Feed aggregator

Qualys Announces Passing of Philippe Courtot, it's CEO of the Past 20 Years

Info Security - Mon, 06/07/2021 - 12:11
Qualys Announces Passing of Philippe Courtot, it's CEO of the Past 20 Years

Cloud security firm Qualys has announced the sad news of the passing of its former CEO, chairman and leader for the past 20 years, Philippe Courtot, at the age of 76.

Courtot oversaw the significant growth of Qualys since becoming its CEO in March 2001, initially investing in the company in 1999 when it was founded. His vision to build a cloud delivery platform that would allow for scanning any network on a global scale became realised in Qualys’ global expansion over the past two decades. It first went public in 2012.

Under his leadership, Qualys completed several acquisitions. In recent years these include Second Front Systems and endpoint detection and response startup Spell Security.

Born in 1944 in France, Courtot began his career selling minicomputers before arriving in the US in 1981. After a spell as CEO of Thomson CGR Medical, he founded email platform provider cc:Mail in 1988, achieving a 40% market share before selling the business to Lotus in 1991. He was then appointed president and CEO of Verity before joining Signio, where he oversaw its acquisition by VeriSign.

Courtot was also involved in several initiatives to support the security industry’s role more generally.  These include supporting the formation of the Cloud Security Alliance in 2008, founding the Trustworthy Internet Movement and CSO Interchange, and becoming a trustee for The Internet Society.

Additionally, he received a number of personal awards for his work in security over the years. In 2019, Courtot picked up the Decade of Vision Leadership Award from the Cloud Security Alliance. Last year Courtot received the Benefactor Award from the International Systems and Security Association (ISSA) Education Foundation for supporting cybersecurity and cybersecurity education.

Commenting, Sumedh Thakar, Qualys president and CEO, said: “Philippe was my mentor and advisor; the entire Qualys team and I are deeply saddened by his passing, and our thoughts and prayers are with his family. We are forever grateful for Philippe’s exceptional leadership, vision and passion for helping enterprise customers with practical solutions to the biggest challenges around security. He was dedicated to making life easier for everyone from security analysts through to CISOs.”

Sandra E. Bergeron, Qualys’ lead independent director, stated: “The board and company are incredibly saddened at the loss of Philippe. He was a transformational leader with a passion for business and cybersecurity, who cared deeply about Qualys and its employees. We look forward to honoring him by continuing to grow the company based on his vision.”

Categories: Cyber Risk News

Colonial Pipeline Incident Sparks 'Help Desk' Phishing Attacks

Info Security - Mon, 06/07/2021 - 10:54
Colonial Pipeline Incident Sparks 'Help Desk' Phishing Attacks

Researchers have discovered a new phishing campaign designed to spread ransomware and steal data by capitalizing on interest in the recent Colonial Pipeline outage.

Security vendor Inky spotted the malicious emails, which said several Microsoft 365 customers were targeted.

Emails were spoofed to appear as if sent from the recipient’s “Help Desk.” They were instructed to click on a malicious link in order to download a critical “ransomware system update” to protect their organization from the same fate as Colonial Pipeline.

“The malicious emails were sent from newly created domains (ms-sysupdate.com and selectivepatch.com) controlled by cyber-criminals. The domain names, sufficiently plausible to appear legitimate, were nonetheless different enough so that garden variety anti-phishing software would not be able to use regular expression matching to detect their perfidy,” explained VP of security strategy, Roger Kay.

“Both domains were registered with NameCheap, a registrar popular with bad actors. Its domains are inexpensive, and the company accepts Bitcoin as payment for hosting services (handy for those trying to remain anonymous). The malicious links in the emails belonged to — surprise — the same domain that sent the emails.”

The download itself is, in fact, Cobalt Strike — a legitimate pen-testing tool often used in ransomware attacks and data exfiltration and which could be used in this instance to control targeted systems.

Anti-phishing software must be used to mitigate the risks posed by such attacks in conjunction with well-thought-out policies such as IT teams never asking employees to download certain file types, Kay concluded.

In related news, it has been reported that the DarkSide group responsible for the attack on Colonial Pipeline may have breached the critical infrastructure organization via a single compromised password.

A Mandiant VP working on the case reportedly claimed that the VPN account log-in allowed remote attackers to infiltrate the company’s network, even though the account was no longer in use at the time. The credential was subsequently found on the dark web, meaning it may have been previously reused across multiple accounts.

Categories: Cyber Risk News

Latvian Woman Charged with Developing Malware for Trickbot

Info Security - Mon, 06/07/2021 - 10:05
Latvian Woman Charged with Developing Malware for Trickbot

A 55-year-old Latvian woman has been charged on multiple counts for her alleged role in developing malware for the infamous Trickbot group.

On Friday, Alla Witte, aka “Max,” was charged with 19 counts of a 47-count indictment after being arrested in February in Miami.

The indictment claimed that she helped develop code related to the control, deployment, and payments of ransomware and software to track authorized users of the malware and tools and protocols to store stolen login credentials.

