Daily Archives: July 16, 2019

Over 80% of network teams play a role in security efforts

More than 4 in 5 IT teams are involved in security efforts, and a majority of them report an increase of at least 25 percent in time spent on these efforts over the past 12 months, according to Viavi. The most striking conclusion is that network-based conversation wire data has become the top data source for security incidents, with its use tripling, demonstrating that threat levels have driven enterprises to seek the most reliable forensic … More

The post Over 80% of network teams play a role in security efforts appeared first on Help Net Security.

Singapore’s IT Security Outlook

Singapore continues to be a role model when it comes to the fight towards cybersecurity readiness in Southeast Asia. The city-state has learned a lot from last year’s SingHealth data breach, that brought Singapore into the stage of renewed cybersecurity renewal. Singapore established bug bounty programs, now in its 3rd edition this year 2019, its leaders are also establishing new policies for “interim” technical measures that will hopefully lessen the attractiveness of the country in future cyber attacks.

Singapore’s public sector is now in full swing with its core project implementation of automated email filtering. When it comes to determining if the email is legitimately safe to open, the use of automated anti-spam and anti-phishing tools is more time-efficient. Of course, humans operating the computers will always be the front liners when it comes to any cybersecurity initiative, hence, massive public sector campaigns through user retraining programs are now being implemented across the city-state’s public sector and government agencies.

The initiative is under the supervision of Teo Chee Hean, a Senior Minister and concurrently a Coordinating Minister for National Security. His agency released initial findings, confirming threats, not only the public sector of the island nation but also against private enterprises. Minister Hean established a committee that will evaluate the progress of various government agencies to be fully compliant to the IT security policy set at the wake of SingHealth incident of 2018.

For Singapore, everything starts from the awareness, readiness, and eagerness of public servants in the area of safe computing habits. Regular IT audits are also in full swing which hopefully will address weaknesses in the public sector’s networks and computers. From the perspective of the Chief Information Officer (CIO)/Chief Information Security Officer (CISO), the move to cloud computing goes beyond “cost reduction measures” and gives control over IT-related assets.

Singapore is no different from the rest of the world, which cannot stop the march of cloud-computing. It is where the trade-off between security/privacy and convenience of accessibility of data is re-evaluated by each organization engaging with cloud-computing platforms. Cloud assumes that the security department will have veto power. It may or may not actually be. However, if you do not give too much veto power, you will make mistakes. For example, even if it is “compliance” (that is, important confidential information that can not be placed in the cloud environment), IT vendors immediately start selling “certified solutions” (in fact, such solutions already exist.)

In Cloud computing, it considers data (that is, confidential information) to be as liquid. We can control the flow of this liquid and let it flow in the desired river. User data is like gas, and behaving like gas is a new concept. The data will spread to fill the area being processed, true but really troublesome for any IT professional trying to secure devices in an organization. The convenience of information processing may be lost due to confidentiality. It is not clear if this fact could be learned from the information security of the past 20 years. If only one method can ensure the necessary convenience, the user is willing to adopt that method, even using a USB memory. To think that data (information) resembles a gas just because users do their own risk assessments related to policy violations. If the important data can be put into the cloud environment and work that leads to the improvement of the convenience of the company can be realized, users who are employees (good or bad) will try to take the risk of putting data into the cloud environment.

Also Read,

Singapore’s Countermeasure in Security Its Financial Sector

Singapore’s Healthcare Industry Has Been Attacked

Business Interruption Again Top Business Risk in Singapore

The post Singapore’s IT Security Outlook appeared first on .

The importance of hardening firmware security

It’s no secret that attackers traditionally go after low-hanging fruit when hacking a system. Historically, this has meant targeting user applications, and, for deeper persistence, the operating system (OS) kernel to gain control. But, as OS security has advanced, it’s become more difficult to compromise an OS with any kind of persistent kernel rootkit. As a result, hackers (and researchers) have moved below the OS level and are now targeting firmware – most notably the … More

The post The importance of hardening firmware security appeared first on Help Net Security.

