How to Spot Phishing Lures

Phishing attacks, in which scammers try to trick you out of your private information or money, are one of the most prevalent threats we see today. Part of the problem is that the cybercriminals have numerous ways in which to hook you, either online, over the phone, or even in person.

In today’s busy world we are often bombarded with information and it can be hard to tell who to trust, and when to be wary. But given that new phishing web pages grew by 900,000 in the third-quarter of 2018 alone, costing consumers and businesses potentially billions of dollars, it’s worth learning more about common phishing lures and how to avoid them. After all, most malware is delivered by phishing attacks, and malware grew by a stunning 53% in the third quarter of last year.

The first thing you should know about phishing is that it almost always involves a form of “social engineering”, in which the scammer tries to manipulate you into trusting them for fraudulent purposes, often by pretending to be a legitimate person or business.

You can get a better idea of how this works by learning about some of the most popular threats circulating today, the first of which are a growing number of business-related scams:

  • The CEO/Executive Scam—This scam appears as an email from a leader in your organization, asking for highly sensitive information like company accounts, employee salaries and Social Security numbers, or even sensitive client information.The hackers “spoof”, or fake, the executive’s email address so it looks like a legitimate internal company email. That’s what makes this, and the other business scams, so convincing—the lure is that you want to do your job well and please your coworkers.
  • The Business Entity Scam—This one targets corporations with the clever trick of filing phony Statements of Information with the Secretary of State using the government’s website. The fraudsters then use these doctored statements to apply for hard money loans, using them to prove they have assets. This scam works because the states don’t double check corporate statements for accuracy.
  • File Sharing & DocuSign—Phony requests to access files in Dropbox accounts are on the rise, tricking workers into clicking on dangerous links that download malware. There has also been a rash of threats masquerading as requests to electronically sign documents, pretending to be legitimate services like DocuSign, which is often used for real estate and other important transactions.
  • The Urgent Email Attachment—Phishing emails that try to trick you into downloading a dangerous attachment that can potentially infect your computer and steal your private information have been around for a long time. This is because they work. You’ve probably received emails asking you to download attachments confirming a package delivery, trip itinerary, or prize. They might urge you to “respond immediately!” The lure here is offering you something you want, and invoking a sense of urgency to get you to click.
  • The “Lucky” Phone Call—How fortunate! You’ve won a free gift, an exclusive service, or a great deal on a trip to Las Vegas. Just remember, whatever “limited time offer” you’re being sold, it’s probably a phishing scam designed to get you to give up your credit card number or identity information. The lure here is something free or exciting at what appears to be little or no cost to you.
  • The Romance Scam—This one can happen completely online, over the phone, or in person once contact is established. But the romance scam always starts with someone supposedly looking for love. The scammer often puts a phony ad online, or poses as a friend-of-a-friend on social media and contacts you directly. But what starts as the promise of love or partnership, often leads to requests for money or pricey gifts. The lure here is simple—love and acceptance.
  • The Mobile Phish—Our heavy use of mobile devices have given scammers yet another avenue of attack. They may distribute fake mobile apps that secretly gather your personal information in the background, or they could send phony text messages, inviting you to click on a dangerous link. Either way, you may be misled by a false sense of trust in who has access to your mobile device. In this case, you may be lured by the convenience of an app, or expediency of a message.

Here are some more smart ways not to get hooked:

  • Be wary of anyone who asks for more information than they need, even if you are talking to a company or bank you do business with.
  • When responding to a message, first check to see if you recognize the sender’s name and email address.
  • Before clicking on a link, hover over it to see if the URL address looks legitimate.
  • Before logging into an online account, make sure the web address is correct.
    Phishers often forge legitimate websites, like online storage accounts, hoping to trick you into entering your login details.
  • Avoid “free” offers, or deals that sound too good to be true. They probably are.
  • Review your bank statements and business filings on a regular basis to check for suspicious activities.
  • Always use comprehensive security software to protect your devices and information from malware and other threats that might result from a phishing scam.

Looking for more mobile security tips and trends? Be sure to follow @McAfee Home on Twitter, and like us on Facebook.

 

The post How to Spot Phishing Lures appeared first on McAfee Blogs.

Bigger Rewards for Security Bugs

Chrome has always been built with security at its core, by a passionate worldwide community as part of the Chromium open source project. We're proud that community includes world class security researchers who help defend Chrome, and other Chromium based browsers.

Back in 2010 we created the Chrome Vulnerability Rewards Program which provides cash rewards to researchers for finding and reporting security bugs that help keep our users safe. Since its inception the program has received over 8,500 reports and paid out over five million dollars! A big thank you to every one of the researchers - it's an honor working with you.

Over the years we've expanded the program, including rewarding full chain exploits on Chrome OS, and the Chrome Fuzzer Program, where we run researchers' fuzzers on thousands of Google cores and automatically submit bugs they find for reward.

Today, we're delighted to announce an across the board increase in our reward amounts! Full details can be found on our program rules page but highlights include tripling the maximum baseline reward amount from $5,000 to $15,000 and doubling the maximum reward amount for high quality reports from $15,000 to $30,000. The additional bonus given to bugs found by fuzzers running under Chrome Fuzzer Program is also doubling to $1,000.

We've also clarified what we consider a high quality report, to help reporters get the highest possible reward, and we've updated the bug categories to better reflect the types of bugs that are reported and that we are most interested in.

But that's not all! On Chrome OS we're increasing our standing reward to $150,000 for exploit chains that can compromise a Chromebook or Chromebox with persistence in guest mode. Security bug in firmware and lock screen bypasses also get their own reward categories.

These new reward amounts will apply to bugs submitted after today on the Chromium bug tracker using the Security template. As always, see the Chrome Vulnerability Reward Program Rules for full details about the program.

In other news, our friends over at the Google Play Security Reward Program have increased their rewards for remote code execution bugs from $5,000 to $20,000, theft of insecure private data from $1,000 to $3,000, and access to protected app components from $1,000 to $3,000. The Google Play Security Reward Program also pays bonus rewards for responsibly disclosing vulnerabilities to participating app developers. Check out the program to learn more and see which apps are in scope.

Happy bug hunting!

Security Experts Warn Against Use of FaceApp

Security Experts Warn Against Use of FaceApp

Security experts are warning the public not to partake in the FaceApp craze, which is being exacerbated by the #FaceAppChallenge that is going viral on social media, according to multiple reports. 

While security experts and privacy advocates are warning users to avoid the app, Senator Chuck Schumer has requested that the Federal Bureau of Investigation (FBI) and the Federal Trade Commission (FTC) investigate whether there are adequate safeguards in place to protect the privacy of the app’s users. 

"FaceApp's location in Russia raises questions regarding how and when the company provides access to the data of U.S. citizens to third parties, including foreign governments," wrote Schumer.

Created in 2017 by developers at Wireless Lab in St. Petersburg, Russia, FaceApp now has access to the face and images of over 150 million people, Forbes reported. Users’ photos are being uploaded to the cloud, yet the terms and conditions grant FaceApp the ability to do additional processing locally on their device.

“To make FaceApp actually work, you have to give it permissions to access your photos – ALL of them. But it also gains access to Siri and Search....Oh, and it has access to refreshing in the background – so even when you are not using it, it is using you,” tweeted technology author Rob La Gesse, who warned users who have installed the app to delete it. 

“FaceApp serves as an important reminder that free isn't free when it comes to apps. The user and his/her [photo are] the commodity, whether sold for purposes like marketing or more nefarious things like identity theft and creation of deep fakes. Don't use apps that need access to all your data and be sure to read the EULAs to ensure the app gives users some sort of control and protection based on where the data is stored and processed," said Rick McElroy, head of security strategy at Carbon Black.

What Is The True Score of AI VS Malware?

We admit here in hackercombat.com, we are one of the cybersecurity news organizations that somewhat hyped Artificial Intelligence (AI) when it comes to cybersecurity. We wrote numerous articles heralding the “hero” that will save us from the seemingly endless cat and mouse race between discovering a vulnerability that is currently exploited, and the time the vendor issues the patch addressing the vulnerability. We are no different from other tech sites which placed AI as a possible solution to the human labor-intensive process in order to quash software bugs, let alone the security flaws it enables.

IBM Security exposed the world’s dependence on the “hero”, the AI being mistakenly identified by many cybersecurity organizations as a silver bullet of our current cybersecurity problems. Big Blue considers such a premise as bias, indeed, IBM is correct. Seemingly the industry is so used to the intensive labor procedure of fixing a discovered security flaw. It takes humans to discover a bug, report it to the vendor and another unknown period until the latter issues the patch which will quash the bug. That is, of course, is an ideal situation, many of the flaws were discovered, weaponized by cybercriminals without the vendor knowing its existence for weeks, months or even years. It takes a “good samaritan” to finally report the bug with enough details to the developers, who is the only one that can issue a fix.

One is the algorithm itself. Is it biased in the way it’s approached, and the outcome it’s trying to solve? If you’re trying to solve the wrong outcome, and the outcome is biased, then your algorithm is biased. It’s not like the bad guys are waiting for us to learn how to do this. So, the faster we get there, the better off (we are),” hinted Aarti Borkar, IBM Security’s Vice President.

Antivirus products and End Point services for decades have employed heuristics scanning, which in itself is a crude type of artificial intelligence. Heuristics scanning claims to detect threats that signature-based scanning cannot accomplish, as the latter requires the actual virus signature present in its scanning engine to detect the particular malware. Instead of causing the number of malware to plummet, cybercriminals took the challenge – employing a combination of virus development and social engineering in their campaigns.

Heuristics scanning technologies predates all the current crop of malware we are encountering such as ransomware, cryptocurrency mining malware and stealth banking trojans. Current heuristics from a practical standpoint were unable to disable infection from those mentioned threats. We continue to hear news of local governments operations disabled due to ransomware infections, and all of them paid the steep ransom demand of cybercriminals.

Other than that Artificial Intelligence technologies will continue to improve, maybe in a year or two from now, we will post a follow-up article expressing our happiness as AI becomes truly effective against the campaigns launched by malware authors. Till then, we will continue reporting stories about malware infections, even if that means we will indirectly implicate the ineffectiveness of today’s antimalware software products.

Also Read,

Artificial Intelligence’s Deep Learning, A New Cybersecurity Tool?

A New Malware Called Silex Targets IoT Devices

BabyShark Malware Targeting Nuclear and Cryptocurrency Industries

The post What Is The True Score of AI VS Malware? appeared first on .

Data Privacy and Security Risks in Healthcare

Healthcare is a business much like all verticals I work with; however, it has a whole different set of concerns beyond those of traditional businesses. The compounding threats of malware, data thieves, supply chain issues, and the limited understanding of security within healthcare introduces astronomical risk. Walking through a hospital a few weeks ago, I was quickly reminded of how many different devices are used in healthcare—CT scanners, traditional laptops, desktops, and various other devices that could be classified as IoT.

Sitting in the hospital, I witnessed people reporting for treatment being required to sign and date various forms electronically. Then, on a fixed-function device, patients were asked to provide a palm scan for additional biometric confirmation. Credit card information, patient history, and all sorts of other data was also exchanged. In my opinion, patients should be asking, “Once the sign-in process is complete, where is the patient data stored, and who has access to it? Is it locked away, encrypted, or sent to the “cloud” where it’s stored and retrieved as necessary? If it’s stored on the cloud, who has access to that?” I do recall seeing a form asking that I consent to releasing records electronically, but that brings up a whole new line of questions. I could go on and on …

Are these challenges unique to healthcare? I would contend that at some level, no, they’re not. Every vertical I work with has compounding pressures based on the ever-increasing attack surface area. More devices mean more potential vulnerabilities and risk. Think about your home: You no doubt have internet access through a device you don’t control, a router, and many other devices attached to that network. Each device generally has a unique operating system with its own set of capabilities and with its own set of complexities. Heck, my refrigerator has an IP address associated with it these days! In healthcare, the risks are the same, but on a bigger scale. There are lives at stake, and the various staff members—from doctors, to nurses, to administrators—are there to hopefully focus on the patient and the experience. They don’t have the time or necessarily the education to understand the threat landscape—they simply need the devices and systems in the hospital network to “just work.”

Many times, I see doctors in hospital networks and clinics get fed up with having to enter and change passwords. As a result, they’ll bring in their personal laptops to bypass what IT security has put in place. Rogue devices have always been an issue, and since those devices are accessing patient records without tight security controls, they are a conduit for data loss. Furthermore, that data is being accessed from outside the network using cloud services. Teleradiology is a great example of how many different access points there are for patient data—from the referring doctor, to the radiologist, to the hospital, and more.

Figure 1:  Remote Teleradiology Architecture

With healthcare, as in most industries, the exposure risk is potentially great. The solution, as always, will come from identifying the most important thing that needs to be protected, and figuring out the best way to safeguard it. In this case, it is patient data, but that data is not just sitting locked up in a file cabinet in the back of the office anymore. The data is everywhere—it’s on laptops, mobile devices, servers, and now more than ever in cloud services such as IaaS, PaaS and SaaS. Fragmented data drives great uncertainty as to where the data is and who has access to it.

The security industry as a whole needs to step up. There is a need for a unified approach to healthcare data. No matter where it sits, there needs to be some level of technical control over it based on who needs access to it. Furthermore, as that data is traversing between traditional data centers and the cloud, we need to be able to track where it is and whether or not it has the right permissions assigned to it.

The market has sped up, and new trends in technology are challenging organizations every day. In order to help you keep up, McAfee for Healthcare (and other verticals) are focusing on the following areas:

  • Device – OS platforms—including mobile devices, Chromebooks and IoT—are increasingly locked down, but the steadily increasing number of devices provides other avenues for attack and data loss.
  • Network – Networks are becoming more opaque. HTTP is rarely used anymore in favor of HTTPS, so the need for a CASB safety net is essential in order to see the data stored with services such as Box or OneDrive.
  • Cloud – With workloads increasingly moving to the cloud, the traditional datacenter has been largely replaced by IaaS and PaaS environments. Lines of business are moving to the cloud with little oversight from the security teams.
  • Talent – Security expertise is extremely difficult to find. The talent shortage is real, particularly when it comes to cloud and cloud security. There is also a major shortage in quality security professionals capable of threat hunting and incident response.

McAfee has a three-pronged approach to addressing and mitigating these concerns:

  • Platform Approach – Unified management and orchestration with a consistent user experience and differentiated insights, delivered in the cloud.
    • To enhance the plaform, there is a large focus on Platform Driven Managed Services—focused on selling outcomes, not just technology.
  • Minimized Device Footprint – Powerful yet minimally invasive protection, detection and response spanning full-stack tech, native engine management and ‘as a service’ browser isolation. This is becoming increasingly important as the typical healthcare environment has an increasing variety of endpoints but contuinues to be limited in resources such as RAM and CPU.
  • Unified Cloud Security – Spanning data centers, integrated web gateway/SaaS, DLP and CASB. The unification of these technologies provides a safety net for data moving to the cloud, as well as the ability to enforce controls as data moves from on-prem to cloud services. Furthermore, the unification of DLP and CASB offers a “1 Policy” for both models, making administration simpler and more consistent. Consistent policy definition and enforcement is ideal for healthcare, where patient data privacy is essential.

In summary, security in healthcare is a complex undertaking. A vast attack surface area, the transformation to cloud services, the need to for data privacy and the talent shortage compound the overall problem of security in healthcare. At McAfee, we plan to address these issues through innovative technologies that offer a consistent way to define policy by leveraging a superior platform. We’re also utilizing sophisticated machine learning to simplify the detection of and response to bad actors and malware. These technologies are ideal for healthcare and will offer any healthcare organization long-term stability across the spectrum of security requirements.

The post Data Privacy and Security Risks in Healthcare appeared first on McAfee Blogs.

Experts detailed new StrongPity cyberespionage campaigns

Experts at AT&T’s Alien Labs recently discovered an ongoing campaign conducted by StrongPity threat actor that abuses malicious WinBox installers to infect victims.

AT&T’s Alien Labs experts recently discovered an ongoing campaign conducted by StrongPity APT group that abuses malicious WinBox installers to infect victims.

The activity of the group was initially uncovered in 2016 when experts at Kaspersky observed the cyberespionage group targeting users in Europe, in the Middle East, and in Northern Africa. The group set up malicious sites mimicking legitimate ones to carry out watering holes to deliver tainted installers and malware.

The new campaign started in the second half of 2018, attackers used once again tainted version of popular software like WinRAR to compromise victims’ systems.

“Alien Labs has identified an unreported and ongoing malware campaign, which we attribute with high confidence to the adversary publicly reported as “StrongPity”. Based on compilation times, infrastructure, and public distribution of samples – we assess the campaign operated from the second half of 2018 into today (July 2019).” reads the analysis published by the researchers. “We have also identified StrongPity deploying malicious versions of the WinBox router management software, WinRAR, and other trusted software to compromise targets.”

The new malware samples analyzed in July 2019 appear to have been rebuild by the group in response to public reporting on the group’s activities. The analysis of compilation times, infrastructure build and use, and public distribution of samples allowed the experts to attribute the activity to StrongPity group.

One of the samples employed by the hackers in the recent campaign is a malicious installer for the WinBox, which is the management console for MikroTik’s RouterOS software.

The installer implements all of the features of the legitimate software, but it installs the StrongPity malware on the target’s machine.

winbox GUI StrongPity 2

The malware operates similarly to previously reported variants, it implements spyware capabilities and allows the attacker to get remote access to the compromised machine. The malicious code communicate with the command and control (C&C) infrastructure over SSL.

“The malicious WinBox installer drops the StrongPity sample into the Windows Temporary directory as %temp%\DDF5-CC44CDB42E5\wintcsr.exe. Similar to previous reports of StrongPity, the malware communicates with the C2 server over SSL.” Alien Labs notes.

“Reviewing the compilation timestamps of the identified malware, various clusters of individual campaign start times can be noticed, stretching back into the previous reports of early 2018,”

The APT group used also newer versions of tainted WinRAR software, as well as a tool called Internet Download Manager (IDM).

Experts were not able to exactly determine the delivery mechanism of the tainted installers, however, it is likely that methods used in past campaigns such as regional download redirecting from ISPs are still used.

The choice of using installers for software like WinRAR, WinBox, and IDM suggests that the StrongPity is continuing to target technically-oriented victims.

“Overall, the identified TTPs, newer versions of StrongPity, and the legitimate software used to deliver it operate in ways similar to how the adversary has historically operated.” concludes the report. “This is likely due to the high amounts of operational success for the adversary with minimal modification to evade detection following public reporting over the years.”

Pierluigi Paganini

(SecurityAffairs – StrongPity, APT)

The post Experts detailed new StrongPity cyberespionage campaigns appeared first on Security Affairs.

How Will Companies Deploy Industrial IoT Security Solutions?

Industrial IoT (IIoT) devices will comprise the majority of the billions of IoT devices deployed over the next decade. How will the information security market meet this onslaught of technology?

The consumer market is not a useful guide for this analysis. Consumers buy in small quantities and choose to deploy information security tools piecemeal. Few consumers buy smart phone security products, usually after experiencing an incident. The industrial market is more sensitive to risk.

Industrial-scale IoT devices must have low price points. Once an enterprise decides to deploy a fleet of IIoT technology, they seek out the lowest price product that will meet their needs. This puts pressure on manufacturers to keep costs low. IIoT device manufacturers will not spend extra resources designing, installing, testing, and configuring effective security measures voluntarily. Government regulation will change this reluctance, but until forced to do so buyers will have to secure their devices after installation.

What will the IIoT security market look like? Given the low purchase price and vast scale of deployments, there will be a negligible aftermarket for individual IIoT device security software or hardware. The market will focus on aggregation points, concentrators, gateways, and network access devices.

Consider a solar panel farm. The largest solar farm now under construction, the Egyptian Benban solar park near Aswan, will cost about $4 billion, and should come on-line in 2020. Ten times larger than New York City’s Central Park, it will generate 1.8 gigawatts using 5 million panels. Each panel has an inverter and a sensor, and every 16 panels has a PLC (programmable logic controller). This farm will have 10 million edge IIoT devices and 312,500 PLCs.

How would you secure over 10 million IIoT devices? Assume the control systems are centralized. By protecting the external gateway only, you spend the least, but if any problem gets in, the plant could be disabled or destroyed. Segmentation costs more, but reduces the attack surface and impedes the spread of malware.

What is the optimum number of cells? There is no hard and fast rule. The cost of a device increases with its capacity, so having a few large cells would require powerful security appliances. More cells will reduce the impact of a breach, and lessen the load per appliance, allowing a lower price point. With one appliance for every thousand PLCs (covering 16,000 panels, meaning 32,000 IIoT devices) the configuration would need over three hundred appliances, with monitoring and control through an appropriately configured automation and management hub. The appliance cost would be miniscule compared with the total cost of the overall configuration.

The full security configuration would include the engineering and architecture skill to design and site the appliances, the architecture and deployment of the management hubs (dual for high availability), and the training for ongoing operations and maintenance. IIoT security vendors will work through channel partners with expertise in the specific vertical industries they serve.

Project managers for large industrial IoT deployments should work with their IT channel and OT engineering teams to identify the most cost-effective sourcing and deployment options for comprehensive, effective IT/OT security.

What do you think? Let me know, either in the comments below or @WilliamMalikTM.

The post How Will Companies Deploy Industrial IoT Security Solutions? appeared first on .

California State Auditors Say Government IT is Flawed

California State Auditors Say Government IT is Flawed

Weaknesses in the information security of some California state offices were brought to light after the state auditor called for additional oversight and regular assessments, according to the report Gaps in Oversight Contribute to Weaknesses in the State’s Information Security.

In the midst of ongoing conversations around the security of customer data and less than six months before the California Consumer Privacy Act (CCPA) is scheduled to go into effect, the report comes at a time when governments are grappling with the ever-growing threat of cyber-attacks. 

According to the report from state auditor Elaine Howle, the personal information of California residents may not be protected because of flaws in the government’s IT systems. “We surveyed 33 non-reporting entities from around the State and reviewed 10 of them in detail. Twenty-nine of the 33 obtained an information security assessment to evaluate their compliance with the specific security standards they selected, 24 learned that they were only partially compliant, and 21 identified high-risk deficiencies,” the report said.

Howle called for state agencies to do more in order to effectively safeguard the information that state government agencies collect, maintain and store. Additionally, Howle noted that “the non-reporting entities we surveyed may be unaware of additional information security weaknesses because many of them relied upon information security assessments that were limited in scope.”

Because California has usually been considered a trailblazer when it comes to information security and data privacy practices, Ben Sadeghipour, head of hacker operations at HackerOne, said the auditor’s report comes as a surprise. “When you are a large government agency like the State of California dealing with the data of almost 40 million residents, it is absolutely critical to have consistency across information security policies, especially among the numerous government entities who are tasked with handling, storing and safeguarding personal data,” said Sadeghipour.

“Cyber-criminals are constantly searching for ways to exploit vulnerabilities, especially in the government sector due to the notion that they are easy targets with a goldmine of data. Every government agency, regardless of budget, should at minimum implement a vulnerability disclosure policy (VDP) so that security researchers or ethical hackers can find those vulnerabilities before the bad guys do.”

Identity Theft on the Job Market

Identity theft is getting more subtle: "My job application was withdrawn by someone pretending to be me":

When Mr Fearn applied for a job at the company he didn't hear back.

He said the recruitment team said they'd get back to him by Friday, but they never did.

At first, he assumed he was unsuccessful, but after emailing his contact there, it turned out someone had created a Gmail account in his name and asked the company to withdraw his application.

Mr Fearn said the talent assistant told him they were confused because he had apparently emailed them to withdraw his application on Wednesday.

"They forwarded the email, which was sent from an account using my name."

He said he felt "really shocked and violated" to find out that someone had created an email account in his name just to tarnish his chances of getting a role.

This is about as low-tech as it gets. It's trivially for me to open a new Gmail account using a random first and last name. But because people innately trust email, it works.

Thousands of NHS computers are still running Windows XP from beyond the grave

Two years after the WannaCry ransomware outbreak shone a light on the computer security of the the UK’s National Health Service, and five years after Microsoft said it would no longer release patches for Windows XP, the NHS still has 2300 PCs running the outdated operating system.

Read more in my article on the Tripwire State of Security blog.

Thousands of NHS computers are still running Windows XP from beyond the grave

Two years after the WannaCry ransomware outbreak shone a light on the computer security of the UK’s National Health Service, and five years after Microsoft said it would no longer release patches for Windows XP, the NHS still has 2,300 PCs running the outdated operating system. The worrying statistic came to light in the response to a parliamentary question […]… Read More

The post Thousands of NHS computers are still running Windows XP from beyond the grave appeared first on The State of Security.

Malicious Python packages found on PyPI

Researchers have uncovered another batch of malicious Python libraries hosted on Python Package Index (PyPI). The malicious packages PyPI is the official third-party software repository for Python and a great source of open source libraries and modules for implementing common functionalities. Unfortunately, if a malicious component ends up on it, chances are many developers will download and implement it before it is discovered and removed from the repository. This happened with libpeshnx, libpesh and libari, … More

The post Malicious Python packages found on PyPI appeared first on Help Net Security.

IDG Contributor Network: Brand reputation at risk

The world is going digital at an unprecedented pace. Established business models are reaching the end of their life cycle. New market entrants are disruptively entering the arena with asset-light balance sheets, build upon platforms and apps, which turn the dynamics of competition upside-down. Technology, media and entertainment, and telco (TMT) companies are at the forefront of this wave.

Although many TMT companies are leaders in digital transformation, they arguably more vulnerable to cyber-attacks than other industries, with the consequences of a breach more serious as highlighted in EY’s GISS 2018-19. Unlike the global panel, this excerpt focuses on consolidated findings from TMT companies.

To read this article in full, please click here

Microsoft Observed Nation-State Attacks Targeting 10,000 of Its Customers

Microsoft has notified approximately 10,000 of its customers that they were the targets of nation-state attacks over the past year. On 17 July, Microsoft’s Corporate Vice President of Customer Security & Trust Tom Burt revealed that 84 percent of those attacks had targeted the tech giant’s enterprise customers. The remaining 16 percent of campaigns went […]… Read More

The post Microsoft Observed Nation-State Attacks Targeting 10,000 of Its Customers appeared first on The State of Security.

Security is Biggest Digital Transformation Concern

Security is Biggest Digital Transformation Concern

Cybersecurity is viewed as the biggest single risk to digital transformation projects, but most organizations aren’t involving CISOs early enough in projects, according to new research from Nominet.

The .uk registry and DNS security organization polled 274 CISOs, CIOs, CTOs and others with responsibility for security in US and UK organizations.

It found that the vast majority (93%) were implementing digital transformation projects, although of the small number who weren’t, more than a quarter (27%) said it is because of security concerns.