Trickbot started life several years ago as a banking Trojan. However, subsequent iterations turned it into a multi-purpose modular threat used by cyber-criminals to gain access to victims’ networks and deploy additional malware, including ransomware.

According to the Department of Justice (DoJ), Witte and her co-conspirators stole money and sensitive information globally from individuals and businesses, including banks, beginning November 2015.

Trickbot apparently helped them steal online banking logins and other personal information, including credit card numbers, emails, passwords, dates of birth, social security numbers and addresses. The DOJ alleged that Witte and her co-conspirators used bank account access to steal funds and launder money.

Witte is charged with:

  • One count of conspiracy to commit computer fraud and aggravated identity theft
  • One count of conspiracy to commit wire and bank fraud affecting a financial institution
  • Eight counts of bank fraud affecting a financial institution
  • Eight counts of aggravated identity theft
  • One count of conspiracy to commit money laundering

The crimes she’s accused of could land Witte with a maximum sentence of over 300 years.

The group is accused of infecting tens of millions of computers and stealing millions of dollars over the past six years.

“The Trickbot malware was designed to steal the personal and financial information of millions of people around the world, thereby causing extensive financial harm and inflicting significant damage to critical infrastructure within the United States and abroad,” said acting US attorney, Bridget Brennan, of the Northern District of Ohio.

“Federal law enforcement, along with assistance provided by international partners, continue to fight and disrupt ransomware and malware where feasible. We are united in our efforts to hold transnational hackers accountable for their actions.”

Categories: Cyber Risk News

Warning of New Ransomware Surge in Education Sector

Info Security - Mon, 06/07/2021 - 08:34
Warning of New Ransomware Surge in Education Sector

The UK’s leading cybersecurity authority has updated its guidance on ransomware following a spate of attacks on the education sector.

GCHQ spin-off, the National Cyber Security Centre (NCSC), said it was investigating another rise in threats targeting schools, universities and colleges.

“Ransomware attacks can have a devastating impact on organizations, with victims requiring a significant amount of recovery time to reinstate critical services. These events can also be high profile in nature, with wide public and media interest,” the NCSC said.

“In recent incidents affecting the education sector, ransomware has led to the loss of student coursework, school financial records as well as data relating to COVID-19 testing.”

Recent trends highlighted by the organization include the targeting of networks through VPNs and remote desktop protocol (RDP) endpoints, by exploiting unpatched bugs or weak passwords/lack of multi-factor authentication (MFA). It also pointed to the threat from phishing emails and other unpatched systems like Microsoft Exchange Server.

Using legitimate tools such as Mimikatz, PsExec, and Cobalt Strike is also widespread in enabling lateral movement that traditional security tools have trouble spotting, the NCSC added.

Recently, researchers have seen attempts to sabotage backup/auditing devices to make data recovery more complex, encrypt entire virtual servers, and use scripting environments like PowerShell to deploy tooling and malware.

In April, both the University of Portsmouth and the University of Hertfordshire suffered network outages lasting days after ransomware threat actors struck.

The Harris Federation, which runs 50 primary and secondary academies in the London area, was struck in March, impacting nearly 40,000 pupils.

The NCSC's updated report recommended a defense-in-depth approach to protection, including MFA, anti-virus, prompt patching, and disabling macros and scripting environments to help disrupt ransomware attack vectors.

Categories: Cyber Risk News

US to Treat Ransomware Like Terrorism

Info Security - Fri, 06/04/2021 - 18:18
US to Treat Ransomware Like Terrorism

A senior official at the United States Department of Justice (DOJ) has said that ransomware attacks in America are to be investigated with a similar urgency as incidences of terrorism.

The official told news agency Reuters that cyber-assaults using this particular type of malware are to be prioritized more highly now following a passel of ransomware attacks against entities in the US and elsewhere.

Ransomware victims in recent weeks have included the Colonial Pipeline, meat supplier JBS, the Steamship Authority of Massachusetts, and Fujifilm.

Reuters reports that internal DOJ guidance on ransomware was received by US attorney’s offices across the country on Thursday. Recipients were told that information regarding ransomware investigations in the field must be shared with a recently created task force based in Washington.

“It’s a specialized process to ensure we track all ransomware cases regardless of where it may be referred in this country, so you can make the connections between actors and work your way up to disrupt the whole chain,” said principal associate deputy attorney general at the Justice Department, John Carlin.

The Colonial attack is cited in the guidance as a prime example of the “growing threat that ransomware and digital extortion pose to the nation.”

It reportedly reads: “To ensure we can make necessary connections across national and global cases and investigations, and to allow us to develop a comprehensive picture of the national and economic security threats we face, we must enhance and centralize our internal tracking."

The specialized process described by Carlin is typically used in cases of national security. Central notification will now be compulsory for investigations into counter anti-virus services, illicit online forums or marketplaces, cryptocurrency exchanges, bulletproof hosting services, botnets and online money laundering services.

“We’ve used this model around terrorism before but never with ransomware,” said Carlin. 

He added: “We really want to make sure prosecutors and criminal investigators report and are tracking ... cryptocurrency exchanges, illicit online forums or marketplaces where people are selling hacking tools, network access credentials – going after the botnets that serve multiple purposes.”

