Supermodel turned cook and TV personality Chrissy Teigen has lost contracts with three major American retailers over previous cyber-bullying.
A decade ago, Teigen bullied non-binary teenage reality TV star Courtney Stodden over their marriage to the then 51-year-old actor Doug Hutchinson.
In an interview with The Daily Beast, Stodden said they received a lot of hateful comments online but Teigen's, which were made via the social media platform Twitter, were among the worst.
Stodden said: “She wouldn’t just publicly tweet about wanting me to take ‘a dirt nap’ but would privately DM me and tell me to kill myself. Things like, ‘I can’t wait for you to die.'”
The model has since apologized for her abuse of Stodden, but saying sorry has not prevented Teigen's cooking career from sliding into hot water.
Page Six reported that department store Bloomingdale's scrapped plans to stock Teigen's "Cravings by Chrissy" range of cookware after news of the online abuse came to light. An unnamed source told Page Six that Bloomingdale's and its parent store Macy’s were planning to sell 31 items of Teigen’s kitchen and dining line but pulled out at the last minute.
The supermodel cook is also feeling the heat around her partnership with retailer Target, with whom she exclusively launched her cookware line in 2018. Target stopped selling it shortly after Teigen’s cyber-bullying hit the news, though TMZ reports that the store’s split with the supermodel was decided mutually in December.
In addition to cyber-bullying Stodden, Teigen has also reportedly levied online insults at the actress Quvenzhané Wallis, who was nominated for the Academy Award for Best Actress at age 9 for her role in Beasts of the Southern Wild.
Following Stodden's exposé, Teigen took to Twitter once again, but this time to apologize for her past actions.
“Not a lot of people are lucky enough to be held accountable for all their past bulls–t in front of the entire world. I’m mortified and sad at who I used to be," wrote Teigen.
“I’m so sorry, Courtney. I hope you can heal now knowing how deeply sorry I am.”
Teigen has not apologized for her alleged cyber-bullying of Wallis, who has not spoken publicly about the alleged abuse.
A Nigerian governor's aide has been suspended after being arrested in the United States in connection with a multi-million-dollar unemployment benefits scam.
Abidemi Rufai, aka Sandy Tang, was arrested on Friday at JFK Airport in New York. The 42-year-old resident of Lekki, Nigeria, has been charged with wire fraud.
Rufai is accused of stealing the identities of more than 100 people in Washington state to file fraudulent claims for $350,000 in unemployment benefits, which were then paid into online payment accounts or wired to bank accounts controlled by "money mules."
Some of the proceeds were then allegedly mailed to the Jamaica, New York, address of Rufai’s relative. Law enforcement found more than $288,000 was deposited into an American bank account under Rufai's control between March and August 2020.
The Seattle Times reports Rufai's arrest as being part of a wider investigation into Washington state's $650m unemployment fraud.
Investigators allege that Rufai avoided fraud detection by Washington state's Employment Security Department by making small variations to his email address when registering for financial assistance.
Kiro7 reports that Rufai gave the impression of being multiple applicants by scattering his regular Gmail address with periods. Since periods in email addresses are unrecognized by Gmail, all the messages sent by the Employment Security Department ended up in Rufai's inbox.
Rufai is further accused of filing fraudulent unemployment claims with Hawaii, Wyoming, Massachusetts, Montana, New York, and Pennsylvania.
In Nigeria, Rufai held the position of senior special assistant (SSA) on special duties to the Ogun State governor, Prince Dapo Abiodun.
Reacting through his chief press secretary, Kunle Somorin, to news of Rufai's arrest, Abiodun said: "We received the very disturbing news of the arrest of one of the governor's political appointees, Mr. Abidemi Rufai, in New York over alleged unemployment benefits and fraud in the United States, this morning.
"While the governor cannot be held responsible for the actions of a full-grown adult, especially outside the jurisdiction of Ogun and Nigeria, he has since suspended the suspect from office to enable him answer the charges leveled against him."
HM Revenue & Customs (HMRC) has spent over a quarter of a million pounds (£262,251) on cybersecurity training for its staff during the past two financial years, according to official figures obtained by the Parliament Street think tank following a Freedom of Information request.
The UK’s tax authority spent £111,795 in the most recent financial year (20–21), which was a reduction on the £150,456 invested in 19–20. This funding covered 80 training enrollments in FY 20–21 and 69 in FY 19–20 for staff working in HMRC’s chief digital and information officer group.
The data also provided a breakdown of the types of courses that staff from this group enrolled in. The most popular course, involving 12 attendees, was to become certified in the Art of Hacking, costing a total of £15,978. The next most popular course was a six-day bootcamp to become a certified information systems security professional, which attracted 11 members of staff.
Two employees trained to become certified in Ethical Hacking, while nine took part in an Introduction to Cybersecurity course.
The data revealed that training to become a certified cloud security professional was the most expensive course used by HMRC in 20–21, with £34,103 spent to train seven staff members from the chief digital and information officer group.
Additionally, all HRMC staff (around 9,500) completed a mandatory phishing attacks course during the two-year period, which was free of charge.
Commenting on the data, Edward Blake, area vice president EMEA, Absolute Software, said: “Organizations which handle large volumes of personal financial information like HMRC are a top target for cyber-criminals, so ensuring staff are fully trained with the latest cyber-skills is essential to prevent a potential data breach.
“With the COVID-19 pandemic forcing many employees to work from home, it’s also critical that organizations like HMRC ensure they have complete visibility into the security standards across all devices such as laptops, to ensure encryption is turned on and cyber protection is in place for each and every employee.
“It’s also important that organizations can track, freeze and wipe lost or stolen devices, in the event of loss or theft, to keep taxpayer data completely safe from outsider threats.”
There have been numerous examples of scams involving the impersonation of HMRC during the COVID-19 pandemic, with cyber-criminals looking to use various government financial support schemes as phishing lures throughout the crisis.
Web application vulnerabilities enabled attackers to breach organizations on average twice each last year, with bot-based raids the biggest challenge, according to Barracuda Networks.
The security vendor polled 750 application security decision makers to compile its latest report: The state of application security in 2021.
It revealed that nearly three-quarters (72%) of firms suffered at least one breach from a web app flaw, a third (32%) were hit twice and 14% were compromised three times.
