Daily Archives: June 21, 2019

This Week in Security News: Cyberespionage Campaigns and Botnet Malware

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about a cyberespionage campaign targeting Middle Eastern countries and a botnet malware that infiltrates containers via exposed Docker APIs.

Read on:

Hackers Are After Your Personal Data – Here’s How to Stop Them

The latest FBI Internet Crime Complaint Center (IC3) report paints an accurate picture of the scale of online threats and shows that consumers need to take urgent steps to protect their most sensitive identity and financial data from online attackers.

Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East

Trend Micro uncovered a cyberespionage campaign targeting Middle Eastern countries and named it “Bouncing Golf” based on the malware’s code in the package named “golf.” 

Trend Micro Partners with VIVOTEK to Enhance IP Cameras Security

Trend Micro announced it has blocked 5 million attempted cyberattacks against IP cameras in just five months. Through its strategic partnership with VIVOTEK, Trend Micro’s IoT security solutions are embedded in globally deployed IP cameras to provide superior protection.

AESDDoS Botnet Malware Infiltrates Containers via Exposed Docker APIs

Trend Micro details an attack type where an API misconfiguration in the open-source version of the popular DevOps tool Docker Engine-Community allows attackers to infiltrate containers and run a variant of the Linux botnet malware AESDDoS.

Ransomware Repercussions: Baltimore County Sewer Charges, 2 Medical Services Temporarily Suspended

A ransomware attack in May prevented the Baltimore City and County governments from mailing the annual water and sewage tax bills to its residents due to unverifiable accounts of abnormally low or no water consumption in 2018. 

Hackers Have Carried Out 12 Billion Attacks Against Gaming Sites in 17 Months

Hackers have targeted the gaming industry by carrying out 12 billion credential stuffing attacks against gaming websites in 17 months, according to a new report by internet delivery and cloud services company Akamai. 

Critical Linux and FreeBSD Vulnerabilities Found by Netflix, Including One That Induces Kernel Panic

A Netflix researcher uncovered four critical vulnerabilities within the TCP implementations on Linux and FreeBSD kernels that are related to the minimum segment size (MSS) and TCP Selective Acknowledgement (SACK) capabilities. 

New Oracle WebLogic Zero-day Vulnerability Allows Remote Attacks Without Authentication

Oracle published an out-of-band security alert advisory on CVE-2019-2729, a zero-day deserialization vulnerability that could allow remote attackers to execute arbitrary code on targeted servers.

Xenotime, Hacking Group Behind Triton, Found Probing Industrial Control Systems of Power Grids in the US

The hacking group, Xenotime, behind intrusions targeting facilities in oil and gas industries has started probing industrial control systems (ICSs) of power grids in the U.S. and the Asia-Pacific region, researchers reported.

Data Breach Forces Medical Debt Collector AMCA to File for Bankruptcy Protection

US medical bill and debt collector American Medical Collection Agency (AMCA) has filed for bankruptcy protection in the aftermath of a disastrous data breach that resulted in the theft of information from clients including Quest Diagnostics, LabCorp, BioReference Laboratories and more.

Cryptocurrency Mining Botnet Arrives Through ADB and Spreads Through SSH

Trend Micro observed a new cryptocurrency mining botnet that arrives via open ADB (Android Debug Bridge) ports and can spread from an infected host to any system that has had a previous SSH connection with the host.

Hacker Groups Pounce on Millions of Vulnerable Exim Servers

Multiple groups are launching attacks against exposed Exim mail servers, trying to exploit a vulnerability that could give them permanent root access.

Florida City to Pay $600K Ransom to Hacker Who Seized Computer Systems Weeks Ago

Riviera Beach is paying $600,000 in Bitcoins to a hacker who took over local government computers after an employee clicked on a malicious email link three weeks ago.

Are you up-to-date on the best ways to lower the risk of hackers accessing your personal data? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.


Movie Tech Review: Child’s Play 2019

BETRAYED: A Trend Micro Child's Play Tech Review

A while back, Rik & Kasia Ferguson shared their thoughts on the movie, “Unfriended: The Dark Web.” The dark web and technology in general play a pivotal role in the movie’s plot, so the team decided it would be interesting to have a real-world expert review.

Everyone had a lot of fun, and thus Trend Micro movie reviews were born. I was “fortunate” enough to get the next call. The downside? The movie is “Child’s Play,” and I don’t do horror movies well.

Opening night, I powered through, watched the movie and was…pleasantly surprised?