FBI director Christopher Wray said that the agency is investigating around 100 kinds of ransomware, many of which are linked to criminal operators in Russia.

Categories: Cyber Risk News

More US Kids Warned About Internet Than Unsafe Sex

Info Security - Fri, 06/04/2021 - 17:34
More US Kids Warned About Internet Than Unsafe Sex

More American parents are warning their children about the dangers of going online than about the importance of sexual safety, according to new research.

A survey of over 1,000 parents in the United States conducted by InMyArea.com found that 89% of parents with children aged 12 or older have had an intentional talk about internet safety with their children. By contrast, only 66% of American parents with kids aged 12 or older had purposefully discussed sexual safety with their offspring.

Of those parents with kids aged 12+ who talked to their children about staying safe online, more than half (60%) had engaged in more than one discussion about the topic. By contrast, only 37% of parents with children aged 12 or older had talked to their children more than once about sexual safety.

The survey focused on parents with children aged between 6 and 17. Findings revealed that 82% of parents had talked to their kids about internet safety, with 51% having more than one intentional talk on the subject. 

The two most popular internet safety topics covered by parents were protecting personal information (81%) and stranger danger (79%). 

More than half of parents had discussed social media and mental health (53%) and cyber-bullying (51%) with their kids. 

Sex wasn't the only issue to take a backseat behind the internet in discussions around safety. Researchers found that only 79% of parents with children aged 15 or older had talked to their kids about driving/vehicle safety. 

Of all the parents surveyed, outdoor/wilderness safety had been addressed by just 60%, and fire safety by just 69%. 

The survey found a discrepancy between parents' views on age-restricted internet access and social media policies. 

"Most survey respondents believed their children should reach 14 to 15 years of age before having unsupervised access to social media," said an InMyArea.com spokesperson. "Yet major platforms, including Facebook, Instagram, Snapchat, and Twitter, require users to be 13 before making an account."

Results revealed parents' leading internet concerns for their children as being targeted by a predator (67%), seeing sexually explicit content (65%) and seeing graphic or violent content (60%). More than half (56%) worried that their children would be cyber-bullied.

Categories: Cyber Risk News

Biden Expands Trump’s Investment Ban on Chinese Firms

Info Security - Fri, 06/04/2021 - 15:51
Biden Expands Trump’s Investment Ban on Chinese Firms

President Joe Biden's latest executive order has expanded a ban on investing in Chinese companies with alleged links to defense or surveillance technology sectors that was introduced by former president Donald Trump.

The Trump administration issued an executive order on November 12, 2020, barring US entities from investing in a clutch of PRC companies including smartphone-maker Huawei, China Telecommunications Corp., China Unicom Ltd., and China Mobile Communications Group Co.

On Thursday, Biden signed an order blocking Americans from investing in 59 companies based in the People's Republic of China, including leading microchip-maker Semiconductor Manufacturing International Corp. and the republic's biggest server manufacturer, Inspur.

Defense companies that made it onto Biden’s list included Aviation Industry Corp. of China, Ltd., China North Industries Group Corp., China Aerospace Science and Industry Corporation Ltd., and China Shipbuilding Industry Co.

In 2019, Biden declared that the Chinese were "not bad folks" and that China, which has the world's second largest economy, was "not competition for us."

In the executive order signed yesterday, Biden wrote that "additional steps are necessary to address the national emergency declared in Executive Order 13959 of November 12, 2020 (Addressing the Threat From Securities Investments That Finance Communist Chinese Military Companies), including the threat posed by the military-industrial complex of the People’s Republic of China (PRC) and its involvement in military, intelligence, and security research and development programs, and weapons and related equipment production under the PRC’s Military-Civil Fusion strategy. 

"In addition, I find that the use of Chinese surveillance technology outside the PRC and the development or use of Chinese surveillance technology to facilitate repression or serious human rights abuse constitute unusual and extraordinary threats, which have their source in whole or substantial part outside the United States, to the national security, foreign policy, and economy of the United States, and I hereby expand the scope of the national emergency declared in Executive Order 13959 to address those threats.” 

The prohibitions will take effect on August 2, 2021. The US Treasury Department has said it will update the list of barred companies on a “rolling basis” and that they "fully expect" to add more companies to it in the months ahead.

Categories: Cyber Risk News

CISOs Agree That Traditional Application Security Measures Don't Work

Info Security - Fri, 06/04/2021 - 14:11
CISOs Agree That Traditional Application Security Measures Don't Work

Nearly three-quarters (71%) of CISOs aren’t confident that code in cloud-native architectures is free of vulnerabilities before it goes into production, according to new research from Dynatrace.

The software intelligence firm polled 700 global security chiefs in large enterprises with over 1,000 employees to better understand their concerns over microservices, containers, and Kubernetes in development.

Some 89% claimed their use had created dangerous application security blind spots.

These challenges appear to be compounded by time-to-market pressures and existing tools and processes not fit-for-purpose in the new cloud native era.