Cybersecurity was also far and away the biggest worry for those currently undertaking such projects, with 53% citing it as a top-three threat. Some 95% expressed some concern, with over two-fifths (41%) either “very” or “extremely” concerned.

Topping these concerns were exposure of customer data (60%), cyber-criminal sophistication (56%), an increased threat surface (53%), visibility blind spots (44%), and IoT devices (39%).

Although a third (34%) of respondents claimed security was considered during the development of the digital transformation strategy, many left it to the pre-implementation (28%) and implementation (28%) stages, or even post-implementation (9%). Some 2% said security wasn’t considered at all.

IT leaders may be over-confident in their ability to mitigate cyber-risk in digital transformation. Some 82% of respondents claimed it was considered early enough in their projects and 85% scored it near top marks for effectiveness, despite 86% having suffered a breach in the past 12 months.

What's more, a majority of partners (59%), customers (55%) and industry/regulatory bodies (54%) had queried the robustness of their approach.

“For any IT project it is absolutely fundamental that security is considered from word go. Otherwise, you end up trying to retrospectively fit security to a system and that results in gaps and vulnerabilities in the security architecture,” argued Nominet CISO, Cath Goulding.

“With digital transformation you have to be sure that when you’re bringing in new applications, security is considered from the outset. More than this though, in a digital transformation project, the real trick is to manage the security considerations of legacy and new applications simultaneously.”

On the plus side, 31% of respondents reported that 11-25% of their digital transformation budget is allocated to cybersecurity, with over a fifth (23%) claiming that 26-50% is set aside.

Authentication and the Have I Been Pwned API

Authentication and the Have I Been Pwned API

The very first feature I added to Have I Been Pwned after I launched it back in December 2013 was the public API. My thinking at the time was that it would make the data more easily accessible to more people to go and do awesome things; build mobile clients, integrate into security tools and surface more information to more people to enable them to do positive and constructive things with the data. I highlighted 3 really important attributes at the time of launch:

There is no authentication.

There is no rate limiting.

There is no cost.

One of those changed nearly 3 years ago now - I had to add a rate limit. The other 2 are changing today and I want to clearly explain why.

Identifying Abusive API Usage

Let me start with a graph:

Authentication and the Have I Been Pwned API

This is executions of the V2 API that enables you to search an individual email address. There's 1.06M requests in that 24 hour period with 491k of them in the last 4 hours. Even with the rate limit of 1 request every 1,500ms per IP address enforced, that graph shows a very clear influx of requests peaking at 14k per minute. How? Well let's pull the logs from Cloudflare and see:

Authentication and the Have I Been Pwned API

This is the output of a little log analyser I wrote that breaks requests down by ASN (and other metrics) over the past hour. There were 15,573 requests from AS23969 across 82 unique IP addresses. Have a look at where those IP addresses came from:

Authentication and the Have I Been Pwned API

There is no conceivable way that this is legitimate, organic usage of the API from Thailand. The ASN is owned by TOT Public Company Limited, a local Thai telco that somehow, has ended up with a truckload of IP addresses hitting HIBP at just the right rate to not trigger the rate limit. The next top ASN is Biznet Networks in Indonesia. Then Claro in Brazil. After that there's Digital Ocean and then another Indonesian telco, Telkomnet. It makes for a geographical spread that's entirely inconsistent with legitimate usage of genuine consumers (no, HIBP isn't actually big in Iran!):

Authentication and the Have I Been Pwned API

Late last year after seeing a similar pattern with a well-known hosting provider, I reached out to them to try and better understand what was going on. I provided a bunch of IP addresses which they promptly investigated and reported back to me on:

1- All those servers were compromised. They were either running standalone VPSs or cpanel installations.

2- Most of them were running WordPress or Drupal (I think only 2 were not running any of the two).

3- They all had a malicious cron.php running

This helped me understand the source of the problem, but it didn't get me any closer to actually blocking the abusive behaviour. For the sake of transparency, let me talk about how I tried to tackle this because that will help everyone understand why I've arrived at a very different model to what I started with.

Combating Abuse with Firewall Rules

Firewall rules on Cloudflare are amazingly awesome. It takes just a few seconds to have a rule like this in place:

Authentication and the Have I Been Pwned API

Make more than 40 requests in a minute and you're in the naughty corner for a day. Only thing is, that's IP-based and per the earlier section on abusive patterns, actors with large numbers of IP addresses can largely circumvent this approach. It's still a fantastic turn-key solution that seriously raises the bar for anyone wanting to get around it, but someone determined enough will find a way.

No problems, I'll just take abusive ASNs like the Thai one above and give them the boot. I scripted a lot of them based on patterns in the log files and create a firewall rule like this:

Authentication and the Have I Been Pwned API

That works pretty quickly and is very effective, except for the fact that there's an awful lot of ASNs out there being abused. Plus, it has side-effects I'll come back to shortly too.

So how about looking at user agent strings instead? I mean could always just block the ones bad actors are using, except that was never going to work particularly well for obvious reasons (you can always define whatever one you like). That said, there were a heap of browser UAs which clearly were (almost) never legitimate for a client making API calls. So I blocked these as well:

Authentication and the Have I Been Pwned API

That shouldn't have come as a surprise to anyone as the API docs were actually quite clear about this:

The user agent should accurately describe the nature of the API consumer such that it can be clearly identified in the request. Not doing so may result in the request being blocked.

Problem is, people don't read docs and I ended up with a heap of default user agents (such as curl's) which were summarily blocked. And, of course, the user agent requirement was easily circumvented as I expected it would be and I simply started seeing randomised strings in the UA.

Another approach I toyed with (very transiently) was blocking entire countries from accessing the API. I was always really hesitant to do this, but when 90% of the API traffic was suddenly coming from a country in West Africa, for example, that was a pretty quick win.

I'm only writing about this here now because as the new model comes into place, all of this will be redundant. Plus, I wanted to shed some light on the API behaviour some people may have previously seen which they couldn't quite work out, and that brings me to the next section.

The Impact on Legitimate Usage

The attempts described above to block abuse of the API also blocked a lot of good requests. I feel bad about that because it made something I'd always intended to be easily accessible difficult for some people to use. I hope that by explaining the background here, people will understand why the approaches above were taken and indeed, why the changes I'm going to talk about soon were necessary.

I got way too many emails from people about API requests being blocked to respond to. Often this was due to simply not meeting the API requirements, for example providing a descriptive UA string. Other times it was because they were on the same network as abusive users. There were also those who simply smashed through the rate limit too quickly and got themselves banned for a day. Other times, there were genuine API users in that West African country who found themselves unable to use the service. I was constantly balancing the desire to make the API easily accessible whilst simultaneously trying to ensure it wasn't taken advantage of. In the end, the path forward was clear - the API would need to be authenticated.

The New Model: Authenticated Requests

I held back on this for a long time because adding auth to the API adds a barrier to entry. It also adds coding effort on my end as well as management overhead. However, by earlier this year it became clear that this was the only way forward: requests would have to be auth'd. Doing this solves a heap of problems in one fell swoop:

  1. The rate limit could be applied to an API key thus solving the problem of abusive actors with multiple IP addresses
  2. Abuse associated to an IP, ASN, user agent string or country no longer has to impact other requests matching the same pattern
  3. The rate limit can be just that - a limit rather than also dishing out punishment via the 24 hour block

Making an authenticated call is a piece of cake, you just add an hibp-api-key header as follows:

GET https://haveibeenpwned.com/api/v3/breachedaccount/test@example.com
hibp-api-key: [your key]

However, this wasn't going to completely solve the problem, rather it moved the challenge to the way in which API keys were provisioned. It's no good putting controls around the key itself if a bad actor could just come along and register a heap of them. Anti-automation on the form where a key can be requested is one thing, stopping someone from manually registering, say, 20 of them with different email addresses and massively amplifying their request rate is quite another. I had to raise the bar just high enough to dissuade people from doing this, which brings me to the financial side of things.

There's a US$3.50 per Month Fee to Use the API

Clearly not everyone will be happy with this so let me spend a bit of time here explaining the rationale. This fee is first and foremost to stop abuse of the API. The actors I've seen taking advantage of it are highly unlikely to front up with a credit card and provide what amounts to personally identifiable data (i.e. make a credit card payment) in order to mass enumerate the API.

In choosing the $3.50 figure, I wanted to ensure it was a number that was inconsequential to a legitimate user of the service. That's about what a latte costs at my local coffee shop so spending a few bucks a month to search through billions of records seems like a pretty damn good deal, especially when that rate limit enables 57.6k requests per day.

One thing I want to be crystal clear about here is that the $3.50 fee is no way an attempt to monetise something I always wanted to provide for free. I hope the explanation above helps people understand that, and also the fact the API has run the last 5 and a half years without any auth whatsoever clearly demonstrates that financial gain has never been the intention. Plus, the service I'm using to implement auth and rate limits comes with a direct cost to me:

Authentication and the Have I Been Pwned API

This is from the Azure API Management pricing page which is the service I'm using to provision keys and control rate limits (I'll write a more detailed post on this later on - it's kinda awesome). I chose the $3.50 figure because it represents someone making one million calls. Some people will make much less, some much more - that rate limit represents a possible 1.785 million calls per month. Plus, there's still the costs of function executions, storage queries and egress bandwidth to consider, not to mention the slice of the $3.50 that Stripe takes for processing the payment (all charges are routed through them). The point is that the $3.50 number is pretty much bang on the mark for the cost of providing the service.

What this change does it simultaneously gives me a much higher degree of confidence the API will be used in an ethical fashion whilst also ensuring that those who use it have a much more predictable experience without me dipping deeper and deeper into my own pocket.

The API is Revving to Version 3 (and Has Some Breaking Changes)

With this change, I'm revising the API up to version 3. All documentation on the API page now reflects that and also reflects a few breaking changes, the first of which is obviously the requirement for auth. When using V3, any unauthenticated requests will result in an HTTP 401.

The second breaking change relates to how the versioning is done. Back in 2014, I wrote about how your API versioning is wrong and headlined it with this graphic:

Authentication and the Have I Been Pwned API

I outlined 3 different possible ways of expressing the desired version in API calls, each with their own technical and philosophical pros and cons:

  1. Via the URL
  2. Via a custom request header
  3. Via the accept header

After 4 and a bit years, by far and away the most popular method with an uptake of more than 90% is versioning via the URL. So that's all V3 supports. I don't care about the philosophical arguments to the contrary, I care about working software and in this case, the people have well and truly spoken. I don't want to have to maintain code and provide support for something people barely use when there's a perfectly viable alternative.

Next, I'm inverting the condition expressed in the "truncateResponse" query string. Previously, a call such as this would return all meta data for a breach:

GET https://haveibeenpwned.com/api/v2/breachedaccount/test@example.com

You'd end up with not just the name of the breach, but also how many records were in it, all the impacted data classes, a big long description and a whole bunch of other largely redundant information. I say "redundant" because if you're hitting the API over and over again, you're pulling but the same info for each account that appears in the same breach. Using the "truncateResponse" parameter reduced the response size by 98% but because it wasn't the default, it wasn't used that much. I want to drive the adoption of small responses because not only are they faster for the consumer, they also reduce my bandwidth bill which is one of the most expensive components of HIBP. You can still pull back all the data for each breach if you'd like, you just need to pass "truncateResponse=false" as true is now the default. (Just a note on that: you're far better off making a single call to get all breached sites in the system then referencing that collection by breach name after querying an individual email address.)

I'm also inverting the "includeUnverified" parameter. The original logic for this was that when I launched the concept of unverified breaches, I didn't want existing consumers of the API to suddenly start getting results for breaches which may not be real. However, with the passage of time I've come across a couple of issues with this and the first is that a heap of people consumed the API with the default params (which wouldn't include unverified breaches) and then contacted me asking "why does the API return different results to the front page of HIBP?" The other issue is that I simply haven't flagged very many breaches as unverified and I've also added other classes of breach which deviate from the classic model of loading a single incident clearly attributable to a single site such as the original Adobe breach. There are now spam lists, for example, as well as credential stuffing lists and returning all data by default is much more consistent with the ethos of considering all breached data to be in scope.

The other major thing related to breaking stuff is this:

Versions 1 and 2 of the API for searching breaches and pastes by email address will be disabled in 4 weeks from today on August 18.

I have to do this on an aggressive time frame. Whilst I don't, all the problems mentioned above with abuse of the API continues. When we hit that August due date, the APIs will begin returning HTTP 400 "Bad Request" and that will be the end of them.

One important distinction: this doesn't apply to the APIs that don't pull back information about an email address; the API listing all breaches in the system, for example, is not impacted by any of the changes outlined here. It can be requested with version 3 in the path, but also with previous versions of the API. Because it returns generic, non-personal data it doesn't need to be protected in the same fashion (plus it's really aggressively cached at Cloudflare). Same too for Pwned Passwords - there's absolutely zero impact on that service.

During the next 4 weeks I'll also be getting more aggressive with locking down firewall rules on the previous versions at the first sign of misuse until they're discontinued entirely. They're an easy fix if you're blocked with V2 - get an API key and roll over to V3. Now, about that key...

Protecting the API Key (and How My Problem Becomes Your Problem)

Now that API keys are a thing, let me touch briefly on some of the implications of this as it relates to those of you who've built apps on top of HIBP. And just for context, have a look at the API consumers page to get a sense of the breadth we're talking about; I'll draw some examples out of there.

For code bases such as Brad Dial's Pwny Corral, it's just a matter of adding the hibp-api-key header and a configuration for the key. Users of the script will need to go through the enrolment process to get their own key then they're good to go.

In a case like What's My IP Address' Data Breach Check, we're talking about a website with a search feature that hits their endpoint and then they call HIBP on the server side. The HIBP API key will sit privately on their end and the only thing they'll really need to do is stop people from hammering their service so it doesn't exceed the HIBP rate limit for that key. This is where it becomes their (your) problem rather than mine and that's particularly apparent in the next scenario...

Rich client apps designed for consumer usage such as Outer Corner's Secrets app will need to proxy API hits through their own service. You don't want to push the HIBP API key out with the installer plus you also need to be able to control the rate limit of all your customers so that it doesn't make the service unavailable for others (i.e. one user of Secrets smashes through the rate limit thus making the service unavailable for others).

One last thing on the rate limit: because it's no longer locking you out for a day if exceeded, making too many requests results in a very temporary lack of service (usually single digit seconds). If you're consuming the new auth'd API, handle HTTP 429 responses from HIBP gracefully and ask the user to try again momentarily. Now, with that said, let me give you the code to make it dead easy to both proxy those requests and control the rate at which your subscribers hit the service; here's how to do it with Cloudflare workers and rate limits:

Proxying With a Cloudflare Worker (and Setting Rate Limits)

The fastest way to get up and running with proxying requests to V3 of the HIBP API is with a Cloudflare Worker. This is "serverless code on the edge" or in other words, script that runs on Cloudflare's 180 edge nodes around the world such that when someone makes a request for a particular route, the script kicks in and executes. It's easiest just to have a read of the code below:

Stand up a domain on Cloudflare's free tier (if you're not on there already) then it's $5 per month to send 10M queries through your worker which is obviously way more than you can send to the HIBP API anyway. And while you're there, go and use the firewall rules to lock down a rate limit so your own API isn't hammered too much (keeping in mind some of the challenges I faced when doing this).

The point is that if you need to protect the API key and proxy requests, it's dead simple to do.

"But what if you just..."

I'll get a gazillion suggestions of how I could do this differently. Every single time I talk about the mechanics of how I've built something I always do! The model described in this blog post is the best balance of a whole bunch of different factors; the sustainability of the service, the desire to limit abuse, leveraging the areas my skills lie in, the limited availability of my time and so on and so forth. There are many other factors that also aren't obvious so as much as suggestions for improvements are very welcomed, please keep in mind that they may not work in the broader sense of what's required to run this project.

Caveats

There's a couple of these and they're largely due to me trying to make sure I get this feature out as early as possible and continue to run things on a shoestring cost wise. Firstly, there's no guarantee of support. We do the same thing with entry-level Report URI pricing and it's simply because it's enormously hard to do with the time constraints of a single person running this. That said, if anything is buggy or broken I definitely want to know about it. Secondly, there's no way to retrieve or rotate the API key. If you extend the one-off subscription you'll get the same key back or if you cancel an existing subscription  and take a new one you'll also get the same key. I'll build out better functionality around this in the future.

I'm sure there'll be others that pop up and I'll expand on the items above if I've missed any here.

Summary

The changes I've outlined here strike a balance between making the API available for good purposes, making it harder to use for bad purposes, ensuring stability for all those in the former category and crucially, making it sustainable for me to operate. That last point in particular is critical for me both in terms of reducing abuse and reducing the overhead on me trying to achieve that objective and supporting those who ran into the previously mentioned blocks.

I expect there'll be many requests to change or evolve this model; other payment types, no payment at all for certain individuals or organisations, higher rate limits and so on and so forth. At this stage, my focus is on keeping the service sustainable as Project Svalbard marches forward and once that comes to fruition, I'll be in a much better position to revisit suggestions (also, there's a UserVoice for that). For now, I hope that this change leads to a much more sustainable service for everyone.

CVE-2019-6342 flaw allows hackers to fully compromise Drupal 8.7.4 websites

Drupal developers urge users to update their installs to version 8.7.5, which addresses the CVE-2019-6342 flaw that allows hackers to take control of Drupal 8 sites.

Drupal developers informed users that version 8.7.4 is affected by a critical flaw, tracked as CVE-2019-6342, that could be exploited by attackers to take control of Drupal 8 websites. Users have to update to version 8.7.5 to address the vulnerability.

The issue resides in the Drupal 8.7.4, it is an access bypass vulnerability that can be triggered when the experimental Workspaces module is enabled.

“In Drupal 8.7.4, when the experimental Workspaces module is enabled, an access bypass condition is created.” reads the security advisory.

The vulnerability can be mitigated by disabling the Workspaces module.

“For sites with the Workspaces module enabled, update.php needs to run to ensure a required cache clear. If there is a reverse proxy cache or content delivery network (e.g. Varnish, CloudFlare) it is also advisable to clear these as well.” continues the advisory.

The development team pointed out that the flaw only affects Drupal 8.7.4 release, earlier versions are not affected.

The flaw was reported by the Dave Botsch, the good news is that there is no evidence of cyber attacks exploiting the flaw in the wild. Anyway, security experts believe that threat actors could start exploiting the flaw very soon because it affects default configurations, it is easy to exploit and require minimal user interaction to be triggered.

The U.S. Department of Homeland Security (DHS) has also published a security update for the CVE-2019-6342 flaw.

Drupal websites are privileged targets for hackers, in the past several campaigns leveraged other flaws in the popular CMS. In February, just three days after the CVE-2019-6340 flaw was addressed, threat actors in the wild started exploiting the issue to deliver cryptocurrency miners and other payloads.

In 2018, threat actors compromised many Drupal sites by exploiting other two flaw dubbed Drupalgeddon2 and Drupalgeddon3.

Pierluigi Paganini

(SecurityAffairs – CVE-2019-6342, hacking)

The post CVE-2019-6342 flaw allows hackers to fully compromise Drupal 8.7.4 websites appeared first on Security Affairs.

BEC Scams Cost US Firms $300m Each Month

BEC Scams Cost US Firms $300m Each Month

Business Email Compromise (BEC) scams have rocketed in volume and value over the past two years, making cyber-criminals over $300m each month in 2018 from US victims alone, according to new data.

The findings were revealed by the Financial Crimes Enforcement Network (FinCEN), a bureau of the US Department of the Treasury.

They note that the number of BEC reports has climbed rapidly, from around 500 per month in 2016 to more than 1100 last year. The total value of related BEC thefts has also soared over the same period, from around $110m per month to an average of $301m.

Manufacturing and construction was the most targeted sector in 2017 and 2018, accounting for around a fifth and quarter of reports in these respective years.

In 2018, this sector was followed by “commercial services” – which includes shopping centers, entertainment facilities, and lodging – and then real estate.

The former saw reported BEC attacks increase more than any other vertical, tripling from 6% in 2017 to 18% last year.

Interestingly, the vast majority (73%) of BEC attacks seen over the period involved scammers receiving funds into US accounts, rather than ones overseas, taking advantage of money mule networks nationwide, FinCEN claimed.

“Industries that are common in a particular state likely represent the most targeted companies in that state,” it added. “For example, financial firms are the most frequently targeted firms in New York, while manufacturing and construction firms are the most frequently targeted in Texas.”

In terms of attack methodology, CEO impersonation ranked pretty high in 2017, accounting for a third (33%) of scams, but declined to 12% in 2018. On the other hand, use of a fraudulent vendor or client invoices grew from 30% to 39% over the period. Impersonation of an outside entity was 20% in 2018 but not documented in 2017.

The FBI warned earlier this year that BEC losses hit $1.3bn in 2018, almost half of all losses associated with cybercrime in the year. These were linked to just 20,000 victims, highlighting the potential high ROI for the scammers.

The figure works out much lower than the cost of BEC calculated by FinCEN, but this could be down to under-reporting.

FaceApp privacy panic: Be careful which apps you use

The privacy panic over FaceApp, the selfie-editing mobile app that makes photo subjects younger, older or turns them into members of the opposite sex, has been overblown. The (overblown) issue FaceApp is an iOS and Android app developed by Russian company Wireless Lab and is not without past controversy (e.g., lightening skin color to make users “hot”). In this latest bout of massive popularity, the app makers were “accused” of siphoning pictures from users’ mobile … More

The post FaceApp privacy panic: Be careful which apps you use appeared first on Help Net Security.

Dutch Police Nab Macro Malware Suspect

Dutch Police Nab Macro Malware Suspect

Dutch police have arrested a man suspected of developing and selling toolkits designed to build malicious Office documents for use in attacks.

In a statement on Wednesday, the country’s high-tech crime team (THTC) revealed it had apprehended a 20-year-old Utrecht man after monitoring his participation in hacking forums, with help from McAfee.

He’s suspected of selling specialized off-the-shelf toolkits such as Rubella Macro Builder which effectively weaponize Office docs by enabling them to use obfuscated macro code to deliver a malicious payload, bypassing traditional security filters in the process.

However, in one of the man’s suspected posts to a hacking forum, investigators spotted use of a Dutch version of Microsoft Word. Given the relatively small global population that speaks the language, McAfee researchers went on the hunt for more clues.

“During our research we were able to link different nicknames used by the actor on several forums across a time span of many years,” the vendor said in a blog post. “Piecing it all together, Rubella showed a classic growth pattern of an aspiring cyber-criminal, started by gaining technical security knowledge on beginner forums with low op-sec and gradually moved to some of the bigger, exclusive forums to offer products and services.”

On arrest, the suspect was found with data on dozens of credit cards and manuals on carding, as well as access credentials for thousands of websites.

“The suspect has collected an amount of approx. €20,000 in cryptocurrency such as Bitcoins. These have been seized. The investigation into further amounts the young man may have (unlawfully) earned will continue. In due course, a confiscation order will be issued,” a police statement noted.

“The public prosecutor has meanwhile decided that the suspect will have to face trial. No court date has yet been set.”

Scraping the TOR for rare contents

Cyber security expert Marco Ramilli explains the difficulties for scraping the ‘TOR networks’ and how to enumerate hidden-services with scrapers.

Scraping the “TOR hidden world” is a quite complex topic. First of all you need an exceptional computational power (RAM mostly) for letting multiple runners grab web-pages, extracting new links and re-run the scraping-code against the just extracted links. Plus a queue manager system to manage scrapers conflicts and a database to store scraped data need to be consistent. Second, you need great starting points. In other words you need the .onion addresses where your scrapers start from. You might decide to begin from common and well-known onion links such as The TOR-hidden-wiki or to start from great reddit threads such this one, but seldom those approaches bring you to what I refer as “interesting links”. For this post “interesting links” means specific links that are rare or not very widespread and mostly focused on cyber-attacks and/or cyber-espionage. Another approach needs be used in order to reach better results. One of the most profitable way to search for “interesting links” is to look for .onion addresses in temporal and up-to-date spots such as: temporal pasties, IRC chats, slack or telegram groups, and so on and so forth. In there you might find links that bring you to more rare contents and to less spread information.

Today I want to start from here by showing some simple stats about scraped .onion links in my domestic scraping cluster. From the following graph you might appreciate some statistics of active-and-inactive scraped hidden services. The represented week is actually a great stereotype of what I’ve got in the last whole quarter. What is interesting, at least in my personal point of view, is the percentage of offline (green) onion services versus the percentage of online (yellow) onion services.

Tor crawlers

This scenario changed dramatically in the past few months. While during Q1 (2019) most of the scraped websites were absolutely up-and-running on Q2 (2019) I see, most of the scraped hidden services, dismissed and/or closed even if they persists in the communication channels (IRC chat, Pasties, Telegram, etc.).

I think there are dual factors that so much affected last quarter in spotting active hidden service. (1) Old content revamping. For example bots pushing “interesting links” back online even after months of inactivity. This activity is not new at all, but during the past quarter has been abused too many time respect to previous quarters. (2) Hidden services are changing address much more fast respect to few months ago. In order to make hard to spot malicious actors, they might decide to keep up-and-running their hidden services only for few hours and then change address/location. Is that way to enumerate hidden-services passing away or is it a simple weird time-frame? We will see it during the next “Scraping” months, stay tuned !

About the author: Marco Ramilli, Founder of Yoroi

I am a computer security scientist with an intensive hacking background. I do have a MD in computer engineering and a PhD on computer security from University of Bologna. During my PhD program I worked for US Government (@ National Institute of Standards and Technology, Security Division) where I did intensive researches in Malware evasion techniques and penetration testing of electronic voting systems.

I do have experience on security testing since I have been performing penetration testing on several US electronic voting systems. I’ve also been encharged of testing uVote voting system from the Italian Minister of homeland security. I met Palantir Technologies where I was introduced to the Intelligence Ecosystem. I decided to amplify my cybersecurity experiences by diving into SCADA security issues with some of the biggest industrial aglomerates in Italy. I finally decided to found Yoroi: an innovative Managed Cyber Security Service Provider developing some of the most amazing cybersecurity defence center I’ve ever experienced! Now I technically lead Yoroi defending our customers strongly believing in: Defence Belongs To Humans.

This analysis and many other studies and tools are available on Marco Ramilli’s blog:

https://marcoramilli.com/2019/07/18/scraping-the-tor-for-rare-contents/

Pierluigi Paganini

(SecurityAffairs – Tor network, DarkWeb)

The post Scraping the TOR for rare contents appeared first on Security Affairs.

Experts spotted a rare Linux Desktop spyware dubbed EvilGnome

Experts at Intezer discovered a new backdoor, dubbed EvilGnome, that is targeting Linux systems for cyber espionage purpose.