Such incidents can be extremely damaging for organizations as they could enable attackers to steal sensitive customer information and credentials.
According to the latest Verizon Data Breach Investigations Report (DBIR), attacks on web applications represented 39% of all breaches it analyzed over the past year.
Respondents to the Barracuda Networks study claimed that bad bots were the biggest challenge for defenders (43%) followed by supply chain attacks (39%), vulnerability detection (38%) and securing APIs (37%).
Over two-fifths (44%) of respondents also claimed that malicious bots also led to a successful breach involving vulnerability exploitation.
As well as scanning for and exploiting flaws in web applications, bots can be set to work in price scraping, content scraping, account creation and takeover, fraud, denial of service and denial of inventory, according to Imperva.
The vendor claimed that bad bot traffic stood at 26% of all traffic last year, the highest percentage since it started measuring in 2014.
Supply chain attacks have also gained notoriety since the SolarWinds campaign in which sophisticated nation state operatives planted malware in software updates, breaching the defenses of at least nine US government agencies.
Tim Jefferson, Barracuda’s SVP engineering for data, networks and application security, argued that the rapid shift to remote work in 2020 has made web applications an even bigger target for threat actors.
“Organizations are struggling to keep up with the pace of these attacks, particularly newer threats like bot attacks, API attacks, and supply chain attacks, and they need help filling these gaps effectively,” he added.
Threat actors are “winning the race” to find vulnerable assets to exploit, launching scans within minutes of CVE announcements, a leading security vendor has warned.
The 2021 Cortex Xpanse Attack Surface Threat Report from Palo Alto Networks was compiled from scans of 50 million IP addresses associated with 50 global enterprises, carried out January-March 2021.
The report revealed that as soon as new vulnerabilities are announced by vendors, attackers rush to take advantage, utilizing cheap cloud computing power to back their efforts.
“Scans began within 15 minutes after CVE announcements were released between January and March. Attackers worked faster for the Microsoft Exchange Server zero-days, launching scans within five minutes of Microsoft’s March 2 announcement,” the report noted.
“On a typical day, attackers conducted a new scan once every hour, whereas global enterprises can take weeks.”
Remote Desktop Protocol (RDP) servers accounted for the largest number of security issues (32%), although in this case, attackers aren’t scanning for software vulnerabilities but endpoints that can have their credentials brute-forced or cracked. It’s an increasingly popular initial access vector for ransomware attackers.
Also heavily targeted were misconfigured database servers, exposure to high-profile zero-day vulnerabilities from vendors like Microsoft and F5, and insecure remote access through Telnet, Simple Network Management Protocol (SNMP), Virtual Network Computing (VNC), and other protocols.
However, it was cloud systems that comprised the largest number of critical security issues (79%), according to the report.
Travis Biehn, principal security consultant at Synopsys Software Integrity Group, argued that organizations must minimize their exposure footprint and take zero trust approaches to remote worker security, in order to tilt the balance in their favor.
“The most sophisticated attackers — those who have clear objectives and targets known far in advance — map the corporate network footprint across private data centers and cloud in advance,” he warned.
“They also have automation and infrastructure ready to take advantage of new vulnerabilities before defenses can kick in.”
The boss of a critical East Coast fuel line has admitted he authorized a multimillion-dollar payment to a ransomware group that compromised the organization earlier this month.
Affiliates working with the DarkSide group were blamed by the FBI for the attack, which forced operational systems offline — leading to major fuel shortages across much of America and rising prices for several days.
Colonial Pipeline CEO, Joseph Blount, reportedly admitted that the decision was not taken lightly but was done in the national interest.
“Tens of millions of Americans rely on Colonial: hospitals, emergency medical services, law enforcement agencies, fire departments, airports, truck drivers and the traveling public,” a spokesperson confirmed to The Guardian.
Its report revealed that rapid action from Colonial’s IT team to shut down systems following the incursion, prevented the malware’s spread to operational controls.
However, the payment was apparently made as the firm didn’t know the extent of the damage or the group’s footprint inside its network.
Americans are still being affected by the incident. Although the pipeline was only out-of-action for five days, restarting on May 12, it warned on Tuesday, “it will take some time for the fuel supply chain to fully catch-up.”
Experts welcomed the company’s openness in talking about the incident.
“No company or CEO should be shamed for this. Instead, we should learn from these incidents to understand how attackers got in, what data was actually returned and what could have been done differently to secure a different outcome,” argued Lewis Jones, threat intelligence analyst at Talion.
“Attackers collaborate on their attacks, and the only way to get ahead of them is to collaborate on our defenses.”
Edgard Capdevielle, CEO of Nozomi Networks, added that ransomware breaches are rapidly becoming a case of “when, not if” for organizations.
“Companies need to get into a post-breach mentality, pre-breach, and harden systems so that when they are faced with an attack, they know exactly how they will respond and what they stand to lose depending on their response,” he added.
Cryptocurrency, most notably Bitcoin, has become increasingly popular and valuable in recent years and with it have come a number of associated security risks, according to a pair of security experts speaking at the 2021 RSA Conference on May 19.
Kenneth Geers, external communications analyst at Very Good Security, used the first part of the presentation to explain the history of money and why the US dollar has emerged as the world's dominant reserve currency.
"Good money is scarce, authentic, durable, portable and stable," Geers said. "If digital currency is to survive, thrive and reach its potential, it should have the exact same traits."
Risks from Mining Cryptocurrency
Cryptocurrencies like Bitcoin are generated by a process known as mining.
Kathy Wang, CISO at Very Good Security, explained that essentially what miners are doing is trying to be the first to come up with a solution to a puzzle. That puzzle is a cryptographic hashing algorithm that a computer system, the miner, is trying to solve. Cryptocurrency mining today requires vast amounts of computing power, which has led to different types of cybersecurity risks.Miners are very resourceful, they're very financially motivated, and some of them are attacking and compromising internet-facing computers to gain control of large numbers of resources to conduct mining activities.Kathy Wang
One risk comes from miners that attempt to abuse free resources on the internet provided by cloud and application service providers. Wang explained that what the miners might do is create many free accounts on these cloud infrastructures and get a good deal of computing power, at the expense of the service provider. She noted that such activity is considered to be against the terms of service, but the activity still needs to actually be identified so it can be stopped.
