Elizabeth Buse joins F5 Networks Board of Directors

F5 Networks announced the appointment of Elizabeth Buse, former CEO of Monitise PLC, to its Board of Directors. Ms. Buse, 59, joins F5’s Board, effective today, and brings broad financial services industry expertise and public company board experience. With Ms. Buse’s appointment, F5’s Board expands to 12 members, 10 of whom are independent. “Elizabeth’s experience as a CEO of a global financial services technology company and her understanding of both the internal and consumer-facing application … More

The post Elizabeth Buse joins F5 Networks Board of Directors appeared first on Help Net Security.

Google removes 17 Joker-infected apps from the Play Store

Google this week removed 17 Android apps from its Play Store because they were infected with the Joker (aka Bread) malware, Zscaler revealed.

Security researchers from Zscaler spotted 17 apps in the Play Store that were infected with the Joker (Bread) malware.

Joker is malicious code that camouflages itself as a system app and allows attackers to perform a broad range of malicious operations, including disabling the Google Play Protect service, installing malicious apps, generating fake reviews, and showing ads.

The spyware is able to steal SMS messages, contact lists and device information, and to sign victims up for premium service subscriptions.

In October, Google removed 24 apps from Google Play because they were infected with Joker; the 24 malicious apps had a total of 472,000 installs.

In January, Google revealed that over the previous three years it had removed more than 1,700 Joker-infected apps from the Play Store.

In February, Check Point researchers discovered a new Joker clicker that had found a way to bypass the security checks and get published in the official Play Store.

In July, Google removed another batch of Joker-infected apps discovered by security researchers from Anquanke; the malicious applications had been active since March and allegedly infected millions of devices.

In early September, Google removed another six apps spotted by security researchers from Pradeo.

Now Google has removed 17 more Android apps, reported by Zscaler, from the Play Store.

“Our Zscaler ThreatLabZ research team has been constantly monitoring the Joker malware. Recently, we have seen regular uploads of it onto the Google Play store.” reads the post published by Zscaler. “Once notified by us, the Google Android Security team took prompt action to remove the suspicious apps (listed below) from the Google Play store.”

According to the experts, the 17 samples were uploaded to Google Play in September 2020 and had a total of 120,000 downloads.

Below is the list of the infected apps discovered on the Google Play store:

  • All Good PDF Scanner
  • Mint Leaf Message-Your Private Message
  • Unique Keyboard – Fancy Fonts & Free Emoticons
  • Tangram App Lock
  • Direct Messenger
  • Private SMS
  • One Sentence Translator – Multifunctional Translator
  • Style Photo Collage
  • Meticulous Scanner
  • Desire Translate
  • Talent Photo Editor – Blur focus
  • Care Message
  • Part Message
  • Paper Doc Scanner
  • Blue Scanner
  • Hummingbird PDF Converter – Photo to PDF
  • All Good PDF Scanner

The analysis published by Zscaler includes details about the tactics used by the Joker malware author to bypass the Google Play vetting process.

In the first delivery scenario detailed by the experts, some Joker variants received the final payload via a direct URL from the C2 server. In this variant, the C&C address was hidden in the code itself with string obfuscation.

In the second scenario, some infected apps used a stager payload to retrieve the final payload. Here the stager payload URL was embedded in the code, encrypted with the Advanced Encryption Standard (AES).

In the third scenario, some groups of infected Google Play apps used a two-stage download to retrieve the final payload: the infected app downloads the stage-one payload, which in turn downloads the stage-two payload, which finally loads the Joker payload.

Unlike in the previous two scenarios, the infected app contacts the C&C server for the stage-one payload URL, which the server hides in the Location header of its response.

Additional technical details, including Indicators of Compromise (IoCs), are included in the report published by Zscaler.

“We recommend paying close attention to the permission list in the apps that you install on your Android device. Always watch out for the risky permissions related to SMS, call logs, contacts, and more. Reading the comment or reviews on the app page also helps identify compromised apps.” concludes the report.
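The report's closing advice, turned into a check an analyst can run: the script below is an added example (not code from Zscaler or Security Affairs) that reads an AndroidManifest.xml decoded from an APK (for instance with apktool) and buckets the declared permissions by how useful they are to Joker-style SMS, contact and subscription fraud. The manifest is constructed for illustration, and the risk tiers are this example's assumptions, not an official Android or Zscaler ranking.

```python
"""Triage the permission list of a decoded AndroidManifest.xml.

Added example, not code from the Zscaler report. The sample manifest below is
constructed; the tiers in RISK_TIER are an assumption for this example.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS
PERMISSION_ATTR = "{%s}permission" % ANDROID_NS

RISK_TIER: Dict[str, str] = {
    # read or send SMS: premium-subscription fraud and OTP interception
    "android.permission.READ_SMS": "high",
    "android.permission.RECEIVE_SMS": "high",
    "android.permission.SEND_SMS": "high",
    # contact and call-log harvesting
    "android.permission.READ_CONTACTS": "high",
    "android.permission.READ_CALL_LOG": "high",
    # device fingerprinting, overlays, sideloading, notification sniffing
    "android.permission.READ_PHONE_STATE": "medium",
    "android.permission.SYSTEM_ALERT_WINDOW": "medium",
    "android.permission.REQUEST_INSTALL_PACKAGES": "medium",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "medium",
}

# Constructed manifest of a "document scanner" that asks for SMS and
# contact access it has no legitimate reason to need.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.pdfscanner">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <application android:label="PDF Scanner">
        <service android:name=".NotifListener"
            android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    </application>
</manifest>
"""


def declared_permissions(manifest_xml: str) -> List[str]:
    """Permissions the app requests (<uses-permission>) plus those it binds a
    component with (android:permission on a service/receiver), in manifest order.
    Notification-listener access is declared on the service, not as a
    uses-permission, which is why both places are checked."""
    root = ET.fromstring(manifest_xml)
    perms: List[str] = []
    for elem in root.iter():
        if elem.tag == "uses-permission":
            name = elem.get(NAME_ATTR)
        elif elem.tag in ("service", "receiver", "activity", "provider"):
            name = elem.get(PERMISSION_ATTR)
        else:
            name = None
        if name and name not in perms:
            perms.append(name)
    return perms


def triage(manifest_xml: str) -> Dict[str, List[str]]:
    """Bucket the declared permissions into high / medium / low tiers."""
    buckets: Dict[str, List[str]] = {"high": [], "medium": [], "low": []}
    for perm in declared_permissions(manifest_xml):
        buckets[RISK_TIER.get(perm, "low")].append(perm)
    return buckets


def needs_review(manifest_xml: str) -> bool:
    """True when the app asks for any high-tier permission: a scanner that
    wants SMS and contacts is exactly the mismatch the report warns about."""
    return bool(triage(manifest_xml)["high"])


if __name__ == "__main__":
    for tier, perms in triage(SAMPLE_MANIFEST).items():
        for perm in perms:
            print(f"{tier:6} {perm}")
    print("needs review:", needs_review(SAMPLE_MANIFEST))
```

The manifest is worth checking even though Joker fetches its real code at runtime: permissions are fixed at install time from the manifest, so a downloaded stage runs with exactly the permissions the host APK declared and cannot add new ones. The reverse does not hold; a manifest with only INTERNET and CAMERA does not prove the app clean, since ad fraud and dynamic code loading need nothing more than that.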

Pierluigi Paganini

(SecurityAffairs – hacking, Google Play)

The post Google removes 17 Joker-infected apps from the Play Store appeared first on Security Affairs.

Security Affairs newsletter Round 283

A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs free for you in your email box.

IPG Photonics high-performance laser developer hit with ransomware
Mozi Botnet is responsible for most of the IoT Traffic
Alleged Activision hack, 500,000 Call Of Duty players impacted
DHS CISA orders federal agencies to fix Zerologon flaw by Monday
Discount Rules for WooCommerce WordPress plugin gets patch once again
FERC, NERC joint report on cyber incident response at electric utilities
US House Passes IoT Cybersecurity Improvement Act
A member of The Dark Overlord group sentenced to 5 years in prison
CISA's advisory warns of notable increase in LokiBot malware
German investigators blame Russian DoppelPaymer gang for deadly hospital attack
Hackers hit Luxottica, production stopped at two Italian plants
Operation DisrupTor: police arrested 179 vendors engaged in the sale of illicit goods
Data for 600K customers of U.S. fitness chains Town Sports leaked online
Group-IB detects a series of ransomware attacks by OldGremlin
HOW DO PROVIDERS IMPLEMENT INTERNET BLOCKING IN BELARUS?
HOW OPERATORS USE SANDVINE TO BLOCK INDEPENDENT MEDIA IN EGYPT
Rogue employees at Shopify accessed customer info without authorization
Russia-linked APT28 targets govt bodies with fake NATO training docs
Samba addresses the CVE-2020-1472 Zerologon Vulnerability
Alien Android banking Trojan, the powerful successor of the Cerberus malware
Hackers are using Zerologon exploits in attacks in the wild
Instagram RCE gave hackers remote access to your device
Microsoft, Italy and the Netherlands agencies warn of EMOTET campaigns
CISA says federal agency compromised by malicious cyber actor
Cisco fixes 34 High-Severity flaws in IOS and IOS XE software
Fortinet VPN with default certificate exposes 200,000 businesses to hack
Polish police shut down major group of hackers in the country
Source Code of Windows XP, Server 2003 leaked
Twitter warns developers of possible API keys leak
A powerful DDoS attack hit Hungarian banks and telecoms services
Hackers stole more than $150 million from KuCoin cryptocurrency exchange
Victims of ThunderX ransomware can recover their files for free

Pierluigi Paganini

(SecurityAffairs – hacking, Newsletter)

The post Security Affairs newsletter Round 283 appeared first on Security Affairs.

Apple addresses four vulnerabilities in macOS

Apple this week released security updates to address a total of four vulnerabilities affecting macOS Catalina, High Sierra and Mojave.

Apple on Thursday announced that it had patched four vulnerabilities affecting macOS Catalina, High Sierra and Mojave.

“This document describes the security content of macOS Catalina 10.15.7, Security Update 2020-005 High Sierra, Security Update 2020-005 Mojave.” reads the advisory published by Apple.

One of the flaws addressed by Apple is an out-of-bounds read, tracked as CVE-2020-9973, that affects the Model I/O component. Exploitation involves the processing of a malicious USD file and could lead to arbitrary code execution or a DoS condition. This vulnerability was reported by the Cisco Talos researcher Aleksandar Nikolic and affects all versions of macOS.

The second issue addressed by Apple is an arbitrary code execution vulnerability, tracked as CVE-2020-9961, that affects the ImageIO component. Exploitation involves processing a malicious image file. This vulnerability was reported by the researcher Xingwei Lin from Ant Group Light-Year Security Lab and affects macOS High Sierra and Mojave.

The third flaw, tracked as CVE-2020-9968, affects the sandbox and can be exploited by a malicious application to access restricted files.

The issue was reported by Adam Chester of TrustedSec and affects all versions of macOS.

The fourth issue fixed in macOS, tracked as CVE-2020-9941, affects the Mail component in the High Sierra OS. The vulnerability can be exploited by a remote attacker to “unexpectedly alter application state.” The flaw was reported by researchers from the FH Münster University of Applied Sciences in Germany.

Pierluigi Paganini

(SecurityAffairs – hacking, Apple)

The post Apple addresses four vulnerabilities in macOS appeared first on Security Affairs.

Microsoft took down 18 Azure AD apps used by Chinese Gadolinium APT

Microsoft removed 18 Azure Active Directory applications from its Azure portal that were created by a Chinese-linked APT group Gadolinium.

Microsoft announced this week that it had removed 18 Azure Active Directory applications from its Azure portal that were created by a China-linked cyber espionage group tracked as Gadolinium (aka APT40 or Leviathan).

The 18 Azure AD apps were taken down by the IT giant in April; Microsoft also published a report with technical details about Gadolinium's operations.

“Microsoft took proactive steps to prevent attackers from using our cloud infrastructure to execute their attacks and suspended 18 Azure Active Directory applications that we determined to be part of their malicious command & control infrastructure.” states Microsoft’s report.

Gadolinium abuses Microsoft cloud services as command-and-control infrastructure. The experts uncovered a spear-phishing campaign using messages with weaponized attachments.

The threat actor uses a multi-stage infection process and heavily leverages PowerShell payloads. In mid-April 2020, the Gadolinium actors launched a COVID-19-themed campaign; opening the attachments infected the target’s system with PowerShell-based malware payloads.

Once a computer was infected, the threat actors used the PowerShell malware to install one of the 18 Azure AD apps.

The hackers used an Azure Active Directory application to configure the victim endpoint with the permissions needed to exfiltrate data to a Microsoft OneDrive storage account under their control.

“The use of this PowerShell Empire module is particularly challenging for traditional SOC monitoring to identify. The attacker uses an Azure Active Directory application to configure a victim endpoint with the permissions needed to exfiltrate data to the attacker’s own Microsoft OneDrive storage.” continues the analysis. “From an endpoint or network monitoring perspective the activity initially appears to be related to trusted applications using trusted cloud service APIs and, in this scenario, no OAuth permissions consent prompts occur.”

Microsoft also took down a GitHub account that was used by the Gadolinium group as part of a 2018 campaign.

Microsoft’s report also includes Indicators of Compromise (IoCs) for the Gadolinium campaign.
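The report's point is that the exfiltration looks like trusted applications using trusted cloud APIs, and that no consent prompt fires in the victim tenant because the app and the OneDrive belong to the attacker. Two things a SOC can still see are which process is talking to the Microsoft identity, Graph and OneDrive endpoints, and which Azure AD tenant a token is being requested from. The script below is an added hunting example (not Microsoft's detection logic or code from its report) that scores EDR-style network events on exactly those traits. The events, the tenant ID and the OneDrive host are constructed; the process allowlist, weights and alert threshold are this example's assumptions.

```python
"""Hunt for Gadolinium-style OneDrive C2 in endpoint network telemetry.

Added example, not Microsoft's tooling. The sample events, OUR_TENANT_ID and
OUR_ONEDRIVE_HOST are constructed; EXPECTED_PROCESSES, the weights and
ALERT_THRESHOLD are assumptions to be tuned against a real baseline.
"""
import re
from typing import Dict, List

OUR_TENANT_ID = "11111111-2222-3333-4444-555555555555"   # constructed placeholder
OUR_ONEDRIVE_HOST = "contoso-my.sharepoint.com"          # constructed placeholder

IDENTITY_HOST = "login.microsoftonline.com"
GRAPH_HOST = "graph.microsoft.com"
ONEDRIVE_SUFFIX = "-my.sharepoint.com"

# Processes expected to talk to these hosts on a managed workstation (assumption).
EXPECTED_PROCESSES = {
    "outlook.exe", "onedrive.exe", "msedge.exe", "chrome.exe",
    "teams.exe", "winword.exe", "excel.exe",
}
ALERT_THRESHOLD = 3  # assumption

# Token endpoints look like /{tenant}/oauth2/token or /{tenant}/oauth2/v2.0/token;
# {tenant} is a GUID or one of the tenant-agnostic aliases.
TENANT_RE = re.compile(
    r"^/(?P<tenant>[0-9a-f-]{36}|common|organizations|consumers)/oauth2/",
    re.IGNORECASE,
)
# Graph / OneDrive simple-upload paths end in ":/content" or "/content".
UPLOAD_RE = re.compile(r"/drives?/.*/content$", re.IGNORECASE)

# Constructed EDR-style events: originating process, destination host,
# HTTP method and URL path.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"process": "OneDrive.exe", "host": OUR_ONEDRIVE_HOST, "method": "PUT",
     "path": "/personal/alice_contoso_com/_api/v2.0/drive/root:/Documents/q3.xlsx:/content"},
    {"process": "msedge.exe", "host": IDENTITY_HOST, "method": "POST",
     "path": f"/{OUR_TENANT_ID}/oauth2/v2.0/token"},
    {"process": "powershell.exe", "host": IDENTITY_HOST, "method": "POST",
     "path": "/common/oauth2/token"},
    {"process": "powershell.exe", "host": GRAPH_HOST, "method": "PUT",
     "path": "/v1.0/me/drive/root:/sync/report.zip:/content"},
    {"process": "powershell.exe", "host": IDENTITY_HOST, "method": "POST",
     "path": "/9f8e7d6c-5b4a-3928-1706-f5e4d3c2b1a0/oauth2/token"},
    {"process": "Teams.exe", "host": GRAPH_HOST, "method": "GET",
     "path": "/v1.0/me"},
]


def score_event(event: Dict[str, str]) -> Dict:
    """Return {process, host, score, reasons} for a cloud identity/storage
    event with at least one suspicious trait, otherwise an empty dict."""
    host = event["host"].lower()
    is_onedrive = host.endswith(ONEDRIVE_SUFFIX)
    if host not in (IDENTITY_HOST, GRAPH_HOST) and not is_onedrive:
        return {}
    process = event["process"].lower()
    reasons: List[str] = []
    score = 0

    if process not in EXPECTED_PROCESSES:
        reasons.append(f"unexpected process {process} talking to {host}")
        score += 2

    if host == IDENTITY_HOST:
        match = TENANT_RE.match(event["path"])
        tenant = match.group("tenant").lower() if match else ""
        if tenant in ("common", "organizations", "consumers"):
            # Tenant is not visible in the URL; the client_id in the POST body
            # (rarely logged by proxies) is what identifies the app.
            reasons.append(f"token request via /{tenant}/: tenant not visible, correlate client_id")
            score += 1
        elif tenant and tenant != OUR_TENANT_ID:
            reasons.append(f"token requested from foreign tenant {tenant}")
            score += 3

    if is_onedrive and host != OUR_ONEDRIVE_HOST:
        reasons.append(f"OneDrive host {host} outside the organization")
        score += 3

    if event["method"].upper() == "PUT" and UPLOAD_RE.search(event["path"]):
        reasons.append("file upload to cloud storage")
        score += 1

    if not reasons:
        return {}
    return {"process": process, "host": host, "score": score, "reasons": reasons}


def hunt(events: List[Dict[str, str]]) -> List[Dict]:
    """Score every event and return those at or above ALERT_THRESHOLD,
    highest score first (ties keep input order)."""
    findings = [f for f in (score_event(e) for e in events)
                if f and f["score"] >= ALERT_THRESHOLD]
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(f"[{finding['score']}] {finding['process']} -> {finding['host']}")
        for reason in finding["reasons"]:
            print("    -", reason)
```

The foreign-tenant check is the strongest signal because the attacker's app lives in the attacker's own tenant, but it only works when the token request names a tenant GUID; a request through /common/ hides it, and then the originating process (here powershell.exe) and the subsequent Graph upload are what remain, which is why the example scores them together rather than alerting on any one trait.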

Pierluigi Paganini

(SecurityAffairs – hacking, Gadolinium)

The post Microsoft took down 18 Azure AD apps used by Chinese Gadolinium APT appeared first on Security Affairs.

Week in review: Infosec career misconceptions and challenges, early warning signs of ransomware

Here’s an overview of some of last week’s most interesting news and articles: CISA orders federal agencies to implement Zerologon fix If you had any doubts about the criticality of the Zerologon vulnerability (CVE-2020-1472) affecting Windows Server, here is a confirmation: the US Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive instructing federal agencies to “immediately apply the Windows Server August 2020 security update to all domain controllers.” What are the traits … More

The post Week in review: Infosec career misconceptions and challenges, early warning signs of ransomware appeared first on Help Net Security.

Microsoft Shutters Azure Apps Used by China-Linked Hackers

Researchers: Hacking Group Used Cloud Infrastructure for Phishing Attacks
Microsoft removed 18 apps from its Azure cloud platform that were being used by hackers as part of their command-and-control infrastructure, according to company researchers. The threat group, called Gadolinium, was abusing the infrastructure to launch phishing email attacks.

A powerful DDoS attack hit Hungarian banks and telecoms services

Hungarian financial institutions and telecommunications infrastructure were hit by a powerful DDoS attack originating from servers in Russia, China and Vietnam.

A powerful DDoS attack hit some Hungarian banking and telecommunication services and briefly disrupted them. According to telecoms firm Magyar Telekom, the attack took place on Thursday and was launched from servers in Russia, China and Vietnam.

Magyar Telekom said the attack was very powerful, one of the biggest cyberattacks ever to hit Hungary.

“The volume of data traffic in the attack was 10 times higher than the amount usually seen in DDoS events, the company said.” reported the Reuters agency.

“That means that this was one of the biggest hacker attacks in Hungary ever, both in its size and complexity.” reads a statement issued by the company.

“Russian, Chinese and Vietnamese hackers tried to launch a DDoS attack against Hungarian financial institutions, but they tried to overwhelm the networks of Magyar Telekom as well,”

The distributed denial-of-service attack disrupted the services of some banks in the country and caused temporary interruptions in Magyar Telekom’s services in certain parts of the capital, Budapest.

The cyber attack was also confirmed by the Hungarian bank OTP Bank in a statement.

“There was a DDoS attack on telecom systems serving some of the banking services on Thursday,” reads the statement issued by the bank.

“We repelled the attempt together with Telekom that was also affected and the short disruption in some of our services ended by Thursday afternoon.”

Pierluigi Paganini

(SecurityAffairs – hacking, Hungary)

The post A powerful DDoS attack hit Hungarian banks and telecoms services appeared first on Security Affairs.

Victims of ThunderX ransomware can recover their files for free

Good news for the victims of the ThunderX ransomware, cybersecurity firm Tesorion has released a decryptor to recover their files for free.

Cybersecurity firm Tesorion has released a free decryptor for the ThunderX ransomware that allows victims to recover their files.

ThunderX is a ransomware strain that appeared in the threat landscape recently; infections were first discovered at the end of August 2020.

Researchers developed the decryptor after discovering a bug in the encryption process implemented by the threat.

The decryptor can recover for free files encrypted by the current version of ThunderX, which appends the .tx_locked extension to the names of the encrypted files.

To recover their files, victims have to upload a copy of the readme.txt ransom note and an encrypted file to receive a decryption key.

The decryptor can be downloaded from the website of the NoMoreRansom project, which has already helped victims of multiple ransomware families avoid paying more than one hundred million in ransom.

When the decryption process is complete, the decryptor shows a summary of the files successfully recovered and of those for which recovery failed.

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

The post Victims of ThunderX ransomware can recover their files for free appeared first on Security Affairs.

8 Ways to Help Senior Adults Stay Safe Online These Days


Technology has come in handy for most of us during these days of pandemic distancing. But for the at-risk, homebound senior population, technology has been a lifeline connecting them to family members, online services, and healthcare. Still, this unprecedented shift to virtual life has also come with potential risks that seniors and their families should keep in mind.

According to a Pew study, senior adults continue to become more digitally connected, but adoption rates continue to trail younger users, and digital divides remain. The study also revealed that 77% of older adults needed assistance when it came to learning how to use technology.

If you are a senior or someone helping a senior become more tech-savvy, online safety should be a priority. Here are just some of the risks seniors may encounter and some helpful ways to stay safe.

Secure home routers and devices. Be sure to change your router’s default username and password to something strong and unique. Also, change the default passwords of any connected device before connecting it to your home network. IoT (Internet of Things) devices are all the technologies under your roof that can connect, such as security systems, healthcare monitors, hearing aids, and smart TVs. These technologies are embedded with sensors or software that can connect and exchange data with other household devices, and each must be secured to close privacy gaps. There are also routers with embedded security that help protect the home from threats, no matter what device is connected to the home network.

Use strong passwords. Strong passwords are essential for in-home devices, personal devices, social media sites, and any healthcare or banking portal. A strong, unique password for each account is also a front-line defense against identity theft and fraud. For seniors, keeping track of many passwords can be hard. Comprehensive security software often includes a password manager, which makes it easier to create strong passwords and store them safely.

Avoid scams. There are a number of scams that target seniors. Phishing scams are emails that look legitimate and end up taking millions from seniors every year. For this reason, never click on suspicious links that appear to come from government agencies, banks, hospitals, brokerages, charities, or bill collectors unless you are certain they are legitimate. Scammers use these malicious links to con people into giving away cash or personal data that can be used to create a number of fraudulent accounts. Consider protecting all personal devices with a comprehensive security solution.

Use a personal VPN. A Virtual Private Network (VPN) encrypts (or scrambles) your data between your device and the VPN provider, so that someone on the same network, for instance in a café or hotel, cannot read your browsing or banking traffic. It does not stop phishing or a fraudulent website, so the other tips here still apply. To learn about VPNs, watch this video.

Beware of dating scams. People aren’t always who they appear to be online. And while dating scams can happen to any age group, they can be especially harmful to a vulnerable senior who may be lonely and living on a limited income. Love scam red flags: Beware of people who claim to be from the U.S. but often travel or work overseas. Also, avoid people who profess their love too quickly, share personal struggles too soon, and never meet face-to-face.

Take a closer look. Fraudulent websites look very real these days. A secure website will have “https” in the browser’s address bar. The “s” stands for “secure”: it means the connection to the site is encrypted, so nobody on the network can read what you send. It does not mean the site itself is honest; scam sites can and do use https too. If the web address or URL is just http, don’t enter payment or personal details on it. Still unsure? Read reviews of the site from other users before making a purchase. Never send cash, a cashier’s check, or a personal check to any online vendor. If purchasing, always use a credit card in case there is a dispute.

Never share personal data. Be wary of emails or websites that require you to give personal information, such as your social security number, phone number, account details, or family information. This includes those fun social media quizzes, which are also ways that cybercriminals can find out your personal details, such as a pet’s name, the year you were born, or your home town. All those pieces of personal data can be used to commit identity theft.

Monitor financial accounts. Nowadays, it’s essential to review all financial statements for fraudulent activity. If suspicious activity is found, report it to your bank or credit card account immediately. It’s also a good idea to put a credit alert on your accounts to detect potential fraud.

This unique time has issued unique challenges to every age group. However, if you know a senior, keep their potential technology needs in mind. Check in from time to time and offer your help. If you are a tech-savvy senior (and I know many), consider reaching out to peers who may be struggling and afraid to ask. In addition, YouTube has a number of easy-to-understand videos on any tech question. In addition, both Apple and Microsoft stores offer free advice on their products and may also help. Just be sure to visit their official websites to reach legitimate tech support channels.

The post 8 Ways to Help Senior Adults Stay Safe Online These Days appeared first on McAfee Blogs.

Hackers stole more than $150 million from KuCoin cryptocurrency exchange

Singapore-based cryptocurrency exchange KuCoin disclosed a security breach, hackers stole $150 million from its hot wallets.

Singapore-based cryptocurrency exchange KuCoin disclosed a major security incident: hackers breached its hot wallets and drained funds worth around $150 million.

Deposits and withdrawals have been temporarily suspended while the company investigates the security incident.

“We detected some large withdrawals since September 26, 2020 at 03:05:37 (UTC+8). According to the latest internal security audit report, part of Bitcoin, ERC-20 and other tokens in KuCoin’s hot wallets were transferred out of the exchange, which contained few parts of our total assets holdings.” reads a statement published by the company. “The assets in our cold wallets are safe and unharmed, and hot wallets have been re-deployed.”

A hot wallet is any cryptocurrency wallet that is connected to the internet, which makes it more exposed to cyber attacks.

Hot wallets are used as temporary storage for assets that are currently being traded on the exchange.

Cold storage refers to any cryptocurrency wallet that is not connected to the internet, which is why it is considered more secure. Exchanges typically keep only a small share of their assets in hot wallets and the bulk in cold storage, which is why KuCoin says the stolen funds were only a small part of its holdings.

KuCoin discovered the security breach on September 26 when its staff noticed some large withdrawals from its hot wallets.

The exchange immediately investigated the anomalous operations and discovered the cyber heist of Bitcoin assets, ERC-20-based tokens, along with other cryptocurrencies.

The overall amount of funds stolen by the hackers is greater than $150 million, based on an Ethereum address to which the stolen funds were transferred.

Today (September 26, 2020), KuCoin CEO Johnny Lyu will provide additional details about the incident in a live stream at 12:30 (UTC+8).

The exchange plans to refund its users using its cold wallets.

This incident is one of the biggest hacks ever reported; below is a list of the most prominent incidents.

Pierluigi Paganini

(SecurityAffairs – hacking, Norway)

The post Hackers stole more than $150 million from KuCoin cryptocurrency exchange appeared first on Security Affairs.

Weekly Update 210


Wow, 4 years already. Regardless of where I've been in the world or the stresses that have been going on in my personal life, every single week without exception there's been a video. This makes 210 of them now, and these days they're live from a much more professional setup in a location that has absolutely no chance of changing for the foreseeable future. Not exactly the way I saw things panning out 4 years ago, but I guess we've all been a bit blindsided on that front. Anyway, on with the show and there's not a lot on the professional front this week due to downtime with the kids over their holidays, but some good audience questions I hope people enjoy. Next week - something I'm very excited about and it has absolutely nothing to do with tech 😊


References

  1. I've done this video every single week for 4 years, no matter where I've been (that's a link to the first one ever - same same but different)
  2. I've been replacing external Ubiquiti access points with in-wall units... and they're awesome! (I'll gradually go through the house and replace all the wall sockets with these)
  3. Was Activision "hacked" or do people just choose bad passwords? (without evidence to the contrary, my money is on the latter)
  4. Sponsored by: Join the Microsoft Reactor community for workshops, panels and events to expand your skillset across a range of technologies and topic areas

Emotet Trojan is back as the world unlocks

The Emotet Trojan has been in the wild for more than five years, and now it is back after a five-month break. It has spread globally, infecting new as well as old targets, and has been relaunched with multiple malspam campaigns targeting all sectors. We…

Yesterday was a dress rehearsal – It’s time to confront real uncertainty

Business leaders are expected to make big decisions. This is especially true in uncertain times when many might lack the boldness to move forward. With COVID-19, timelines have been crushed as overnight a huge percentage of employees have been relocated to home offices. Suddenly, leaders find they no longer have weeks or months to make…

The post Yesterday was a dress rehearsal - It’s time to confront real uncertainty first appeared on IT World Canada.

Source Code of Windows XP, Server 2003 leaked

The source code for Microsoft’s Windows XP and Windows Server 2003 operating systems was published as a torrent file on bulletin board website 4chan.

The source code for Microsoft’s Windows XP and Windows Server 2003 operating systems was published as a torrent file on the bulletin board website 4chan. This is the first time that the source code of Microsoft’s 19-year-old operating system has been leaked online.

The leaker, who uses the moniker billgates3, claims to have collected the source code over the course of the last few months.

The leaker also added that the source code for multiple Microsoft operating systems has been circulating in the hacking community for years.

“I created this torrent for the community, as I believe information should be free and available to everyone, and hoarding information for oneself and keeping it secret is an evil act in my opinion,” the leaker said. “[Microsoft] claims to love open source so then I guess they’ll love how open this source code is now that it’s passed around on BitTorrent.”

The collection of torrent files leaked online is 43GB in size and includes the source code for Windows Server 2003 and other older operating systems developed by Microsoft, including:

  • Windows 2000
  • Windows CE 3 
  • Windows CE 4 
  • Windows CE 5 
  • Windows Embedded 7
  • Windows Embedded CE
  • Windows NT 3.5
  • Windows NT 4
  • MS-DOS 3.30 
  • MS-DOS 6.0

According to multiple media reports, the leaked Windows XP code relates to the SP1 version.

The torrent collection also includes the source code of some Windows 10 internal builds, along with the source code for the first Xbox OS, which was first leaked online in May.

Even though Windows XP has reached end of life, the popular OS is still running on roughly one percent of computers worldwide.

The availability of the Windows XP source code could allow threat actors to search for zero-day issues that could be exploited in attacks against the tens of millions of PCs that still run the OS.

Pierluigi Paganini

(SecurityAffairs – hacking, Microsoft Windows XP)

The post Source Code of Windows XP, Server 2003 leaked appeared first on Security Affairs.

Facebook Removes More Accounts Linked to Russia

Latest Social Media Crackdown Comes As FBI Issues Fresh Warning on Election Interference
Facebook is again cracking down on fake accounts and pages linked to a Russian IRA troll farm or the country's military intelligence units that were being used for disinformation campaigns. Meanwhile, the FBI issued a fresh warning that threat actors are attempting to target U.S. voting infrastructure.

Threat Roundup for September 18 to September 25

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between September 18 and September 25. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Read More

Reference

20200925-tru.json – this is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.

The post Threat Roundup for September 18 to September 25 appeared first on Cisco Blogs.

Industrial Cyberattacks Get Rarer but More Complex

The first half of 2020 saw decreases in attacks on most ICS sectors, but oil/gas firms and building automation saw upticks.

Texas Software Provider Reports Cyber-attack


A cyber-attack has struck a Texas company that provides software services to schools and state and local governments across the United States.

Tyler Technologies notified customers on September 23 that its phone and computer systems had been compromised by a bad actor. 

Since the incident, the website of the company has carried the message: "Our Tyler Technologies corporate website is temporarily unavailable. We are aware of the issue and are working to bring the site back online."

Customers are advised to visit Tyler's Online Support Incidents tool for online support access.

In an email sent out to customers, the Plano-based company said that the cyber-incident was uncovered on Wednesday morning. The help of external IT specialists was subsequently enlisted by the company, and law enforcement was informed of the attack.

“Upon discovery and out of an abundance of caution, we shut down points of access to external systems and immediately began investigating and remediating the problem,” Tyler’s chief information officer, Matt Bieri, told KrebsonSecurity.

"We have since engaged outside IT security and forensics experts to conduct a detailed review and help us securely restore affected equipment. We are implementing enhanced monitoring systems, and we have notified law enforcement.”

Bieri went on to say that the extent of the attack appeared to be limited to the company's internal network and phone systems. 

“We currently have no reason to believe that any client data, client servers, or hosted systems were affected,” said Bieri.

Yesterday, Tyler confirmed that the attack had involved ransomware. A statement on the company's website reads: "We have confirmed that the malicious software the intruder used was ransomware. Because this is an active investigation, we will not provide any additional specifics relating to our incident response or our investigation at this time." 

Tyler Technologies employs around 5,300 people. Last year the company brought in revenues of more than $1bn. 

Products sold by the company include appraisal and tax software, public safety software, integrated software for courts and justice agencies, records/document management software solutions, enterprise financial software systems, and transportation software solutions for schools.

Friday Squid Blogging: COVID-19 Found on Chinese Squid Packaging

I thought the virus doesn’t survive well on food packaging:

Authorities in China’s northeastern Jilin province have found the novel coronavirus on the packaging of imported squid, health authorities in the city of Fuyu said on Sunday, urging anyone who may have bought it to get themselves tested.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Read my blog posting guidelines here.

Migrating an entire university to the cloud, during a pandemic: lessons learned

Read about how Canada's Athabasca University (AU) in Alberta doubled down on virtual education, from the perspective of the school's CIO, Jennifer Schaeffer.

The post Migrating an entire university to the cloud, during a pandemic: lessons learned first appeared on IT World Canada.

Twitter warns developers of possible API keys leak

Twitter is warning developers that their API keys, access tokens, and access token secrets may have been exposed in a browser’s cache.

According to the social media firm, the browser used by developers may have cached the sensitive data while accessing certain pages on developer.twitter.com.

The developer.twitter.com portal allows developers to manage their apps and attached API keys, along with the access token and secret key for their account.

Twitter has already fixed the problem by preventing the browser from caching these pages; the notification is meant to warn developers that anyone who used the same machine after them may have been able to read the cached keys and tokens.

With those keys and tokens, an attacker could act as the developer's app and access the data of the associated account.

“Prior to the fix, if you used a public or shared computer to view your developer app keys and tokens on developer.twitter.com, they may have been temporarily stored in the browser’s cache on that computer.” reads the message sent by Twitter via mail. “If someone who uses the same computer after you in that temporary timeframe knew how to access a browser’s cache, and knew what to look for, it is possible they could have accessed the keys and tokens that you viewed.”

“Depending on what pages you visited and what information you looked at, this could have included your app consumer API keys, as well as the user access token and secret for your own Twitter account.”

The company said it has no evidence that developer app keys and tokens were compromised, but it nevertheless recommends regenerating API keys and access tokens.

A similar issue was disclosed by Twitter in April, when the company announced that private files sent via direct messages might have been stored in the browser cache of Firefox users.
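The mechanism behind both Twitter incidents is the HTTP cache: a page that renders secrets is written to disk unless the response says `Cache-Control: no-store`. The following Go example is added here to show the check a practitioner would run over such a response; it is not Twitter's code, and the page does not say which header Twitter's fix actually sends, so the `SecretPageHeaders` helper is an assumed remediation. The parser handles the directive forms the browser accepts (case-insensitive names, quoted arguments, multiple header lines), and the decision function deliberately treats `no-cache` and `private` as insufficient, because neither forbids the browser from storing the body.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// cacheDirectives parses one Cache-Control header value into a
// lowercase directive -> argument map. Quoted arguments are unquoted;
// directives without an argument map to "".
func cacheDirectives(value string) map[string]string {
	out := map[string]string{}
	for _, part := range strings.Split(value, ",") {
		part = strings.TrimSpace(part)
		if part == "" {
			continue
		}
		nameArg := strings.SplitN(part, "=", 2)
		name := strings.ToLower(strings.TrimSpace(nameArg[0]))
		arg := ""
		if len(nameArg) == 2 {
			arg = strings.Trim(strings.TrimSpace(nameArg[1]), `"`)
		}
		out[name] = arg
	}
	return out
}

// BrowserMayStore reports whether a browser's HTTP cache is permitted to
// write the response body to disk. Only "no-store" forbids storage:
// "no-cache" merely forces revalidation before reuse and "private" only
// keeps shared caches out, so a secret-bearing page carrying just those
// can still be read back from the cache by the next user of the machine.
func BrowserMayStore(h http.Header) bool {
	for _, v := range h.Values("Cache-Control") {
		if _, ok := cacheDirectives(v)["no-store"]; ok {
			return false
		}
	}
	return true
}

// SecretPageHeaders sets the headers a page that renders API keys or
// tokens should send (assumed remediation, not Twitter's actual change).
func SecretPageHeaders(h http.Header) {
	h.Set("Cache-Control", "no-store, max-age=0")
	h.Set("Pragma", "no-cache") // legacy directive for HTTP/1.0 intermediaries
	h.Set("Expires", "0")
}

func main() {
	// Constructed headers: the weak response and the corrected one.
	weak := http.Header{"Cache-Control": {"private, no-cache"}}
	fixed := http.Header{}
	SecretPageHeaders(fixed)
	fmt.Printf("weak page storable:  %v\n", BrowserMayStore(weak))
	fmt.Printf("fixed page storable: %v\n", BrowserMayStore(fixed))
}
```

Run it against a real response by feeding `resp.Header` from `net/http` to `BrowserMayStore`; any page that displays keys, tokens or secrets and returns `true` is a candidate for the same class of exposure.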

Pierluigi Paganini

(SecurityAffairs – hacking, privacy)

The post Twitter warns developers of possible API keys leak appeared first on Security Affairs.

US Federal Agency Compromised by Cyber-Actor

A warning has been issued by America's Cybersecurity and Infrastructure Security Agency (CISA) after a malicious cyber-actor compromised a United States federal agency.

The attacker used valid log-in credentials for multiple users’ Microsoft Office 365 accounts and domain administrator accounts to gain access to the agency's enterprise network. Once inside, the bad actor infected the network with sophisticated malware.

"By leveraging compromised credentials, the cyber threat actor implanted sophisticated malware—including multi-stage malware that evaded the affected agency’s anti-malware protection—and gained persistent access through two reverse Socket Secure (SOCKS) proxies that exploited weaknesses in the agency’s firewall," said CISA in a statement released yesterday.

CISA was alerted to a potential compromise of a federal agency's network via EINSTEIN, an intrusion detection system that monitors federal civilian networks.

Malicious activity was confirmed during an investigation launched by CISA in conjunction with the affected agency.

Investigators found that the threat actor logged into a user's Office 365 account remotely, browsed pages on a SharePoint site and downloaded a file. The actor then made multiple TCP connections to the victim organization's virtual private network (VPN) server.

“Immediately afterward, the threat actor used common Microsoft Windows command line processes—conhost, ipconfig, net, query, netstat, ping and whoami, plink.exe—to enumerate the compromised system and network,” stated CISA.

The attacker copied files and exfiltrated them through a Microsoft Windows Terminal Services client, and created a backdoor to retain access.

CISA analysts were not able to determine how the threat actor initially obtained the credentials used in the attack, but they did point to one likely route: Pulse Secure.

"It is possible the cyber actor obtained the credentials from an unpatched agency VPN server by exploiting a known vulnerability—CVE-2019-11510—in Pulse Secure," stated CISA, adding that it "has observed wide exploitation of CVE-2019-11510 across the federal government."

The vulnerability allows a remote, unauthenticated attacker to retrieve arbitrary files, including ones containing passwords. Pulse Secure released patches in April 2019 for several critical vulnerabilities, including CVE-2019-11510.
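The enumeration sequence CISA quotes above (ipconfig, net, query, netstat, ping, whoami, then plink.exe for the reverse SOCKS tunnels) is exactly the kind of burst a process-creation feed can catch. The Go example below is added as an illustration of that detection logic; it is not CISA's or the agency's tooling. The log format (`<RFC3339 time> <host> <image path>`) and the sample lines are constructed for the example, the ten-minute window and the four-tool threshold are assumptions, and conhost.exe is left out of the watch list on purpose because it starts alongside every console process and would only add noise.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// ProcEvent is one process-creation record (host, start time, image name).
type ProcEvent struct {
	Host  string
	When  time.Time
	Image string
}

// reconImages are the enumeration commands CISA listed, plus plink.exe,
// which carried the actor's reverse SOCKS tunnels. conhost.exe is omitted
// because it spawns for every console process.
var reconImages = map[string]bool{
	"ipconfig.exe": true, "net.exe": true, "query.exe": true, "netstat.exe": true,
	"ping.exe": true, "whoami.exe": true, "plink.exe": true,
}

// SampleLines are constructed process-creation records, not real telemetry.
var SampleLines = []string{
	"2020-09-24T10:02:11Z ws-42 C:\\Windows\\System32\\ipconfig.exe",
	"2020-09-24T10:02:40Z ws-42 C:\\Windows\\System32\\net.exe",
	"2020-09-24T10:03:05Z ws-42 C:\\Windows\\System32\\query.exe",
	"2020-09-24T10:03:30Z ws-42 C:\\Windows\\System32\\netstat.exe",
	"2020-09-24T10:04:02Z ws-42 C:\\Windows\\System32\\whoami.exe",
	"2020-09-24T10:09:47Z ws-42 C:\\Users\\Public\\plink.exe",
	"2020-09-24T08:15:00Z ws-07 C:\\Windows\\System32\\ping.exe",
	"2020-09-24T15:40:00Z ws-07 C:\\Windows\\System32\\ipconfig.exe",
	"garbage line",
}

// ParseEvents reads "<RFC3339 time> <host> <image path>" lines, normalises
// the image to its lowercase basename, and skips malformed lines.
func ParseEvents(lines []string) []ProcEvent {
	var out []ProcEvent
	for _, l := range lines {
		f := strings.Fields(l)
		if len(f) < 3 {
			continue
		}
		ts, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			continue
		}
		img := f[2]
		if i := strings.LastIndexAny(img, `\/`); i >= 0 {
			img = img[i+1:]
		}
		out = append(out, ProcEvent{Host: f[1], When: ts, Image: strings.ToLower(img)})
	}
	return out
}

// Finding names a flagged host, the distinct recon tools seen in the
// densest window, and whether plink.exe ran at all.
type Finding struct {
	Host  string
	Tools []string
	Plink bool
}

// Detect flags a host when at least minDistinct distinct recon tools run
// within window of each other, or when plink.exe runs at all. It returns
// one finding per host, sorted by host name.
func Detect(events []ProcEvent, window time.Duration, minDistinct int) []Finding {
	byHost := map[string][]ProcEvent{}
	for _, e := range events {
		if reconImages[e.Image] {
			byHost[e.Host] = append(byHost[e.Host], e)
		}
	}
	var findings []Finding
	for host, evs := range byHost {
		sort.Slice(evs, func(i, j int) bool { return evs[i].When.Before(evs[j].When) })
		f := Finding{Host: host}
		for i := range evs {
			seen := map[string]bool{}
			for j := i; j < len(evs) && evs[j].When.Sub(evs[i].When) <= window; j++ {
				seen[evs[j].Image] = true
			}
			if len(seen) > len(f.Tools) { // keep the densest window
				f.Tools = nil
				for img := range seen {
					f.Tools = append(f.Tools, img)
				}
				sort.Strings(f.Tools)
			}
			if evs[i].Image == "plink.exe" {
				f.Plink = true
			}
		}
		if f.Plink || len(f.Tools) >= minDistinct {
			findings = append(findings, f)
		}
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].Host < findings[j].Host })
	return findings
}

func main() {
	for _, f := range Detect(ParseEvents(SampleLines), 10*time.Minute, 4) {
		fmt.Printf("%s: %d recon tools %v, plink=%v\n", f.Host, len(f.Tools), f.Tools, f.Plink)
	}
}
```

In production the same rule would read Sysmon event 1 or Windows 4688 records; the window-and-threshold design is what keeps a single administrator's `ipconfig` from paging anyone while the actor's five-tool burst still does.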

No details of when the attack took place or which agency was compromised have been released. 

Ring’s Flying In-Home Camera Drone Escalates Privacy Worries

Privacy fears are blasting off after Amazon's Ring division unveiled the new Always Home Cam, a smart home security camera drone.

Why Encrypted Chat Apps Aren’t Replacing Darknet Markets

Many Vendors of Illegal Drugs, Weapons, Hacking Tools Prefer Markets
With so many cybercrime markets continuing to disappear, why haven't encrypted messaging apps stepped in to fill the gap? They might seem to be the perfect solution to admins stealing buyers' and sellers' cryptocurrency - via an exit scam - or police infiltration. But encrypted apps have their own downsides.

Student Arrested Over Cyber-attacks on Indiana Schools

A 13-year-old boy has been arrested in the United States after allegedly hacking into an Indiana school district's computer system. 

The unnamed teen was arrested after repeated cyber-attacks were launched against Valparaiso Community Schools. 

School officials reported regular assaults on the district's e-learning systems that disrupted instruction by causing students to become disconnected from their virtual classrooms. 

The alleged hacker is a student at Benjamin Franklin Middle School, a highly rated public school with 820 students and a student-teacher ratio of 18 to 1. 

Police confirmed on September 18 that they had taken the boy into custody on September 17 after school officials discovered he had illegally entered the Valparaiso Community School computer system.

Valparaiso police captain Joe Hall said that the boy is believed to be behind a series of cyber-attacks that have struck schools in the district since the pandemic triggered a shift to online learning. 

The defendant was transported to the Porter County Juvenile Detention Center, where he was charged under a new law, Indiana Code 35-32-1-8 (offense against computer users), a Level 6 felony.

Interim School Superintendent Michael Berta said no evidence had been found to suggest that the boy had been working with any accomplices when he allegedly carried out the cybercrimes. 

Berta said by disrupting the e-learning programs introduced in an effort to slow the spread of COVID-19, whoever was responsible had made an already challenging situation even more difficult. 

He added that since the boy's arrest, the disruptions to e-learning had ceased. 

"This has been a very frustrating situation," he told The Times. "We're looking forward to moving on."

Parents were notified by Valparaiso administrators that the school district was working with law enforcement to identify the criminal(s) behind the attacks, which they described as "purposeful and malicious criminal acts."

After hiring experts to combat the cyber-attacks, the district is now investigating ways in which its cyber-defenses can be strengthened against future assaults. 

Nearly a quarter of the district's students are currently engaging in Valparaiso Community Schools' remote learning option.

Cisco fixes 34 High-Severity flaws in IOS and IOS XE software

Cisco patched 34 high-severity flaws affecting its IOS and IOS XE software, some of which can be exploited by a remote, unauthenticated attacker.

Cisco on Thursday released security patches for 34 high-severity vulnerabilities affecting its IOS and IOS XE software.

The IT giant issued 25 advisories as part of the September 2020 semiannual IOS and IOS XE Software Security Advisory Bundled Publication.

The company, in direct response to customer feedback, releases bundles of Cisco IOS and IOS XE Software Security Advisories on the fourth Wednesday of the month in March and September of each calendar year.

25 Security Advisories describe a total of 34 vulnerabilities in IOS Software and IOS XE Software.

Some of the issues can be exploited by a remote, unauthenticated attacker to trigger a denial-of-service (DoS) condition, and one flaw could also allow hackers to gain access to sensitive data.

The DoS flaws affect the Common Open Policy Service (COPS) engine, packet processing, Control and Provisioning of Wireless Access Points (CAPWAP) protocol processing, RESTCONF and NETCONF-YANG access control list functions, the LPWA subsystem in industrial routers, handling of DHCP messages, the Umbrella Connector component, the Flexible NetFlow version 9 packet processor, the IP Service Level Agreement (SLA) responder feature, the multicast DNS (mDNS) feature, the Zone-Based Firewall, and the Split DNS feature.

Two vulnerabilities can allow authenticated attackers with local access to the target devices to execute arbitrary code. One vulnerability can be exploited by an authenticated attacker to access some parts of the user interface they normally should not be able to access.

The most severe issues addressed by Cisco are:

  • Cisco IOS XE Software Privilege Escalation Vulnerabilities: CVE-2020-3141, CVE-2020-3425 (High, CVSS 8.8)
  • Cisco IOS XE Software Web UI Authorization Bypass Vulnerability: CVE-2020-3400 (High, CVSS 8.8)

Many of the vulnerabilities were found by Cisco experts during internal assessment of the software.

Cisco confirmed that it has no evidence that the flaws have been exploited by threat actors in attacks in the wild.

Pierluigi Paganini

(SecurityAffairs – hacking, DoS)

The post Cisco fixes 34 High-Severity flaws in IOS and IOS XE software appeared first on Security Affairs.

Microsoft Kills 18 Azure Accounts Tied to Nation-State Attacks

An APT group has started heavily relying on cloud services like Azure Active Directory and OneDrive, as well as open-source tools, to obfuscate its attacks.

Microsoft Endpoint Manager expanding to be single hub for management and endpoint security

At Microsoft Ignite this week, the company announced that Microsoft Endpoint Manager, its unified management solution, is receiving a series of new features to expand its capabilities. Here are some highlights.

Available now are:

Shared iPad for Business lets users log into an iPad with their Azure Active Directory account into a separate partition on the device. This allows companies to deploy shared iPads without worrying about user data overlapping, and lets individuals use their personal iPads for business without compromising security.

In public preview:

Microsoft Tunnel is a remote access solution integrated with Endpoint Manager that allows iOS and Android devices to connect to on-prem applications. It supports both per-app or full device VPNs and split tunnelling and is tied into Conditional Access to ensure devices are compliant with policy.

macOS support now gives Macs a first-class management experience, including new enrollment experiences, single sign-on across apps, the ability to deploy scripts to devices, and new managed lifecycle features from Apple.

Coming soon:

Management of virtual desktops or third-party VDI solutions in the same console as management of physical PCs will be in public preview by the end of 2020.

Endpoint Manager’s mobile application management (MAM) is being built into Microsoft Edge on all platforms to allow users to access web apps from personal machines while preventing the data from leaving the browser or other approved location.

The post Microsoft Endpoint Manager expanding to be single hub for management and endpoint security first appeared on IT World Canada.

FinSpy Spyware for Mac and Linux OS Targets Egyptian Organisations

Amnesty International today exposed details of a new surveillance campaign that targeted Egyptian civil society organizations with previously undisclosed versions of FinSpy spyware designed to target Linux and macOS systems. Developed by a German company, FinSpy is extremely powerful spying software that is being sold as a legal law enforcement tool to governments around the world but has also

Why Are Applications Difficult to Secure?

With the onset of digital transformation, applications have become a priority for businesses. They’ve also grown as a target to would-be hackers. We know that securing applications is paramount, but why are they difficult to secure?

Gone are the days where cybersecurity for applications can mimic hard candy – a protective outer shell that surrounds the inner portion. Applications need not only a wall around the application as a whole, but security perimeters to protect individual workloads. This can make applications trickier to secure, with so many more perimeters to defend from breaches and malicious activity!

To understand application security, look no further than the application life cycle – the three-part process that includes development, deployment and testing, and runtime. Each part of this cycle requires different security measures to fully protect an application at each turn.

Application security starts in the development phase, where most tested applications are found to have a security concern in the code. Since the flaws can show up early in the process, it’s important to fix security issues before they’re born. If a problem is not caught in the coding, and the application passes through the rest of the life cycle and into runtime without the issue being solved, major, expensive damages can be expected. Reputation damage due to poor user experience can also be a result.

Beyond development and testing, you’ll need to keep up with an application’s rapidly changing nature while remaining compliant with the necessary policies. The difficulty in securing applications stems from the constantly moving and updating workloads that make up your application. Securing individual workloads and the many changes that keep your application running can be stressful; whether your environment is on-prem, cloud, or hybrid, there is a chance that if one workload is breached, the rest will follow. How could this happen? Compromises can spread via east-west traffic from workload to workload, relatively undetected. Segmentation, and specifically micro-segmentation, is a risk management option that can contain this lateral movement and ultimately reduce your attack surface. Going back to the ‘hard candy’ model, you’re essentially bringing the hard, protective shell into the candy to surround individual portions.

Application security can also be difficult due to the need to remain compliant with various policies. For example, the financial services industry has many regulations that require controls to maintain privacy. As data is transferred between on-prem and cloud environments, these policies create workflows within systems to establish access control. Consistency is key when it comes to this data transfer and remaining compliant, so you need a solution that can bridge these environments through automatic configuration.

You can learn more about Cisco’s solutions for micro-segmentation and policy compliance here: Tetration

With applications housed in cloud or hybrid environments, visibility into network and application behavior is minimized. It’s important to protect the network in which your application is housed. Baselining behavioral patterns helps to find even the smallest violations so that your IT team is alerted to the issue and can quickly counter an attack. This extra layer of protection provides the analysis needed to make sure your application workloads cannot be compromised.

See more about Cisco’s answer to this problem: Stealthwatch

So what makes applications difficult to secure? The teams that develop applications and the teams that secure them are usually separate, and shared context between the two is key to integrated application security. There are ways to improve your security posture and empower your teams by bringing security and application teams together.

Learn more: Cisco Application-First Security

The post Why Are Applications Difficult to Secure? appeared first on Cisco Blogs.

Automated response with Cisco Stealthwatch

Cisco Stealthwatch provides enterprise-wide visibility by collecting telemetry from all corners of your environment and applying best in class security analytics by leveraging multiple engines including behavioral modeling and machine learning to pinpoint anomalies and detect threats in real-time. Once threats are detected, events and alarms are generated and displayed within the user interface. The system also provides the ability to automatically respond to, or share alarms by using the Response Manager. In release 7.3 of the solution, the Response Management module has been modernized and is now available from the web-based user interface to facilitate data-sharing with third party event gathering and ticketing systems. Additional enhancements include a range of customizable action and rule configurations that offer numerous new ways to share and respond to alarms to improve operational efficiencies by accelerating incident investigation efforts. In this post, I’ll provide an overview of new enhancements to this capability.


Benefits: 

  • The new modernized Response Management module facilitates data-sharing with third party event gathering and ticketing systems through a range of action options.
  • Save time and reduce noise by specifying which alarms are shared with SecureX threat response.
  • Automate responses with pre-built workflows through SecureX orchestration capabilities.
The Response Management module allows you to configure how Stealthwatch responds to alarms.

The Response Manager uses two main functions:

  • Rules: A set of one or multiple nested condition types that define when one or multiple response actions should be triggered.
  • Actions: Response actions that are associated with specific rules and are used to perform specific types of actions when triggered.
The Response Management module's rule types correspond to the six alarm categories listed below.

Alarms generally fall into two categories:

Threat response-related alarms:

  • Host: Alarms associated with core and custom detections for hosts or host groups such as C&C alarms, data hoarding alarms, port scan alarms, data exfiltration alarms, etc.
  • Host Group Relationship: Alarms associated with relationship policies or network map-related policies such as high traffic, SYN flood, round trip time, and more.

Stealthwatch appliance management-related alarms:

  • Flow Collector System: Alarms associated with the Flow Collector component of the solution such as database alarms, raid alarms, management channel alarms, etc.
  • Stealthwatch Management Console (SMC) System: Alarms associated with the SMC component of the solution such as Raid alarms, Cisco Identity Services Engine (ISE) connection and license status alarms.
  • Exporter or Interface: Alarms associated with exporters and their interfaces such as interface utilization alarms, Flow Sensor alarms, flow data exporter alarms, and longest duration alarms.
  • UDP Director: Alarms associated with the UDP Director component of the solution such as Raid alarms, management channel alarms, high availability alarms, etc.
The available Response Management module action options are listed below.


Available types of response actions consist of the following:

  • Syslog Message: Allows you to configure your own customized formats based off of alarm variables such as alarm type, source, destination, category, and more for Syslog messages to be sent to third party solutions such as SIEMs and management systems.
  • Email: Sends email messages with configurable formats including alarm variables such as alarm type, source, destination, category, and more.
  • SNMP Trap: Sends SNMP Traps messages with configurable formats including alarm variables such as alarm type, source, destination, category, etc.
  • ISE ANC Policy: Triggers Adaptive Network Control (ANC) policy changes to modify or limit an endpoint’s level of access to the network when Stealthwatch is integrated with ISE.
  • Webhook: Uses webhooks exposed by other solutions which could vary from an API call to a web triggered script to enhance data sharing with third-party tools.
  • Threat Response Incident: Sends Stealthwatch alarms to SecureX threat response with the ability to specify incident confidence levels and host information.

The combination of rules and actions gives numerous possibilities for sharing or responding to alarms generated by Cisco Stealthwatch. Below is an example combination that triggers a response for employees connected locally or remotely when their device raises a remote access breach alarm or a botnet infected host alarm. The response actions include isolating the device via ISE, sharing the incident with SecureX threat response and opening a ticket through a webhook.


1) Set up rules to trigger when an alarm fires, and 2) Configure specific actions or responses that will take place once the above rule is triggered.
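The rule-and-action model described above (nested conditions that select alarms, actions that render a response from alarm variables) is small enough to show end to end. The Go example below is added here as an illustration of that model and is not Stealthwatch code: the `Alarm` fields, the host-group names "Employees" and "Remote Employees", the action kinds and the `{type}`/`{source}` placeholder syntax are all assumptions chosen to mirror the usage combination in the text, where an employee device raising a remote access breach or botnet infected host alarm is quarantined through ISE, reported to threat response and ticketed via a webhook.

```go
package main

import (
	"fmt"
	"strings"
)

// Alarm is the minimal alarm record the rules match on (assumed fields).
type Alarm struct {
	Type, Category, Source, Destination, HostGroup string
}

// Condition is one node of a rule's nested condition tree.
type Condition interface{ Match(a Alarm) bool }

// Field matches one alarm attribute against a list of accepted values.
type Field struct {
	Name   string
	Values []string
}

func (f Field) Match(a Alarm) bool {
	var v string
	switch f.Name {
	case "type":
		v = a.Type
	case "category":
		v = a.Category
	case "hostgroup":
		v = a.HostGroup
	case "source":
		v = a.Source
	}
	for _, want := range f.Values {
		if strings.EqualFold(v, want) {
			return true
		}
	}
	return false
}

// All and Any are the nesting operators (AND / OR) over child conditions.
type All []Condition
type Any []Condition

func (c All) Match(a Alarm) bool {
	for _, x := range c {
		if !x.Match(a) {
			return false
		}
	}
	return true
}

func (c Any) Match(a Alarm) bool {
	for _, x := range c {
		if x.Match(a) {
			return true
		}
	}
	return false
}

// Action renders a response from alarm variables; Kind names the channel
// (syslog, email, snmp-trap, ise-anc, webhook, threat-response).
type Action struct {
	Kind     string
	Template string // {type} {category} {source} {destination} {hostgroup} placeholders
}

func (ac Action) Render(a Alarm) string {
	r := strings.NewReplacer("{type}", a.Type, "{category}", a.Category,
		"{source}", a.Source, "{destination}", a.Destination, "{hostgroup}", a.HostGroup)
	return ac.Kind + ": " + r.Replace(ac.Template)
}

// Rule ties a condition tree to the actions it triggers.
type Rule struct {
	Name    string
	When    Condition
	Actions []Action
}

// Respond evaluates every rule against the alarm and returns the rendered
// actions of the rules that matched, in rule order.
func Respond(rules []Rule, a Alarm) []string {
	var out []string
	for _, r := range rules {
		if r.When.Match(a) {
			for _, ac := range r.Actions {
				out = append(out, ac.Render(a))
			}
		}
	}
	return out
}

// ExampleRule mirrors the usage combination in the text: employee devices,
// local or remote, whose alarm is a remote access breach or a botnet
// infected host get isolated, reported and ticketed.
var ExampleRule = Rule{
	Name: "Isolate infected employee devices",
	When: All{
		Field{Name: "type", Values: []string{"Remote Access Breach", "Bot Infected Host"}},
		Any{
			Field{Name: "hostgroup", Values: []string{"Employees"}},
			Field{Name: "hostgroup", Values: []string{"Remote Employees"}},
		},
	},
	Actions: []Action{
		{Kind: "ise-anc", Template: "quarantine {source}"},
		{Kind: "threat-response", Template: "incident {type} on {source} (confidence high)"},
		{Kind: "webhook", Template: `{"ticket":"{type} from {source} to {destination}"}`},
	},
}

func main() {
	// Constructed alarm for the walk-through.
	a := Alarm{Type: "Bot Infected Host", Category: "Command and Control",
		Source: "10.1.2.3", Destination: "203.0.113.9", HostGroup: "Remote Employees"}
	for _, line := range Respond([]Rule{ExampleRule}, a) {
		fmt.Println(line)
	}
}
```

Keeping the condition tree and the action list as data rather than code is what lets an operator add a second rule (say, Flow Collector RAID alarms to a syslog action) without touching the matcher.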

The ongoing growth of critical security and network operations continues to increase the need to reduce complexity and automate response capabilities. Cisco Stealthwatch release 7.3.0’s modernized Response Management module helps cut down on noise, eliminate repetitive tasks, accelerate incident investigations, and streamline remediation through its high-fidelity, easy-to-configure automated response rules and actions.

To learn more about new Automated Response enhancements, check out the Stealthwatch Release 7.3.0 At-a-Glance and the Release Notes.

Don’t have Stealthwatch? Learn more by visiting https://www.cisco.com/go/stealthwatch or try the solution out for yourself today with a free visibility assessment.

The post Automated response with Cisco Stealthwatch appeared first on Cisco Blogs.

Fortinet VPN with default certificate exposes 200,000 businesses to hack

According to SAM Seamless Network, over 200,000 businesses are using Fortigate VPN with default settings, exposing them to the risk of a hack.

In response to the spread of Coronavirus across the world, many organizations deployed VPN solutions, including Fortigate VPN, to allow their employees to work from home.

The configuration of the VPN solutions is important to keep organizations secure and to avoid dangerous surprises.

According to network security platform provider SAM Seamless Network, over 200,000 businesses have deployed the Fortigate VPN solution with default settings. This choice allows an attacker to present a valid SSL certificate and carry out man-in-the-middle (MitM) attacks on employees’ connections.

“Surprisingly (or not?), we quickly found that under default configuration the SSL VPN is not as protected as it should be, and is vulnerable to MITM attacks quite easily.” reads the analysis published by SAM Seamless Network. “The Fortigate SSL-VPN client only verifies that the CA was issued by Fortigate (or another trusted CA), therefore an attacker can easily present a certificate issued to a different Fortigate router without raising any flags, and implement a Man-In-The-Middle attack. We’ve searched and found over 200k vulnerable businesses in a matter of minutes.”

Because the Fortigate SSL-VPN client only checks that the certificate was issued by Fortinet or another trusted CA, an attacker can present a certificate issued to a different Fortigate unit and the client accepts it, which is all a man-in-the-middle attack needs.

In their proof of concept, the researchers used a compromised IoT device on the same network to intercept traffic with ARP poisoning. When FortiClient initiates the VPN connection, the device serves a Fortinet-signed certificate, which the report says was extracted from legacy credentials, forwards the user’s credentials to the real server while capturing them in the middle, and spoofs the authentication process.

A digital certificate includes several values such as:

  • Server name – The name of the server this certificate was issued to
  • Public key – The public key used to encrypt the traffic to this server
  • Digital Signature – A digital signature that verifies this certificate was issued by a legitimate authority.
  • Validity – A date this certificate is valid through
  • Issuer information – Information about the issuer of the certificate (the same entity that signed the certificate)

Every time a client connects to a server, the client verifies the following information:

  • The certificate’s Server Name matches the server that the client attempted to connect to
  • The certificate validity date has not passed
  • The certificate’s digital signature is correct
  • The certificate was issued by an authority that this client trusts

The main problem is the default SSL certificate shipped with the Fortigate router, which many organizations never replace.

It is issued by Fortinet’s own CA rather than by a public CA, and it uses the router’s serial number as the certificate’s server name.

The experts highlight that Fortinet’s client does not verify the server name at all, which means any certificate issued by Fortinet or any other trusted CA will be accepted. An attacker can re-route traffic to their own server, present their own certificate, and decrypt the traffic; the researchers published a video PoC of the attack.

“In this video you can see how we decrypt the traffic of the Fortinet SSL-VPN client and extract the user’s password and OTP. An attacker can actually use this to inject his own traffic, and essentially communicate with any internal device in the business, including point of sales, sensitive data centers, etc. This is a major security breach, that can lead to severe data exposure.” continues the report.

Unfortunately, Fortinet has no plans to change the client’s behavior; it recommends that users manually replace the default certificate to ensure their connections are protected from MitM attacks.

Currently, Fortinet provides a warning when the users are using the default certificate.

“You are using a default built-in certificate, which will not be able to verify your server’s domain name (your users will see a warning). It is recommended to purchase a certificate for your domain and upload it for use.” reads the warning.
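The four client-side checks listed above are the whole story here: the Fortigate client performs the chain and signature checks but skips the server-name match, so a certificate issued by the same CA to a different unit passes. The Go example below is added to make that difference concrete and is not Fortinet's or SAM Seamless Network's code. It builds a constructed "vendor" CA in memory, issues two leaf certificates named after two different unit serial numbers (the names and serials are made up for the example), and runs each through a chain-only check and a chain-plus-name check using the standard library's `crypto/x509` verifier.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var serial int64

// issue mints a certificate for name, signed by parent (self-signed when
// parent is nil). Leaf certs carry name as their server name (SAN), the
// way a default FortiGate cert carries the unit serial number.
func issue(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// ChainOnly is the weak check: validity dates, signature and a chain ending
// at a trusted root, but the server name is never compared to the host.
func ChainOnly(leaf *x509.Certificate, roots *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots})
	return err
}

// ChainAndName adds the server-name match that turns a valid-but-wrong
// certificate into a verification failure.
func ChainAndName(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// Outcome records the four verification results produced by Demo.
type Outcome struct {
	GenuineChainOnly, ImpostorChainOnly, GenuineWithName, ImpostorWithName error
}

// Demo builds the constructed vendor CA and two certs it issued, one for
// the unit the client expects and one for a different unit (the attacker's
// stolen cert), then runs both checks against each.
func Demo() Outcome {
	vendorCA, caKey := issue("Constructed Vendor CA", true, nil, nil)
	genuine, _ := issue("fgt-serial-000001", false, vendorCA, caKey)
	impostor, _ := issue("fgt-serial-000002", false, vendorCA, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(vendorCA)
	const expected = "fgt-serial-000001" // the unit the client is connecting to
	return Outcome{
		GenuineChainOnly:  ChainOnly(genuine, roots),
		ImpostorChainOnly: ChainOnly(impostor, roots),
		GenuineWithName:   ChainAndName(genuine, roots, expected),
		ImpostorWithName:  ChainAndName(impostor, roots, expected),
	}
}

func main() {
	o := Demo()
	fmt.Println("chain only, genuine unit: ", o.GenuineChainOnly)
	fmt.Println("chain only, other unit:   ", o.ImpostorChainOnly)
	fmt.Println("chain+name, genuine unit: ", o.GenuineWithName)
	fmt.Println("chain+name, other unit:   ", o.ImpostorWithName)
}
```

The chain-only check returns no error for either certificate, which is the behaviour the researchers exploited; only the check that pins the expected server name rejects the certificate from the other unit. Replacing the default certificate with one for the VPN's real hostname is what makes that name check possible on a FortiGate deployment.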

Pierluigi Paganini

(SecurityAffairs – hacking, Fortigate VPN)

The post Fortinet VPN with default certificate exposes 200,000 businesses to hack appeared first on Security Affairs.

Microsoft Windows XP Source Code Reportedly Leaked Online

Microsoft's long-lived operating system Windows XP—that still powers over 1% of all laptops and desktop computers worldwide—has had its source code leaked online, allegedly, along with Windows Server 2003. Yes, you heard that right. The source code for Microsoft's 19-year-old operating system was published as a torrent file on notorious bulletin board website 4chan, and it's for the very first

Elderly People in the UK Lost Over £4m to Cybercrime Last Year

Cyber-criminals stole more than £4m from elderly people in the UK in the financial year 2018-19, data received by the charity Age UK has revealed.

A freedom of information (FOI) request submitted by the charity to the UK’s national fraud reporting center, Action Fraud, showed that the police received 4173 reports of cybercrime from people aged 55+ from April 2018 to March 2019. Of those that became victims, a total loss of just over £4m was recorded. Those in this age group represented 19% of the overall number of reported cybercrime victims in this period.

Prominent examples of cybercrime included phishing, investment fraud, identity theft, fraudulent adverts and blackmail.

Worryingly, the FOI request also revealed that elderly people have been heavily targeted by COVID-19 related fraud in recent months. Of the 3162 instances of COVID-related fraud and cybercrime reported to Action Fraud between March 23 and July 31 2020, 701 involved a victim aged 55+; total losses for these elderly victims amounted to £2.4m in the four months.

The most common forms of COVID-related scams included purchases of fake PPE and phishing texts and emails purporting to be from government and health bodies.

Age UK said cyber-criminals have taken advantage of the increasing number of elderly people relying on the internet for everyday services such as shopping as well as to stay in contact with friends and family during lockdown, in many cases for the first time.

Caroline Abrahams, charity director at Age UK, commented: “During lockdown, the majority of us relied on the internet to stay connected and we know that some older people were also encouraged to go online for the first time. That is hopefully something they have enjoyed and benefited from and will want to continue now lockdown is being eased. However, unfortunately we also know that cyber-criminals were very active in exploiting the situation, seeking to con older people out of their hard-earned cash.

“Online crime is often highly sophisticated and tough to spot so anyone can be taken in, but if you are new to the internet and learned to use it in a rush, with little support, you are potentially more vulnerable to being caught out.”

How a Phishing Awareness Test Went Very Wrong

Tribune Publishing Co. Employees Outraged at Phishing Test Teasing a Bonus
Training employees to resist phishing emails is key to preventing compromises. But an exercise run by Tribune Publishing Co. created a searing backlash after its phishing exercise tempted employees with bogus bonuses in a year in which they had already endured financial hardships.

Virus vs. Worm: What’s the Difference?

Virus vs. worm – is there any difference? Short answer: yes, definitely, and you should never confuse one with the other. In this article, I’m going to introduce you to the distinctions and similarities between worms and viruses and provide you with a protection guide from which you and your organization can benefit.

Malware vs. virus vs. worm

Malware describes any type of malicious software or code implanted on a device with the purpose of causing damage. It includes ransomware, spyware, adware, and other types of harmful programs.

Here is how the National Institute of Standards and Technology (NIST) defines it:

“Malware, also known as malicious code and malicious software, refers to a program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim’s data, applications, or operating system or otherwise annoying or disrupting the victim.” – NIST Special Publication 800-83

Viruses and worms are two types of malware created to execute malicious functions. In the early days of cyber threats, they were more of a nuisance to organizations and individuals than a real hazard.

However, today’s malware landscape is a never-ending battle between cyber defense specialists and malicious hackers, with the global threat environment changing year after year. Malicious software has become a serious threat, with over 350,000 new malware strains and potentially unwanted applications (PUA) being created every day, according to AV-TEST.

At the current trajectory, it’s no wonder that organizations and consumers are struggling to keep up with their defenses.

But naturally, not all malware types are created equally, and in this article, I’m going to look at two very specific types of malware: viruses and worms.

What is a Computer Virus?

With reference to cybersecurity, “virus” is perhaps the most widely recognized term and is oftentimes used interchangeably with “malware”. However, as I’ve already stated above, “malware” and “viruses” are not synonyms – malware is the all-encompassing term for all types of malicious software, including viruses.

A brief history of computer viruses

The concept of “computer viruses” was first hypothesized by John von Neumann in the late 1940s and further elaborated in a paper published in 1966 (Theory of Self Reproducing Automata) after his death. The piece speculated that it would be possible for a technological organism to behave just like a biological virus, damaging machines through self-replication and having the ability to move from device to device.

The early 1970s marked the beginning of actual computer viruses – well, sort of. The first virus, named Creeper, had no malicious purpose and only displayed the message “I’M THE CREEPER. CATCH ME IF YOU CAN!” on the screen. In practice, it was an experimental computer program written by Bob Thomas in 1971, in an attempt to find out whether a self-replicating program was actually viable. Its first version was designed to move between DEC PDP-10 mainframe computers running the TENEX operating system through the ARPANET (the network that became the technical foundation of today’s Internet).


A short time later, Ray Tomlinson wrote an enhanced version which did not just move – now it was also capable of self-replicating. Afterward, Tomlinson created another program (called Reaper), which was meant to travel through the ARPANET and remove Creeper.

If you are curious to find out more about the history of computer viruses and go through their timeline, I suggest you check out this resource.

Now, let’s go back to what a computer virus is and what it does.

In our Heimdal™ Security glossary, we define viruses as follows:

“A computer virus is a type of malicious software capable of self-replication. A virus needs human intervention to run and it can copy itself into other computer programs, data files, or in certain sections of your computer, such as the boot sector of the hard drive. Once this happens, these elements will become infected. Computer viruses are designed to harm computers and information systems and can spread through the Internet, through malicious downloads, infected email attachments, malicious programs, files, or documents. Viruses can steal data, destroy information, log keystrokes and more.” – Heimdal Security Glossary, “Virus” Definition

Various types of viruses act differently. For instance, some may begin replicating and causing damage on a machine as soon as they enter a host, while others may lie dormant and remain undetected until a specific stimulus triggers the execution of the malicious code on the computer system.

Types of viruses

According to TechTarget, there are seven categories of computer viruses.

File infectors

File infector viruses usually attach themselves to program files, typically .com or .exe files. They may also infect other files that get executed, including .sys, .ovl, .prg, and .mnu files. Whenever the infected program is run, the virus runs along with it. Some file-infecting viruses arrive as completely self-contained programs or scripts sent as email attachments.

Macro viruses

These viruses target the macro language commands in applications like Microsoft Word and other programs. In Word, macros are stored sequences of commands or keystrokes embedded in documents. A macro virus in a Word file adds its malicious code to the document’s legitimate macro sequences. In more recent versions of Word, Microsoft disabled macros by default; as a result, attackers turned to social engineering to persuade targeted users to enable macros and trigger the virus. Because macro viruses have seen a revival in recent years, Microsoft introduced a feature in Office 2016 that lets security managers selectively permit macros only for trusted workflows, or block macros across the enterprise.

Overwrite viruses

These are specifically designed to destroy the data in a file or program. After infecting a system, an overwrite virus starts replacing files with its own code. Such viruses may corrupt particular files or applications, or destroy all files on an affected computer. Because the virus writes its code into files and applications, it can propagate to additional files, software, and systems.

Polymorphic viruses

A polymorphic virus is a type of malware that can modify or morph its underlying code without changing its basic functions. This lets it avoid detection by antimalware software that relies on signature recognition: once a security tool detects the signature of a polymorphic virus, the virus changes itself so that it can no longer be identified by its initial signature.

Resident viruses

Resident viruses embed themselves in a system’s memory. Once there, the original virus program is no longer needed to infect new files or programs: even if the original infected file is removed, the copy stored in memory is activated whenever the operating system loads a particular application or performs a particular operation. Resident viruses are troublesome because, by residing in the RAM of the device, they can evade anti-virus and antimalware tools.

Rootkit viruses

A rootkit virus is a form of malware that installs an unwanted rootkit on an infected device. The rootkit can radically alter or disable features and programs, giving cyber attackers total control over the system. Rootkit viruses were designed to circumvent antivirus software that only scanned apps and files.

System or boot-record infectors

These viruses infect the executable code stored in specific system areas of a disk: the DOS boot sector of a USB thumb drive, or the Master Boot Record on a hard disk. In a typical scenario, the user receives a storage device that carries a boot-sector virus. While the victim’s operating system is running, files on the external storage device infect the system, modifying or replacing the original boot code on the internal disk so that the virus is automatically loaded and executed as part of the Master Boot Record the next time the system boots; rebooting is what triggers it. Boot viruses are now less prevalent because today’s devices rely far less on physical storage media.

Notorious computer viruses

Below you can see some examples of the most devastating computer viruses in history:

ILOVEYOU

ILOVEYOU is considered one of the worst viruses ever created. Causing about $10 billion worth of damage, it managed to destroy 10% of computers around the world. It was so severe that large companies and governments were forced to shut down their mail systems to avoid contamination.

Developed by two Filipino programmers, Reonel Ramones and Onel de Guzman, it relied on social engineering, fooling recipients into opening an email attachment that posed as a harmless TXT file; at the time (the year 2000), Windows hid file extensions by default. When the victim opened the file, the virus sent itself to everyone in the victim’s address book and overwrote files with copies of itself, which left the machine unbootable. The two authors were never charged, as no applicable laws existed when the crimes took place.

Melissa

In late March 1999, the Melissa virus started spreading like wildfire across the Internet. Although it was not designed to steal money or user data, it did cause a great deal of damage. The email servers of over 300 companies and government bodies were affected and some had to be shut down completely – even Microsoft was among the victims. Around 1 million accounts were infected.

The virus spread by infecting the victim’s Microsoft Word installation and using a macro to hijack the Outlook email client and send messages to the first 50 contacts in the victim’s address book. The messages tricked people into opening attachments titled “sexxxy.jpg” or “naked wife”, or deceitfully claimed, “Here is the document you requested … don’t show anyone else ;-).” Because it relied on social engineering, many people fell prey.

Shamoon

The Shamoon virus was built for cyber-warfare, designed to attack oil companies in Saudi Arabia and Qatar. It transferred malicious content from an infected computer to other computers on the same network. Its behaviour and the outcome of an infection differ from other malware types: it took files from an infected computer, uploaded them to the attacker’s machine, and then deleted them. It then overwrote the infected system’s master boot record, rendering the machine unbootable.

What is a Computer Worm?

Unlike viruses, worms don’t rely on users’ intervention to be able to propagate.

In short, a worm is a type of malware that can move and copy itself from device to device as a self-contained program. The ability to operate independently, without needing a host file or injecting code into a host program, is what separates worms from other types of malware; it makes them more capable than viruses and, consequently, more dangerous.

Worms rely on vulnerabilities found in a system. While viruses may trick you into activating them or attempt to exploit holes in applications using social engineering tactics, a worm finds flaws in the OS that allow it to install and make copies of itself.

The Morris Worm is widely regarded as the first major malware of any type and the first computer worm with real-world impact. Released in November 1988, it was written by Robert Morris, then a graduate student at Cornell University. He launched it from MIT servers, allegedly to disguise its origin.

A shortlist of famous computer worms

The spread of computer worms has produced some of the most devastating malware attacks of all time. Below I’ve listed some of the most dangerous ones in history.

Stuxnet

The Stuxnet worm was first seen in the summer of 2010 and was originally aimed at Iran’s nuclear facilities. It destroyed multiple centrifuges at the country’s Natanz uranium enrichment facility by causing them to burn themselves out. According to Stuxnet’s log files, a company called Foolad Technic appears to have been the first victim. A worker’s USB drive is thought to have introduced the worm, which then spread to Microsoft Windows computers.

MyDoom

MyDoom emerged on January 26, 2004, and spread through email and a P2P network. Written in C++ and originating from Russia, the worm installed a backdoor in the operating system of victims’ computers. It launched a distributed denial of service (DDoS) attack on February 1, 2004, and stopped spreading itself on February 12, but the backdoors created during the initial infections remained active afterwards.

Sasser

The Sasser worm was developed by a 17-year-old German named Sven Jaschan. Once it had compromised a device, it started looking for other vulnerable computers, scanning random IP addresses to find its next victims. Even though it caused no physical damage, it was the root cause of DDoS attacks: it stopped one-third of the post offices in Taiwan, closed 130 branches of a bank in Finland, and led to the cancellation of several rail services and transatlantic flights.
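The random-IP scanning described for Sasser leaves a characteristic trace in firewall logs: one source opening connections to many distinct destinations on the same port within a short time. The following is an added example, not code from the Heimdal post, that runs such a fan-out check over a few constructed log lines; the log format, the 60-second window and the 20-target threshold are assumptions.

```python
"""Worm fan-out detector: flags a source that contacts many distinct
destinations on one port inside a short window, the pattern a self-
propagating worm such as Sasser produces while scanning for new victims.
Added example, not code from the Heimdal post."""
import re
from collections import defaultdict
from datetime import datetime

# Assumed line format (constructed for this example, not a real firewall's):
#   2004-05-01T10:00:05 SRC=10.0.0.23 DST=10.0.1.6 DPT=445 PROTO=TCP SYN
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) DPT=(?P<dpt>\d+) PROTO=TCP SYN$"
)


def parse_line(line):
    """Return (epoch_seconds, src, dst, dport) or None for non-SYN lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m.group("ts")).timestamp()
    return ts, m.group("src"), m.group("dst"), m.group("dpt")


def max_distinct_in_window(events, window_s):
    """events: list of (ts, dst) sorted by ts. Returns the largest number of
    distinct destinations seen inside any window of window_s seconds."""
    counts = {}
    best = 0
    left = 0
    for right in range(len(events)):
        ts, dst = events[right]
        counts[dst] = counts.get(dst, 0) + 1
        # Slide the left edge forward until the window fits.
        while ts - events[left][0] > window_s:
            old = events[left][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        best = max(best, len(counts))
    return best


def detect_scanners(lines, window_s=60, min_targets=20):
    """Return {(src, dport): distinct_targets} for every source whose fan-out
    on a single port reaches min_targets inside window_s seconds.
    Thresholds are assumptions; tune them per network. A legitimate
    vulnerability scanner produces the same pattern and must be allow-listed."""
    per_source = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            ts, src, dst, dpt = rec
            per_source[(src, dpt)].append((ts, dst))
    flagged = {}
    for key, events in per_source.items():
        events.sort()
        fanout = max_distinct_in_window(events, window_s)
        if fanout >= min_targets:
            flagged[key] = fanout
    return flagged


def constructed_log():
    """Constructed sample (not real logs): 10.0.0.23 fans out to 25 distinct
    hosts in 25 seconds, 10.0.0.5 talks to two hosts, plus one unrelated line."""
    lines = [
        f"2004-05-01T10:00:{i:02d} SRC=10.0.0.23 DST=10.0.1.{i + 1} DPT=445 PROTO=TCP SYN"
        for i in range(25)
    ]
    for i, dst in enumerate(["10.0.1.3", "10.0.1.9", "10.0.1.3"]):
        lines.append(
            f"2004-05-01T10:00:{10 + 5 * i:02d} SRC=10.0.0.5 DST={dst} DPT=445 PROTO=TCP SYN"
        )
    lines.append("2004-05-01T10:01:00 kernel: link is up")
    return lines


if __name__ == "__main__":
    for (src, dpt), n in detect_scanners(constructed_log()).items():
        print(f"possible worm scan: {src} hit {n} distinct hosts on port {dpt}")
```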

Computer Worm vs. Virus

As I’ve already mentioned before, both viruses and worms can cause major damage to your organization and spread quickly. What sets them apart is the way in which they self-replicate, with viruses requiring the aid of users, while worms are able to act on their own.

Virus: A virus requires a user to either purposely or inadvertently spread the infection, without the knowledge or permission of a system administrator.

Worm: A computer worm is stand-alone malware that self-replicates and does not require any form of human intervention to propagate; for instance, it can rely on security vulnerabilities.

How do viruses and worms spread?

Viruses need human activity (such as the execution of an infected program) to propagate, as described above. Worms, by contrast, spread on their own, without the user doing anything.

Yet, how do devices become infected with a virus or worm, in the first place?

The most common methods of infection are:

  • Email. Social engineering tactics and infected email attachments or malicious links go hand in hand. Email is one of the most widely used methods for delivering viruses and worms.
  • Infected websites. Viruses and worms can be delivered in the form of infected banners or pop-ups on webpages, sometimes even on legitimate sites.
  • Security flaws. Oftentimes, vulnerabilities found in systems allow ill-intentioned actors to exploit them and inject malware into an organization’s systems. Worms are able to scan networks, identify vulnerabilities, and then exploit them.
  • P2P downloads. Pirated games or TV shows illegally downloaded from unauthorized sources may also bring along unwanted malicious software, including worms and viruses.
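Two of the delivery tricks described above, the double-extension attachment that hides its real file type (as ILOVEYOU's “TXT” attachment did) and the Office document carrying a VBA macro project, can be checked mechanically before an attachment reaches a user. The following is an added example, not code from the Heimdal post; the extension lists and the minimal in-memory Office package it inspects are constructed for the demonstration.

```python
"""Attachment triage: flags a double extension that hides an executable type
and an Office document that carries a VBA macro project. Added example, not
code from the Heimdal post; the extension lists are assumptions."""
import io
import zipfile

# Types that run directly when opened on Windows (assumed, not exhaustive).
EXECUTABLE_EXT = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "vbe",
                  "js", "jse", "wsf", "hta", "ps1", "msi"}
# Types a sender would use to look harmless in a double extension.
DECOY_EXT = {"txt", "pdf", "doc", "docx", "xls", "xlsx", "jpg", "jpeg", "png",
             "gif", "mp3", "zip"}
# Office Open XML extensions that should never carry a macro project.
MACRO_FREE_OOXML = {"docx", "xlsx", "pptx"}
# Magic bytes of the legacy OLE2 container used by binary .doc/.xls/.ppt files.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def has_double_extension(filename):
    """True for names like 'LOVE-LETTER-FOR-YOU.TXT.vbs': a decoy extension
    followed by an executable one. With 'hide known extensions' on, Windows
    displays such a file as 'LOVE-LETTER-FOR-YOU.TXT'."""
    parts = filename.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[1] in DECOY_EXT and parts[2] in EXECUTABLE_EXT


def office_macro_status(data):
    """Classify attachment bytes: 'macro', 'no-macro', 'legacy-ole' or 'not-office'.
    Office Open XML files are zip packages; a VBA project is stored as a
    vbaProject.bin part and declared in [Content_Types].xml."""
    if data.startswith(OLE_MAGIC):
        return "legacy-ole"  # binary .doc/.xls; needs an OLE parser to inspect
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            if "[Content_Types].xml" not in names:
                return "not-office"
            if any(n.endswith("vbaProject.bin") for n in names):
                return "macro"
            if b"vnd.ms-office.vbaProject" in zf.read("[Content_Types].xml"):
                return "macro"
            return "no-macro"
    except zipfile.BadZipFile:
        return "not-office"


def triage(filename, data):
    """Return the list of findings for one attachment (empty means nothing flagged)."""
    findings = []
    ext = filename.lower().rsplit(".", 1)[-1]
    if has_double_extension(filename):
        findings.append("double extension hides an executable type")
    elif ext in EXECUTABLE_EXT:
        findings.append("directly executable attachment")
    status = office_macro_status(data)
    if status == "macro":
        findings.append("Office document contains a VBA macro project")
        if ext in MACRO_FREE_OOXML:
            findings.append("macro project inside an extension that should be macro-free")
    elif status == "legacy-ole":
        findings.append("legacy binary Office format; inspect for macros with an OLE parser")
    return findings


def build_docx(with_macro):
    """Construct a minimal Office Open XML package in memory (constructed
    sample for the demonstration, not a real Word document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        types = ('<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org'
                 '/package/2006/content-types"><Default Extension="xml" ContentType="application/xml"/>')
        if with_macro:
            types += ('<Override PartName="/word/vbaProject.bin" '
                      'ContentType="application/vnd.ms-office.vbaProject"/>')
        zf.writestr("[Content_Types].xml", types + "</Types>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"constructed placeholder, not a real VBA project")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("LOVE-LETTER-FOR-YOU.TXT.vbs", b"constructed script body"),
        ("invoice.docm", build_docx(True)),
        ("invoice.docx", build_docx(True)),
        ("quarterly-report.docx", build_docx(False)),
    ]
    for name, blob in samples:
        print(name, "->", triage(name, blob) or ["nothing flagged"])
```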

How to protect your business against viruses and worms

While viruses and worms have an enormous capacity for destruction, following some best practices greatly reduces the risk of infection. Always staying vigilant and carefully examining the email attachments you receive (especially from unknown senders), not clicking on suspicious links, and keeping your software updated are a few essential steps you and your colleagues can take to prevent cyber incidents.

We strongly believe cybersecurity awareness is one of the best defenses against malware and thus, we advocate for continuous cybersecurity education. However, as human errors are oftentimes inevitable and can have dire consequences, organizations must undertake additional protection measures. Although running an enterprise antivirus software is a vital first step, it won’t keep your company safe from certain employee behavior such as clicking malicious links or using outdated versions of your software.

Heimdal™ Security’s Thor Premium Enterprise integrates state-of-the-practice capabilities that support secure systems, strengthen an organization’s security and privacy, and uphold cyber resiliency based on the latest threat intelligence and cyber-attack data.

More precisely, our complete endpoint security solution covers Threat Hunting, Prevention, and Mitigation thanks to its DNS filtering technology (which proactively blocks known and yet unknown malware infections, phishing attacks, and data exfiltration), a next-gen Antivirus, and a vulnerability management tool (for software deployment, inventory, and automatic patching).


Simple Antivirus protection is no longer enough.

Thor Premium Enterprise

is the multi-layered Endpoint Detection and Response (EDR) approach
to organizational defense.
  • Next-gen Antivirus which stops known threats;
  • DNS traffic filter which stops unknown threats;
  • Automatic patches for your software and apps with no interruptions;
  • Protection against data leakage, APTs, ransomware and exploits;
Try it for FREE today Offer valid only for companies.

Bottom Line

In conclusion, both viruses and worms can spread rapidly and cause damage ranging from mild to catastrophic. The main difference between them is how they propagate: viruses require a host’s intervention, while worms work independently. A virus or worm infection can degrade device performance, cause money and data loss, and even lead to reputational damage or extensive, nation-wide attacks.

How do you keep up with your organization’s defense against viruses and worms? Leave your comments in the section below!

The post Virus vs. Worm: What’s the Difference? appeared first on Heimdal Security Blog.

Sodinokibi Ransomware 101: Origin, Victims, Prevention Strategies

Cyberattacks have become a part of our reality, but have you ever wondered what might happen if your company gets targeted? You probably imagine that you would lose some money and a great deal of time, maybe fire an employee or two, lose a few clients and have your reputation tainted, or eventually even deal with a lawsuit. If these aren’t serious and bad enough for you to take cybersecurity seriously, let me tell you this: cyberattacks have just turned deadly. It happened this month in Germany, where “A person in a life-threatening condition passed away after being forced to go to a more distant hospital due to a ransomware attack.” Speaking of ransomware… you should pay particular attention to Sodinokibi ransomware.

Sodinokibi ransomware is a perfect example of Ransomware-as-a-Service, a cybercrime that involves two groups teaming up for the hack: the code authors who develop the ransomware and the affiliates that spread it and collect the ransom. 

As SecurityBoulevard says, Sodinokibi is “the apparent heir to a strain known as GandCrab. The security community believes GandCrab is responsible for 40 per cent of all ransomware infections globally. It has taken in around $2 billion in ransom. Then, earlier this year, the creators of GandCrab announced the malware’s retirement.” 

Discovered in April 2019, Sodinokibi is a highly evasive and upgraded ransomware that uses a particular social engineering move: the operators who spread it threaten to double the ransom if it is not paid within a certain number of days. This makes Sodinokibi ransomware dangerous for companies of all sizes. Also known as Sodin or REvil, Sodinokibi soon became the 4th most distributed ransomware in the world, targeting mostly American and European companies.

How does Sodinokibi ransomware work? 

Most of the time, Sodinokibi ransomware is spread through brute-force attacks and server exploits, but infection through malicious links or phishing is not uncommon either. Exploiting an Oracle WebLogic vulnerability and often bypassing antivirus software, Sodinokibi downloads a .zip file with the ransom code, written in JavaScript, moves through the infected network and encrypts files, appending a random extension to them. Particularly dangerous is the fact that Sodinokibi may reinstall itself as long as the original ransom code is not deleted.

Does Sodinokibi ransomware steal data? 

Stealing data from ransomware victims before encrypting their devices and using the stolen files as leverage to get paid is a tactic that the Maze ransomware operators introduced. Since then, Sodinokibi, DoppelPaymer and Nemty have followed their lead.

According to BleepingComputer, until March 2020, the Sodinokibi ransomware operators had published over 12 GB of stolen data “allegedly belonging to a company named Brooks International”. Moreover, “other hackers and criminals have started to distribute and sell this data on hacker forums”, as you can see in the image below “where a member is selling a link to the stolen data for 8 credits, which is worth approximately 2 Euros”: 

[Image: Sodinokibi ransomware – stolen data being sold on a hacker forum]

Source: BleepingComputer

Who fell victim to Sodinokibi ransomware? 

Among the first victims of Sodinokibi ransomware were two Florida cities. SecurityBoulevard describes the attacks from May 2019:

The City of Riviera Beach, Florida, agreed to pay $600,000 for the decryption key to unlock their files. Weeks later, the city of Lake City, Florida, relented to a $450,000 ransom payment as well. Each of these cities faced service disruption after being infected. Some of these services included email, phones, police records, the public works department, the library, 911 emergency, and general offices. Because these towns do not have the personnel or knowledge base to remediate these attacks, paying the ransom seemed to be the best bet.

These attacks were followed by another impressive one, against Texas:  

In a highly coordinated attack, hackers were able to bring down 22 separate municipalities, including the cities of Borger and Keene. The perpetrators of the attack then asked for a collective $2.5 million to release everyone caught in the net. Fortunately, the infected Texas municipalities received state-issued resources from Texas A&M University and the Texas Military Department.

In August 2019, Sodinokibi operators targeted PerCSoft, a company specializing in backup services for UK dental offices: more than 400 dental offices were affected by the attack. PerCSoft claimed that no data was accessed during what it presented as a virus infection, but it would appear that “a private Facebook group of IT professionals serving the dental industry shared […] screenshots that hint that the victim firm has paid the ransom to decrypt the data.”

The most notable example of a Sodinokibi ransomware attack is probably the one on Travelex, a famous currency exchange company. On this subject, SecurityBoulevard notes: 

An unnamed source within Travelex disclosed to The Wall Street Journal (WSJ) that the company paid $2.3 million in Bitcoin in an effort to restore functionality to its systems following a ransomware attack. Travelex was hit with a ransomware attack on New Year’s Eve, and it took a couple of weeks to restore some of its basic services, with the consumer side having to wait until February. The breadth of the attack was staggering, as the hackers infiltrated the company’s infrastructure six months before attacking with ransomware. Hackers didn’t just linger around the network. They used the time to exfiltrate valuable information, 5GB in total, which they then used to blackmail the company after deploying ransomware. […] In the Travelex attack, the hackers used Sodinokibi ransomware and an unpatched critical vulnerability in Pulse Secure VPN servers. Companies were warned about this particular VPN vulnerability, but some companies didn’t update their systems in time.

What can you do to prevent Sodinokibi Ransomware? 

As Fernando Ruiz, head of operations at Europol’s European Cybercrime Center says, “Criminals behind ransomware attacks are adapting their attack vectors, they’re more aggressive than in the past – they’re not only encrypting the files, they’re also exfiltrating data and making it available”. 

In order to defend your company from this kind of menace, you need to approach the matter from various angles: 

[Image: Sodinokibi ransomware – prevention strategy]

The first one is education-oriented:

BACKUP YOUR DATA! 

This might seem tech-related, but we think of it more as common knowledge: how could you not have backups for your essential data? You should store it both online and offline and take time to test your ability to revert to backups during a potential incident. 

Train your employees!

User awareness is one of the most reliable methods to prevent an attack, so make sure you take the time to educate your employees and advise them to report to the security teams as soon as they notice something unusual. They should be aware of phishing techniques and other social engineering tactics cybercriminals may use to get into your organisation.

The second one – technology-related:

Keep your systems up-to-date. 

Updates help you close the security holes that many viruses use to enter your computers. Since dealing with patches is a resource- and time-consuming task, the best option for staying safe from Sodinokibi and other ransomware is to deploy an automated solution like our X-Ploit Resilience Patch Management Software.


Antivirus is no longer enough to keep an organization’s systems secure.

Thor Foresight Enterprise

is our next-gen proactive shield that stops unknown threats
before they reach your system.
  • Machine learning powered scans for all incoming online traffic;
  • Stops data breaches before sensitive info can be exposed to the outside;
  • Automatic patches for your software and apps with no interruptions;
  • Protection against data leakage, APTs, ransomware and exploits;
Try it for FREE today Offer valid only for companies.

Protect your email. 

Many hackers rely on you not paying attention to what your emails actually contain and hope you’ll get infected by opening a malicious attachment or clicking on a fake link. Always hover over the links you want to access to make sure they lead where they’re supposed to lead, and never open attachments or access links received from unknown, unexpected or unwanted sources. You should also consider an email protection solution, like our MailSentry Email Security.


Email communications are the first entry point into an organization’s systems.

MailSentry

is the next-level mail protection system which secures all your
incoming and outgoing communications
  • Deep content scanning for attachments and links;
  • Phishing, spear phishing and man-in-the-email attacks;
  • Advanced spam filters which protect against sophisticated attacks;
  • Fraud prevention system against Business Email Compromise (BEC);
Try it for FREE today Offer valid only for companies.

Get a reliable antivirus. 

A good antivirus is essential for the cybersecurity of any company. To be as protected as you can be, we recommend you to choose a powerful tool that can offer DNS filtering, real-time scanning, traffic-based malware blocking and multi-layered AI-powered protection. You can also consider our Thor Premium Enterprise – a multi-layered security suite that brings together threat hunting, prevention, and mitigation in one package, for the best endpoint protection.

Wondering what to do in case of infection and how to remove Sodinokibi Ransomware?

In case your company is attacked or you hear that someone you know has troubles with Sodinokibi ransomware, the first thing you should know or tell them is to not pay the ransom! As the FBI says, 

In some cases, victims who paid a ransom were never provided with decryption keys. In addition, due to flaws in the encryption algorithms of certain malware variants, victims may not be able to recover some or all of their data even with a valid decryption key. Paying ransoms emboldens criminals to target other organizations and provides an alluring and lucrative enterprise to other criminals. However, the FBI understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers. Regardless of whether you or your organisation have decided to pay the ransom, the FBI urges you to report ransomware incidents to law enforcement. Doing so provides investigators with the critical information they need to track ransomware attackers, hold them accountable […], and prevent future attacks.

You can try to remove the ransomware and, at least partially, restore your data by following a few steps: 

Step 1: Remove Sodinokibi ransomware through “Safe Mode with Networking”

MalwareGuide explains: 

– for Windows XP / Windows 7

Boot the PC in “Safe Mode”. Click on the “Start” option and continuously press F8 during the start process until the “Windows Advanced Option” menu appears on the screen. Choose “Safe Mode with Networking” from the list. Now, a Windows home screen appears on the desktop and the work-station is working in “Safe mode with networking”.

– for Windows 8

Go to the “Start Screen”. In the search results select settings, type “Advanced”. In the “General PC Settings” option, choose the “Advanced startup” option. Again, click on the “Restart Now” option. The work-station boots to “Advanced Startup Option Menu”. Press on “Troubleshoot” and then “Advanced options” button. In the “Advanced Option Screen”, press on “Startup Settings”. Again, click on the “Restart” button. The work-station will now restart into the “Startup Setting” screen. Next is to press F5 to boot in Safe Mode in Networking.

– for Windows 10

Press on the Windows logo and on the “Power” icon. In the newly opened menu, choose “Restart” while continuously holding the “Shift” button on the keyboard. In the newly open “Choose an option” window, click on “Troubleshoot” and then on the “Advanced Options”. Select “Startup Settings” and press on “Restart”. In the next window, click on the “F5” button on the keyboard.

Step 2: Delete Sodinokibi ransomware using “System Restore”

At this step, MalwareGuide suggests: 

During the “Startup”, continuously press the F8 key until the “Advanced Option” menu appears. From the list, choose “Safe Mode with Command Prompt” and then press “Enter”. In the newly opened command prompt, enter “cd restore” and then press “Enter”. Type: rstrui.exe and press “ENTER”. Click “Next” on the new window. Choose any of the “Restore Points” and click on “Next”. (This step will restore the work-station to its earlier time and date, prior to the Sodinokibi ransomware infiltration of the PC.) In the newly opened window, press on “Yes”.

After the process is complete, you should use an anti-malware tool to scan for any Sodinokibi ransomware files left. 

Sodinokibi Ransomware: Wrapping Up 

Since there is no free decryption tool or foolproof method that can fully decrypt files encrypted by Sodinokibi, and paying the ransom to get your data back from the attackers should not be an option, prevention remains the most effective approach.

Whatever you choose, please remember that Heimdal™ Security always has your back and that our team is here to help you protect your home and your company and to create a cybersecurity culture to the benefit of anyone who wants to learn more about it. 

Drop a line below if you have any comments, questions or suggestions – we are all ears and can’t wait to hear your opinion!

The post Sodinokibi Ransomware 101: Origin, Victims, Prevention Strategies appeared first on Heimdal Security Blog.

Hashtag Trending – New Microsoft Office; Google Maps COVID overlay; Shopify employees steal data

Microsoft will release a new perpetual Office license in 2021, you’ll soon be able to use Google Maps to keep tabs on COVID outbreaks in your area, and Shopify nabs two employees who stole customer data.

The post Hashtag Trending - New Microsoft Office; Google Maps COVID overlay; Shopify employees steal data first appeared on IT World Canada.

Who is Tech Investor John Bernard?

John Bernard, the subject of a story here last week about a self-proclaimed millionaire investor who has bilked countless tech startups, appears to be a pseudonym for John Clifton Davies, a U.K. man who absconded from justice before being convicted on multiple counts of fraud in 2015. Prior to his conviction, Davies served 16 months in jail before being cleared of murdering his wife on their honeymoon in India.

The Private Office of John Bernard, which advertises itself as a capital investment firm based in Switzerland, has for years been listed on multiple investment sites as the home of a millionaire who made his fortunes in the dot-com boom 20 years ago and who has oodles of cash to invest in tech startups.

But as last week’s story noted, Bernard’s investment company is a bit like a bad slot machine that never pays out. KrebsOnSecurity interviewed multiple investment brokers who all told the same story: After promising to invest millions after one or two phone calls and with little or no pushback, Bernard would insist that companies pay tens of thousands of dollars worth of due diligence fees up front.

However, the due diligence company he insisted on using — another Swiss firm called Inside Knowledge — also was secretly owned by Bernard, who would invariably pull out of the deal after receiving the due diligence money.

Neither Mr. Bernard nor anyone from his various companies responded to multiple requests for comment over the past few weeks. What’s more, virtually all of the employee profiles tied to Bernard’s office have since last week removed those firms from their work experience as listed on their LinkedIn resumes — or else deleted their profiles altogether.

Sometime on Thursday John Bernard’s main website — the-private-office.ch — replaced the content on its homepage with a note saying it was closing up shop.

“We are pleased to announce that we are currently closing The Private Office fund as we have reached our intended investment level and that we now plan to focus on helping those companies we have invested into to grow and succeed,” the message reads.

As noted in last week’s story, the beauty of a scam like the one multiple investment brokers said was being run by Mr. Bernard is that companies bilked by small-time investment schemes rarely pursue legal action, mainly because the legal fees involved can quickly surpass the losses. What’s more, most victims will likely be too ashamed to come forward.

Also, John Bernard’s office typically did not reach out to investment brokers directly. Rather, he had his firm included on a list of angel investors focused on technology companies, so those seeking investments usually came to him.

Finally, multiple sources interviewed for this story said Bernard’s office offered a finders fee for any investment leads that brokers brought his way. While such commissions are not unusual, the amount promised — five percent of the total investment in a given firm that signed an agreement — is extremely generous. However, none of the investment brokers who spoke to KrebsOnSecurity were able to collect those fees, because Bernard’s office never actually consummated any of the deals they referred to him.

PAY NO ATTENTION TO THE EMPTY BOOKSHELVES

After last week’s story ran, KrebsOnSecurity heard from a number of other investment brokers who had near identical experiences with Bernard. Several said they at one point spoke with him via phone or Zoom conference calls, and that he had a distinctive British accent.

When questioned about why his staff was virtually all based in Ukraine when his companies were supposedly in Switzerland, Bernard replied that his wife was Ukrainian and that they were living there to be closer to her family.

One investment broker who recently got into a deal with Bernard shared a screenshot from a recent Zoom call with him. That screenshot shows that Bernard bears a striking resemblance to one John Clifton Davies, a 59-year-old from Milton Keynes, a large town in Buckinghamshire, England about 50 miles (80 km) northwest of London.

John Bernard (left) in a recent Zoom call, and a photo of John Clifton Davies from 2015.

In 2015, Mr. Davies was convicted of stealing more than GBP 750,000 from struggling companies looking to restructure their debt. For at least seven years, Davies ran multiple scam businesses that claimed to provide insolvency consulting to distressed companies, even though he was not licensed to do so.

“After gaining the firm’s trust, he took control of their assets and would later pocket the cash intended for creditors,” according to a U.K. news report from 2015. “After snatching the cash, Davies proceeded to spend the stolen money on a life of luxury, purchasing a new upmarket home fitted with a high-tech cinema system and new kitchen.”

Davies disappeared before he was convicted of fraud in 2015. Two years before that, Davies was released from prison after being held in custody for 16 months on suspicion of murdering his new bride in 2004 on their honeymoon in India.

Davies’ former wife Colette Davies, 39, died after falling 80 feet from a viewing point at a steep gorge in the Himachal Pradesh region of India. Mr. Davies was charged with murder and fraud after he attempted to collect GBP 132,000 in her life insurance payout, but British prosecutors ultimately conceded they did not have enough evidence to convict him.

THE SWISS AND UKRAINE CONNECTIONS

While the photos above are similar, there are other clues that suggest the two identities may be the same person. A review of business records tied to Davies’ phony insolvency consulting businesses between 2007 and 2013 provides some additional pointers.

John Clifton Davies’ former listing at the official U.K. business registrar Companies House shows his company was registered at the address 26 Dean Forest Way, Broughton, Milton Keynes.

A search on that street address at 4iq.com turns up several interesting results, including a listing for senecaequities.com registered to a John Davies at the email address john888@myswissmail.ch.

A Companies House official record for Seneca Equities puts it at John Davies’ old U.K. address at 26 Dean Forest Way and lists 46-year-old Iryna Davies as a director. “Iryna” is a uniquely Ukrainian spelling of the name Irene (the Russian equivalent is typically “Irina”).

A search on John Clifton Davies and Iryna turned up this 2013 story from The Daily Mirror which says Iryna is John C. Davies’ fourth wife, and that the two were married in 2010.

KrebsOnSecurity sought comment from both the U.K. police district that prosecuted Davies’ case and the U.K.’s National Crime Agency (NCA). Neither wished to comment on the findings. “We can neither confirm nor deny the existence of an investigation or subjects of interest,” a spokesperson for the NCA said.

This Week in Security News: Cybercriminals Distribute Backdoor with VPN Installer and New ‘Alien’ Malware can Steal Passwords from 226 Android Apps

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about how threat actors are bundling Windscribe VPN installers with backdoors. Also, read about a new strain of Android malware that comes with a wide array of features allowing it to steal credentials from 226 applications.

Read on:

Windows Backdoor Masquerading as VPN App Installer

This article discusses findings covered in a recent blog from Trend Micro where company researchers warn that Windows users looking to install a VPN app are in danger of downloading one that’s been bundled with a backdoor. The trojanized package in this specific case is the Windows installer for Windscribe VPN and contains the Bladabindi backdoor.

The Evolution of Malicious Shell Scripts

The Unix-programming community commonly uses shell scripts as a simple way to execute multiple Linux commands within a single file. Many users do this as part of a regular operational workload manipulating files, executing programs and printing text. However, as a shell interpreter is available in every Unix machine, it is also an interesting and dynamic tool abused by malicious actors.

Microsoft Says It Detected Active Attacks Leveraging Zerologon Vulnerability

Hackers are actively exploiting the Zerologon vulnerability in real-world attacks, Microsoft’s security intelligence team said on Thursday morning. The attacks were expected to happen, according to security industry experts. Multiple versions of weaponized proof-of-concept exploit code have been published online in freely downloadable form since details about the Zerologon vulnerability were revealed on September 14 by Dutch security firm Secura BV.

Stretched and Stressed: Best Practices for Protecting Security Workers’ Mental Health

Security work is stressful under the best of circumstances, but remote work presents its own challenges. In this article, learn how savvy security leaders can best support their teams today — wherever they’re working. Trend Micro’s senior director of HR for the Americas, Bob Kedrosky, weighs in on how Trend Micro is supporting its remote workers.

Exploitable Flaws Found in Facial Recognition Devices

To gain a more nuanced understanding of the security issues present in facial recognition devices, Trend Micro analyzed the security of four different models: ZKTeco FaceDepot-7B, Hikvision DS-K1T606MF, Telpo TPS980 and Megvii Koala. Trend Micro’s case studies show how these devices can be misused by malicious attackers.

New ‘Alien’ Malware Can Steal Passwords from 226 Android Apps

Security researchers have discovered and analyzed a new strain of Android malware that comes with a wide array of features allowing it to steal credentials from 226 applications. Named Alien, this new trojan has been active since the start of the year and has been offered as Malware-as-a-Service (MaaS) on underground hacking forums.

Government Software Provider Tyler Technologies Hit by Possible Ransomware Attack

Tyler Technologies, a Texas-based provider of software and services for the U.S. government, started informing customers this week of a security incident that is believed to have involved a piece of ransomware. Tyler’s website is currently unavailable and in emails sent out to customers the company said its internal phone and IT systems were accessed without authorization by an “unknown third party.”

U.S. Justice Department Charges APT41 Hackers Over Global Cyberattacks

On September 16, 2020, the United States Justice Department announced that it was charging five Chinese citizens with hacking crimes committed against over 100 institutions in the United States and abroad. The global hacking campaign went after a diverse range of targets, from video game companies and telecommunications enterprises to universities and non-profit organizations. The five individuals were reportedly connected to the hacking group known as APT41.

Phishers are Targeting Employees with Fake GDPR Compliance Reminders

Phishers are using a bogus GDPR compliance reminder to trick recipients – employees of businesses across several industry verticals – into handing over their email login credentials. In this evolving campaign, the attackers targeted mostly email addresses they could glean from company websites and, to a lesser extent, emails of people who are high in the organization’s hierarchy.

Mispadu Banking Trojan Resurfaces

Recent spam campaigns leading to the URSA/Mispadu banking trojan have been uncovered, as reported by malware analyst Pedro Tavares in a Twitter post and by Seguranca Informatica in a blog post. Mispadu malware steals credentials from users’ systems. This attack targets systems with Spanish and Portuguese as system languages.

A Blind Spot in ICS Security: The Protocol Gateway Part 3: What ICS Security Administrators Can Do

In this blog series, Trend Micro analyzes the impacts of the serious vulnerabilities detected in the protocol gateways that are essential when shifting to smart factories and discusses the security countermeasures that security administrators in those factories must take. In the final part of this series, Trend Micro describes a stealth attack method that abuses a vulnerability as well as informs readers of a vital point of security measures required for the future ICS environment.

Major Instagram App Bug Could’ve Given Hackers Remote Access to Your Phone

Check Point researchers disclosed details about a critical vulnerability in Instagram’s Android app that could have allowed remote attackers to take control over a targeted device just by sending victims a specially crafted image. The flaw lets attackers perform actions on behalf of the user within the Instagram app, including spying on victim’s private messages and deleting or posting photos from their accounts, as well as execute arbitrary code on the device.

Addressing Threats Like Ryuk via Trend Micro XDR

Ryuk has recently been one of the most noteworthy ransomware families and is perhaps the best representation of the new paradigm in ransomware attacks where malicious actors go for quality over sheer quantity. In 2019, the Trend Micro™ Managed XDR and Incident Response teams investigated an incident concerning a Trend Micro customer that was infected with the Ryuk ransomware.

What are your thoughts on the Android Instagram app bug that could allow remote access to user’s phones? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Cybercriminals Distribute Backdoor with VPN Installer and New ‘Alien’ Malware can Steal Passwords from 226 Android Apps appeared first on .

A closer look at Microsoft Azure Arc

The promise of Azure Arc is to bring the simplicity of the cloud control plane into the data center. A year after its announcement, with the core platform now going GA, we thought it would be a good time for a deeper dive into how Azure Arc actually works.

Cyber Security Today – More ransomware, another clumsy employee, beware of these social media tricks, online gamers attacked and more

Today's podcast reports on a suspected ransomware attack on a US firm, another clumsy employee leaving a database open, social media users being tricked, and why online gamers are targeted by hackers.

The post Cyber Security Today - More ransomware, another clumsy employee, beware of these social media tricks, online gamers attacked and more first appeared on IT World Canada.

1Password and Privacy.com let consumers create virtual cards to ensure safe online payments

Two companies founded on security and privacy are partnering to make online payments quicker and safer. Password manager 1Password and virtual card platform Privacy.com announced an API integration that lets users create virtual cards in their browser quickly and safely when they need to make a payment. The FTC reports that credit card fraud is by far the most common type of identity theft, occurring in 41.8% of all identity theft reports. According to Javelin … More

The post 1Password and Privacy.com let consumers create virtual cards to ensure safe online payments appeared first on Help Net Security.

Mount Locker Ransomware Demanding Ransom Payments in the Millions

A new ransomware strain called “Mount Locker” is demanding that victims pay multi-million dollar ransom payments to recover their data. According to Bleeping Computer, the ransomware first began making the rounds in July 2020. The malicious actors responsible for this threat took a cue from other crypto-malware gangs by stealing victims’ unencrypted data and threatening […]… Read More

The post Mount Locker Ransomware Demanding Ransom Payments in the Millions appeared first on The State of Security.

Facebook Takes Down More Beijing-Backed Fake Accounts

Facebook has been forced to remove over 150 fake accounts tied to Beijing’s efforts to influence public opinion in south-east Asia.

The social media giant describes influence operations like this as “coordinated inauthentic behavior” (CIB), as those behind them use fake profiles to “mislead people about who they are and what they are doing.”

In total, Facebook removed 155 accounts, 11 Pages, nine Groups and six Instagram accounts for violating its policy against CIB on behalf of a government or foreign entity.

Although those coordinating the campaign used VPNs and other techniques to try and stay hidden, they were traced back to the Fujian province of China. They sought both to amplify their own content and like and comment on the posts of others, particularly about naval activity in the geopolitical flashpoint of the South China Sea.

“In south-east Asia where this network focused most of its activity, they posted in Chinese, Filipino and English about global news and current events including Beijing’s interests in the South China Sea; Hong Kong; content supportive of President Rodrigo Duterte and Sarah Duterte’s potential run in the 2022 Presidential election; criticism of Rappler, an independent news organization in the Philippines; issues relevant to the overseas Filipino workers; and praise and some criticism of China,” noted head of security policy, Nathaniel Gleicher.

“In the US, where this network focused the least and gained almost no following, they posted content both in support of and against presidential candidates Pete Buttigieg, Joe Biden and Donald Trump.”

He claimed that over 133,000 accounts followed the fake Pages and over 66,000 people joined at least one of the Groups, with 150 accounts following the fake Instagram profiles.

This is the second time China has been implicated in CIB: a year ago a small network of fake accounts was revealed to be trying to influence public opinion on the Hong Kong protests.

The Chinese government has also been blamed for orchestrating similar campaigns on Twitter.

Fortinet VPN with Default Settings Leave 200,000 Businesses Open to Hackers

As the pandemic continues to accelerate the shift towards working from home, a slew of digital threats have capitalized on the health concern to exploit weaknesses in the remote work infrastructure and carry out malicious attacks. Now according to network security platform provider SAM Seamless Network, over 200,000 businesses that have deployed the Fortigate VPN solution—with default

#COVID19 Pushes More Fraud Online

Fraudsters are increasingly moving online to cash-in on the COVID-19 pandemic, although overall unauthorized fraud losses dropped in the first half of 2020, according to UK Finance.

The banking industry body’s 2020 Half Year Fraud Update revealed some promising headline findings.

Unauthorized fraud losses were down 8% year-on-year to £374.3m, while authorized push payment (APP) losses remained static at around £208m, although the number of APP cases jumped 15% over the period.

However, the bigger picture is that cyber-criminals are turning away from traditional methods of fraud such as contactless (down 20%) and cheque (down 78%) due to the reduced number of face-to-face transactions during the pandemic.

As a result, more fraud is migrating online in phishing emails and texts and unsolicited scam phone calls designed to harvest personal and financial details. These social engineering efforts may include impersonation of government officials, banking staff, airlines and travel agencies, and IT and software providers, UK Finance said.

The bad news is that the impact of these changes in fraud patterns is yet to be fully revealed, as the stolen data in many cases has yet to be used in follow-on fraud.

Elsewhere, UK Finance claimed that e-commerce fraud in the first half of the year, at £183m, was largely the same as in 1H 2019. However, remote banking fraud losses soared 21% to reach £80m, while the number of cases jumped 59% year-on-year to nearly 30,000.

UK Finance said it has also seen a rise in investment scams, with FCA-regulated firms often spoofed in advertising on search engines and social media sites. There’s also been a spike in purchase scams, including sale of counterfeit or non-existent PPE and home testing kits.

UK Finance managing director of economic crime, Katy Worobec, urged the public to stop and think before responding to unsolicited messages or calls.

“Criminals have ruthlessly adapted to this pandemic with scams exploiting the rise in people working from home and spending time online. These range from investment scams promoted on social media and search engines to the use of phishing emails and fake websites to harvest people’s data,” she added.

“The banking industry is working hard to protect customers from this threat, with almost £7 in £10 of fraud prevented in the first half of this year, but we need the public to remain vigilant against scams and remember that criminals are experts at exploiting events like COVID-19 to impersonate trusted organizations.”

CISA says federal agency compromised by malicious cyber actor

Cybersecurity and Infrastructure Security Agency (CISA) revealed that a hacker breached a US federal agency and exfiltrated data.

CISA published a detailed analysis report on the incident but did not disclose the name of the hacked agency. The threat actors implanted malware on the unnamed federal agency’s network that was able to evade detection.

“The Cybersecurity and Infrastructure Security Agency (CISA) responded to a recent threat actor’s cyberattack on a federal agency’s enterprise network.” reads the analysis report published by CISA. “By leveraging compromised credentials, the cyber threat actor implanted sophisticated malware—including multi-stage malware that evaded the affected agency’s anti-malware protection—and gained persistent access through two reverse Socket Secure (SOCKS) proxies that exploited weaknesses in the agency’s firewall.”

The intrusion was detected by EINSTEIN, the intrusion detection system CISA uses to monitor federal civilian networks.

The threat actors initially leveraged compromised credentials for Microsoft Office 365 (O365) accounts, domain administrator accounts, and credentials for the agency’s Pulse Secure VPN server.

“First the threat actor logged into a user’s O365 account from Internet Protocol (IP) address 91.219.236[.]166 and then browsed pages on a SharePoint site and downloaded a file (Data from Information Repositories: SharePoint [T1213.002]). The cyber threat actor connected multiple times by Transmission Control Protocol (TCP) from IP address 185.86.151[.]223 to the victim organization’s virtual private network (VPN) server (Exploit Public-Facing Application [T1190]).” continues the report.

CISA analysts speculate that the attackers obtained the credentials from an unpatched agency VPN server by exploiting CVE-2019-11510 in Pulse Secure.

Once logged into the Office 365 accounts, the attackers attempted to view and download help desk email attachments with “Intranet access” and “VPN passwords” in the subject line. They did this to gather additional information on the target network; they also enumerated Active Directory and the Group Policy key and changed a registry key for the Group Policy.

To establish persistence and command and control on the federal agency’s network, the attackers created a persistent Secure Shell (SSH) tunnel/reverse SOCKS proxy.

The intruders also mounted a remote share on the agency’s network from a hard drive they controlled, as a locally mounted file share.

“The mounted file share allowed the actor to freely move during its operations while leaving fewer artifacts for forensic analysis,” the report continues.

The attackers created a local account that allowed them to browse the local network, run PowerShell commands, and stage data for exfiltration in compressed ZIP archives containing multiple files and directories. CISA could not confirm whether the attackers actually exfiltrated these ZIP archives.

According to CISA, the malware installed on the network of the federal agency was able to overcome the agency’s anti-malware protection, and inetinfo.exe escaped quarantine.

Additional technical details, including Indicators of Compromise (IoCs) are included in the Analysis Report published by CISA.

Pierluigi Paganini

(SecurityAffairs – hacking, federal agency)

The post CISA says federal agency compromised by malicious cyber actor appeared first on Security Affairs.

Zerologon Windows Server Flaw Used in Active Attacks

Microsoft has warned that a critical vulnerability it patched in August is now being actively exploited in the wild, enabling attackers to remotely control a target organization’s Windows domain.

Also known as “Zerologon,” CVE-2020-1472 is a critical elevation of privilege bug affecting Windows Server 2008 R2 and later. It exists when an attacker uses the Netlogon Remote Protocol to establish a vulnerable secure channel connection to a domain controller, according to Microsoft.

According to the US Cybersecurity and Infrastructure Security Agency (CISA) it could allow an unauthenticated attacker with network access to a domain controller to completely compromise all Active Directory identity services — and with them the entire network.

In a sign of the criticality of the bug, CISA issued an emergency directive a week ago ordering all federal civilian agencies to patch the flaw by end-of-play last Monday. It poses an “unacceptable risk” to government IT systems, it said in the alert.

Although at the time, only proof-of-concept exploits were circulating, the vulnerability is now being actively used in attacks, Microsoft warned yesterday.

“Microsoft is actively tracking threat actor activity using exploits for the CVE-2020-1472 Netlogon EoP vulnerability, dubbed Zerologon. We have observed attacks where public exploits have been incorporated into attacker playbooks,” it tweeted.

“We will continue to monitor developments and update the threat analytics report with latest info. We strongly recommend customers to immediately apply security updates for CVE-2020-1472. Microsoft 365 customers can use threat and vulnerability management data to see patching status.”

Although many organizations may have delayed patching due to concerns over disruption to legacy apps, Axonius CEO, Dean Sysman, argued that many may not even know they’re running exposed systems.

“Despite having many tools that provide data on assets and networks, these solutions and the data they provide are often siloed, outdated and lack actionable context,” he added.

“Security teams find it nearly impossible to maintain a comprehensive asset inventory and know whether those assets are properly secured. Without this visibility, organizations are at risk — even in the case of known vulnerabilities.”

Scott Caveza, Tenable research engineering manager, urged system administrators to take immediate action.

“Given the flaw is easily exploitable and would allow an attacker to completely take over a Windows domain, it should come as no surprise that we’re seeing attacks in the wild,” he said.

“Administrators should prioritize patching this flaw as soon as possible. Based on the rapid speed of exploitation already, we anticipate this flaw will be a popular choice amongst attackers and integrated into malicious campaigns.”
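
Both Zerologon items on this page (the roundup entry above and this article) say the same two things: patch, and assume the public exploits are already in attacker playbooks. What neither gives is the check an administrator runs to know where a domain controller actually stands. The block below is an added example, not code from the articles or from Microsoft; it assumes an elevated Windows PowerShell session on each domain controller. The registry value and event IDs are the ones Microsoft documented with the August 2020 Netlogon update; the seven-day look-back window is an assumption.

```powershell
# Added example, not code from the Infosecurity article or from Microsoft:
# exposure and hunting checks for CVE-2020-1472 (Zerologon), run in an
# elevated Windows PowerShell session on each domain controller. The registry
# value and event IDs are the ones Microsoft documented with the August 2020
# Netlogon update; the 7-day look-back window is an assumption.

# 1. Enforcement mode. After the August 2020 update is installed, setting
#    FullSecureChannelProtection = 1 makes the DC refuse vulnerable Netlogon
#    secure channel connections from every account. Unset or 0 leaves the DC
#    in the initial deployment phase, which only logs them; Microsoft's
#    enforcement phase was scheduled for February 2021.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$mode = (Get-ItemProperty -Path $key -Name FullSecureChannelProtection -ErrorAction SilentlyContinue).FullSecureChannelProtection
if ($mode -eq 1) {
    'Enforcement mode ON: vulnerable Netlogon connections are denied.'
}
else {
    'Enforcement mode OFF or unset: vulnerable connections are only logged (event 5829).'
}

# Hardening step once the DC is patched and event 5829 has been quiet for a
# while (uncomment to apply):
# Set-ItemProperty -Path $key -Name FullSecureChannelProtection -Value 1 -Type DWord

# 2. Hunt in the System log. The patched Netlogon service writes:
#    5827 / 5828  vulnerable connection DENIED (machine account / trust account)
#    5829         vulnerable connection ALLOWED because enforcement is off
#    5830 / 5831  allowed because the account is listed in the "Domain
#                 controller: Allow vulnerable Netlogon secure channel
#                 connections" group policy
$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'NETLOGON'
        Id           = 5827, 5828, 5829, 5830, 5831
        StartTime    = $since
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -Wrap

# 3. Hunt in the Security log. A successful exploit resets the DC's own
#    machine account password over the unauthenticated channel, which is
#    logged as 4742 (computer account changed) with ANONYMOUS LOGON as the
#    subject. Any hit here means the domain should be treated as compromised.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4742; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'ANONYMOUS LOGON' } |
    Select-Object TimeCreated, Id, Message |
    Format-Table -Wrap
```

Read the output in that order: an unpatched DC writes none of the 58xx events at all, so silence there is not reassurance until you have confirmed the update is installed; a patched DC that keeps logging 5829 has legitimate legacy devices to fix (or policy-list) before enforcement can be switched on; and a single anonymous 4742 on a DC account is an incident, not a tuning question.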

Report Outlines Importance of Providing Engaging User Awareness Training

The way cybersecurity awareness training is conducted in organizations has a huge bearing on employees’ subsequent security outlook and behaviors, according to a new report from Osterman Research.

The researchers discovered that users who found security training “very interesting” were more than 13 times as likely to make “fundamental changes” to how they think about security as those who considered the training “boring.”

The survey of 1,000 US everyday employees, IT managers and decision makers also found that the quantity of security awareness training given makes a major difference, with the ability of staff to spot and deal with security threats such as phishing and business email compromise improving as more training is provided.

Encouragingly, it appears as though organizations are set to place much greater emphasis on security awareness training going forward, with around 45% of employees surveyed expecting to spend 15 minutes or more per month in training by mid-2021, a substantial rise from 26% in 2020. In addition, this type of training was regarded as just as important as technology in dealing with security threats by respondents.

Despite this, the authors said that although organizations generally want to establish a strong cybersecurity culture, IT, security and business leaders are not effectively conveying that idea to a large proportion of their employees, with senior IT and business management much more enthusiastic about security awareness training than non-management employees.

Overall, the report noted that “security and IT leaders, their staff members, and business leaders are largely onboard with the idea that developing a strong cybersecurity culture is important; everyday employees, however, are much less convinced about the importance of doing so, indicating that the goal of developing a robust security culture has not yet been achieved in most organizations.”

Lisa Plaggemier, chief strategist at MediaPRO, which co-sponsored the research, added: “Security awareness training doesn’t do anyone any good if they sleep through it. You can deliver the best security advice in the world, but if no one is listening, you might as well be talking to a brick wall.

“Good security awareness training should get and keep your attention. That’s what it means to be engaging.”

Polish police shut down major group of hackers in the country

Polish police dismantled a major group of hackers that was behind several criminal activities, including ransomware attacks, and banking fraud.

Polish authorities have dismantled a major hacker group that was involved in multiple cybercrime activities, including ransomware attacks, malware distribution, SIM swapping, banking fraud, running rogue online stores, and even making bomb threats at the behest of paying customers.

The gang, composed of four suspects, is believed to be among the most active groups in the country.

“Today, the Polish authorities are announcing the arrest of 4 suspected hackers as part of a coordinated strike against cybercrime. Those arrested are believed to be among the most active cybercriminals in the country.” reads the press release published by Europol.

“This operation was carried out by the Polish Police Central Bureau of Investigation (Centralne Biuro Śledcze Policji) under the supervision of the Regional Prosecutor’s Office in Warsaw (Prokuratura Regionalna w Warszawie), together with the cybercrime departments of provincial police headquarters and Europol.”

The arrests are the result of an investigation that began in May 2019, when the group sent a first bomb threat to a school in Łęczyca after being paid by an individual named Łukasz K.

According to local media, the hackers sent the threat from a spoofed email address belonging to a businessman who was a rival of the victim; as a result, the police arrested the businessman and held him for two days. Once the police established that he had nothing to do with the threat, he was released, and he hired a private investigator to find out who was behind the bomb alert.

When the group learned that the man had been released, they broke into a Polish mobile operator’s systems and generated invoices for thousands of zlotys in the names of both the detective and the businessman.

The group is behind several bomb threats that targeted multiple organizations, including the Western Railway Station in Warsaw and 1,066 kindergartens across the country.

According to Europol’s press release, the gang was involved in many other criminal activities, including:

  • Malware distribution: two members of the gang were involved in distributing malware, including Remote Access Tools (RATs) and mobile malware, to over 1,000 people across Poland. The malware was distributed through phishing messages impersonating government institutions. According to the news site Zaufana Trzecia Strona, the hackers distributed both Windows and Android malware, including Cerberus, Anubis, Danabot, Emotet and njRAT.
  • SIM swapping: personal data, including bank account credentials stolen with the malware, was used in SIM swapping attacks. The crooks were able to steal over €147,000 (PLN 662,000) from their victims’ bank accounts.
  • E-commerce fraud: one member of the gang was running 50 fake online shops and defrauded approximately 10,000 people.

Zaufana Trzecia Strona revealed the names of the individuals arrested by the police:

  • Kamil S., known as Razzputin in the ToRepublic days (he has since used other pseudonyms),
  • Paweł K., operating under the pseudonym Manster_Team, who until recently acted as the group’s “banker”,
  • Janusz K., an IT technician and one of the most active and versatile perpetrators of most of the crimes described above,
  • Łukasz K., also an important figure in the underground world
  • as well as Mateusz S., Radosław S., Joanna S. and Beata P.

Pierluigi Paganini

The post Polish police shut down major group of hackers in the country appeared first on Security Affairs.

Using virtualization to isolate risky applications and other endpoint threats

More and more security professionals are realizing that it’s impossible to fully secure a Windows machine – with all its legacy components and millions of potentially vulnerable lines of code – from within the OS. With attacks becoming more sophisticated than ever, hypervisor-based security, from below the OS, becomes a necessity. Unlike modern OS kernels, hypervisors are designed for a very specific task. Their code is usually very small, well-reviewed and tested, making them very … More

The post Using virtualization to isolate risky applications and other endpoint threats appeared first on Help Net Security.

CEO Fraud

CEO Fraud / BEC is a type of targeted attack. It commonly involves a cyber criminal pretending to be your boss, then tricking you into sending the criminal highly sensitive information or initiating a wire transfer. Be highly suspicious of any email demanding immediate action and/or asking you to bypass security procedures.

Layered security becomes critical as malware attacks rise

Despite an 8% decrease in overall malware detections in Q2 2020, 70% of all attacks involved zero day malware (variants that circumvent antivirus signatures), a 12% increase over the previous quarter, WatchGuard found.

Malware detections during Q2 2020

Attackers are continuing to leverage evasive and encrypted threats. Zero day malware made up more than two-thirds of the total detections in Q2, while attacks sent over encrypted HTTPS connections accounted for 34%. This … More

The post Layered security becomes critical as malware attacks rise appeared first on Help Net Security.

What are the most hack-resistant industries?

Government and financial service sectors globally are the most hack-resistant industries in 2020, according to Synack. Government and financial services scored 15 percent and 11 percent higher, respectively, than all other industries in 2020. Government agencies earned the top spot in part due to reducing the time it takes to remediate exploitable vulnerabilities by 73 percent. Throughout the year, both sectors faced unprecedented challenges due to the global pandemic, but still maintained a commitment to … More

The post What are the most hack-resistant industries? appeared first on Help Net Security.

Large vendor ecosystems and low visibility increase third-party cyber risk

80% of organizations experienced a cybersecurity breach that originated from vulnerabilities in their vendor ecosystem in the past 12 months, and the average organization had been breached in this way 2.7 times, according to a BlueVoyant survey. The research also found organizations are experiencing multiple pain points across their cyber risk management program as they aim to mitigate risk across a network that typically encompasses 1409 vendors. The study was conducted by Opinion Matters and … More

The post Large vendor ecosystems and low visibility increase third-party cyber risk appeared first on Help Net Security.

Expansion opportunities in the next-generation wireless BSS market

Business support systems (BSS) are necessary to meet the fast-changing requirements of 5G and enhance customer experiences, Frost & Sullivan research reveals. They also help communication service providers (CSPs) deliver personalized service experiences for consumers and businesses.

BSS market could experience a slowdown

Vendors have introduced advanced BSS features, including the ability to support flexible deployments (core and edge) and options for network slice lifecycle management, which are critical in helping CSPs deliver on … More

The post Expansion opportunities in the next-generation wireless BSS market appeared first on Help Net Security.

Honeywell launches web-based user interface that provides orgs complete situational awareness

Honeywell announced the release of Pro-Watch Integrated Security Suite, a software platform designed to help protect people and property, optimize productivity and ensure compliance with industry regulations. The platform provides complete visibility of all connected systems and the scalability of the software makes it easy to grow with the changing needs of a business. Pro-Watch Intelligent Command is a web-based user interface that provides organizations complete situational awareness of their security system to protect people, … More

The post Honeywell launches web-based user interface that provides orgs complete situational awareness appeared first on Help Net Security.

TIBCO Any Data Hub: Simplifying data unification

TIBCO empowers its customers to connect, unify, and confidently predict business outcomes, solving the world’s most complex data-driven challenges. TIBCO announced the launch of the TIBCO Any Data Hub, an all-encompassing data management blueprint that embraces distributed data environments. The framework offers necessary capabilities to support the demand for accurate and consistent data across the organization with trust and control, aligning IT and the business. Organizations continue to encounter issues managing inconsistent data and unifying … More

The post TIBCO Any Data Hub: Simplifying data unification appeared first on Help Net Security.

Intel announces new processors enhanced specifically for essential IoT applications

Intel announced new enhanced internet of things (IoT) capabilities. The 11th Gen Intel Core processors, Intel Atom x6000E series, and Intel Pentium and Celeron N and J series bring new artificial intelligence (AI), security, functional safety and real-time capabilities to edge customers. With a robust hardware and software portfolio, an unparalleled ecosystem and 15,000 customer deployments globally, Intel is providing robust solutions for the $65 billion edge silicon market opportunity by 2024. “By 2023, up … More

The post Intel announces new processors enhanced specifically for essential IoT applications appeared first on Help Net Security.

SolarWinds expands monitoring capabilities within the Cisco Meraki Marketplace

SolarWinds announced an expansion of their monitoring capabilities within the Cisco Meraki Marketplace, which is now able to integrate the Cisco Meraki Dashboard API with SolarWinds N-central. Through this expanded integration, MSPs will be able to more easily discover and monitor Cisco Meraki devices from within their N-central dashboards. The announcement further underscores the SolarWinds commitment to fuel partner success and help MSPs create a more connected and efficient ecosystem. The integration will include routers, … More

The post SolarWinds expands monitoring capabilities within the Cisco Meraki Marketplace appeared first on Help Net Security.

CrowdStrike acquires Preempt to provide zero trust security architecture and threat protection

CrowdStrike announced it has agreed to acquire Preempt Security, provider of zero trust and conditional access technology for real-time access control and threat prevention. Under the terms of the agreement, CrowdStrike will pay approximately $96 million to acquire Preempt Security, subject to adjustments. The acquisition is expected to close during CrowdStrike’s fiscal third quarter, subject to customary closing conditions. Customers are actively looking for effective technologies that enhance their abilities to detect advanced adversaries that … More

The post CrowdStrike acquires Preempt to provide zero trust security architecture and threat protection appeared first on Help Net Security.

FiRa Consortium adds 21 new members to drive expansion of UWB technology

The FiRa Consortium announced fast-paced growth of its member network. Across its six membership levels, the FiRa Consortium has recently added 21 new members, each bringing expertise in support of expanding the use of UWB technology to establish an interoperable UWB-enabled ecosystem. Thales, the newest Sponsor member, takes a seat on the FiRa Consortium Board of Directors, joining industry leaders Allegion, Bosch, HID, NXP, Qorvo and Samsung. Thales aims to bring its expertise to promote … More

The post FiRa Consortium adds 21 new members to drive expansion of UWB technology appeared first on Help Net Security.

Drop Everything and Secure Remote Workforce, Gartner Warns

10 Top Near-Term Security Projects Start With Revisiting Security for Remote Workers
Revisiting remote workforce security defenses, simplifying cloud access controls and pursuing risk-based vulnerability management and passwordless authentication are among the 10 security projects that all organizations should consider for this year and next, according to advisory firm Gartner.

Lessons to Learn From Shopify Data Breach

Security Experts Call for 'Zero Trust' Approach, Enhanced IAM
Shopify's announcement this week that two employees inappropriately accessed transactional data from 200 of the merchants that use its e-commerce platform demonstrates the importance of taking a "zero trust" approach to security and improving identity and access management capabilities, security experts say.

Microsoft Security—detecting empires in the cloud

Microsoft consistently tracks the most advanced threat actors and evolving attack techniques. We use these findings to harden our products and platform and share them with the security community to help defenders everywhere better protect the planet.

Recently, the Microsoft Threat Intelligence Center (MSTIC) observed an actor we call GADOLINIUM evolving its techniques: it uses cloud services and open-source tools to enhance the weaponization of its malware payload, to establish command and control through to server-side infrastructure, and to evade detection. These attacks were delivered via spear-phishing emails with malicious attachments; they were detected and blocked by Microsoft 365 Defender, formerly Microsoft Threat Protection (MTP), and can also be detected using Azure Sentinel.

As these attacks were detected, Microsoft took proactive steps to prevent attackers from using our cloud infrastructure to execute their attacks and suspended 18 Azure Active Directory applications that we determined to be part of their malicious command & control infrastructure. This action helped transparently protect our customers without requiring additional work on their end.

GADOLINIUM is a nation-state activity group that has been compromising targets for nearly a decade with a worldwide focus on the maritime and health industries. As with most threat groups, GADOLINIUM tracks the tools and techniques published by security practitioners, looking for ones it can use or modify to create new exploit methods.

Recently, MSTIC has observed newly expanded targeting outside of those sectors to include the Asia Pacific region and other targets in higher education and regional government organizations. As GADOLINIUM has evolved, MSTIC has continued to monitor its activity and work alongside our product security teams to implement customer protections against these attacks.

Historically, GADOLINIUM used custom-crafted malware families that analysts can identify and defend against. In response, over the last year GADOLINIUM has begun to modify portions of its toolchain to use open-source toolkits, to obfuscate its activity and make it more difficult for analysts to track. Because cloud services frequently offer free trials or pay-as-you-go (PayGo) accounts, malicious actors have found ways to abuse these legitimate business offerings: by establishing free or PayGo accounts, they can quickly stand up malicious infrastructure in the cloud, then tear it down before detection or abandon it at little cost.

The following GADOLINIUM technique profile is designed to give security practitioners who may be targeted by this specific actor’s activity insight and information that will help them better protect from these attacks.

2016: Experimenting in the cloud

GADOLINIUM has been experimenting with cloud services to deliver its attacks, and to increase both operational speed and scale, for years. The image in Figure 1 is from a GADOLINIUM-controlled Microsoft TechNet profile established in 2016. This early use of a TechNet profile’s contact widget involved embedding a very small text link that contained an encoded command for the malware to read.

Figure 1: GADOLINIUM controlled TechNet profile with embedded malware link.

2018: Developing attacks in the cloud

In 2018 GADOLINIUM returned to using cloud services, but this time it chose GitHub to host commands. The image in Figure 2 shows the commit history of a forked repository that GADOLINIUM controlled; the actors updated markdown text in this repository to issue new commands to victim computers. MSTIC has worked with our colleagues at GitHub to take down the actor accounts and disrupt GADOLINIUM operations on the GitHub platform.

Figure 2: GitHub repository controlled by GADOLINIUM.

2019-2020: Hiding in plain sight using open source

GADOLINIUM’s evolving techniques
Two of the most recent attack chains, in 2019 and 2020, were delivered by GADOLINIUM using similar tactics and techniques. Below is a summary view of how these attack techniques have evolved, followed by a detailed analysis of each step that security practitioners can use to better understand the threat and what defenses to implement to counter the attacks.

Summary view of how these attack techniques have evolved.

Weaponization
In the last year, Microsoft has observed GADOLINIUM migrate portions of its toolchain to techniques based on open-source kits. GADOLINIUM is not alone in this move: MSTIC has noticed a slow trend of several nation-state activity groups migrating to open-source tools in recent years. MSTIC assesses this move is an attempt to make discovery and attribution more difficult. Another benefit of open-source kits is that development and new features come from someone else at no cost. However, using open-source tools isn’t always a silver bullet for obfuscation and blending into the noise.

Delivery & Exploitation (2019)
In 2019, we discovered GADOLINIUM delivering malicious Access database files to targets. The initial malicious file was an Access 2013 database (.accde format). This dropped a fake Word document that was opened along with an Excel spreadsheet and a file called mm.accdb.core which was subsequently executed. The file mm.accdb.core is a VBA dropper, based on the CactusTorch VBA module, which loads a .NET DLL payload, sets configuration information, and then runs the payload. Office 365 ATP detects and blocks malicious Microsoft Access database attachments in email. A redacted example of the configuration is displayed below.

Figure 3: VBA setting config and calling the “Run” function of the payload

Command and Control (2019)
Having gained access to a victim machine, the payload uses attachments to Outlook Tasks as its command and control (C2) mechanism. It obtains a GADOLINIUM-controlled OAuth access token from login.microsoftonline.com and uses it to call the Outlook Task API to check for tasks. The attacker uses attachments to Outlook tasks to send commands or .NET payloads for execution; on the victim end, the malware adds the output of those commands as a further attachment to the Outlook task.

Interestingly, the malware contains compiled code paths that do not appear to have been used in the attacks we saw. In addition to the Outlook Tasks API method described above, this extra code contains two other ways of using Office 365 as C2: the Outlook Contacts API (get and add contacts) and the OneDrive API (list a directory, get and add a file).

Actions on Objective (2019)
GADOLINIUM used several different payloads to achieve its exploitation or intrusion objectives including a range of PowerShell scripts to execute file commands (read/write/list etc.) to enable C2 or perform SMB commands (upload/download/delete etc.) to potentially exfiltrate data.

LazyCat, one of the tools used by GADOLINIUM, includes privilege escalation and credential dumping capability to enable lateral movement across a victim network. Microsoft 365 Defender for Endpoint detects the privilege escalation technique used:

Figure 4: Microsoft Defender ATP alert of a detected privilege escalation attempt.

LazyCat performs credential dumping through usage of the MiniDumpWriteDump Windows API call, also detected by Microsoft 365 Defender for Endpoint:

Figure 5: Microsoft Defender ATP alert of detected credential dumping activity.

Delivery (2020)
In mid-April 2020 GADOLINIUM actors were detected sending spear-phishing emails with malicious attachments. The attachments were named to appeal to the target’s interest in the COVID-19 pandemic. The PowerPoint file (20200423-sitrep-92-covid-19.ppt), when opened, dropped a file, doc1.dotm. As in the 2019 example, Microsoft 365 Defender for Office detects and blocks emails with these malicious PowerPoint and Word attachments.

Command and Control (2020)
The malicious doc1.dotm had two payloads which run in succession.

  • The first payload turns off a .NET type check (DisableActivitySurrogateSelectorTypeCheck) that must be disabled for the second stage to work; the technique is discussed in a separate, linked blog post.
  • The second payload loads an embedded .NET binary which downloads, decrypts and runs a .png file.

The .png is actually a PowerShell script that downloads and uploads fake .png files through the Microsoft Graph API at https://graph.microsoft.com/v1.0/drive/root:/onlinework/contact/$($ID)_1.png:/content, where $ID is the malware’s own identifier. The GADOLINIUM PowerShell is a modified version of the open-source PowerShell Empire toolkit.

Actions on Objectives (2020)
The GADOLINIUM PowerShell Empire toolkit allows the attacker to load additional modules onto victim computers seamlessly via Microsoft Graph API calls. It provides a command and control module that uses the attacker’s Microsoft OneDrive account to exchange commands and results between attacker and victim systems. The use of this PowerShell Empire module is particularly challenging for traditional SOC monitoring to identify. The attacker uses an Azure Active Directory application to configure a victim endpoint with the permissions needed to exfiltrate data to the attacker’s own Microsoft OneDrive storage. From an endpoint or network monitoring perspective the activity initially appears to be related to trusted applications using trusted cloud service APIs and, in this scenario, no OAuth permission consent prompts occur. Later in this blog post, we will provide additional information about how Microsoft proactively prevents attackers from using our cloud infrastructure in these ways.
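As an added example (not Microsoft’s code, and not part of the original post), the following Python hunts for this cloud-API C2 pattern in a per-process network telemetry export. The export format (tab-separated timestamp, host, process image, HTTP method, URL), the host and process names, and the list of script hosts are assumptions, and the telemetry lines are constructed. The first rule matches the exact Graph path quoted above; the second, weaker rule generalizes it to any script host transferring OneDrive file content through Graph, which also covers the OneDrive-based code path noted in the 2019 sample.

```python
"""Hunt for GADOLINIUM-style cloud-API command and control in endpoint network telemetry.

Added example (not Microsoft's code). Input is a constructed, tab-separated export of
per-process network events: timestamp, host, process image, HTTP method, URL.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Exact path shape quoted in the post for the 2020 campaign:
#   /v1.0/drive/root:/onlinework/contact/<ID>_1.png:/content
GADOLINIUM_PNG_PATH = re.compile(
    r"^/v1\.0/drive/root:/onlinework/contact/[^/]+_1\.png:/content$"
)

# Assumption: in this environment, script hosts do not normally move OneDrive
# file content through Graph directly. Tune this list per environment.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}


@dataclass(frozen=True)
class NetEvent:
    ts: str
    host: str
    process: str
    method: str
    url: str


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" (campaign-specific path) or "medium" (generic rule)
    reason: str
    event: NetEvent


def parse_events(text: str):
    """Yield NetEvent objects from the tab-separated export; skip blank/comment lines."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, host, process, method, url = line.split("\t", 4)
        yield NetEvent(ts, host, process.lower(), method.upper(), url)


def classify(ev: NetEvent):
    """Return a Finding for a suspicious Graph call, or None for anything else."""
    u = urlsplit(ev.url)
    if u.hostname != "graph.microsoft.com":
        return None
    if GADOLINIUM_PNG_PATH.match(u.path):
        return Finding("high", "Graph drive path matches GADOLINIUM 2020 C2 pattern", ev)
    # Generic form: a script host reading or writing drive-item *content* via Graph.
    if (ev.process in SCRIPT_HOSTS and u.path.startswith("/v1.0/")
            and u.path.endswith(":/content") and ev.method in {"GET", "PUT"}):
        return Finding("medium", "script host moving OneDrive file content via Graph", ev)
    return None


def hunt(text: str):
    """Run the classifier over an export and return findings in log order."""
    return [f for f in (classify(ev) for ev in parse_events(text)) if f]


# Constructed sample telemetry (not real data); hosts, IDs and files are invented.
SAMPLE_EVENTS = """\
2020-04-23T10:02:11Z\tWS-0142\tpowershell.exe\tGET\thttps://graph.microsoft.com/v1.0/drive/root:/onlinework/contact/7f3a9c_1.png:/content
2020-04-23T10:02:15Z\tWS-0142\tpowershell.exe\tPUT\thttps://graph.microsoft.com/v1.0/drive/root:/onlinework/contact/7f3a9c_1.png:/content
2020-04-23T10:05:40Z\tWS-0142\tpowershell.exe\tGET\thttps://graph.microsoft.com/v1.0/me/drive/root:/reports/q3.xlsx:/content
2020-04-23T10:06:02Z\tWS-0077\tEXCEL.EXE\tGET\thttps://graph.microsoft.com/v1.0/me/drive/root:/reports/q3.xlsx:/content
2020-04-23T10:07:30Z\tWS-0077\toutlook.exe\tPOST\thttps://outlook.office365.com/api/v2.0/me/messages
2020-04-23T10:08:00Z\tWS-0142\tpowershell.exe\tGET\thttps://graph.microsoft.com/v1.0/me
"""

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.severity:6} {f.event.host} {f.event.process} {f.event.method} "
              f"{f.event.url}\n       {f.reason}")
```

The “high” rule is brittle by design: the actor can rename the path at will, so it is an indicator, not a detection. The “medium” rule is the one worth keeping, and it needs baselining, since legitimate administration scripts also use Graph from PowerShell; the point is that the activity is only visible if telemetry records the originating process alongside the URL.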

Command and Control—Server compromise
GADOLINIUM campaigns often involve installing web shells on legitimate web sites for command and control or traffic redirection. Microsoft 365 Defender for Endpoint detects web shells by analyzing web server telemetry such as process creation and file modifications. Microsoft blogged earlier in the year on the use of web shells by multiple groups and how we detect such activities.

Figure 6: Microsoft Defender ATP alerts of suspicious web shell attacks.

Web shell alerts from Microsoft 365 Defender for Endpoint can be explored in Azure Sentinel and enriched with additional information that can give key insights into the attack. MSTIC’s Azure Sentinel team recently published a blog outlining how such insights can be derived by analyzing events from the W3CIISLog.
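As an added example that is not Microsoft’s or Azure Sentinel’s code, the following Python applies a simple web shell heuristic to IIS W3C extended log lines of the kind that end up in the W3CIISLog table: a script file that takes repeated POSTs from very few client IPs, receives almost no GET traffic, and is not one of the site’s known POST endpoints is a candidate. The log lines are constructed and the thresholds are assumptions to be tuned per site.

```python
"""Heuristic web shell hunt over IIS W3C extended log lines (W3CIISLog-style data).

Added example, not Microsoft's or Azure Sentinel's code. Heuristic: a web shell is a
script file that takes POSTs from very few client IPs, receives almost no GET traffic,
and is not one of the site's known POST endpoints. Thresholds are assumptions.
"""
from collections import defaultdict

SCRIPT_EXTENSIONS = (".aspx", ".ashx", ".asmx", ".asp", ".php", ".jsp")


def parse_w3c(text: str):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #Fields directive")
        parts = line.split()          # W3C format encodes spaces inside values as '+'
        if len(parts) != len(fields):
            continue                  # truncated or malformed line; skip it
        yield dict(zip(fields, parts))


def hunt_webshells(text: str, known_post_endpoints=frozenset(), min_posts=2, max_ips=2):
    """Return candidate web shell URIs with the statistics that support the call."""
    stats = defaultdict(lambda: {"posts": 0, "gets": 0, "ips": set(),
                                 "agents": set(), "queries": set()})
    for rec in parse_w3c(text):
        uri = rec.get("cs-uri-stem", "").lower()
        if not uri.endswith(SCRIPT_EXTENSIONS) or uri in known_post_endpoints:
            continue
        s = stats[uri]
        method = rec.get("cs-method", "").upper()
        if method == "POST":
            s["posts"] += 1
            s["ips"].add(rec.get("c-ip", "?"))
            s["agents"].add(rec.get("cs(User-Agent)", "?"))
            if rec.get("cs-uri-query", "-") != "-":
                s["queries"].add(rec["cs-uri-query"])
        elif method == "GET":
            s["gets"] += 1
    findings = []
    for uri, s in stats.items():
        if s["posts"] >= min_posts and len(s["ips"]) <= max_ips and s["gets"] <= s["posts"]:
            findings.append({"uri": uri, "posts": s["posts"], "gets": s["gets"],
                             "client_ips": sorted(s["ips"]),
                             "user_agents": sorted(s["agents"]),
                             "sample_queries": sorted(s["queries"])[:5]})
    return sorted(findings, key=lambda f: (-f["posts"], f["uri"]))


# Constructed sample log (not real data). /login.aspx is normal form traffic;
# /images/help.aspx is a script in a static directory driven by one client.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2020-09-24 08:00:01 10.0.0.5 GET /default.aspx - 443 - 198.51.100.10 Mozilla/5.0+(Windows+NT+10.0) 200 15
2020-09-24 08:00:05 10.0.0.5 POST /login.aspx - 443 - 198.51.100.10 Mozilla/5.0+(Windows+NT+10.0) 302 40
2020-09-24 08:01:12 10.0.0.5 POST /login.aspx - 443 - 198.51.100.11 Mozilla/5.0+(Windows+NT+10.0) 302 38
2020-09-24 08:02:30 10.0.0.5 POST /login.aspx - 443 - 198.51.100.12 Mozilla/5.0+(Macintosh) 302 41
2020-09-24 08:03:00 10.0.0.5 GET /default.aspx - 443 - 198.51.100.13 Mozilla/5.0+(X11;+Linux) 200 12
2020-09-24 09:10:00 10.0.0.5 POST /images/help.aspx cmd=whoami 443 - 203.0.113.7 python-requests/2.24.0 200 120
2020-09-24 09:10:41 10.0.0.5 POST /images/help.aspx cmd=ipconfig 443 - 203.0.113.7 python-requests/2.24.0 200 95
2020-09-24 09:12:03 10.0.0.5 POST /images/help.aspx cmd=net+user 443 - 203.0.113.7 python-requests/2.24.0 200 300
2020-09-24 09:13:10 10.0.0.5 GET /images/logo.png - 443 - 198.51.100.20 Mozilla/5.0+(Windows+NT+10.0) 200 5
"""

if __name__ == "__main__":
    for f in hunt_webshells(SAMPLE_LOG, known_post_endpoints=frozenset({"/login.aspx"})):
        print(f)
```

Pass the site’s legitimate POST handlers in `known_post_endpoints`; without that baseline, a low-traffic form page looks exactly like a shell. The same statistics (POST-to-GET ratio, distinct client IPs, user agent) are what the Defender alert shown above gives you a reason to go and compute for the server in question, and they are cheap to extend with file creation times once the endpoint telemetry is joined in.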

Microsoft’s proactive steps to defend customers
In addition to detecting many of the individual components of these attacks through Microsoft security products and services such as Microsoft 365 Defender for Endpoint and Microsoft 365 Defender for Office, as described above, we also take proactive steps to prevent attackers from using our cloud infrastructure to perpetrate attacks. As a cloud provider, Microsoft is uniquely positioned to disrupt this attacker technique. The PowerShell Empire scenario is a good example of this. During April 2020, the Microsoft Identity Security team suspended 18 Azure Active Directory applications that we determined to be part of GADOLINIUM’s PowerShell Empire infrastructure (Application IDs listed in the IOC section below). Such action is particularly beneficial to customers because suspending these applications protects all customers transparently, without any action being required on their end.

As part of Microsoft’s broader work to foster a secure and trustworthy app ecosystem, we research and develop detection techniques for both known and novel malicious applications. Applications exhibiting malicious behavior are quickly suspended to ensure our customers are protected.

GADOLINIUM will no doubt evolve its tactics in pursuit of its objectives. As those threats target Microsoft customers, we will continue to build detections and implement protections to defend against them. For security practitioners looking to expand their own hunting for GADOLINIUM, we are sharing the indicators of compromise (IOCs) below that are associated with its activity.

List of related GADOLINIUM indicators

Hashes from malicious document attachments

faebff04d7ca9cca92975e06c4a0e9ce1455860147d8432ff9fc24622b7cf675
f61212ab1362dffd3fa6258116973fb924068217317d2bc562481b037c806a0a

Actor-owned email addresses

Chris.sukkar@hotmail.com
PhillipAdamsthird@hotmail.com
sdfwfde234sdws@outlook.com
jenny1235667@outlook.com
fghfert32423dsa@outlook.com
sroggeveen@outlook.com
RobertFetter.fdmed@hotmail.com
Heather.mayx@outlook.com

Azure Active Directory App IDs associated with malicious apps

ae213805-a6a2-476c-9c82-c37dfc0b6a6c
afd7a273-982b-4873-984a-063d0d3ca23d
58e2e113-b4c9-4f1a-927a-ae29e2e1cdeb
8ba5106c-692d-4a86-ad3f-fc76f01b890d
be561020-ba37-47b2-99ab-29dd1a4312c4
574b7f3b-36da-41ee-86b9-c076f999b1de
941ec5a5-d5bf-419e-aa93-c5afd0b01eff
d9404c7d-796d-4500-877e-d1b49f02c9df
67e2bb25-1f61-47b6-9ae3-c6104e587882
9085bb9e-9b56-4b84-b21e-bd5d5c7b0de0
289d71ad-54ee-44a4-8d9a-9294f19b0069
a5ea2576-4191-4e9a-bfed-760fff616fbf
802172dc-8014-42a9-b765-133c07039f9f
fb33785b-f3f7-4b2b-b5c1-f688d3de1bde
c196c17d-1e3c-4049-a989-c62f7afaf7f3
79128217-d61e-41f9-a165-e06e1d672069
f4a41d96-2045-4d75-a0ec-9970b0150b52
88d43534-4128-4969-b5c4-ceefd9b31d02
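As an added example (not Microsoft’s code), the following Python scans exported JSON-lines records against the indicators listed above: the 18 Azure AD application IDs, the eight actor-owned mailboxes and the two attachment hashes. Matching is case-insensitive because GUIDs, hex digests and mail addresses all are. The record field names (appId, senderFromAddress, sha256) and the sample records are constructed assumptions, loosely modelled on Azure AD sign-in and mail-flow exports; map them to the columns of your own data before running this at scale.

```python
"""Match the GADOLINIUM indicators published above against exported log records.

Added example (not Microsoft's code). The three indicator sets are copied from the
post's IOC section. Records are constructed JSON lines; the field names are
assumptions and must be mapped to your own sign-in, mail-flow and attachment exports.
"""
import json

# Azure AD application IDs associated with malicious apps (from the post).
APP_IDS = frozenset("""
ae213805-a6a2-476c-9c82-c37dfc0b6a6c afd7a273-982b-4873-984a-063d0d3ca23d
58e2e113-b4c9-4f1a-927a-ae29e2e1cdeb 8ba5106c-692d-4a86-ad3f-fc76f01b890d
be561020-ba37-47b2-99ab-29dd1a4312c4 574b7f3b-36da-41ee-86b9-c076f999b1de
941ec5a5-d5bf-419e-aa93-c5afd0b01eff d9404c7d-796d-4500-877e-d1b49f02c9df
67e2bb25-1f61-47b6-9ae3-c6104e587882 9085bb9e-9b56-4b84-b21e-bd5d5c7b0de0
289d71ad-54ee-44a4-8d9a-9294f19b0069 a5ea2576-4191-4e9a-bfed-760fff616fbf
802172dc-8014-42a9-b765-133c07039f9f fb33785b-f3f7-4b2b-b5c1-f688d3de1bde
c196c17d-1e3c-4049-a989-c62f7afaf7f3 79128217-d61e-41f9-a165-e06e1d672069
f4a41d96-2045-4d75-a0ec-9970b0150b52 88d43534-4128-4969-b5c4-ceefd9b31d02
""".split())

# SHA-256 hashes of the malicious document attachments (from the post).
ATTACHMENT_SHA256 = frozenset("""
faebff04d7ca9cca92975e06c4a0e9ce1455860147d8432ff9fc24622b7cf675
f61212ab1362dffd3fa6258116973fb924068217317d2bc562481b037c806a0a
""".split())

# Actor-owned email addresses (from the post), normalized to lower case.
SENDER_ADDRESSES = frozenset(s.lower() for s in """
Chris.sukkar@hotmail.com PhillipAdamsthird@hotmail.com sdfwfde234sdws@outlook.com
jenny1235667@outlook.com fghfert32423dsa@outlook.com sroggeveen@outlook.com
RobertFetter.fdmed@hotmail.com Heather.mayx@outlook.com
""".split())

# Record field -> indicator set. Field names are assumptions about the export.
IOC_FIELDS = {
    "appId": APP_IDS,
    "sha256": ATTACHMENT_SHA256,
    "senderFromAddress": SENDER_ADDRESSES,
}


def match_record(rec: dict):
    """Return [(field, normalized value)] for every indicator present in one record."""
    hits = []
    for field, iocs in IOC_FIELDS.items():
        value = rec.get(field)
        if isinstance(value, str) and value.strip().lower() in iocs:
            hits.append((field, value.strip().lower()))
    return hits


def scan_jsonl(text: str):
    """Scan newline-delimited JSON; return one finding per record with at least one hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed export line; skip it rather than abort the hunt
        hits = match_record(rec)
        if hits:
            findings.append({"line": lineno, "hits": hits, "record": rec})
    return findings


# Constructed sample records (not real data). Line 2 uses a placeholder benign app ID,
# line 5 a placeholder benign hash; users, files and IPs are invented.
SAMPLE_RECORDS = """\
{"createdDateTime":"2020-04-14T09:12:44Z","userPrincipalName":"a.lee@contoso.example","appId":"AE213805-A6A2-476C-9C82-C37DFC0B6A6C","appDisplayName":"OneDrive Helper","ipAddress":"203.0.113.40"}
{"createdDateTime":"2020-04-14T09:15:02Z","userPrincipalName":"b.ng@contoso.example","appId":"00000000-0000-0000-0000-000000000001","appDisplayName":"Line of business app","ipAddress":"198.51.100.7"}
{"receivedDateTime":"2020-04-20T07:31:10Z","senderFromAddress":"Heather.mayx@outlook.com","recipient":"c.ortiz@contoso.example","subject":"COVID-19 situation report"}
{"receivedDateTime":"2020-04-20T07:31:10Z","fileName":"attachment-1.ppt","sha256":"faebff04d7ca9cca92975e06c4a0e9ce1455860147d8432ff9fc24622b7cf675"}
{"receivedDateTime":"2020-04-21T11:00:00Z","fileName":"budget.xlsx","sha256":"0000000000000000000000000000000000000000000000000000000000000000"}
"""

if __name__ == "__main__":
    for f in scan_jsonl(SAMPLE_RECORDS):
        print(f["line"], f["hits"])
```

The application IDs are the most useful of the three sets: Microsoft suspended the apps, so they will not authenticate again, but historical sign-in records still show which users had a token issued to them and therefore which mailboxes and OneDrives need review. The mail addresses and hashes are the weakest, as both are trivially changed between campaigns.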

To learn more about Microsoft Security solutions visit our website.  Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Microsoft Security—detecting empires in the cloud appeared first on Microsoft Security.

Stay Connected & Protected: Weaving Security Into Our Social Media Habits


Today, there are so many different avenues where we receive information.

Personally, I prefer finding out what’s going on in the world by scanning my favorite news channels’ websites and by receiving personalized feeds and notifications to my phone. My wife, however, scans social media platforms – from Facebook to Twitter to Instagram – to discover the latest happenings. My teenage daughter spends 2+ hrs a day on social media platforms engaging with her friends.

While social media platforms were initially meant to help us stay connected, they come with their own set of security implications. Let’s explore what these threats are and how to stay protected.

Sketchy Links Get Social

Users rely on social media to feel connected, so while the world was social distancing, social media grew more popular than ever: as of March 2020, worldwide social media use was up 44%. With these platforms so popular, they have become a hotspot for cybercriminal schemes.

There’s a variety of potential threats on social platforms, including misinformation, account takeovers, and phishing scams. The latter threat is all too common, as these platforms have become a popular avenue for cybercriminals to spread troublesome links and websites.

To lure unsuspecting users into clicking on these links, hackers often tap into what consumers care about. These topics have ranged from fake tech support scams to getting verified on Instagram.

Scan Social Safely with McAfee® WebAdvisor

At McAfee, we want users to enjoy a safe online social life. That’s why we created a new McAfee® WebAdvisor feature that scans for dangerous links across six major social media sites – Facebook, Twitter, YouTube, Instagram, Reddit, and LinkedIn – so users can scroll their feeds with confidence. To do this, McAfee WebAdvisor now color codes links across these social platforms, as it has always done for online searches, to show which ones are safe to visit.

It’s important to take advantage of new technologies that help us adapt and grow into security superstars. My family and I are excited to see this new feature roll out across our existing McAfee® Total Protection subscription. That way we can keep up with the latest news and trends, as well as stay connected with family and friends without worrying about any potential threats. I can sleep much better at night knowing that my whole family will be both connected and protected.

Stay Updated

To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home  on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Stay Connected & Protected: Weaving Security Into Our Social Media Habits appeared first on McAfee Blogs.

Challenging the Status Quo, and Conquering the Fear of Failure

If you haven’t listened to the Security Stories podcast before, it’s a place where you can hear the behind the scenes stories of cybersecurity leaders.

The idea is that they share their experiences (the highs and the lows) so that others in the industry can benefit from this first-hand knowledge.

In the latest episode, we chat to Chris Leach, senior CISO Advisor at Cisco. From his background as an accountant (which he hated!) to venturing into cybersecurity (“I had to learn to speak in bits and bytes, after only speaking in 1s and 0s”), he has a fascinating story to share.


Chris also has some brilliant insights into how to be a great leader, and he has some really poignant thoughts on resiliency, bouncing back, and dealing with the fear of failure.

Threat trends

Also in today’s episode, Ben Nahorney shares the highlights of his just-published research on threat landscape trends.

The idea behind this work is to shed light on areas where you can quickly have an impact defending your assets, especially if you’re dealing with limited security resources. You can read more about this in Ben’s blog post.

“On this Day”

And finally our ‘On this Day’ feature takes us back to the movies! In honor of the 25th anniversary of the film Hackers, the team sits down to talk about what that movie got right, and perhaps, not so right, with some surprising reveals.

We also discuss what our own movies on cybersecurity would look like, if we were each in charge of screenwriting. 

Listening info

You can listen to this podcast on Apple Podcasts, Spotify, Google Podcasts, or wherever you normally get your podcasts from! You can also listen right here and now:

Upcoming episodes

In October, we’re doubling our production schedule to release episodes on topics that mean a lot to us. These include career advice and the importance of diversity in cybersecurity, and how to protect your loved ones from disinformation campaigns (or “fake news”) online.

It would be brilliant if you could subscribe to your podcast feed of choice, so that you don’t miss any of these exciting episodes.


In case you missed it

In episode 13 we have an interview with Tanya Forsheit, partner at Frankfurt Kurnit Klein & Selz and co-chair of the firm’s privacy & data security group. Tanya is considered one of the world’s leading data privacy and security counselors and litigators.

During our chat, we talk about why the United States needs a privacy law at the federal level, similar to what the European Union has done with GDPR. We also talk about what the future holds for data privacy in the next 12-24 months, within the context of COVID-19 and an increasing amount of IoT devices.


See more Security Stories episodes here.

The post Challenging the Status Quo, and Conquering the Fear of Failure appeared first on Cisco Blogs.

Attacks Against Oil and Gas Industry on the Rise

New research published today by Kaspersky examines a rise in the number of cyber-attacks on industrial control system (ICS) computers used by the oil and gas industry.

Over the first six months of 2020, the percentage of systems attacked in the oil and gas industry increased when compared to the same time period last year. The same trend was discovered at play in the building automation industry.

Researchers noted: "The percentage of ICS computers on which malicious objects were blocked grew from 38% in H2, 2019 to 39.9% in H1, 2020 in the building automation industry and from 36.3% to 37.8% in the oil and gas industry."

Growth in the number of attacks on these sectors occurred as the percentage of industrial control system computers attacked in other industries declined. 

The research appears to indicate that cyber-criminals are moving their focus away from the energy, automotive manufacturing and engineering, and ICS integration industries. 

Kaspersky noted that building automation systems are especially vulnerable to cyber-attacks. 

"They often have a larger attack surface than traditional ICS computers because they are frequently connected to corporate networks and the Internet," wrote researchers. "At the same time, because they traditionally belong to contractor organizations, these systems are not always managed by the organization’s corporate information security team, making them an easier target."

Changes in working practices brought about by COVID-19 have left systems more exposed to attack. 

"With many enterprises forced to work remotely and sign-in to corporate systems from home, ICS have naturally become more exposed to cyberthreats," said Evgeny Goncharov, security expert at Kaspersky.

"With fewer on-site personnel, there are fewer people available to respond and mitigate an attack, meaning the consequences may be far more devastating."

Further findings were that the percentage of ICS computers affected by ransomware grew slightly in H1 2020 when compared to H2 2019 across all industries, with a series of attacks witnessed against medical facilities and industrial companies.

Kaspersky recommended that companies in the oil and gas and building automation industries that use ICS computers regularly update operating systems and application software that are part of the enterprise’s industrial network.

Alien Android banking Trojan, the powerful successor of the Cerberus malware

Security researchers spotted a new strain of Android malware, dubbed Alien, that implements multiple features allowing it to steal credentials from 226 apps.

Researchers from ThreatFabric have discovered and analyzed a new strain of Android malware, tracked as Alien, that implements multiple features allowing it to steal credentials from 226 applications.

Alien first appeared in the threat landscape early this year; it is sold under a Malware-as-a-Service (MaaS) model and is advertised on several underground hacking forums.

According to researchers, Alien borrows portions of the source code from the Cerberus malware.

ThreatFabric pointed out that Cerberus operators attempted to sell their project because several issues in the malware remained unsolved for a long time due to shortcomings of the development team in the criminal gang. The delay in addressing the problems allowed Google Play Protect to detect the threat on all infected devices.

Alien is not affected by the same issues, and this is the reason for the success of its MaaS model.

Alien is considered a next-generation banking trojan that also implements remote-access features in its codebase.

The list of features implemented in Alien is:

  • Overlaying: Dynamic (Local injects obtained from C2)
  • Keylogging
  • Remote access
  • SMS harvesting: SMS listing
  • SMS harvesting: SMS forwarding
  • Device info collection
  • Contact list collection
  • Application listing
  • Location collection
  • Overlaying: Targets list update
  • SMS: Sending
  • Calls: USSD request making
  • Calls: Call forwarding
  • Remote actions: App installing
  • Remote actions: App starting
  • Remote actions: App removal
  • Remote actions: Showing arbitrary web pages
  • Remote actions: Screen-locking
  • Notifications: Push notifications
  • C2 Resilience: Auxiliary C2 list
  • Self-protection: Hiding the App icon
  • Self-protection: Preventing removal
  • Self-protection: Emulation-detection
  • Architecture: Modular

This banking Trojan is an optimal choice for crooks behind multiple fraudulent operations.

Experts discovered that Alien is able to show fake login pages for 226 other Android applications that allow its operators to intercept credentials.

“In the case of Alien, advanced features such as the authenticator-code stealer and notifications-sniffer aside, the features of the Trojan are quite common. As for many Trojans, the target list can be extended dynamically by the renter and applied to all bots enrolled to the botnet. The targeted applications in the appendix of the article are the concatenated list of targets observed in samples found in the wild, growing to over 226 targeted applications so far.” reads the report published by the researchers.

“Although it is hard to predict the next steps of the Alien authors, it would be logical for them to improve the RAT, which is currently based on TeamViewer (and therefore visible when installed and executed on the device).”

Alien is also able to target other apps including Gmail, Facebook, Telegram, Twitter, Snapchat, WhatsApp, as well as cryptocurrency apps.

Experts reported that most of the apps targeted by Alien were used by financial institutions mostly in Spain, Turkey, Germany, the US, Italy, France, Poland, Australia, and the UK.

Additional technical details, including Indicators of Compromise (IoCs) are included in the report published by ThreatFabric.

Pierluigi Paganini

(SecurityAffairs – hacking, Banking Trojan)

The post Alien Android banking Trojan, the powerful successor of the Cerberus malware appeared first on Security Affairs.

Microsoft: Attackers Exploiting ‘ZeroLogon’ Windows Flaw

Microsoft warned on Wednesday that malicious hackers are exploiting a particularly dangerous flaw in Windows Server systems that could be used to give attackers the keys to the kingdom inside a vulnerable corporate network. Microsoft’s warning comes just days after the U.S. Department of Homeland Security issued an emergency directive instructing all federal agencies to patch the vulnerability by Sept. 21 at the latest.

DHS’s Cybersecurity and Infrastructure Agency (CISA) said in the directive that it expected imminent exploitation of the flaw — CVE-2020-1472 and dubbed “ZeroLogon” — because exploit code which can be used to take advantage of it was circulating online.

Last night, Microsoft’s Security Intelligence unit tweeted that the company is “tracking threat actor activity using exploits for the CVE-2020-1472 Netlogon vulnerability.”

“We have observed attacks where public exploits have been incorporated into attacker playbooks,” Microsoft said. “We strongly recommend customers to immediately apply security updates.”

Microsoft released a patch for the vulnerability in August, but it is not uncommon for businesses to delay deploying updates for days or weeks while testing to ensure the fixes do not interfere with or disrupt specific applications and software.

CVE-2020-1472 earned Microsoft’s most-dire “critical” severity rating, meaning attackers can exploit it with little or no help from users. The flaw is present in most supported versions of Windows Server, from Server 2008 through Server 2019.

The vulnerability could let an unauthenticated attacker gain administrative access to a Windows domain controller and run an application of their choosing. A domain controller is a server that responds to security authentication requests in a Windows environment, and a compromised domain controller can give attackers the keys to the kingdom inside a corporate network.

Scott Caveza, research engineering manager at security firm Tenable, said several samples of malicious .NET executables with the filename ‘SharpZeroLogon.exe’ have been uploaded to VirusTotal, a service owned by Google that scans suspicious files against dozens of antivirus products.

“Given the flaw is easily exploitable and would allow an attacker to completely take over a Windows domain, it should come as no surprise that we’re seeing attacks in the wild,” Caveza said. “Administrators should prioritize patching this flaw as soon as possible. Based on the rapid speed of exploitation already, we anticipate this flaw will be a popular choice amongst attackers and integrated into malicious campaigns.”

Pushing the Zero Trust Envelope – Cisco is Named a Leader in the 2020 Forrester Zero Trust Wave

I’m proud to share that Cisco has been named a leader in The Forrester Wave™: Zero Trust eXtended Ecosystem Platform Providers, Q3 2020 report.

“Cisco pushes the Zero Trust envelope the right way,” according to The Forrester Wave™: Zero Trust eXtended Ecosystem Platform Providers, Q3 2020.

Through our Cisco Zero Trust platform approach we deliver innovative solutions that provide differentiated value, all while maintaining a radically simple approach to security. This has enabled our teams and partners to help tens of thousands of customers during this time of need, rapidly enabling organizations to continue their operations securely when it mattered most.

The impact the past six months have had on organizations cannot be overstated. In a matter of weeks, organizations experienced rapid transformation, moving to an all- or mostly-remote workforce and re-prioritizing business operations and resiliency. We understand that customers need our help now more than ever to navigate this new world.

The shift of the perimeter has been to this point gradual, but Cisco foresaw the road ahead and has been committed to providing security solutions to help customers on this journey. The company’s acquisition of Duo in 2018 is evidence of this commitment. The principles of zero trust were baked into Duo’s core product and ethos and have been fully integrated, providing solutions for the workforce to make sure users and devices can be trusted as they access systems remotely. This complements our workplace solutions designed to secure access to the network and what’s in the network, and our workload solutions that prevent unauthorized access within application environments irrespective of where they are hosted.

Cisco received the highest scores possible in the Forrester Wave™ report in the criteria of market approach, ZTX advocacy, and ZTX vision and strategy. Members of our team are involved in workgroups such as the FIDO Alliance, developing standards for WebAuthn, and the committee that worked to define NIST’s SP 800-207: Zero Trust Architecture (ZTA) guidance. We launched a Zero Trust Strategy Service to help our customers with implementation plans around adopting zero trust.

Cisco was among the highest scorers in the device security and the future state of zero-trust infrastructure criteria. Cisco has been committed to solving customer challenges and delivering security solutions; this is evidenced over the past year by product developments centered on dismantling the barriers of security and providing balance. Improved features and enhancements for endpoint security, network segmentation and micro-segmentation have been delivered across the portfolio, with the notable addition of SecureX for improved visibility, automation and orchestration.

“Reference customers spoke highly of the newly improved UIs for administrators and the ability of the system to leverage powerful internal analytics to push the control capabilities outside the perimeter all the way to the user and their devices,” the report notes.

We believe this recognition is a validation that our strategy and vision for customer-centric zero-trust security is working. I want to extend my gratitude to our teams and partners who work to deliver these solutions, and to our customers who trust us to help them operate securely. We won’t rest on our laurels. We’ll continue to work to provide simplified, secure solutions to help our customers achieve zero-trust security. We have a lot in the works. Stay tuned.

Learn More about Cisco Zero Trust and check out the full Forrester Report

The post Pushing the Zero Trust Envelope – Cisco is Named a Leader in the 2020 Forrester Zero Trust Wave appeared first on Cisco Blogs.

US Customs and Border Protection Failed to Safeguard Data

A review of a facial recognition technology pilot scheme conducted by US Customs and Border Protection (CBP) has found that sensitive biometric data was not adequately protected. 

The Vehicle Face System was trialed last year by CBP. A major cybersecurity incident occurred when subcontractor Perceptics, hired to work on the pilot, transferred copies of CBP's biometric data to its own company network.

The subcontractor obtained access to this data between August 2018 and January 2019 without CBP’s authorization or knowledge. Later in 2019, the Department of Homeland Security experienced a major privacy incident, as the subcontractor’s network was subjected to a malicious cyber-attack.

Subsequently, CBP data, including traveler images from CBP’s facial recognition pilot, appeared on the dark web, triggering a review by the Office of the Inspector General (OIG).

The data breach compromised approximately 184,000 traveler images from CBP’s facial recognition pilot. At least 19 of the images were later posted to the dark web.

In the review, published on September 21, the OIG found "CBP did not adequately safeguard sensitive data on an unencrypted device used during its facial recognition technology pilot."

The OIG also found that Perceptics staff "directly violated DHS security and privacy protocols when they downloaded CBP’s sensitive PII from an unencrypted device and stored it on their own network." 

Perceptics' actions went against a Department of Homeland Security stipulation that requires subcontractors to protect personally identifiable information (PII) from identity theft or misuse.

The OIG made a series of recommendations to the CBP that included implementing USB device restrictions, applying enhanced encryption methods, and routinely assessing third-party equipment supporting biometric data collection to ensure partners' compliance with Department security and privacy standards.

Congress used the FY 2016 Consolidated Appropriations Act to provide CBP with up to $1bn in funding over a 10-year period to develop a biometric entry-exit solution that will monitor travelers to and from the United States. 

To date, CBP’s Biometric Entry-Exit Program Office has focused primarily on air departures, starting with a pilot program at nine airports across the country in 2017.

As of April 2019, CBP had processed 19,829 flights and 2.8 million travelers across 19 airports through its biometric program.

America Moves to Protect Free Speech Online

The United States Justice Department is calling for legal reform that would make online platforms accountable when they unlawfully censor speech or knowingly facilitate online criminal activity. 

The DOJ, on behalf of the Trump administration, sent draft legislation to Congress yesterday to reform Section 230 of the Communications Decency Act. The draft legislative text implements reforms deemed necessary by the Department in its June Recommendations and follows a year-long review of the statute. 

Current interpretations of the deliberately vaguely worded Section 230 enable online platforms to censor whatever lawful speech they don't agree with, with impunity, feeding the growth of a 'cancel culture' in which only one opinion is permitted and the opportunity for free and open debate is quashed. 

To promote transparency and open discourse, the draft legislation proposes removing the shield of immunity from the hands of online platforms that willfully distribute illegal material or that moderate content in a way that isn't deemed fair to the public. 

"The department’s legislative proposal revises and clarifies the existing language of Section 230 and replaces vague terms that may be used to shield arbitrary content moderation decisions with more concrete language that gives greater guidance to platforms, users, and courts," stated the DOJ yesterday.

The legislative proposal also adds language to the definition of “information content provider” in an attempt to clarify when platforms should be responsible for speech that they “affirmatively and substantively contribute to or modify.”

Further amendments proposed by the DOJ are aimed at incentivizing platforms to address the growing amount of illicit content online, while preserving the core of Section 230’s immunity for defamation claims.

Deputy Attorney General Jeffrey Rosen said: “The Department’s proposal is an important step in reforming Section 230 to further its original goal: providing liability protection to encourage good behavior online."

Legislative carve-outs were suggested that would block online immunity in cases of child abuse, terrorism, cyber-stalking, and for "truly bad actors," allowing victims to seek redress via civil claims. 

“For too long Section 230 has provided a shield for online platforms to operate with impunity,” said US Attorney General William Barr. “Ensuring that the internet is a safe, but also vibrant, open and competitive environment is vitally important to America."

MSP Insight: Netstar Shares Cyber Resilience Strategies for Remote Work

Guest blog by Mit Patel, Managing Director of London based IT Support company, Netstar.

In this article, Webroot sits down with Mit Patel, Managing Director of London-based MSP partner, Netstar, to discuss the topic of remote work during a pandemic and tips to stay cyber resilient.

Why is it important to be cyber resilient, specifically when working remote?

It’s always important to be cyber resilient, but a lot has changed since the start of the COVID-19 lockdown that needs to be taken into consideration.

Remote work has posed new problems for businesses when it comes to keeping data secure. Since the start of lockdown, there has been a significant increase in phishing scams, ransomware attacks and malicious activity. Scammers now have more time to innovate and are using the widespread anxiety of coronavirus to target vulnerable people and businesses.

Moreover, the sudden shift in working practices makes the pandemic a prime time for cyber-attacks. Employees can no longer lean over to ask a colleague if they are unsure about the legitimacy of an email or web page. Instead, they need to be confident in their ability to spot and avoid potential security breaches without assistance.

Remote work represents a significant change that can’t be ignored when it comes to the security of your business. Instead, businesses need to be extra vigilant and prioritise their cyber resilience.

What does cyber resilience mean to you?

It’s important to differentiate between cyber resilience and cyber security. Cyber security is a component of cyber resilience, referring to the technologies and processes designed to prevent cyber-attacks. Whereas, I believe cyber resilience goes a step further, referring to the ability to prevent, manage and respond to cyber threats. Cyber resilience recognises that breaches can and do happen, finding effective solutions that mean businesses recover quickly and maintain functionality. The main components of cyber resilience include, training, blocking, protecting, backing up and recovering. When all these components are optimised, your cyber resilience will be strong, and your business will be protected and prepared for any potential cyber threats.

Can you share some proactive methods for staying cyber resilient when working remote?

Absolutely. But it’s important to note that no solution is 100% safe and that a layered approach to IT security is necessary to maximise protection and futureproof your business.

Get the right antivirus software. Standard antivirus software often isn’t enough to fully protect against viruses. Businesses need to consider more meticulous and comprehensive methods. One of our clients, a licensed insolvency practitioner, emphasized their need for software that will ensure data is protected and cyber security is maximised. As such, we implemented Webroot SecureAnywhere AntiVirus, receiving excellent client feedback, whereby the client stressed that they can now operate safe in the knowledge that their data is secure.

Protect your network. DNS Protection is a critical layer for your cyber resilience strategy. DNS will protect you against threats such as malicious links, hacked legitimate websites, phishing attacks, CryptoLocker and other ransomware attacks. We have implemented DNS Protection for many of our clients, including an asset management company that wanted to achieve secure networks with remote working capability. In light of the current remote working situation, DNS Protection should be a key consideration for any financial business looking to enhance their cyber resilience.

Ensure that you have a strong password policy. Keeping your passwords safe is fundamental for effective cyber resilience, but it may not be as simple as you think. Start by making sure that you and your team know what constitutes a strong password. At Netstar, we recommend having a password that:

  • Is over 10 characters long
  • Contains a combination of numbers, letters and symbols
  • Is unpredictable with no identifiable words (even if numbers or symbols are substituted for letters)

You should also have different passwords for different logins, so that if your security is compromised for any reason, hackers can only access one platform. To fully optimise your password policy, you need to consider multi-factor authentication. Multi-factor authentication goes a step further than the traditional username-password login. It requires multiple forms of identification in order to access a certain email account, website, CRM etc. This will include at least two of the following:

  • Something you know (e.g. a password)
  • Something you have (e.g. an ID badge)
  • Something you are (e.g. a fingerprint)

Ensure that you have secure tools for communication. Collaboration tools, like Microsoft Teams, are essential for remote working. They allow you to communicate with individuals, within teams and company-wide via audio calls, video calls and chat.

When it comes to cyber resilience, it’s essential that your team know what is expected of them. You should utilise collaboration tools to outline clear remote working guidance to all employees. For example, we would recommend discouraging employees from using personal devices for work purposes. The antivirus software installed on these devices is unlikely to be of the same quality as the software installed on work devices, so it could put your business at risk.

Furthermore, you need to be confident that your employees can recognise and deal with potential security threats without assistance. Individuals can no longer lean across to ask a colleague if they’re unsure of the legitimacy of something. They need to be able to do this alone. Security awareness training is a great solution for this. It will teach your team about the potential breaches to look out for and how to deal with them. This will cover a range of topics including, email phishing, social media scams, remote working risks and much more. Moreover, courses are often added and updated, meaning that your staff will be up to date with the latest scams and cyber threats.

Implement an effective backup and disaster recovery strategy

Even with every preventive measure in place, things can go wrong, and preparing for disaster is crucial for effective cyber resilience.

In fact, a lot of companies that lose data because of an unexpected disaster go out of business within just two years, which is why implementing an effective backup and disaster recovery strategy is a vital layer for your cyber resilience strategy.

First, we advise storing and backing up data using an online cloud-based system. When files are stored on the cloud, they are accessible from any device at any time. This is particularly important for remote working; it means that employees can collaborate on projects and access necessary information quickly and easily. It also means that, if your device is wiped or you lose your data, you can simply log in to your cloud computing platform and access anything you might need. Thus, data can easily be restored, and you’re protected from potential data loss.

Overall, disaster recovery plans should focus on keeping irreplaceable data safe. Consider what would happen to your data in the event of a disaster. If your office burned down, would you be confident that all your data would be protected?

You should be working with an IT support partner that can devise an effective and efficient disaster recovery plan for your business. This should set out realistic expectations for recovery time and align with your insurance policy to protect any loss of income. Their goal should be to get your business back up and running as quickly as possible, and to a high standard (you don’t want an IT support partner that cuts corners). Lastly, your IT support provider should regularly test your strategy, making sure that if disaster did occur, they could quickly and effectively restore the functionality of your business.
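The three password rules given above (over 10 characters; numbers, letters and symbols; no identifiable words even with substituted characters) as an added checker written for this page, not Netstar's or Webroot's code. The word list and the substitution table are constructed assumptions; a real deployment would load a proper dictionary or breached-password list.

```python
import string

# Constructed stand-in for a real dictionary / common-password list (assumption).
COMMON_WORDS = {"password", "netstar", "welcome", "london", "summer", "qwerty", "letmein"}

# Substitutions people typically use to "disguise" a word (assumed table).
LEET_MAP = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i", "|": "l", "(": "c",
})


def normalise(password):
    """Undo common substitutions and keep only letters, so 'P@55w0rd!' -> 'passwordi'."""
    undone = password.lower().translate(LEET_MAP)
    return "".join(ch for ch in undone if ch.isalpha())


def find_dictionary_words(password, words=COMMON_WORDS, min_len=4):
    """Return dictionary words (at least min_len letters) embedded in the normalised password."""
    letters = normalise(password)
    return sorted(w for w in words if len(w) >= min_len and w in letters)


def check_password(password, words=COMMON_WORDS):
    """Apply the three rules; return a list of failures (empty list means the password passes)."""
    failures = []

    # Rule 1: over 10 characters long.
    if len(password) <= 10:
        failures.append("must be over 10 characters")

    # Rule 2: a combination of numbers, letters and symbols.
    has_digit = any(c.isdigit() for c in password)
    has_alpha = any(c.isalpha() for c in password)
    has_symbol = any(c in string.punctuation for c in password)
    if not (has_digit and has_alpha and has_symbol):
        failures.append("must combine numbers, letters and symbols")

    # Rule 3: no identifiable words, even with numbers or symbols substituted for letters.
    found = find_dictionary_words(password, words)
    if found:
        failures.append("contains identifiable word(s): " + ", ".join(found))

    return failures


if __name__ == "__main__":
    for candidate in ["P@55w0rd!2020", "short1!", "xq7#Lm!9vR2&pZ"]:
        print(candidate, "->", check_password(candidate) or "OK")
```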

What else should fellow MSPs keep in mind during this trying time?

In the last four years, cyber resilience has become increasingly important; there are so many more threats out there, and so much valuable information that needs protecting.

We have happy clients because their machines run quickly, they experience less IT downtime, and they rarely encounter viruses or malicious activity. We know that we need to fix customers’ problems quickly, while also ensuring that problems don’t happen in the first place. Innovation is incredibly important to us, which is why we’ve placed a real focus on proactive client advisory over the last 24 months.

That’s where a strong cyber resilience strategy comes into play. MSPs need to be able to manage day-to-day IT queries, while also focusing on how technology can help their clients grow and succeed in the future. There is plenty of advice around the nuts and bolts of IT but it’s the advisory that gives clients the most value. As such, MSPs should ensure they think like a customer and make technological suggestions that facilitate overall business success for their clients.

The post MSP Insight: Netstar Shares Cyber Resilience Strategies for Remote Work appeared first on Webroot Blog.

Microsoft Security: 6 tips for enabling people-centric cybersecurity with security training

Everyone knows about phishing scams, and most of us think we’re too smart to take the bait. Our confidence often reaches superhero levels when we’re logged onto a company network. As Chief Security Advisor for Microsoft, and previously at telco Swisscom, it’s my business to understand how well employees adapt security training into their daily routines. Years of experience have taught me there are commonalities in human behavior that cut across all levels of an organization. Above all, people want to trust the company they work for and the communications they receive. It’s our task to help them understand that yes, their employer is looking out for them, but they also need to be vigilant to protect themselves and their company’s private data.

Tip #1: Make it fun. That means creating training modules that people will actually want to watch. Think of your favorite TV shows. There’s a reason you want to binge every episode. You care about the characters, or you’re at least interested in how their dilemmas work out. A good example is the Fox TV show 24; every episode was one hour in an unfolding storyline with high stakes. Your training program doesn’t need life-or-death consequences, but it should give people a reason to watch beyond just checking a box for compliance.

Tip #2: Make it easy. Your end-user is your customer, so you need them to buy in. When investigating new security solutions, I ask: “Could you explain how this works to my mother in thirty minutes or less?” If not, it’s probably not a user-friendly solution. Asking people to create a password with 20 characters consisting of random symbols, cases, and numbers (that they shouldn’t write down) is not easy. For a better option, try passwordless authentication options for Azure Active Directory. If your organization has Microsoft Defender for Office 365 Plan 2, which includes Threat Investigation and Response capabilities, you can employ Attack Simulator in the Security & Compliance Center to run realistic scenarios. These simulated attacks can help you easily identify vulnerable users before a real attacker comes knocking.

Tip #3: Focus on your highest risk. Nearly one in three security breaches starts with a phishing attack costing the affected organization an average of USD1.4 million. Even after security training, employees still click on phishing links at an average rate of 20 – 30 percent. With the rise in people working from home, new forms, such as consent phishing, have cropped up to take advantage of new vulnerabilities. Direct your resources to where the people in your organization can see the risk is real, and you’ll generate positive engagement.

Tip #4: Be transparent about breaches. No organization can claim 100 percent invulnerability. Let people know they are the first line of defense. Communicating with staff when a successful attack occurs will help them remain alert. It’s okay to provide examples as long as you don’t reveal so much information that it’s obvious who clicked on that fake Zoom invitation. Be careful not to treat employees like children. They need to own their own actions, but shaming won’t make your organization safer.

Tip #5: Avoid a compliance-only mindset. Yes, that once-a-year cybersecurity training your people dutifully click through meets the organizational requirement. But gaining employee buy-in means doing more than just checking the box. Schedule a refresher course after a breach, even if the victim happens to be another company. Creating a security program that’s fun and engaging will probably cost more, but ask yourself how high the costs from downtime and lost productivity from a major breach would run. Better to invest those funds in protection upfront.

Tip #6: Communicate and educate continuously. Make security news part of your normal staff communications. Talk to your people about the headline-making hacks that target large corporations and government agencies, as well as the smaller identity theft and payment-app scams we all contend with. Talk about supply chain security and the dangers of using unauthorized devices and shadow IT. Cybersecurity threats can feel overwhelming and scary. Communication helps demystify those threats and makes employees feel empowered to protect themselves and their organizations.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Microsoft Security: 6 tips for enabling people-centric cybersecurity with security training appeared first on Microsoft Security.

Alien Android Banking Trojan Sidesteps 2FA

A new 'fork' of the Cerberus banking trojan, called Alien, targets victims' credentials from more than 200 mobile apps, including Bank of America and Microsoft Outlook.

Evasive Malware Threats on the Rise Despite Decline in Overall Attacks

Over two-thirds (70%) of all malware attacks in Q2 2020 involved evasive zero-day malware, a 12% rise on the previous quarter, according to WatchGuard Technologies’ latest Internet Security Report.

Interestingly, the increase in this form of malware, which is not caught by anti-virus signatures, came as overall malware detections fell by 8% compared to Q1. WatchGuard attributes the reduction to the rise in remote working brought about by COVID-19: fewer employees are operating behind corporate network perimeters, so fewer attacks are seen by perimeter devices.

Around 34% of attacks were sent over encrypted HTTPS connections, meaning that organizations unable to inspect encrypted traffic will miss over one-third of incoming threats.

The report also showed an increase in JavaScript-based attacks. For instance, the scam script Trojan.Gnaeus, which hijacks the victim’s browser and forcibly redirects it to domains under the attackers’ control, accounted for nearly one in five of all malware detections.

Threat actors increasingly used encrypted Excel files to hide malware in Q2, according to the report. This included the malware variant Abracadabra, delivered as an Excel file encrypted with the password VelvetSweatshop. Excel tries that built-in default password when it opens an encrypted workbook, so the victim never sees a password prompt, while a scanner that does not know the trick sees only ciphertext; that is how the sample slips past many basic anti-virus solutions.
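The VelvetSweatshop trick works because the file really is encrypted, so static inspection of the attachment shows nothing. As an added example (my code, not WatchGuard’s and not the malware’s), here is the triage check a practitioner would want in a mail or file gateway: classify an Office attachment by container type and flag the layout that password-protected OOXML workbooks use, a compound file (CFB) whose directory contains an EncryptedPackage stream. The sample buffers are constructed inline and are not real documents; the search for the UTF-16LE stream name is a heuristic (the same one used in many YARA rules) rather than a full CFB directory walk, and legacy .xls encryption, which uses a FILEPASS record instead, is not covered.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef enum {
    OFFICE_UNKNOWN = 0,
    OFFICE_ZIP_PLAIN,      /* OOXML stored as a plain ZIP: any scanner that unpacks ZIPs can read it */
    OFFICE_CFB_ENCRYPTED,  /* CFB container with an EncryptedPackage stream: password-protected OOXML */
    OFFICE_CFB_OTHER       /* CFB without it: legacy .xls/.doc (maybe encrypted another way), or not Office */
} office_kind;

static const uint8_t CFB_MAGIC[8] = { 0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1 };
static const uint8_t ZIP_MAGIC[4] = { 'P', 'K', 0x03, 0x04 };

/* Directory entry names inside a CFB file are stored as UTF-16LE. */
static size_t to_utf16le(const char *ascii, uint8_t *out, size_t cap)
{
    size_t n = strlen(ascii);
    if (2 * n > cap) return 0;
    for (size_t i = 0; i < n; i++) { out[2 * i] = (uint8_t)ascii[i]; out[2 * i + 1] = 0; }
    return 2 * n;
}

static int contains(const uint8_t *hay, size_t n, const uint8_t *needle, size_t m)
{
    if (m == 0 || n < m) return 0;
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* Triage a file image: is this an Office document whose real content is hidden behind encryption? */
office_kind office_classify(const uint8_t *buf, size_t len)
{
    uint8_t name[64];
    size_t nlen;
    if (len >= sizeof ZIP_MAGIC && memcmp(buf, ZIP_MAGIC, sizeof ZIP_MAGIC) == 0) return OFFICE_ZIP_PLAIN;
    if (len < sizeof CFB_MAGIC || memcmp(buf, CFB_MAGIC, sizeof CFB_MAGIC) != 0) return OFFICE_UNKNOWN;
    nlen = to_utf16le("EncryptedPackage", name, sizeof name);
    return contains(buf, len, name, nlen) ? OFFICE_CFB_ENCRYPTED : OFFICE_CFB_OTHER;
}

/* Constructed samples (not real documents): 0 = plain ZIP, 1 = CFB with an EncryptedPackage entry
 * name in its second 512-byte sector, 2 = CFB without one. Returns that sample's classification. */
office_kind office_classify_sample(int which)
{
    uint8_t buf[1024];
    memset(buf, 0, sizeof buf);
    if (which == 0) { memcpy(buf, ZIP_MAGIC, 4); return office_classify(buf, 64); }
    memcpy(buf, CFB_MAGIC, 8);
    if (which == 1) to_utf16le("EncryptedPackage", buf + 512, sizeof buf - 512);
    return office_classify(buf, sizeof buf);
}
```

A file that comes back OFFICE_CFB_ENCRYPTED should be decrypted with the default password before it is scanned rather than passed through (for example `msoffcrypto-tool -p VelvetSweatshop book.xlsx book-plain.xlsx`); if the default password does not open it, a password-protected attachment from an unknown sender is itself a strong signal.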

Additionally, a six-year-old denial of service (DoS) vulnerability affecting WordPress and Drupal made a comeback in this period, and was included in the top 10 of WatchGuard’s list of network attacks by volume.

Commenting on the findings, Corey Nachreiner, CTO of WatchGuard, said: “Businesses aren’t the only ones that have adjusted operations due to the global COVID-19 pandemic – cyber-criminals have too.

“The rise in sophisticated attacks, despite the fact that overall malware detections declined in Q2, likely due to the shift to remote work, shows that attackers are turning to more evasive tactics that traditional signature-based anti-malware defenses simply can’t catch. Every organization should be prioritizing behavior-based threat detection, cloud-based sandboxing, and a layered set of security services to protect both the core network, as well as remote workforces.”   

Small business cyber security: the ultimate guide

If you’re an SME, cyber security might seem impossibly complex and filled with endless pitfalls.

Although it’s true that there’s a lot at stake – with ineffective security measures potentially threatening your productivity, your bank accounts, and your employees’ and third parties’ personal data – the path to effective security needn’t be difficult.

In this blog, we explain everything that small business owners need to know about protecting their organisations and reducing the risk of security breaches.

Why cyber security presents unique risks for SMEs

The difficulties that small businesses face when addressing cyber risks can be separated into financial costs and their ability to gain expert advice.

When we talk about ‘cost’, there are several issues at play. First, there is the fact that many small and medium-sized enterprises lack the budget to invest in comprehensive defences.

Second, there are the costs that organisations incur as a result of a security incident. We’ll talk about the specific financial effects of this in more detail below, but it’s worth noting that the first issue clearly affects the other.

SMEs that are reluctant to invest in cyber security practices are not only more likely to fall victim but will experience far larger costs as a result – and in many cases, the damage will be insurmountable.

You cannot cut corners when it comes to cyber threats. However tight your budget, you must find a way to address cyber security.

That brings us on to the second difficulty that you face: gaining expert advice. The demand for cyber security professionals far outweighs supply, with one report claiming that there will be 3.5 million unfilled jobs in the industry by 2021.

Those with the necessary skills can therefore command a much larger salary, meaning small organisations are being priced out of the market.

SMEs’ best course of action is to look internally – offering existing employees the opportunity to move into a career in cyber security.

Those in an IT background are particularly suited to this career switch, because – although technology only encompasses one aspect of information security – there is a large overlap.

Why SMEs can’t ignore cyber security

Let’s now take a closer look at the repercussions that small organisations face if they don’t properly address cyber security.

  • Business disruption

The first problem that you’ll run into is business disruption. An attack on your systems may paralyse your network or force you to close off parts of your business to make sure cyber criminals can no longer access your data.

In the time it takes you to investigate the cause of the breach and to get your systems back online, you will be unable to perform certain operations and are likely to experience a loss of production.

  • Remedial costs and regulatory fines

Getting up and running again is only your first obstacle. If the incident was serious enough, you will need to contact affected customers as well as your data protection supervisory authority, which in the UK is the ICO (Information Commissioner’s Office).

Notifying customers alone can be an expensive and time-consuming endeavour.

You may have to set up helpdesks so that those affected can get in contact to learn more, or even offer them complimentary credit checks to reassure them that the breach has no personal financial implications for them.

In addition to this, the ICO may well decide that the incident was a result of a GDPR (General Data Protection Regulation) violation, in which case you are liable to receive a financial penalty and face legal action.

  • Reputational damage

Finally, the incident might result in long-term reputational damage. It can be hard for organisations to retain customers’ trust – and that’s particularly true for small organisations – so you may experience significant customer churn.

According to Cisco’s CISO Benchmark Report 2020, a third of organisations said they experienced reputational damage as a result of a data breach.

Top threats to SMEs

According to Verizon’s 2020 Data Breach Investigations Report, 28% of data breaches involved SMEs. But what makes them so vulnerable?

Their biggest vulnerability is human error. Small organisations are far less likely than larger ones to have systematic staff awareness training programmes in place, meaning there is an increased possibility of someone making an avoidable mistake.

This includes things such as reusing their password on multiple accounts, falling for a phishing scam or failing to properly dispose of sensitive information when it’s no longer needed.

On a similar note, employees at small organisations are more likely to act maliciously – purposely using information in a way that’s detrimental to the organisation.

One reason for this is that smaller organisations are less likely to have monitoring tools to catch them in the act. For example, they might not have access controls in place to limit the information an employee can view.

Without them, any member of staff who wanted to steal sensitive information (perhaps with the intention of selling it on the dark web) could do so, and the organisation would be unable to tell who was responsible.

Another threat that small organisations in particular are vulnerable to is ransomware. This is a type of malware in which criminal hackers encrypt the organisation’s files, locking users out of their systems, and demand money for the decryption key.

The most effective way to mitigate the risk of ransomware is to back up your files regularly to a location that infected systems cannot reach (offline media or a segregated server): ransomware that can see a network share will encrypt the backups too. That way, should your systems become infected, you will be able to disconnect them, wipe the data and restore your information from the backups.

This process will take some time – anywhere from a couple of days to a couple of weeks, depending on the size of your operations – but it will be much less expensive and disruptive, and is a far more prudent approach than paying a criminal and hoping that they keep their word.

Unfortunately, many SMEs don’t invest in comprehensive backup strategies, making them an ideal target for crooks.

What can you do to protect your small business from cyber threats?

You can find out more about how to keep your organisation safe by downloading Cyber Security 101 – A guide for SMEs.

As we’ve explained here, cyber security requires careful coordination of people, processes, systems, networks and technologies, but it doesn’t necessarily have to be expensive.

This free guide provides essential advice on how to bolster your defences without breaking the bank. It explains:

  • Common cyber security myths, and how you can avoid making the wrong decisions;
  • Key considerations for developing your cyber security strategy; and
  • Effective and affordable cyber security measures that can provide immediate results.

The post Small business cyber security: the ultimate guide appeared first on IT Governance UK Blog.

From Firewalls to Firewalling – The Future of Enterprise Security

With the rapid evolution of security and the plethora of new innovations that have been developed in recent years, it can be easy to forget about the cornerstone technologies that have gotten us to this point. Now that the network perimeter is anything but static, some may wonder if the firewall, for example, is still relevant and effective for protecting today’s enterprise. The answer is yes, now more than ever.

As the landscape has changed, the firewall has adapted. We can’t address today’s rising challenges with yesterday’s firewall. Firewall technology has advanced to keep up with massive shifts in the way we do business. It has evolved to help secure cloud computing, SaaS applications, mobility, remote working, and more, against increasingly stealthy attacks.

Cisco has been leading the charge in this transition, making the firewall a core component of a zero trust security strategy. As a result of these efforts, we were recently named a leader in the 2020 Forrester Wave for Enterprise Firewalls. Cisco was one of only two vendors cited as a leader among Forrester’s evaluation of 11 firewall providers. Specific strengths highlighted in the report include our wide breadth of security offerings, and extensive integration across our portfolio.

Today’s firewall can no longer operate in a silo. It must be part of a cohesive security platform that can quickly adapt to changes in the network environment and threat landscape. And in fact, it should serve as the very foundation of such a platform.

Here’s how Cisco is building the future of firewalling through our platform approach to security:

From firewalls to firewalling

The firewall was traditionally an appliance designed to protect everything inside the network perimeter. However, with today’s enterprise data and applications residing in many different places, and users accessing them from an infinite amount of locations, the conventional perimeter has transitioned into multiple micro-perimeters that need to be secured. Thus, instead of viewing the firewall as a single device, we must now view “firewalling” as more of a functionality – protecting users and data across the network, cloud, endpoints, and applications – and anywhere else attackers may infiltrate.

With Cisco’s Next-Generation Firewall (NGFW), you get world-class security controls wherever you need them, with consistent policy management and enforcement, and in-depth, unified visibility. Cisco goes beyond offering traditional firewall capabilities, incorporating features such as intrusion prevention, URL filtering, application visibility and control, and advanced malware protection, to provide robust defenses against the ever-expanding menu of cyberattacks. And it’s all backed by the industry-leading threat intelligence of Cisco Talos.

Flexible deployment and management

The migration of data to the cloud, and users to remote locations, requires a new level of flexibility when it comes to firewalling technologies. Organizations need a mix of physical, virtual, and cloud-based firewalls to accommodate this shift and secure the data center, remote sites, cloud environments, and everywhere in between. This is especially critical as organizations think about multi-cloud and SASE models. However, with so many different firewall deployments in place, it can sometimes be difficult to manage them all to achieve consistent policies and seamless visibility.

As a worldwide leader in networking and security, Cisco is better positioned than any other vendor to integrate effective firewalling and security controls into your existing infrastructure. We offer a broad range of firewalling options – from physical appliances for various sized environments, to virtual firewalls for public and private clouds, to cloud-delivered firewalls. We also make it easy to embed firewalling capabilities directly into networking technologies such as routers and SD-WAN.

And we offer firewall management to suit a wide variety of requirements – helping you centralize management, reduce complexity, and streamline operations. Cisco Defense Orchestrator helps organizations consistently manage policies across Cisco firewalls and public cloud infrastructure. We reduce time spent on repetitive security management tasks by up to 90 percent, and our simplified approach is further strengthened by the recent introduction of the Cisco SecureX platform, which is included with all Cisco security products.

Platform is a requirement for best of breed

With Cisco, the power of your firewall does not end with your firewall. We’ve built a security platform that enables a more agile and integrated approach for harmonizing policies and enforcement across increasingly heterogeneous networks. Through Cisco SecureX, your firewall becomes part of a tightly woven security ecosystem that shares intelligence, expands visibility, and automates remediation. This way, the rest of your security portfolio acts as a natural extension of your firewall.

According to Mike Schofield, vice president of network and cybersecurity operations at Rackspace, “The Cisco Next-Generation Firewall enables us to provide our customers with advanced features and functionality for defending against evolving threats, all through a single, unified platform.”

As part of a security platform, your firewall can see and stop more threats, accelerating threat response and substantially improving your risk posture. With the ability to integrate both Cisco and third-party technologies into a single platform, you can extend the power of your firewall with functionality such as secure access, network analytics, cloud and endpoint security, workload security and micro-segmentation, and much more. Each integration allows your firewall to grow even stronger, and in turn, the firewall can enrich your entire security ecosystem.

The future of firewalling  

If you’re looking for a new firewalling experience, make sure you select technology that has the features, flexibility, and fortitude to deliver value into the future.

The post From Firewalls to Firewalling – The Future of Enterprise Security appeared first on Cisco Blogs.

Fuzzing Image Parsing in Windows, Part One: Color Profiles

Image parsing and rendering are basic features of any modern operating system (OS). Image parsing is an easily accessible attack surface, and a vulnerability that may lead to remote code execution or information disclosure in such a feature is valuable to attackers. In this multi-part blog series, I am reviewing Windows OS’ built-in image parsers and related file formats: specifically looking at creating a harness, hunting for corpus and fuzzing to find vulnerabilities. In part one of this series I am looking at color profiles—not an image format itself, but something which is regularly embedded within images. 

What is an ICC Color Profile?

Wikipedia provides a more-than-adequate description of ICC color profiles: "In color management, an ICC profile is a set of data that characterizes a color input or output device, or a color space, according to standards promulgated by the International Color Consortium (ICC). Profiles describe the color attributes of a particular device or viewing requirement by defining a mapping between the device source or target color space and a profile connection space (PCS). This PCS is either CIELAB (L*a*b*) or CIEXYZ. Mappings may be specified using tables, to which interpolation is applied, or through a series of parameters for transformations."

In simpler terms, an ICC color profile is a binary file that gets embedded into images and is parsed whenever ICC-aware software processes those images.

Specification

The ICC specification is around 100 pages and should be easy to skim through. Reading it gives a better understanding of the file format, the different types of color profiles, and the math behind the color transformations. Furthermore, understanding the file format internals gives us information that can be used to optimize fuzzing, select a good corpus, and prepare fuzzing dictionaries.

History of Color Management in Windows

Windows first shipped Image Color Management (ICM) 1.0 with Windows 95, and ICM 2.0 from Windows 98 onwards. Windows Vista brought a major overhaul in the form of Windows Color System (WCS) 1.0. While ICC color profiles are binary files, WCS color profiles use XML as their file format. In this blog post, I am going to concentrate on ICC color profiles.

Microsoft publishes a list of the supported ICM APIs. Looking into some of the obviously named ones, such as OpenColorProfile, we can see that they are implemented in MSCMS.dll. This DLL is a generic entry point and supports loading Microsoft’s Color Management Module (CMM) as well as third-party CMMs such as Adobe’s. Microsoft’s CMM, the ICM, can be found as ICM32.dll in the System32 directory.


Figure 1: ICM32

Windows’ CMM was written by a third party during the Windows 95 era and still ships with more or less the same code (with security fixes over the decades). Seeing such an old module gives me some hope of finding a new vulnerability. But this is also a small module that may have gone through multiple rounds of review and fuzzing, both by internal product security teams and by external researchers, which reduces my hopes to a certain degree. Looking for recent vulnerabilities in ICM32, we can see multiple bugs from 2017-2018 by Project Zero and ZDI researchers, but then relative silence from 2019 onwards.

Making a Harness

Although there is a list of ICM APIs in MSDN, we need to find the API sequence Windows itself uses for ICC-related operations. One way to find it is to search a disassembly of Windows DLLs and EXEs in the hope of finding the color profile APIs being used. Another approach is to find a harness for an open source Color Management System such as Little CMS (LCMS). Both of these end up pointing to a very small set of APIs with functionality to open color profiles and create color transformations.

Given this information, a simple initial harness was written: 

#include <stdio.h>
#include <string.h>
#include <Windows.h>
#include <Icm.h>

#pragma comment(lib, "mscms.lib")

// Minimal harness: open a fixed destination profile, open the fuzzer-supplied
// source profile, and build a transform between them. Opening a profile parses
// its header and tag table; creating the transform drives ICM32's LUT
// construction, which is where the crashes described below land.
int main(int argc, char** argv)
{
    if (argc != 2)
    {
        fprintf(stderr, "usage: %s <profile.icc>\n", argv[0]);
        return -1;
    }

    // Destination side: the sRGB profile that ships with Windows.
    char dstProfilePath[] = "sRGB Color Space Profile.icm";
    tagPROFILE destinationProfile;
    HPROFILE   hDstProfile = nullptr;

    destinationProfile.dwType = PROFILE_FILENAME;
    destinationProfile.pProfileData = dstProfilePath;
    destinationProfile.cbDataSize = (DWORD)(strlen(dstProfilePath) + 1);

    hDstProfile = OpenColorProfileA(&destinationProfile, PROFILE_READ,
        FILE_SHARE_READ, OPEN_EXISTING);
    if (nullptr == hDstProfile)
    {
        return -1;
    }

    // Source side: the file under test.
    tagPROFILE sourceProfile;
    HPROFILE   hSrcProfile = nullptr;
    HTRANSFORM hColorTransform = nullptr;

    DWORD dwIntent[] = { INTENT_PERCEPTUAL, INTENT_PERCEPTUAL };
    HPROFILE hProfileList[2];

    sourceProfile.dwType = PROFILE_FILENAME;
    sourceProfile.pProfileData = argv[1];
    sourceProfile.cbDataSize = (DWORD)(strlen(argv[1]) + 1);

    hSrcProfile = OpenColorProfileA(&sourceProfile, PROFILE_READ,
        FILE_SHARE_READ, OPEN_EXISTING);
    if (nullptr == hSrcProfile)
    {
        CloseColorProfile(hDstProfile);
        return -1;
    }

    hProfileList[0] = hSrcProfile;
    hProfileList[1] = hDstProfile;

    // One rendering intent per profile; the transform exercises the bulk of ICM32.
    hColorTransform = CreateMultiProfileTransform(
        hProfileList,
        2,
        dwIntent,
        2,
        USE_RELATIVE_COLORIMETRIC | BEST_MODE,
        INDEX_DONT_CARE
    );

    if (nullptr == hColorTransform)
    {
        CloseColorProfile(hSrcProfile);
        CloseColorProfile(hDstProfile);
        return -1;
    }

    DeleteColorTransform(hColorTransform);
    CloseColorProfile(hSrcProfile);
    CloseColorProfile(hDstProfile);
    return 0;
}

Listing 1: Harness

Hunting for Corpus and Dictionary

Sites offering color profiles can be found all over the internet. The other main source of color profiles is images: many image files embed a color profile, but extracting it to a stand-alone file takes some programming or tooling.

Skimming the specification also tells us to make sure the corpus contains at least one sample of each of the seven profile classes (input, display, output, device link, color space, abstract and named color). This, along with code coverage information, can be used to prepare the first set of corpuses for fuzzing.

A dictionary, which helps the fuzzer to find additional code paths, can be prepared by combing through specifications and creating a list of unique tag names and values. One can also find dictionaries from open source fuzzing attempts on LCMS, etc.
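To make the specification section concrete, and to give the corpus triage above something to run, here is an added example in C. It is my code, not the author’s harness and not Windows’ parser: it validates the 128-byte profile header, walks the tag table, reports which of the seven profile classes a file belongs to, and rejects the tag table and element bounds violations a fuzzer probes first. Offsets follow ICC.1 (profile size at 0, class at 12, ‘acsp’ signature at 36, tag count at 128, 12-byte tag entries after it). The profile it builds is constructed inline and is not a real profile; the self-check helpers exist so that behaviour on a corrupted table can be asserted without external files.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ICC_HEADER_SIZE 128
#define ICC_TAG_ENTRY   12

typedef struct { uint8_t sig[4]; uint32_t offset, size; } icc_tag;
typedef struct { uint32_t size; uint8_t cls[4], space[4], pcs[4]; uint32_t tag_count; } icc_header;

static uint32_t be32(const uint8_t *p)      /* profile fields are big-endian */
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void put32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}

/* The seven profile classes defined by ICC.1, from header bytes 12..15. */
const char *icc_class_name(const uint8_t cls[4])
{
    static const struct { const char *sig, *name; } classes[] = {
        {"scnr", "input"}, {"mntr", "display"}, {"prtr", "output"}, {"link", "device link"},
        {"spac", "color space"}, {"abst", "abstract"}, {"nmcl", "named color"},
    };
    for (size_t i = 0; i < sizeof classes / sizeof classes[0]; i++)
        if (memcmp(cls, classes[i].sig, 4) == 0) return classes[i].name;
    return "unknown";
}

/* Validate the header and tag table. Returns 0, or a negative code naming the check that failed.
 * Entries beyond max_tags are still validated, just not returned. */
int icc_parse(const uint8_t *buf, size_t len, icc_header *hdr, icc_tag *tags, size_t max_tags, size_t *ntags)
{
    *ntags = 0;
    if (len < ICC_HEADER_SIZE + 4) return -1;                      /* header plus tag count */
    if (memcmp(buf + 36, "acsp", 4) != 0) return -2;               /* profile file signature */
    hdr->size = be32(buf);
    if (hdr->size > len) return -3;                                /* declared size past the file */
    memcpy(hdr->cls, buf + 12, 4);
    memcpy(hdr->space, buf + 16, 4);
    memcpy(hdr->pcs, buf + 20, 4);
    hdr->tag_count = be32(buf + ICC_HEADER_SIZE);
    if (hdr->tag_count > (len - ICC_HEADER_SIZE - 4) / ICC_TAG_ENTRY) return -4;   /* table must fit */
    for (uint32_t i = 0; i < hdr->tag_count; i++) {
        const uint8_t *e = buf + ICC_HEADER_SIZE + 4 + (size_t)i * ICC_TAG_ENTRY;
        icc_tag t;
        memcpy(t.sig, e, 4);
        t.offset = be32(e + 4);
        t.size = be32(e + 8);
        if ((uint64_t)t.offset + t.size > len) return -5;          /* 64-bit sum, so it cannot wrap */
        if (*ntags < max_tags) tags[(*ntags)++] = t;
    }
    return 0;
}

/* Constructed sample, not a real profile: a named-color profile with one 'ncl2' tag whose element
 * is just the 0x54-byte namedColor2Type header. Returns the length written, 0 if cap is too small. */
size_t icc_build_sample(uint8_t *out, size_t cap)
{
    const uint32_t elem_off = ICC_HEADER_SIZE + 4 + ICC_TAG_ENTRY, elem_len = 0x54;
    const uint32_t total = elem_off + elem_len;                    /* 228 bytes */
    if (cap < total) return 0;
    memset(out, 0, total);
    put32(out, total);
    memcpy(out + 12, "nmcl", 4);
    memcpy(out + 16, "RGB ", 4);
    memcpy(out + 20, "Lab ", 4);
    memcpy(out + 36, "acsp", 4);
    put32(out + ICC_HEADER_SIZE, 1);
    memcpy(out + ICC_HEADER_SIZE + 4, "ncl2", 4);
    put32(out + ICC_HEADER_SIZE + 8, elem_off);
    put32(out + ICC_HEADER_SIZE + 12, elem_len);
    memcpy(out + elem_off, "ncl2", 4);
    return total;
}

/* Self-checks: parse the sample after one deliberate corruption and return the parse code.
 * 0 intact, 1 absurd tag count, 2 tag element pointing past the file, 3 wrong signature. */
int icc_selfcheck(int corruption)
{
    uint8_t buf[256]; icc_header h; icc_tag tags[4]; size_t n;
    size_t len = icc_build_sample(buf, sizeof buf);
    if (corruption == 1) put32(buf + ICC_HEADER_SIZE, 1000);
    if (corruption == 2) put32(buf + ICC_HEADER_SIZE + 12, 0xFFFFFFFFu);
    if (corruption == 3) memcpy(buf + 36, "XXXX", 4);
    return icc_parse(buf, len, &h, tags, 4, &n);
}
const char *icc_sample_class(void)
{
    uint8_t buf[256]; icc_header h; icc_tag tags[4]; size_t n;
    size_t len = icc_build_sample(buf, sizeof buf);
    return icc_parse(buf, len, &h, tags, 4, &n) == 0 ? icc_class_name(h.cls) : "parse failed";
}

/* CLI: print the class and tag table of a profile file, or which check rejected it. */
int main(int argc, char **argv)
{
    static uint8_t buf[1 << 24];                                   /* real profiles are far smaller */
    icc_header h; icc_tag tags[256]; size_t n, len; int rc;
    FILE *f = argc == 2 ? fopen(argv[1], "rb") : NULL;
    if (!f) { fprintf(stderr, "usage: %s profile.icc\n", argv[0]); return 2; }
    len = fread(buf, 1, sizeof buf, f);
    fclose(f);
    rc = icc_parse(buf, len, &h, tags, 256, &n);
    if (rc != 0) { printf("rejected: check %d failed\n", -rc); return 1; }
    printf("class=%s space=%.4s pcs=%.4s tags=%u\n", icc_class_name(h.cls),
           (const char *)h.space, (const char *)h.pcs, (unsigned)h.tag_count);
    for (size_t i = 0; i < n; i++)
        printf("  %.4s offset=%u size=%u\n", (const char *)tags[i].sig, (unsigned)tags[i].offset, (unsigned)tags[i].size);
    return 0;
}
```

Run it over the corpus directory to see the class mix and to collect tag signatures for the dictionary: every distinct four-byte signature it prints is a dictionary token, and any file it rejects is worth keeping as a seed precisely because a lenient parser such as ICM32 may still accept it.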

Fuzzing

I used a 16-core machine to fuzz the harness with my first set of corpuses. Code coverage information from MSCMS.dll and ICM32.dll was used as feedback for my fuzzer. Crashes started to appear within a couple of days.

CVE-2020-1117 — Heap Overflow in InitNamedColorProfileData

The following crash happens in icm32!SwapShortOffset while trying to read out of bounds:

0:000> r
rax=0000023690497000 rbx=0000000000000000 rcx=00000000000000ff
rdx=000000000000ffff rsi=0000023690496f00 rdi=0000023690496fee
rip=00007ffa46bf3790 rsp=000000c2a56ff5a8 rbp=0000000000000001
 r8=0000000000000014  r9=0000023690497002 r10=0000000000000014
r11=0000000000000014 r12=000000c2a56ff688 r13=0000023690492de0
r14=000000000000000a r15=000000004c616220
iopl=0         nv up ei ng nz ac pe cy
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000293
icm32!SwapShortOffset+0x10:
00007ffa`46bf3790 0fb610          movzx   edx,byte ptr [rax] ds:00000236`90497000=??

0:000> !heap -p -a @rax
    address 0000023690497000 found in
    _DPH_HEAP_ROOT @ 23690411000
    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
                             23690412b60:      23690496f00              100 -      23690496000             2000
    00007ffa51644807 ntdll!RtlDebugAllocateHeap+0x000000000000003f
    00007ffa515f49d6 ntdll!RtlpAllocateHeap+0x0000000000077ae6
    00007ffa5157babb ntdll!RtlpAllocateHeapInternal+0x00000000000001cb
    00007ffa51479da0 msvcrt!malloc+0x0000000000000070
    00007ffa46bf3805 icm32!SmartNewPtr+0x0000000000000011
    00007ffa46bf37c8 icm32!SmartNewPtrClear+0x0000000000000014
    00007ffa46c02d05 icm32!InitNamedColorProfileData+0x0000000000000085
    00007ffa46bf6e39 icm32!Create_LH_ProfileSet+0x0000000000004e15
    00007ffa46bf1973 icm32!PrepareCombiLUTs+0x0000000000000117
    00007ffa46bf1814 icm32!CMMConcatInitPrivate+0x00000000000001f4
    00007ffa46bf12a1 icm32!CWConcatColorWorld4MS+0x0000000000000075
    00007ffa46bf11f4 icm32!CMCreateMultiProfileTransformInternal+0x00000000000000e8
    00007ffa46bf1039 icm32!CMCreateMultiProfileTransform+0x0000000000000029
    00007ffa48f16e6c mscms!CreateMultiProfileTransform+0x000000000000024c
    00007ff774651191 ldr+0x0000000000001191
    00007ff7746514b4 ldr+0x00000000000014b4
    00007ffa505a7bd4 KERNEL32!BaseThreadInitThunk+0x0000000000000014
    00007ffa515aced1 ntdll!RtlUserThreadStart+0x0000000000000021

Listing 2: Crash info

icm32!SwapShortOffset reads unsigned short values, byte-swaps them and stores them back at the same location, giving this crash both read and write primitives.

unsigned __int16 *__fastcall SwapShortOffset(void *sourceBuff, unsigned int offset, unsigned int len)
{
  unsigned __int16 *endBuff; // r9
  unsigned __int16 *result; // rax

  endBuff = (unsigned __int16 *)((char *)sourceBuff + len);   // no check that sourceBuff + len lies inside the allocation
  for ( result = (unsigned __int16 *)((char *)sourceBuff + offset); result < endBuff; ++result )
    *result = _byteswap_ushort(*result);        // read, bswap and write
  return result;
}

Listing 3: SwapShortOffset decompiled

The crashing function icm32!SwapShortOffset doesn’t immediately point to the root cause of the bug. For that, we need to go one call up to icm32!InitNamedColorProfileData.

__int64 __fastcall InitNamedColorProfileData(__int64 a1, void *hProfile, int a3, _DWORD *a4)
{
  ...
  ...
  errCode = CMGetPartialProfileElement(hProfile, 'ncl2', 0, pBuffSize, 0i64);      // getting size of ncl2 element
  if ( errCode )
    return errCode;
  minSize = pBuffSize[0];
  if ( pBuffSize[0] < 0x55 )
    minSize = 0x55;
  pBuffSize[0] = minSize;
  outBuff = SmartNewPtrClear(minSize, &errCode);                                    // allocating the buffer for ncl2
  ...
  ...
  errCode = CMGetPartialProfileElement(hProfile, 'ncl2', 0, pBuffSize, outBuff);    // reading ncl2 elements to buffer
  if ( !errCode )
  {
    ...
    ...
    totalSizeToRead = count * totalDeviceCoord;
    if ( totalSizeToRead < 0xFFFFFFFFFFFFFFAEui64 && totalSizeToRead + 0x51 <= pBuffSize[0] )  // totalSizeToRead + 0x51 <= element size?
    {
      currPtr = outBuff + 0x54;            // wrong offset of 0x54 is used
      ...
      ...
      do
      {   
        SwapShortOffset((currPtr + 0x20), 0, 6u);
        ...
        --count;
      }while(count)

Listing 4: InitNamedColorProfileData decompiled

Here the code reads the ‘ncl2’ tag/element: a first call gets the size of the element in the file, a buffer of that size (but at least 0x55 bytes) is allocated, and a second call reads the complete content of the element into it. The buffer is then parsed for the count and the number of device coordinates, and those values are verified by checking that the reads and writes stay within the buffer size. The vulnerability is that the offset used for verification (0x51) is smaller than the offset used to advance the buffer pointer (0x54), so the walk can read and write up to 3 bytes beyond the end of the allocation.

The fix for this was pretty straight forward—change the verification offset to 0x54, which is how Microsoft fixed this bug.

Additional Vulnerabilities

While looking at the previous vulnerability, one can see a pattern of using CMGetPartialProfileElement to read the size, allocate, and then read the content. This sort of pattern can introduce bugs such as an unconstrained size, or an integer overflow while adding an offset to the size. I decided to pursue this function and see whether such instances are present within ICM32.dll.

I found three instances that access fixed offsets without a length check: CMConvIndexToNameProfile, CMConvNameToIndexProfile and CMGetNamedProfileInfoProfile. All of these functions are reachable through exported and documented MSCMS functions: ConvertIndexToColorName, ConvertColorNameToIndex, and GetNamedProfileInfo respectively.

__int64 __fastcall CMConvIndexToNameProfile(HPROFILE hProfile, __int64 a2, __int64 a3, unsigned int a4)
{
  ...
  ...
  errCode = CMGetPartialProfileElement(hProfile, 'ncl2', 0, pBuffSize, 0i64);    // read size
  if ( !errCode )
  {
    allocBuff = SmartNewPtr(pBuffSize[0], &errCode);
    if ( !errCode )
    {
      errCode = CMGetPartialProfileElement(hProfile, 'ncl2', 0, pBuffSize, allocBuff);    // read to buffer
      if ( !errCode )
      {
        SwapLongOffset((allocBuff + 12), 0, 4u);         // 12 > *pBuffSize ?
        SwapLongOffset((allocBuff + 16), v12, v13);

Listing 5: CMConvIndexToNameProfile decompiled

The bug in CMConvIndexToNameProfile and the other two functions is that there is no minimum length check on the ‘ncl2’ element: offsets 12 and 16 are read and written directly, so an element shorter than 16 bytes (the first SwapLongOffset alone touches bytes 12 to 15) gives an out-of-bounds read and write on allocBuff.

Microsoft decided not to immediately fix these three vulnerabilities due to the fact that none of the Windows binaries use these functions. Independently, we did not find any Windows or third-party software using these APIs.
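The two findings above, the 0x51/0x54 mismatch in InitNamedColorProfileData and the missing minimum-length check in CMConvIndexToNameProfile and its siblings, come down to the same missing arithmetic, so here is one added example that models both. It is my code, not FireEye’s and not Microsoft’s: it walks an ‘ncl2’ element through a bounds-tracking buffer that never dereferences outside the allocation but records how far the real code would have reached. The constant used for the size check is a parameter (0x51 as shipped, 0x54 as fixed), and the minimum-length check can be switched off to reproduce the second pattern. Two things are assumptions beyond what the listings show: the entry layout (a 32-byte root name followed by three PCS values and nDeviceCoords device values, from the ICC namedColor2Type definition), and the derivation of totalSizeToRead, which is elided on the page and is taken here as count times entry size. The 3-byte gap between the two constants is what the first scenario exercises.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* namedColor2Type ('ncl2') layout, from the ICC spec (assumed; the page shows only the offsets
 * that the decompiled code touches):
 *   0x00 type sig   0x04 reserved   0x08 vendor flag   0x0C count   0x10 nDeviceCoords
 *   0x14 prefix[32] 0x34 suffix[32] 0x54 first entry
 *   entry: root name[32], 3 x uint16 PCS values, nDeviceCoords x uint16 device values */
#define NCL2_COUNT_OFF   0x0C
#define NCL2_COORDS_OFF  0x10
#define NCL2_ENTRIES_OFF 0x54
#define NCL2_PCS_OFF     0x20   /* the SwapShortOffset(currPtr + 0x20, 0, 6) in Listing 4 */

/* A buffer view that never dereferences outside [0, len) but records how far the code tried to reach. */
typedef struct { uint8_t *p; size_t len; uint64_t reach; } tracked;

static int in_range(tracked *b, uint64_t off, uint64_t n)
{
    if (off + n > b->reach) b->reach = off + n;
    return off + n <= b->len;
}
static uint32_t rd32(tracked *b, uint64_t off)                     /* big-endian, like the profile */
{
    const uint8_t *q;
    if (!in_range(b, off, 4)) return 0;
    q = b->p + off;
    return ((uint32_t)q[0] << 24) | ((uint32_t)q[1] << 16) | ((uint32_t)q[2] << 8) | q[3];
}
static void swap16(tracked *b, uint64_t off)                       /* what SwapShortOffset does per value */
{
    uint8_t t;
    if (!in_range(b, off, 2)) return;
    t = b->p[off]; b->p[off] = b->p[off + 1]; b->p[off + 1] = t;
}
static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}

typedef struct { uint32_t count, ncoords; uint64_t overrun; } ncl2_result;

/* Walk an 'ncl2' element the way InitNamedColorProfileData does, with the two mistakes as parameters:
 *   check_off    constant compared with the element length before the walk: 0x51 as shipped
 *                (CVE-2020-1117), 0x54 in the fix
 *   require_min  0 reads count/nDeviceCoords with no minimum-length check (the CMConvIndexToNameProfile
 *                pattern); 1 rejects elements shorter than the fixed header first
 * Returns 0 if accepted, -1 if rejected. r->overrun is how many bytes past the end the real code
 * would have read and written. */
int ncl2_process(uint8_t *elem, size_t elem_len, uint32_t check_off, int require_min, ncl2_result *r)
{
    tracked b = { elem, elem_len, 0 };
    uint64_t entry_len, total;
    int ok = 0;
    memset(r, 0, sizeof *r);
    if (require_min && elem_len < NCL2_ENTRIES_OFF) return -1;
    r->count   = rd32(&b, NCL2_COUNT_OFF);
    r->ncoords = rd32(&b, NCL2_COORDS_OFF);
    entry_len = 32 + 6 + 2 * (uint64_t)r->ncoords;
    if (r->count <= UINT64_MAX / entry_len) {                      /* the job of the 0xFFFFFFFFFFFFFFAE guard */
        total = (uint64_t)r->count * entry_len;
        ok = total + check_off <= elem_len;                        /* the size check from Listing 4 */
    }
    for (uint32_t i = 0; ok && i < r->count; i++) {
        uint64_t entry = NCL2_ENTRIES_OFF + (uint64_t)i * entry_len;
        for (int k = 0; k < 3; k++) swap16(&b, entry + NCL2_PCS_OFF + 2 * k);
    }
    r->overrun = b.reach > elem_len ? b.reach - elem_len : 0;
    return ok ? 0 : -1;
}

/* Constructed sample element: `count` entries with `ncoords` device values each, PCS values 0x1234
 * so a swap is visible. Returns the length written, 0 if cap is too small. */
size_t ncl2_build(uint8_t *out, size_t cap, uint32_t count, uint32_t ncoords)
{
    uint64_t entry_len = 32 + 6 + 2 * (uint64_t)ncoords, len = NCL2_ENTRIES_OFF + count * entry_len;
    if (len > cap) return 0;
    memset(out, 0, (size_t)len);
    memcpy(out, "ncl2", 4);
    wr32(out + NCL2_COUNT_OFF, count);
    wr32(out + NCL2_COORDS_OFF, ncoords);
    for (uint32_t i = 0; i < count; i++) {
        uint8_t *e = out + NCL2_ENTRIES_OFF + i * entry_len;
        for (int k = 0; k < 3; k++) { e[NCL2_PCS_OFF + 2 * k] = 0x12; e[NCL2_PCS_OFF + 2 * k + 1] = 0x34; }
    }
    return (size_t)len;
}

/* Scenario 1: a two-entry element (0x54 + 2 * 38 = 160 bytes) declared three bytes short. With
 * check_off 0x51 the check passes and the walk runs 3 bytes past the end; with 0x54 it is rejected. */
uint64_t scenario_short_element(uint32_t check_off)
{
    uint8_t buf[256]; ncl2_result r;
    size_t n = ncl2_build(buf, sizeof buf, 2, 0);
    if (n == 0) return UINT64_MAX;
    ncl2_process(buf, n - 3, check_off, 1, &r);
    return r.overrun;
}
/* Scenario 2: an 8-byte element. Without a minimum-length check, reading count and nDeviceCoords
 * at offsets 12 and 16 already reaches 12 bytes past the end. */
uint64_t scenario_tiny_element(int require_min)
{
    uint8_t tiny[8] = { 'n', 'c', 'l', '2', 0, 0, 0, 0 };
    ncl2_result r;
    ncl2_process(tiny, sizeof tiny, 0x54, require_min, &r);
    return r.overrun;
}
/* Scenario 3: a well-formed element is accepted and its PCS values are byte-swapped in place. */
int scenario_wellformed(void)
{
    uint8_t buf[256]; ncl2_result r;
    size_t n = ncl2_build(buf, sizeof buf, 2, 0);
    return ncl2_process(buf, n, 0x54, 1, &r) == 0 && r.overrun == 0
        && buf[NCL2_ENTRIES_OFF + NCL2_PCS_OFF] == 0x34 && buf[NCL2_ENTRIES_OFF + NCL2_PCS_OFF + 1] == 0x12;
}
```

The tracked buffer is the useful part for triage: when a crash only shows up under page heap, as the one in Listing 2 did, re-running the decompiled logic through a view like this tells you exactly how many bytes past the allocation the code reaches, and whether that number depends on attacker-controlled fields (here it is a fixed 3, which is why the fix was a one-constant change).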

Conclusion

In part one of this blog series, we looked into color profiles, wrote a harness, hunted for corpus and successfully found multiple vulnerabilities. Stay tuned for part two, where we will be looking at a relatively less talked about vulnerability class: uninitialized memory.

Instagram RCE gave hackers remote access to your device

Facebook has addressed a critical vulnerability in Instagram that could lead to remote code execution and turn the smartphone into a spying device.

Facebook has fixed a critical remote code execution vulnerability in Instagram that could lead to the hijack of smartphone cameras, microphones, and more. 

The vulnerability, tracked as CVE-2020-1895 and discovered by Check Point, is a heap overflow in Instagram’s image processing and received a CVSS score of 7.8.

“A large heap overflow could occur in Instagram for Android when attempting to upload an image with specially crafted dimensions. This affects versions prior to 128.0.0.26.128,” reads Facebook’s advisory.

An attacker could trigger the vulnerability by sending a crafted image to the victim via email, WhatsApp, SMS or any other communications platform. Once the image has been saved to the victim’s device, simply opening Instagram afterwards executes the malicious code.

“In the attack scenario we describe below, an attacker simply sends an image to the victim via email, WhatsApp or other media exchange platforms. When the victim opens the Instagram app, the exploitation takes place.” reads the analysis published by CheckPoint.

The vulnerability stems from how Instagram uses third-party libraries for image processing, in particular the open-source JPEG decoder Mozjpeg.

Researchers found that the function handling image sizes when parsing JPEG images was flawed and caused a memory overflow during decompression.

Check Point explained that the issue could be triggered with an image whose decoded size exceeds 2^32 bytes: the 32-bit size calculation wraps, so the buffer allocated for the decoded pixels is far smaller than what the decoder then writes into it.

An attacker may have been able to hijack Instagram’s execution flow and gain code execution within its context and permissions.

The malicious code could allow the hackers to access a device’s phone contacts, camera, GPS data, and files stored on the device. The flaw could also be used to intercept direct messages, delete or post photos without permission, and change the account settings.
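The bug class Check Point describes, a 32-bit size that wraps once width × height × bytes-per-pixel passes 2^32, is easiest to see in code, so here is an added example. It is my code, not Instagram’s and not Mozjpeg’s: the naive size computation beside a hardened one. The 4 bytes per pixel (an RGBA output buffer) and the 1 GiB ceiling used in the checks are assumptions; the dimensions chosen for the demonstration are each well inside what a JPEG header can declare and inside libjpeg’s own per-dimension limit, and yet their product wraps to 128 KiB.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>

#define BYTES_PER_PIXEL 4          /* assumed RGBA output buffer */

/* The shape of the bug: width and height come from 16-bit JPEG header fields, the product is
 * computed in 32 bits, and it silently wraps once width * height * 4 passes 2^32. */
uint32_t image_bytes_naive(uint32_t width, uint32_t height)
{
    return width * height * BYTES_PER_PIXEL;
}

/* Hardened: widen before multiplying and apply an explicit ceiling, so neither a wrapped product
 * nor a merely enormous one reaches the allocator. Returns the byte count, or 0 to refuse the image. */
uint64_t image_bytes_checked(uint32_t width, uint32_t height, uint64_t max_bytes)
{
    uint64_t n;
    if (width == 0 || height == 0) return 0;
    n = (uint64_t)width * (uint64_t)height * BYTES_PER_PIXEL;
    return n <= max_bytes ? n : 0;
}

/* How many bytes the decoder would write beyond what the naive size allocated. */
uint64_t naive_shortfall(uint32_t width, uint32_t height)
{
    uint64_t needed = (uint64_t)width * height * BYTES_PER_PIXEL;
    uint64_t allocated = image_bytes_naive(width, height);
    return needed > allocated ? needed - allocated : 0;
}

/* The allocation site as it should look: NULL means "refuse this image", not only "out of memory". */
void *alloc_output_checked(uint32_t width, uint32_t height, uint64_t max_bytes)
{
    uint64_t n = image_bytes_checked(width, height, max_bytes);
    if (n == 0 || n > SIZE_MAX) return NULL;
    return calloc(1, (size_t)n);
}
```

With width 32768 and height 32769 the naive product is 4295098368, which wraps to 131072: the decoder gets a 128 KiB buffer and proceeds to write 4 GiB of pixels into it. The ceiling matters as much as the widening; a correct 64-bit product of 16 GiB is still a denial of service, which is the “crash the app until they reinstall” outcome Check Point mentions.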

“At the most basic level, the exploitation could be used to crash a user’s Instagram app, denying them access to the app until they delete it from their device and re-install it, causing inconvenience and possible loss of data,” Check Point concludes.

“Our blog post describes how image parsing code, as a third party library, ends up being the weakest point of Instagram’s large system. Fuzzing the exposed code turned up some new vulnerabilities which have since been fixed. It is likely that, given enough effort, one of these vulnerabilities can be exploited for RCE in a zero-click attack scenario. Unfortunately, it is also likely that other bugs remain or will be introduced in the future.”

Pierluigi Paganini

(SecurityAffairs – hacking, Facebook)

The post Instagram RCE gave hackers remote access to your device appeared first on Security Affairs.

Computer Programmer Pleads Guilty to Lying about Silk Road Involvement

A computer programmer pleaded guilty to making false statements about his involvement with the Silk Road underground web marketplace. On September 21, Michael R. Weigand (also known as “Shabang”) surrendered himself and told U.S. District Judge William H. Pauley III that he had lied to federal investigators about his work with Silk Road. Weigand clarified […]

The post Computer Programmer Pleads Guilty to Lying about Silk Road Involvement appeared first on The State of Security.

ITWC Morning Briefing, September 24, 2020 – Microsoft Ignite recap, MaRS attacks Alberta (in a good way), plus more

To keep up with the firehose of news, we’ve decided to deliver some extra news to you on the side every Monday and Thursday morning. Some of it is an extension of our own reporting that didn’t make its way into a story, while others might be content we’ve bookmarked for later reading and thought…

The post ITWC Morning Briefing, September 24, 2020 - Microsoft Ignite recap, MaRS attacks Alberta (in a good way), plus more first appeared on IT World Canada.

Hashtag Trending – Tesla’s battery goals; Toronto the startup hub; Climate pledges from the corporate world

Tesla’s new battery goals, Toronto is a global powerhouse for startups, and new climate pledges for some of the world’s largest companies.

The post Hashtag Trending - Tesla’s battery goals; Toronto the startup hub; Climate pledges from the corporate world first appeared on IT World Canada.

Instagram photo flaw could have helped malicious hackers spy via users’ cameras and microphones

A critical vulnerability in Instagram’s Android and iOS apps could have allowed remote attackers to run malicious code, snoop on unsuspecting users, and hijack control of smartphone cameras and microphones. The security hole, which has been patched by Instagram owner Facebook, could be exploited by a malicious hacker simply sending their intended victim a boobytrapped […]

The post Instagram photo flaw could have helped malicious hackers spy via users’ cameras and microphones appeared first on The State of Security.