Intezer spotted a new piece of Linux malware dubbed EvilGnome because it disguises as a Gnome extension. The researchers attribute the spyware to the Russia-linked and Gamaredon Group.  The modules used by EvilGnome are reminiscent of the Windows tools used by the Gamaredon Group, other analogies include the use of SFX, persistence with task scheduler and the deployment of information stealers.

“Linux desktop remains an unpopular choice among mainstream desktop users, making up a little more than 2% of the desktop operating system market share.” reads the analysis published by Intezer. ” This explains our surprise when in the beginning of July, we discovered a new, fully undetected Linux backdoor implant, containing rarely seen functionalities with regards to Linux malware, targeting desktop users.”

The experts confirmed that the spy agent used by the threat actors was never seen before.

EvilGnome

The Gamaredon APT was first spotted in 2013, last year researchers at LookingGlass have shared the details of a cyber espionage campaign, tracked as Operation Armageddon, targeting Ukrainian entities.

The Security Service of Ukraine (SBU) blamed theRussia’s Federal Security Service (FSB) for the cyber attacks. 

The sample analyzed by Intezer was uploaded to VirusTotal by mistake, the presence of metadata that was not removed by the attackers revealed that the malicious code was created on July 4. The analysis revealed that the malicious code includes an unfinished keylogger, some comments, symbol names and compilation metadata, a circumstance that suggests the authors are still working on it.

EvilGnome allows attackers to take screenshots, steal files, capture audio recordings from the microphone, and download and execute other payloads.

The attack starts with spear-phishing emails containing weaponized attachments, the malware is distributed via Russian hosting providers.

The hosting provider used by attackers behind EvilGnome was used by Gamaredon Group for years, the SSH was exposed over the port 3436, the same used by Gamaredon to expose SSH.

The Linux implant is delivered in the form of a self-extracting archive shell script created with makeself that is a small shell script that generates a self-extractable compressed tar archive from a directory. The generated files appear as a shell script, many having a .run suffix, that can be launched as is. 

The setup script installs the malicious code to ~/.cache/gnome-software/gnome-shell-extensions/, and attackers gain persistence by registering gnome-shell-ext.sh to run every minute in crontab.

In the last step of the installation process, the script executes gnome-shell-ext.sh, which in turn launches the main executable gnome-shell-ext:

“The Spy Agent was built in C++, using classes with an object oriented structure. The binary was not stripped, which allowed us to read symbols and understand the developer’s intentions.” continues the analysis.

“At launch, the agent forks to run in a new process. The agent then reads the rtp.dat configuration file and loads it directly into memory”

The spy agent is composed of five modules that run in separate threads:

  • ShooterSound – captures audio from the user’s microphone and uploads to C2;
  • ShooterImage – captures screenshots and uploads to C2;
  • ShooterFile – scans the file system for newly created files and uploads them to C2;
  • ShooterPing – receives new commands from C2;
  • ShooterKey – unimplemented and unused, most likely an unfinished keylogging module;

The modules access to shared resources that are safeguarded through mutexes, they use RC5 with the key “sdg62_AS.sa$die3” to encrypt or decrypt data to and from the C&C.

The malware supports several commands, it can download and execute files, set new filters for scanning, download and set new runtime configurations, exfiltrate stored output to the C&C, or stop the modules from running.

EvilGnome is a rare type of malware due to its appetite for Linux desktop users. Throughout this post, we have presented detailed infrastructure-related evidence to connect EvilGnome to the actors behind the Gamaredon Group.” concludes the group. “We believe this is a premature test version. We anticipate newer versions to be discovered and reviewed in the future, which could potentially shed more light into the group’s operations.”

Pierluigi Paganini

(SecurityAffairs – EvilGnome, Linux malware)

The post Experts spotted a rare Linux Desktop spyware dubbed EvilGnome appeared first on Security Affairs.

Multi-Cloud Security Best Practices Guide

A multi-cloud network is a cloud network that consists of more than one cloud services provider. A straightforward type of multi-cloud network involves multiple infrastructure as a service (IaaS) vendors. Can you use AWS and Azure together? For example, you could have some of your cloud network’s servers and physical network provided by Amazon Web […]… Read More

The post Multi-Cloud Security Best Practices Guide appeared first on The State of Security.

Anatomy of a spear phishing attack – with example scam

With cyber crime quickly becoming a top priority for organisations, IT admins have felt the pressure to invest in network defences and ensure their systems aren’t breached.

But those measures aren’t much help when criminals use phishing scams to bypass organisations’ defences and hit them where they’re most vulnerable: their employees.

Fraudsters have countless tricks up their sleeve when targeting people for attacks, but perhaps the most dangerous is spear phishing. Let’s take a look at how it works, along with an example to help you spot the clues of an attack.

What is spear phishing?

Spear phishing is a form of email attack in which fraudsters tailor their message to a specific person.

They can gather the information they need to seem plausible by researching the target online – perhaps using Facebook, LinkedIn or the website of the target’s employer – and imitating a familiar email address.

Spear phishing is harder to detect than regular phishing scams, because although messages contain the same clues as any phishing attack, the fact that they are addressed specifically to the target assuages suspicions that they are bogus.

However, other than creating a false sense of security, the attack works in the same way as any other type of phishing scam. The message will either contain an attachment infected with malware or direct the recipient to a malicious website, which might inject malware into the browser or request user credentials through spoofing.


See also:


Proofpoint’s 2019 State of the Phish Report found that 83% of respondents were hit by at least one spear phishing attack in last year. This shows just how hard it is to identify and properly respond to targeted email threats.

An example of a spear phishing email

Here’s an example of a real spear phishing email. You can see the whole message below, followed by a breakdown of the text showing how you can tell that the message is bogus.

Subject: Domain Notification for [website] : This is your Final Notice of Domain

Attention: Important Notice , DOMAIN SERVICE NOTICE
Domain Name: [website]

ATT: [name redacted]
[website redacted]
Response Requested By
5 – Nov. – 2018

PART I: REVIEW NOTICE

Attn: [name]

As a courtesy to domain name holders, we are sending you this notification for your business Domain name search engine registration. This letter is to inform you that it’s time to send in your registration.

Failure to complete your Domain name search engine registration by the expiration date may result in cancellation of this offer making it difficult for your customers to locate you on the web.

Privatization allows the consumer a choice when registering. Search engine registration includes domain name search engine submission. Do not discard, this notice is not an invoice it is a courtesy reminder to register your domain name search engine listing so your customers can locate you on the web.

This Notice for: [website] will expire at 11:59PM EST, 5 – Nov. – 2018 Act now!

Select Package:
[website link redacted]

Payment by Credit/Debit Card

Select the term using the link above by 5 – Nov. – 2018
[website]

Spotting the signs of spear phishing

Did you see the clues that the email was fake? And what about the tricks the scammer used to make the message look genuine? Let’s take a closer look at the message, beginning with the subject line:

“This is your Final Notice”

Right from the start, the criticality of this email is established in my mind. I’m also concerned as it looks like I’ve missed a previous notice.

“Attention: Important Notice”

The importance of this email has been set.

“Domain Name: [website]”

It’s the correct domain, indicating this email is indeed relevant to me.

“ATT: [name]”

Correct name also; must be legit and specific to me personally.

“As a courtesy”

They’re doing me the service. Sounds decent and generous.

“This letter is to inform you that it’s time to send in your registration.”

Sounding official now and the time pressure is being ramped up. It’s also trying to soften me up to part with personal information.

“Failure to complete your Domain name search engine registration by the expiration date may result in cancellation of this offer making it difficult for your customers to locate you on the web.”

If I don’t comply quickly (time pressure again), there’s going to be an adverse impact on me and I’ll lose customers. This could potentially hit me in the pocket!

“Search engine registration includes domain name search engine submission.”

They’re going to perform some sort of important-sounding service for me.

“Do not discard, this notice is not an invoice it is a courtesy reminder to register your domain name search engine listing so your customers can locate you on the web.”

Really mixed messages here. An instruction not to “discard” this important “notice” but no pressure, as this isn’t a request for money (“not an invoice”) but just a generous and selfless “courtesy” and “reminder” that will benefit me.

“This Notice for: [website] will expire at 11:59PM EST, 5 – Nov. – 2018 Act now!”

Time pressure cranked up to maximum. No need to think; just act now before it’s too late.

All the above are typical examples of emotional manipulation. This is classic spear phishing.

I didn’t click the link and hand over my payment card details, because it raised all manner of red flags. Instead, I googled the link, which confirmed my suspicions.

Sadly, some would have fallen for it simply through a lack of training and awareness.

Teach your staff to spot phishing emails

You can help educate employees on the threat of phishing and what they can do to mitigate the risk by enrolling them on our Phishing Staff Awareness E-Learning Course.

This 45-minute course uses examples like the one above to explain how phishing emails work, the clues to look for and the steps to take to avoid falling victim.

You might also benefit from a comprehensive review of your approach to cyber security. Our Security Awareness Programme does just that, helping you generate tangible and lasting improvements to your organisation’s security awareness.

It combines a learning needs assessment to identify the areas that your organisation should focus on, with a series of tools and services to address problems as they arise, including hands-on support from a specialist consultant, pocket guides and e-learning courses.

Find out more about our Security Awareness Programme >>

The post Anatomy of a spear phishing attack – with example scam appeared first on IT Governance Blog.

True passwordless authentication is still quite a while away

The password has been one of the great inventions in the history of computing: a solution that allowed simple and effective identity and access management when the need arose for it. Unfortunately, as time passed, the downsides of using (just) passwords became apparent: they can be forgotten, guessed, cracked, stolen and, finally, misused. While we wait for the password to die… During the last decade or so, many IT and IT security professionals have foretold … More

The post True passwordless authentication is still quite a while away appeared first on Help Net Security.

Sprint Data Breach Due To Samsung.com Bug Revealed

U.S. telecom giant, Sprint has recently revealed that a certain number of Sprint customer accounts were taken over by unauthorized users using a loophole in Samsung.com’s “add a line” feature. The company disclosed this information as per their June 22 internal report and the following information of affected users are now in the hands of unknown personalities:

  • Full name
  • Billing address
  • Subscriber ID
  • Account creation date
  • Account number
  • Phone number
  • Device ID
  • Device Type
  • Monthly recurring charges
  • Upgrade eligibility
  • Add-on services

Even with a huge laundry list of information was stolen, Sprint remains calm as the telecom giant claims that the information lost to the Samsung.com breach was not substantial enough to for identity theft to thrive. Sprint on their part issued a force reset of their customer’s PIN in order to lessen the chance of further security breaches. The forced PIN change was initiated on June 25, three full days after the discovery of the incident.

“Sprint has taken appropriate action to secure your account from unauthorized access and has not identified any fraudulent activity associated with your account at this time. Sprint re-secured your account on June 25, 2019. We apologize for the inconvenience that this may cause you. Please be assured that the privacy of your personal information is important to us. Please contact Sprint at 1-888-211-4727 if you have any questions or concerns regarding this matter,” explained Sprint in its official press release.

The company urges all its affected customers to visit www.indentitytheft.gov, a website operated by the U.S. Federal Trade Commission. Sprint claims that the preventive and security measures provided by the FTC will be very helpful for customers that continue to worry about the data breach incident. As of this writing, Sprint has not disclosed the details on what actually happened to Samsung.com’s “add a line” feature, and how it caused Sprint customers to get hacked through the use of the website.

On their part, Samsung claims that they keep their systems and website secure, and no Samsung customer info from their systems was leaked to the outside world. “We recently detected fraudulent attempts to access Sprint user account information via Samsung.com, using Sprint login credentials that were not obtained from Samsung. We deployed measures to prevent further attempts of this kind on Samsung.com and no Samsung user account information was accessed as part of these attempts,” said a Samsung spokesperson.

Also Read;

Five Important Things about Data Security

Data Breaches have become a common threat in online transactions

Beware of Fake Samsung Firmware Update App

 

The post Sprint Data Breach Due To Samsung.com Bug Revealed appeared first on .

Skills gap remains a top barrier to SD-WAN adoption

SD-WAN security drives selection, skills gaps remain a primary obstacle to adoption, and adoption continues to rise, according to Masergy. The survey, conducted in partnership with IDG Research, analyzed responses from IT decision makers in global enterprises across a variety of industries. This survey was also conducted in 2017 as a benchmark in order to measure SD-WAN trends over time. Optimizing the network to support cutting-edge technology stands out as the most prominent objective that … More

The post Skills gap remains a top barrier to SD-WAN adoption appeared first on Help Net Security.

The true potential of 5G for businesses

Technology is transforming our world beyond recognition and both public and private sector organizations are at a tipping point where they must embrace digital transformation or risk being left behind. Concepts which once seemed futuristic and out of reach – autonomous vehicles, remote surgery, and smart cities – are now within our sights and 5G is being touted as the key to unlocking the door to this digital future. Yet, with all the excitement and … More

The post The true potential of 5G for businesses appeared first on Help Net Security.

Adoption rates of basic cloud security tools and practices still far too low

As organizations migrate more of their data and operations to the cloud, they must maintain a robust cybersecurity posture, a Bitglass report reveals. Each year, Bitglass conducts research on the state of enterprise cloud security in order to identify key trends and common vulnerabilities. This year’s report found that 75 percent of organizations leverage multiple cloud solutions, but only 20 percent have visibility over cross-app anomalous behavior. With more and more organizations storing sensitive information … More

The post Adoption rates of basic cloud security tools and practices still far too low appeared first on Help Net Security.

Plugins

Every plugin or add-on you install in your browser can expose you to more danger. Only install the plugins you need and make sure they are always current. If you no longer need a plugin, disable or remove it from your browser via your browser's plugin preferences.

Certificate-related outages impact the reputation of financial services organizations

Financial services organizations are more likely to have digital certificate-related outages than other industries, a Venafi study reveals. Over 100 CIOs in the financial services industry from the U.S., U.K., France, Germany and Australia participated in the study. In the last six months, 36 percent experienced an outage that impacted critical business applications or services. In addition, financial services CIOs are more concerned about the impact of certificate-related outages on their customers. “Organizations from every … More

The post Certificate-related outages impact the reputation of financial services organizations appeared first on Help Net Security.

Federal and SLED IT managers say AI will be a game changer

AI is not a concept of the future, a MeriTalk study confirms. A new study, underwritten by Arrow and NetApp, surveyed 300 Federal, state, local, and higher education (SLED) IT managers to explore where they think their agencies are with AI as a broader concept, and to understand their usage of foundational AI technologies like chatbots, intelligent analytics, high performance computing, and more. Between February’s executive order and the launch of AI.gov in March, AI … More

The post Federal and SLED IT managers say AI will be a game changer appeared first on Help Net Security.

MobileIron launches zero sign-on technology for secure and passwordless authentication

MobileIron, the company that introduced the industry’s first mobile-centric, zero trust platform for the enterprise, announced the availability of zero sign-on technology for secure and passwordless authentication to enterprise cloud services from desktops. Users can now log into software-as-a-service (SaaS) applications, such as Office 365 and Salesforce, from any laptop or desktop using their secured iPhone as their identity – eliminating the need for passwords entirely. A zero password experience is critical as a recent … More

The post MobileIron launches zero sign-on technology for secure and passwordless authentication appeared first on Help Net Security.

Privitar extends data-protection and safe data-analysis capabilities of its Publisher product

Privitar, whose software delivers the uncompromised data privacy that is essential for organizations worldwide to conduct safe and ethical data analysis, released version 3.0 of its Publisher product, extending both its data-protection and safe data-analysis capabilities. With Privitar Publisher 3.0, companies can use its centralized, policy-based approach to data privacy more widely within their organizations, automate more processes, and make data available to data scientists more quickly. Publisher 3.0 also enables companies to create richer … More

The post Privitar extends data-protection and safe data-analysis capabilities of its Publisher product appeared first on Help Net Security.

Smarter Security’s new optical technology to prevent sidegating

Smarter Security, the intelligent entrance controls company, announced new optical technology that reduces the risk of “sidegating” when two people attempt unauthorized side-by-side entry through a turnstile. Sidegating is a growing security issue as changing regulations and customer demands for increased pedestrian and wheelchair user comfort dictate the need for wider turnstiles. If a lane is wide enough to comfortably fit a wheelchair, it is also wide enough to fit two pedestrians side-by-side. Until now, … More

The post Smarter Security’s new optical technology to prevent sidegating appeared first on Help Net Security.

Cohesity Runbook enables enterprises to systematically move workloads to the cloud

Cohesity announced a new application called Cohesity Runbook. Cohesity Runbook provides organizations with a new automation design canvas that makes it incredibly simple and formulaic for enterprises to move workloads systematically between on-premises data centers and the public cloud – a critical need as more and more organizations rely on the cloud for everything from dev/test to security to disaster recovery. The Cohesity Runbook application, available through the Cohesity Marketplace, automates the process of moving … More

The post Cohesity Runbook enables enterprises to systematically move workloads to the cloud appeared first on Help Net Security.

Communication – The Forgotten Security Tool

Security professionals have many tools in their toolbox. Some are physical in nature. (WireShark, Mimikatz, endpoint detection and response systems and SIEMs come to mind.) Others not so much. (These assets include critical thinking faculties, the ability to analyze complex processes, a willingness—some call it a need—to dig in and find the root cause of […]… Read More

The post Communication – The Forgotten Security Tool appeared first on The State of Security.

PremiumSoft releases new version of Navicat Monitor

PremiumSoft announces the immediate release of Navicat Monitor version 2.0, a new version of Navicat Monitor, now supported SQL Server. Navicat Monitor is a safe, simple and agentless remote server monitoring tool for MySQL, MariaDB and SQL Server. It includes a rich set of real-time and historical graphs that allow you to drill down into server statistic details. In the latest version of Navicat Monitor, you can easily uncover the problematic queries, such as identifying: … More

The post PremiumSoft releases new version of Navicat Monitor appeared first on Help Net Security.

Symantec’s new cloud access security solution enforces consistent security and data protection policies

Symantec, the world’s leading cyber security company, announced its new cloud access security solution to help secure cloud and internet access and use in an enterprise environment. These enhancements and integrations across Symantec’s network security portfolio further position Symantec as the only security provider to offer an integrated cloud-delivered solution that lessens operational costs and complexity, while lowering operational risk. In today’s business environment, there is a tremendous volume of enterprise network traffic directed to … More

The post Symantec’s new cloud access security solution enforces consistent security and data protection policies appeared first on Help Net Security.

Synack launches a new crowdsourced penetration test designed specifically for government

Synack, the most trusted leader in crowdsourced penetration testing, announces the availability of the market’s first comprehensive crowdsourced penetration test designed specifically for government, by offering a bug bounty-based vulnerability discovery model coupled with NIST 800-53 guidelines. Synack co-founders and technical security experts Jay Kaplan and Mark Kuhr came out of the NSA and the US Department of Defense with a shared vision to create a scalable, effective, and trusted security solution for the government. … More

The post Synack launches a new crowdsourced penetration test designed specifically for government appeared first on Help Net Security.

Perimeter 81 ensures zero trust access to web applications without an agent

Perimeter 81, the leading Zero Trust Secure Network as a Service provider, announced that it has officially unveiled its new cornerstone solution: Zero Trust Application Access. The service is designed to meet the demands of today’s ever-expanding modern network and ensure fully secured, isolated and agentless access to an organization’s critical web applications, secure shell (SSH), remote desktop (RDP), virtual network computing (VNC) and Telnet in an emulated, streamlined and seamless way, regardless of where … More

The post Perimeter 81 ensures zero trust access to web applications without an agent appeared first on Help Net Security.

CyberGRX Auto Inherent Risk provides users with immediate visibility into potential threats

CyberGRX, provider of the world’s first and largest global cyber risk exchange, announced the recent release of a groundbreaking new feature that provides users with immediate visibility into potential threats in their ecosystem: Auto Inherent Risk (AIR) insights. As digital transformation and interconnected ecosystems continue to expand, effective third-party cyber risk management (TPCRM) is increasingly becoming a top priority for CISO’s and Risk Managers. CyberGRX AIR automates what was once a very time-consuming and manual … More

The post CyberGRX Auto Inherent Risk provides users with immediate visibility into potential threats appeared first on Help Net Security.

ShiftLeft Ocular enhancements to help orgs discover business logic flaws faster

ShiftLeft, an innovator in automated application security, announced enhancements to its Ocular solution that empower organizations to discover business logic flaws during application development 10 times faster than manual code reviews. Updates to Ocular include support for four new programming languages, C#, C, C++ and Scala, which improve development efforts with coverage for the top cloud, Internet of Things (IoT) and embedded applications. The updates also include blazing fast automated security regression testing in CI/CD, … More

The post ShiftLeft Ocular enhancements to help orgs discover business logic flaws faster appeared first on Help Net Security.

Signal Sciences and Datadog provide real-time web app attacks monitoring and response

Signal Sciences, the fastest growing web application security company in the world, announced its integration with Datadog, the monitoring and analytics platform for modern cloud environments. The integration provides engineering and operations teams with an easy way to monitor and respond to real-time web application attacks from the Datadog platform. By activating the new Signal Sciences dashboard, Datadog users can quickly see the volume and types of attacks against their applications, APIs, and microservices. The … More

The post Signal Sciences and Datadog provide real-time web app attacks monitoring and response appeared first on Help Net Security.

FireEye launches two new service delivery options for managed detection and response

FireEye, the intelligence-led security company, announced the availability of two new managed detection and response (MDR) service offerings – FireEye Managed Defense Nights and Weekends and FireEye Managed Defense for Endpoint Security. “Managed Defense has led the managed detection and response market since 2011 when we saw the need to provide ongoing, proactive detection and investigations following incident response engagements,” said Marshall Heilman, Senior Vice President, Managed Defense and TORE, FireEye. “Customer needs continue to … More

The post FireEye launches two new service delivery options for managed detection and response appeared first on Help Net Security.

Smashing Security #137: Porn trolling lawyers, Insta hacking, and Ctrl-Alt-LED

Erection your honour! Lawyers find themselves behind bars after they make porn movies in an attempt to scam internet users, boffins in Israel detail a way to steal data from an air-gapped computer, and Instagram coughs up $30,000 after a researcher finds a simple way to hack into anybody’s account.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast.

Western Digital enhances its IntelliFlash data center systems portfolio

Western Digital announced new additions and enhancements to its IntelliFlash data center systems portfolio, giving customers even greater choice and flexibility to design modern hybrid-cloud infrastructures that accelerate the speed of business and help extract greater value from data. By doubling available performance and density, combined with enhanced capabilities for data migration and hybrid-cloud mobility, Western Digital’s IntelliFlash family of NVMe-flash, all-flash and hybrid-flash arrays delivers a superior overall value proposition for accelerating today’s most … More

The post Western Digital enhances its IntelliFlash data center systems portfolio appeared first on Help Net Security.

Party Like a Russian, Carder’s Edition

“It takes a certain kind of man with a certain reputation
To alleviate the cash from a whole entire nation…”

KrebsOnSecurity has seen some creative yet truly bizarre ads for dodgy services in the cybercrime underground, but the following animated advertisement for a popular credit card fraud shop likely takes the cake.

The name of this particular card shop won’t be mentioned here, and its various domain names featured in the video have been pixelated so as not to further promote the online store in question.

But points for knowing your customers, and understanding how to push emotional buttons among a clientele that mostly views America’s financial system as one giant ATM that never seems to run out of cash.

WARNING: Some viewers may find this video disturbing. Also, it is almost certainly Not Safe for Work.

The above commercial is vaguely reminiscent of the slick ads produced for and promoted by convicted Ukrainian credit card fraudster Vladislav “BadB” Horohorin, who was sentenced in 2013 to serve 88 months in prison for his role in the theft of more than $9 million from RBS Worldpay, an Atlanta-based credit card processor. (In February 2017, Horohorin was released and deported from the United States. He now works as a private cybersecurity consultant).

The clip above is loosely based on the 2016 music video, “Party Like a Russian,” produced by British singer-songwriter Robbie Williams.

Tip of the hat to Alex Holden of Hold Security for finding and sharing this video.

Firmware Bugs Plague Server Supply Chain, 7 Vendors Impacted

Lenovo, Acer and five additional server manufacturers are hit with supply-chain bugs buried in motherboard firmware.

Canadian Credit Union Desjardins Data Breached by Employee

Canadian financial institution Desjardins reported a data breach that compromised the personal information of 2.7 million customers and 173,000 businesses.

The compromised data included names, addresses, birthdates, social insurance numbers, email addresses and transaction histories. The breach was reportedly the result of employee misconduct. Investigators believe an employee sold the data on the dark web. Evidence of fraudulent credit cards opened in customer names has been reported.

“This is a very serious situation,” said the Autorité des marchés financiers (AMF), an organization responsible for financial regulation in Québec in a statement.

“The AMF is satisfied with the actions taken to date by Desjardins Group to protect the interests and assets of its members. It remains confident that the institution’s officers have handled the situation with due rigour, transparency and speed and that the cooperation provided to law enforcement is full and complete,” it added.

Desjardins and its CEO were criticized following complaints by affected customers that registration for the five years of free credit monitoring offered by the company was difficult, with reports of crashed websites, long wait times on the phone, and limited support in French. After finding that only 13% of customers had signed up for the service, Desjardins expanded the service, offering lifelong identity theft protection for all of its clients, including those unaffected by the breach.

The Office of the Privacy Commissioner and the Québec Access to Information Commission have announced a joint investigation into the breach to determine if Desjardin was compliant with consumer protection regulations at the provincial and federal levels.

Read more about the story here.

The post Canadian Credit Union Desjardins Data Breached by Employee appeared first on Adam Levin.

75% of Security Awareness Pros Are Part Time

75% of Security Awareness Pros Are Part Time

The 2019 Security Awareness Report published by SANS Security Awareness, a division of SANS Institute, found that across many organizations, there is an increased emphasis on the need for awareness and training programs.

According to the report, more than 75% of those who are currently responsible for security awareness and training are spending less than half of their time on employee education programs. 

“The implication is that awareness is simply mounted on to their other job requirements. This is the largest single factor limiting the growth and maturity of programs,” the report said.

Though awareness professionals often bring more dynamic skills to their technical roles, the lack of candidates who possess the much needed soft skills of communication and marketing hinders the organization’s ability to build a program that truly engages employees.

Among the nearly 1,600 respondents who participated in the study, those who reported having programs that are effectively changing employee behavior have at least two full-time employees dedicated to awareness and training. 

“While there is a general tendency to isolate individual employees as the cause of security related issues, the data within the report demonstrates that addressing an organization’s human cyber risk is best handled by making consistent systemic training investments. This report examines the most effective steps to address them, enabling you to benchmark your awareness program against your peers and other organizations,” the report said. 

The report did find that the number of organizations with no program at all has decreased over the last two years, falling from 7.6% to 4.3% and indicating a slow but steady shift toward success.