"Blocking crypto-mining activity, just like any detection work, is very much an arms race," Wang said.
She noted that detecting indicators of crypto-mining activity can include conducting analysis of DNS traffic or monitoring for specific streams or patterns in network packets. As defenders are trying to identify the crypto-mining activity, she warned, the miners are also reacting to that activity and are working hard to avoid being detected.
Another risk Wang spoke about is cryptojacking.
"Miners are very resourceful, they're very financially motivated, and some of them are attacking and compromising internet-facing computers to gain control of large numbers of resources to conduct mining activities," Wang said.
Among the ways that cryptojacking is executed is with malware, such as WannaMine, which users are somehow tricked into installing by malicious sites.
Cryptocurrency Wallets Under Attack
Wang emphasized that the security pillars of confidentiality, integrity and availability all apply to cryptocurrency as well.
One of the key points of attack in the cryptocurrency world is what are known as cryptocurrency wallets. These are typically software-based vaults or "wallets" where users store the private cryptographic keys for the cryptocurrency they hold.
"If you get access to a cryptocurrency wallet, you effectively own the currency," Wang said.
Attackers have been going after cryptocurrency wallets in different ways. One approach cited by Wang is with the ElectroRAT malware that is able to take over vulnerable wallets. Wang explained that the malware is placed on cryptocurrency forums in ads and in posts that entice users to click and download a particular app to help them get more Bitcoin. Ironically, once they install the app, the only one who gets more Bitcoin is the attacker.
"It was able to evade signature-based malware-detection capabilities for quite some time because it was written from scratch," Wang said.
Zero Trust for Crypto
One of the ways that users can protect themselves from the risk of an account takeover is by using a zero trust approach.
With zero trust, access is very restricted to only provide the bare minimum permissions. For example, Wang said that access to a cryptocurrency wallet could be restricted to only a specific user utilizing a specific device. Additionally, implementing multi-factor authentication schemes can help to further secure access.
While cryptocurrency's popularity is growing, Geers said in the near term it's unlikely that Bitcoin will challenge the US dollar. The future, however, is less certain.
"The security risks have to be better understood and addressed, and the speed in the payment system needs to be faster," Geers said. "So it will take time, but over the long term there will be plenty of interest in cryptocurrency."
The pandemic has forever changed people's relationship with technology, and with it their expectations of user privacy, according to a pair of privacy experts speaking at the 2021 RSA Conference on May 19.
Julie Brill, chief privacy officer at Microsoft, noted that during the pandemic increasing numbers of people came to realize that they can work from home, learn from home, and socialize and still be deeply productive. With that increased reliance on technology has come growing awareness and concern about the privacy implications of different technologies and online services.
"People are saying more and more that they're concerned about how their data is being used and that they want more privacy," Brill said. "They want companies to do more, and they want governments to do more, to ensure that their data is well protected."
While access to online services has been a way of life during the pandemic, Brill emphasized that the pandemic should not be the reason why people are being asked to give up their privacy. In her view, it should be the case that companies that are providing online tools to schools, community groups and other end users need to be thinking about ensuring they are providing trusted technology.
In the absence of a comprehensive privacy law, which is still the state of affairs in the US, Brill said that it's critical that groups and individuals can trust the technologies they are using to go about daily life.People's relationship to who they are and how they want to be portrayed has often been framed in the context of control, empowerment and engagement.Julie Brill
Defining Privacy Harm
A key challenge with privacy is precisely determining how it is violated in the eyes of the law, in terms of harm that can occur that is quantifiable, according to Danielle Citron, Jefferson Scholars Foundation Schenck Distinguished Professor in Law at the University of Virginia.
Citron observed that existing privacy laws in the US are not well suited to the problems of the 21st century. She noted that privacy laws that exist were made in an era when there was mass media publishing stories about people and advertisers using someone's face without permission.
"Now so many of our 21st-century problems are about the collection, the use and the sale of information," Citron said. "Tort law and civil claims haven't quite caught up, and courts really insist upon really tangible harms that are financial and physical."
The Promise of Privacy Laws
In Brill's view, emerging standards and privacy laws such as the European Union's GDPR are positive steps.
While there isn't yet a national data privacy rule in the US, there are currently multiple rules in different states, including California and Virginia, with more to come in the months ahead. Brill said that she sees a lot of hopes and aspirations for privacy laws for a few reasons.
Brill commented that privacy laws are about choosing when the individual wants to engage and having the ability to choose how their personal data is used. In her strong view, privacy is a fundamental right and foundational to other basic human rights.
"People's relationship to who they are and how they want to be portrayed has often been framed in the context of control, empowerment and engagement," Brill said. "And when you really think about it, that's what privacy laws are about."
New details into the notorious SolarWinds nation-state attack and its fallout were provided by Sudhakar Ramakrishna, CEO of SolarWinds, during a keynote session on Day 3 of the virtual RSA Conference 2021, which was hosted by Laura Koetzle, VP and group director at Forrester.
This included the revelation that the attackers may have accessed the system as early as January 2019, and an expression of remorse for comments made during his congressional appearance about the attack in February 2021.
Starting the session, Ramakrishna explained that he was first informed of the attacks while sitting down to his birthday dinner on December 12, 2020, after receiving a phone call from the company’s legal officer. Ramakrishna was at the time still waiting to take up the position of CEO at SolarWinds on January 4, 2021.
Koetzle asked Ramakrishna whether he ever considered backing out of taking the role as more details about the scale of the incident emerged in the following days. While a number of friends had advised him to do so, Ramakrishna said that “he decided to persevere with this opportunity” after speaking to the SolarWinds chairman, Bill Bock. He was given continuity and support from the previous CEO, Kevin Thompson, as he began the role in January, which helped him enact a fast response to the event.
With SolarWinds believing as many as 18,000 of its customers had been affected by the breach, as that was the number that had downloaded the malicious update, Ramakrishna explained that in the immediate aftermath, the SolarWinds security team looked to contact everyone possible to try to address their concerns and questions.