Over two-thirds (68%) of CISOs said the sheer volume of alerts coming through makes it difficult to prioritize. On average, their teams receive 2,169 flags about potential application security vulnerabilities each month, most of which are false positives, the research claimed.

Over a quarter (28%) said development teams sometimes bypass vulnerability checks to speed up delivery, while three-quarters (74%) said traditional scanning tools and other legacy security controls don’t work in today’s environments.

Bernd Greifeneder, founder and CTO of Dynatrace, argued that the growing use of cloud-native architectures had broken traditional approaches to app security.

“This research confirms what we’ve long anticipated: manual vulnerability scans and impact assessments are no longer able to keep up with the pace of change in today’s dynamic cloud environments and rapid innovation cycles,” he added.

“Risk assessment has become nearly impossible due to the growing number of internal and external service dependencies, runtime dynamics, continuous delivery, and polyglot software development, which uses an ever-growing number of third-party technologies. Already stretched teams are forced to choose between speed and security, exposing their organizations to unnecessary risk.”

Most CISOs questioned for the research agreed that more automation of deployment, configuration and management was needed.

“As organizations embrace DevSecOps, they also need to give their teams solutions that offer automatic, continuous, and real-time risk and impact analysis for every vulnerability, across both pre-production and production environments, and not based on point-in-time snapshots,” said Greifeneder.

Categories: Cyber Risk News

Campaigners Request Meeting with Home Secretary as Part of Computer Misuse Act Review

Info Security - Fri, 06/04/2021 - 13:03
Campaigners Request Meeting with Home Secretary as Part of Computer Misuse Act Review

Campaigners have written to the UK Home Secretary, Priti Patel, welcoming the announced review into the Computer Misuse Act (CMA) and requesting a meeting with her to discuss reform proposals.

The CyberUp Campaign and techUK penned the letter following a joint briefing call on Tuesday May 25 among industry representatives about the review, which Patel first announced in a speech during the CYBERUK 2021 virtual event last month. In her talk, she explained this is part of the UK government’s efforts to ensure law enforcement agencies are equipped with “the right tools and mechanisms to detect, disrupt, and deter our adversaries.”

The government has now opened a call for evidence from across the cybersecurity industry, which closes on June 8, 2021. This is requesting insights into the legislation, including whether current “protections in the CMA for legitimate cybersecurity activity provide adequate cover.”

Welcoming this development, the letter informed the Home Secretary that the CyberUp Campaign and techUK “share the desire to see a legal framework in the UK that is best able to assist UK law enforcement in defending the UK from an ever-evolving array of cyber threats, and that supports a thriving and internationally competitive UK cybersecurity industry.”

Many in the industry have long called for the act to be updated, observing that the cyber and technology landscape has changed substantially since it was first enacted in 1990.

In June 2020, a group of cybersecurity organizations coordinated by the CyberUp Campaign wrote an open letter to the UK Prime Minister Boris Johnson, emphasizing the need for the CMA to be updated. This letter stated: “In 1990, when the CMA became law, only 0.5% of the UK population used the internet, and the concept of cybersecurity and threat intelligence research did not yet exist. Now, 30 years on, the CMA is the central regime governing cybercrime in the UK despite being originally designed to protect telephone exchanges. This means that the CMA inadvertently criminalizes a large proportion of modern cyber-defense practices.”

Commenting on the latest developments, Ollie Whitehouse, CTO of NCC Group and spokesperson for the CyberUp Campaign said: “The goverment consultation represents a once-in-a-generation opportunity for the cyber sector to have our say on the badly out of date Computer Misuse Act, which has been around since the inception of the sector and increasingly acts as a barrier.”

Matt Evans, director at techUK, added: “Through the formal review of the Computer Misuse Act 1990, there is a real opportunity for the UK to future-proof key cybersecurity legislation, allowing industry and law enforcement to better work together to protect citizens and businesses alike.

“This is likely the start of a longer process and techUK will look to ensure that industry plays its role in exploring the potential options and challenges around reform, with a string view that through working towards sensible reforms that can also contribute to the UK’s international competitiveness and leadership in the cyber domain.

"techUK looks forward to engaging with the government throughout the review process on behalf of industry and additionally urges its relevant members to directly input into the Home Office.”

Categories: Cyber Risk News

DNS Attacks on the Rise, Costing $1 Million Each

Info Security - Fri, 06/04/2021 - 10:47
DNS Attacks on the Rise, Costing $1 Million Each

According to new research, cyber-attacks using DNS channels to steal data, DDoS victims, and deploy malware have grown in volume and cost throughout the pandemic.

EfficientIP’s 2021 Global DNS Threat Report was compiled by IDC from interviews with 1,114 organizations across the world about their experiences of last year.

It found that 87% of organizations suffered one or more DNS attack in 2020, up eight percentage points from 2019. On average, victims were hit 7.6 times at the cost of $950,000 per attack.

The most common forms of attack were DNS phishing (49%), DNS-based malware (38%), DDoS (29%), DNS hijacking (27%), DNS tunnelling for command and control (24%), zero-day bugs (23%) and cloud misconfiguration abuse (23%).