“I’m absolutely thrilled about the release of the 2019 Security Awareness Report,” says SANS security awareness director Lance Spitzner. “Every year we are able to gain a better understanding of the most common challenges awareness professionals face and how to best address them, and after five years we are beginning to identify key trends.”

93% of Orgs Worry About Cloud Security

93% of Orgs Worry About Cloud Security

Two reports published independently of each other found that the majority of organizations are moderately to extremely concerned about the state of cloud security.

In Guardians of the Cloud, the 2019 cloud report published annually by Bitglass, researchers found that 93% of organizations are at least moderately concerned about their ability to use the cloud securely. The same number of respondents in the 2019 Cloud Security Report from Synopsys said that they were either moderately or extremely concerned about cloud security.

According to Guardians of the Cloud, 75% of organizations leverage multiple cloud solutions, while a mere 20% actually have visibility over cross-app anomalous behavior. Additionally, only 20% of participating organizations said that they use cloud data loss prevention (DLP), despite storing highly sensitive information in the cloud, including customer and employee data and intellectual property. Not surprisingly, malware is the most concerning data leakage vector.

The majority (67%) of companies said they believe cloud apps are either as secure as or more secure than on-premises apps. Two of the most popular cloud security capabilities among respondents are access control (52%) and anti-malware (46%). 

“Data is now being stored in more cloud apps and accessed by more devices than ever before,” said Rich Campagna, chief marketing officer of Bitglass, in today’s press release. “This report found that...the adoption rates of basic cloud security tools and practices are still far too low. Many organizations need to rethink their approach to protecting data, as traditional tools for safeguarding data on premises are not capable of protecting data in the cloud.”

Synopsys’ latest cloud security report likewise found that organizations have a wide range of cloud security concerns. Most notable, organizations are worried about data loss and leakage (64%) and data privacy and confidentiality (62%).

For 43% of organizations, monitoring new vulnerabilities in cloud services is one of the most challenging aspects of cloud compliance. 

“As workloads continue to move to the cloud, cybersecurity professionals are realizing the complications of protecting these workloads. The top two security headaches SOCs are struggling with are compliance (34%) and lack of visibility into infrastructure security (33%). Setting consistent security policies across cloud and on-premises environments (31%) and the continuing lack of qualified security staff (31%) are tied for third place,” the report said. 

New Malware Samples Resemble StrongPity

New Malware Samples Resemble StrongPity

Researchers have said with high confidence that the publicly reported adversary dubbed StrongPity has been engaged in an unreported and ongoing malware campaign, according to research from AT&T Alien Labs

Threat actors are using the new malware and infrastructure to control compromised machines and deploying malicious versions of the WinBox router management software, WinRAR, as well as other trusted software to compromise their targets, researchers said. 

“StrongPity was first publicly reported on in October 2016 with details on attacks against users in Belgium and Italy in mid-2016. In this campaign, StrongPity used watering holes to deliver malicious versions of WinRAR and TrueCrypt file encryption software,” researchers wrote in a blog post

StrongPity was reported on again in 2017 and 2018. New samples that strongly resembled the work of StrongPity were again identified in early July 2019. 

These most recent samples of the malware have been, as of yet, unreported but mirror those created and deployed to targets following a toolset rebuild that came after public reporting of the malware during the fourth quarter of 2018, researchers said. 

“The malicious version of the software installs StrongPity malware without any obvious signs to the victim, and then operates as if it were a standard unaltered version of the trusted software.”

While researchers were unable to identify specific details about how the malicious installers are delivered, they noted, “It is likely that methods previously documented by the previous reports of StrongPity, such as regional download redirecting from ISPs, is still occurring. Based on the type of software used as the installer (WinRAR, WinBox, IDM, etc.), the type of targets may continue to be technically-oriented, again similar to past reports.”

Cybersecurity In Mid-2019: Nothing To See Here, Same Problems

The need for cybersecurity measures has been viewed as an issue, however, many companies have problems with countermeasures, as proven by our many years of coverage of cybersecurity news here at hackercombat.com. Due to insufficient security investment and security personnel shortage, the risks in conducting business in today’s technology-driven economy. We at hackercombat.com defines cybersecurity as the act of protecting information data from cyber attacks such as computer intrusion, virus infection, information leakage, data alteration, and destruction. The most common threats against firms include targeted attack, malware infiltration and lack of security personnel.

A targeted attack is one of the cyber attack methods. It is conducted aiming at the information in a specific organization such as a company and will steal various information regardless of the method. As an example, after collecting information on employees who belong to you, you may be spoofed by employees of affiliated companies, etc.

Three Foundations of a secure enterprise:

  1. Enforce security measures including not only the company but also supply partners such as business partners and system management.
  2. Appropriate communication with related parties such as information disclosure related to cybersecurity risks and measures to combat them.
  3. Recognize cybersecurity risks and take appropriate leadership in allocating resources, etc.

It is necessary for companies to take appropriate measures, such as whether they have bases overseas, along with the strengthening of domestic and foreign laws and regulations and security measures. In the case of the European Union-enforced GDPR (General Data Protection Regulation), for example, all global companies that provide Web services for domestic and foreign users, and handle IP addresses and cookies (data sent from the browser to the server according to the past user behavior), Even if you do not have branch offices overseas, if you do not respond according to the GDPR, you may be subject to disposal and compensation.

It is essential to work on strengthening cybersecurity measures throughout the entire organization. And for implementation, securing security personnel is one of the important items. Lack of security personnel and human resource development have become major issues in cybersecurity measures. In addition to hiring outside personnel, implementing human resources development in-house as a measure is the first step in cybersecurity measures. When it comes to cybersecurity measures, there is a tendency for security enhancement of systems and electronic devices to precede.

On the other hand, many of the security damage is triggered by human factors, and we must be aware that employee literacy may lead to security vulnerabilities. Conversely, if you raise security awareness and enable all employees to respond appropriately, you can effectively strengthen corporate cybersecurity. In order to improve employee security literacy, it is necessary to improve IT literacy and to hold regular training sessions on the latest cyber-attack methods and countermeasures. The important thing is that each and every employee has an active role in security measures. Along with the progress of digitization, cybersecurity measures have been taken for granted. In addition to proactive measures, when an incident such as an information leak occurs, the employees involved must immediately make a sure decision and create a system that does not aggravate the damage.

On the other hand, IT and security fields are very diverse, so it is difficult to decide how much literacy should be acquired, and it is necessary to have a training system to learn appropriately. In such cases, it is recommended to outsource cybersecurity training to a specialized school. By asking for a specialized training period, you can efficiently improve security skills using a structured IT and security curriculum. In addition, there is also the merit that it is possible to carry out education and training without having to spend the work hours of senior employees by requesting training to the outside.

Also Read,

What’s New With Separ Malware Family in 2019

Why We Need the Antivirus Software Even in 2019

A Brief Look At The Shade Ransomware (2019 variant)

The post Cybersecurity In Mid-2019: Nothing To See Here, Same Problems appeared first on .

NIST Mapping


Mapping PCI DSS v. 3.2.1 to the NIST Cybersecurity Framework v. 1.1  

How meeting PCI DSS requirements can help toward achieving Framework outcomes for payment environments.  On the blog, we cover basic questions about the newly released Mapping of PCI DSS to the NIST Cybersecurity Framework (NCF)with PCI SSC Chief Technology Officer Troy Leach. 

Binary Review: Rachio WiFi Smart Sprinkler

This is a personal review of the Rachio WiFi Smart Sprinkler controller. I was so impressed by what it did for my watering and my water bill I felt I had to write a review about it. A month ago my 10 year old, standard sprinker controler started to malfunction. It wouldn’t start properly, the […]

The post Binary Review: Rachio WiFi Smart Sprinkler appeared first on Security In Five.

New Azure Marketplace Pay-As-You-Go Billing for Trend Micro Deep Security as a Service

Cloud adoption continues to rise as organizations reduce their data center footprint, look to cloud native technologies to improve their application design and output, and strive to improve scalability and management of resources and systems.

In a recent survey conducted by analyst firm ESG, 87% of respondents indicated that they currently run production applications and workloads on a public cloud infrastructure-as-a-service platform. However only 10% of respondents run more than half of their workloads in the cloud.  This means that while cloud adoption is on the rise, businesses are still heavily vested in on-premises and hybrid-cloud environments.

With all this change comes the task of understanding how best to secure new cloud technologies and environments, while maintaining protection for traditional server platforms against threats and risks which present both technical and cost challenges.

So, what options does your business have to tackle this?

Trend Micro is excited to announce pay-as-you-go billing with its leading cloud solution, Deep Security as a Service (DSaaS) on the Microsoft Azure Marketplace. As a launch partner for pay-as-you-go billing at Microsoft’s Inspire 2019 conference, Trend Micro’s offering enables organizations to combine the benefits of security software-as-a-service (SaaS) with the convenience of usage-based metered pricing and consolidated cloud billing.

“Providing Trend Micro’s Deep Security as a Service offering through Azure Marketplace gives customers more ways to enable, automate, and orchestrate cloud security,” said Jeana Jorgensen, GM, Cloud and AI for Microsoft. “Customers can pay for only what they use with Trend Micro’s flexible, metered pricing or negotiate more a more traditional enterprise agreement using private offers while enjoying a consolidated bill for software and cloud infrastructure.”

Trend Micro Deep Security as a Service is purpose built to deliver a multi-layered automated approach to protect hybrid cloud workloads and container environments against known and unknown threats. Deep Security’s capabilities include network controls such as a host firewall and Intrusion Prevention/Detection (IPS) to shield servers and web applications from vulnerabilities and exploits. Deep Security also has system security capabilities such as log inspection, application control to detect and lockdown unauthorized executables, and real-time integrity monitoring to alert the security team of any suspicious or unexpected changes to registry values, registry keys, services, processes, installed software, ports, or files.

Additionally, Deep Security provides this same complete protection for your containers, with real-time malware protection, container vulnerability shielding, full traffic inspection for both North-South and East-West traffic between containers, as well as network and system controls, extending protection to the container and Kubernetes platforms. This also helps to meet compliance obligations across major regulations and industry guidelines, like PCI DSS, HIPAA, NIST, GDPR and more from within one trusted security solution.

Microsoft’s new Azure Marketplace offerings and billing methods allow IT and developers a means to quickly identify what software-as-a-service offerings they need and pay only for what is consumed with no additional costs. This makes purchasing easy for customers, with one transaction and a single invoice helping to remove friction across budget planning, capacity, and scaling.

“Our priority is to make cloud security as effortless as possible, which starts by meeting IT users and developers where they are and then offering comfortable usage and pricing options,” said Sanjay Mehta, SVP, Business Development & Strategic Alliances at Trend Micro. “Trend Micro is proud to continue our close relationship with Microsoft Azure as one of its top global security partners. Being part of their consumption-based billing launch for SaaS offerings helps customers looking to secure workloads and containers through their Azure instances.”

Trend Micro’s Deep Security as a Service will provide Microsoft Azure customers a fully hosted security management experience, starting at only $0.01 per workload per hour.

Learn more visit https://www.trendmicro.com/azure/

 

 

The post New Azure Marketplace Pay-As-You-Go Billing for Trend Micro Deep Security as a Service appeared first on .

How to recover from a cyber attack

One in three UK organisations fell victim to a cyber attack in 2018, costing £17.8 billion in total.

Your first – obviously valid – thought might be that we all need to get better at preventing security incidents, but it’s not the whole story.

Cyber attacks are so widespread, and criminals’ tactics so varied, that it’s impossible to prevent breaches altogether. That organisations invest the majority of their resources into preventing attacks is the reason attacks are so costly.

The damages would be a lot less expensive if organisations prepared for the inevitability of cyber attacks and implemented an incident response plan to help them respond to and recover from incidents quickly and effectively.

What is an incident response plan?

An incident response plan is a document that outlines the steps an organisation must take following a cyber security incident.

What goes in an incident response plan?

Incident response plans can help organisations identify vulnerabilities in their networks and processes, mitigate the effects of a variety of situations and limit the damage caused by security incidents.

They also help organisations:

  • Spot when a security incident has occurred;
  • Assess the immediate damage;
  • Identify who needs to be made aware of the situation; and
  • Document the steps towards recovery.

Incident response in action

Let’s take a look at a real-life example of an organisation using an incident response plan to recover from a cyber attack.

On 19 March 2019, the aluminium producer Norsk Hydro’s systems were infected with ransomware, but instead of acquiescing to the criminals’ demands, the organisation turned to its incident response procedure.

Norsk wiped its systems and restored clean versions from backups, knowing that its cyber insurance policy would help cover the costs.

Meanwhile, employees from across the organisation were drafted in to ensure operations continued.

The incident cost Norsk about £60 million, but given the organisation’s moral stand against paying a ransom (an approach every organisation should take), it was an exemplary recovery effort.

See also:

Despite having to shut down 40 networks and 22,000 computers, Norsk was able to continue operating, all the while garnering praise from security experts and knowing that profits will bounce back in the coming months.

Let’s compare that to an organisation that had no idea what to do when it suffered a major disruption.

Response efforts found wanting at British Airways

In May 2017, British Airways was reportedly hit by a power surge that shut down its IT systems and caused the airline to ground all its flights for 48 hours. (This is a separate incident to the one that led to the recently announced £183 million fine.)

The airline struggled to respond to the disruption, with one passenger telling the Guardian that the response “felt very improvised, and not very successful at all. It was honestly the angriest place I’ve ever been […] No one knew what was going on, which is why everyone was so miserable.”

Other passengers struggled to contact the airline to reclaim their baggage, while those in Heathrow Airport at the time were told to leave without the bags and collect them later.

Hundreds of people stood around waiting for guidance. Many missed their flights over the coming days – not necessarily because of cancellations but because the airline’s online and in-terminal check-in systems were down. This caused massive queues as staff had to handle huge numbers of requests at check-in desks.

Given British Airways’s reliance on technology, an incident response plan was essential. It would have helped the airline identify the main problems and find suitable solutions.

Don’t have time to create an incident response plan?

If you suffer a data breach before you’ve had time to implement an incident response plan, don’t panic. Our cyber security incident response service provides you with the expert help you need.

With years of cyber security experience, our consultants know how to tackle any type of security incident. They’ll help you identify the source of the compromise, guide you through the response effort and ensure that you return to business as usual.

Find out more >>

The post How to recover from a cyber attack appeared first on IT Governance Blog.

Hackers are breaking into the enterprise through content collaboration platforms CCPs

Estimated reading time: 4 minutes

Globally, as enterprises gather and integrate optimum avenues to secure their information technology infrastructure from cyber threats, somehow, hackers are still managing to find a way to break-in. Cybersecurity vigilance has driven business stakeholders to secure core networks with the latest and best-in-breed anti-virus and malware detection capabilities. Since this initiative, hackers are now changing routes to trespass, penetrate and annihilate businesses – one such channel being content collaboration platforms (CCPs).

Today’s corporations are heavily dependent on CCPs coming from popular brands like Box, Dropbox, Google, etc. to gratify a variety of enterprise needs. But before we discuss what these needs are, here is a glance at important statistics on CCPs.

  • About 33% of Millenials prefer to work in companies that promote collaborative workspaces
  • Nearly 83% of the workforce globally is dependent on technology to collaborate
  • Roughly 85% of employees that leverage on collaborative management tools perceive themselves as happy at their workplace
  • The content collaboration market will be around a US$ 45 billion industry by the end of 2019

The numbers provide satisfactory evidence about the success and adoption of CCPs in the enterprise. However, why did they become so popular with the corporate workforce?

Effective Communication

CCPs have facilitated a channel for internal customers to easily share their ideas with colleagues. This location-agnostic development is helping enterprise workforce to be in-sync about a plethora of business elements, globally. Before CCPs emails were the go-to source for internal communication, however, it didn’t turn out that well because of factors such as loss of documents, excessive to-and-fro, decentralization, etc.

Improved Project Management

Enterprises have hundreds of projects-in-process at any given point in time. Managing one or two projects is easy, but to manage a large number of projects simultaneously is not an easy task. Furthermore, when the task force chosen to execute projects is spread out globally, project management software becomes a must.

Strengthening the Workflow of Teams That Function on the Agile Model

The use of CCPs has drastically optimized the performance of Agile teams facilitating better remote working possibilities, improved scheduling, and quick talent identification.

Increasing the Speed of Work

CCPs are helping in saving a lot of time for teams which in-turn permits them to focus on other important things, increasing the speed of work, consistency, and performance.

Employee Satisfaction

We live in a surging trend of remote working in today’s day. Employees have time and again chosen remote working as a preferred choice over working from an office location. Managing remote employees was a daunting challenge, now resolved due to effective CCPs. Enterprises are seeing a spike in their approval ratings through employee satisfaction surveys, courtesy CCPs.

With such a strong employee sentiment towards CCPs, they are here to stay and grow year-after-year. This brings us to an important point about the possible ways in which CCPs can become a soft target for malware attacks.

CCPs are an ideal target to execute the dreaded ‘cyber kill chain.’ With hundreds of users leveraging collaboration platforms, all hackers need is that one user for spreading a harmful malware in enterprise systems – they can easily do so through phishing techniques such as social engineering with nothing to stop them.

Some of the best-guarded companies in the world also have an IT policy that suggests that users need to practice safety while dealing with enterprise data. Unfortunately, this not always the case. Employees are bound to make mistakes even if made unintentionally. The result – employees end up clicking on that one infected file that can disable the entire enterprise.

CCPs (unlike emails) are not under the control of an organization’s IT department. History is full of examples wherein files coming from emails were responsible to crash entire networks. So, if a channel as well-guarded as company email can get infected, CCPs become extremely soft targets for hackers to spread malware. Moreover, malware coming into an enterprise through CCPs can further cripple IT systems.

Typically, what hackers are doing is attempting to gain access to an employee’s home computer. Currently, social engineering messages act as bait for employees to click on malicious files. These files enter from the home computer into the enterprise network and move into a cloud-hosted collaboration platform. Once, even a single file gets contaminated, employees interacting with these files transform into carriers of malware that may cripple the entire enterprise. What’s worst is that such attacks may take days to be identified.

An add-on to this problem is how employees use CCPs to share files. In the event of a breach, documents that are being shared either internally or externally containing highly-sensitive business data can be viewed by a hacker with the simplest of web tools. This also applies to user workflows of attaching weak passwords to business applications. Businesses all over the world need to make rigid policies around employee workflows. If not, cybercriminals all over the world will continue to breach enterprises and gain access to highly-sensitive data.

Companies that provide CCPs themselves claim that the only line of defense that they employ to counter cyberattacks are anti-viruses and that’s not enough. What companies need to do is integrate enterprise-grade cyber defense solutions like Seqrite Endpoint Security (EPS) for comprehensive security across various endpoints.

Some good-to-follow tips for enterprises dealing with CCPs in general include –

  • Uploading a file in the company server instead of CCP for a more advanced scan
  • Ensuring that the file is checked automatically every time an employee saves a change on it
  • Allowing IT departments to reclaim ownership on enterprise data

 

The post Hackers are breaking into the enterprise through content collaboration platforms CCPs appeared first on Seqrite Blog.

Is Network Security Complexity Holding You Back?

At its most fundamental level, the objective of network security is a simple one. Organizations need to protect their people, assets, and the data that travels across and resides within their networks. They do this by setting security policies that detail parameters like who or what is allowed to access which resources.

Over time, even small organizations can accumulate large libraries of security policies across a variety of different security products. The old processes used to create, update and audit these policies become a burden for the IT team and cause a number of problems for the organization.

Research firm Enterprise Strategy Group (ESG) recently surveyed 200 IT and cybersecurity decision-makers to understand their views on network security complexity and its consequences. They examine some of the top challenges facing these organizations today in their new report “Navigating Network Security Complexity.”

It’s not just your imagination. Security is getting more complex.

Unsurprisingly, a majority (83%) of respondents felt that network security has gotten more complicated in the last two years. There are many reasons for this, but the top responses included:

  1. More devices deployed on the network
  2. More traffic on the network
  3. The operations team managing more networking and security technologies

Taken together, these responses paint the picture of a growing attack surface and increasing workload for teams responsible for protecting organizations’ critical assets.

Challenges on the horizon

What are the biggest network security challenges facing organizations in the next few years? According to the survey, they are:

  1. Business initiatives being adopted without the proper security involvement
  2. A lack of dedicated network security staff
  3. It takes too long to manage network security policies

Businesses are innovating at a record pace, and they aren’t waiting for the security team. Hiring staff continues to be challenging, and outdated processes are compounding the issue.

Brace for impact: outages, disruption and data breaches

Nearly a third (29%) of organizations said they experienced a security event resulting from network security complexity. The most common incidents included network outages, application or network availability, loss of sensitive data, and lost productivity. Given the critical nature of these risks, it’s clear that network security management needs to be addressed when assessing an organization’s risk management strategy.

Recommendations: technology integration, automation, simplification

ESG offers three headline recommendations for CISOs dealing with network security complexity today. First, look for solutions that are integrated and centrally managed when possible. Next, seek out solutions that emphasize ease-of-use and time-to-value. Finally, organizations should strive for process automation and use technology to accomplish this.

Whether you’re directly involved in managing your organization’s security policies or not, you’re likely experiencing negative effects of the drain that these manual tasks can have on an IT department. It’s time to prioritize making security policy management more efficient, consistent and effective. Reading the full research report is a great place to get started.

Simplify network security management with Cisco Defense Orchestrator

At Cisco, we’re working hard to help our customers streamline their security operations. Cisco Defense Orchestrator is a cloud-based security policy and device manager that uses automation to eliminate complexity. Manage consistent security policies across Cisco ASA, FTD and Meraki MX devices, and reduce time spent on security management tasks by up to 90%. Visit the Cisco Defense Orchestrator webpage to learn more and sign up for a free trial.

Ransomware Attack Disrupts Some Services at Onondaga County Libraries

A crypto-ransomware attack has disrupted some services at all library locations across Onondaga County in New York State. On 16 July, the Onondaga County Public Library system published a tweet in which it explained that many of its public services were unavailable. 07/16/19 UPDATE: Library services continue to be unavailable. We apologize for the frustration, […]… Read More

The post Ransomware Attack Disrupts Some Services at Onondaga County Libraries appeared first on The State of Security.

CEOs’ Cyber Ignorance Costing Firms Dear

CEOs’ Cyber Ignorance Costing Firms Dear

A lack of CEO awareness and engagement with cybersecurity could be placing their organizations at unnecessary risk of attack, according to new findings from RedSeal.

The security vendor polled over 500 IT professionals in the UK to better understand the cyber-risks posed by business leaders.

Over half (54%) said they don’t believe their CEO follows correct security procedure and in so doing is potentially exposing their organization to compromise. Over a third (38%) weren’t sure what technology their CEO used at home, with the majority (95%) claiming to be concerned that home smart devices could be hacked.

Over one in 10 (11%) respondents claimed that CEO or senior managers’ actions had put corporate security at risk, and three-quarters (75%) argued that their CEOs should pay more attention to cybersecurity in the future.

However, poor security policies and processes also seem to be to blame: 14% of UK CEOs still haven’t had any security training, while only 29% of respondents said they provide a daily cyber-report to their boss. A quarter (26%) said they only report major breaches to the CEO, perpetuating disengagement from cyber-related issues at the highest level.

In reality, cyber matters to CEOs as breaches could have a major impact on the bottom line and corporate reputation. Following a major incident, a third of respondents said they lost customers, 34% said it damaged reputation and over a fifth (23%) lost revenue.

“CEOs have wide access to their organization’s network resources, the authority to look into most areas, and frequently see themselves as exempt from the inconvenient rules applied to others. This makes them ideal targets,” argued RedSeal CTO, Mike Lloyd.

“The internet is a dangerous place where new security threats can evolve and rapidly mutate. Perfect defense is illusory; in a complex and interdependent world, some attacks are bound to succeed. Organizations must look to a strategy of resilience. They’ll survive only by planning in advance for how the inevitable successful attacks will be handled.”

UK Government Staff Lost 500+ Devices Last Year

UK Government Staff Lost 500+ Devices Last Year

UK government workers have lost over 500 mobile devices and laptops over the past year, with just a small percentage ever recovered, according to new research from MobileIron.

The security vendor issued Freedom of Information (FOI) requests to nine government departments, all but one of which replied.

It found that public sector employees managed to lose 508 mobiles and laptops between January 2018 and April 2019.

It’s unclear whether these devices were password protected and/or if the data on them was encrypted, or if they had a remote wipe functionality to protect sensitive information. However, attackers could theoretically gain access to sensitive accounts if a device gets into the wrong hands without proper security controls in place.

“As the amount of business data that flows across devices, apps, networks, and cloud services continues to increase, it is essential that organizations have the right security protocols in place to minimize risk and prevent unauthorized access to sensitive data if a device is lost or stolen. Even one lost or stolen device provides a goldmine of readily accessible and highly critical data to potential fraudsters and hackers,” argued MobileIron UK and Ireland regional director, David Critchley.

The answer is to implement a zero-trust model, whereby users are forced to authenticate at all times, he said.

“This approach validates the device, establishes user context, checks app authorization, verifies the network, and detects and remediates threats before granting secure access to a device or user,” he added. “The zero-trust model allows organisations, including government departments, to significantly reduce risk by giving them complete control over their business data – even on lost or stolen devices.”

It’s not just the government that has been found wanting regarding the loss of devices. Last year, an FOI request revealed that the BBC had reported over 170 lost or stolen devices over the previous two years.

UK’s NCSC Hails Another Successful Year of Cyber Defense

UK’s NCSC Hails Another Successful Year of Cyber Defense

The UK’s National Cyber Security Centre (NCSC) has dismantled tens of thousands of phishing campaigns and fraudulent websites over the past year as its Active Cyber Defence (ACD) program continues to lead by example globally.

In an update on Tuesday, the GCHQ off-shoot revealed a successful second year for the initiative.

It dismantled over 22,000 phishing campaigns hosted in UK IP space, linked to over 142,000 attacks, and removed more than 14,000 phishing sites, as part of an overall takedown of over 192,000 fraudulent sites – most (64%) of which were offline within 24 hours.

The NCSC also pointed to a 100-fold increase in the number of web checks run, with a total of 111, 853 advisories issued to public sector users. This comes on top of a Protective DNS service which now prevents 1.4m public sector employees from visiting malicious sites, DMARC to prevent email attacks, and other initiatives designed to bolster the security of the UK’s internet space and set an example for other governments.

“By taking down phishing and malware attacks when we see them in UK IP space, regardless of the brand abused, we intend to make the UK a more difficult place to host these attacks. While in and of itself this doesn’t affect the global attacks against the UK, we hope to lead by example,” the report claimed.

“If we can show that a relatively simple set of actions can make a delegated IP space a harder place to host badness, we can get on our high horse and try to get other responsible countries and entities to do similar things. Coordinated action would make hosting badness globally much harder and therefore increase the cost of launching these attacks in the first place and reduce the return on investment.”