He was also asked about how SolarWinds is supporting its customers now. Ramakrishna explained it was a step-by-step approach. “What started out as a reactive measure turned into learning about and addressing issues, and at the foundation of what we’re trying to do is transparency,” he said, adding that the company had worked with its global partners to develop the Orion Assistant Program. This offers extra support to those customers that do not have the resources to upgrade or rebuild, and “in many cases [involved] working side by side with them as they completed their upgrades.”"The foundation of what we’re trying to do is transparency"
Ramakrishna noted that his previous experience in dealing with security incidents as CEO at Pulse Secure has helped him deal with the fallout of the SolarWinds attacks. In these prior incidents, the response “was rooted in being transparent, being communicative and updating everybody on progress, even at times when you do not have all the details in place.”
The discussion then moved on to the details that have subsequently been discovered about the attack. When asked exactly how the attackers were able to stay undetected for such a long period of time, Ramakrishna emphasized the sophisticated nature of the perpetrators. “The tradecraft that the attackers used was extremely sophisticated where they did everything possible to hide in plain sight,” he explained, adding that “they were able to cover their tracks at every step of the way. Given the resources of a nation-state, it was very difficult for one company . . . to uncover.”
Interestingly, Ramakrishna said that SolarWinds has since “stumbled across” some old configurations of code, which enabled it to figure out what the attackers did. After assessing “hundreds of terabytes of data and thousands of virtual build systems,” it was discovered “that the attackers may have been in the environment as early as January 2019,” which is much earlier than initially thought. “They were doing very early reconnaissance activities in January 2019, which explains what they were able to do in September/October 2019,” he added.
When reflecting on his, and SolarWinds’, response to the attacks, Ramakrishna expressed regret for comments he made during his testimony to Congress in February 2021, which concerned the exposure of a weak FTP password by an intern at the company back in 2017. He outlined: “I have long held a belief system and an attitude that you never flog failures – you want your employees, including interns, to make mistakes and learn from those mistakes . . . so what happened at the congressional hearing where we attributed it to an intern was not appropriate and is not what we are about.”
Finally, Ramakrishna revealed that another way the company’s response could have been improved was to have coordinated a better media response, stating it was not prepared for being thrust into the limelight in the way it was. “I wish we had more resources, more proactive outreach. We’ve learned from that and we continue to grow our communications team,” he outlined.
A lawsuit filed against an American healthcare provider over a 2020 data breach has been allowed to proceed, but only for one patient.
UHS employs around 90,000 people at the approximately 400 care centers and hospitals it operates in the United Kingdom, Puerto Rico, and the United States.
Sensitive data belonging to UHS was exfiltrated in September last year when the company was targeted by the Ryuk ransomware gang.
All UHS sites in Puerto Rico and the US were affected by the cyber-attack, which caused the company's IT systems to go offline for a month. Some scheduled appointments were postponed as a result.
The Fortune 500 healthcare organization said in March that the attack had cost it an estimated $67m in downtime and related expenses.
The law firm Morgan & Morgan filed a lawsuit in the US District Court, Eastern District of Pennsylvania against UHS on behalf of three patients who accused the healthcare company of negligence, breach of implied contract, breach of fiduciary duty, and breach of confidence.
Claims made by two of the plaintiffs who said that the data breach had made them vulnerable to fraud and identity theft were dismissed by US District Judge Gerald McHugh as too speculative in an opinion filed Monday.
However, McHugh adjudged that Motkowicz had sufficient grievance to proceed. When Motkowicz's surgery was canceled because of the attack, he was forced to take additional time off work. This caused him to lose his health insurance through his employer, with the result that he had to purchase an insurance policy at a higher price.
Referring to the two claimants whose claims he dismissed, McHugh said: "A court is still left to speculate . . . whether the hackers acquired plaintiffs' (private health information) in a form that would allow them to make unauthorized transactions in their names, as well as whether plaintiffs are also intended targets of the hackers’ future criminal acts."
Of Motkowicz, McHugh said: “Plaintiff’s injury is not speculative, as his financial expenditures allegedly occurred in response to the data breach and the corresponding cancellation of his surgery."
The Data-to-Everything Platform providers shared news of their proposed acquisition on Tuesday. The terms of the deal have not been disclosed.
TruSTAR was founded in 2016 by Patrick Coughlin and Paul Kurtz on the mission to make threat detection and response simpler and more efficient. The company has more than 50 clients, including BNP Paribas, LogMeIn and Rackspace.
"They share our passion for the value of data and the power of turning data into doing," said Splunk's senior vice president, cloud and chief product officer, Sendur Sellakumar.
"I’ve been very impressed with the growth not only of their solution but of their business."
Sellakumar went on to identify three core principles that Splunk and TruSTAR share. The first of these was the view that organizations "need a unified, data-centric view across their cloud environments, paired with the right analytics at the right time, for intelligent detection and response."
According to Sellakumar, both companies also hold the notion that the most effective way to accelerate efficiencies in the SOC is "to prioritize data with a focus on automation, improving your MTTD and MTTR outcomes."
The third principle to which TruSTAR and Splunk adhere is that "managing and integrating internal and external sources of intelligence accelerates outcomes across the security operations lifecycle, delivering customers critical and timely value," said Sellakumar.
TruSTAR is known for its Intelligence Platform, through which its customers can operationalize all sources of security intelligence across their teams, tools and partners.
Should the acquisition go ahead as planned, TruSTAR’s capabilities will be added to the Splunk Data-to-Everything Platform, allowing customers to autonomously improve their detection and response workflows with information from third-party threat intelligence sources as well as from their internal historical intelligence.
“We founded TruSTAR to help security teams unlock the signal in their data to accelerate automation and power seamless intelligence sharing while preserving privacy in the cloud,” said TruSTAR CEO Coughlin.
“We're thrilled to join Splunk. Combining TruSTAR with Splunk's leading enterprise data platform will bring security and IT teams to a new level of integration, automation and resilience.”
The ransomware gang DarkSide extorted more than $90m in Bitcoin before allegedly disbanding its illegal operation, according to new research.
Analysts at London-based blockchain analytics firm Elliptic said in a report published Tuesday that they had discovered a now empty digital wallet that had contained the proceeds of ransomware attacks engineered by the cyber-criminal gang.
"In total, just over $90m in Bitcoin ransom payments were made to DarkSide, originating from 47 distinct wallets," wrote Elliptic's co-founder and chief scientist, Dr. Tom Robinson.