Enterprises catching up with the explosion of cloud use and shadow IT in the workplace

Businesses worldwide are gaining control of previously unmonitored and unsupported cloud applications and devices, known as shadow IT, that lurk in their IT environments, according to the 2019 Duo Trusted Access Report. The average number of organizations protecting cloud apps with Duo surged 189 percent year-over-year, indicating that enterprises are catching up with the explosion of cloud use and shadow IT in the workplace. In addition, the frequency of out-of-date devices has dropped precipitously, hardening … More

The post Enterprises catching up with the explosion of cloud use and shadow IT in the workplace appeared first on Help Net Security.

Companies still don’t understand the importance of DMARC adoption

By implementing DMARC, brands lower the odds of their domains being spoofed and used for phishing attacks on recipients. Still, 79.7% of all domains analyzed have no DMARC policy in place, according to 250ok. The result of a domain not implementing any form of DMARC policy is exposing its recipients to possible phishing attacks and, unsurprisingly, 91% of all cyber attacks begin with a phishing email. Phishing and spoofing attacks against consumers are likely to … More

The post Companies still don’t understand the importance of DMARC adoption appeared first on Help Net Security.

As cyber attacks increase, the cloud-based database security market grows

The cloud-based database security market is expected to register a CAGR of 19.5% over the forecast period 2019-2024, according to ResearchAndMarkets. With the increasing adoption of Big Data platforms and relational databases becoming the prime target for data thieves, the demand for cloud-based database security is expected to gain traction. Key highlights There has been increasing volumes of data being generated from information-escalated applications like storage and mining of huge or commercial data. These applications … More

The post As cyber attacks increase, the cloud-based database security market grows appeared first on Help Net Security.

New satellite constellations aim to improve IoT connectivity options

By 2024, there will be 24 million IoT connections made via satellite, ABI Research reveals. A new report unveils the long-term opportunity within the satellite space for the growth of IoT deployments, particularly in application verticals, such as agriculture and asset tracking, that are dealing with the unreliability of terrestrial infrastructures. “Terrestrial cellular networks only cover 20% of the Earth’s surface, while satellite networks can cover the entire surface of the globe, from pole to … More

The post New satellite constellations aim to improve IoT connectivity options appeared first on Help Net Security.

McAfee ATR Aids Police in Arrest of the Rubella and Dryad Office Macro Builder Suspect

Everyday thousands of people receive emails with malicious attachments in their email inbox. Disguised as a missed payment or an invoice, a cybercriminal sender tries to entice a victim to open the document and enable the embedded macro. This macro then proceeds to pull in a whole array of nastiness and infect a victim’s machine. Given the high success rate, malicious Office documents remain a preferred weapon in a cyber criminal’s arsenal. To take advantage of this demand and generate revenue, some criminals decided to create off-the-shelf toolkits for building malicious Office documents. These toolkits are mostly offered for sale on underground cybercriminal forums.

Announced today, the Dutch National High-Tech Crime Unit (NHTCU) arrested an individual suspected of building and selling such a criminal toolkit named the Rubella Macro Builder. McAfee Advanced Threat Research spotted the Rubella toolkit in the wild some time ago and was able to provide NHTCU with insights that proved crucial in its investigation. In the following blog we will explain some of the details we found that helped unmask the suspected actor behind the Rubella Macro Builder.

What is an Office Macro Builder?

An Office Macro Builder is a toolkit designed to weaponize an Office document so it can deliver a malicious payload by the use an obfuscated macro code that purposely tries to bypass endpoint security defenses. By using a toolkit dedicated to this purpose, an actor can push out higher quantities of malicious documents and successfully outsource the first stage evasion and delivery process to a specialized third party. Below is an overview with the general workings of an Office Macro Builder. The Defense evasion shown here is specific to Rubella Office Macro Builder. Additional techniques can be found in other builders.

Dutch Language OpSec fail….

Rubella Macro Builder is such a toolkit and was offered by an actor by the same nickname “Rubella”. The toolkit was marketed with colorful banners on different underground forums. For the price of 500 US Dollars per month you could use his toolkit to weaponize Office documents that bypass end-point security systems and deliver a malicious payload or run a PowerShell Code of your choice.