Phishing appears to have been particularly popular due to the large number of potentially at-risk remote workers.

These attacks frequently led to cloud service and in-house app downtime, compromised websites, brand damage, lost business and sensitive data theft, the report claimed.

Threat actors often use DNS as it is always on, with traffic whitelisted by most firewalls. That opens up opportunities to hide malware or stolen data in DNS channels, among other things.

However, given its ubiquity, DNS can also play an essential role in securing organizations — especially protecting remote workers and data and application traffic, EfficientIP said.

Half of those surveyed said they use DNS traffic analysis to detect compromised devices, and a quarter 27% send DNS traffic logs to SIEM platforms for analysis.

“While it is positive that companies want to use DNS to protect their increasingly remote workforces, organizations are continuing to suffer the costly impacts of DNS attacks,” said Romain Fouchereau, research manager for European security at IDC.

“As threat actors seek to diversify their toolkits, businesses must continue to be aware of the variety of threats posed, ensuring DNS security is a key priority to preventing these.”

Categories: Cyber Risk News

Chinese Actors Reportedly Breached America's Largest Transport Network

Info Security - Fri, 06/04/2021 - 10:06
Chinese Actors Reportedly Breached America's Largest Transport Network

According to a new report, Chinese threat actors breached North America’s largest transport network in a likely cyber-espionage campaign earlier this year.

The attackers reportedly exploited a zero-day vulnerability in the Pulse Connect Secure remote access product to penetrate the IT systems of New York’s Metropolitan Transportation Authority (MTA) in April.

Although they achieved persistence for several days and compromised three of the transit authority’s 18 computer systems, the MTA claimed that the actors stole no customer or internal data and made no changes to critical systems.

“Our response to the attack, coordinated and managed closely with state and federal agencies, demonstrated that while an attack itself was not preventable, our cybersecurity defense systems stopped it from spreading through MTA systems,” a statement sent to the New York Times revealed.

The MTA is said to have begun a forensic review following warnings about the zero-day by US authorities.

According to the report, the attack involved two sets of Chinese threat groups. A potential target for the attack was insider information on subway cars and rail networks that could allow the country to dominate the global market.

Pulse Secure customers were warned about the bug in late April. As Infosecurity reported at the time, CVE-2021-22893 has a CVSS score of 10.0 and is listed as a critical authentication bypass.

It was being exploited in combination with multiple legacy CVEs in the product from 2019 and 2020 to bypass multi-factor authentication — enabling attackers to install web shells and perform espionage activities.

Brooks Wallace, VP EMEA at Deep Instinct, argued that although the attackers didn’t cause any physical damage to transport networks around New York, they had the opportunity.

“This attack could easily have been a way for the attackers to determine whether or not an isolated infrastructure could be breached and taken down, with plans for a more widespread cyber-attack across the US in the future,” he added.

“Staying at the bleeding edge of innovation is the only way to outpace the attackers. The best protection against attacks such as this one is a multi-layered approach using a variety of solutions. A ‘prevention-first’ mindset is also key.”

Categories: Cyber Risk News

Museum Website Vandalized with X-Rated Ads

Info Security - Thu, 06/03/2021 - 18:39
Museum Website Vandalized with X-Rated Ads

Visitors to a Scottish tourism website were greeted with X-rated images after malicious cyber-criminals plastered its pages with pornographic promotions. 

The independent site eastlothianmuseums.org was set up by organizers ABC to help tourists seeking cultural experiences in East Lothian. 

"People usually tend to overlook museums when they are on a break because these places take time and lot of patience, but we at ABC are dedicated towards changing that mindset and introduce people to museums in East Lothian," said the group. 

But despite describing themselves as a "team that loves museums and wants the natives of Scotland as well as travelers from other countries to know their importance," ABC appears to have abandoned the website.

The East Lothian Courier reports that no news or updates have been posted to the eastlothianmuseums.org site in more than two years. 

After apparently being forsaken by its operators, the site fell into the hands of cyber-criminals hoping to lure victims with links to sexually explicit content. After hacking into the site, the threat actors posted links to adult websites that promise to fulfill "society's darkest fantasies."

In addition to adware, the site was laced with graphic descriptions of sex acts that could be viewed by clicking on certain links.

East Lothian Council said the racy site has now been updated with a security warning. 

"We are aware of this site, which details information on a range of museums and related visitor attractions across the county. It is not linked to or connected with East Lothian Council and our museums service or using the council branding style or logo.

"Anyone connecting to this site will see a security warning which indicates that continued use of the site may cause problems to the user."

Enquiries by the council were unable to establish where the site might be hosted. But misspellings of the word 'whisky' suggest it may not be based in Scotland. 

Dirk Schrader, global vice president of security research at New Net Technologies, commented: “Websites are an easy target for attackers, as they are destined to be publicly available. This means the attacker can scan them with a range of automated penetration tools. 

"Badly maintained websites, using outdated content management systems, are the go-to place for attackers to install reflectors or agents to enable additional attacks."