"According to DarkTracer, 99 organizations have been infected with the DarkSide malware – suggesting that approximately 47% of victims paid a ransom, and that the average payment was $1.9m."
DarkSide has appeared in the news numerous times for its cyber-attacks, but the gang achieved real infamy earlier this month when it crippled America's Colonial Pipeline with ransomware. From this exploit, which triggered panic buying and fuel shortages along the East Coast, the gang reportedly netted $5m.
Elliptic researchers report that DarkSide's virtual wallet received a ransom payment of 75 Bitcoin from Colonial Pipeline.
The gang shut down its site on the dark web on May 13. Researchers at cybercrime intelligence provider Intel 471 reported that DarkSide had told its hacking partners who use the gang's “ransomware-as-a-service” tools to launch cyber-attacks that sales of its software and released services have ceased.
Before closing its digital doors, DarkSide appeared to be on track to achieve its most profitable month of the last three quarters.
Elliptic researchers found that since October 2020, February had seen the gang collect its biggest Bitcoin haul of more than $20m. May's earnings were close to $15m before DarkSide went dark.
Researchers noted that money extorted by the gang was divided up between those that had developed the ransomware (developers) and those who successfully deployed it (affiliates).
"In the case of DarkSide, the developer reportedly takes 25% for ransoms less than $500,000, but this decreases to 10% for ransoms greater than $5m," they wrote.
"This split of the ransom payment is very clear to see on the blockchain, with the different shares going to separate Bitcoin wallets controlled by the affiliate and developer."
Elliptic said that the DarkSide developer received a total of $15.5m in Bitcoin.
The cybersecurity industry should be placing more consideration on human behaviors to effectively tackle cyber-risks, according to a panel of experts speaking during the DTX: NOW virtual conference.
Lisa Forte, partner at Red Goat Cyber Security, who moderated the session, emphasized that human behaviors simply cannot be ignored when it comes to cybersecurity, noting that people “interact with our technology on a daily basis – whether that’s our staff who are responsible for looking after the data, or whether that’s clients creating unique usernames and passwords on our applications in order to access their own data, the human element comes into all of it.”
The panel first discussed approaches that security teams should use to help prevent people from falling foul of social engineering scams and cyber-attacks. Javvad Malik, security awareness advocate at KnowBe4, believes the starting point is to make people more aware of the threats that are out there. “Giving things a label and a name helps normalize it so people don’t feel like they’re the only ones getting caught out by a particular scam,” he said.
Additionally, this normalization needs to extend to when people are caught out by scams, thereby creating an environment in which there is no shame in admitting to being duped and that encourages frequent reporting of scams to law enforcement, according to Malik.
To help citizens truly understand cyber-risks, Holly Grace Williams, founder at Akimbo Core, said we need to focus on ensuring it is easy for people to do so. This includes the way awareness training is treated in organizations. “Very often I see security awareness programs delivered by companies where either the company doesn’t care about the content of the training and it’s simply a tickbox, or that the content is just on the face of it ineffective,” she noted.
John Graham-Cumming, chief technology officer at Cloudflare, added that digital companies should also be putting more effort into effectively forcing customers to adopt better security behaviors, such as strong passwords and two-factor authentication. He gave the example of systems that are emerging that tell users they are “using a password that has previously been hacked so don’t use that password,” he commented, adding that those outside the security industry “just need help to get into the right spot.”
The panel went on to highlight new ways security teams can bring about positive security behavioral change in people. Malik highlighted the importance of effective marketing to normalize certain behaviors. For example, he believes cybersecurity could learn from the “designated driver” terminology used to stop drunk driving, which was pushed heavily by behavioral scientists onto Hollywood. As this term got written into sitcoms, the concept quickly became normalized, and led to behavior change. “If we approach security from that perspective, we can get better behaviors,” he stated.
Removing the fear of punishment from employees caught out by social engineering attacks such as phishing is another crucial step organizations need to take. Williams noted that, sadly, it is still often the case that single employee mistakes are blamed by organizations for security breaches, which occurred in the wake of the Equinox and SolarWinds attacks. “If your entire organization can fail because one staff member chose a bad password, or clicked a link in an email, there are fundamentally bigger problems to your organization,” she pointed out.
As well as not laying blame for errors, developing the right security culture among all employees in an organization is crucial to preventing tactics such as phishing from being successful. This requires a good relationship being “built in” between security teams and other members of staff, according to Malik. “If the only interaction you have with your security team is when an incident occurs, or when they send a simulated phish out to you and say ‘we caught you out,’ regardless of how good it is, you’re just going to think ‘who are these people and why are they trying to trick me?'” he outlined.
Graham-Cumming agreed, stating that security personnel have to develop a good “bedside manner” in addition to having technical expertise. He said it’s vital to have a relationship with general staff “not just when things have gone bad,” which includes encouraging people to report any concerns they have, even if they turn out not to be security related. “It’s really about openness and honesty and treating people well so they respect what your job is and they feel like you’re somebody they can trust,” he explained.
The UK privacy regulator has fined a QR code provider that abused its access to personal data to spam individuals with direct marketing at the height of the pandemic.
The Information Commissioner’s Office (ICO) explained in a notice yesterday that it fined St Albans firm Tested.me £8000 after it send the marketing email without gaining adequate valid consent from data subjects.
The firm provided clients with contact tracing services by enabling them to offer customers a QR code to scan when arriving at their premises.
However, it used this data to send nearly 84,000 nuisance emails at the height of the COVID-19 pandemic between September and November 2020, the ICO said.
The ICO has also been running checks on other QR code providers to ensure they’re handling people’s data in accordance with the GDPR and its UK equivalent, the Data Protection Act 2018.
It said the checks revealed that most companies understood the laws and the importance of processing personal data fairly and securely.
The regulator’s guidance for firms as the economy starts to reopen following extensive lockdowns, is to make privacy policies clear and simple, follow data protection by design guidance and not to keep any personal data collected for more than 21 days.
Personal data collected for contact tracing is also not to be used for marketing or any other purposes, it said.
QR codes are increasingly used not only to check-in to locations using the NHS Test and Trace app, but by hospitality venues keen to offer customers a hands-free menu experience.
However, the technology doesn’t just represent a privacy risk. Security experts have warned that QR codes could be hijacked by threat actors to download malware and other threats to users’ devices.