The NCSC is not stopping there: it’s working with Action Fraud to produce a new automated fraud reporting system for the public; developing an Internet Weather Centre to provide insight into the digital landscape of the UK; and producing a vulnerability scanning tool for CNI and public sector providers.

Anti-Debugging Techniques from a Complex Visual Basic Packer

One of the latest trends for the attackers is to leverage the ISO files to avoid detection, the technique has also been used in a recent Hawkeye campaign.

Introduction

As we described in our previous post, one of the latest trends for the attackers is to leverage the ISO files in order to reduce detection chances. This technique has also been used by a recent Hawkeye spreading campaign.

“Hawkeye Keylogger” is an info-stealing malware for sale in the dark-web. Anyone can  easily subscribe to the malware service by paying a fee. It has been in continuous development at least since 2013  and the malware authors behind Hawkeye have improved the malware service adding new capabilities and techniques. It can collect credentials from various applications, mostly email clients, web browser and FTP clients, and send them to the crooks via various protocols such as FTP, HTTP, and SMTP.

So, our Cybaze-Yoroi ZLAB decided to take a look at this recent Hawkeye attack, tacking its anti-analysis protection and the anti-debugging techniques enforced by the Visual Basic packer used by the crooks.

Technical Analysis

The delivered file is an ISO image. Inside of it, there is a bat file, but actually is a well formed PE file. So, we can extract the “bat” file and replace its extension in “exe”.

Figure 1: Fake .bat file inside the ISO archive
Hash32951a56e3fcd8f5b006c0b64ec694ddf722eba71e2093f7ee90f57856941f3d
ThreatHawkey Spyware
Brief DescriptionHawkey Spyware inside a Visual Basic Packer
Ssdeep12288:GVwYvwrMkE9LfRUXkpW7zGidwY/rwxOp8mH:COrI9zRUJfGCfzw0

Table 1: Information about the PE file inside the ISO image

The ISO file has low AV detection rate, but only by extracting the executable from  the ISO image, the rate raises:

Figure 2: AV Detection of the ISO compressed file (left) and of the extracted file (right)

The PE file is packed with a Visual Basic 5.0 stub. It has the duty to protect the core of the malware and complicate the analysis:

Figure 3: Visual Basic packer evidence

As seen above, the malware is written in Visual Basic 5.0. So it is possible to decompile the malware through the use of the ad-hoc decompilers.

Figure 4: Visual Basic code decompilation in P-Code

The decompiled code has been translated in P-Code and it is quite obfuscated in the same way. The only solution to obtain more information about the infection mechanisms is to debug the program.

The first trick to complicate the analysis is to dynamically create a new memory section where inject some code, through the use of the “VirtualAlloc” function. The malware decodes some a piece of code, and choose a random new virtual address space to alloc memory, in this case “0x00260000” loaded into the EAX register.

Figure 5: Memory allocation through the VirtualAlloc API

The GetTickCount Anti-Debug Technique

After the context switch inside the new allocated area, the malware adopts the well known “GetTickCount()” anti-debug technique. According to the MSDN documentation, GetTickCount retrieves the number of milliseconds that have elapsed since the system was started, up to 49.7 days. This API call is used by the malicious actors to retrieve the time of the execution of the process, and if it is higher than a preset threshold, the malware terminates its execution:

Figure 6: GetTickCount routine a new address space

The first malicious action of the created address space is the invoking of the GetTickCount API and the result is:

Figure 7: GetTickCount result in EAX register

The result of the GetTickCount function is stored in EAX register. After doing some other decrypting operations, the malware invokes it another time.

Figure 8: GetTickCount subtraction anti-debug trick

After the second invocation of GetTickCount, there is immediately the subtraction of the two values and it is placed in EAX register. The next instruction is a comparison between the EAX register and a preset threshold value, “0x5DC”, which is 1500 in decimal representation. According to the Microsoft documentation, the resolution of the GetTickCount function is 10ms, thus we can deduce that the decided threshold by the cyber criminal is 15 seconds. After understood the trick, it quite easy to bypass and go on to analyze the sample.

Figure 9: ShellExecute routine to run the payload

The malware allocates another memory space to write an entire file with the MZ header and it is opened through the “ShellExecute” API function. Dumping the process in this moment, another piece of code hidden in a resource, which did not exist before the anti-debug trick, emerges:

Figure 10: Resource comparison between the original exe and the self-modified exe

As shown in the above figure, the original file (on the left) presents as resources only the icons and the manifest, instead the self-manipulated file presents a resource called “RCData” with a resource named “__”. It is the encrypted final payload.

Figure 11: Malicious resource retrieving routine

In order to protect itself and to make more difficult the analysis, the malware respawns itself through the “CreateProcessInternalW” API call:

Figure 12: Execution routine of the final payload

Now the real payload is ready to be self-decrypted with a custom internal routine. 

Figure 13: Decoding routine of the final payload

After the decryption routine, the malware copies this new code into another piece of memory through the “memcpy” function. Moreover, in order to validate the correct extraction of the payload, the malware checks if the first two bytes of the memory spare are “0x5A4D” which is “MZ” in ASCII code.

Figure 14: Validation check of the correct decoding of the final payload

Dumping the file, the real payload is unveiled.

The Payload

The extracted payload is a PE file compiled in .NET C# language with the following static information:

Hasha3aa6e220591f05f4e2ecc4f4741ac6b6715ebb2b5c42c2b7bb52142c54be30b
ThreatHawkey Spyware
Brief DescriptionHawkey Spyware obfuscated payload
Ssdeep6144:HuXT5iKKhhSHCMA2g22fB1YbcLetS7iz+K3hk:OXtxc/r1fXrwgil3h

Table 2: Static information about the final payload

The payload sample is obfuscated with the .NET Reactor tool, but the cleared version can be easily restored:

Figure 15: Usage of .NET Reactor obfuscator evidence

Below some static information of the final payload is reported:

Hasha848c84a1306ea7cc4704eced4067db1012c0bf1b9b65f8c04a8379d71464eaa
ThreatHawkey Spyware
Brief DescriptionHawkey Spyware clear payload
Ssdeep6144:37iz+K3hkCAg3JhmkuEFZ+1WjsroyGh0DBabr:Lil3hdhmOF

Table 3: Static information about the cleared version of the final payload

Due to the fact that the payload is written in .NET framework, it is possible to debug the code in order to retrieve all the details of this new sample. The debugging of the sample lets emerge the attribution of the malware, HawkEye.

Figure 16: Recurrent string decryption routine through the usage of Rijndael algorithm

Every sensitive information, string or other information  is encrypted through Rijndael algorithm, as shown in figure 16. Before starting any operation, the malware tries to make a simple evasion trick. It retrievers the username of the victim machine and it compares this one with a series of usernames hardcoded. These usernames are the classical ones adopted by the sandboxes and if one of them is matched, probably the malware is run inside a virtual machine.

Figure 17: Sandbox evasion trick

After the simple check, the info stealer starts to perform its malicious operations. The first malicious operation is the persistence mechanism adopted by the malware:

Figure 18: Persistence mechanism

The persistence is guaranteed through the setting of the classic registry key “HKCU\Software\Microsoft\Windows\CurrentVersion\Run” with the value “C:\Users\Admin\AppData\Roaming\MyApp\MyApp.exe”, having already copied itself in this path. However, it’s important to say that if the malware is launched from the original wrapper, it copies in the “MyApp” path the entire executable, because the payload is executed inside the wrapper process as a thread; instead if only the final payload is executed, only this part is stored. 

Figure 19: Task Manager disabling

A particular auto-protection mechanism adopted by the malware is the disabling the possibility to open the Task Manager process from the user, through the setting of the highlighted registry key in the Figure 19. At this point the malware can start the information stealing routines.

Figure 20: Password retrieving routine from Internet Explorer

The first information retrieved is the password stored inside Internet Explorer through the routine described in the above figure. This is only the starting point: it retrieves all sensitive data and login data from a large list of browsers. A little example is shown in the following figure:

Figure 21: Piece of the browser list harvested by the malware

Below, the complete list:

  • Google Chrome
  • Yandex
  • Comodo Dragon
  • Cool Novo
  • Chromium
  • Torch Browser
  • 7Star
  • Amigo
  • Brave
  • Cent Browser
  • Chedot
  • Coccoc
  • Elements Browser
  • Epic Privacy
  • Kometa
  • Orbitum
  • Sputnik
  • Uran
  • Vivaldi
  • UC Browser
  • Flock Browser

In the same way, the malware looks for other credentials coming from other services, like CoreFTP, FileZilla and JDownloader. The last information stolen by the malware is the registered email accounts on the victim machine. The searched email clients are:

  • Outlook
  • SeaMonkey
  • Postbox
  • Thunderbird

Now, we wanted to deepen the password gathering routine of the malware on the Microsoft Outlook application. So, we created a fake account and we logged on the Microsoft email account software. 

Figure 22: Registry key where it is stored the Microsoft Outlook client user configuration

Themalware retrieves a particular registry key: “HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook”. Inside of it is stored the configuration of the Microsoft Outlook user profile.

Figure 23: Outlook password decryption routine

The method “smethod_50”  in figure 23 shows how is simple to decrypt the password saved in that registry key: it is enough retrieve the array of bytes and use it as parameter, together with the CurrentUser DataProtectionScope,  to the static method provided from the .NET framework, “ProtectedData.Unprotect()”. After that, the harvested information are collected in a list, ready to be sent to the server.

Figure 24: Creation of the list of the gathered accounts

The last action is properly the preparation to send the information to the recipient. As the classic HawkEye malware, the communication protocol designed to transmit the stolen info is SMTP. For this reason the malware needs to use the API provided by the .NET framework in order to  instantiate an SMTP client. Debugging until the right point, the malware configuration are revealed:

Figure 25: SMTP client account configuration

Conclusion 

Hawkeye is nowadays a well known threat. The security firms analyzed in an excellent way the malware and all the infection chain, but this sample, like our latest ones, has the peculiarity to be protected by a complex and evasive packer. 

In the last two posts we saw a tough Delphi packer to analyze, but also this one has some points to analyze that make challenging  the reverse engineering process for the analyst. In the end, we were able to dissect all the malware chain revealing the threat actor exfiltration address.

Further technical details, including IoCs and Yara rules are reported in the analysis published on the Yoroi blog:

https://blog.yoroi.company/research/anti-debugging-techniques-from-a-complex-visual-basic-packer/

Pierluigi Paganini

(SecurityAffairs – anti-debugging, malware)

The post Anti-Debugging Techniques from a Complex Visual Basic Packer appeared first on Security Affairs.

12 dark secrets of cloud security

The promise of cloud computing is irresistible. For pocket change, you can spin up a server. Backups can be created with a click. No more worries about buying hardware or keeping the server closet cool. Just log in and go.

But what you gain in convenience, you lose a little control. And anyone with an ounce of paranoia might start pondering the catch. What’s going on behind the curtain?

(Insider Story)

Security Affairs 2019-07-17 03:53:53

Tesla paid $10,000 a researcher that found a stored cross-site scripting (XSS) vulnerability that could have been exploited to change vehicle information.

The security researcher Sam Curry has earned $10,000 from Tesla after reporting a stored cross-site scripting (XSS) flaw that could have been exploited to obtain vehicle information and potentially modify it.

Curry discovered the issue in the software on his Tesla Model 3. He used the XSS Hunter tool to insert a payload in the “Name Your Vehicle” field in the infotainment system.

The XSS Hunter works by hosting specialized XSS probes which, upon firing, scan the page and send information about the vulnerable page to the XSS Hunter service. 

Curiously Carry discovered the XSS issue months later when he used the mobile app to contact Tesla support after his windshield was cracked by a rock.

He was setting up an appointment when he noticed from the XSS Hunter panel that the flaw was triggered. He discovered that some information about the vehicle was collected from a page of Tesla application that was used to see the vital statistics of the car.

The exposed information included the vehicle’s VIN, speed, temperature, version number, whether it was locked or not, tire pressure, and alerts. The data also included other firmware info such as geofense locations, CAN viewers, and configurations.

“The thing that was very interesting was that live support agents have the capability to send updates out to cars and, most likely, modify configurations of vehicles. My guess was that this application had that functionality based off the different hyperlinks within the DOM,” Curry wrote. “I didn’t attempt this, but it is likely that by incrementing the ID sent to the vitals endpoint, an attacker could pull and modify information about other cars.”

“If I were an attacker attempting to compromise this I’d probably have to submit a few support requests but I’d eventually be able to learn enough about their environment via viewing the DOM and JavaScript to forge a request to do exactly what I’d want to do.” he added.

The researcher reported the flaw to Tesla that acknowledged it and addressed it is only 12 hours. Below the timeline of the flaw:

  • 20 Jun 2019 06:27:30 UTC – Reported
  • 20 Jun 2019 20:35:35 UTC – Triaged, hot fix
  • 11 Jul 2019 16:07:59 UTC – Bounty and resolution

Curry was awarded $10,000 for reporting the flaw to Tesla.

“Looking back, this was a very simple issue but understandably something that could’ve been overlooked or regressed somehow. Although I’m unsure of the exact impact of the vulnerability, it seems to have been substantial and at the very least would’ve allowed an attacker to view live information about vehicles and likely customer information,” Curry concludes.

Pierluigi Paganini

(SecurityAffairs – Tesla, XSS)

The post appeared first on Security Affairs.

Flaw in Iomega, LenovoEMC NAS devices exposes millions of files on the Internet

A vulnerability in legacy Iomega and LenovoEMC network-attached storage (NAS) devices has led to many terabytes of potentially sensitive data being accessible to anyone via the Internet. About Iomega and LenovoEMC Iomega Corporation was acquired in 2008 by EMC. In 2013, Iomega became LenovoEMC – a joint venture between Lenovo and EMC Corporation – and Iomega’s products were rebranded under the new name. Iomega’s and LenovoEMC’s storage products were aimed at small and medium-sized businesses. … More

The post Flaw in Iomega, LenovoEMC NAS devices exposes millions of files on the Internet appeared first on Help Net Security.

Security Affairs 2019-07-17 02:18:54

Threat actors used the Extembro DNS-changer Trojan in an adware campaign to prevent users from accessing security-related websites.

Security experts at Malwarebytes observed an adware campaign that involved the Extembro DNS-changer Trojan to prevent users from accessing websites of security vendors.

“Recently, we uncovered a new DNS-changer called Extenbro that comes with an adware bundler. These DNS-changers block access to security-related sites, so the adware victims can’t download and install security software to get rid of the pests.” reads the post published by Malwarebytes.

The Extenbro Trojan is delivered by a bundler that is tracked by the security firm as Trojan.IStartSurf.

The Extenbro Trojan is used to change the DNS settings, victims can only notice that it adds four DNS servers to the Advanced DNS tab in Windows.

extenbro trojan

To malware gain persistence by creating a randomly-named Scheduled Task that points to a fixed-location folder.

The Extenbro Trojan adds a certificate to the set of Windows Root certificates, it has no “Friendly Name” and experts believe it was registered to abose[at]reddit[dot]com.

The malware also disables IPv6 by changing the registry value DisabledComponents under the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters. Thus, it forces the system to use the new DNS servers.

On top of that, the Trojan makes a change in the Firefox user.js file and configures the browser to use the Windows Certificate Store where its root certificate was added.

The Extenbro Trojan also modifies the Firefox user.js file and sets the security.enterprise_roots.enabled setting to true, in this way it forces Firefox to use the Windows Certificate Store that includes the newly-added root certificate.

The analysis published by Malwarebytes includes the removal instructions.

To restore their DNS settings, users should remove the DNS entries added by the malware from the DNS advanced settings without rebooting the system.

“To get to your security sites, you may need a restart of the browser. Do NOT reboot your system or the DNS servers might be changed for the worse again by the Scheduled Task that belongs to the Trojan. If your existing solution does not pick up on the malware, download  Malwarebytes to your desktop.” concludes the analysis.

To restore Firefox to the initial settings, users should type about:config in the address bar, search for security.enterprise_roots.enabled and change it to the default setting, “False.”

Pierluigi Paganini

(SecurityAffairs – Extembro Trojan, adware)

The post appeared first on Security Affairs.

Turla APT group adds Topinambour Trojan to its arsenal

Kaspersky researchers revealed that since earlier this year, Russia-linked APT group Turla used new variants of the KopiLuwak Trojan in targeted attacks.

Security experts at Kaspersky revealed that the Russia-linked APT group Turla used new variants of the KopiLuwak Trojan in targeted attacks since early 2019.

The Turla APT group (aka SnakeUroburosWaterbugVenomous Bear and KRYPTON) has been active since at least 2007 targeting diplomatic and government organizations and private businesses in the Middle East, Asia, Europe, North and South America and former Soviet bloc nations.

The list of previously known victims is long and includes also the Swiss defense firm RUAG, US Department of State, and the US Central Command.

In the past months, security experts reported the APT group has been updating its arsenal. In May, ESET experts revealed that Turla has been using a sophisticated backdoor, dubbed LightNeuron, to hijack Microsoft Exchange mail servers.

Now Kaspersky published a detailed analysis of a new modular tool dubbed Topinambour (aka Sunchoke – the Jerusalem artichoke). Kaspersky researchers also found .NET and PowerShell versions of the KopiLuwak Trojan that was involved in targeted attacks since the beginning of this year. 

Topinambour is spread via tainted legitimate software installers, the dropper includes a tiny .NET shell that is used to deliver commands to the target machine and deliver other modules via SMB.

“Using this and SMB shares on rented virtual private servers (VPS), the campaign operators spread the next-stage modules using just “net use” and “copy” Windows shell commands. It’s hard to believe, but SMB still works through public networks.” reads the analysis published by Kaspersky.

“These campaign-related VPSs are located in South Africa. Interestingly, their external IP addresses start with “197.168”. Possibly these first two bytes are there to mimic LAN addresses that start with “192.168”

The dropper sample analyzed by the experts is able to deliver the payload to a specific location, gain persistence for the malicious code with a scheduled task that starts every 30 minutes, and drop the original application the dropper tries to mimic. 

The tiny .NET shell dropped on the target system connects the C2 server and fetches the KopiLuwak dropper, that gains persistence and drops a JavaScript file that leads to the final stage Trojan.

Recent operations also involved another .NET Trojan along with the KopiLuwak JavaScript, it was called RocketMan and supports commands to download/upload a file, and to halt the Trojan activity. 

Hackers also used a PowerShell Trojan tracked as MiamiBeach, it differs from the RocketMan Trojan due to its ability to take a screenshot.

“The reason behind the development of KopiLuwak’s PowerShell and .NET analogues may be simply to minimize detection of the well-knownpublicly discussed JavaScript versions.” concludes Kaspersky.

“Using the Windows system registry to store encrypted data that is later used by the malware also seems to be aimed at minimizing detection and reducing the digital footprint on any victim’s computer, where only a tiny starter would be left,”

Pierluigi Paganini

(SecurityAffairs – Turla APT, Topinambour)

The post Turla APT group adds Topinambour Trojan to its arsenal appeared first on Security Affairs.

Over 80% of network teams play a role in security efforts

More than 4 in 5 IT teams are involved in security efforts, and a majority of them report an increase of at least 25 percent in time spent on these efforts over the past 12 months, according to Viavi. The most striking conclusion is that network-based conversation wire data has become the top data source for security incidents, with its use tripling, demonstrating that threat levels have driven enterprises to seek the most reliable forensic … More

The post Over 80% of network teams play a role in security efforts appeared first on Help Net Security.

Singapore’s IT Security Outlook

Singapore continues to be a role model when it comes to the fight towards cybersecurity readiness in Southeast Asia. The city-state has learned a lot from last year’s SingHealth data breach, that brought Singapore into the stage of renewed cybersecurity renewal. Singapore established bug bounty programs, now in its 3rd edition this year 2019, its leaders are also establishing new policies for “interim” technical measures that will hopefully lessen the attractiveness of the country in future cyber attacks.

Singapore’s public sector is now in full swing with its core project implementation of automated email filtering. When it comes to determining if the email is legitimately safe to open, the use of automated anti-spam and anti-phishing tools is more time-efficient. Of course, humans operating the computers will always be the front liners when it comes to any cybersecurity initiative, hence, massive public sector campaigns through user retraining programs are now being implemented across the city-state’s public sector and government agencies.

The initiative is under the supervision of Teo Chee Hean, a Senior Minister and concurrently a Coordinating Minister for National Security. His agency released initial findings, confirming threats, not only the public sector of the island nation but also against private enterprises. Minister Hean established a committee that will evaluate the progress of various government agencies to be fully compliant to the IT security policy set at the wake of SingHealth incident of 2018.

For Singapore, everything starts from the awareness, readiness, and eagerness of public servants in the area of safe computing habits. Regular IT audits are also in full swing which hopefully will address weaknesses in the public sector’s networks and computers. From the perspective of the Chief Information Officer (CIO)/Chief Information Security Officer (CISO), the move to cloud computing goes beyond “cost reduction measures” and gives control over IT-related assets.

Singapore is no different from the rest of the world, which cannot stop the march of cloud-computing. It is where the trade-off between security/privacy and convenience of accessibility of data is re-evaluated by each organization engaging with cloud-computing platforms. Cloud assumes that the security department will have veto power. It may or may not actually be. However, if you do not give too much veto power, you will make mistakes. For example, even if it is “compliance” (that is, important confidential information that can not be placed in the cloud environment), IT vendors immediately start selling “certified solutions” (in fact, such solutions already exist.)

In Cloud computing, it considers data (that is, confidential information) to be as liquid. We can control the flow of this liquid and let it flow in the desired river. User data is like gas, and behaving like gas is a new concept. The data will spread to fill the area being processed, true but really troublesome for any IT professional trying to secure devices in an organization. The convenience of information processing may be lost due to confidentiality. It is not clear if this fact could be learned from the information security of the past 20 years. If only one method can ensure the necessary convenience, the user is willing to adopt that method, even using a USB memory. To think that data (information) resembles a gas just because users do their own risk assessments related to policy violations. If the important data can be put into the cloud environment and work that leads to the improvement of the convenience of the company can be realized, users who are employees (good or bad) will try to take the risk of putting data into the cloud environment.

Also Read,

Singapore’s Countermeasure in Security Its Financial Sector

Singapore’s Healthcare Industry Has Been Attacked

Business Interruption Again Top Business Risk in Singapore

The post Singapore’s IT Security Outlook appeared first on .

The importance of hardening firmware security

It’s no secret that attackers traditionally go after low-hanging fruit when hacking a system. Historically, this has meant targeting user applications, and, for deeper persistence, the operating system (OS) kernel to gain control. But, as OS security has advanced, it’s become more difficult to compromise an OS with any kind of persistent kernel rootkit. As a result, hackers (and researchers) have moved below the OS level and are now targeting firmware – most notably the … More

The post The importance of hardening firmware security appeared first on Help Net Security.

Enterprises catching up with the explosion of cloud use and shadow IT in the workplace

Businesses worldwide are gaining control of previously unmonitored and unsupported cloud applications and devices, known as shadow IT, that lurk in their IT environments, according to the 2019 Duo Trusted Access Report. The average number of organizations protecting cloud apps with Duo surged 189 percent year-over-year, indicating that enterprises are catching up with the explosion of cloud use and shadow IT in the workplace. In addition, the frequency of out-of-date devices has dropped precipitously, hardening … More

The post Enterprises catching up with the explosion of cloud use and shadow IT in the workplace appeared first on Help Net Security.

Companies still don’t understand the importance of DMARC adoption

By implementing DMARC, brands lower the odds of their domains being spoofed and used for phishing attacks on recipients. Still, 79.7% of all domains analyzed have no DMARC policy in place, according to 250ok. The result of a domain not implementing any form of DMARC policy is exposing its recipients to possible phishing attacks and, unsurprisingly, 91% of all cyber attacks begin with a phishing email. Phishing and spoofing attacks against consumers are likely to … More

The post Companies still don’t understand the importance of DMARC adoption appeared first on Help Net Security.

As cyber attacks increase, the cloud-based database security market grows

The cloud-based database security market is expected to register a CAGR of 19.5% over the forecast period 2019-2024, according to ResearchAndMarkets. With the increasing adoption of Big Data platforms and relational databases becoming the prime target for data thieves, the demand for cloud-based database security is expected to gain traction. Key highlights There has been increasing volumes of data being generated from information-escalated applications like storage and mining of huge or commercial data. These applications … More

The post As cyber attacks increase, the cloud-based database security market grows appeared first on Help Net Security.

New satellite constellations aim to improve IoT connectivity options

By 2024, there will be 24 million IoT connections made via satellite, ABI Research reveals. A new report unveils the long-term opportunity within the satellite space for the growth of IoT deployments, particularly in application verticals, such as agriculture and asset tracking, that are dealing with the unreliability of terrestrial infrastructures. “Terrestrial cellular networks only cover 20% of the Earth’s surface, while satellite networks can cover the entire surface of the globe, from pole to … More

The post New satellite constellations aim to improve IoT connectivity options appeared first on Help Net Security.

McAfee ATR Aids Police in Arrest of the Rubella and Dryad Office Macro Builder Suspect

Everyday thousands of people receive emails with malicious attachments in their email inbox. Disguised as a missed payment or an invoice, a cybercriminal sender tries to entice a victim to open the document and enable the embedded macro. This macro then proceeds to pull in a whole array of nastiness and infect a victim’s machine. Given the high success rate, malicious Office documents remain a preferred weapon in a cyber criminal’s arsenal. To take advantage of this demand and generate revenue, some criminals decided to create off-the-shelf toolkits for building malicious Office documents. These toolkits are mostly offered for sale on underground cybercriminal forums.

Announced today, the Dutch National High-Tech Crime Unit (NHTCU) arrested an individual suspected of building and selling such a criminal toolkit named the Rubella Macro Builder. McAfee Advanced Threat Research spotted the Rubella toolkit in the wild some time ago and was able to provide NHTCU with insights that proved crucial in its investigation. In the following blog we will explain some of the details we found that helped unmask the suspected actor behind the Rubella Macro Builder.

What is an Office Macro Builder?

An Office Macro Builder is a toolkit designed to weaponize an Office document so it can deliver a malicious payload by the use an obfuscated macro code that purposely tries to bypass endpoint security defenses. By using a toolkit dedicated to this purpose, an actor can push out higher quantities of malicious documents and successfully outsource the first stage evasion and delivery process to a specialized third party. Below is an overview with the general workings of an Office Macro Builder. The Defense evasion shown here is specific to Rubella Office Macro Builder. Additional techniques can be found in other builders.

Dutch Language OpSec fail….