Categories: Cyber Risk News

Missing Toddler Chat Group Banned

Info Security - Thu, 06/03/2021 - 18:34
Missing Toddler Chat Group Banned

A partial settlement has been reached in a cyber-bullying case brought by the parents of a missing toddler against the operator of a chat group set up to discuss the fate of their son.

Dylan Ehler was three years old when he vanished from the backyard of his grandmother's home in Truro, Nova Scotia, at around 1:15 pm on May 6, 2020. Searches for the missing child were called off after two weeks, and his whereabouts remain a mystery.

The only trace of the toddler discovered to date were his rubber boots, which were located roughly 150 meters apart along Lepper Brook.

In online discussions of the case, Ehler's parents, Jason Ehler and Ashley Brown, have been variously accused without evidence of involvement in the boy's disappearance and of murdering their son. 

In February, Ehler's parents decided to take April Diane Moulton and Tom Hurley, also known as Tom Hubley, to court, arguing that the accusations and insults posted on a Facebook page administered by the pair constitute cyber-bullying.

The page, which was called "Dylan Ehler Open for Discussions" or "Dylan Ehler Open for Suggestions," at one point had over 17,000 members. 

"It's been horrific quite frankly," said the parents' lawyer, Allison Harris. "They're dealing with looking for their son, and this has taken away from that.

"Every time they go online, they get these kinds of messages, and some of this has spilled over into the community, and that's impacting them as well."

In an order signed late last month in Nova Scotia Supreme Court, Moulton was prohibited from re-opening the now closed Facebook page about Dylan and from starting another one like it. Moulton is also banned from making any further public posts about the missing child or his parents.

Hurley was offered a similar agreement to the one accepted by Moulton but has not accepted it. He reportedly said that since he lives in the same small town as Ehler's parents, he cannot agree to a ban on seeing them. 

The parties are due to meet face to face in court on August 3 for a hearing.

Categories: Cyber Risk News

White House Issues Open Letter on Ransomware

Info Security - Thu, 06/03/2021 - 17:06
White House Issues Open Letter on Ransomware

The White House has sent an open letter to companies in the United States entreating them to urgently act against the threat of ransomware.

Corporate executives and business leaders received a memo on Thursday morning from Anne Neuberger, the National Security Council's top cyber official. In the missive, Neuberger underscored the sweeping danger of ransomware to the private sector.

"All organizations must recognize that no company is safe from being targeted by ransomware, regardless of size or location," wrote Neuberger. "We urge you to take ransomware crime seriously and ensure your corporate cyber defense match the threat."

Neuberger, who is deputy national security adviser for cyber and emerging technology, called for swift action from corporations and businesses, which she stated have "a distinct and key responsibility” when it comes to America's cybersecurity.

“All organizations must recognize that no company is safe from being targeted by ransomware, regardless of size or location,” wrote Neuberger in the letter dated Wednesday. “But there are immediate steps you can take to protect yourself, as well as your customers and the broader economy.” 

She added that the impact of ransomware upon a company was directly linked to that company's attitude toward the threat.

“The most important takeaway from the recent spate of ransomware attacks on U.S., Irish, German and other organizations around the world is that companies that view ransomware as a threat to their core business operations rather than a simple risk of data theft will react and recover more effectively,” wrote Neuberger.

The letter follows a recent string of ransomware attacks on American companies. Last month's cyber-assault on the Colonial Pipeline was followed by attacks on global meat supplier JBS and on ferry service the Steamship Authority of Massachusetts.

A threat group known as both REvil and Sodinokibi, believed to have ties with Russia, has been blamed for the cyber-attacks on the Colonial Pipeline and JBS.

"More than any other threat, non-technical executives are familiar with ransomware by name and are already looking for solutions," commented John Bambenek, threat intelligence advisor at Netenrich. "A letter from a White House official isn’t going to change the game in the slightest." 

Categories: Cyber Risk News

Fujifilm Shuts Down Servers to Investigate Possible Ransomware Attack

Info Security - Thu, 06/03/2021 - 16:05
Fujifilm Shuts Down Servers to Investigate Possible Ransomware Attack

Fujifilm is investigating a potential ransomware attack that resulted in the company closing down part of its network.

The company is investigating "possible unauthorized access" to its server, it said in a statement. 

The company first noticed the "possibility" of a ransomware attack on June 1 and took swift action to discontinue all compromised systems. 

"We are currently working to determine the extent and the scale of the issue," it said on its website, and that it "apologises to its customers and business partners for the inconvenience this has caused.

"For some entities, this affects all forms of communications, including emails and incoming calls, which come through the company's network systems," said the company.

In an earlier statement, Fujifilm confirmed that the cyber-attack is preventing the company from accepting and processing orders. 

Japanese organizations have experienced other notable breaches in recent months. In March, Yamabiko, a Tokyo-headquartered manufacturer of power tools and agricultural and industrial machinery, was apparently added to the data leak site used by the Babuk group. 

In May, a subsidiary of Japanese tech giant Toshiba admitted to suffering a cybersecurity breach, reportedly caused by the DarkSide ransomware gang.