Some 90% of cyber-attacks investigated by a leading security vendor last year involved abuse of the Remote Desktop Protocol (RDP), and ransomware featured in 81%.
The figures come from a new Active Adversary Playbook 2021 compiled by Sophos from the experiences of its frontline threat hunters and incident responders.
It revealed that, while RDP is often used to gain initial access into victim organizations, especially during ransomware attacks, it was also hijacked by attackers in 69% of incidents for lateral movement.
Techniques such as using VPNs and multi-factor authentication (MFA), which focus on preventing unauthorized external access to RDP, won’t work if the attacker is already in the network, Sophos warned.
In fact, it seems as if attackers are increasingly capable of slipping past perimeter defenses to infiltrate networks. The average dwell time for cases investigated by Sophos was 11 days. Considering many of these were ransomware attacks which typically require less time, 264 hours is more than enough for threat actors to do their worst.
“With adversaries spending a median of 11 days in the network, implementing their attack while blending in with routine IT activity, it is critical that defenders understand the warning signs to look out for and investigate,” argued Sophos senior security advisor, John Shier.
“One of the biggest red flags, for instance, is when a legitimate tool or activity is detected in a unexpected place. Most of all, defenders should remember that technology can do a great deal but, in today’s threat landscape, may not be enough by itself. Human experience and the ability to respond are a vital part of any security solution.”
According to ESET, RDP attacks increased by a staggering 768% between Q1 and Q4 2020 as cyber-criminals focused on exploiting a tool used increasingly by remote workers to access their corporate desktops.
Tens of thousands of jobseekers have had their personal information exposed by a misconfigured cloud account, according to researchers.
The firm apparently specializes in recruitment for the building management systems sector, for projects including skyscrapers 22 Bishopsgate and The Shard, Wembley Stadium and the Olympic Stadium, Heathrow Terminal 5 and Crossrail stations.
The 5GB trove contained 21,000 files including CVs featuring personal information such as email addresses, full names, mobile phone numbers, home addresses and social network URLs. Other details included dates of birth, passport numbers and applicant photos, according to Website Planet.
The research team believes that TeamBMS’s IT service provider may have been to blame for the privacy snafu.
If found by threat actors, the data could have been used to commit follow-on identity theft and fraud, and craft phishing attacks designed to steal more personal details or deploy malware.
Website Planet also claimed that the information contained in the bucket could have been used for corporate espionage or to target victims’ homes for burglary.
The research team discovered the leak on December 29 last year, and reached out several times to TeamBMS’s parent company TeamResourcing as well as to the UK CERT. The bucket was finally secured on March 23.
Not only those impacted by the leak but the company itself should be on guard for any suspicious activity going forward, Website Planet claimed.
“FastTrack, and anyone else implicated in this breach, should be vigilant when receiving calls from parties claiming to be clients or associates. In which case, businesses must implement strategies to confidently identify these individuals,” it said.
“It’s crucial that FastTrack, as well as any businesses at-risk of this exposure, implements stringent security measures when storing customer data. Businesses should hire a cybersecurity professional, to be sure that customer data is adequately protected.”
The scourge that is ransomware has had a devastating impact on the lives of ordinary people around the world, but it doesn't have to be that way, according to a panel of experts speaking at the 2021 RSA Conference on May 18.
Ransomware is not a new problem in 2021, and it certainly is not one that appears to be diminishing by any measure; rather, it's growing. Jen Miller-Osborn, deputy director of threat intelligence for Unit 42 at Palo Alto Networks, commented that, according to her firm's research, from 2019 to 2020 the average ransom payment nearly tripled, from $115,123 to $312,493. In that same period the highest ransom payment doubled from $5m to $10m.
"They're just gaining more and more money, and when that happens ransomware becomes more and more popular in the criminal sector," Miller-Osborn said.
The Evolution of Ransomware
Michael Daniel, president and CEO at the Cyber Threat Alliance, explained that over the course of the last decade, ransomware has changed.
"If you look back to, say, 2013, ransomware was typically targeted at an individual's computer, and the average ransom was like 100 or 150 bucks, so it was a fairly minimal affair," Daniel said.
In contrast, in 2021 Daniel noted that the average ransom is more than $300,000, and it's not just individuals being targeted—it's things like schools systems, hospitals and the energy grid.
As the cost and scale of ransomware attacks have grown, so too has the complexity of trying to limit the risk and the ability to shut down attackers. Among the challenges is that the impact of ransomware isn't limited to any one industry or even any one agency within the US government.
Phil Reiner, chief executive officer, Institute for Security and Technology and Ransomware Task Force, explained that one of the primary reasons why the Ransomware Task Force existed was to help deal with the fast-moving threat landscape.
"It takes senior-level, top-down interest in a problem like this to really get after it with the resources that are required, and the prioritization of the issue needs to be raised in order to actually do something differently," Reiner said. "It's not business as usual. This is not just a normal cybersecurity threat—it's a plague."These threat actors, they feel like they can operate this way because they've got safe haven.Phil Reiner
It Is Time for a Comprehensive Approach to End Ransomware
The panelists all agreed that reducing the growth of ransomware will require a coordinated and comprehensive effort across public and private sectors around the world.
"You're not going to solve ransomware with some little silver bullet that just fixes the crypto payments processing problem, you're not going to solve it by just sending Cyber Command after somebody sitting perhaps in Eastern Europe," Reiner said. "These actions all have to happen at the same time if you're really going to effect significant change and shift the trajectory."
Daniel emphasized that disrupting the cryptocurrency element of ransomware will be a critical part of a comprehensive effort. He noted that it is clear that one of the big enablers for ransomware is the growth of cryptocurrencies.
"Cryptocurrency enables payments to occur in a way that the normal financial system can't track or block," Daniel said. "So clearly you're going to have to address that part of the ecosystem, which has nothing to do with cybersecurity directly. "
Increasing Pressure with Law Enforcement Actions
As ransomware attackers can be anywhere in the world, Reiner said that there are different tactics, including economic sanctions, that can and should be used globally to apply pressure to de-incentivize attacks.
"These threat actors, they feel like they can operate this way because they've got safe haven," Reiner said.