Rubella Macro Builder is such a toolkit and was offered by an actor by the same nickname “Rubella”. The toolkit was marketed with colorful banners on different underground forums. For the price of 500 US Dollars per month you could use his toolkit to weaponize Office documents that bypass end-point security systems and deliver a malicious payload or run a PowerShell Code of your choice.

Rubella advertisement banner

In one of Rubella’s forum postings the actor was detailing the toolkit and that it managed to bypass the Windows Anti Malware Scan Interface (AMSI) present in Windows 10. To prove this success, the post contained a link to a screenshot. Being a Dutch researcher, this screenshot immediately stood out because of the Dutch version of Microsoft Word that was used. Dutch is a very uncommon language, only a small percentage of the world’s population speaks it, let alone an even smaller percentage of cybercriminals who use it.

The linked screenshot with the Dutch version of Microsoft Word.

Interestingly enough we reported last year on the individuals behind Coinvault ransomware. One of the reasons they got caught was the use of flawless Dutch in their code. With this in the back of our minds we decided to go deeper down the rabbit hole.

Forum Research

We looked further into the large amount of posts by Rubella to learn more about the person behind the builder. The actor Rubella was actually promoting a variety of different, some self-written, products and services, ranging from (stolen) credit card data, a crypto wallet stealer and a malicious loader software to a newly pitched product called Tantalus ransomware-as-a-service.

During our research we were able to link different nicknames used by the actor on several forums across a timespan of many years. Piecing it all together, Rubella showed a classic growth pattern of an aspiring cybercriminal, started by gaining technical security knowledge on beginner forums with low op-sec and gradually moved to some of the bigger, exclusive forums to offer products and services.

PDB path Breitling

One of the posts Rubella placed on a popular hacker forum was promoting a piece of free software the actor coded to spoof email. The posting contained a link to VirusTotal and included a SHA-256 hash of the software. This gained our interest since it provided a possibility to link the adversary to the capability.

Email spoofer posting including the VirusTotal link 

Closer examination of the piece of software on VirusTotal showed that the mail Spoofer contained a debug or PDB path “C:\Users\Breitling”. Even though the username Breitling isn’t very revealing about an actual person, leaving such a specific PDB path within malware is a classic mistake.

By pivoting on the specific PDB path we found additional samples on VirusTotal, including a file that was named RubellaBuilder.exe, which was a version of the Macro builder that Rubella was offering. Later in the blog post we will take a closer look at the builder itself.

Finding additional samples with the Breitling PDB path

Since Breitling was most likely the username used on the development machine, we were wondering if we could find Office documents that were crafted on the same machine and thus also containing the author name Breitling. We found an Office document with Breitling as author and the document happened to be created with a Dutch version of Microsoft Word.

The Word document containing the author name Breitling.

Closer inspection of the content of the Word document revealed that it also contained a string with the familiar Jabber account of Rubella; Rubella(@)exploit.im.

The Malicious document containing the string with the actor’s jabber account.

Circling back to the forums we found an older posting under one of the nicknames we could link to Rubella. In this posting the actor is asking for advice on how to add a registry key using C#. They placed another screenshot to show the community what they were doing. This behavior clearly shows a lack of skill but at the same time his thirst for knowledge.

Older posting where the actor asks for help.

A closer look at the screenshot revealed the same PDB path C:\Users\Breitling\.

Screenshot with the Breitling PDB path

Chatting with Rubella

Since Rubella was quite extroverted on the underground forums and had stated Jabber contact details in advertisements we decided to carefully initiate contact with him in the hope that we would get access to some more information. About a week after we added Rubella to our Jabber contact list, we received a careful “Hi.” We started talking and posing as a potential buyer, carefully mentioning our interest the Rubella Macro Builder. During this chat Rubella was quite responsive and as a real businessperson, mentioned that he was offering a new “more exclusive” Macro Builder named Dryad. Rubella proceeded to share a screenshot of Dryad with us.

Screenshot of Dryad shared by Rubella

 Eventually we ended our conversation in a friendly manner and told Rubella we would be in touch if we remained interested.

Dryad Macro Builder

Based on the information provided from the chat with Rubella we performed a quick search for Dryad Macro Builder. We eventually found a sample of the Dryad Macro Builder and decided to further analyze this sample and compare it for overlap with the Rubella Macro Builder.

PE Summary

We noticed that the program was coded in .NET Assembly which is usually a preferred language for less skilled malware coders.

Dynamic Analysis

When we ran the application, it asked us to enter a login and password in order to run.

We also noticed a number-generated HWID (Hardware-ID) that was always the same when running the app. The HWID number is a unique identifier specific to the machine it was running on and was used to register the app.

When trying to enter a random name we detected a remote connection to the website ‘hxxps://tailoredtaboo.com/auth/check.php’ to verify the license.

The request is made with the following parameters ‘hwid=<HWID>&username=<username>&password=<password>’.

Once the app is running and registered it shows the following interface.

In this interface it is possible to see the function proposed by the app and it was similar to the screenshot that was shared during our chat.

Basically, the tool allows the following:

  • Download and execute a malicious executable from an URL
  • Execute a custom command
  • Type of payload can be exe, jar, vbs, pif, scr
  • Modify the dropped filename
  • Load a stub for increase obfuscation
  • Generate a Word or Excel document

It contains an Anti-virus Evasion tab:

  • Use encryption and modify the encryption key
  • Add junk code
  • Add loop code

It also contains a tab which is still in development:

  • Create Jscript or VBscript
  • Download and execute
  • Payload URL
  • Obfuscation with base64 and AMSI bypass which are not yet developed.

Reverse Engineering

The sample is coded in .Net without any obfuscation. We can see in the following screenshot the structure of the file.

Additionally, it uses the Bunifu framework for the graphic interface. (https://bunifuframework.com/)

Main function

The main function launches the interface with the pre-configuration options. We can see here the link to putty.exe (also visible in the screenshots) for the payload that needs to be changed by the user.

Instead of running an executable, it is also possible to run a command.

By default, the path for the stub is the following:

We can clearly see here a link with Rubella.

Licensing function

To use the program, it requires a license, that the user has to enter from the login form.

The following function shows the login form.

To validate the license the program will perform some check and combine a Hardware ID, a username and a password.

The following function generates the hardware id.

It gets information from ‘Win32_Processor class’ to generate the ID.

It collects information from:

  • UniqueId: Globally unique identifier for the processor. This identifier may only be unique within a processor family.
  • ProcessorId: Processor information that describes the processor features.
  • Name: This value comes from the Processor Version member of the Processor Information structure in the SMBIOS information.
  • Manufacturer: This value comes from the Processor Manufacturer member of the Processor Information structure.
  • MaxClockSpeed: Maximum speed of the processor, in MHz.

Then it will collect information from the ‘Win32_BIOS class’.

  • Manufacturer: This value comes from the Vendor member of the BIOS Information structure.
  • SMBIOSVersion: This value comes from the BIOS Version member of the BIOS Information structure
  • IdentificationCode: Manufacturer’s identifier for this software element.
  • SerialNumber: Assigned serial number of the software element.
  • ReleaseDate: Release date of the Windows BIOS in the Coordinated Universal Time (UTC) format of YYYYMMDDHHMMSS.MMMMMM(+-)OOO.
  • Version: Version of the BIOS. This string is created by the BIOS manufacturer.

Then it will collect information from the ‘Win32_DiskDrive class’.

  • Model: Manufacturer’s model number of the disk drive.
  • Manufacturer: Name of the disk drive manufacturer.
  • Signature: Disk identification. This property can be used to identify a shared resource.
  • TotalHead: Total number of heads on the disk drive.

Then it will collect information from the ‘Win32_BaseBoard class’.

  • Model: Name by which the physical element is known.
  • Manufacturer: Name of the organization responsible for producing the physical element.
  • Name,
  • SerialNumber

Then it will collect information from the ‘Win32_VideoController class’.

  • DriverVersion
  • Name

With all that hardware information collected it will generate a hash that will be the unique identifier.

This hash, the username and password will be sent to the server to verify if the license is valid. In the source code we noticed the tailoredtaboo.com domain again.

Generate Macro

To generate a macro the builder is using several parts. The format function shows how each file structure is generated.

The structure is the following:

To save the macro in the malicious doc it uses the function ‘SaveMacro’:

Evasion Techniques

Additionally, it generates random code to obfuscate the content and adds junk code.

The function GenRandom is used to generate random strings, chars as well as numbers. It is used to obfuscate the macro generated.

It also uses a Junk Code function to add junk code into the document:

For additional obfuscation it uses XOR encryption as well as Base64.

Write Macro

Finally, the function WriteMacro, writes the content previously configured:

 

Under construction

We did also notice that the builder uses additional functions that were still under development, as we can see with the “Script Generator” tab.

A message is printed when we click on it and that indicates it is still a function in development.

Additionally, we can see the “Decoy Option” tab which is just a template to create another tab. The tab does not show anything. It seems the author left this tab to create another one.

Rubella Similarities

Dryad is very similar to the Rubella Builder; many hints present in the code confirm the conversation we had with Rubella. Unlike Rubella, Dryad did have a scrubbed PDB path.

Both Rubella builder and Dryad Builder are using the Bunifu framework for the graphic design.

The license check is also the same function, using the domain tailoredtaboo.com, Below is the license check function from the Rubella builder:

Tailoredtaboo.com Analysis

We analyzed the server used to register the builder and discovered additional samples:

Most of these samples were Word documents generated with the builder.

A quick search into the domain Tailoredtaboo showed that it had several subdomains, including a control panel on a subdomain named cpanel.tailoredtaboo.com.

The cPanel subdomain had the following login screen in the Dutch language.

The domain tailoredtaboo.com has been linked to malicious content in the past. On Twitter the researcher @nullcookies reported in April 2018 that he found some malicious files hosted on the specific domain. In the directory listing of the main domain there were several files also mentioning the name Rubella.

TailoredTaboo.com mentioned on Twitter

 

Based on all the references, and the way the domain Tailoredtaboo.com was used, we believe that the domain plays a central administrative role for both Rubella and Dryad Macro Builder and can provide insight into the customers of both Macro Builders

Conclusion

Toolkits that build weaponized Office documents, like Dryad and Rubella, cater to the increasing cybercriminal demand of this type of infection vector. With the arrest of the suspect comes an end to the era of Dryad and Rubella Macro Builder. Based on his activity, the suspect looked like quite the cybercriminal entrepreneur, but given his young age this is also a worrisome thought. If only he would have used his skills for good. The lure of quick cash was apparently more enticing than building a solid long-term career. We at McAfee never like to see young talented individuals heading down a dark path.

Indicators of Compromise

URL / Website:

hxxps://tailoredtaboo.com/auth/check.php

Hash Builder:

  • Dryad: 7d1603f815715a062e18ae56ca53efbaecc499d4193ea44a8aef5145a4699984
  • Rubella: 2a20d3d9ac4dc74e184676710a4165c359a56051c7196ca120fcf8716b7c21b9

Hash related samples:

93db479835802dc22ba5e55a7915bd25f1f765737d1efab72bde11e132ff165a

ad2f9ef7142a43094161eae9b9a55bfbb6dff85d890d1823e77fc4254f29ef17

c2c2fdcc36569f6866e19fcda702c823e7bf73d5ca394652ac3a0ccc6ff9c905

3c55e54f726758f5cb0d8ef81be47c6612dba5a73e3a29f82b73a4c773e691a3

74c8389f20e50ae3a9b7d7e69f6ae7ed1a625ccc8bb6a52b3cc435cf94e6e2d3

388ee9bc0acaeec139bc17bceb19a94071aa6ae43af4ec526518b5e1f1f38f07

08694ad23cafe45495fa790bfdc411ab5c81cc2412370633a236c688b07d26aa

428a30b8787d2ba441dba1dbc3acbfd40cf7f2fc143131a87a93f27db96b7a75

93db479835802dc22ba5e55a7915bd25f1f765737d1efab72bde11e132ff165a

c777012abe224126dca004561619cb0791096611257099058ece1b8d001277d0

5b773acad7da2f33d86286df6b5e95ae355ac50d143171a5b7ee61d6b3cad6d5

a17e3c2271a94450a7a7c6fcd936f177fc40ea156de4deafdfc14fd5aadfe503

1de0ebc0c375332ec60104060eecad77e0732fa2ec934f483f330110a23b46e1

b7a86965f22ed73de180a9f98243dc5dcfb6ee30533d44365bac36124b9a1541

The post McAfee ATR Aids Police in Arrest of the Rubella and Dryad Office Macro Builder Suspect appeared first on McAfee Blogs.

42Crunch new solution allows orgs to automate API security across Kubernetes environments

API security leader and creator of the industry’s first API Firewall – 42Crunch – announced the latest release of its API security platform with full support for Kubernetes environments. This new solution allows organizations to easily automate API security across Kubernetes environments – enabling the zero-trust architecture needed to protect each microservice, and scale without risk. The rapid adoption of microservices architectures and Kubernetes lead to proliferation of APIs exposed by these microservices. Developers employ … More

The post 42Crunch new solution allows orgs to automate API security across Kubernetes environments appeared first on Help Net Security.

Vade Secure’s Auto-Remediate adds automated protection for Office 365 environments

Vade Secure, the global leader in predictive email defense, announced the availability of Auto-Remediate for Vade Secure for Office 365. The new feature extends Vade Secure’s AI-based threat detection and mitigation capabilities, providing MSPs and small businesses with comprehensive, continuous, and automated protection before, during, and after the attack. Leveraging Vade’s real-time view of emerging global threats from 600 million mailboxes, Auto-Remediate automatically removes any malicious messages from users’ inboxes, mitigating attacks before they disrupt … More

The post Vade Secure’s Auto-Remediate adds automated protection for Office 365 environments appeared first on Help Net Security.

Back to Basics: Infosec for Small and Medium Sized Businesses

Too many small and medium-sized businesses (SMBs) are under the belief that purchasing “This One Product” or “This One Managed Service” will provide all the security their network requires. If this were true, large corporations with huge IT budgets would never have data breaches! Before you start buying expensive new technology to protect your office […]… Read More

The post Back to Basics: Infosec for Small and Medium Sized Businesses appeared first on The State of Security.

Aqua Security deepens strategic relationship with Microsoft to accelerate Azure deployments

Aqua Security, a leading platform provider for securing container-based, serverless and cloud native applications, announced a new Private Offer capability enabling software licensing and procurement directly through Microsoft Azure Marketplace, allowing customers to utilize existing purchasing methods in place for Azure services. Aqua now offers a choice of flexible software acquisition models that allow customers to purchase licenses on Azure the way that works best for them. Software purchased directly from Aqua can easily be … More

The post Aqua Security deepens strategic relationship with Microsoft to accelerate Azure deployments appeared first on Help Net Security.

Trend Micro’s Deep Security as a Service now available on the Microsoft Azure Marketplace

Trend Micro, a global leader in cybersecurity solutions, announced the availability of its leading cloud solution, Deep Security as a Service, on the Microsoft Azure Marketplace. Launching at Microsoft’s Inspire 2019 event, this Trend Micro offering enables organizations to combine the benefits of security software-as-a-service (SaaS) with the convenience of consolidated cloud billing and usage-based, metered pricing. “Our priority is to make cloud security as effortless as possible, which starts by meeting IT users and … More

The post Trend Micro’s Deep Security as a Service now available on the Microsoft Azure Marketplace appeared first on Help Net Security.

Karamba Security implements its security software on Alpine infotainment systems

Karamba Security, a world leader in automotive and enterprise edge cybersecurity, announced the signing of a production agreement of its leading Carwall runtime integrity software, in Alpine infotainment systems. The platform provides an ECU self-protection against remote code execution (RCE), helping to protect vehicles from cyberattacks. Protection against cyberattacks is critical in order to safeguard customer safety in the connected and autonomous vehicle era. Such exploits of in-memory vulnerabilities can jeopardize customer safety by controlling … More

The post Karamba Security implements its security software on Alpine infotainment systems appeared first on Help Net Security.

RISC-V Soft CPU Contest challenges designers to develop a hardware secure RISC-V soft CPU solution

The RISC-V Foundation, a non-profit corporation controlled by its members to drive the adoption and implementation of the free and open RISC-V instruction set architecture (ISA), announced the call for submissions for the RISC-V Soft CPU Contest. The aim of the contest is to challenge designers to develop a hardware secure RISC-V soft CPU solution that can thwart malicious software security attacks. The contest is sponsored by RISC-V Foundation members Microchip Technology Inc. and Thales. … More

The post RISC-V Soft CPU Contest challenges designers to develop a hardware secure RISC-V soft CPU solution appeared first on Help Net Security.

Ingram Micro chooses AvePoint as a global Modern Workplace Accelerate partner

AvePoint and Ingram Micro jointly announced the formation of a new global relationship. As part of this relationship, Ingram Micro will list AvePoint’s solutions to migrate, manage and backup data in Office 365 and Dynamics 365 in all of its Cloud Marketplaces around the world at discounted rates for managed service providers (MSPs) who qualify under Ingram Micro’s new Modern Workplace Accelerate program. Modern Workplace Accelerate is a global program designed to simplify the complexity … More

The post Ingram Micro chooses AvePoint as a global Modern Workplace Accelerate partner appeared first on Help Net Security.

Alfresco Migration Service to help orgs move off legacy platforms and migrate to the cloud

Alfresco Software, a commercial, open source software company, launched the Alfresco Migration Service to help enterprises move off outdated, legacy platforms, while mitigating the risk of migrating content to the cloud. Alfresco has completed many migrations and, based on this experience, created the Migration Service with a migration toolkit, skilled consultancy, and a robust 5-week process. Today’s enterprises need the modern deployment capabilities, hyper-scale and agility of the cloud and yet remain concerned about the … More

The post Alfresco Migration Service to help orgs move off legacy platforms and migrate to the cloud appeared first on Help Net Security.

T-Mobile launches Roambee BeeAware, a narrowband IoT asset tracking solution

T-Mobile is now in the asset tracking business. T-Mobile for Business will sell the first asset tracking solution, Roambee BeeAware, on a Narrowband IoT (NB-IoT) network in the United States. This moment marks the next stage of development for the IoT market. High-value asset tracking is a perfect match for America’s first NB-IoT network: Cost: When a company deploys hundreds, if not thousands, of asset trackers, device and service costs can add up quickly. No-hit … More

The post T-Mobile launches Roambee BeeAware, a narrowband IoT asset tracking solution appeared first on Help Net Security.

Eurofins’ testwizard system to provide automated testing for Niko Home Control

Eurofins Digital Testing, a global leader in end-to-end quality assurance (QA) and testing services, announced it was selected by Niko, a leader in residential and commercial switching material and smart home products, to provide automated quality assurance and device interoperability testing for Niko’s premier smart home solution. Specifically, Niko will use Eurofins’ testwizard system as a total, end-to-end test solution for their IoT home automation system, Niko Home Control. Niko Home Control is a state-of-the … More

The post Eurofins’ testwizard system to provide automated testing for Niko Home Control appeared first on Help Net Security.

DefenseStorm raises $15M to invest in employees and innovation

DefenseStorm, a leading cloud-based cybersecurity and cybercompliance management provider to regional and community banks and credit unions, announced that it has raised $15M in a Series A financing round led by Georgian Partners. Justin LaFayette, Managing Partner at Georgian Partners, will join the DefenseStorm board of directors. In addition to the investment, DefenseStorm will engage with the Georgian Impact team to accelerate the adoption of applied artificial intelligence and trust. The Georgian Impact team comprises … More

The post DefenseStorm raises $15M to invest in employees and innovation appeared first on Help Net Security.

Five chief IT security executives join RiskSense’s new Technology Advisory Board

RiskSense, pioneering risk-based vulnerability management and prioritization, announced that five leading chief IT security executives have joined the company’s new Technology Advisory Board. Each will bring a unique perspective on security, privacy and risk management to the Board. “Each of our advisory board members are highly respected practitioners, thought leaders and advocates that have made significant contributions to advance IT security over the course of their careers,” said Dr. Srinivas Mukkamala, co-founder and CEO of … More

The post Five chief IT security executives join RiskSense’s new Technology Advisory Board appeared first on Help Net Security.

Sprint revealed that hackers compromised some customer accounts via Samsung site

US telecommunications company Sprint revealed that hackers compromised an unknown number of customer accounts via the Samsung.com “add a line” website.

The mobile network operator Sprint disclosed a security breach, the company revealed that hackers compromised an unknown number of customer accounts via the Samsung.com “add a line” website.

“On June 22, Sprint was informed of unauthorized access to your Sprint account using your account credentials via the Samsung.com “add a line” website.” reads a letter sent to the customers by the company. “We take this matter, and all matters involving Sprint customer’s privacy, very seriously.”

The information exposed in the data breach includes the phone number, device type, device ID, monthly recurring charges, subscriber ID, account number, account creation date, eligibility, first and last name, billing address, and add-on services.

Sprint us mobile

According to the company, exposed data don’t expose customers to a substantial risk of fraud or identity theft, but in my humble opinion, such kind of information could be used for several malicious purposes.

In response to the incident, on June 25 the mobile network operator reset PIN codes of its users.

The US telecommunications company did not reveal the number of affected customers.

Sprint recommends affected clients to take all the precautionary steps necessary to prevent identity theft and other fraudulent activities as recommended by the Federal Trade Commission (FTC):

As a precautionary measure, we recommend that you take the preventative measures that are recommended by the Federal Trade Commission (FTC) to help protect you from fraud and identity theft.” concludes the letter. “These preventative measures are included at the end of this letter. You may review this information on the FTC’s website at www.ftc.gov/idtheft and www.IdentityTheft.govor contact the FTC directly by phone at 1-877-438-4338 or by mail at 600 Pennsylvania Avenue, NW, Washington, DC 20580.”

Pierluigi Paganini

(SecurityAffairs – Sprint, data breach)

The post Sprint revealed that hackers compromised some customer accounts via Samsung site appeared first on Security Affairs.

A flaw in discontinued Iomega/Lenovo NAS devices exposed millions of files

Experts at Vertical Structure and WhiteHat Security discovered a serious flaw that exposed millions of files stored on thousands of exposed Lenovo NAS devices.

An analysis conducted by researchers at Vertical Structure and WhiteHat Security allowed discovering a vulnerability in discontinued Iomega/Lenovo NAS devices, tracked as CVE-2019-6160, that exposed millions of files.

The discovery was made in the fall of 2018 querying the Shodan search engine and revealed 5,114 devices storing over 3 million files. The issue exposed roughly 20,000 documents, 13,000 spreadsheets, 13,000 text files and 405,000 pictures. Some of the documents contained sensitive information, including card numbers and financial records.

IOmega NAS devices flaw 3

The experts believe the actual number of exposed systems could be much greater because they were able to identify only 5,114 devices.

“Vertical Structure was able to find about 13,000 spreadsheet files indexed, with 36 terabytes of data available. The number of files in the index from scanning totaled to 3,030,106.” states a blog post published by WhiteHat Security.

“Within these files, there was a significant amount of files with sensitive financial card numbers and financial records. Vertical Structure was able to track down the source, a legacy Iomega storage product acquired by EMC and co-branded Lenovo-EMC in a joint venture.”

The vulnerability could have been exploited by a remote, unauthenticated attacker to access the files stored on the NAS devices by sending a specially crafted request via an API that was not protected with any authentication mechanism. The experts pointed out that the devices did not leak data through their web interface.

The exploitation of the issue could be automated by developing a script that scans the internet for vulnerable Iomega/Lenovo NAS devices and sends crafted requests to the vulnerable ones.

After the researchers from Vertical Structure and WhiteHat reported their findings to Lenovo, the company pulled three versions of the affected software out of retirement to solve the issue.

“A vulnerability in Iomega and LenovoEMC NAS products could allow an unauthenticated user to access files on NAS shares via the API.” reads the advisory published by Lenovo.

In October 2018, experts at Lenovo discovered nine vulnerabilities affecting discontinued Iomega and LenovoEMC NAS devices that could be exploited by unauthenticated attackers to access protected content.

Pierluigi Paganini

(SecurityAffairs – NAS devices, hacking)



The post A flaw in discontinued Iomega/Lenovo NAS devices exposed millions of files appeared first on Security Affairs.

Photo Shared via iPhone Leads to JetBlue Evacuation

Photo Shared via iPhone Leads to JetBlue Evacuation

Passengers heading to Tampa, Florida, experienced an unusual delay on Tuesday. Those on board a JetBlue flight out of Newark, New Jersey, were evacuated after a person used the AirDrop feature on the Apple phone to send an image of a suicide vest to multiple iOS devices on the plane, according to the Daily News

Several passengers on the flight surprisingly received the image through Apple’s AirDrop feature, which allows users to share content with nearby devices through Bluetooth technology. Given that the person delivering the photo had to be within Bluetooth range, it was presumably a passenger as the plane had already left the gate and was on the runway waiting for takeoff, the report suggested. 

There’s no real way to trace a Bluetooth MAC address to an individual or their device unless all devices were confiscated from the passengers on the flight, according to Dr. Richard Gold, head of security engineering at Digital Shadow. “Even then, it’s unlikely you’d be able to figure the originating MAC address without forensically examining the devices which received the pictures.”

The issue is just the latest concern with Bluetooth. There have been a number of reports of people abusing the AirDrop feature on iOS devices that uses Bluetooth technology to send unwanted photos of various natures to unsuspecting receivers since the feature was introduced in 2011, Gold said. 

In addition to being difficult to trace, people typically leave the Bluetooth function on, said Chris Morales, head of security analytics at Vectra. “I used to admittedly walk around with my laptop scanning for exposed Bluetooth listening devices and could send commands to the owner. It is very easy. The easiest way to not receive things over Bluetooth is to require a pin for connectivity or to just turn it off.”  

Zoom Vulnerability

The Zoom conferencing app has a vulnerability that allows someone to remotely take over the computer's camera.

It's a bad vulnerability, made worse by the fact that it remains even if you uninstall the Zoom app:

This vulnerability allows any website to forcibly join a user to a Zoom call, with their video camera activated, without the user's permission.

On top of this, this vulnerability would have allowed any webpage to DOS (Denial of Service) a Mac by repeatedly joining a user to an invalid call.

Additionally, if you've ever installed the Zoom client and then uninstalled it, you still have a localhost web server on your machine that will happily re-install the Zoom client for you, without requiring any user interaction on your behalf besides visiting a webpage. This re-install 'feature' continues to work to this day.

Zoom didn't take the vulnerability seriously:

This vulnerability was originally responsibly disclosed on March 26, 2019. This initial report included a proposed description of a 'quick fix' Zoom could have implemented by simply changing their server logic. It took Zoom 10 days to confirm the vulnerability. The first actual meeting about how the vulnerability would be patched occurred on June 11th, 2019, only 18 days before the end of the 90-day public disclosure deadline. During this meeting, the details of the vulnerability were confirmed and Zoom's planned solution was discussed. However, I was very easily able to spot and describe bypasses in their planned fix. At this point, Zoom was left with 18 days to resolve the vulnerability. On June 24th after 90 days of waiting, the last day before the public disclosure deadline, I discovered that Zoom had only implemented the 'quick fix' solution originally suggested.