Ransomware hackers have gone after larger targets in 2021. This month saw a ransomware attack on the world’s largest meat processing company and May saw a sophisticated ransomware attack on Bose, which resulted in the unauthorized access of personal information on current and former employees.

Categories: Cyber Risk News

Mandiant to Re-Emerge After $1.2 Billion FireEye Sale

Info Security - Thu, 06/03/2021 - 14:30
Mandiant to Re-Emerge After $1.2 Billion FireEye Sale

FireEye has agreed to sell its FireEye Products business and brand name to a private equity firm in a deal that will see the Mandiant business it bought several years ago become a standalone company again.

The $1.2 billion all-cash sale to a consortium led by Symphony Technology Group (STG) is expected to close by the end of Q4 2021.

It will see STG acquire FireEye’s network, email, endpoint and cloud security products — alongside its related security management and orchestration platform.

After its acquisition by FireEye in 2014, Mandiant and founder Kevin Mandia were instrumental in expanding the new company’s focus from web, email and data center security to threat intelligence and incident response services.

Over the intervening years, the company has been busy dealing with the aftermath of countless breaches at big-name firms and government organizations.

FireEye’s work investigating an audacious attack on its own systems uncovered the infamous SolarWinds attacks, which subsequently found that at least nine US government agencies were compromised.

FireEye CEO, Kevin Mandia, argued that the separation of the two businesses again would enable the high-growth Mandiant to thrive.

“After closing, we will be able to concentrate exclusively on scaling our intelligence and frontline expertise through the Mandiant Advantage platform, while the FireEye Products business will be able to prioritize investment on its cloud-first security product portfolio,” he added.

“STG’s focus on fueling innovative market leaders in software and cybersecurity makes them an ideal partner for FireEye Products. We look forward to our relationship and collaboration on threat intelligence and expertise.”

William Chisholm, managing partner at STG, argued that FireEye’s cloud-first XDR platform would play a mission-critical role for current and prospective customers.

“We believe that there is enormous untapped opportunity for the business that we are excited to crystallize by leveraging our significant security software sector experience and our market leading carve-out expertise,” he said.

The private equity firm in March agreed to buy McAfee’s enterprise business for $4 billion.

Categories: Cyber Risk News

Secureworks Appoints Wendy Thomas as CEO as Michael Cote Announces Retirement

Info Security - Thu, 06/03/2021 - 13:09
Secureworks Appoints Wendy Thomas as CEO as Michael Cote Announces Retirement

Cybersecurity firm Secureworks has announced the appointment of Wendy Thomas as its next president and CEO. Thomas will take up the reigns from current CEO Michael Cote from September 3, 2021, when he will retire following nearly 20 years at the company.

Thomas, who is currently president of customer success at Secureworks, has more than 25 years’ experience in strategic and functional leadership roles across multiple organizations, including FirstData, Bell South and Internap Network Services.

During her career at Secureworks, which began in 2008 in its finance team, she has worked alongside Cote to successfully conclude a number of high profile business transactions, such as the acquisition of Verisign’s Managed Security Services (MSS) business and DNS and the company’s acquisition by Dell Technologies back in 2011. Prior to becoming president of customer success at Secureworks, she was its chief product officer, where she led the development of numerous solutions, such as its first security analytics product, Secureworks TaegisTM XDR.

Commenting on her appointment, Thomas said: “I know that I speak for everyone at Secureworks in thanking Mike for his leadership and tireless dedication to the company. I appreciate the support of Mike and the Board, and I am proud to work with an exceptional team that is focused on taking decisive actions to transform cybersecurity.”

Cote will leave the organization after almost 20 years, having joined in February 2002 as chairman, president and CEO. Since that time, Secureworks has grown from generating less than $1m in annual revenue to in excess of $550m, with a global presence in over 60 countries.

Cote stated: “Wendy is a proven and respected leader who has been the driving force of our company’s transformation. Her deep knowledge of our business has made her a valued strategic partner for many years, and throughout her tenure she has delivered strong operating results and innovative solutions through a relentless commitment to our customers, our purpose, and our people. I am confident she will lead Secureworks well into the future and I am proud to have her succeed me. I know she will make an outstanding CEO.”

Categories: Cyber Risk News

Ransomware Disrupts Largest Ferry Service in Massachusetts

Info Security - Thu, 06/03/2021 - 10:42
Ransomware Disrupts Largest Ferry Service in Massachusetts

Ransomware actors have disrupted the largest ferry service operating out of Massachusetts, disrupting passengers and commercial traffic.

The Steamship Authority, which runs to Martha's Vineyard and Nantucket, revealed on Twitter that the attack struck early on Wednesday morning, local time.

The outage meant that customers were unable to book or change vehicle reservations online or by phone. However, existing bookings would be honored, and rescheduling or cancellation fees waived, it said.

“There is no impact to the safety of vessel operations, as the issue does not affect radar or GPS functionality. Scheduled trips to both islands continue to operate, although customers may experience some delays during the ticketing process,” the firm said.

“If traveling with the Authority today, cash is preferred for all transactions. The availability of credit card systems to process vehicle and passenger tickets, as well as parking lot fees, is limited.”

