CTO of Blue Hexagon.
“Additionally, they release their code openly on app stores making it easier for folks to reverse engineer the inner workings. It is a common mistake to leave cloud access keys in code repositories and apps. Simple encodings like base64 are not enough to obscure the access keys which can allow anyone to then get access to customer PII being collected by the app in the cloud.”
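The three Check Point findings above share one root cause: credentials shipped inside the app package, sometimes wrapped in base64 as the only "protection". A defender's answer is to catch them before release. The following is an added example, not Check Point's or any vendor's tooling: a small pre-release check that parses a decoded Android `res/values/strings.xml`, flags resources whose name suggests a credential, whose value is a high-entropy token, or whose value base64-decodes to such a token. The sample `strings.xml` and every key-like value in it are constructed for this example, and the 3.5 bits-per-character entropy threshold is an assumed tuning value.

```python
import base64
import binascii
import math
import re
import xml.etree.ElementTree as ET

# Resource names that usually hold something that should not ship in an APK.
SENSITIVE_NAME = re.compile(r"(key|secret|token|password|passwd|credential)", re.I)
# Values made only of token characters (no spaces, no URL punctuation), 20+ chars.
TOKEN_LIKE = re.compile(r"^[A-Za-z0-9_\-+/=]{20,}$")
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed tuning value for this example


def shannon_entropy(s: str) -> float:
    """Bits per character of the value; random keys score high, prose scores low."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def try_base64(value: str):
    """Decode value as strict base64; return the text only if it is printable ASCII."""
    try:
        raw = base64.b64decode(value, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def looks_like_secret(value: str) -> bool:
    return bool(TOKEN_LIKE.match(value)) and shannon_entropy(value) >= ENTROPY_THRESHOLD


def scan_strings_xml(xml_text: str):
    """Return a list of {name, reason} findings for a decoded strings.xml."""
    findings = []
    root = ET.fromstring(xml_text)
    for el in root.iter("string"):
        name = el.get("name", "")
        value = (el.text or "").strip()
        if not value:
            continue
        decoded = try_base64(value)
        if decoded is not None and looks_like_secret(decoded):
            reason = "base64-encoded secret"       # encoding is not protection
        elif looks_like_secret(value):
            reason = "high-entropy literal"
        elif SENSITIVE_NAME.search(name):
            reason = "sensitive resource name"
        else:
            continue
        findings.append({"name": name, "reason": reason})
    return findings


# Constructed sample: a decoded res/values/strings.xml as it appears once the APK
# is unpacked. Every key-like value below is made up for this example.
_STORAGE_KEY_PLAINTEXT = "storage-access-key-7fa3b9c1dee040a2"
SAMPLE_STRINGS_XML = f"""<resources>
    <string name="app_name">Example Chat</string>
    <string name="welcome_text">Welcome back! Your messages are synced.</string>
    <string name="db_url">https://example-app.rtdb.example/</string>
    <string name="push_server_key">7fa3b9c1dee040a2b8f49f46b94e2c0d</string>
    <string name="storage_key_b64">{base64.b64encode(_STORAGE_KEY_PLAINTEXT.encode()).decode()}</string>
    <string name="analytics_id">Qw8zLp3NkV6xR2yJ9tHc4mFb</string>
    <string name="support_password">changeme</string>
</resources>
"""

if __name__ == "__main__":
    for f in scan_strings_xml(SAMPLE_STRINGS_XML):
        print(f"{f['name']}: {f['reason']}")
```

Run as a CI gate over the decoded resources (and over any `.properties` or JSON config bundled with the app) and fail the build on any finding; the real fix is to keep such keys server-side and hand the app a short-lived, per-user credential instead.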
As has long been the tradition at the annual RSA Conference, the final panel event is the Top 5 Most Dangerous New Attack Techniques session, and the virtual 2021 edition of the conference was no exception.
Ed Skoudis, fellow and director at SANS Institute, identified undermining software integrity as one of the biggest attack vectors that he is seeing today. Software integrity includes supply chain security for all the embedded libraries and components that make up a modern application.
"Our software development and distribution processes today are focused on speed, getting new code and features out faster," Skoudis said. "They're not focused on trust and cybersecurity, and this is a pretty profound problem."
According to Skoudis, there is no single solution to the problem of software integrity and software supply chain management. The first thing that needs to happen is organizations need to know what software they have in their environments so that they can defend it. The next step is to have a software bill of materials, which essentially identifies all the components that make up a given set of software applications. Skoudis also recommends that organizations integrate threat-hunting activities into their workflows as well to help actively look for potential risks.
The Risk of Improper Session Handling
Heather Mahalik, director of digital intelligence at SANS Institute, identified improper session handling as a top risk.
Every time a user logs in to an application or a service, some form of access token is granted to enable access to the session. Mahalik warned that some sessions don't properly secure tokens, opening up the possibility that data could be leaked or manipulated.
The risk of improper session handling can be reduced with a number of simple steps. The most obvious that Mahalik suggested is for users to log out of devices and application sessions when they are done.
"Many of us like to leave our screen open, we like to leave our devices available, and we will check the box saying use this access for the next seven days, but that's not secure," Mahalik said. "Developers, I encourage you to make tokens that expire and kick people off the network."
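Mahalik's two asks, log out when you are done and issue tokens that expire, map onto a few concrete properties of a server-side session store: an unguessable token, an absolute lifetime, an idle timeout, and revocation that takes effect immediately on logout (and for every session of a user after a password change). The following is an added example, not code from the session or from any product Mahalik discussed; the eight-hour absolute and thirty-minute idle limits are assumed policy values, and the injectable clock exists only so the behaviour can be exercised without waiting.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

ABSOLUTE_TTL = 8 * 3600  # seconds; session ends regardless of activity (assumed policy)
IDLE_TTL = 30 * 60       # seconds; session ends after inactivity (assumed policy)


@dataclass
class Session:
    user: str
    issued_at: float
    last_seen: float
    revoked: bool = False


class SessionStore:
    """Server-side sessions. The client holds only an opaque random token; the store
    keeps a SHA-256 digest of it, so a leaked store cannot be replayed as tokens."""

    def __init__(self, absolute_ttl=ABSOLUTE_TTL, idle_ttl=IDLE_TTL, clock=time.time):
        self._sessions = {}
        self.absolute_ttl = absolute_ttl
        self.idle_ttl = idle_ttl
        self.clock = clock

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        now = self.clock()
        self._sessions[self._digest(token)] = Session(user, now, now)
        return token

    def validate(self, token: str):
        """Return (user, "ok") for a live session, else (None, reason)."""
        key = self._digest(token)
        sess = self._sessions.get(key)
        if sess is None:
            return None, "unknown"
        if sess.revoked:
            return None, "revoked"
        now = self.clock()
        if now - sess.issued_at > self.absolute_ttl:
            self._sessions.pop(key)
            return None, "expired-absolute"
        if now - sess.last_seen > self.idle_ttl:
            self._sessions.pop(key)
            return None, "expired-idle"
        sess.last_seen = now  # sliding idle window; absolute limit does not slide
        return sess.user, "ok"

    def logout(self, token: str) -> bool:
        """Explicit logout: the token is dead immediately, not at its next expiry."""
        sess = self._sessions.get(self._digest(token))
        if sess is None:
            return False
        sess.revoked = True
        return True

    def logout_all(self, user: str) -> int:
        """Revoke every session for a user, e.g. after a password change or a lost device."""
        n = 0
        for sess in self._sessions.values():
            if sess.user == user and not sess.revoked:
                sess.revoked = True
                n += 1
        return n


if __name__ == "__main__":
    store = SessionStore()
    token = store.login("alice")
    print(store.validate(token))   # ('alice', 'ok')
    store.logout(token)
    print(store.validate(token))   # (None, 'revoked')
```

The "keep me signed in for seven days" checkbox Mahalik describes is just a long absolute TTL; the point of keeping both limits server-side is that the client cannot extend them, and a stolen token stops working the moment the user logs out.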
Beware of Artificial Intelligence
Johannes Ullrich, dean of research, SANS Technology Institute, warned that a potential risk comes from artificial intelligence and machine learning that is used for malicious purposes. Ullrich warned that attackers could influence or manipulate machine learning training data sets, which would impact what actions an artificial intelligence system would take.
"Your training data matters, and you need to understand these models," Ullrich said. "So, figure out what they're doing, and figure out how to tune them."
Ransomware Is More Than an Availability Problem
Katie Nickels, certified instructor and director of intelligence at SANS Institute, warned that while ransomware isn't a new threat, the ransomware of 2021 is in fact introducing new risk.
She noted that, historically, ransomware has been discussed as an availability problem. That is, data is encrypted by an attacker, and the user can't get access to the data. In her view, ransomware is no longer just an availability concern; it's also increasingly being linked to data exfiltration. Nickels explained that attackers are now also taking the data and then using it for different purposes, before encrypting data and holding it for ransom.
"In fact, in the fourth quarter of 2020 we found that over 70% of ransomware cases involved some kind of exfiltration and extortion," Nickels said. "This is one of the most dangerous new attack techniques because this is the new normal, thinking about not just the availability, but also the confidentiality of your data, and realizing that adversaries are very likely to exfiltrate and then export your data."
As ransomware has shifted from being just an availability issue, so too have the recommendations on what organizations should do to defend themselves. Simply having an offline backup is not sufficient, according to Nickels. Organizations should also be taking preventative measures like disallowing any file-sharing tools that aren't needed in a network, which can help to prevent some exfiltration from happening.
With the pressures of the pandemic and a seemingly never-ending array of threats that defenders need to be concerned about, Nickels provided an aspirational and inspirational suggestion. She noted that former US president Theodore Roosevelt once said, "Do what you can with what you have, where you are." In her view, that suggestion is an idea that resonates well for IT security professionals.
"You may not be able to solve every challenge, but don't get overwhelmed – start somewhere. Start with improving your detections, whatever that means for your organization," Nickels said. "Do what you can with what you have, where you are, whether it's in cybersecurity or in life."
There are a number of common executive cybersecurity roles today, including chief security officer (CSO) and chief information security officer (CISO), and now it's time to add one more – the chief product security officer (CPSO).
In a session on May 20 at the 2021 RSA Conference, Chris Wysopal, founder and CTO at Veracode, and Joshua Corman, chief strategist for the healthcare sector at CISA, outlined why it's time for organizations to have a chief product security officer (CPSO).
"Software trustworthiness, or rather the lack of trustworthiness, is at the forefront of everyone's mind right now," Corman said.
Corman noted that software development practices really haven't properly considered the consequences of having an insecure development model. For example, during the presentation he pulled up a quote attributed to Reid Hoffman, founder of LinkedIn: "If you're not embarrassed by the first version of your product, you've launched too late." Corman emphasized that no physical engineer would say the same thing about a building or a bridge, where failure would result in the loss of life and property.
"We've learned through high-consequence failures in physical engineering," Corman said. "I'm hoping we will find our footing for what it's going to take for digital infrastructure, because as the world increasingly depends on that digital infrastructure, they increasingly are depending on you."
Enter the Chief Product Security Officer
Having an executive that is dedicated to product security is an important step to help improve security outcomes.
Wysopal explained that a CSO or CISO is typically concerned with an organization's overall security, regulatory compliance and protecting a business's brand. In Wysopal's view, the kind of software that is being developed today is actually adding a lot more risk to the world, and there is a clear and present need to take steps to reduce that risk.
"The idea is we need this new individual to do something that spans many different many different departments now," Wysopal said.
Wysopal said that the role of chief product security officer spans engineering, compliance, supplier management and information risk. He added that it's also important to have both a developer and enterprise risk management view of software security.
"If you're going to be the CPSO you have to go in both directions, you have to engage with the individual developer, and get that individual developer to find and fix the vulnerabilities in the code," Wysopal said. "But on the other hand, you need to look at the bigger picture."
That bigger picture involves understanding the potential impact of an application or product vulnerability. There is also a need to understand that the attack surface for applications has grown significantly in recent years. Wysopal said that with ubiquitous connectivity and public-facing APIs, there are more opportunities for attackers to find vulnerabilities and exploit an application.
Securing Products with Cloud Native Development Approaches
In the application development space, developers in recent years have been making use of cloud native development approaches that can actually aid prospective chief product security officers.
Wysopal said that technologies such as containers and infrastructure-as-code approaches can narrowly define how a specific component of an application should be deployed in a repeatable manner. By reducing the attack surface and defining application deployments as code, Wysopal said that it's possible to deploy faster and actually build a more secure product.
"We can start to take our security tooling that used to be disparate processes, that sometimes were manual, and actually just make them another developer tool that's part of the process," Wysopal said.
Corman advised that prospective chief product security officers should also take advantage of threat modeling to help reduce risk.
"Instead of using buzzwords and marketing terms like zero trust, actually start implementing some of the ideas behind them, like least privilege and trust boundaries," Corman said.