The Movie

Was there too much gore and violence? Absolutely. However, the movie was a lot better than I expected, with an eerie performance by Mark Hamill as the voice of Chucky. Aubrey Plaza, as Karen, played her role well, which added the only real-relatable character of any depth beyond Chucky.

How does this movie rate in the horror genre? No idea. What I do know is that I enjoyed it more than I expected—which was, admittedly, a low bar—and found myself entertained for the duration.

[ Spoilers ahead : scroll down if you’re ok with that ]

Bad Training Data

Unlike the original entries in the series, this edition brings Chucky into the 21st century. Chucky is no longer a demonically possessed doll, but a blank slate in the form of a nascent AI in a robotic toy doll.

As with any AI or machine learning model, the AI starts off neutral. It requires training data in order to generate results. In Chucky’s case, he is a unique example of the “Buddi” product.

In a classic insider supply chain attack, a QA employee is fired by an overly abusive boss, but before he’s removed from the property, the employee is ordered to finish one last Buddi doll: Chucky.

This employee modifies Chucky’s code to remove any boundary checking for his core behaviours. This creates a truly unbounded, clean slate for the AI that is set out into the world.

Skipping ahead, Chucky is trained on a biased data set. This bias is the naive world view of a group of kids and their run-down neighbourhood. Chucky is exposed to crude humour, horror movies and heated emotional commentary…all without the context to process it.

This tunes the AI to generate the psychotic behaviour that fuels the rest of the movie.

IoT Insecurity

One of the features of this 21st century Buddi doll is the ability to control your smart home. Think of the doll like a walking Alexa or Google Home. Of course, there’s zero authentication or information security controls in place.

Once he’s synced with the latest update from the cloud, Chucky can simply wave his tiny finger and control the devices around him.

This leads to a number of issues around privacy (in this case, used to increase the suspense and move the plot forward) that mirror cases we’ve seen in the real world.

3rd party access to smart speakers to terrorize unsuspecting victims, remote viewing of private video streams, and manipulation of key devices, like thermostats, have all happened already in the real world, but not by rogue AIs.

…yet.

Lateral Movement

In the movie’s climax, Chucky really lets loose. He comes into his digital powers and starts to wreak havoc. Our heroes and supporting cast struggle to respond to this maniacal behaviour. The interesting point is that Chucky has developed enough as a character by this point to understand that it’s not maniacal behaviour from his perspective. To him, it’s perfectly reasonable. This underscores the fact that AI is only as good as its training data and won’t highlight bad results from a bad model.

While striving to reach his goal, Chucky—a trusted endpoint in the corporation’s services network—reaches out to all of the compatible devices within his local area.

This type of lateral movement is extremely common in today’s cyberattacks.

The movie presents the issue in an overly dramatic fashion (it is a movie after all), but the point stands up. Most technologies, IoT specifically, are generally designed with two types of endpoints: trusted and untrusted.

Security and privacy controls are then designed to prevent untrusted endpoints from accessing trusted endpoints. Trusted endpoints have little to no verification applied when communicating with each other.

In “Child’s Play”, this results in disastrous consequences. In the real world, too.

The movie is a stark—and bloody—reminder that networks and systems need visibility across all endpoints and layers and layers of security and privacy controls.

Takeaways

The way the movie leverages poor AI training, a lack of IoT security, and lateral movement techniques is intriguing, but what really caught my attention is the larger trend within the horror and suspense genre.

Films are moving away from fantasy and otherworldly villains to digital ones. That’s a reflection of how big a role technology plays in our lives, as well as the general lack of deep understanding of how it works.

For me—and the security community—that’s a big challenge: helping people understand cybersecurity and privacy in context.

If you’re looking for a fun suspense film with a technology slant, I would—shockingly—recommend watching this movie. As long as you have realistic expectations and remember that breaking most current IoT security is…child’s play.

[ 🤣Sorry, couldn’t resist ]


Adam Levin on CBS This Morning: Catfish Scheme Leads to Murder

Adam Levin was featured on CBS This Morning where he discussed the recent catfish scheme that led to the murder of an Alaska teenager.

Levin warned that young people are especially vulnerable to online manipulation:

“You can ruin your entire life in a matter of minutes based on what you see, what you do and how you react to people online… Do not believe everything you see or hear online.”

The post Adam Levin on CBS This Morning: Catfish Scheme Leads to Murder appeared first on Adam Levin.

Will Business Lose Its Cookies Over These New Privacy Laws?