Rubella advertisement banner

In one of Rubella’s forum postings the actor was detailing the toolkit and that it managed to bypass the Windows Anti Malware Scan Interface (AMSI) present in Windows 10. To prove this success, the post contained a link to a screenshot. Being a Dutch researcher, this screenshot immediately stood out because of the Dutch version of Microsoft Word that was used. Dutch is a very uncommon language, only a small percentage of the world’s population speaks it, let alone an even smaller percentage of cybercriminals who use it.

The linked screenshot with the Dutch version of Microsoft Word.

Interestingly enough we reported last year on the individuals behind Coinvault ransomware. One of the reasons they got caught was the use of flawless Dutch in their code. With this in the back of our minds we decided to go deeper down the rabbit hole.

Forum Research

We looked further into the large amount of posts by Rubella to learn more about the person behind the builder. The actor Rubella was actually promoting a variety of different, some self-written, products and services, ranging from (stolen) credit card data, a crypto wallet stealer and a malicious loader software to a newly pitched product called Tantalus ransomware-as-a-service.

During our research we were able to link different nicknames used by the actor on several forums across a timespan of many years. Piecing it all together, Rubella showed a classic growth pattern of an aspiring cybercriminal, started by gaining technical security knowledge on beginner forums with low op-sec and gradually moved to some of the bigger, exclusive forums to offer products and services.

PDB path Breitling

One of the posts Rubella placed on a popular hacker forum was promoting a piece of free software the actor coded to spoof email. The posting contained a link to VirusTotal and included a SHA-256 hash of the software. This gained our interest since it provided a possibility to link the adversary to the capability.

Email spoofer posting including the VirusTotal link 

Closer examination of the piece of software on VirusTotal showed that the mail Spoofer contained a debug or PDB path “C:\Users\Breitling”. Even though the username Breitling isn’t very revealing about an actual person, leaving such a specific PDB path within malware is a classic mistake.

By pivoting on the specific PDB path we found additional samples on VirusTotal, including a file that was named RubellaBuilder.exe, which was a version of the Macro builder that Rubella was offering. Later in the blog post we will take a closer look at the builder itself.

Finding additional samples with the Breitling PDB path

Since Breitling was most likely the username used on the development machine, we were wondering if we could find Office documents that were crafted on the same machine and thus also containing the author name Breitling. We found an Office document with Breitling as author and the document happened to be created with a Dutch version of Microsoft Word.

The Word document containing the author name Breitling.

Closer inspection of the content of the Word document revealed that it also contained a string with the familiar Jabber account of Rubella; Rubella(@)exploit.im.

The Malicious document containing the string with the actor’s jabber account.

Circling back to the forums we found an older posting under one of the nicknames we could link to Rubella. In this posting the actor is asking for advice on how to add a registry key using C#. They placed another screenshot to show the community what they were doing. This behavior clearly shows a lack of skill but at the same time his thirst for knowledge.

Older posting where the actor asks for help.

A closer look at the screenshot revealed the same PDB path C:\Users\Breitling\.

Screenshot with the Breitling PDB path

Chatting with Rubella

Since Rubella was quite extroverted on the underground forums and had stated Jabber contact details in advertisements we decided to carefully initiate contact with him in the hope that we would get access to some more information. About a week after we added Rubella to our Jabber contact list, we received a careful “Hi.” We started talking and posing as a potential buyer, carefully mentioning our interest the Rubella Macro Builder. During this chat Rubella was quite responsive and as a real businessperson, mentioned that he was offering a new “more exclusive” Macro Builder named Dryad. Rubella proceeded to share a screenshot of Dryad with us.

Screenshot of Dryad shared by Rubella

 Eventually we ended our conversation in a friendly manner and told Rubella we would be in touch if we remained interested.

Dryad Macro Builder

Based on the information provided from the chat with Rubella we performed a quick search for Dryad Macro Builder. We eventually found a sample of the Dryad Macro Builder and decided to further analyze this sample and compare it for overlap with the Rubella Macro Builder.

PE Summary

We noticed that the program was coded in .NET Assembly which is usually a preferred language for less skilled malware coders.