This is why we disclose vulnerabilities. Now, finally, Zoom is taking this seriously and fixing it for real.

Businesses Shine a Light on Shadow IT

Businesses Shine a Light on Shadow IT

The issues surrounding shadow IT that have long plagued security because of unmonitored and unsupported cloud applications and devices are increasingly coming under proper control, according to the 2019 Duo Trusted Access Report

The report found that threats from applications and devices that have traditionally been lurking in IT environments are being mitigated through the implementation of a zero-trust model. Enterprises appear to be catching up with cloud expansion and addressing concerns of shadow IT because the report found that the average number of organizations protecting cloud apps reportedly surged 189% year-over-year.

The report assessed the security of thousands of the world’s largest and fastest-growing organizations and examined 24 million devices used for work. Research showed that the use of out-of-date devices has dropped precipitously, which could be a function of the ever-growing remote workforce. According to today’s press release, a third of all work is done on a mobile device, a 10% increase year-over-year. In turn, organizations are hardening mobile defenses against malware. 

In addition, biometric verification has seen a double-digit jump to more than 77% of business devices, and organizations are outright rejecting authentication based on policies for location-rooted devices, device locks not enabled or a lack of disk encryption.

“Without proper protections, such as strong user authentication and device hygiene checks, accessing business applications from mobile devices can increase exposure to threats that exploit user identities,” the press release said.

As organizations continue to experience shifts in digital transformation, they are enforcing security controls that establish user and device trust through a zero-trust security model. 

“For years, security teams have had little visibility into the cloud applications users were accessing and the personal devices they were using,” said Wendy Nather, head of advisory CISOs at Duo. “The findings in this report make clear that security leaders are taking back control of these apps and devices thanks to a zero-trust approach to security. This approach, in many cases, even allows organizations to adapt quickly to pending threats.”

US Coast Guard Issued Cyber-Safety Alert

US Coast Guard Issued Cyber-Safety Alert

The US Coast Guard recommended that ships update their cybersecurity strategies after a malware attack “significantly” degraded the computer systems of a deep draft vessel in February, according to a press release

In the marine safety alert, the Coast Guard wrote that the vessel involved in the February cyber incident was inbound to the Port of New York and New Jersey during an international trip when it reported that its onboard network was being impacted by a cyber incident.

The Coast Guard responded, and after an analysis conducted alongside an “interagency team of cyber experts” it concluded that while the functionality of the boat’s computer system was impacted, control systems were not. The computer system was used for managing cargo data and communicating with the Coast Guard and shore-side facilities.

“Prior to the incident, the security risk presented by the shipboard network was well known among the crew. Although most crew members didn’t use onboard computers to check personal email, make online purchases or check their bank accounts, the same shipboard network was used for official business – to update electronic charts, manage cargo data and communicate with shore-side facilities, pilots, agents, and the Coast Guard,” the alert said.

Targeting governmental and military assets will continue to be valuable for those seeking to disrupt our society, said Tim Mackey, principal security strategist for the Cybersecurity Research Center at Synopsys

“This incident highlights lessons for everyone to take – whether you’re in government or in a corporate setting – vigilance starts with preparedness. All systems contain weaknesses, and software systems are no different. An up-to-date inventory of all software assets, including versions, origins and update procedures, is a bare minimum operational requirement for deployed software,” said Mackey. 

“This asset inventory should also include a detailed accounting for all known weaknesses, and procedures should be in place to ensure newly disclosed weaknesses or vulnerabilities are amended to the inventory. The goal of this process to ensure that systems are both patched and that the potential attack surface for the asset can be quantified. Armed with this information, threat models can be created which then guide mitigation efforts.”

How to cost-effectively manage and secure a mobile ecosystem

Today’s post was written by Roxane Suau, Vice President of Marketing for Pradeo.

In the corporate environment, mobile devices and applications are at the center of communications, enhancing collaborators’ productivity with 24/7 access to information. But at the same time, they represent thousands of direct entry points to organizations’ information systems, exposing critical data to the wide spectrum of mobile threats.

Our increasingly connected world is driving up the volume of cyberattacks targeting mobility. In 2017, there were 42 million attack attempts on mobile devices registered globally, and this number keeps growing.

While data protection laws urge companies to ensure mobile data privacy, security teams are struck with the challenge of protecting mobile devices, applications, and files while maintaining the flexibility collaborators need to be efficient.

The booming of mobility

According to a Gartner survey, nearly 80 percent of employees haven’t received employer-issued smartphones and more than 50 percent of them exclusively use their personal mobile device in the workplace (BYOD).

As organizations are more and more flexible regarding working tools and locations, employees often access business data and applications from home or public space using their mobile device, by connecting to unsecure networks.

Usually, cybercriminals leverage three vectors to infiltrate mobile devices: applications, the network, and the operating system (OS). Threats operating at the applicative level, such as leaky and malicious applications, are by far the most common and represent 78 percent of all attacks. Attacks perpetrated through the network and the OS count for 12 percent and 10 percent, respectively.

Enterprise mobility has led to the obsolescence of standard network security solutions historically used by companies, as they don’t cover the perimeter of mobile devices and applications. In recent years, the Mobile Threat Defense (MTD) technology has taken over.

Microsoft Intune unified endpoint management + Pradeo Security Mobile Threat Defense

Microsoft and Pradeo (a member of the Microsoft Intelligent Security Association) joined forces a few years ago to pursue a common goal: enable a productive and safe connected workspace.

To help companies set up a more secure and compliant environment, Microsoft Intune, a unified endpoint management platform, offers the functionalities necessary to manage and secure mobile devices and applications. Furthermore, it extends the activation of mobile security capabilities through partner integrations.

Pradeo Security Mobile Threat Defense (MTD) is designed to work with Intune to protect smartphones, tablets, mobile apps, and data. The solution relies on a behavioral analysis engine to precisely detect all actions performed on mobile devices (malware, data leakage, network exploit, OS manipulation). When activated in Intune, customers deploy the Pradeo Security agent on mobile devices to ensure their 360-degree real-time protection.

Pradeo stands out from other MTD solutions, which perform score-based risk evaluation, by being the only vendor on the market that offers an accurate mobile threat detection. Intune customers benefit from Pradeo’s precise threat detection directly in their UEM platform, strengthening their organization’s mobile security posture in the most cost-efficient way.

About Pradeo

Pradeo is a global leader of mobile security and a member of the Microsoft Intelligent Security Association. It offers services to protect the data handled on mobile devices and applications, and tools to collect, process, and get value out of mobile security events.

Pradeo’s cutting-edge technology has been recognized as one of the most advanced mobile security technology by Gartner, IDC, and 37 other research firms in 2018. It provides a reliable detection of mobile threats to prevent breaches and reinforce compliance with data privacy regulations.

For more details, visit www.pradeo.com or write to contact@pradeo.com.

Note: Users must be entitled separately to Pradeo and Microsoft licenses as appropriate.

The post How to cost-effectively manage and secure a mobile ecosystem appeared first on Microsoft Security.

Could a Dropped USB Drive Expose You to Malware?

USB drives seem harmless enough and they’re a convenient way to store, back up, or transfer files from your computer. So If you spot a USB drive sitting on the ground or in your office, should you assume someone lost their files? Or is it a hacker baiting you into compromising your computer and network?

On the latest episode of “Hackable?” Geoff learns if USB drives are dangerous and — with the help of white-hat hacker Tim Martin — sets his own trap for Pedro. Listen and learn how to protect your network from dropped drives, and if Pedro takes the bait.

Listen now to the award-winning podcast “Hackable?”.

The post Could a Dropped USB Drive Expose You to Malware? appeared first on McAfee Blogs.

Could a Dropped USB Drive Expose You to Malware?

USB drives seem harmless enough and they’re a convenient way to store, back up, or transfer files from your computer. So If you spot a USB drive sitting on the ground or in your office, should you assume someone lost their files? Or is it a hacker baiting you into compromising your computer and network?

On the latest episode of “Hackable?” Geoff learns if USB drives are dangerous and — with the help of white-hat hacker Tim Martin — sets his own trap for Pedro. Listen and learn how to protect your network from dropped drives, and if Pedro takes the bait.

Listen now to the award-winning podcast “Hackable?”.

The post Could a Dropped USB Drive Expose You to Malware? appeared first on McAfee Blogs.

Meet the World’s Biggest ‘Bulletproof’ Hoster

For at least the past decade, a computer crook variously known as “Yalishanda,” “Downlow” and “Stas_vl” has run one of the most popular “bulletproof” Web hosting services catering to a vast array of phishing sites, cybercrime forums and malware download servers. What follows are a series of clues that point to the likely real-life identity of a Russian man who appears responsible for enabling a ridiculous amount of cybercriminal activity on the Internet today.

Image: Intel471

KrebsOnSecurity began this research after reading a new academic paper on the challenges involved in dismantling or disrupting bulletproof hosting services, which are so called because they can be depended upon to ignore abuse complaints and subpoenas from law enforcement organizations. We’ll get to that paper in a moment, but for now I mention it because it prompted me to check and see if one of the more infamous bulletproof hosters from a decade ago was still in operation.

Sure enough, I found that Yalishanda was actively advertising on cybercrime forums, and that his infrastructure was being used to host hundreds of dodgy sites. Those include a large number of cybercrime forums and stolen credit card shops, ransomware download sites, Magecart-related infrastructure, and a metric boatload of phishing Web sites mimicking dozens of retailers, banks and various government Web site portals.

I first encountered Yalishanda back in 2010, after writing about “Fizot,” the nickname used by another miscreant who helped customers anonymize their cybercrime traffic by routing it through a global network of Microsoft Windows computers infected with a powerful malware strain called TDSS.

After that Fizot story got picked up internationally, KrebsOnSecurity heard from a source who suggested that Yalishanda and Fizot shared some of the same infrastructure.

In particular, the source pointed to a domain that was live at the time called mo0be-world[.]com, which was registered in 2010 to an Aleksandr Volosovyk at the email address stas_vl@mail.ru. Now, normally cybercriminals are not in the habit of using their real names in domain name registration records, particularly domains that are to be used for illegal or nefarious purposes. But for whatever reason, that is exactly what Mr. Volosovyk appears to have done.

WHO IS YALISHANDA?

The one or two domain names registered to Aleksandr Volosovyk and that mail.ru address state that he resides in Vladivostok, which is a major Pacific port city in Russia that is close to the borders with China and North Korea. The nickname Yalishanda means “Alexander” in Mandarin (亚历山大).

Here’s a snippet from one of Yalishanda’s advertisements to a cybercrime forum in 2011, when he was running a bulletproof service under the domain real-hosting[.]biz:

-Based in Asia and Europe.
-It is allowed to host: ordinary sites, doorway pages, satellites, codecs, adware, tds, warez, pharma, spyware, exploits, zeus, IRC, etc.
-Passive SPAM is allowed (you can spam sites that are hosted by us).
-Web spam is allowed (Hrumer, A-Poster ….)

-Forbidden: Any outgoing Email spam, DP, porn, phishing (exclude phishing email, social networks)

There is a server with instant activation under botnets (zeus) and so on. The prices will pleasantly please you! The price depends on the specific content!!!!

Yalishanda would re-brand and market his pricey bulletproof hosting services under a variety of nicknames and cybercrime forums over the years, including one particularly long-lived abuse-friendly project aptly named abushost[.]ru.

In a talk given at the Black Hat security conference in 2017, researchers from cyber intelligence firm Intel 471 labeled Yalishanda as one the “top tier” bulletproof hosting providers worldwide, noting that in just one 90-day period in 2017 his infrastructure was seen hosting sites tied to some of the most advanced malware contagions at the time, including the Dridex and Zeus banking trojans, as well as a slew of ransomware operations.

“Any of the actors that can afford his services are somewhat more sophisticated than say the bottom feeders that make up the majority of the actors in the underground,” said Jason Passwaters, Intel 471’s chief operating officer. “Bulletproof hosting is probably the biggest enabling service that you find in the underground. If there’s any one group operation or actor that touches more cybercriminals, it’s the bulletproof hosters.”

Passwaters told Black Hat attendees that Intel471 wasn’t convinced Alex was Yalishanda’s real name. I circled back with Intel 471 this week to ask about their ongoing research into this individual, and they confided that they knew at the time Yalishanda was in fact Alexander Volosovyk, but simply didn’t want to state his real name in a public setting.

KrebsOnSecurity uncovered strong evidence to support a similar conclusion. In 2010, this author received a massive data dump from a source that had hacked into or otherwise absconded with more than four years of email records from ChronoPay — at the time a major Russian online payment provider whose CEO and co-founders were the chief subjects of my 2014 book, Spam Nation: The Inside Story of Organized Cybercrime.

Querying those records on Yalishanda’s primary email address — stas_vl@mail.ru — reveal that this individual in 2010 sought payment processing services from ChronoPay for a business he was running which sold counterfeit designer watches.

As part of his application for service, the person using that email address forwarded six documents to ChronoPay managers, including business incorporation and banking records for companies he owned in China, as well as a full scan of his Russian passport.

That passport, pictured below, indicates that Yalishanda’s real name is Alexander Alexandrovich Volosovik. The document shows he was born in Ukraine and is approximately 36 years old.

The passport for Alexander Volosovyk, a.k.a. “Yalishandra,” a major operator of bulletproof hosting services.

According to Intel 471, Yalishanda lived in Beijing prior to establishing a residence in Vladivostok (that passport above was issued by the Russian embassy in Beijing). The company says he moved to St. Petersburg, Russia approximately 18 months ago.

His current bulletproof hosting service is called Media Land LLC. This finding is supported by documents maintained by Rusprofile.ru, which states that an Alexander Volosovik is indeed the director of a St. Petersburg company by the same name.

ARMOR-PIERCING BULLETS?

Bulletproof hosting administrators operating from within Russia probably are not going to get taken down or arrested, provided they remain within that country (or perhaps within the confines of the former republics of the Soviet Union, known as the Commonwealth of Independent States).

That’s doubly so for bulletproof operators who are careful to follow the letter of the law in those regions — i.e., setting up official companies that are required to report semi-regularly on various aspects of their business, as Mr. Volosovik clearly has done.

However, occasionally big-time bulletproof hosters from those CIS countries do get disrupted and/or apprehended. On July 11, law enforcement officials in Ukraine announced they’d conducted 29 searches and detained two individuals in connection with a sprawling bulletproof hosting operation.

The press release from the Ukrainian prosecutor general’s office doesn’t name the individuals arrested, but The Associated Press reports that one of them was Mikhail Rytikov, a man U.S. authorities say was a well-known bulletproof hoster who operated under the nickname “AbdAllah.”

Servers allegedly tied to AbdAllah’s bulletproof hosting network. Image: Gp.gov.ua.

In 2015, the U.S. Justice Department named Rytikov as a key infrastructure provider for two Russian hackersVladimir Drinkman and Alexandr Kalinin — in a cybercrime spree the government called the largest known data breach at the time.

According to the Justice Department, Drinkman and his co-defendants were responsible for hacks and digital intrusions against NASDAQ, 7-Eleven, Carrefour, JCP, Hannaford, Heartland, Wet Seal, Commidea, Dexia, JetBlue, Dow Jones, Euronet, Visa Jordan, Global Payment, Diners Singapore and Ingenicard.

Whether AbdAllah ever really faces justice for his alleged crimes remains to be seen. Ukraine does not extradite citizens, as the U.S. authorities have requested in this case. And we have seen time and again how major cybercriminals get raided and detained by local and federal authorities there, only to quickly re-emerge and resume operations shortly thereafter, while the prosecution against them goes nowhere.

Some examples of this include several Ukrainian men arrested in 2010 and accused of running an international crime and money laundering syndicate that used a custom version of the Zeus trojan to siphon tens of millions of dollars from hacked small businesses in the U.S. and Europe. To my knowledge, none of the Ukrainian men that formed the core of that operation were ever prosecuted, reportedly because they were connected to influential figures in the Ukrainian government and law enforcement.

Intel 471’s Passwater said something similar happened in December 2016, when authorities in the U.S., U.K. and Europe dismantled Avalanche, a distributed, cloud-hosting network that was rented out as a bulletproof hosting enterprise for countless malware and phishing attacks.

Prior to that takedown, Passwater said, somehow an individual connected to Avalanche who went by the nickname “Sosweet” got a tip about an impending raid.

“Sosweet was raided in December right before Avalanche was taken down, [and] we know that he was tipped off because of corruption [because] 24 hours later the guy was back in service and has all his stuff back up,” Passwater said.

The same also appears to be true for several Ukrainian men arrested in 2011 on suspicion of building and disseminating Conficker, a malware strain that infected millions of computers worldwide and prompted an unprecedented global response from the security industry.

So if a majority of bulletproof hosting businesses operate primarily out of countries where the rule of law is not strong and/or where corruption is endemic, is there any hope for disrupting these dodgy businesses?

Here we come full circle to the academic report mentioned briefly at the top of this story: The answer seems to be — like most things related to cybercrime — “maybe,” provided the focus is on attempting to interfere with their ability to profit from such activities.

That paper, titled Platforms in Everything: Analyzing Ground-Truth Data on the Anatomy and Economics of Bulletproof Hosting, was authored by researchers at New York University, Delft University of Technology, King Saud University and the Dutch National High-Tech Crimes Unit. Unfortunately, it has not yet been released publicly, and KrebsOnSecurity does not have permission yet to publish it.

The study examined the day-to-day operations of MaxiDed, a bulletproof hosting operation based in The Netherlands that was dismantled last summer after authorities seized its servers. The paper’s core findings suggest that because profit margins for bulletproof hosting (BPH) operations are generally very thin, even tiny disruptions can quickly push these businesses into the red.

“We demonstrate the BPH landscape to have further shifted from agile resellers towards marketplace platforms with an oversupply of resources originating from hundreds of legitimate upstream hosting providers,” the researchers wrote. “We find the BPH provider to have few choke points in the supply chain amenable to intervention, though profit margins are very slim, so even a marginal increase in operating costs might already have repercussions that render the business unsustainable.”

United Kingdom’s NCSC Advisory vs DNS Hijacking Released

The United Kingdom’s National Cyber Security Centre (NCSC) has issued an advisory warning UK citizens using computers and other Internet-connected mobile devices that large-scale DNS hijackings in the Internet are ongoing, and the agency provides simple mitigation advice for IT professionals to implement in their respective areas of coverage. NCSC defined DNS hijacking as an incident where DNS entries of an authoritative DNS server were edited by a 3rd party without permission. Such attack creates an unsafe environment for users, as their traffic get redirected to a false website instead of the genuine website they wish to visit. NCSC highlighted that hackers are concentrating on establishing transparent proxy, Domain hijacking, obtaining TLS certificates without authority and creating malicious DNS records, all without the knowledge of the target victims.

Unfortunately, the majority of what NCSC describes as “Account Take Over” (ATO) cases involve the domain registrar itself, and end-users have nothing to do with it. Though the agency issued a short advice for domain registrars in order to minimize the chance of a take over of their DNS systems by unknown parties. “Registry and Registrar Lock – many registries offer a “registrar lock” service. This lock prevents the domain being transferred to a new owner, without the lock being removed. A “registry lock” (which sometimes involves a fee) is considered an additional level of protection whereby changes cannot be made until additional authentication has taken place which usually involves a call to the owner,” explained the NCSC report.

The focus of heightened alert is for service providers and domain registrars to prioritize offering domain lock for their customers, which comprises of the following functionalities, as directly quoted from NCSC:

  • Prevents the nameservers from being changed;
  • Prevents domain registrant and / or contact details being changed;
  • Prevents the domain from being transferred to another registrar.

DNS server hosting is a regular part of the domain registry and Internet Service Provider business, however, it is not considered as a money-making endeavor. Hence, ISPs and domain registrars are not placing a lot of investment when it comes to securing their DNS infrastructure.

NCSC provided the following security suggestions in order for DNS-hosting organizations to be confident of their DNS server security:

1. Implement DNSSEC

DNSSEC is a security extension that proves the reliability of correspondence information of IP address and host name sent from DNS server. This is to prevent DNS response spoofing attacks such as DNS cache poisoning. In DESSEC, the DNS server that sends the response signs the response using the private key, and the recipient verifies it with the public key. Because you can not sign correctly without the private key, you can detect false responses by verifying the signature. A normal DNS server does not have a means to authenticate the other party, so by supporting DNSSEC, it can have its function.

2. Monitor TLS

TLS certificate creation needs to be done correctly, the “web of trust” truly depends on the level of trust people to the certificate authority. Lost of trust to a certificate authority means lost of business, just like what happened to Diginotar’s and Symantec’s dissolved certificate authority businesses.

3. Auditing and Monitoring

4. Access Control

5. Change Control

Keep evidence – in case your entire domain is hijacked, you’ll need to appeal to your registry for help. Keep extensive records which can be used to prove ownership,” concluded the NCSC report.

 

Also Read, 

What is DNS Security? Why is it Important?

DNS Servers | How to Secure DNS Servers from hacker attacks?

 

The post United Kingdom’s NCSC Advisory vs DNS Hijacking Released appeared first on .

Cybersecurity Hygiene: 8 Steps Your Business Should be Taking

Whether you’re managing your enterprise’s cybersecurity or you’ve outsourced it to a service provider, you’re ultimately the one that will be held accountable for a data breach. If your vendor loses your data, your customers and board of directors will likely still hold you responsible.

McAfee’s recent report, Grand Theft Data II: The Drivers and Shifting State of Data Breaches, reveals a majority of IT professionals have experienced at least one data breach, and on average have dealt with six breaches over the course of their career. Nearly three-quarters of all breaches have required public disclosure or have affected financial results.

Enterprise threats are increasing in number and sophistication, while rapidly targeting new vulnerabilities. And while, the top three vectors for exfiltrating data were database leaks, cloud applications, and removable USB drives, IT professionals are most worried about leaks from cloud enterprise applications such as Microsoft OneDrive, Cisco WebEx, and Salesforce.com.

Cybersecurity hygiene best practices must not only be established but updated and followed to keep up with these agile, versatile threats. Here are eight steps your business should be taking to implement better cybersecurity hygiene:

  1. Educate Your Teams All employees are part of an organization’s security posture. And yet, 61% of IT professionals say their executives expect more lenient security policies for themselves, and 65% of those respondents believe this leniency results in more incidents. Do as I say, not as I do can be dangerous. It’s imperative that you develop a continuing cybersecurity education program for all enterprise teams including best practices for passwords and how to detect phishing emails. Your program should include re-education processes for your IT team on breach targets such as default accounts and missing patches.
  2. Timely Patches and Updates – The Data Exfiltration Report found that IT was implicated in most data breaches, and much of this can be attributed to failures in cybersecurity hygiene, such as the failure to get a security patch out across the enterprise within 24 to 72 hours. Or failing to check that all available updates are accepted on every device. The vulnerabilities these patches and updates are designed to address can remain vulnerable for months despite the availability of the fixes. Cloud and SaaS operations have proven that automated patching testing and deployment works well with minimal downside risk.
  3. Implement Data Loss Policies (DLP) Data loss prevention requires thinking through the data, the applications, and the users. Most security teams continue to operate in isolation, with 81% reporting separate policies or management consoles for cloud access security brokers (CASBs) and data loss prevention (DLP). It is more important than ever to have a set of consistent Data Loss Prevention (DLP) policies that protect data everywhere it’s stored, including the cloud and corporate endpoints, networks, or unmanaged devices.
  4. Pay Attention to Cloud Security Settings – Cloud applications are where the bulk of your data resides, and data is what most cybercriminals are after. As Dev Ops moves more workloads to the cloud your enterprise needs to pay attention to the security setting of the cloud instances it uses and be aware of the security associated with the underlying infrastructure. Many security measures and considerations in the cloud are the same as on-prem, but some are different. Understanding the security of the cloud you choose and the applications that you use in the cloud are a critical part of securely navigating digital transformation.
  5. Technology Integration and Automation – One of the top actions cited for reducing future breach risks is integrating the various security technologies into a more cohesive defense. A lack of integration between security products allows suspicious activity to dwell unnoticed. If an attack is identified and blocked, all entry points should be instantly informed. If a compromised device is detected, security products should automatically scan all other devices for evidence of similar compromise, and quarantine affected systems. Automation allows machines to make these decisions based on policy set by the security team and accelerates time to detection and remediation without incurring material risk of unintended IT consequences.
  6. Deploy and Activate CASB, DLP, EDR – A Cloud Attack Security Broker (CASB) automatically classifies sensitive information, enforces security policies such as data loss prevention, rights management, data classification, threat protection, and encryption. Data Loss Prevention (DLP) safeguards intellectual property and ensures compliance by protecting sensitive data. Endpoint Detection and Response (EDR) can help your enterprise gain visibility into emerging threats with little maintenance and by monitoring endpoint activity, detecting suspicious behavior, making sense of high-value data, and understanding context. EDR can also reduce your need for additional SOC resources.
  7. Run Proper Device Audits –It’s important to regularly review device encryption on all devices including laptops, tablets, and mobile phones. Using multifactor identification strengthens your security beyond common sense steps like evaluating and promoting password strength.
  8. Have an Incident Response Plan – You may have only minutes and hours to act on a cyberattack. Good intentions aren’t enough to effectively respond and remedy a security breach. Be prepared before it happens. An Incident Response Plan is integral in helping your enterprise respond more effectively, reduce business disruptions and a loss of reputation.

For more on how to improve your enterprise’s cybersecurity hygiene using automation, integration, and cloud-based deployment and analytics, check out McAfee MVISION EDR.

The post Cybersecurity Hygiene: 8 Steps Your Business Should be Taking appeared first on McAfee Blogs.

Media File Jacking allows manipulating media files users receive via Android WhatsApp and Telegram

Media File Jacking – Security researchers at Symantec demonstrated how to manipulate media files that can be received via WhatsApp and Telegram Android apps.

Security experts at Symantec devised an attack technique dubbed Media File Jacking that could allow attackers to manipulate media files that can be received via WhatsApp and Telegram Android apps. The issue could potentially affect many other Android apps as well.

The attack technique leverages the fact that any app installed on a device can access and rewrite files saved in the external storage, including the files saved by other apps. Popular apps like WhatsApp and Telegram allow users to choose where to store the file. The researchers pointed out that unlike Telegram for Android.

Anyway, many Telegram users prefer to save their data to external storage using the “Save to Gallery” option.

“The security flaw, dubbed “Media File Jacking”, affects WhatsApp for Android by default, and Telegram for Android if certain features are enabled.” reads the report published by Symantec. “It stems from the lapse in time between when media files received through the apps are written to the disk, and when they are loaded in the apps’ chat user interface (UI) for users to consume.”