Last month marked the one-year anniversary of the European Union’s General Data Privacy Regulation, or GDPR. Since then, California and New York State have created similar bills aimed at protecting the privacy of their citizens. Nevada has recently enacted a narrow privacy law. Meanwhile, privacy is dead.

Long Live Privacy!

While privacy legislation seems like common sense in the surveillance economy, where unimaginatively intrusive data tracking and compiling is commonplace, even the GDPR’s strongest proponents say the launch of the EU’s much vaunted privacy protections was pretty rocky. While California has passed similar strict legislation, it does not take effect until 2020, and as regulations required for its implementation are being promulgated, there is enormous pressure being brought to bear by various business and industry lobbying groups to water it down. New York’s Privacy Act might up the ante for no-can-do in the realm of who-are-you with even more stringent prohibitions than put in place by California’s Consumer Privacy Act (CCPA).

At this anniversary time, it’s worth looking at what has and hasn’t worked in Europe.

The Good, the Bad, or the Woefully Ineffective?

Looking at the numbers released by the EU, familiarity with the law itself has been one of its greatest successes: Sixty-seven percent of Europeans have heard of the GDPR, and there were 144,376 queries and complaints reported in its first year. Add to these impressive figures the 89,271 data breach notifications issued, and it’s clear that despite its flaws, the law successfully addresses a set of problems that a more scattershot approach (with multiple statutes enacted by different EU member states) was unable to achieve.

Where the GDPR comes up short is enforcement: While the law includes fines for the mishandling of data for up to 4 percent of a company’s annual global revenue, the actual numbers so far have been underwhelming. Far from preventative, they almost encourage bad cybersecurity. Take Google. The company was fined €50 million (roughly $57 million) for lack of consent on advertisements–not a big number for them–and this fine comprised the bulk of the €56 million of fines levied in total.

Needless to say, for Google a fine of this nature would be an acceptable cost of doing business in the EU.

It is anticipated that heavier fines will be placed on companies under the GDPR going forward, Facebook most likely being the poster child, but the message so far is clear: Fines need to hurt if the goal is the deterrence of poor data practices.

The Biggest Issue

By far the largest flaw in the GDPR has been a lack of clarity caused by poor communication.

Even though 67 percent of Europeans have heard of the GDPR, only 20 percent know which public authority is responsible for it. Misinformation combined with the requirement for 72-hour breach notification set off a deluge to the U.K. data privacy regulator in 2018. One-third of those calls involved incidents well below the GDPR’s threshold. Misconceptions about what exactly was required under the law were so widespread that the Irish Data Protection Commission actually blogged about whether taking pictures of one’s children at a school event is permissible. (It is.)

Corporations have also struggled with what many perceive as the law’s ambiguity. Under the GDPR, “companies processing large amounts of special categories of personal data” are required to hire a data protection officer, or DPO, to ensure compliance. The problem is that the law doesn’t specifically define what “large amounts” are, and although the DPO is required to have “expert knowledge of data protection law,” there is no set definition for what qualifies as an expert, either. It’s a great idea to have someone at large corporations ensuring the careful and lawful handling of customer data, but the implementation is ill-defined by the GDPR, which could make a DPO’s job awkward or downright impossible.

The kinds of confusion caused by the GDPR seem contagious, and that’s just the nature of the beast. There are many stakeholders in the privacy racket, and they are often vigorously at odds with one another.

The privacy laws in the U.S. will be more of the same. The best innovation when it comes to the GDPR was that it created one law instead of a patchwork that might change the moment you crossed a border. While New York and California should be applauded for taking steps to protect the privacy and data of their citizens, having multiple sets of requirements for websites and businesses alike (as we have witnessed with more than 50 U.S. jurisdictions’ having individual and not necessarily complementary breach notification laws) will necessarily lead to widespread difficulty in their implementation and accessibility.

Perhaps the most important takeaway for any state wishing to mirror the data protections of the GDPR is that in order to be privacy-friendly and consumer-friendly, the application of the law itself should at least try to be user-friendly, too. Too many differences run the risk of any and all of these laws’ being accept gnats to be clicked away when we visit our favorite websites–and that is a giant fail.

Laws are supposed to solve problems, and keep others from happening. When it comes to privacy, we have a long way to go.

The post Will Business Lose Its Cookies Over These New Privacy Laws? appeared first on Adam Levin.