Daniel suggested that for the federal government, there is a need to increase capabilities across multiple agencies and not just those where the focus is on security. For example, he noted that the Department of Health and Human Services (HHS), the Department of Energy and others need to work with organizations within their respective sectors to make them more resilient to ransomware incidents.
Miller-Osborn advocated for more law enforcement actions to help deter would-be ransomware actors. In her view, many ransomware attackers haven't been too concerned about consequences or the risk of ending up in jail. If there is a coordinated response, where ransomware infrastructure, network and payment operations are all taken down and people are arrested, convicted and get jail time, she expects that behavior will change
"Cybercrimes are never going to go away," Miller-Osborn said. "But the more people we can discourage from doing these kinds of activities, the safer everyone's going to be as a whole."
When a security breach occurs in the US today there is no single authority or national breach reporting law that needs to be adhered to, but that could change in the near future, according to a panel of experts speaking at the 2021 RSA Conference on May 18.
Luke Dembosky, partner at law firm Debevoise & Plimpton LLP, commented that the current state of breach reporting in the US is a patchwork of laws and policies that vary by jurisdiction. He noted that each individual state sets the rules that determine whether an organization has to report to state authorities, as well as impacted individuals, in the event of a data breach.
"It's very challenging for companies that do business across state lines, often to figure out what are all the various potential breach notification obligations," Dembosky said.
The (Solar)Wind Pushing the National Data Breach Reporting Law Forward
Adam Hickey, deputy assistant attorney general, National Security Division at the US Department of Justice, commented that there have been a number of high-profile breaches in recent years that have impacted critical infrastructure across multiple sectors. Without a single reporting framework, the federal government doesn't always get all the data and insight it needs.
"We are challenged getting a handle on the visibility of what's happening," Hickey said.
Among the recent high-profile data breach incidents discussed during the panel was the SolarWinds data breach. Tonya Ugoretz, deputy assistant director at the FBI, commented that a lot of times when there is a push for legislation to close a particular gap, like with the national data breach reporting law, that groundswell is prompted by something that didn't happen, someone who didn't take an action. That's not what happened in the SolarWinds incident.
Ugoretz said that in the SolarWinds incident, it was reported quickly by security vendor FireEye, which itself was a victim of a breach.
"They [FireEye] did the right thing," Ugoretz said. "Almost immediately upon noticing that they were the victim of this very sophisticated intrusion, they reached out to the government."
Part of the way you demonstrate you are taking something seriously and doing everything you can as a business is saying, I'm working with law enforcement to address it.Adam Hickey
She added that this type of quick notification doesn't always happen and the fact that it did may well have helped to prevent even more data loss, which was a theme that Hickey echoed. Hickey said that thanks to FireEye raising its hand and saying, "This is happening on my network," the federal government was able to move quickly to investigate and help limit risk.
Why a National Data Breach Reporting Law Is Needed
Hickey emphasized that a national data breach reporting law is needed to help provide visibility to law enforcement and push out information to enable potential victims to be protected.
As a general rule, Hickey noted, companies are more willing to contact the government and work with law enforcement now than they were ever before, for several reasons.
"In the past, having a data breach used to be kind of a scarlet letter, and there was a shame factor, so you kind of didn't want it to get out," Hickey said. "Now there's sort of a sad understanding that this is a part of the mortality of computer networks."
With the realization that data breaches happen, Hickey said, organizations' attention has turned not just to defense, but also to resilience and reputation.
"Part of the way you demonstrate you are taking something seriously and doing everything you can as a business is saying, I'm working with law enforcement to address it," Hickey commented.
What the National Breach Reporting Law Should Look Like
A key objective for a potential national breach reporting law that all the panelists agreed upon was the idea that it should make reporting a breach easier, not harder, than the current patchwork model.
Ugoretz emphasized that a having a national standard for breach reporting will give companies less to figure out, which is important especially at the moment that they're suffering from an intrusion. She wants to see a law that is clear and concise and that helps victims and law enforcement to figure out what happened and prevent further exposure.
"We think of each of these intrusions, as if it were a murder conducted by a serial killer where whoever is behind it will strike again and they're leaving clues, at each crime scene," Ugoretz said. "This reporting law will help us pick up those clues and share it with others before they then become subsequent victims."
The new US administration’s approach to modernizing the nation’s cybersecurity defenses was laid out by Anne Neuberger, deputy assistant to the president and deputy national security advisor for cyber and emerging technology, National Security Council, during a keynote session on day two of the virtual RSA Conference 2021.
Neuberger began by describing the increasingly dangerous cyber-threat landscape, noting that President Joe Biden’s administration has already had to deal with two large-scale incidents during its first 100 days in office—the SolarWinds and Microsoft Exchange attacks.
“Governments and companies are under constant, sophisticated and malicious attack from nation-state adversaries and criminals,” she outlined, adding that “today, more than ever, cybersecurity is a national security imperative.”
In this environment, Neuberger stated, it is time to shift the mindset from incident response to prevention. “I’ve observed that as a community we’ve accepted that we’ll move from one incident response to the next,” she said. “While we must acknowledge that breaches will happen and prepare for them, we simply cannot let waiting for the next shoe to drop to be the status quo under which we operate.”
With this principle in mind, Neuberger set out three areas the current US federal government is focusing on to enhance the nation’s cybersecurity:
1. Modernize Cyber-defenses
Neuberger stated how the SolarWinds attacks demonstrated that “some of the most basic cybersecurity measures were not systemically rolled out across federal agencies.” These include multi-factor authentication, encryption and endpoint detection.
As well as mandating these basic security hygiene measures in government, Neuberger said the administration is also introducing ways of ensuring the software security it purchases from vendors is up to scratch. She explained that the products the government buys “often include defects and vulnerabilities.” This is being accepted by developers, either because they expect to be able to patch later or they decide to ignore them if they deem the defects to not be sufficiently serious, according to Neuberger.
“That’s not acceptable—it’s knowingly introducing unknown and potentially grave risks that adversaries and criminals then exploit,” she stated.
To tackle this issue, Neuberger revealed it is a priority of the government to ensure the software it buys is built securely from the start, “by potentially requiring federal vendors to build software in a secure development environment.” She added that this approach should have the knock-on effect of enhancing the software security brought by organizations outside of government, such as schools and small businesses.