In an update late last night, the Steamship Authority said it expected the disruption to continue throughout Thursday June 3. The firm's website was also down at the time of writing.

“The Steamship Authority continues to work with our team internally, as well as with local, state, and federal officials externally, to address today’s ransomware incident. At this point, we are unable to release or confirm specific details of what occurred,” it said.

Although the target for this attack is relatively minor compared to the recent incidents at Colonial Pipeline and JBS, it proves that no organization is safe from ransomware.

Charles Herring, CTO of WitFoo, argued that poor cyber-hygiene and a lack of coordination between law enforcement and private organizations had enabled cyber-criminals to get ahead in this particular arms race.

“The outer layer of the broken system is that national security and intelligence agencies need access to data collected by law enforcement to inform military and diplomatic strategy and campaigns,” he added.

“We are quickly learning that safely sharing information, while protecting liberties and privacy, is as important to thwarting evolving cybercrime as it was in combating terrorism after 9/11.”

Categories: Cyber Risk News

Three-Quarters of Security Leaders Report Increase in Cyber-Attacks in Past Year

Info Security - Thu, 06/03/2021 - 09:41
Three-Quarters of Security Leaders Report Increase in Cyber-Attacks in Past Year

More than three-quarters (76%) of security leaders have reported an increase in cyber-attacks over the past 12 months, according to VMware’s Global Security Insights Report 2021.

The report also found that the volume of attempts rose by a significant 52% across all affected organizations, emphasizing how accelerated digitization during the COVID-19 pandemic has expanded the attack surface. Indeed, over three-quarters (78%) of those experiencing a cyber-attack pointed to the rise in remote working as the reason for the increase in volume.

Additionally, four out of five (81%) of the 3542 CIOs, CTOs and CISOs surveyed for the research revealed they had suffered a breach in the past 12 months, with 82% of incidents considered material. Despite this, it appears there may be some complacency on the part of many security leaders: only 56% said they fear a material breach in the coming year, while just 41% have updated their security policies and approaches to tackle the extra risks to their organization.

The vast majority (79%) of security leaders noted that attacks have become more sophisticated in the past year, and the leading causes of breaches were reported to be third-party apps (14%) and ransomware (14%). Applications and workloads were seen as the most vulnerable points on the data journey, and 63% of respondents said there is a need for greater visibility over data and apps to pre-emptively detect attacks.

Encouragingly, close to two-thirds (61%) of security leaders agreed they need to adapt their security in light of the expanded attack surface. Securing the cloud looks to be a particular priority, with almost all (98%) respondents either already use, or are planning to shift to, a cloud-first security strategy.

Commenting on the findings, Rick McElroy, principal cybersecurity strategist, VMware said: “The race to adopt cloud technology since the start of the pandemic has created a once-in-a-generation chance for business leaders to rethink their approach to cybersecurity.

“Legacy security systems are no longer sufficient. Organizations need protection that extends beyond endpoints to workloads to better secure data and applications. As attacker sophistication and security threats become more prevalent, we must empower defenders to detect and stop attacks, as well as implement security stacks built for a cloud-first world.”  

Categories: Cyber Risk News

FBI: REvil Ransomware Group Behind JBS Attack

Info Security - Thu, 06/03/2021 - 08:20
FBI: REvil Ransomware Group Behind JBS Attack

The FBI has attributed a major ransomware attack on the world’s largest meat processing company to a notorious group believed to be Russian in origin.

In a brief statement, the Feds blamed REvil (aka Sodinokibi) for the attack on Sao Paolo-headquartered JBS.

“We continue to focus our efforts on imposing risk and consequences and holding the responsible cyber actors accountable. Our private sector partnerships are essential to responding quickly when a cyber intrusion occurs and providing support to victims affected by our cyber-adversaries,” read the statement.

“A cyber-attack on one is an attack on us all. We encourage any entity that is the victim of a cyberattack to immediately notify the FBI through one of our 56 field offices.”

The FBI said it would be working to bring the REvil group to justice for the hack on JBS.

REvil is one of the most prolific and successful groups around today, having targeted organizations as diverse as Apple, Jack Daniels, Travelex and even a law firm linked to Donald Trump.

The ransomware variant was responsible for over 14% of attacks in Q1 2021, remaining at the top of the global list, according to Coveware.

However, it operates as most do today via an affiliate model, so it’s unclear who actually used the malware to attack JBS.

There’s still no word from the meat processing giant on any of its public-facing websites about the attack.

Although, as Infosecurity reported on Tuesday, it appears to have impacted the firm’s servers supporting its North American and Australian operations, which could have significant knock-on effects for the meat supply chain in those regions.

Ronnen Brunner, VP of EMEA at ExtraHop, argued that food supplies could be considered critical national infrastructure.

“Businesses can't be protected all the time, but these attacks succeed due to outdated systems and because many organizations still rely on perimeter defence and signature detection tools. This means once the attacker is inside the network, that organization is completely vulnerable,” he added.

“Businesses must learn from the downfall of others. Visibility is crucial for detecting ransomware quick enough to respond before it's too late."  

Categories: Cyber Risk News