Cyber News Rundown: GPS Vulnerabilities in Tesla Vehicles

Multiple Tesla Models Vulnerable to GPS Attacks

Though it’s not the only manufacturer to offer GPS navigation in their vehicles, Tesla has once again suffered an attack on their GPS autopilot features. These attacks were able to trick the car into thinking it had arrived at an off-ramp more than two miles early, causing it to start to merge and eventually turn off the road entirely, even with a driver attempting to stop the action. Using off-the-shelf products, the test conductors were able to gain control of Tesla’s GPS in less than a minute.

Oregon DHS Successfully Phished

The personally identifiable information for at least 645,000 Oregon Department of Human Services (DHS) patients was illicitly accessed after a successful phishing attack on nine DHS employees. The attack allowed the hackers to obtain 2 million emails from the accounts, which contained everything from names and birthdates to social security numbers and confidential health information. Fortunately, the DHS issued a password reset shortly after the initial breach that stopped the attackers from getting any further and began contacting potential victims of the attack.

IP and Computer Blacklisting in New Ryuk Variant

The latest variant of the Ryuk ransomware includes an IP blacklist and a computer name check prior to beginning encryption. The IPs and computer name strings were likely implemented to stop any encryption of Russian computer systems. After these checks, the ransomware continues as normal using .RYK as the appended file extension and a ransom note that points victims to make payments to one of two proton mail accounts.

EatStreet Ordering Services Breached

A data breach is affecting the food ordering service EatStreet and possibly all of its 15,000 partnered restaurants. Payment card information for millions of customers using the app, along with some banking information for the 15,000 business partners, is believed to have been compromised in the breach. Though EatStreet quickly began improving their security and implementing multi-factor authentication following the breach, the damage was already done.

Fake System Cleaners on the Rise

While phony system cleaner apps have been common for many years, a recent study shows that user numbers for these apps have doubled from the same time last year to nearly 1.5 million. These apps often appear innocent and helpful at the outset, while others have begun taking an outright malicious approach. To make matters worse, these apps are commonly installed to fix the very issues they later create by slowing the computer down and causing annoying popups.

The post Cyber News Rundown: GPS Vulnerabilities in Tesla Vehicles appeared first on Webroot Blog.

How organisations can effectively manage, detect and respond to a data breach?

Guest article by Andy Pearch, Head of IA Services at CORVID

78% of businesses cite cyber security as a high priority for their organisation’s senior management. Whilst it is encouraging that this figure has risen year on year, generating awareness of cyber security is only one part of the issue. The next step for organisations to take is not only understanding, but intelligently acting on the risks presented. Despite the heightened awareness, many organisations are still focusing on mitigating assumed risks, rather than real risks, without a robust security strategy in place.

Whilst perimeter security is a key part of any organisation’s security posture, the fact is that it cannot work in isolation. Data breaches are now commonplace and largely regarded as inevitable, and the rise of new technologies means that today’s threats have increased in sophistication. As Andy Pearch, Head of IA Services at CORVID, explains, safeguarding data integrity, confidentiality and availability should be fundamental to all cyber security strategies. After all, it is the speed with which a breach is detected and the effectiveness with which it is remediated that will provide the most value – this can be achieved with a strategic Managed Detection and Response solution.

Unidentified attacks
The Government’s Cyber Security Breaches Survey 2019 revealed that in the last 12 months alone, almost one third of UK businesses identified cyber security breaches or attacks. What’s more, the research also showed that just under half of these companies identified at least one breach or attack per month. While these figures should be enough to make a business refocus its strategic security thinking, it is the use of the word ‘identified’ that is significant: many more attacks could have occurred, but not yet been discovered.

Indeed, global figures reveal that the median dwell time – the time a criminal can be on a company’s network undetected – is over 100 days. And in many cases, the breach is not revealed by the security team itself; it is a call from a supplier, a customer or business partner that brings the problem to light, typically following the receipt of a diversion fraud email requesting, for example, that future payments should be sent to a different bank account.

These breaches not only have the ability to undermine business relationships, but in some cases, can also incur significant financial liability. These frauds usually follow one of two forms: either impersonation, where a criminal masquerades as the business using a very similar domain name and email address, or following a successful compromise, the email comes from the company’s own system. It is the latter case that raises the issue of liability for any financial losses a business partner may have suffered.

Asking the tough questions
Alongside phishing attacks, this approach to cyber attacks completely bypasses the traditional cyber security methods, such as anti-virus (AV) software and firewalls, upon which so many companies still rely. Indeed, while 80% of businesses cite phishing attacks as the cause of breach, 28% confirm the cause was the impersonation of an organisation in emails or online. Only 27% cite viruses, spyware or malware, including ransomware attacks, as the root cause of the breach.

