VMware Cloud Director vulnerability enables a full cloud infrastructure takeover

A code injection vulnerability (CVE-2020-3956) affecting VMware vCloud Director could be exploited to take over the infrastructure of cloud services, Citadelo researchers have discovered.

About VMware vCloud Director and CVE-2020-3956

VMware Cloud Director (formerly known as vCloud Director) is a cloud service delivery platform used by public and private cloud providers to operate and manage cloud infrastructure. CVE-2020-3956 was discovered by Citadelo penetration testers during a security audit of a customer’s VMWare Cloud Director-based cloud … More

The post VMware Cloud Director vulnerability enables a full cloud infrastructure takeover appeared first on Help Net Security.

Critical flaw in VMware Cloud Director allows hackers to take over company infrastructure

Researchers disclosed a flaw in the VMware Cloud Director platform, tracked as CVE-2020-3956, that could be abused to take over corporate servers.

Security researchers from hacking firm Citadelo disclosed details of a new critical vulnerability in VMware’s Cloud Director platform, tracked as CVE-2020-3956, that could be abused to take over corporate servers.

VMware Cloud Director is a cloud service-delivery platform that allows organizations to operate and manage successful cloud-service businesses. Using VMware Cloud Director, cloud providers deliver secure, efficient, and elastic cloud resources to thousands of enterprises and IT teams across the world.

The vulnerability could potentially allow an authenticated attacker to gain access to the corporate network, access sensitive data, and control private clouds within an entire infrastructure.

“A code injection vulnerability in VMware Cloud Director was privately reported to VMware. Patches and workarounds are available to remediate or workaround this vulnerability in affected VMware products.” reads the advisory published by VMware. “VMware Cloud Director does not properly handle input leading to a code injection vulnerability.”

CVE-2020-3956 is a code injection issue caused by improper input handling; an attacker can trigger it by sending malicious traffic to Cloud Director, leading to the execution of arbitrary code. The flaw received a score of 8.8 out of 10 on the CVSS v3 vulnerability severity scale.

The flaw can be exploited through the HTML5- and Flex-based UIs, the API Explorer interface, and API access.

“An authenticated actor may be able to send malicious traffic to VMware Cloud Director which may lead to arbitrary remote code execution. This vulnerability can be exploited through the HTML5- and Flex-based UIs, the API Explorer interface and API access.” continues the advisory.

The vulnerability affects VMware Cloud Director versions 10.0.x before 10.0.0.2, 9.7.0.x before 9.7.0.5, 9.5.0.x before 9.5.0.6, and 9.1.0.x before 9.1.0.4.

Experts from Citadelo discovered the issue while conducting a security audit of the cloud infrastructure of an unnamed Fortune 500 enterprise customer.

In a blog post the researchers explained that a single simple form submission can be manipulated to gain control of any Virtual Machine (VM) within VMware Cloud Director.

“Everything started with just a simple anomaly. When we entered ${7*7} as a hostname for the SMTP server in vCloud Director, we received the following error message: String value has an invalid format, value: [49]. It indicated some form of Expression Language injection, as we were able to evaluate simple arithmetic functions on the server-side.”

Experts exploited the issue to access arbitrary Java classes (e.g. “java.io.BufferedReader”) and instantiate them by passing malicious payloads.
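The anomaly described above (an arithmetic expression in a hostname field being evaluated server-side) is the kind of input a strict allow-list validator rejects outright. The following added example, which is not VMware's patch nor Citadelo's proof of concept, validates a hostname setting against RFC 1123 syntax and also scans constructed, key=value formatted request log lines for expression-language probes; the log format and field names are assumptions for this example.

```python
import ipaddress
import re

# Added, illustrative code: a strict allow-list validator for a hostname
# field (such as the SMTP server setting discussed above) plus a simple
# detector for expression-language probes in request logs. This is not
# VMware's fix and not Citadelo's proof of concept.

# RFC 1123 hostname label: 1-63 chars, alphanumerics and hyphens,
# no leading or trailing hyphen.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Substrings that mark template/expression syntax. None of them can
# appear in a legitimate hostname, so any hit is a probe, not a setting.
EL_MARKERS = ("${", "#{", "%{", "{{")


def is_valid_hostname(value: str) -> bool:
    """Return True only for a syntactically valid hostname or IP literal."""
    if not value or len(value) > 253:
        return False
    # Accept bare IPv4/IPv6 literals as-is.
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    labels = value.rstrip(".").split(".")
    return all(_LABEL_RE.match(label) for label in labels)


def looks_like_el_probe(value: str) -> bool:
    """Return True if the value carries expression-language syntax."""
    return any(marker in value for marker in EL_MARKERS)


def validate_smtp_host(value: str) -> str:
    """Allow-list check for a hostname setting; raise on anything else.

    Rejecting on syntax means the value never reaches a component that
    might interpret it as an expression.
    """
    if looks_like_el_probe(value):
        raise ValueError("expression syntax rejected in hostname field")
    if not is_valid_hostname(value):
        raise ValueError("not a valid hostname or IP literal")
    return value


# Constructed sample log lines (not real traffic). The key=value layout
# and field names are an assumption made for this example.
SAMPLE_LOG = """\
ts=2020-06-01T10:00:00Z user=orgadmin@tenant-a path=/admin/smtp param=host value=smtp.example.com
ts=2020-06-01T10:01:12Z user=orgadmin@tenant-a path=/admin/smtp param=host value=${7*7}
ts=2020-06-01T10:02:45Z user=orgadmin@tenant-b path=/admin/smtp param=host value=10.0.0.25
ts=2020-06-01T10:03:02Z user=orgadmin@tenant-b path=/admin/smtp param=host value=#{1+1}
"""

_LINE_RE = re.compile(r"ts=(\S+) user=(\S+) .*? value=(.*)$")


def find_el_probes(log_text: str) -> list:
    """Return (timestamp, user, value) for each log line carrying EL syntax."""
    hits = []
    for line in log_text.splitlines():
        m = _LINE_RE.match(line)
        if m and looks_like_el_probe(m.group(3)):
            hits.append((m.group(1), m.group(2), m.group(3)))
    return hits


if __name__ == "__main__":
    for candidate in ("smtp.example.com", "${7*7}"):
        try:
            print("accepted:", validate_smtp_host(candidate))
        except ValueError as err:
            print("rejected:", candidate, "->", err)
    for ts, user, value in find_el_probes(SAMPLE_LOG):
        print(f"EL probe at {ts} by {user}: {value!r}")
```

A hit from `find_el_probes` on a configuration endpoint is worth an alert on its own, since the page's own example shows that a single such submission was enough to reveal server-side evaluation.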

By triggering the vulnerability, Citadelo experts were able to perform the following actions:

  • View content of the internal system database, including password hashes of any customers allocated to this infrastructure.
  • Modify the system database to steal foreign virtual machines (VM) assigned to different organizations within Cloud Director.
  • Escalate privileges from “Organization Administrator” (normally a customer account) to “System Administrator” with access to all cloud accounts (organizations), since an attacker can change the password hash for this account.
  • Modify the login page to Cloud Director, which allows the attacker to capture passwords of another customer in plaintext, including System Administrator accounts.
  • Read other sensitive data related to customers, like full names, email addresses or IP addresses.

Citadelo privately reported the flaw to VMware on April 1, and the company addressed the issues with the release of versions 9.1.0.4, 9.5.0.6, 9.7.0.5, and 10.0.0.2.

The experts also published proof-of-concept code for the vulnerability.

VMware has also released a workaround to mitigate the risk of exploitation for the flaw.

Pierluigi Paganini

(SecurityAffairs – VMware Cloud Director, cybersecurity)

The post Critical flaw in VMware Cloud Director allows hackers to take over company infrastructure appeared first on Security Affairs.

Researcher Gets $100,000 for Sign in with Apple Zero Day

A security researcher has been awarded $100,000 by Apple after disclosing a critical flaw in the firm’s sign-in process for third-party sites.

Bhavuk Jain discovered the zero-day bug in Sign in with Apple, the Cupertino giant’s supposedly more privacy-centric version of Login with Facebook and Sign in with Google.

The system works in a similar way to OAuth 2.0: users can be authenticated with either a JSON Web Token (JWT), or a code generated by an Apple server which is then used to generate a JWT.

Once the authorization request has been submitted, Apple gives the user the option to share their Apple Email ID with the third-party app they are trying to sign in to, or to hide it.

“If the user decides to hide the Email ID, Apple generates its own user-specific Apple relay Email ID. Depending upon the user selection, after successful authorization, Apple creates a JWT which contains this Email ID which is then used by the third-party app to login a user,” explained Jain.

“I found I could request JWTs for any Email ID from Apple and when the signature of these tokens was verified using Apple’s public key, they showed as valid. This means an attacker could forge a JWT by linking any Email ID to it and gaining access to the victim’s account.”

The repercussions are pretty serious: an attacker could have used this technique to effect a full takeover of user accounts.

Jain warned that, if popular third-party apps such as Dropbox, Spotify and Airbnb didn’t put in place their own authentication security measures, their users may have been exposed by the bug.

“Apple also did an investigation of their logs and determined there was no misuse or account compromise due to this vulnerability,” he explained.

The researcher received the reward after responsibly disclosing the flaw through the Apple Security Bounty Program.

Sodinokibi ransomware operators leak files stolen from Elexon electrical middleman

The REvil/Sodinokibi ransomware operators have leaked the files allegedly stolen from the UK power grid middleman Elexon.

In May, Elexon, a middleman in the UK power grid network, was the victim of a cyber attack in which its systems were infected with the Sodinokibi ransomware.

The incident affected only the internal IT network, including the company’s email server and employee laptops.

“Hackers have targeted a critical part of the UK’s power network, locking staff out of its systems and leaving them unable to send or receive emails.” reads a post published by The Telegraph.

“Elexon – a key player in the energy market between power station operators and firms that supply households and businesses – said in a statement that its internal systems and company laptops had been affected by the cyberattack. It declined to give further details.”

The company manages electricity supply and demand and distributes the power around the network according to the demand.

“We are advising you that today that ELEXON’s internal IT systems have been impacted by a cyber attack. BSC Central Systems and EMR are currently unaffected and working as normal. The attack is to our internal IT systems and ELEXON’s laptops only.” reads a post published by the company on its website. “We are currently working hard to resolve this. However please be aware that at the moment we are unable to send or receive any emails.”

The company took down the email server in response to the attack; according to Elexon, the systems used to manage the UK’s electricity transit were not impacted.

The company published a second message to announce that it had discovered the root cause of the incident and that it was working to restore the internal network and employee laptops. Elexon also added that the BSC Central Systems (and their data) and EMR were not impacted and were continuing to work as normal.

Two weeks later, Sodinokibi operators published 1,280 files allegedly stolen from the company on their leak site. The files include passports of Elexon staff members and an apparent business insurance application form.

Although the company did not reveal details of the attack, experts from security firm Bad Packets reported that Elexon had been running an outdated version of Pulse Secure VPN server; if confirmed, threat actors could have exploited it to access the internal network.

Elexon did not pay the ransom and restored operations from backups; for this reason, the Sodinokibi operators decided to leak the stolen files.

Recently, the Sodinokibi ransomware group claimed to have stolen gigabytes of legal documents from the entertainment law firm Grubman Shire Meiselas & Sacks (GSMLaw), which has dozens of international stars and celebrities among its clients.

The list of clients of the law firm includes famous artists like Chris Brown, Madonna, Lady Gaga, Nicki Minaj, Elton John, Timbaland, Robert de Niro, Usher, and U2.

Sodinokibi is not the only ransomware gang that threatens to publish victims’ data to force them to pay the ransom; other such gangs include DoppelPaymer, Maze, Nefilim, Nemty, RagnarLocker, and NetWalker.

Pierluigi Paganini

(SecurityAffairs – Sodinokibi, cybersecurity)

The post Sodinokibi ransomware operators leak files stolen from Elexon electrical middleman appeared first on Security Affairs.

Contact Tracing: De-mystifying How an App Designed to Track People Can Ensure User Privacy and Security

Many governments around the world recognise that contact tracing plays a very important part in reducing the spread of the deadly disease COVID-19. In this article, we take a look at the conventional method of contact tracing and compare it against how technology helps contact tracing, with its pros and cons. Traditional […]… Read More

The post Contact Tracing: De-mystifying How an App Designed to Track People Can Ensure User Privacy and Security appeared first on The State of Security.

Critical VMware Cloud Director Flaw Lets Hackers Take Over Corporate Servers

Cybersecurity researchers today disclosed details for a new vulnerability in VMware's Cloud Director platform that could potentially allow an attacker to gain access to sensitive information and control private clouds within an entire infrastructure. Tracked as CVE-2020-3956, the code injection flaw stems from an improper input handling that could be abused by an authenticated attacker to

Lean into zero trust to ensure security in times of agility

Bad actors are rapidly mounting phishing campaigns, setting up malicious websites and sending malicious attachments to take full advantage of the pandemic and users’ need for information, their fears and other emotions. More often than not, the goal is the compromise of login credentials. Many organizations grant more trust to users on the intranet versus users on the internet. Employees working from home – while unknowingly browsing potentially malicious websites and clicking on doctored COVID-19 … More

The post Lean into zero trust to ensure security in times of agility appeared first on Help Net Security.

How to successfully operationalize your micro-segmentation solution

Introducing a new security model into your existing infrastructure can be challenging. The task becomes even more daunting when starting with a new host-based or micro-segmentation solution. If you’ve decided on a host-based approach to segmentation, I’d like to share, based on personal experience, some advice and best practices on using this type of solution in your organization.

Discovery

The business case that drove your organization to adopt a host-based segmentation solution will serve as … More

The post How to successfully operationalize your micro-segmentation solution appeared first on Help Net Security.

Got Backups?

Eventually, we all have an accident or get hacked. And when we do, backups are often the only way to recover. Backups are cheap and easy; make sure you are backing up all of your personal information at home (such as family photos) on a regular basis.

Not all IT budgets are being cut, some are increasing

At a high level – and contrary to conventional wisdom – not all IT budgets are being cut. Even with the economic challenges that COVID-19 has posed for businesses, almost 38 percent of enterprises are keeping their IT budgets unchanged (flat) or actually increasing them. Yellowbrick Data received responses from more than 1,000 enterprise IT managers and executives, uncovering their infrastructure priorities during this era of economic uncertainty and disruption. “The survey brought to light some trends … More

The post Not all IT budgets are being cut, some are increasing appeared first on Help Net Security.

Security remains a major concern for enterprise IoT integration

Most companies see strong business drivers to adopt IoT as part of a broader digital transformation process. Improved efficiency and productivity, improved product/service quality, and improved customer retention and experience ranked highest as objectives. Implementation concerns, particularly around security, remain, Syniverse reveals. The study was conducted across 200 enterprise executives in North America and Europe in several key vertical industries already using or in the process of deploying IoT, including financial services, retail, manufacturing, healthcare … More

The post Security remains a major concern for enterprise IoT integration appeared first on Help Net Security.

How businesses are adapting IT strategies to meet the demands of today

Businesses are adapting IT strategies, reprioritizing cloud adoption and automated database monitoring due to the effects of a global lockdown, remote working and a focus on business continuity, according to Redgate. The report, which surveyed nearly 1,000 respondents in April 2020, reveals that while performance monitoring and backups remain the most common responsibilities for database professionals, managing security and user permissions have leapt to third and fourth place, respectively. However, there seems to be … More

The post How businesses are adapting IT strategies to meet the demands of today appeared first on Help Net Security.

Save almost 50% on CISSP training: Offer ends June 15

With the globally recognized (ISC)² CISSP certification, you prove your cybersecurity expertise to the world. Save nearly 50% on CISSP Online Instructor-Led Training when bundled with your exam. Now thru June 15, 2020, you can purchase both for just $1,995. Promotional pricing is $1,296 for the course (normally $2,495!) plus $699 for the certification exam. Use the coupon code EXAMBUNDLECISSP at checkout. The training & exam bundle includes: Online Instructor-Led Training course completed over 8 … More

The post Save almost 50% on CISSP training: Offer ends June 15 appeared first on Help Net Security.

Cybersecurity Must be an Integral Part of any Pandemic Response Plan from Now On

Sometimes the best way to inform ourselves about how cybersecurity is dealing with a new threat, technology, or situation is to just ask. COVID-19, and the resulting lockdowns, quarantines and economic changes certainly counts as a ‘situation’ for cybersecurity. While it would be nice if cybersecurity could temporarily take a backseat while people and organizations […]… Read More

The post Cybersecurity Must be an Integral Part of any Pandemic Response Plan from Now On appeared first on The State of Security.

Zyxel launches USG FLEX series of mid-range firewalls for small- and medium-sized businesses

As remote working becomes the new normal, businesses face the challenge of keeping their business secure while meeting the needs of a more flexible workforce. Zyxel Networks announced USG FLEX, a new series of mid-range firewalls designed for small- and medium-sized businesses (SMBs) to keep up with the workplace mobility, connectivity and security requirements post-pandemic. Zyxel’s new USG FLEX 100, USG FLEX 200 and USG FLEX 500 firewalls feature upgraded hardware and software power that … More

The post Zyxel launches USG FLEX series of mid-range firewalls for small- and medium-sized businesses appeared first on Help Net Security.

Aruba’s AI-powered infrastructure optimizes customers’ reimagined work environments

Aruba, a Hewlett Packard Enterprise company, unveiled a suite of innovative workplace solutions and a new vision for three return to work scenarios – returning to the office and venues, working from home, and ultimately, the office reimagined. With Aruba’s AI-powered, cloud-native networking solutions as their foundation, each scenario provides pragmatic steps organizations can take today to expedite business recovery and implement contact tracing and touchless solutions that enhance the health and wellness of employees … More

The post Aruba’s AI-powered infrastructure optimizes customers’ reimagined work environments appeared first on Help Net Security.

New BitSight capabilities enable more effective third-party cyber risk management

BitSight, the Standard in Security Ratings, announced several new, innovative capabilities within its BitSight for Third-Party Risk Management solution that provide intelligent recommendations, operational guidance, and risk prioritization to enable more effective third-party cyber risk management. The enhanced platform helps organizations achieve greater operational efficiency and measurably reduce risk across their extended business ecosystem. “Third-party ecosystems are expanding rapidly and organizations of all shapes and sizes struggle to create effective risk management programs,” said Dave … More

The post New BitSight capabilities enable more effective third-party cyber risk management appeared first on Help Net Security.

YouAttest’s cloud-based tool automates reporting and auditing services for Okta’s Identity Cloud

YouAttest, an innovator in the Identity Governance & Administration (IGA) market, announced the general availability of YouAttest’s Identity Compliance Solution (ICS), the first cloud-based tool which automates reporting and auditing services for Okta‘s Identity Cloud. YouAttest has joined the Okta Integration Network (OIN) and its ICS products have completed certification with the Okta SSO and security methodology. This solution automates and accelerates verification of security roles and permissions, used by organizations for a wide range … More

The post YouAttest’s cloud-based tool automates reporting and auditing services for Okta’s Identity Cloud appeared first on Help Net Security.

nCipher provides control of customer-managed keys and critical assets in Azure

nCipher Security, an Entrust Datacard company, announces its support for a new key import method (BYOK) for Azure Key Vault, allowing customers to generate and transfer encryption keys to Azure Key Vault using an on-premises or as-a-service nShield HSM, giving them complete control over both their keys and their data security. While cloud service providers follow best practices to protect data, subscribers are still ultimately responsible for the security of their data in the … More

The post nCipher provides control of customer-managed keys and critical assets in Azure appeared first on Help Net Security.

Arc integrates with Akamai, Catchpoint and MuleSoft to enhance its capabilities for enterprise customers

Arc Publishing, the premier content management platform from The Washington Post, announces it has expanded its integration with industry-leading software from Akamai, Catchpoint and MuleSoft, greatly enhancing its capabilities for enterprise customers worldwide to ensure they have access to the best-in-class tools on the market. These additions build on Arc’s advanced integration of Amazon Web Services (AWS) and position the business for continued growth among enterprise brands and media companies. “Operational continuity, ease of use, … More

The post Arc integrates with Akamai, Catchpoint and MuleSoft to enhance its capabilities for enterprise customers appeared first on Help Net Security.

oneM2M welcomes new members to accelerate IoT market development through interoperability

International standards initiative oneM2M announced it has welcomed a range of new members as organizations around the world seek to accelerate the development of the Internet of Things (IoT) market through greater interoperability. A cybersecurity specialist, research institutes, service providers and the Universidad Politécnica de Madrid’s faculty of computer science are among the latest companies to join the organization. The newest additions to oneM2M’s vast membership come from America, Asia, Europe and Russia, demonstrating the … More

The post oneM2M welcomes new members to accelerate IoT market development through interoperability appeared first on Help Net Security.

CirrusHQ secures £400,000 growth investment, appoints Alastair Mills as Chairman

CirrusHQ announced it has secured a £400,000 growth capital investment plus the appointment of Alastair Mills as the company’s new Chairman. CirrusHQ will use the funds to build its presence in the UK, most notably in the education sector where it is the first and only UK Consulting Partner to hold the AWS Education Competency and the Well Architected Framework certification. The company also specialises in public sector and enterprise deployments. CirrusHQ focuses exclusively on … More

The post CirrusHQ secures £400,000 growth investment, appoints Alastair Mills as Chairman appeared first on Help Net Security.

Cygilant appoints Kevin Gannon as new Vice President of Engineering

Cygilant, provider of Cybersecurity-as-a-Service to mid-sized organizations, announced that Kevin Gannon has joined the Cygilant team as the company’s new Vice President of Engineering. Based in the company’s newly opened Belfast office and reporting directly to Cygilant’s CEO, Kevin is responsible for leading the company’s engineering efforts. In this role, Kevin will build out a strong and diverse software engineering center of excellence, drive forward the company’s R&D agenda, and ultimately ensure a high quality … More

The post Cygilant appoints Kevin Gannon as new Vice President of Engineering appeared first on Help Net Security.

Safeguarding Connectivity: The Security Implications of Telecoms

Telecommunications, the exchange of information by electronic means, helps keep the world connected. You can thank modern telecom companies (think AT&T, Verizon, etc.) for that, as they’ve helped form economies and entire business infrastructures. From email and messaging to phone calls and video calls, telecoms have become an intrinsic part of our lives, allowing users to interact no matter where they are, which is important now more than ever.

Because their networks are so extensive, telecoms are a big target for hackers hoping to gain access to their business and wide customer base. Therefore, it’s important both businesses and consumers become aware of the potential threats to telecoms. Let’s take a look.

The Challenges Faced by Telecoms

While advancements in technology help improve many facets of our everyday lives, they have consequently created security challenges for telecoms. Take the internet of things, for example. From virtual assistants to smartphones, IoT devices help us complete tasks more efficiently and live our lives to the fullest while on the go. But as users become more reliant on IoT devices, these gadgets become an equally enticing target for hackers to exploit. Whether it’s gathering personal data from smart devices connected to users’ home networks or accessing corporate data from a remote employee’s laptop, security around IoT is a huge focus for telecoms companies.

AI has also created a huge shift in how businesses operate, and the telecoms industry is no exception. While many telecoms are using AI to improve their security defenses, criminals are also using AI as a means to breach corporate networks – essentially fighting fire with fire.

The Security Risks Impacting Telecoms

Businesses, consumers, government agencies, and even whole countries rely on telecoms companies, so a security attack on one could have serious ramifications. Telecoms companies are finding themselves under fire for two specific types of attacks – one that aims to gain access to their organization, network operations, and data, and another that indirectly targets the company’s subscribers. But what exactly do the repercussions of these attacks entail?

While the former could lead to a loss of valuable company information and reputational damage, the latter could lead to a variety of harms. Say a hacker was somehow able to bypass a telecoms company’s security system through an advanced attack and gain access to its customer database – they could then indirectly exploit customers’ mobile devices. Since many users autosave private information like online account credentials and credit card details for mobile shopping, a hacker could consequently use this information to conduct credit card fraud or identity theft.

Adding to that, some malware strains have been tailored to attack telecoms. According to ZDNet, Trickbot malware has been updated with a module that uses brute force attacks against a handful of specific targets – one of them being telecoms. The malware pre-selects targets based on IP addresses, indicating that the attackers are going after them specifically. Once Trickbot gains access, the criminals behind the attack can move around the network to steal credentials, sensitive information, and more.

How Telecom Security Can Be Improved

As the gatekeepers for vast amounts of information traveling through their networks, telecoms must prioritize the security of their infrastructures by staying up to date on the rapidly evolving security landscape. However, the responsibility for security falls on both the service provider and the consumer. So, what can you do to protect yourself from telecom-related threats? Start by following these tips:

Use a virtual private network (VPN)

Use a VPN, which allows you to send and receive data across a public network as if it were a private network. A VPN encrypts – or scrambles – your information so others can’t read it, helping to safeguard your data.

Monitor your online accounts

Use ID monitoring tools to be aware of changes or actions that you did not make. These may have been caused by malware and could indicate that your phone or account has been compromised.

Update your software

Developers are always actively working to identify and address security issues. Frequently update your device’s operating systems and apps so that they have the latest fixes and security protections.

Defend your devices with security software

Comprehensive security software across all devices continues to be a strong defensive measure to protect your data and privacy from online threats.

Stay Updated

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Safeguarding Connectivity: The Security Implications of Telecoms appeared first on McAfee Blogs.

Malwarebytes hires Dariusz Paczuski as senior vice president of marketing

Malwarebytes announced that it has hired Dariusz Paczuski as senior vice president of marketing, to help scale the company’s consumer and enterprise businesses. Paczuski joins Malwarebytes from Verizon Media where he served as vice president of consumer growth marketing, leading global brand, creative, product, and performance marketing for their $7.5B advertising, media, commerce, and subscription businesses – serving nearly 900 million people around the world. “Malwarebytes is at an exciting stage where marketing will help … More

The post Malwarebytes hires Dariusz Paczuski as senior vice president of marketing appeared first on Help Net Security.

Inside Job at Clinics: Mobile Phone Used for Fraud

Worker Sentenced in Case Involving Theft of Patient Data
A former administrative employee of a medical marijuana clinic and several other clinics was recently sentenced to serve time in federal prison after pleading guilty to identity theft and wire fraud. The case illustrates the potential risks posed by employees inappropriately using personal devices.

Researcher Discloses ‘Sign in with Apple’ Zero-Day Flaw

Bug Bounty Hunter Reveals Critical Issue Affecting Third-Party Applications
An independent security researcher disclosed a zero-day vulnerability contained in the "Sign in with Apple" feature that, if exploited, could have resulted in a full account takeover. The vulnerability has been patched, and Apple says it found no account misuse tied to it.

Umbrella with SecureX built-in: Coordinated Protection

This blog was written by David Gormley, Cloud Security Product Marketing Manager at Cisco.

Cybercriminals have been refining their strategies and tactics for over twenty years and attacks have been getting more sophisticated. A successful cyberattack often involves a multi-step, coordinated effort. Research on successful breaches shows that hackers are very thorough with the information they collect and the comprehensive plans they execute to understand the environment, gain access, infect, move laterally, escalate privileges and steal data.

An attack typically includes at least some of the following steps:

  • reconnaissance activities to find attractive targets
  • scanning for weaknesses that present a good entry point
  • stealing credentials
  • gaining access and privileges within the environment
  • accessing and exfiltrating data
  • hiding past actions and ongoing presence

This whole process is sometimes called the “attack lifecycle” or “kill chain”, and a successful attack requires a coordinated effort throughout the process. The steps above involve many different elements across the IT infrastructure, including email, networks, authentication, endpoints, SaaS instances, multiple databases and applications. The attacker has the ability to plan in advance and use multiple tactics along the way to get to the next step.

Security teams have been busy over the past couple of decades as well. They have been building a robust security practice consisting of tools and processes to track activities, provide alerts and help with the investigation of incidents. This environment was built over time and new tools were added as different attack methods were developed. However, at the same time, the number of users, applications, infrastructure types, and devices has increased in quantity and diversity. Networks have become decentralized as more applications and data have moved to the cloud. In most instances, the security environment now includes over 25 separate tools spanning on-prem and cloud deployments. Under these conditions, it’s difficult to coordinate all of the activities necessary to block threats and quickly identify and stop active attacks.

As a consequence, organizations are struggling to get the visibility they need across their IT environment and to maintain their expected level of effectiveness. They are spending too much time integrating separate products and trying to share data and not enough time quickly responding to business, infrastructure, and attacker changes.  The time has come for a more coordinated security approach that reduces the number of separate security tools and simplifies the process of protecting a modern IT environment.

Cisco Umbrella with SecureX can make your security processes more efficient by blocking more threats early in the attack process and simplifying the investigation and remediation steps. Umbrella handles over 200 billion internet requests per day and uses fine-tuned models to detect and block millions of threats. This “first-layer” of defense is critical because it minimizes the volume of malicious activity that makes its way deeper into your environment.  By doing this, Umbrella reduces the stress on your downstream security tools and your scarce security talent.  Umbrella includes DNS Security, a secure web gateway, cloud-delivered firewall, and cloud access security broker (CASB) functionality. But no one solution is going to stop all threats or provide the quickly adapting environment described above. You need to aggregate data from multiple security resources to get a coordinated view of what’s going on in your environment but can’t sink all your operating expenses into simply establishing and maintaining the integrations themselves.

That’s where Cisco SecureX comes in. Cisco SecureX connects the breadth of Cisco’s integrated security portfolio – including Umbrella – and your other security tools for a consistent experience that unifies visibility, enables automation, and strengthens your security across network, endpoints, cloud, and applications. Let’s explore some of the capabilities of SecureX, the Cisco security platform, and discuss what they mean in the context of strengthening breach defense.

  • Visibility: Our SecureX platform provides visibility with one consolidated view of your entire security environment. The SecureX dashboard can be customized to view operational metrics alongside your threat activity feed and the latest threat intelligence. This allows you to save time that was otherwise spent switching consoles. With the Secure threat response feature, you can accelerate threat investigation and take corrective action in under two clicks.
  • Automation: You can increase the efficiency and precision of your existing security workflows via automation to advance your security maturity and stay ahead of an ever-changing threat landscape. SecureX pre-built, customizable playbooks enable you to automate workflows for phishing and threat hunting use cases. SecureX automation allows you to build your own workflows, including collaboration and approval workflow elements, to more effectively operate as a team. It enables your teams to share context between SecOps, ITOps, and NetOps to harmonize security policies and drive stronger outcomes.
  • Integration: With SecureX, you can advance your security maturity by connecting your existing security infrastructure via out-of-the-box interoperability with third party solutions. In addition to the solution-level integrations we’ve already made available, new, broad, platform-level integrations have also been and continue to be developed. In short, you’re getting more functionality out of the box so that you can multiply your use cases and realize stronger outcomes.

Pre-built playbooks focus on common security use cases, and you can easily build your own using an intuitive, drag-and-drop interface. One example of the coordination between Umbrella and SecureX is in the area of phishing protection and investigation. Umbrella provides protection against a wide range of phishing attacks by blocking connections to known bad domains and URLs. SecureX extends this protection with a phishing investigation workflow that allows your users to forward suspicious email messages from their inbox. In addition, a dedicated inspection mailbox starts an automated investigation and enrichment process. This includes data from multiple solutions including Umbrella, email security, endpoint protection, threat response and malware analysis tools. Suspicious email messages are scraped for various artifacts and inspected in the Threat Grid sandbox. If malicious artifacts are identified, a coordinated response action, including approvals, is carried out automatically, in alignment with your regular operations process.

The SecureX platform is included with Cisco security solutions to advance the value of your investment. It connects Cisco’s integrated security portfolio, your other security tools and existing security infrastructure with out-of-the-box interoperability for a consistent experience that unifies visibility, enables automation, and strengthens your security across network, endpoints, cloud, and applications.

Sign up to the SecureX waitlist so you can be first to receive sign-on instructions when it becomes generally available later in June at Cisco.com/go/SecureX 

The post Umbrella with SecureX built-in: Coordinated Protection appeared first on Cisco Blogs.

Cyber Security Roundup for June 2020

A roundup of UK focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, May 2020.

EasyJet's disclosure of a "highly sophisticated cyber-attack", which occurred in January 2020 and impacted 9 million of its customers, was the biggest cybersecurity story of May 2020 in the UK. No details about this 'cyber-attack' were disclosed, other than that 2,208 customers had their credit card details accessed.

Using terms like "highly sophisticated" without providing any actual details of the cyberattack makes one think back to when TalkTalk CEO Dido Harding described a cyber-attack as a "significant and sustained cyber-attack" in 2015. In TalkTalk's case, that cyber attack turned out to be a bunch of teenage kids taking advantage of a then 10-year-old SQL injection vulnerability. City A.M. described Dido's responses as "naive", noting that when asked if the affected customer data was encrypted or not, she replied: "The awful truth is that I don’t know". Today Dido is responsible for the UK government's Track, Test and Trace application, which no doubt will ring privacy alarm bells with some.

Back to the EasyJet breach: all we know is that the ICO and the NCSC are supporting the UK budget airline. EasyJet said: "We take issues of security extremely seriously and continue to invest to further enhance our security environment. There is no evidence that any personal information of any nature has been misused, however, on the recommendation of the ICO, we are communicating with the approximately nine million customers whose travel details were accessed to advise them of protective steps to minimise any risk of potential phishing. We are advising customers to be cautious of any communications purporting to come from EasyJet or EasyJet Holidays."

It will be interesting to see the DPA enforcement line the Information Commissioner's Office (ICO) adopts with EasyJet, especially considering the current COVID-19 impact on the UK aviation industry. Some security commentators have called the ICO a "Toothless Tiger" with regard to its supportive response, an ICO label I've not heard since long before the GDPR came into force. But the GDPR still has a sting in its tail beyond ICO enforcement action in the UK, in that individuals impacted by personal data breaches can undertake a class-action lawsuit. So it can be no real surprise that law firm PGMBM announced it has issued a class-action claim in the High Court of London, with a potential liability of an eye-watering £18 billion. If successful, each customer impacted by the breach could receive a payout of £2,000.

The 2020 Verizon Data Breach Investigations Report (DBIR) was released, the most valuable annual report in the cybersecurity industry in my humble opinion. The 2020 DBIR used data compiled before the COVID-19 pandemic. The report analyses 32,002 security incidents and 3,950 confirmed breaches from 81 global contributors from 81 countries.
  • 86% of data breaches were for financial gain, up from 71% in 2019
  • 43% involved web applications (cloud-based); these attacks have doubled, reflecting the growth in the use of cloud-based services
  • 67% of data breaches resulted from credential theft, human error or social attacks
  • Clearly identified cyber-breach pathways enable a “Defender Advantage” in the fight against cyber-crime
  • Ongoing patching is succeeding: fewer than 1 in 20 breaches exploit vulnerabilities
The vast majority of breaches continue to be caused by external actors:
  • 70% were caused by external actors, with organised crime accounting for 55% of these
  • Credential theft and social attacks such as phishing and business email compromise cause the majority of breaches (over 67%), specifically:
    • 37% of credential theft breaches used stolen or weak credentials
    • 25% involved phishing
    • Human error accounted for 22%
The 2020 DBIR highlighted a two-fold increase in web application breaches, to 43%, and stolen credentials were used in over 80% of these cases. Ransomware saw a slight increase, being found in 27% of malware incidents compared to 24% in the 2019 DBIR, with 18% of organisations reporting that they blocked at least one piece of ransomware last year.

REvil (aka Sodinokibi) hackers are said to have stolen celebrity data from the law firm Grubman Shire Meiselas & Sacks. Some 756 gigabytes of personal data, emails, and contract details were taken, covering clients including Lady Gaga, Madonna, Elton John, Barbra Streisand, Bruce Springsteen and Mariah Carey, to name a few.

Pitney Bowes was hit with ransomware for the second time in 7 months. Pitney Bowes said attackers breached company systems and accessed “a limited set of corporate file shares” that “contained information used by our business teams and functional groups to conduct business-related activities.” News reports state the Maze ransomware group is behind the attack, threatening to post confidential data if Pitney Bowes does not pay up.

Amazon's UK website was defaced with racist abuse, which appeared on multiple listings on its UK website. Amazon has not disclosed how long the racist language remained on the site, but it sparked outrage on Twitter. Amazon said: "We investigated, removed the images in question and took action against the bad actor".

LogMeOnce, a password identity management suite provider, has published a detailed interview with myself titled 'Passwords are and have always been an Achilles Heel in CyberSecurity'. In the Q&A I talk about Passwords Security (obviously), Threat Actors, IoT Security, Multi-Factor Authentication (MFA), Anti-Virus, Biometrics, AI, Privacy, and a bit on how I got into a career in Cybersecurity.

    Bell prepares for year-end spectrum auction by selling 25 data centres to Equinix

    Bell Canada Enterprises (BCE) sold 25 data centres held in 13 data centre sites for CA$1.04 billion to U.S. data centre company Equinix. The transaction ranks Bell Business Markets as the first Equinix Platinum Partner in Canada, and it also means that Bell enterprise customers will gain access to Equinix’s global integrated network and cloud…

    Major Upgrade for Channel Island’s Telecom Network

    Guernsey is to benefit from a major performance upgrade and security enhancement to its telecom network.

    British technology and network services company Telent Technology Services Ltd. (telent) has been awarded a contract by Sure to upgrade the service provider’s core network.

    Under the contract, Telent will replace Sure’s existing 10G core network with a 100G Juniper Networks core network. The upgrade is being undertaken to allow Sure to deliver faster, more reliable internet connectivity to its consumer and business customers across the island as increasing bandwidth usage and data consumption create what Telent described as "unprecedented demand."

    “Growing data consumption means demand for higher network capacity and speed is growing and service providers must ensure they are delivering on that,” said Shani Latif, sales director at Telent. 

    “This upgrade for Sure will incorporate the latest technologies to ensure a future-proof network, while our experience and knowledge of the service provider market will minimize customer disruption and ensure work is completed efficiently.”

    Once complete, the move to 100G will produce benefits to folks beyond the island's sandy beaches and picturesque bays. As a core network, it will also deliver increased capacity to London and Paris, connecting the Channel Islands to the rest of the world.

    The upgrade will provide extra capacity for growth, future-proofing the network as growing and new technologies, including Fiber-to-the-Home (FTTH) and 5G, are rolled out commercially. 

    Mindful of the need for cybersecurity, Telent will implement a joint Juniper-Corero Distributed Denial of Service (DDoS) solution to provide real-time, automated DDoS protection.

    Sure Group CEO Ian Kelly said that ensuring people can stay connected is more important than ever as the COVID-19 health crisis limps on. 

    “The current situation is a clear reminder that telecoms are a key and growing component of our economy and daily lives,” said Kelly. 

    “This network upgrade is a significant long-term investment to ensure we can continue to meet customer expectations now and in the future. We are pleased to be working with Telent which has a long history and strong reputation in the design, upgrade, build and maintenance of critical networks.”

    Work on the project has already started and is expected to be completed by early 2021.

    Minneapolis City and Police Websites Attacked

    Police and city websites in Minneapolis have come under cyber-attack as both lawful protests and illegal rioting continue across America. 

    The nationwide social upheaval was triggered by the death of Houston native George Floyd in the city a week ago. Floyd died after 44-year-old police officer Derek Chauvin arrested him and kneeled on his neck for nearly nine minutes despite the handcuffed man's pleas that he could not breathe.

    Floyd, who had recently lost his job due to the COVID-19 pandemic, was arrested after allegedly using forged money to pay a bill at a grocery store. 

    Following Floyd's tragic death, filmed by bystanders who sadly let the chance to intervene slip through their fingers, Chauvin was fired from his job. The former cop was arrested and charged with third-degree murder and second-degree manslaughter on May 29.

    Chauvin's arrest has not put an end to the peaceful protests inspired by the police officer's failure to uphold a sworn promise to protect and serve the public. Nor has it doused the outbreaks of looting and vandalism that have seen American businesses, churches, and educational establishments raided, torched, and destroyed.  

    Some of the city of Minneapolis' public websites and systems were hit by a cyber-attack on Thursday morning. A city spokesperson told The Hill that a denial of service (DoS) attack had resulted in the temporary shutdown of some websites and systems. 

    Within hours of the incident, 95% of affected systems and sites were back up and running. It is not known whether the attack was specifically linked to the protests over Floyd's death or simply timed to exploit a city in turmoil. 

    “Although these types of attacks are not completely unavoidable, they are fairly common, and the City of Minneapolis has proactive measures in place to respond to and mitigate disruptions when they do occur,” the spokesperson said. 

    “The City of Minneapolis IT continues to monitor its cyber platforms to ensure further disruption doesn't happen again.”

    A DoS attack was also levied at the state level. In a news briefing delivered yesterday, Minnesota governor Tim Walz said Minnesota's computers were assaulted on Saturday night.

    "Before our operation kicked off last night, a very sophisticated denial of service attack on all state computers was executed," said Walz.

    The Advanced Protection Program comes to Google Nest

    The Advanced Protection Program is our strongest level of Google Account security for people at high risk of targeted online attacks, such as journalists, activists, business leaders, and people working on elections. Anyone can sign up to automatically receive extra safeguards against phishing, malware, and fraudulent access to their data.

    Since we launched, one of our goals has been to bring Advanced Protection’s features to other Google products. Over the years, we’ve incorporated many of them into GSuite, Google Cloud Platform, Chrome, and most recently, Android. We want as many users as possible to benefit from the additional levels of security that the Program provides.

    Today we’re announcing one of the top requests we’ve received: to bring the Advanced Protection Program to Nest.  Now people can seamlessly use their Google Accounts with both Advanced Protection and Google Nest devices -- previously, a user could use their Google Account on only one of these at a time.

    Feeling safe at home has never been more important and Nest has announced a variety of new security features this year, including using reCAPTCHA Enterprise, to significantly lower the likelihood of automated attacks. Today’s improvement adds yet another layer of protection for people with Nest devices.

    For more information about using Advanced Protection with Google Nest devices, check out this article in our help center.

    Payment App Data Breach Exposes Millions of Indians’ Data

    A major data breach at mobile payment app Bharat Interface for Money (BHIM) has exposed the personal and financial data of millions of Indians.

    The breach occurred after BHIM failed to securely store vast swathes of data collected from users and businesses during a sign-up campaign.

    On April 23, researchers at vpnMentor made the alarming discovery that all the data related to the campaign was publicly accessible after being stored in a misconfigured Amazon Web Services S3 bucket.

    "The scale of the exposed data is extraordinary, affecting millions of people all over India and exposing them to potentially devastating fraud, theft, and attack from hackers and cybercriminals," wrote researchers.  

    Data exposed in the breach included scans of Aadhaar cards (India’s national ID cards), Caste certificates, professional and educational certificates, photos used as proof of residence, Permanent Account Number (PAN) cards associated with Indian income tax services, and screenshots captured within financial and banking apps as proof of fund transfers—all documents needed to open a BHIM account.

    Private personal user data contained within these documents included names, dates of birth, age, gender, home address, Caste status, religion, biometric details, fingerprint scans, ID photos, and ID numbers for government programs and social security services.

    Over 7 million records dating from February 2019 were exposed, some of which belonged to people aged under 18 years old.

    After investigating the breach, vpnMentor's team found 409 GB of data stored insecurely by BHIM, which operates via the website www.cscbhim.in. Researchers traced the bucket back to BHIM as it was labeled “csc-bhim.”

    Researchers informed BHIM of their discovery but did not receive a response, so they contacted India’s Computer Emergency Response Team (CERT-In). 

    "Many weeks later, we contacted CERT-In a second time," wrote researchers. "Shortly thereafter, the breach was closed."

    The Indian mobile payment app was launched in 2016 to facilitate instant e-payments and money transfers between bank accounts via a user's smartphone. By 2020, the popular app had been downloaded 136 million times, according to non-profit business consortium, the National Payments Corporation of India (NPCI).

    Big GDPR Fines in UK and Ireland: What’s the Holdup?

    Both Countries Have Each Issued Only a Single, Finalized Fine Under EU's Privacy Law
    The EU's General Data Protection Regulation was meant to finally bring in line organizations that didn't treat Europeans' personal data with respect. But two years after the regulation went into full effect, why have both the U.K. and Ireland each issued only one final GDPR fine to date?

    Defending our DoD Customers at Home

    Working from home

    When the COVID-19 pandemic began, I heard that many of our Defense customers would be working from home and immediately thought, “We have to help them do this securely.” Very quickly, however, another issue arose: How were some of them going to do it at all, as they were not set up to enable such an unparalleled transition to remote work environments?

    While DoD had virtual private networks (VPNs) in place, some services needed 10 times the number of available seats on those VPNs. We immediately went to work assisting them in managing these massive needs while maintaining security at the same time. Since then, we’ve continued to support our customers in whatever ways they’ve needed, so they can accomplish their mission with a secure, remote workforce.

    One way we’ve helped customers maintain their security is through an existing contract with DISA for DoD. Under the terms of this contract, McAfee enterprise software is installed on every managed endpoint across the DoD, and DoD employees have access to McAfee Total Protection software for their home use personal devices. Active DoD employees have access to a one-year subscription to McAfee Internet Security for PCs and Macs, preventing malicious attacks and keeping users safe while surfing and downloading files online.

    Not surprisingly, the Home Use Program has been very popular with subscribers in the past couple of months. Given the COVID-19 pandemic, we quickly decided to go beyond our contract requirements and extend the Home Use Program to DoD contractors as well. The Department relies on a talented group of private contractors who sit alongside public sector employees and often perform the same jobs. It made sense to offer them the same at-home protections at no charge, and so we did.

    At McAfee we’ve been offering advice and assistance since day one of the pandemic. We’ve published several pieces containing advice for working remotely and staying safe, such as: “Working From Home? 5 Tips to Stay Secure,” “Staying Safe While Working Remotely,” and “Scams Facing Consumers in the New Digital WFH Landscape“.

    We’re constantly looking for new ways to help our customers adjust to the changes we’ve all had to make over the last few months – changes that will likely influence how we work and serve those who depend on us long into the future. We’re determined to do whatever we can to assist in these transitions and to ensure that security is a central part of them.

    For more information on the McAfee/DISA home use program, please see the DISA Antivirus for Home Use website: https://www.disa.mil/Cybersecurity/Network-Defense/Antivirus/Home-Use.

    The post Defending our DoD Customers at Home appeared first on McAfee Blogs.

    VMware addresses Fusion flaw introduced in the attempt to fix CVE-2020-3950 issue

    VMware has released an update to address a privilege escalation flaw in the macOS version of VMware Fusion that was introduced by a previous patch.

    In March, VMware patched a high-severity privilege escalation vulnerability (CVE-2020-3950) in Fusion, Remote Console (VMRC) and Horizon Client for Mac.

    CVE-2020-3950 is a privilege escalation vulnerability caused by the improper use of setuid binaries; it could be exploited by attackers to escalate privileges to root.

    The flaw was reported by Jeffball of GRIMM and Rich Mirch. VMware assigned it a CVSSv3 base score of 7.3 and rated it as Important severity. The issue impacts the Fusion (11.x before 11.5.2), Remote Console for Mac (11.x and prior before 11.0.1) and Horizon Client for Mac (5.x and prior before 5.4.0) macOS apps.

    Mirch and Jeffball immediately noted that the patch issued by VMware was incomplete. VMware confirmed it a few days later and released a new patch at the end of March. Unfortunately, the new fix introduced a new security issue.

    The vulnerability introduced by the second patch, tracked as CVE-2020-3957, is a time-of-check time-of-use (TOCTOU) issue that could allow attackers with low permissions to execute arbitrary code with root privileges.

    Last week, the company released version 11.5.5, but the fixes for VMRC and Horizon Client for Mac are yet to be approved.

    Pierluigi Paganini

    (SecurityAffairs – Fusion, cybersecurity)

    The post VMware addresses Fusion flaw introduced in the attempt to fix CVE-2020-3950 issue appeared first on Security Affairs.

    Webcast: Linux Command-Line Dojo II — Return Of The Sensei

    Last month’s Linux webcast with Hal was a rousing success! He actually broke the record for the most live attendees on a Black Hills webcast. So, of course, we asked him to come back. The crowd in the Command Line Dojo was so large that some of the questions got lost in the shuffle. Sensei […]

    The post Webcast: Linux Command-Line Dojo II — Return Of The Sensei appeared first on Black Hills Information Security.

    How to Create a Culture of Kick-Ass DevSecOps Engineers

    Much like technology itself, the tools, techniques, and optimum processes for developing code evolve quickly. We humans have an insatiable need for more software, more features, more functionality… and we want it faster than ever before, more qualitative, and on top of that: Secure. With an estimated 68% of organizations experiencing zero-day attacks from undisclosed/unknown vulnerabilities

    Joomla Resources Directory (JRD) Portal Suffers Data Breach

    Joomla, one of the most popular Open-source content management systems (CMS), last week announced a new data breach impacting 2,700 users who have an account with its resources directory (JRD) website, i.e., resources.joomla.org. The breach exposed affected users' personal information, such as full names, business addresses, email addresses, phone numbers, and encrypted passwords. The

    Passenger Railroad Service Says Data Breach Might Have Affected PII

    A passenger railroad service announced that a data breach might have affected some passengers’ personally identifiable information (PII). In a “Notice of Data Breach” letter sent to the Attorney General’s Office of Vermont, Amtrak revealed that it had discovered the data breach on April 16 2020. Amtrak looked into the matter and discovered that an […]… Read More

    The post Passenger Railroad Service Says Data Breach Might Have Affected PII appeared first on The State of Security.

    Password Changing After a Breach

    This study shows that most people don't change their passwords after a breach, and if they do they change it to a weaker password.

    Abstract: To protect against misuse of passwords compromised in a breach, consumers should promptly change affected passwords and any similar passwords on other accounts. Ideally, affected companies should strongly encourage this behavior and have mechanisms in place to mitigate harm. In order to make recommendations to companies about how to help their users perform these and other security-enhancing actions after breaches, we must first have some understanding of the current effectiveness of companies' post-breach practices. To study the effectiveness of password-related breach notifications and practices enforced after a breach, we examine -- based on real-world password data from 249 participants -- whether and how constructively participants changed their passwords after a breach announcement.

    Of the 249 participants, 63 had accounts on breached domains; only 33% of the 63 changed their passwords and only 13% (of 63) did so within three months of the announcement. New passwords were on average 1.3× stronger than old passwords (when comparing log10-transformed strength), though most were weaker or of equal strength. Concerningly, new passwords were overall more similar to participants' other passwords, and participants rarely changed passwords on other sites even when these were the same or similar to their password on the breached domain. Our results highlight the need for more rigorous password-changing requirements following a breach and more effective breach notifications that deliver comprehensive advice.

    News article.

    Aussie Football Site Leaks 70 Million Records

    An Australian football fan site has been found leaking 70 million records, including users’ personal details and racist private messages, via an unprotected Elasticsearch instance.

    The 132GB leak was discovered by SafetyDetectives researchers led by Anurag Sen and is linked to BigFooty.com, a website and mobile app dedicated to Aussie Rules Football, which has around 100,000 members.

    Although the information found in the leak wasn’t always personally identifiable as users are mainly anonymous, some of the private messages seen by the researchers contained email addresses, mobile phone numbers and usernames and passwords for the site and live streams.

    If discovered by cyber-criminals probing for misconfigured databases, the latter may have been useful for credential stuffing attacks on other sites.

    Some user messages featured in the leak contained personal threats and racist content, which could be used by hackers to blackmail the individuals, SafetyDetectives argued.

    “Private messages are fully exposed in the leak and can be traced back to specific users. This includes some high-profile users such as Australian police officers and government employees,” it said.

    “Private information belonging to such individuals, including chat transcripts and email addresses, were found on the database which thereby creates a significant vulnerability in terms of potential blackmail and other reputational damage that could be caused.”

    Technical data relating to the site including IP addresses, access logs, server and OS information and GPS data were also leaked, potentially allowing hackers to compromise other parts of the IT infrastructure, the firm added.

    Although BigFooty didn’t respond to outreach from Sen and his team, the leak was closed shortly after they contacted government agency the Australian Cyber Security Center.

    Over the past few months, SafetyDetectives has discovered similar accidental leaks at two popular money-saving websites and, perhaps most alarmingly, an adult live streaming site.

    Facebook to verify identities on accounts that churn out viral posts

    Hopefully it's a COVID-19 version of what it did post-2016 elections, when it required verification of those buying political or issue ads.

    The team behind the Joomla CMS discloses a data breach

    Maintainers at the Joomla open-source content management system (CMS) announced a security breach that took place last week.

    Last week a member of the Joomla Resources Directory (JRD) team left an unencrypted full backup of the JRD site (resources.joomla.org) on an unsecured Amazon Web Services S3 bucket operated by the company.

    The company did not reveal whether third parties found and accessed the S3 bucket.

    “JRD full site backups (unencrypted) were stored in a third-party company Amazon Web Services S3 bucket. The third-party company is owned by a former Team Leader, still Member of the JRD team at the time of the breach.” reads the data breach notification. “Known to the current Team Leader at the time of the breach. (https://volunteers.joomla.org/teams/resource-directory-team) Each backup copy included a full copy of the website, including all the data.”

The backup contained details for approximately 2,700 users who registered and created profiles on the JRD website.

    The Joomla Resources Directory portal allows professionals and developers to advertise their services.

The Joomla team is still investigating the incident. It is currently unclear whether anyone found and downloaded the data from the third-party company’s S3 bucket.

    The Joomla team also carried out a full security audit of the portal.

    “The audit also highlighted the presence of Super User accounts owned by individuals outside Open Source Matters,” continues the notification.

Data contained in the backup includes:

    • Full name
    • Business address
    • Business email address
    • Business phone number
    • Company URL
    • Nature of business
    • Encrypted password (hashed)
    • IP address
    • Newsletter subscription preferences

The data breach notification states that most of the data was already public, since the JRD is a public directory, but private data (unpublished and unapproved listings, tickets) was also exposed in the breach.

The Joomla team is urging JRD users to change their password on the JRD portal and on any other site where they reuse the same login credentials.

    “Even if we don’t have any evidence about data access, we highly recommend people who have an account on the Joomla Resources Directory and use the same password (or combination of email address and password) on other services to immediately change their password for security reasons.” concludes the notification.

    Pierluigi Paganini

    (SecurityAffairs – data breach, hacking)

    The post The team behind the Joomla CMS discloses a data breach appeared first on Security Affairs.

    New propagation module makes Trickbot more stealthy

Trickbot infections of Domain Controller (DC) servers have become more difficult to detect due to a new propagation module that makes the malware run from memory, Palo Alto Networks researchers have found. That also means that the malware infection can’t survive a shutdown or reboot of the system, but the stealth vs persistence tradeoff is likely to work in the attackers’ favor since servers are rarely shut down or rebooted. Trickbot’s evolution Trickbot started as … More

    The post New propagation module makes Trickbot more stealthy appeared first on Help Net Security.

    Trump Plans to Ban Chinese Students with Military Ties

    The Trump administration is reportedly accelerating plans to ban Chinese students with military ties from attending university in the US, as Beijing prepares its own national security law for Hong Kong.

    American officials with knowledge of the discussions at the top of government told the New York Times that the long-mooted plan would involve cancelling student visas for Chinese students who took their undergraduate courses at military-affiliated institutions back home.

    The fear is that many of these individuals may be actively selected by the Chinese government, and required to collect information from the research projects they end up working on. There’s a double threat from those same graduates then landing jobs at high-profile US tech companies and continuing their espionage activities.

    It’s unclear how widespread the practice actually is, and students engaged in wrongdoing would certainly try to hide their affiliation.

    Back in January, the Department of Justice (DoJ) indicted a People’s Liberation Army lieutenant who lied about her background and secured a position studying at Boston University’s (BU) Department of Physics, Chemistry and Biomedical Engineering from October 2017 to April 2019. There, she allegedly stole info for military research projects and profiled US scientists for her bosses.

    Estimates suggest only around 3000 individuals would be affected by the mooted plans out of a potential 360,000 Chinese students in the US, although if they are formally announced it would come at a significant juncture.

    Washington is currently mulling how to respond to Beijing’s newly announced plans to force a national security law on Hong Kong, which would allow China’s fearsome secret police to be stationed in the supposedly semi-autonomous region.

    Rebecca Bernhard, partner at international law firm Dorsey & Whitney, explained that the US plans only affect those on F and J visas, although more may be caught up in trying to prove themselves innocent.

    “Due to the scrutiny to determine which students will be suspended from entry, all students and scholars will face a lot of questions and the burden will likely be on the students and scholars to document that their research program is not subject to the bar – it appears the presumption is that the bar applies and the student or scholar will need to document that it does not,” she argued. 

    “Unfortunately, this suggests to me that there will be even more delays at US consulates when they finally re-open for all Chinese graduate students and scholars in engineering."

    Analysing the (Alleged) Minneapolis Police Department “Hack”

    The situation in Minneapolis at the moment (and many other places in the US) following George Floyd's death is, I think it's fair to say, extremely volatile. I wouldn't even know where to begin commentary on that, but what I do have a voice on is data breaches which prompted me to tweet this out earlier today:

    I was CC'd into a bunch of threads that were redistributing the alleged email addresses and passwords, most of them referring to a data breach (or "leak") of some kind allegedly perpetrated by "Anonymous". I've now seen several versions of the same set of email addresses and passwords albeit with different attribution up the top of the file. This is one of the more popular ones that links a hack of the MPD website to leaked credentials:

    I've got a lot of "allegedly" and air quotes throughout this post because a lot of it is hard to substantiate, but certainly there's a lot of this sort of thing spreading online at the moment:

Just to be clear: there's not necessarily a direct link between whoever put the video above together and the data now doing the rounds, and attribution is tricky once you get a bunch of different people under different accounts and pseudonyms all flying the "Anonymous" banner. What I'm interested in is whether the data I referred to earlier is actually from the MPD or, as I speculated, from elsewhere:

So let's dig into it. There are 798 email addresses in the data set but only 689 unique ones. 87 of the email addresses appear multiple times, usually twice, but one of them 7 times over. I'll come back to the passwords associated with that account in a moment; what I will say for now is that it's extremely unusual to see the same email address with multiple different passwords in a legitimate data breach, as most systems simply won't let an address register more than once.

    Of the 689 unique email addresses, 654 of them are already in Have I Been Pwned. That's a hit rate of 95% which is massively higher than any all-new legitimate breach. If you have a browse through the HIBP Twitter account, you'll see the percentage of previously breached accounts next to each tweet and it's typically in the 60% to 80% range for services based in the US (lower rates for areas of the world that are underrepresented in HIBP, for example Indonesia and Japan).

    Next up is the distribution of addresses across breaches and I'll share a couple of snippets from one of the tools I use to help attribute data such as this:

    HIBP presently has a ratio of just over 2 breaches per email address in the system. However, what we're seeing here is a very high prevalence of each address appearing not just in 2 breaches, but in an average of 5.5 breaches. In other words, these accounts are breached way more than usual. When we look at which incidents they've been breached in, they're very heavily weighted towards data aggregators, with a couple of notable exceptions:

The People Data Labs breach is in the top spot and it's presently the 4th largest breach in HIBP. Verifications.io is the second largest and Anti Public the 6th largest. The conclusion I draw from this is that a huge amount of the data is coming from aggregated lists known to be in broad circulation. LinkedIn is a bit of an outlier here because whilst the data is in very broad circulation, it's not an aggregation of multiple sets but rather a single, discrete breach. Which brings me to the next tweet in my thread:

    Two of the passwords in the data clearly tie it back to the LinkedIn breach, one literally being the word "LinkedIn" and the other an all lowercase version of that. It's difficult to imagine someone creating an MPD account with that password. Then again, people do stupid things with passwords (yes, even police officers) so it's possible. What's less likely is that a current day official police department system would allow an all lowercase 8-character password. Not convinced? The following passwords are also present:

    1. le (yes, with just 2 characters)
    2. 1603 (which looks like a PIN)
    3. password
    4. 123456

    As with the LinkedIn passwords, it's possible these are from an official police system, but the likelihood is extremely low. So where could they be from? Let's run them all against Pwned Passwords and see.

    There are 795 rows with passwords in the data. That's 3 less than the total number of email addresses as the first 3 lines are addresses only which is also a bit odd. Then again, those first 3 addresses are all @minneapolis.mn.us whereas all the other addresses are @ci.minneapolis.mn.us which feels more like a human error by whoever collated the list rather than the natural output of a dumped database. Of the passwords, 767 of them are distinct (that's a case sensitive distinct) with the dupes being passwords such as:

    1. goldie (4 occurrences)
    2. minneapolis (3 occurrences)
    3. 123456 (2 occurrences)

    Frankly, the individual occurrences of those in the data set are quite low, it's the prevalence of the passwords in existing data breaches that's more interesting. Only 86 of the 795 total rows didn't return a hit so in other words, 89% of them have been seen before. Not only seen before, but massively seen before - here's their prevalence in Pwned Passwords:

    1. 123456 (23,547,453 occurrences)
    2. qwerty (3,912,816 occurrences)
    3. password (3,730,471 occurrences)
    4. abc123 (2,855,057 occurrences)
    5. password1 (2,413,945 occurrences)
    6. sunshine (412,385 occurrences)
    7. shadow (343,769 occurrences)
    8. linkedin (291,385 occurrences)
    9. andrew (265,776 occurrences)
    10. joshua (262,771 occurrences)
    11. loveme (233,835 occurrences)
    12. freedom (221,713 occurrences)
    13. friends (218,341 occurrences)
    14. summer (214,360 occurrences)
    15. samantha (211,498 occurrences)
    16. maggie (211,290 occurrences)
    17. batman (206,795 occurrences)
    18. harley (197,503 occurrences)
    19. jasmine (192,023 occurrences)
    20. martin (188,772 occurrences)

    I want to go back to the email address I mentioned earlier on, the same one that appeared 7 times over. That address appeared once with the alias precisely represented as the password, once with it almost precisely as the password, once with "mickey23", once with "mickey23mikmonkhou", once with "32yekcim" (try reversing it...), once with "mickey2" and once with a "mickey23" prefix followed by a string that created an email address at a college. Why so many times? Because the data has almost certainly been pulled out of existing data breaches in an attempt to falsely fabricate a new one:

    These may well be legitimate MPD email addresses and the passwords may well have been used along with those email addresses on other systems, but they almost certainly didn't come from an MPD system and aren't the result of the police department being "hacked".
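The checks walked through above can be scripted. The following is an added example, not code from this post or from Have I Been Pwned: it runs the same triage (repeated addresses with conflicting passwords, share of addresses already seen in prior breaches, share of passwords already in Pwned Passwords) over a constructed "email:password" dump, using small constructed stand-in tables in place of the live HIBP and Pwned Passwords lookups.

```python
"""Triage an alleged credential dump for signs that it was stitched together
from existing breaches, following the checks described in the post above.
Added example, not code from the post or from Have I Been Pwned (HIBP).
The dump, the breach index and the prevalence table are constructed stand-ins;
in practice the last two would come from HIBP / Pwned Passwords lookups."""
import hashlib
from collections import Counter
from statistics import mean

# Constructed sample dump in the same "email:password" shape as the leak,
# including an address-only row and one address carrying several passwords.
SAMPLE_DUMP = """\
alice@example.gov
bob@example.gov:le
bob@example.gov:1603
carol@example.gov:password
dave@example.gov:linkedin
erin@example.gov:S3cure!Passw0rd#2020
frank@example.gov:123456
frank@example.gov:123456
"""

# Constructed stand-in for the HIBP breach index: address -> prior breaches.
KNOWN_BREACHES = {
    "alice@example.gov": {"PDL"},
    "bob@example.gov": {"LinkedIn", "PDL", "AntiPublic", "Verifications.io"},
    "carol@example.gov": {"PDL", "AntiPublic"},
    "dave@example.gov": {"LinkedIn", "PDL", "AntiPublic", "Verifications.io", "Collection1"},
    "erin@example.gov": {"Collection1"},
    "frank@example.gov": {"PDL", "Verifications.io", "Collection1"},
}

# Constructed stand-in for Pwned Passwords: uppercase SHA-1 hex -> occurrences.
# The first three counts are the figures quoted in the post; the rest are made up.
PREVALENCE = {
    hashlib.sha1(p.encode()).hexdigest().upper(): n
    for p, n in {"123456": 23_547_453, "password": 3_730_471,
                 "linkedin": 291_385, "1603": 5_000, "le": 800}.items()
}


def parse_dump(text):
    """Return (email, password-or-None) tuples; address-only rows keep None."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        email, sep, password = line.partition(":")
        rows.append((email.lower(), password if sep else None))
    return rows


def pwned_count(password, prevalence=PREVALENCE):
    """Look a password up the way the Pwned Passwords range API works:
    hash it, select by the 5-character SHA-1 prefix, then match the suffix
    locally so the full hash never has to leave the analyst's machine."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    # Simulated range response: every (suffix, count) sharing the prefix.
    range_response = {h[5:]: n for h, n in prevalence.items() if h.startswith(prefix)}
    return range_response.get(suffix, 0)


def triage(rows, known=KNOWN_BREACHES, prevalence=PREVALENCE):
    """Compute the indicators the post relies on for one dump."""
    emails = [e for e, _ in rows]
    unique = set(emails)
    multi = {e for e, n in Counter(emails).items() if n > 1}
    # Same address with more than one distinct password: unusual for a
    # single system's database, common in a stitched-together list.
    conflicting = {e for e in multi if len({p for x, p in rows if x == e and p}) > 1}
    seen_before = [e for e in unique if e in known]
    breaches_per_addr = [len(known[e]) for e in seen_before]
    with_pw = [(e, p) for e, p in rows if p]
    pw_hits = sum(1 for _, p in with_pw if pwned_count(p, prevalence) > 0)
    return {
        "rows": len(rows),
        "unique_emails": len(unique),
        "repeated_emails": len(multi),
        "conflicting_password_emails": len(conflicting),
        "hibp_hit_rate": len(seen_before) / len(unique) if unique else 0.0,
        "avg_breaches_per_known_addr": mean(breaches_per_addr) if breaches_per_addr else 0.0,
        "pwned_password_rate": pw_hits / len(with_pw) if with_pw else 0.0,
    }


def looks_fabricated(stats):
    """Heuristic from the post: near-total overlap with prior breaches, plus
    repeated addresses carrying different passwords, points to a list pulled
    out of existing leaks rather than a fresh database dump."""
    return (stats["hibp_hit_rate"] >= 0.9
            and stats["pwned_password_rate"] >= 0.8
            and stats["conflicting_password_emails"] > 0)


if __name__ == "__main__":
    report = triage(parse_dump(SAMPLE_DUMP))
    for key, value in report.items():
        print(f"{key}: {value}")
    print("fabricated:", looks_fabricated(report))
```

The thresholds are illustrative; the post's own comparison points are a 95% HIBP hit rate against a typical 60% to 80% for a genuinely new US breach, and 89% of passwords already present in Pwned Passwords.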

    And why is this happening? Because people are outraged at the situation in Minneapolis and they want this to be true:

    I want to be really clear about something at this point: events in the US at present are tragic and people should damn well be angry. But anger shouldn't mean throwing logic and reason out the window and I cannot think of a time where fact-checking has ever been more important than now, not just because of the Minneapolis situation, but because so much of what we see online simply can't be trusted. So by all means, be angry, but don't spread disinformation and right now, all signs point to just that - the alleged Minneapolis Police Department "breach" is fake.

    One last note: Please keep any commentary on this blog post focused on the data and don't let it descend into politics or emotional responses. This analysis is intended to be data-centric and cut through the FUD that so quickly spreads around highly emotive issues. Disinformation spreads very quickly online, especially so in situations like this where people get "caught up in the excitement".

    Apparently Coronavirus-tracing scammers won’t sound professional… (Yeah, right!)

    Some members of the UK public will soon start receiving text messages and emails claiming to come from the NHS Test and Trace Service, as part of the country’s fight against the Coronavirus pandemic.

    The problem is that many of them won’t know if the communication is genuine, or from a scammer.

    And the UK Government’s advice isn’t helping.

    Amtrak Guest Rewards Breach Affects Personal Info

    Amtrak has revealed that some customers may have had their personal information and log-ins stolen after it detected unauthorized access of rewards accounts by a third party.

    Also known as the National Railroad Passenger Corporation, the state-backed US transportation provider revealed the news in a regulatory filing with the Office of the Vermont Attorney General.

    “On the evening of April 16, 2020, Amtrak determined that an unknown third party gained unauthorized access to certain Amtrak Guest Rewards accounts,” it noted. “We have determined that compromised usernames and passwords were used to access certain accounts and some personal information may have been viewed. No financial data, credit card information or Social Security numbers were compromised.”

    The statement claimed that Amtrak’s IT security team terminated the unauthorized access “within a few hours,” reset passwords for affected accounts and hired outside security experts to contain the incident and put safeguards in place.

    The firm is also offering affected customers a free year’s membership for the Experian IdentityWorks fraud monitoring service, although such offerings only flag suspicious account activity after the event and won’t be able to stop the potential follow-on phishing attacks that could target users.

    It’s unclear how the attacker got hold of Amtrak Guest Reward usernames and passwords in the first place, although the credentials may have been breached in another incident and were being reused by customers across multiple sites/accounts.

    This isn’t the first time the railroad giant has been forced to alert the authorities about a suspected breach. In 2018, it revealed that service provider Orbitz had suffered a security incident exposing customers’ personal information.

    A year later, critical vulnerabilities were discovered in the Amtrak mobile application which researchers said could lead to a data breach of at least six million Amtrak Guest Rewards accounts.

    It’s unclear how many passengers were affected in the latest data breach incident.

    KingNull leaks DB of Daniel’s Hosting dark web hosting provider

Earlier this year a hacker breached Daniel’s Hosting, the largest free web hosting provider for dark web hidden services, and has now leaked its database.

    A threat actor has leaked the database of Daniel’s Hosting (DH), the largest free web hosting provider for dark web hidden services.

The hacker stole the data in March when he breached the hosting provider; almost 7,600 dark web portals were taken offline following the security breach.

Daniel Winzen, the German software developer who operated the service, revealed that attackers accessed the backend of the hosting provider and deleted all the databases of the websites hosted by Daniel’s Hosting.

    Winzen definitively shut down the service on March 26.

Today ZDNet reported that a hacker who goes by the moniker ‘KingNull’ uploaded a copy of the Daniel’s Hosting database to a file-hosting site.

    “According to a cursory analysis of today’s data dump, the leaked data includes 3,671 email addresses, 7,205 account passwords, and 8,580 private keys for .onion (dark web) domains.” reported ZDNet.

    Threat intelligence firm Under the Breach that analyzed the leaked database told ZDNet that the archive includes sensitive information on the owners and users of thousands of darknet sites. IP addresses of administrators and users were not included in the archive.

    The database could allow law enforcement agencies to deanonymize administrators of dark web services that were involved in illegal activities.

Unfortunately, the leak could endanger activists and dissidents who use the darknets to avoid censorship imposed by regimes.

In November 2018, Daniel’s Hosting was the victim of another incident, in which attackers hacked the service and deleted more than 6,500 sites.

ZDNet revealed that Winzen plans to relaunch the hosting service in several months.

    Pierluigi Paganini

    (SecurityAffairs – dark web, hacking)

    The post KingNull leaks DB of Daniel’s Hosting dark web hosting provider appeared first on Security Affairs.

    When SOCs never stop: How to fill the intelligence gaps in security

Demand for security analysts and security operations centre experts is high – so high that Frost and Sullivan found only two percent unemployment in the sector, and that demand continues to outstrip the supply of newly skilled professionals. (ISC)² suggests that the number of skilled professionals will have to grow from 2.8 million worldwide to 4.07 million to close the skills gap. All these roles will require the right skills and the right data. Alongside filling … More

    The post When SOCs never stop: How to fill the intelligence gaps in security appeared first on Help Net Security.

    The challenge of updating locally cached credentials

    As organizations work to ensure remote workforce productivity, the issue of cached credentials will inevitably appear, causing a problem for the impacted user, and the IT service desk. It’s no secret that some material portion of nearly every workforce is functioning remotely. You’ve spent the last few months scurrying to establish remote connectivity, cloud-based productivity, and some form of encompassing security – all to allow your remote employees to get their job done while meeting … More

    The post The challenge of updating locally cached credentials appeared first on Help Net Security.

    Agile security helps software teams deliver quicker and better software

    Agile adoption improves key capabilities needed to respond to current business challenges, especially those resulting from the pandemic, according to Digital.ai. With 60 percent of survey respondents saying Agile has helped increase speed to market, 41 percent agreeing they are better able to manage distributed teams, and 58 percent saying they have improved team productivity it is clear these practices are invaluable during these challenging times. “Our all-in move to the cloud in recent years … More

    The post Agile security helps software teams deliver quicker and better software appeared first on Help Net Security.

    Factors driving API growth in industry

    This is third in a series of articles that introduces and explains application programming interfaces (API) security threats, challenges, and solutions for participants in software development, operations, and protection. Explosion of APIs The API explosion is also driven by several business-oriented factors. First, enterprises are moving away from large monolithic applications that are updated annually at best. Instead, legacy and new applications are being broken into small, independently functional components, often rolled out as container-based … More

    The post Factors driving API growth in industry appeared first on Help Net Security.

    The Cybersecurity Implications of 5G Technology

    The coming of widespread 5G technology promises more than just faster everything, enhanced capacity and greater reliability. Leading proponents of the wonders of 5G, such as the theoretical physicist and author Michio Kaku, paint a picture of a true technological “paradigm shift, a game-changer.” The self-described futurist invites us to imagine a lightning-fast global communications […]… Read More

    The post The Cybersecurity Implications of 5G Technology appeared first on The State of Security.

    41% of organizations have not taken any steps to expand secure access for the remote workforce

    Currently, organizations are struggling to adjust to the new normal amidst the COVID-19 pandemic, a Bitglass survey reveals. 41% have not taken any steps to expand secure access for the remote workforce, and 50% are citing proper equipment as the biggest impediment to doing so. Consequently, 65% of organizations now enable personal devices to access managed applications. Remote work and secure access concerns When asked what their organizations are primarily concerned with securing while employees … More

    The post 41% of organizations have not taken any steps to expand secure access for the remote workforce appeared first on Help Net Security.

    A math formula could help 5G networks efficiently share communications frequencies

Researchers at the National Institute of Standards and Technology (NIST) have developed a mathematical formula that, computer simulations suggest, could help 5G and other wireless networks select and share communications frequencies about 5,000 times more efficiently than trial-and-error methods. NIST engineer Jason Coder makes mathematical calculations for a machine learning formula that may help 5G and other wireless networks select and share communications frequencies efficiently. The novel formula is a form of machine learning that … More

    The post A math formula could help 5G networks efficiently share communications frequencies appeared first on Help Net Security.

    Tripwire Patch Priority Index for May 2020

    Tripwire’s May 2020 Patch Priority Index (PPI) brings together important vulnerabilities from Microsoft, Adobe, SaltStack, and VMware. Up first on the patch priority list this month are patches for VMware vCenter Server and SaltStack Salt. The Metasploit exploit framework has recently integrated exploits for VMware vCenter Server (CVE-2020-3952) and SaltStack Salt (CVE-2020-11652, CVE-2020-11651). Administrators with […]… Read More

    The post Tripwire Patch Priority Index for May 2020 appeared first on The State of Security.

    Blackpoint Cyber launches 365 Defense, a Microsoft 365 security add-on for its MDR service

    Blackpoint Cyber released 365 Defense – a Microsoft 365 security add-on for its true Managed Detection and Response (MDR) service. With 365 Defense, Blackpoint adds 24/7 monitoring, threat detection, and security policy enforcement for Microsoft 365 environments. The add-on is available to existing and new clients and provides an additional offering for Blackpoint partners, including Managed Service Providers (MSPs). There’s been an alarming increase in Microsoft 365 account takeover (ATO) attacks according to a report … More

    The post Blackpoint Cyber launches 365 Defense, a Microsoft 365 security add-on for its MDR service appeared first on Help Net Security.

    Thierry Delaporte joins Wipro as Chief Executive Officer and Managing Director

    Wipro announced the appointment of Thierry Delaporte as the Chief Executive Officer and Managing Director of the company, effective July 6, 2020. Until recently, Thierry Delaporte was the Chief Operating Officer of Capgemini Group and a member of its Group Executive Board. During his twenty-five year career with Capgemini, he held several leadership roles including that of Chief Executive Officer of the Global Financial Services Strategic Business Unit, and head of all global service lines. … More

    The post Thierry Delaporte joins Wipro as Chief Executive Officer and Managing Director appeared first on Help Net Security.

    Anonymous demands justice for George Floyd and threatens attacks

    The hacktivist collective group Anonymous demands justice for George Floyd and threatens to ‘expose the many crimes’ of Minneapolis Police.

Anonymous demands justice for George Floyd and threatens to ‘expose the many crimes’ of Minneapolis Police. George Floyd was killed by a white police officer who knelt on his neck for more than eight minutes.

As widespread civil unrest escalates in the US and protests against police brutality spread to major cities, Anonymous released a video threatening the Minneapolis Police Department (MPD) that it will “expose your many crimes to the world.”

The video was shared on May 28 through a Facebook page affiliated with the group; in it, an electronic voice accuses MPD of having “a horrific track record of violence and corruption,” claiming that the killing of George Floyd was “merely the tip of the iceberg.”

    “Officers who kill people and commit other crimes need to be held accountable just like the rest of us. Otherwise, they will believe that they have a license to do whatever they want.” the Anonymous narrator says.

    “People have had enough of this corruption and violence from an organization that promises to keep them safe. After the events of the past few years, many people are beginning to learn that you are not here to save us but rather you are here to oppress us and carry out the will of the criminal ruling class.”

    “You are here to keep order for the people in control, not to provide safety for the people who are controlled. In fact, you are the very mechanism that elites use to continue their global system of oppression.”

    “These officers must face criminal charges and officer Chauvin especially should face murder charges. Unfortunately, we do not trust your corrupt organization to carry out justice so will be exposing your many crimes to the world. We are legion. Expect us.”

    “Sadly, in the vast majority of police killings, the only one left alive to tell the story is the officer who took the person’s life,” the Anonymous narrator continues. “This travesty has gone on for far too long… and now the people have had enough.”

The collective has launched its offensive against the authorities: the MPD’s website was taken offline late on Saturday, and today alleged members of the group (@PowerfulArmyGR, @namatikure) announced on Pastebin that the site had been hacked and its database of emails and passwords leaked.

“The Minneapolis official website has been hacked and database with emails and passwords leaked.” reads the post published on PasteBin.

    Anonymous has yet to claim responsibility for taking down the website.

In the last few hours, other operations have been attributed to Anonymous, including the hack of Chicago police radios.

    Pierluigi Paganini

    (SecurityAffairs – George Floyd, Anonymous)

    The post Anonymous demands justice for George Floyd and threatens attacks appeared first on Security Affairs.

    ENISA published “Proactive detection – Measures and information sources” report

The EU Agency for Cybersecurity ENISA has published a new report on the proactive detection of incidents, including measures and information sources.

    The EU Agency for Cybersecurity ENISA has published a new report and accompanying repository on measures and information sources that could help security experts and operators of IT and critical infrastructure to proactively detect network security incidents in the EU.

The documents aim at evaluating methods, tools, activities and information sources for proactive detection of network security incidents.

The proactive detection process aims at discovering malicious activity conducted by threat actors through internal monitoring tools or external sources that share information about detected incidents.

    “The current project aims to provide a complete inventory of all available methods, tools, activities and information sources for proactive detection of network security incidents, which are used already or potentially could be used by incident response teams in Europe nowadays.” reads the report. “The current report evaluates available methods, tools, activities and information sources for proactive detection of network incidents.”

    The EU agency launched this project to improve the detection of network security incidents in the EU, by:

    • Providing an inventory of available measures and information sources;
    • Identifying good practices;
    • Recommending possible areas for development.

This report identifies and analyzes how proactive detection in the EU has evolved between 2011 and 2019. The project also explores new areas that could help to improve operational cooperation and information sharing.

The project’s deliverables are three reports and a living repository hosted on GitHub.

    “The objective is to offer a point of reference for new or well-established teams who need to identify or reassess appropriate measures for proactive detection of incidents.” continues the post published by ENISA.

    1- Report – Survey results

    • Survey among incident response teams in Europe;
    • Comparison with the 2011 survey.

    2- Report – Measures and information sources

    • Inventory of available methods, tools, activities and information sources;
    • Evaluation of identified measures and information sources.

    3- Report – Good practices gap analysis recommendations

    • Analysis of the data gathered;
    • Recommendations.

    4- Online repository – GitHub

    • Information sources;
    • Measures and tools.

    Enjoy the report!

    Pierluigi Paganini

    (SecurityAffairs – ENISA, cybersecurity)

    The post ENISA published “Proactive detection – Measures and information sources” report appeared first on Security Affairs.

    Coronavirus-themed attacks May 24 – May 30, 2020

    This post includes the details of the Coronavirus-themed attacks launched from May 24 to May 30, 2020.

Threat actors exploit the interest in the Coronavirus outbreak while infections increase worldwide; experts are observing new campaigns on a daily basis.

Below is a list of attacks detected this week.

    May 26 – Hangzhou could permanently adopt COVID-19 contact-tracing app

    The City of Hangzhou is planning to make a contact tracing system developed to fight the COVID-19 pandemic permanent for its citizens.

    May 27 – Fuckunicorn ransomware targets Italy in COVID-19 lures

A new piece of ransomware dubbed FuckUnicorn is targeting Italy by tricking victims into downloading a fake COVID-19 contact tracing app.

    May 29 – Himera and AbSent-Loader Leverage Covid19 lures

    Researchers at ZLab spotted a new phishing campaign using Covid19 lures to spread Himera and Absent-Loader.  

    May 30 – A new COVID-19-themed campaign targets Italian users

    Security researchers uncovered a new COVID-19-themed campaign targeting users of the National Institute for Social Security (INPS).

If you are interested in COVID19-themed attacks from February 1 give a look at the following posts:

    Pierluigi Paganini

    (SecurityAffairs – COVID-19, Coronavirus themed campaigns)

    The post Coronavirus-themed attacks May 24 – May 30, 2020 appeared first on Security Affairs.

    Security Affairs newsletter Round 266

    A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs free for you in your email box.

    Experts observed a spike in COVID-19 related malspam emails containing GuLoader
    Silent Night Zeus botnet available for sale in underground forums
    The Florida Unemployment System suffered a data breach
    Voter information for 2 millions of Indonesians leaked online
    25 million Mathway user records available for sale on the dark web
    Online education site EduCBA discloses data breach and reset customers pwds
    Personal details and documents for millions of Indians available in the deep web
    Unc0ver is the first jailbreak that works on all recent iOS versions since 2014
3 hacking forums have been hacked and databases have been leaked online
    Cisco fixed a critical issue in the Unified Contact Center Express
    Crooks hacked e-shops and threaten to sell SQL databases if ransom not paid
Maze ransomware operators leak credit card data from Costa Rica's BCR bank
    Ragnar Ransomware encrypts files from virtual machines to evade detection
    Bugs in open-source libraries impact 70% of modern software
    Hangzhou could permanently adopt COVID-19 contact-tracing app
    New Turla ComRAT backdoor uses Gmail for Command and Control
    StrandHogg 2.0 Android flaw affects over 1 Billion devices
Boris Johnson to reduce Huawei's role in national 5G network
    Fuckunicorn ransomware targets Italy in COVID-19 lures
    Grandoreiro Malware implements new features in Q2 2020
    Microsoft warns about ongoing PonyFinal ransomware attacks
    Real estate app leaking thousands of user records and sensitive private messages
    Researchers dismantled ShuangQiang gangs botnet that infected thousands of PCs
    The evolution of ransomware in 2019: attackers think bigger, go deeper and grow more advanced
    Google TAG report Q1 details about nation-state hacking and disinformation
Israel's national cyber chief warns of rising of cyber-warfare
    Ke3chang hacking group adds new Ketrum malware to its arsenal
    NSA warns Russia-linked APT group is exploiting Exim flaw since 2019
    Security breach impacted Cisco VIRL-PE infrastructure
    Valak a sophisticated malware that completely changed in 6 months
    An archive with 20 Million Taiwanese citizens leaked in the dark web
    Himera and AbSent-Loader Leverage Covid19 lures
    ICT solutions provider NTT Com discloses security breach
    Octopus Scanner Malware: open source supply chain attack via NetBeans projects on GitHub
    Steganography in targeted attacks on industrial enterprises in Japan and Europe
    A new COVID-19-themed campaign targets Italian users
    A New York man was charged with stealing credit card data via SQL Injection attacks
API Security and Hackers: What's the Need?
    NetWalker ransomware gang threatens to release Michigan State University files

    Pierluigi Paganini

    (SecurityAffairs – newsletter, hacking)

    The post Security Affairs newsletter Round 266 appeared first on Security Affairs.

    Over 100K+ WordPress sites using PageLayer plugin exposed to hack

    Two security flaws in the PageLayer WordPress plugin can be exploited to potentially wipe the contents or take over WordPress sites.

    Security experts from WordFence discovered two high severity security vulnerabilities in the PageLayer WordPress plugin that could potentially allow attackers to wipe the contents or take over WordPress sites using vulnerable plugin versions.

    PageLayer is a WordPress page builder plugin, it is very easy to use and actually has over 200,000 active installations according to numbers available on its WordPress plugins repository entry.

    The vulnerabilities were reported to PageLayer’s developer by the Wordfence Threat Intelligence team on April 30 and were patched with the release of version 1.1.2 on May 6.

    One vulnerability could allow an authenticated user with subscriber-level and above permissions to update and modify posts.

    “One flaw allowed any authenticated user with subscriber-level and above permissions the ability to update and modify posts with malicious content, amongst many other things,” reads the post published by Wordfence.

The second vulnerability could allow attackers to forge a request on behalf of a site's administrator to change the plugin settings, allowing them to inject malicious JavaScript.

    Both vulnerabilities are the result of unprotected AJAX actions, nonce disclosure, and a lack of Cross-Site Request Forgery (CSRF) protection. An attacker could exploit the vulnerabilities to inject malicious JavaScript code, alter the pages of the site, create rogue admin accounts, redirect site visitors to malicious sites, and exploit a site’s user’s browser to compromise their computer.

    WordFence experts reported the issue to PageLayer’s developers on April 30 and both were addressed with the release of version 1.1.2 on May 6.

Developers implemented permission checks on all of the sensitive functions that could change the site and reconfigured the plugin to create separate nonces for the public and administrative areas of a WordPress site.

At the time of writing, more than a hundred thousand WordPress sites still use vulnerable versions of the PageLayer plugin.

When it comes to WordPress attacks involving the exploitation of vulnerabilities, malicious actors usually target unpatched plugins; for this reason, it is essential to keep them up to date.

I believe it is very important to protect WordPress installs with dedicated solutions; I'm currently using the WordFence solution, and the company provided me with a license to evaluate the premium features.

    Pierluigi Paganini

    (SecurityAffairs – PageLayer, hacking)

    The post Over 100K+ WordPress sites using PageLayer plugin exposed to hack appeared first on Security Affairs.

    Week in review: Windows RDP backdoor, GDPR enforcement, application threats and security trends

    Here’s an overview of some of last week’s most interesting news and articles: How do I select a backup solution for my business? In order to select an appropriate backup solution for your business, you need to think about a variety of factors. We’ve talked to several industry professionals to get their insight on the topic. StrandHogg 2.0: Critical Android flaw allows app hijacking, data theft Google has released a patch for CVE-2020-0096, a critical … More

    The post Week in review: Windows RDP backdoor, GDPR enforcement, application threats and security trends appeared first on Help Net Security.

    A new COVID-19-themed campaign targets Italian users

    Security researchers uncovered a new COVID-19-themed campaign targeting users of the National Institute for Social Security (INPS).

Security experts from D3Lab have uncovered a new COVID-19-themed phishing campaign that is targeting the users of the Italian National Institute for Social Security (INPS). Like a previous campaign observed in early April, threat actors set up a fake INPS site (“inps-it[.]top”) used to trick victims into downloading a malicious app.

“A new Phishing campaign against INPS users, similar to the previous one of April 6, 2020, has been detected in the past few hours by our research and analysis center for Phishing campaigns.” reads the post published by D3Lab.

    “The fraudulent activity is carried out through a web domain created Ad Hoc with similarities, in the name, to the official one of the national social security institution with the intent to download malware to users interested in receiving the Covid-19 allowance allocated from the Italian state.”

COVID-19 campaign INPS

    D3Lab reported its findings to the Italian CERT-AGID that published a security advisory.

    Cybercriminals are attempting to take advantage of the Covid-19 indemnity that the Italian government will give to some Italian citizens with specific requirements.

Citizens have to request the Covid-19 indemnity from the government through the INPS portal; for this reason, threat actors set up a fake INPS site asking people to download a phantom “application for the new COVID-19 indemnity” which actually returns a malicious APK for Android devices.

The malicious APK, named “acrobatreader.apk,” is a Trojan-Banker malware that is able to monitor the actions performed by the user.

    The malware asks users to enable the accessibility service in order to take advantage of the legitimate functions of this service and achieve wider access to the system APIs to communicate with other apps on the device.

“As soon as the presence of connectivity is detected, an HTTP POST request is sent to C2 through the following url “http://greedyduck[.]top/gate[.]php” passing two parameters:

• “Action”: with botcheck or injcheck values;
• “Data”: information collected and passed in encrypted form (RC4).”
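The beacon described in the quote above has a recognisable shape: a POST to gate.php carrying an action parameter of botcheck or injcheck together with an encrypted data parameter. The following is an added detection example written for this article, not code from D3Lab or CERT-AGID. It scans constructed proxy log lines and flags, separately, contact with the reported host and any request matching that beacon shape, so a change of C2 host alone does not blind the rule. The log format and every log line are constructed; only the host, path, parameter names and action values come from the report.

```python
"""Detection of the INPS-campaign beacon shape in constructed proxy logs.

Added example (not from the advisory or the article). Indicators used:
host greedyduck[.]top, path /gate.php, form parameters "action"
(botcheck|injcheck) and "data". Everything else below is constructed.
"""
import re
from urllib.parse import urlsplit, parse_qs

C2_HOSTS = {"greedyduck.top"}          # reported as greedyduck[.]top
C2_PATH = "/gate.php"
C2_ACTIONS = {"botcheck", "injcheck"}

# Constructed log format (hypothetical proxy that records form bodies):
# <timestamp> <client-ip> <method> <url> <form-body-or-dash> <status>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<body>\S+) (?P<status>\d{3})$"
)

# Constructed sample log; none of this is real traffic.
SAMPLE_LOG = """\
2020-05-30T10:01:02Z 10.0.0.7 POST http://greedyduck.top/gate.php action=botcheck&data=6a3f9c 200
2020-05-30T10:01:05Z 10.0.0.7 GET http://www.example.com/index.html - 200
2020-05-30T10:02:11Z 10.0.0.9 POST http://cdn-update.invalid/gate.php action=injcheck&data=ff00aa 200
2020-05-30T10:02:40Z 10.0.0.12 POST http://www.example.com/gate.php q=1 404
2020-05-30T10:03:00Z 10.0.0.9 POST http://www.example.com/search q=inps 200
"""


def classify(line):
    """Return the list of reasons a line is suspicious (empty if benign)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = urlsplit(m["url"])
    reasons = []
    # Rule 1: plain indicator match on the reported C2 host.
    if url.hostname in C2_HOSTS:
        reasons.append("known C2 host")
    # Rule 2: protocol shape, independent of host, so a moved C2 is still caught.
    if m["method"] == "POST" and url.path == C2_PATH and m["body"] != "-":
        params = parse_qs(m["body"])
        action = params.get("action", [""])[0]
        if action in C2_ACTIONS and "data" in params:
            reasons.append("beacon shape: action=%s with data" % action)
    return reasons


def scan(log_text):
    """Return [(client_ip, reasons)] for every suspicious line, in log order."""
    hits = []
    for line in log_text.splitlines():
        reasons = classify(line)
        if reasons:
            hits.append((line.split()[1], reasons))
    return hits


if __name__ == "__main__":
    for src, why in scan(SAMPLE_LOG):
        print(src, "->", "; ".join(why))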

    The CERT-AGID published the Indicators of Compromise (IoCs) here.

    Pierluigi Paganini

    (SecurityAffairs – COVID-19, hacking)

    The post A new COVID-19-themed campaign targets Italian users appeared first on Security Affairs.

    Former IT Administrator Sentenced in Insider Threat Case

    Charles E. Taylor Caused $800,000 in Damages to His Former Company
    A former IT administrator for an Atlanta-based building products distribution company has been sentenced to 18 months in federal prison after he sabotaged the firm by changing router passwords and damaging a critical command server. Overall, Charles E. Taylor caused more than $800,000 in damages.

    Critical ‘Sign in with Apple’ Bug Could Have Let Attackers Hijack Anyone’s Account

    Apple recently paid Indian vulnerability researcher Bhavuk Jain a huge $100,000 bug bounty for reporting a highly critical vulnerability affecting its 'Sign in with Apple' system. The now-patched vulnerability could have allowed remote attackers to bypass authentication and take over targeted users' accounts on third-party services and apps that have been registered using 'Sign in with Apple'

    NetWalker ransomware gang threatens to release Michigan State University files

Michigan State University is the latest victim of the NetWalker ransomware; the attackers threaten to leak stolen files if the university does not pay the ransom within seven days.

Michigan State University has been hit by a ransomware gang: NetWalker ransomware operators are threatening to leak stolen files if the university does not pay the ransom within seven days.

At the time of writing, the ransom demanded to decrypt the files had not been disclosed.

Even if MSU restores from backups, the NetWalker ransomware gang will leak the stolen documents on its dark web leak site.

As proof of the attack, NetWalker ransomware operators have shared five images on the leak site.

    “These include two images showing a directory structure allegedly from the university’s network, a passport scan for a student, and two scans of Michigan State financial documents.” reported ZDNet.

    Source ZDNet

The NetWalker group is very active in this period; the list of the gang's victims includes the shipping giant Toll. Researchers also identified a new Coronavirus-themed phishing campaign that aims to deliver the NetWalker ransomware using COVID-19 lures.

The university did not reveal the extent of the attack. Students and employees are still working from home due to the COVID-19 outbreak, but the incident may not impact e-learning activity.

NetWalker isn't the only ransomware gang that threatens to publish victims' data to force them to pay the ransom; others include DopplePaymer, Maze, Nefilim, Nemty, RagnarLocker, and REvil.

    Pierluigi Paganini

    (SecurityAffairs – Michigan State University, hacking)

    The post NetWalker ransomware gang threatens to release Michigan State University files appeared first on Security Affairs.

    API Security and Hackers: What’s the Need?

API Security – There is considerable demand for data-centric projects, which is why companies have quickly opened their data to their ecosystem through REST or SOAP APIs.

APIs work as doors for a company – closely guarding the data of an organization. This creates a challenge: how do we hold the doors open to the world while simultaneously sealing them off from hackers?

Here are some simple tips for API security; let's have a look!

    Authentication

Don't communicate with strangers. To make your service harder to attack, always know who is calling your APIs, by using basic access authentication (user/password) or an API key (asymmetric key).

    Encryption 

    Just be cryptic. For internal or external correspondence nothing should be in the open.

You and your partners can encrypt all transfers with TLS (the successor to SSL), be it one-way encryption (also called standard one-way TLS) or, even better, mutual encryption (two-way TLS).

Use the newest versions of TLS to block the use of weaker cipher suites.

    Monitoring: Audit, Log, and Version 

In case of an error, you need to be ready to troubleshoot: audit and log relevant information on the server, and keep that history for as long as is reasonable given the capacity of your production servers. In case of an incident, your logs become debugging tools. Monitoring dashboards are also highly recommended for tracking your API usage.

Do not forget to add a version to all APIs, ideally in the API path, so that several versions of an API can run concurrently and one version can be deprecated and removed independently of another.

    Call Security Experts

It is better to use ICAP (Internet Content Adaptation Protocol) servers or good antivirus systems to protect your company's data.

    Share as Little as Possible 

For API security, it's okay to be paranoid and reveal very little information, particularly in error messages. Limit content and email subjects to predefined, non-customizable messages. Since IP addresses can be resolved to locations, keep them to yourself. To limit access to your accounts, use an IP whitelist and IP blacklist where possible. You can check your own IP address by simply searching for “what is my IP”. Limit the number of administrators, divide access into distinct roles, and hide sensitive information in all your interfaces.

    OAuth & OpenID Connect 

Delegate all responsibilities. A good manager delegates, and a good API does so too: the authorization and/or authentication of your APIs should be delegated.

OAuth is a mechanism that prevents you from having to remember 10,000 passwords. Instead of creating an account on a website, you can sign in with credentials from another provider, such as Facebook or Google. This works the same way for APIs: the API provider relies on a third-party server to handle permissions. The user does not supply their credentials to the API; instead, the third-party server issues a token. This protects the user because they don't reveal their passwords, and the API provider doesn't need to worry about protecting authorization data, because it only handles tokens.

OAuth is a delegation protocol widely used to forward authorizations. You can add an identity layer on top of it to protect your APIs even further and add authentication: this is the OpenID Connect standard, which extends OAuth 2.0 with ID tokens.

    System Protection with Throttling and Quotas 

Keep control. To protect your backend network bandwidth according to the capacity of your servers, you can restrict access to your service to a limited number of messages per second.

You can also limit access per API and per user (or application) to make sure that no single caller can misuse the program or any API.

Throttling thresholds and quotas, if well defined, are essential to prevent attacks from multiple sources overwhelming the network with numerous requests (DDoS, Distributed Denial of Service).
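The two controls described in this section, a per-second throttle and a per-user quota, are shown together below. This is an added example written for this article, not code from the author or from any product he mentions: a token bucket keyed by (API, client) absorbs short bursts and refills at a fixed rate, while a separate daily counter enforces the quota. The API name, client ids, limits and the injectable fake clock are constructed for illustration.

```python
"""Throttling and quotas for an API front end.

Added example, not code from the article. A token-bucket rate limiter keyed
by (API name, client id) handles burst control; a per-client daily quota
caps total use. API names, client ids and limits are constructed.
"""
import time


class TokenBucket:
    """Allows bursts of up to `capacity` requests, refilled at `rate` per second."""

    def __init__(self, capacity, rate, now):
        self.capacity = float(capacity)
        self.rate = float(rate)
        self.tokens = float(capacity)   # start full so a new client can burst
        self.updated = now

    def allow(self, now):
        # Refill in proportion to elapsed time, never above capacity.
        elapsed = max(0.0, now - self.updated)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        self.updated = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class ApiThrottler:
    """Per-(API, client) throttling plus a per-client daily quota.

    limits: {api_name: (burst_capacity, requests_per_second)}
    clock:  injectable time source so behaviour can be tested deterministically
    """

    SECONDS_PER_DAY = 86400

    def __init__(self, limits, daily_quota, clock=time.monotonic):
        self.limits = limits
        self.daily_quota = daily_quota
        self.clock = clock
        self.buckets = {}   # (api, client) -> TokenBucket
        self.usage = {}     # client -> [day_index, requests_today]

    def check(self, api, client):
        """Return (allowed, reason); map a refusal to HTTP 429 in the handler."""
        now = self.clock()
        day = int(now // self.SECONDS_PER_DAY)

        # Quota first: a client already over quota must not burn bucket tokens.
        used = self.usage.get(client)
        if used is None or used[0] != day:
            used = [day, 0]
            self.usage[client] = used
        if used[1] >= self.daily_quota:
            return False, "quota exceeded"

        # Then the short-term rate limit for this API/client pair.
        key = (api, client)
        bucket = self.buckets.get(key)
        if bucket is None:
            capacity, rate = self.limits[api]
            bucket = self.buckets[key] = TokenBucket(capacity, rate, now)
        if not bucket.allow(now):
            return False, "rate limited"

        used[1] += 1
        return True, "ok"


def simulate():
    """Drive the throttler with a constructed clock; returns the decisions."""
    t = [1000.0]                                   # fake monotonic clock
    thr = ApiThrottler({"search": (3, 1.0)}, daily_quota=5, clock=lambda: t[0])
    decisions = []
    for _ in range(5):                             # burst of 5 in the same instant
        decisions.append(thr.check("search", "client-a")[1])
    t[0] += 2.0                                    # two seconds later: 2 tokens back
    for _ in range(3):
        decisions.append(thr.check("search", "client-a")[1])
    decisions.append(thr.check("search", "client-b")[1])   # separate bucket and quota
    return decisions


if __name__ == "__main__":
    print(simulate())
```

With a burst capacity of 3 and a refill of 1 token per second, the fourth and fifth requests in the burst are rate limited, two more succeed after the refill, and the eighth is refused by the daily quota of 5; a second client is unaffected because both the bucket and the counter are keyed per client.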

    OWASP top 10

Avoid wasps. The OWASP (Open Web Application Security Project) Top 10 is a list of the ten most critical web application security risks, ranked by their exploitability and impact. In addition to the above, make sure your application has been checked against every item on the OWASP list.

    Data Validation 

Be picky and refuse surprise presents, especially when they're massive. You should validate everything your server accepts. Be vigilant: reject unexpected content and payloads that are too large, and test the data that clients give you. Use XML or JSON schema validation to verify that fields are what they should be (integer, string, ...) to avoid all kinds of XML bombs and SQL injection.
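As an added example for this section (not code from the author), here is a small allowlist validator for a JSON endpoint. It applies the checks the paragraph lists: a body size cap, rejection of malformed JSON and of fields the schema does not name, type checks (including rejecting booleans where integers are expected), length and range limits, and an allowlist pattern on identifiers so injection-shaped strings never reach a query. It also follows the earlier "share as little as possible" advice: the client gets one fixed error message while the precise reason goes to the server log. The endpoint, schema, and limits are constructed for illustration.

```python
"""Strict input validation for a JSON API endpoint.

Added example, not code from the article. The "create order" endpoint,
its schema and the size limit are constructed for illustration.
"""
import json
import re

MAX_BODY_BYTES = 64 * 1024          # constructed limit; size your own per endpoint

# Constructed schema for a hypothetical "create order" endpoint.
CREATE_ORDER_SCHEMA = {
    "sku":      {"type": str, "required": True, "max_len": 32,
                 "pattern": re.compile(r"[A-Z0-9-]+")},   # allowlist, not a blocklist
    "quantity": {"type": int, "required": True, "min": 1, "max": 1000},
    "note":     {"type": str, "required": False, "max_len": 200},
}


class ValidationError(Exception):
    """Carries a server-side reason; never echoed verbatim to the client."""


def validate_body(raw, schema):
    """Parse and validate `raw` (bytes) against `schema`; return the clean dict."""
    if len(raw) > MAX_BODY_BYTES:
        raise ValidationError("body too large")
    try:
        data = json.loads(raw)
    except ValueError:
        raise ValidationError("malformed JSON")
    if not isinstance(data, dict):
        raise ValidationError("top-level object expected")

    # Unknown fields are refused outright: no silent mass assignment.
    unknown = set(data) - set(schema)
    if unknown:
        raise ValidationError("unexpected fields: %s" % sorted(unknown))

    for name, rule in schema.items():
        if name not in data:
            if rule["required"]:
                raise ValidationError("missing field: %s" % name)
            continue
        value = data[name]
        # bool is a subclass of int in Python, so exclude it explicitly.
        if isinstance(value, bool) or not isinstance(value, rule["type"]):
            raise ValidationError("wrong type for %s" % name)
        if rule["type"] is str:
            if len(value) > rule["max_len"]:
                raise ValidationError("%s too long" % name)
            pattern = rule.get("pattern")
            if pattern and not pattern.fullmatch(value):
                raise ValidationError("%s has disallowed characters" % name)
        elif rule["type"] is int:
            if not rule["min"] <= value <= rule["max"]:
                raise ValidationError("%s out of range" % name)
    return data


def handle_request(raw):
    """Return (status, response_body, server_log_line).

    The client only ever sees a fixed message; the detail goes to the log.
    """
    try:
        data = validate_body(raw, CREATE_ORDER_SCHEMA)
    except ValidationError as exc:
        return 400, {"error": "invalid request"}, "rejected: %s" % exc
    return 200, {"accepted": data["sku"]}, "accepted sku=%s" % data["sku"]


if __name__ == "__main__":
    print(handle_request(b'{"sku":"AB-123","quantity":2}'))
    print(handle_request(b'{"sku":"AB-123","quantity":2,"admin":true}'))
```

Checking the size before parsing matters: a parser given an oversized or deeply nested document can exhaust memory before any schema rule runs, which is the "massive surprise present" the paragraph warns about.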

    Infrastructure 

Stay up-to-date. To be stable and still benefit from the latest security updates, a good API should rely on a secure network, a sound infrastructure and up-to-date applications (servers, load balancers).

    API Firewalling 

Create a wall: building a wall is supposed to solve all the immigration issues for some citizens. That is the case, at least for APIs! The protection of your API should be divided into two levels:

• The first level is the DMZ, with an API firewall performing simple protection measures, including checking message size, SQL injection, and any HTTP-layer protection that blocks intruders early. The message is then forwarded to the second level.
• The second level is the LAN, with advanced data-protection mechanisms.

    Set a Budget for Security Testing 

    Security monitoring takes time and resources, and the investment needs to be made by the businesses. Although new functionality drives growth, security testing should be allocated about 5 percent to 10 percent of the budget. Use of APIs is growing and encouraging companies to create more diverse applications. Nonetheless, as they exploit these resources, companies need to be mindful of and close the possible security holes.

    About the author: Waqas Baig

    Waqas Baig is a Tech Writer having experience of 8 years in journalism, reporting and editing. In his spare time, he reads and writes about tech products including gadgets, smart watches, home security products and others. If you have story ideas, feel free to share here waqasbaigblog@gmail.com

    Pierluigi Paganini

    (SecurityAffairs – APT, hacking)

    The post API Security and Hackers: What’s the Need? appeared first on Security Affairs.

    New Noise-Resilient Attack On Intel and AMD CPUs Makes Flush-based Attacks Effective

    Modern Intel and AMD processors are susceptible to a new form of side-channel attack that makes flush-based cache attacks resilient to system noise, newly published research shared with The Hacker News has revealed. The findings are from a paper "DABANGG: Time for Fearless Flush based Cache Attacks" published by a pair of researchers, Biswabandan Panda and Anish Saxena, from the Indian

    A New York man was charged with stealing credit card data via SQL Injection attacks

    The US DoJ announced that a New York City man was charged with hacking, credit card trafficking, and money laundering conspiracies.

    New York City man Vitalii Antonenko (28) was charged with hacking, credit card trafficking, and money laundering conspiracies, states the US DoJ.

The man was arrested in March 2019 and detained after his arrival from Ukraine. He was carrying computers and other digital media containing hundreds of thousands of stolen payment card numbers.

    “Vitalii Antonenko, 28, was indicted on one count of conspiracy to gain unauthorized access to computer networks and to traffic in unauthorized access devices, and one count of money laundering conspiracy.” reads the press release published by US DoJ. “In March 2019, Antonenko was arrested and detained on money laundering charges at New York’s John F. Kennedy International Airport after he arrived there from Ukraine carrying computers and other digital media that held hundreds of thousands of stolen payment card numbers.”

The man and his co-conspirators obtained the credit card data by hacking into vulnerable computer networks.

    The hackers launched SQL injection attacks to access vulnerable networks and steal Payment Card Data and other PII.

Crooks were able to steal card account numbers, expiration dates, and card verification values, along with other personally identifiable information (PII), and then offered them for sale on cybercrime marketplaces.

    “They used a hacking technique known as a “SQL injection attack” to access those networks without authorization, extracted Payment Card Data and other PII, and transferred it for sale on online criminal marketplaces.” continues the DoJ. “Once a co-conspirator sold the data, Antonenko and others used Bitcoin as well as traditional bank and cash transactions to launder the proceeds in order to disguise their nature, location, source, ownership, and control.”

    The charges related to unauthorized access carry a sentence of up to five years in prison, three years of supervised release, a $250,000 fine, restitution and forfeiture.

    Antonenko faces up to 20 years in prison and a $500,000 fine for the money laundering conspiracy charges.

    Pierluigi Paganini

    (SecurityAffairs – Card Data, hacking)

    The post A New York man was charged with stealing credit card data via SQL Injection attacks appeared first on Security Affairs.

    Exclusive – Any Mitron (Viral TikTok Clone) Profile Can Be Hacked in Seconds

    Mitron (means "friends" in Hindi), you have been fooled again! Mitron is not really a 'Made in India' product, and the viral app contains a highly critical, unpatched vulnerability that could allow anyone to hack into any user account without requiring interaction from the targeted users or their passwords. I am sure many of you already know what TikTok is, and those still unaware, it's a

    Hackers Breached 6 Unpatched Cisco Internal Servers

    Servers Support Company's Virtual Networking Service
    Six internal servers that Cisco uses to support its virtual networking service were compromised earlier this month after the company failed to patch two SaltStack zero day vulnerabilities. The company did not describe the damage done, saying only that "a limited set of customers" was impacted.

    Threat Roundup for May 22 to May 29

    Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between May 22 and May 29. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

    As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Read More

    Reference

    20200529-tru.json – this is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.

    The post Threat Roundup for May 22 to May 29 appeared first on Cisco Blogs.

    Career Choice Tip: Cybercrime is Mostly Boring

When law enforcement agencies tout their latest cybercriminal arrest, the defendant is often cast as a bravado outlaw engaged in sophisticated, lucrative, even exciting activity. But new research suggests that as cybercrime has become dominated by pay-for-service offerings, the vast majority of day-to-day activity needed to support these enterprises is in fact mind-numbingly boring and tedious, and that highlighting this reality may be a far more effective way to combat cybercrime and steer offenders toward a better path.

    Yes, I realize hooded hacker stock photos have become a meme, but that’s the point.

    The findings come in a new paper released by researchers at Cambridge University’s Cybercrime Centre, which examined the quality and types of work needed to build, maintain and defend illicit enterprises that make up a large portion of the cybercrime-as-a-service market. In particular, the academics focused on botnets and DDoS-for-hire or “booter” services, the maintenance of underground forums, and malware-as-a-service offerings.

    In examining these businesses, the academics stress that the romantic notions of those involved in cybercrime ignore the often mundane, rote aspects of the work that needs to be done to support online illicit economies. The researchers concluded that for many people involved, cybercrime amounts to little more than a boring office job sustaining the infrastructure on which these global markets rely, work that is little different in character from the activity of legitimate system administrators.

    Richard Clayton, a co-author of the report and director of Cambridge’s Cybercrime Centre, said the findings suggest policymakers and law enforcement agencies may be doing nobody a favor when they issue aggrandizing press releases that couch their cybercrime investigations as targeting sophisticated actors.

    “The way in which everyone looks at cybercrime is they’re all interested in the rockstars and all the exciting stuff,” Clayton told KrebsOnSecurity. “The message put out there is that cybercrime is lucrative and exciting, when for most of the people involved it’s absolutely not the case.”

    From the paper:

    “We find that as cybercrime has developed into industrialized illicit economies, so too have a range of tedious supportive forms of labor proliferated, much as in mainstream industrialized economies. We argue that cybercrime economies in advanced states of growth have begun to create their own tedious, low-fulfillment jobs, becoming less about charismatic transgression and deviant identity, and more about stability and the management and diffusion of risk. Those who take part in them, the research literature suggests, may well be initially attracted by exciting media portrayals of hackers and technological deviance.”

    “However, the kinds of work and practices in which they actually become involved are not reflective of the excitement and exploration which characterized early ‘hacker’ communities, but are more similar to low-level work in drug dealing gangs, involving making petty amounts of money for tedious work in the service of aspirations that they may one day be one of the major players. This creates the same conditions of boredom…which are found in mainstream jobs when the reality emerges that these status and financial goals are as blocked in the illicit economy as they are in the regular job market.”

    The researchers drew on interviews with people engaged in such enterprises, case studies on ex- or reformed criminal hackers, and from scraping posts by denizens of underground forums and chat channels. They focused on the activity needed to keep various crime services operating efficiently and free from disruption from interlopers, internecine conflict, law enforcement or competitors.

    BOOTER BLUES

    For example, running an effective booter service requires a substantial amount of administrative work and maintenance, much of which involves constantly scanning for, commandeering and managing large collections of remote systems that can be used to amplify online attacks.

    Booter services (a.k.a. “stressers”) — like many other cybercrime-as-a-service offerings — tend to live or die by their reputation for uptime, effectiveness, treating customers fairly, and for quickly responding to inquiries or concerns from users. As a result, these services typically require substantial investment in staff needed for customer support work (through a ticketing system or a realtime chat service) when issues arise with payments or with clueless customers failing to understand how to use the service.

    In one interview with a former administrator of a booter service, the proprietor told researchers he quit and went on with a normal life after getting tired of dealing with customers who took for granted all the grunt work needed to keep the service running. From the interview:

    “And after doing [it] for almost a year, I lost all motivation, and really didn’t care anymore. So I just left and went on with life. It wasn’t challenging enough at all. Creating a stresser is easy. Providing the power to run it is the tricky part. And when you have to put all your effort, all your attention. When you have to sit in front of a computer screen and scan, filter, then filter again over 30 amps per 4 hours it gets annoying.”

    The researchers note that this burnout is an important feature of customer support work, “which is characterized less by a progressive disengagement with a once-interesting activity, and more by the gradual build-up of boredom and disenchantment, once the low ceiling of social and financial capital which can be gained from this work is reached.”

    WHINY CUSTOMERS

    Running a malware-as-a-service offering also can take its toll on developers, who quickly find themselves overwhelmed with customer support requests and negative feedback when a well-functioning service has intermittent outages.

    Indeed, the author of the infamous ZeuS Trojan — a powerful password stealing tool that paved the way for hundreds of millions of dollars stolen from hacked businesses — is reputed to have quit the job and released the source code for the malware (thus spawning an entire industry of malware-as-a-service offerings) mainly to focus his skills on less tedious work than supporting hundreds of customers.

    “While they may sound glamorous, providing these cybercrime services require the same levels of boring, routine work as is needed for many non-criminal enterprises, such as system administration, design, maintenance, customer service, patching, bug-fixing, account-keeping, responding to sales queries, and so on,” the report continues.

    To some degree, the ZeuS author's experience may not be the best example, because his desire to get away from supporting hundreds of customers ultimately led to his focusing attention and resources on building a far more sophisticated malware threat — the peer-to-peer based Gameover malware that he leased to a small group of organized crime groups.

    Likewise, the cover story in this month’s Wired magazine profiles Marcus Hutchins, who said he “quickly grew bored with his botnets and his hosting service, which he found involved placating a lot of ‘whiny customers.’ So he quit and began to focus on something he enjoyed far more: perfecting his own malware.”

    BORING THEM OUT OF BUSINESS

    Cambridge’s Clayton and his colleagues argue the last two examples are more the exception than the rule, and that their research points to important policy implications for fighting cybercrime that are often discounted or overlooked: Namely, interventions that focus on the economics of attention and boredom, and on making such work as laborious and boring as possible.

    Many cybersecurity experts often remark that taking down domain names and other infrastructure tied to cybercrime businesses amounts to little more than a game of whack-a-mole, because the perpetrators simply move somewhere else to resume their operations. But the Cambridge researchers note that each takedown creates further repetitive, tedious, work for the administrators to set up their sites anew.

    “Recent research shows that the booter market is particularly susceptible to interventions targeted at this infrastructural work, which make the jobs of these server managers more boring and more risky,” the researchers note.

    The paper takes care to note that its depictions of the ‘boredom’ of the untrained administrative work carried out in the illicit economy should not be taken as impugning the valuable and complex work of legitimate system administrators. “Rather, it is to recognize that this is a different kind of knowledge and set of skills from engineering work, which needs to be taught, learned, and managed differently.”

    The authors conclude that refocusing interventions in this way might also be supported by changes to the predominant forms of messaging used by law enforcement and policy professionals around cybercrime:

    “If participation within these economies is in fact based in deviant aspiration rather than deviant experience, the currently dominant approaches to messaging, which tend to focus on the dangerous and harmful nature of these behaviors, the high levels of technical skill possessed by cybercrime actors, the large amounts of money made in illicit online economies, and the risk of detection, arrest, and prosecution are potentially counterproductive, only feeding the aspiration which drives this work. Conversely, by emphasizing the tedious, low-skilled, low-paid, and low-status reality of much of this work, messaging could potentially dissuade those involved in deviant online subcultures from making the leap from posting on forums to committing low-level crime.”

    “Additionally, diversionary interventions that emphasize the shortage of sysadmin and ‘pen tester’ workers in the legitimate economy (“you could be paid really good money for doing the same things in a proper job”) need to recognize that pathways, motivations, and experiences may be rather more prosaic than might be expected.”

    “Conceptualizing cybercrime actors as high-skilled, creative adolescents with a deep love for and understanding of technology may in fact mischaracterize most of the people on whom these markets depend, who are often low-skilled administrators who understand fairly little about the systems they maintain and administer, and whose approach is more akin to the practical knowledge of the maintainer than the systematic knowledge of a software engineer or security researcher. Finding all these bored people appropriate jobs in the legitimate economy may be as much about providing basic training as about parachuting superstars into key positions.”

    Further reading: Cybercrime is (often) Boring: Maintaining the Infrastructure of Cybercrime Economies (PDF).

    ICT solutions provider NTT Com discloses security breach

    NTT Communications (NTT Com), a subsidiary of tech giant NTT Corp, disclosed a data breach that impacted hundreds of customers.


    NTT Com provides network management, security and solution services to consumers, corporations and governments.

    NTT Com Group has more than 30 companies in the Asia-Pacific region, Europe and the Americas.

    The company launched an investigation after discovering unauthorized access to some systems on May 7, and this week it confirmed that threat actors may have stolen data.

    “NTT Communications (hereafter NTT Com) detected an unauthorized access to our equipment that has been made by an attacker on May 7, and the possibility that some information may have leaked to the outside was confirmed on May 11.” reads the data breach notification.

    Experts at NTT Com initially noticed suspicious activity on an Active Directory server, then discovered that threat actors had breached an operational server and an information management server that stored customer information.

    The internal investigation revealed that attackers initially compromised a server in Singapore, then used it for lateral movement to reach the infrastructure in Japan.

    In response to the incident, the company shut down the impacted servers to prevent the malware from spreading and communicating with external servers.

    According to NTT, the security breach could impact 621 companies whose information was stored on the information management server.

    The company announced that it has taken additional measures to prevent similar attacks in the future.

    Other major Japanese companies recently disclosed security breaches, some of which took place years ago, including NEC, Mitsubishi Electric, Pasco and Kobe Steel.

    Pierluigi Paganini

    (SecurityAffairs – NTT, hacking)

    The post ICT solutions provider NTT Com discloses security breach appeared first on Security Affairs.