Another vital step in this area is to gain visibility into what software is developed securely and what isn’t, as it is currently impossible for customers to make this assessment. Neuberger explained: “Today we place our trust in vendors but we largely do it blindly, because we don’t have a way to measure that trust.”Today we place our trust in vendors but we largely do it blindly, because we don’t have a way to measure that trustAnne Neuberger
She additionally highlighted that the administration is currently working on a pilot program to protect the technology relied upon in critical national infrastructure. This initiative “will facilitate private-sector efforts to install new technologies that provide timely visibility, detection, response and blocking capabilities.” Neuberger noted this is “the first step in a series of efforts we’ll be working on to ensure we can trust the systems underpinning our critical infrastructure.”
2. Return to a More Active Role on Cyber Internationally
Neuberger also emphasized the need for the US to strengthen its global partnerships “to counter adversaries that leverage technology to undermine national and global security.” She highlighted a number of initiatives in this area, including the Quadrilateral Security Dialogue (QUAD), which aim to “counter cyber-threats and hold malicious actors accountable.”
She revealed that one of the administration’s first global cybersecurity initiatives will be a “cooperative effort to counter ransomware,” with this vector becoming increasingly prevalent. She noted: “This represents a national security threat for countries around the world because it can disrupt schools and hospitals and governments’ and companies’ abilities to deliver services. And because of the huge financial cost.”
Neuberger added that it is particularly concerning that ransomware actors are often able to strike by targeting known weaknesses, such as endpoint and software vulnerabilities.
Additionally, the increasing sophistication of ransomware groups, in terms of both their techniques, like the use of fileless malware, and their operational models, including the growth of double-extortion schemes, cannot be ignored. Neuberger commented: “International cooperation to address ransomware is critically important because transnational criminals are most often the perpetrators of these crimes and they often leverage global infrastructure and money laundering networks to do it.”
3. Prepare America’s Future Cybersecurity Posture
As well as focusing on securing today’s technology and infrastructure, Neuberger said another priority of the Biden administration is “to invest in and facilitate the innovation of tomorrow.” As such, the government’s American Jobs Plan has a proposal to invest $180bn in R&D emerging technologies. This covers areas like AI, quantum computing and micro-electronics.
This investment is vital for enhancing the US’s cyber-defenses, according to Neuberger. In particular, she highlighted the future importance of quantum computing in this regard. While this technology “promises to revolutionize certain unsolvable computing problems,” it will also “fundamentally disrupt cybersecurity and the technology platforms on which it’s built.”
This is because quantum computing offers malicious actors new vectors to compromise IT systems, with potentially “devastating” impacts on certain encryption methods, such as isometric encryption, which is “the foundation of our economic and national security communications.”
As such, the American Jobs Plan “reflects a commitment to accelerate US leadership in quantum computing and quantum information science more broadly,” which will help “protect the country from the adversarial use of these technologies.”
Neuberger concluded her talk by saying: “Bolstering the nation’s cybersecurity, safeguarding our critical infrastructure and renewing America’s advantages broadly are fundamental to the Biden administration’s commitment to our national security strategy.”
McAfee senior vice president and CTO, Steve Grobman, took to the virtual stage at RSA Conference on May 18 with a call to action: reconsider the perception of risk by looking at data, not headlines
Grobman claimed that often the information security industry falls into the trap of perceiving risk based on how threats are portrayed in the media.
“A scientific approach is needed to measure risk and help counteract bias,” he said. Groban used the example of a micromart as a way of doing this. A micromart is a unit of risk defined as one-in-a-million chance of death. “We can use micromort to challenge our intuition on what is actually risky and what isn’t,” he said.
“Many of our perceptions about risk in cyber are miscalibrated… We need to use science based on data to counteract the influence of social and traditional media and raw emotions,” Grobman warned.
“Organizations worry about all sorts of threats. Mass malware we see every hour. Spear-phishing attacks on critical employees we see every day. And the rare national state-directed attacks that have the potential to be devastating.
“One observation is that the frequency of an event is inversely proportionate to its impact.”
The impact of a cyber-event, said Grobman, “has multiple levels of nuance. We need to consider the impact to an organization independently from the global impact.”
He gave the examples of WannaCry and NotPetya, which had catastrophic effects and a global impact on numerous organizations around the world, as they spread fast and were highly disruptive. He also gave the example of other attacks that had a huge impact but only on a solo organization.
“We need to examine the different aspects of the damage that emanates from certain attacks, for example, indirect costs, such as regaining environmental integrity, which can be immense.”
“We need to understand the risk/reward benefits when we choose to engage in high-risk areas,” he continued.
Impact, Scale, Frequency
Grobman suggests a risk model that takes all factors into consideration. “Consider impact, scale and frequency. These are the three vectors that matter,” he explained. “This model is all about risk. Risk is the potential for negative outcome, whereas an event is a historical record of what has occurred. Past events don’t predict future outcomes.”Many of our perceptions about risk in cyber are miscalibrated… We need to use science based on data to counteract the influence of social and traditional media and raw emotionsSteve Grobman
However, Grobman advised, “they can provide data to scientifically access the likelihood of future scenarios” in order to understand how to prepare defenses.
McAfee did some research into how what we should worry about aligns with what we do worry about. “We analyzed traditional and social media along with the web activity of McAfee data related to threats. We found that many of the high-profile single organization targeted attacks saw a lot of attention.
“Whereas some campaigns such as trickbot get little media coverage, but organizations need to pay greater attention to them. They act as the catalyst for secondary, high impact attack scenarios.”
Media coverage can inform us about emerging global cyber events, said Grobman, “but we need a more science-based approach. We need to comprehensively evaluate the events that impact organizations.”
In addition, Grobman advises that good cyber-hygiene and good user education to prevent everyday threats, are incredibly important. “We need a combination of technology and cyber-operators to defeat the adversary, because no technology on its own can outsmart or outplay an advanced attacker.”
In conclusion, Gobman said it is critical that “the investments we do make have the strongest benefits compared to the risks they are mitigating.
“My call to action for you is this: let’s make the best cyber-defense decisions possible. Yes, watch the news and monitor your Twitter feed, but be hyper-conscious to counter-balance natural instinct reactions driven by media and hype and ensure that every trade-off and decision you make to defend your organization is based on data and objectivity.”