A malicious app installed on the recipient’s device can intercept and manipulate media files, including photos, documents, or videos stored on the external storage, that are exchanged between users. The attack is completely transparent for the recipient that is not able to see any suspicious activity.

“The fact that files are stored in, and loaded from, external storage without proper security mechanisms, allows other apps with write-to-external storage permission to risk the integrity of the media files,” continues the analysis. ” Write-to-external storage (WRITE_EXTERNAL_STORAGE) is a common permission requested by Android apps, with over a million apps in Google Play having this access. In fact, based on our internal app data, we found nearly 50% of a given device’s apps have this permission.”

media file jacking attack

Researchers presented four attack scenarios that see a malicious app manipulating media files sent to the recipient:

  1. Image manipulation

The malicious, app downloaded by a user can run in the background to perform a Media File Jacking attack while the victim uses WhatsApp or Telegram and manipulate images in near-real-time.

2.) Payment manipulation

The attackers can manipulate an invoice sent by a vendor to the recipient and trick them into making a payment.

3.) Audio message spoofing

Attackers can use voice reconstruction via deep learning technology to modify the original audio message for malicious purposes.

4.) Spread fake news

In Telegram, attackers can carry out Media File Jacking attacks to alter media files that appear in a trusted channel feed in real-time to spread fake news.

To ensure that media files are kept safe from attackers, Symantec provides the following recommendations:

  • Validate the integrity of files: Store in a metadata file a hash value for each received media file before writing it to the disk. Then, confirm that the file has not been changed (i.e. the hash is the same) before the media file is loaded by the app in the relevant chat portion for users to see. This step can help developers validate that files were not manipulated before they are loaded. This approach balances between the security (protection against Media File Jacking attacks) and functionality (e.g., supporting third party backup apps) needs of the IM apps.
     
  • Internal storage: If possible, store media files in a non-public directory, such as internal storage. This is a measure some IM apps have chosen.
     
  • Encryption: Strive to encrypt sensitive files, as is usually done for text messages in modern IM solutions. This measure, as well as the previous one, will better protect files from exposure and manipulation. The downside is that other apps, such as photo backup apps, won’t be able to easily access these files.

Symantec shared its findings with both Telegram and WhatsApp, the experts explained that the vulnerability will be addressed by Google with the Android Q update.

“With the release of Android Q, Google plans to enact changes to the way apps access files on a device’s external storage. Android’s planned Scoped Storage is more restrictive, which may help mitigate threats like the WhatsApp/Telegram flaw we found.”concludes Symantec. “Scoped Storage means that apps will have their own storage area in an app-specific directory, but will be prevented from accessing files in the entire storage partition, unless an explicit permission is granted by the user.”

Pierluigi Paganini

(SecurityAffairs – Media File Jacking, hacking)

The post Media File Jacking allows manipulating media files users receive via Android WhatsApp and Telegram appeared first on Security Affairs.

Epsiode 537 – Truly Effective Security Programs Are Business Focused

Cybersecurity is technical in nature but it’s really a business problem to solve. This episode how aligning to the business will take your security program to the next level.  Be aware, be safe. Become A Patron! Patreon Page *** Support the podcast with a cup of coffee *** – Ko-Fi Security In Five Don’t forget […]

The post Epsiode 537 – Truly Effective Security Programs Are Business Focused appeared first on Security In Five.

Mysterious hackers steal data of over 70% of Bulgarians

Hackers stole data of millions of Bulgarians, and sent it to local media, According to the media the source could be the National Revenue Agency.

Hackers have exfiltrated data from a Bulgarian government system, likely the National Revenue Agency (NRA), and have shared it with the local media.

The hackers have stolen the personal details of millions of Bulgarians and sent to the local newspaper download links for the archives containing them.

“The link was sent by anonymous hackers via Russian mail servers on Monday to the Bulgarian media. The array of 57 folders contains thousands of files that they claim to be from the Treasury’s servers, probably.” reads the Monitor website.

The National Revenue Agency is investigating the incident and verifying the authenticity of the data.

“The NRA and the specialized bodies of the Ministry of the Interior and the State Agency for National Security (SANS) check the potential vulnerability of the National Revenue Agency’s computer system.” reads a statement published by the NRA.

“Earlier today, emails of certain media have been sent a link to download files allegedly belonging to the Bulgarian Ministry of Finance. We are currently verifying whether the data is real.”

The hackers claim to have breached Treasury’s servers and have exfiltrated data from more than 110 databases. More than 5 million Bulgarian and foreign citizens are affected, consider that the country has a population composed of 7 million people.

“Your government is slow to develop, your state of cybersecurity is parodyous,” wrote the hackers.

The hacker bragged about stealing 110 databases from NRA’s network, totaling nearly 21 GB. The hacker only shared 57 databases, comprising 11GB of data out of 21 aggregate data with local news outlets but promised to release the rest in the coming days.

“Perhaps the biggest leak of personal data in Bulgaria. That’s how the 57-folder contains more than a thousand files that anonymous hackers sent to Bulgarian media on Monday.” reported the Capital website. “Upon reviewing the information, Capital has opened databases with more than 1 million rows containing PINs, names, addresses, and even earnings.”

Most of the data is very old, in some cases, information is dated back as far as 2007.

Hackers also leaked information from Department Civil Registration and Administrative Services (GRAO), Bulgaria’s customs agency, the National Health Insurance Fund (NZOK), and data from the Bulgarian Employment Agency (AZ).

The email was sent by an email address belonging to the Russian service Yandex.ru. The message sent to local media by hackers ends with a quote by WikiLeaks founder Julian Assange and calls for his release.

“Your government is stupid. Your is a parody.” closes the email.

Immediately after the leak of the data, the Democratic Bulgaria opposition party demanded the resignation of Finance Minister Vladislav Goranov.

It seems that cyber security for Bulgarian government services is very poor, tt the end of June, Bulgarian police arrested the IT expert Petko Petrov after he publicly demonstrated a security vulnerability in the kindergarten software used by local kindergartens.

Pierluigi Paganini

(SecurityAffairs – Bulgarians, hacking)

The post Mysterious hackers steal data of over 70% of Bulgarians appeared first on Security Affairs.

Edge Feature Section

Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book

Evite Reveals Security Incident Potentially Involving Unauthorized Access

Social-planning website Evite has revealed a security incident that potentially involved unauthorized access to its systems. Evite first became aware of the security incident back in April 2019. It responded by retaining a data forensics firm to launch a thorough investigation into the event. This effort uncovered malicious activity that had been present on its […]… Read More

The post Evite Reveals Security Incident Potentially Involving Unauthorized Access appeared first on The State of Security.

NCSC in DNS Warning as Hijackers Focus on Home Routers

NCSC in DNS Warning as Hijackers Focus on Home Routers

The UK’s National Cyber Security Centre (NCSC) has issued a warning about DNS hijacking threats, as reports emerge of widespread attacks in Brazil affecting 180,000 users.

The NCSC posted the advisory on Friday as a follow-up to one issued in January. DNS hijacking attackers typically take control of an authoritative DNS server, change the entries stored there and in so doing covertly redirect users to servers under their control, in a Man in the Middle attack.

This is what happened in the DNSpionage campaign revealed earlier this year and the Sea Turtle attacks which Cisco Talos last week claimed are still ongoing.

However, DNS hijackers are also targeting consumers with a slightly different modus operandi, Avast revealed in a recent blog post.

These attacks look to modify the settings on home routers, potentially via cross-site request forgery (CSRF) web-based attacks, so that they use rogue DNS servers. Once again, the end goal is to secretly redirect the user to a phishing page or one capable of installing malware on their machine.

Avast claims to have blocked over 4.6m CSRF attacks during February and March alone in Brazil, adding that 180,000 users have had their DNS hijacked in the first half of 2019.

The initial CSRF attack often happens via malvertising when a user visits a compromised website.

“When visiting a compromised site, the victim is unknowingly redirected to a router exploit kit landing page, which is usually opened in a new window or tab, initiating the attack on the router automatically, without user interaction,” it said.

“In general, the exploit kit attempts to find the router IP on a network, and subsequently attempts to guess the password using various login credentials. Once the hacker successfully logs into the router, the exploit kit attempts to alter the router’s DNS settings using various CSRF requests.”

GhostDNS, Navidade and SonarDNS are the three exploit kits being used in these attacks. Once a rogue DNS server is installed, the attackers look to monetize their efforts via phishing to steal Netflix and banking credentials from consumers; replacing good ads with malicious ones to steal traffic for profit; and installing browser-based crypto-jacking scripts.

Avast urged consumers to stay on the latest router firmware version; use strong and unique log-ins for online banking and routers; and to check their banking sites have a valid certificate.

iOS URL Scheme expose users to App-in-the-Middle attack

Security experts at Trend Micro have discovered that iOS URL scheme could allow an attacker to hijack users’ accounts via App-in-the-Middle attack.

Security experts at Trend Micro devised a new app-in-the-middle attack that could be exploited by a malicious app installed on iOS devices to steal sensitive data from other applications. The attack exploits the implementations of the Custom URL Scheme.

Apple iOS implements a sandbox mechanism to prevent that each app could access data of the other ones installed on the device.

Apple also implements some methods to allow sending and receiving limited data between applications, including the URL Scheme (aka Deep Linking). The method could allow developers to launch an app through URLs (i.e. facetime://, whatsapp://, fb-messenger://).

For example, a user can click on “Contact us via Whatspp” within an app, launches the WhatsApp app installed on the device passing the necessary information to authenticate the user.

Experts explained how to abuse the URL Scheme for malicious purposes that could potentially expose users to attacks.

Trend Micro pointed out that iOS allows one single URL Scheme to be used by multiple apps allowing malicious apps to exploit the URL Scheme.

iOS allows one single URL Scheme to be claimed by multiple apps. For instance, Sample:// can be used by two completely separate apps in their implementation of URL Schemes. This is how some malicious apps can take advantage of the URL Scheme and compromise users.” reads the analysis published by Trend Micro.

“Apple addressed the issue in later iOS versions (iOS 11), where the first-come-first-served principle applies, and only the prior installed app using the URL Scheme will be launched. However, the vulnerability can still be exploited in different ways.”

The vulnerability is very dangerous when the login process of app A is associated with app B, the image below shows the attack scenario:

ios custom url scheme

When the Suning app users access their e-commerce account using WeChat, it generates a login-request and sends it to the WeChat app installed on the same device using the iOS URL Scheme for the messaging app. The WeChat app received the login request and in turn requests a login token from its server that sends it back to the Suning app.

The experts discovered that since Suning always uses the same login-request query and WeChat does not authenticate the source of the login request, an attacker could carry out aapp-in-the-middle attack via the iOS URL Scheme.

“With the legitimate WeChat URL Scheme, a fake-WeChat can be crafted, and Suning will query the fake one for Login-Token. If the Suning app sends the query, then the fake app can capture its Login-Request URL Scheme.” continues the analysis. “WeChat recognizes it, but it will not authenticate the source of the Login-Request. Instead, it will directly respond with a Login-Token to the source of the request. Unfortunately, the source could be a malicious app that is abusing the Suning URL scheme.”

The discovery demonstrates that an attacker using a malicious app with the same Custom URL Scheme as a targeted app can trick them into sharing users’ sensitive data with it.

“In our research, plenty of apps that our system audited were found taking advantage of this feature to show ads to victims. Potentially malicious apps would intentionally claim the URL Scheme associated with popular apps: wechat://, line://, fb://, fb-messenger://, etc. We identified some of these malicious apps,” explained the researchers.

Experts remarked that the URL Scheme cannot be used for the transfer of sensitive data. 

Pierluigi Paganini

(SecurityAffairs – URL scheme, hacking)

The post iOS URL Scheme expose users to App-in-the-Middle attack appeared first on Security Affairs.

Researcher releases PoC code for critical Atlassian Crowd RCE flaw

A researcher has released proof-of-concept code for a critical code execution vulnerability (CVE-2019-11580) in Atlassian Crowd, a centralized identity management solution providing single sign-on and user identity. Atlassian plugged the hole in late May, but administrators that failed to implement it should consider doing so now, as full-fledged exploits are likely to pop up soon. About the vulnerability (CVE-2019-11580) Atlassian Crowd allows enterprise admins to manage users from Active Directory, LDAP, OpenLDAP or Microsoft Azure … More

The post Researcher releases PoC code for critical Atlassian Crowd RCE flaw appeared first on Help Net Security.

NHS Still Running 2000+ XP Computers

NHS Still Running 2000+ XP Computers

The NHS still has over 2,000 machines running Windows XP, the government had revealed, despite official support for the operating system running out in 2014.

The figures came in response to a parliamentary written question tabled by Jo Platt, the shadow Cabinet Office minister.

Parliamentary under secretary of state at the Department of Health, Jackie Doyle-Price, replied that the health service was running around 2300 XP computers as of July this year.

Platt criticized the figures as an indictment of the government’s failure to prioritize cybersecurity.

“The government is seriously lacking the leadership, strategy and co-ordination we need across the public sector to keep us and our data safe and secure. How many more warnings will it take before they listen and take action?” she said.

“The next Labour government will provide not only the resourcing but also the vital leadership, organization and dedication needed to get our public sector fit and resilient to fight the cyber-threats of the 21st century.”

The NHS was famously caught out by the WannaCry ransomware worm of 2017, which affected around a third of trusts and led to the cancellation of an estimated 19,000 operations and appointments.

Despite repeated warnings, and patches being made available by Microsoft, even for XP, systems were not updated quickly enough, leading to the ensuing chaos which is said to have cost the NHS around £92m to clean-up.

However, the government has been taking steps to address the problems, with a £150m cash injection announced last year said to be for Windows 10 upgrades, along with other measures.

Doyle-Price was also keen to put the 2300 figure in context: the NHS runs a total of around 1.4 million computers.

“This equates to 0.16% of the NHS estate,” she said. “We are supporting NHS organizations to upgrade their existing Microsoft Windows operating systems, allowing them to reduce potential vulnerabilities and increase cyber resilience.”

A report from Centrify last week revealed that the NHS has successfully repelled over 11.3 million email-based cyber-attacks over the past three years.

UK Mid-Sized Firms Lost £30bn to Attacks in 2018

UK Mid-Sized Firms Lost £30bn to Attacks in 2018

Cybersecurity incidents have cost UK mid-market firms a combined £30bn over the past year as automated attacks become the norm, according to Grant Thornton.

The accounting and consulting giant interviewed 500 UK business leaders from firms with revenue of between £15m and £1bn to compile its latest study, Cyber security: the board report.

It revealed that more than half of those polled had reported losses of between 3-10% of revenue following a cybersecurity breach. For those hit hardest, losses were up to 25% of revenue.

Reputational loss (58%) was the most commonly reported impact of a cyber-attack, followed by clean-up costs (45%), management time (44%), loss of turnover (39%), and customer churn/behavior change (35%).

Part of the problem is that many mid-market firms still believe they are able to avoid the scrutiny of cyber-criminals, and therefore pay less attention to security best practice.

Less than a third (31%) claimed to follow minimum cybersecurity standards, versus 46% of large companies; just half (48%) conduct risk assessments versus 69% in larger enterprises; and 55% do cyber health checks compared to 64%.

Risks will only increase as automated attack techniques grow in popularity – enabling vulnerability identification, credential stuffing, and open source information scraping en masse.

“It’s the equivalent of thieves driving down a street to see who’s left their door open. Criminals exploit the vulnerable networks they identify or sell the list of promising targets on to others eager to exploit the opportunity. If your defenses are not up to scratch, you could already be on a list,” argued Grant Thornton head of cybersecurity, James Arthur.

“The reality is that it’s not the size or profile of a business that attracts the interest of cyber-criminals. They have increasingly sophisticated targeting tools and are using these to launch an increasing volume of attacks against anyone who looks like they have weak defenses. It’s not personal – it’s just business.”

Putting cyber risk on the board agenda is one of the best ways to regain the initiative and minimize the chances of a successful attack, but challenges persist, the consultancy claimed.

Only two-fifths (41%) of respondents claimed to have an incident response plan in place, and even fewer (37%) said their board formally reviews cybersecurity, or that there’s a security-specific role on the board (37%). Just 36% said they had provided all staff with security training over the past year.

In most cases the board member with responsibility for cyber is the CIO (31%), CTO (23%), CEO (16%) or CFO (15%). Chief security officer doesn’t feature at all.

Why PCI DSS Compliance Is Important For Smartcards?

As more and more people are conducting their everyday financial transaction needs through the use of smartcards, that is the reality on the ground. People use less cash, and the growing demand for the use of debit/credit cards is globally speaking the release of EMV cards to replace magnetic stripe cards are not yet fully implemented. Hence the PCI DSS Goals and Requirements are established in order to guide the financial sector.

The six goals with their corresponding requirements are enumerated below:

1. Build and maintain secure networks and systems:

Install and maintain a firewall to protect cardholder data

This is the responsibility of system administrators and their team of IT staff. The smartcard itself is just a frontend, the “magic” of using a piece of plastic card in on its backend, the servers that supports the electronic transactions. Both the merchant and the bank are connected by this network that is expected to run 24/7, as ecommerce never stops as office hours stop.

Do not use vendor-supplied defaults for system passwords and other security parameters

Trouble comes with the “default”, there is a term in the IT support industry called the “tyranny of the default”, where the end-user are totally dependent on the default values. Default values for passwords are documented in the web, never use them for a production system.

2. Protect cardholder data

Protect stored cardholder data

Physical security is still one of the strongest security to implement. But immediately succeeding it is the stored data itself that gets read and written through machines like ATMs and POS terminals. It is the full responsibility of banks and merchants that their terminals fully comply with the current security standards.

Encrypt when transmitting cardholder data over an open public network

This is a common practice across the industry, no one will trust a merchant with non-encrypted POS, and no one will ever transact with a bank that has no reasonable implementation of encryption standards practice all around the world for securing their customer’s data.

3. Maintenance of vulnerability management program

Protect all systems as malware and update anti-virus software regularly

Malware infection vulnerability is the very reason why POS and ATM machines are usually running a variant of the Unix and Linux operating systems. This is due to the number of malware available in the Windows platform, it is not recommended for use in merchandising and banking purposes.

Develop and maintain highly secure systems and applications

Many banks maintain their old but still dependable Unix systems, some banks even uses the decades-old mainframe systems for the same reason, security.

4. Introducing powerful access control methods

Restrict access to cardholder data to the extent necessary for business

Also known as user account control, only those bank employees and merchant staff tasks with handling data of customers should have access to customer information.

Identify and authenticate access to system components

Aside from time-tested vaults, banks using their Unix/Linux systems have elaborate components that work together in a secure fashion.

Restrict physical access to cardholder data

Same as number 7, however, securing data on the card is itself is the full responsibility of the owner. Misuse of the card does not make the bank responsible for fraudulent transactions.

5. Regular monitoring and testing of the network

  • Track and monitor all access to network resources and cardholder data
  • Test security systems and processes regularly

6. Development of information security policy

  • Develop a policy to support information security for all personnel

Also, Read:

Cybersecurity Risk Readiness Of Financial Sector Measured

11 Signs That We May Be Nearing Another Global Financial Crisis

How Financial Apps Could Render You Vulnerable to Attacks

The post Why PCI DSS Compliance Is Important For Smartcards? appeared first on .

Fighting talk and fines obscure other GDPR lessons from BA and Marriott data breaches

There’s been lots of talk about regulations with bite, a watchdog baring its teeth, and that ‘the gloves are off’ after the UK Information Commissioner’s Office one-two punch of a £184 million fine against British Airways, and £99 million against Marriott International announced a day later.

It certainly looks like the ICO went for the jugular (sorry, it’s contagious) over breaches of the General Data Protection Regulation. But it reminds me of the build-up to the regulation before May 2018. Then, much of the coverage focused on the potentially huge fines at stake. In the same way, last week’s news shouldn’t obscure the lessons beyond the attention-grabbing sums of money.

A wake-up call

The first thing to clarify is that these fines haven’t been issued yet. In both cases, the ICO is saying it’s an intention to fine – it’s giving both companies a warning. Whether or not the amounts will be close to the published figures, we know there will be fines for sure. Companies should take this as a wake-up call that non-compliance with GDPR requirements may result in tough penalties.

As I noted in the SANS Institute newsletter, the fines are not for having a breach, but for poor security that helped it. The ICO press statement makes this very clear. “The ICO’s investigation has found that a variety of information was compromised by poor security arrangements at the company, including log in, payment card, and travel booking details as well name and address information,” it said.

Strong message

That being said, the proposed fine nevertheless amounts to 1.5 per cent of British Airways’ revenue. “This should send a strong message to all organisations that are regulated by the GDPR to take the security and privacy of their customer data seriously,” I wrote.

In an interview with Bank Info Security, I said that more GDPR fines are likely on the way. “Many GDPR data breaches, especially the highly publicised ones, can take a long time for proper investigations by the supervisory authorities… What we are seeing now are the beginnings of the supervisory authorities issuing penalties under GDPR, and I expect we will see many more over the coming months.”

The ICO’s moves last week aren’t the first fines that a supervisory authority has imposed under GDPR. As Tracy Elliott noted in our blog marking the first year post-GDPR, there have been other, smaller fines issued in the UK, Portugal and France. We also know that Ireland’s Data Protection Commission (DPC) has several cases ongoing against Facebook, Google and Quantcast.

(Don’t just) follow the money

Last week, I was at the Maastricht University European Centre on Privacy and Cybersecurity, where I contribute to certification training for data protection officers (DPOs). Some attendees said their senior management were now asking what the fines could mean. They also wondered what assurances they have that their own organisations aren’t at risk from a similar incident.

After the race to get ready for GDPR by May 2018, a certain amount of complacency set in. Since these breaches, the size of these proposed fines has raised GDPR on senior management’s radar again. (Side note: BA’s share price fell by more than £115 million after the news came out.)

There are broader lessons from last week’s news. It’s important to look beyond the financial repercussions, particularly in companies whose business model relies on gathering and processing data. Bear in mind that fines are just one penalty that a regulator can impose. They could compel companies to delete data or stop processing certain types of data. That could have a bigger long-term impact on their business than a monetary fine which they could absorb. Not being able to gather data in a certain way could have negative repercussions on how you do business.

Third-party risk

The root causes of BA and Marriott’s breaches highlight a particular security risk: external third parties. BA’s breach was due to a software script integrated into its website. There were no checks in place to verify any changes to that code. The Marriott breach came from its acquisition of Starwood hotels in 2016. It only discovered in 2018 that Starwood’s customer database suffered a hack in 2014.

So, companies need to ask what due diligence they need to carry out against third-party vendors and suppliers. If your company plans to acquire or partner with businesses, you inherit their risk profile, security and data protection frameworks. You need to check what assurances you have that these third parties are adhering to your security requirements, rather than you inheriting theirs.

In light of the news, what actions should other companies take? Interestingly, even before the ICO’s news, the Irish DPC issued a short guide to information sources to consider when reviewing or setting security.

Companies should carry out continuous auditing and verification to ensure their security and privacy controls are working. And if they don’t have the internal resources to do this, to work with independent experts to verify those controls.

The post Fighting talk and fines obscure other GDPR lessons from BA and Marriott data breaches appeared first on BH Consulting.

DoppelPaymer, a fork of BitPaymer Ransomware, appeared in the threat landscape

Some of the crooks behind the Dridex Trojan have split from the gang and released a forked version of the BitPaymer ransomware dubbed DoppelPaymer.

Cybercrime gang tracked as TA505 has been active since 2014 and focusing on Retail and Banking industries. The group that is known for the distribution of the Dridex Trojan and the Locky ransomware, has released other pieces of malware including the tRat backdoor and the AndroMut downloader

In mid-2017, the group released BitPaymer ransomware (aka FriedEx) that was used in attacks against high profile targets and organizations. The ransomware was being distributed through Remote Desktop Protocol (RDP) brute force attacks.

“CrowdStrike® Intelligence has identified a new ransomware variant identifying itself as BitPaymer. This new variant was behind a series of ransomware campaigns beginning in June 2019, including attacks against the City of Edcouch, Texas and the Chilean Ministry of Agriculture.” reads the analysis published by CrowdStrike.

“We have dubbed this new ransomware DoppelPaymer because it shares most of its code with the BitPaymer ransomware operated by INDRIK SPIDER.”

Now experts found a new variant of the ransomware tracked as DoppelPaymer. The discovery suggests that some members of TA505 gang left the group and forked the source code of both Dridex and BitPaymer to develop a new malware.

First variants of BitPaymer initially delivered a ransom note containing the ransom amount and the onion address of the payment portal. Later versions did not include the above info, instead, the variant appeared in the threat landscape since July 2018 only included two emails to negotiate the ransom and to contact to receive the instructions for the payment.

The latest variant observed by the experts in November 2018 includes the victim’s name in the ransom note, it also uses 256-bit AES in cipher block chaining (CBC) mode for encryption.

“Since the update in November 2018, INDRIK SPIDER has actively used the latest version of BitPaymer in at least 15 confirmed ransomware attacks. These attacks have continued throughout 2019, with multiple incidents occurring in June and July of 2019 alone.” continues the analysis.

According to the experts, DoppelPaymer was used for the first time in a targeted attack in June 2019. Experts detected eight distinct malware builds that was used at least in attacks against three victims. 

The ransom amounts asked to the victims in the attacks were different and ranged from approximately $25,000 to $1,200,000 worth of Bitcoin. 

The ransom note dropped by the DoppelPaymer ransomware doesn’t include the ransom amount, instead, it contains the onion address for a TOR-based payment portal that is identical to the original BitPaymer portal. 

DoppelPaymer

The authors of DoppelPaymer improved the source code of the BitPaymer.

numerous modifications were made to the BitPaymer source code to improve and enhance DoppelPaymer’s functionality. For instance, file encryption is now threaded, which can increase the rate at which files are encrypted.” continues the report. “The network enumeration code was updated to parse the victim system’s Address Resolution Protocol (ARP) table, retrieved with the command arp.exe -a. The resulting IP addresses of other hosts on the local network are combined with domain resolution results via nslookup.exe.”

DoppelPaymer leverages ProcessHacker, a legitimate open-source administrative utility, to terminates processes and services that may interfere with the file encryption process.

“Both BitPaymer and DoppelPaymer continue to be operated in parallel and new victims of both ransomware families have been identified in June and July 2019.” concludes CrowdStrike. “The parallel operations, coupled with the significant code overlap between BitPaymer and DoppelPaymer, indicate not only a fork of the BitPaymer code base, but an entirely separate operation,”

Pierluigi Paganini

(SecurityAffairs – DoppelPaymer ransomare, TA505)

The post DoppelPaymer, a fork of BitPaymer Ransomware, appeared in the threat landscape appeared first on Security Affairs.