Many companies still depend on perimeter security, and for those that do, it is time to ask some serious questions. Firstly, can you be 100% confident that your business has not been compromised? How would you know if the attacker has not used malware or a virus that would be picked up by the perimeter defences? Secondly, even when a compromise is identified, many companies aren’t sure what the next steps should be. If a supplier makes the call to reveal the business has been compromised, can you confidently identify where that occurred? What part of the business has been affected? What is the primary goal of the attack? Is the attacker only leveraging a compromised email system to defraud customers, or aiming to gain intellectual property or personal data?

The GDPR has demonstrated that the risk associated with a cyber attack is not only financial, as hackers are also actively seeking to access personal information. Security plans, therefore, must also consider data confidentiality, integrity and availability. But it is also essential for organisations to accept that protection is not a viable option given today’s threat landscape: a fundamental shift in security thinking is required. When hackers are using the same tactics and tools as genuine users, preventing these attacks is impossible. Rapid detection and remediation must be the priority.

Removing the burden
Managed Detection and Response (MDR) enables an organisation to spot the unusual activity that indicates a potential breach. For example, if a user is accessing files they would never usually open or view, sending unexpected emails or reaching out to a new domain, such activity should prompt a review. The problem for most companies, however, is they lack not only the tools to detect this activity but also the time and skills to analyse whether it is a breach or actually a false positive.

A managed approach not only takes the burden away from the business, but also enables every company to benefit from the pool of knowledge gathered by detecting and remediating attacks on businesses across the board. With MDR, every incident detected is investigated and, if it’s a breach, managed. That means shutting down the attack’s communication channel to prevent the adversary communicating with the compromised host, and identifying any compromised assets – this can then either be remediated in-house, if preferred, or as part of the MDR service.

Information relating to the mode of attack is also collected. This timely, actionable intelligence is immediately applied to the MDR service, creating either a prevention or detection technique to minimise the chance of this approach succeeding again. Because of this, the speed with which attacks can now be detected is compelling: whilst the average dwell time has continued to decrease in recent years, it is now entirely possible for unknown malware to be detected and nullified within the hour.

Reflect and act
The threat landscape is continuously evolving – it’s important for organisations to recognise this and match security strategies to the true level of risk. What’s more, whilst the increased commitment to security at a Board level is encouraged, organisations cannot equate expenditure with effectiveness.

Organisations must reflect and consider not only the consequences of data loss, but of integrity and availability too. Security strategies can no longer rely on users not making mistakes; when a breach occurs, an organisation must know what happened.

Security strategies cannot afford to stand still. With the rise in phishing and diversion fraud, it is not enough for organisations to simply lock down the perimeter. Companies cannot prevent all attacks, but when a compromise occurs, it is essential to understand how, when and why the attack succeeded so the appropriate response can be determined, and learnings can be applied for the future. It is only with this process in place that organisations can safeguard their business, data and reputation.

Weekly Update 144

So first things first - my patience for the Instamics we're wearing just reached zero. One of them recorded and one of them didn't, which means we've had to fall back to audio captured by the iPhone I was recording from, so apologies it's sub-par. I ended up just uploading the unedited clip direct from the phone because frankly, after trying to recover the non-existent audio, both my time and patience were well into the red.

Be that as it may, there's video, audio and a narrative to tell both around the NDC event Scott and I are at and the progress of "Project Svalbard". I'm trying to share as much as I can about that process as things progress and I hope people appreciate the transparency I've always run HIBP with. As I say in the video, if you've got questions about it then drop them in the comments section below.

References

  1. Scott wrote about maintaining state in a Cloudflare worker (this is a fundamental part of how we're able to process 670M reports a day!)
  2. Check out how much HIBP trended in searches in January (yes, that's a direct map to my stress levels and yes, I will send stickers to anyone who creates that site I mentioned!)
  3. Project Svalbard is forging ahead (it's becoming increasingly demanding, but it's also a very exciting time)
  4. Varonis is sponsoring my blog again this week (check out their Varonis DFIR team investigating a cyberattack using their data-centric security stack)

Beware! Email attachments can make you victim of spear phishing attacks

In the last few months, we’ve seen a sudden increase in Spear Phishing attacks. Spear phishing is a variation of a phishing scam wherein hackers send a targeted email to an individual which appears to be from a trusted source. In this type of attack, the attacker uses social engineering tricks and some…