Dynamic Analysis

When we ran the application, it asked us to enter a login and password in order to run.

We also noticed a number-generated HWID (Hardware-ID) that was always the same when running the app. The HWID number is a unique identifier specific to the machine it was running on and was used to register the app.

When trying to enter a random name we detected a remote connection to the website ‘hxxps://tailoredtaboo.com/auth/check.php’ to verify the license.

The request is made with the following parameters ‘hwid=<HWID>&username=<username>&password=<password>’.

Once the app is running and registered it shows the following interface.

In this interface it is possible to see the function proposed by the app and it was similar to the screenshot that was shared during our chat.

Basically, the tool allows the following:

  • Download and execute a malicious executable from an URL
  • Execute a custom command
  • Type of payload can be exe, jar, vbs, pif, scr
  • Modify the dropped filename
  • Load a stub for increase obfuscation
  • Generate a Word or Excel document

It contains an Anti-virus Evasion tab:

  • Use encryption and modify the encryption key
  • Add junk code
  • Add loop code

It also contains a tab which is still in development:

  • Create Jscript or VBscript
  • Download and execute
  • Payload URL
  • Obfuscation with base64 and AMSI bypass which are not yet developed.

Reverse Engineering

The sample is coded in .Net without any obfuscation. We can see in the following screenshot the structure of the file.

Additionally, it uses the Bunifu framework for the graphic interface. (https://bunifuframework.com/)

Main function

The main function launches the interface with the pre-configuration options. We can see here the link to putty.exe (also visible in the screenshots) for the payload that needs to be changed by the user.

Instead of running an executable, it is also possible to run a command.

By default, the path for the stub is the following:

We can clearly see here a link with Rubella.

Licensing function

To use the program, it requires a license, that the user has to enter from the login form.

The following function shows the login form.

To validate the license the program will perform some check and combine a Hardware ID, a username and a password.

The following function generates the hardware id.

It gets information from ‘Win32_Processor class’ to generate the ID.

It collects information from:

  • UniqueId: Globally unique identifier for the processor. This identifier may only be unique within a processor family.
  • ProcessorId: Processor information that describes the processor features.
  • Name: This value comes from the Processor Version member of the Processor Information structure in the SMBIOS information.
  • Manufacturer: This value comes from the Processor Manufacturer member of the Processor Information structure.
  • MaxClockSpeed: Maximum speed of the processor, in MHz.

Then it will collect information from the ‘Win32_BIOS class’.

  • Manufacturer: This value comes from the Vendor member of the BIOS Information structure.
  • SMBIOSVersion: This value comes from the BIOS Version member of the BIOS Information structure
  • IdentificationCode: Manufacturer’s identifier for this software element.
  • SerialNumber: Assigned serial number of the software element.
  • ReleaseDate: Release date of the Windows BIOS in the Coordinated Universal Time (UTC) format of YYYYMMDDHHMMSS.MMMMMM(+-)OOO.
  • Version: Version of the BIOS. This string is created by the BIOS manufacturer.

Then it will collect information from the ‘Win32_DiskDrive class’.

  • Model: Manufacturer’s model number of the disk drive.
  • Manufacturer: Name of the disk drive manufacturer.
  • Signature: Disk identification. This property can be used to identify a shared resource.
  • TotalHead: Total number of heads on the disk drive.

Then it will collect information from the ‘Win32_BaseBoard class’.

  • Model: Name by which the physical element is known.
  • Manufacturer: Name of the organization responsible for producing the physical element.
  • Name,
  • SerialNumber

Then it will collect information from the ‘Win32_VideoController class’.

  • DriverVersion
  • Name

With all that hardware information collected it will generate a hash that will be the unique identifier.

This hash, the username and password will be sent to the server to verify if the license is valid. In the source code we noticed the tailoredtaboo.com domain again.

Generate Macro

To generate a macro the builder is using several parts. The format function shows how each file structure is generated.

The structure is the following:

To save the macro in the malicious doc it uses the function ‘SaveMacro’:

Evasion Techniques

Additionally, it generates random code to obfuscate the content and adds junk code.

The function GenRandom is used to generate random strings, chars as well as numbers. It is used to obfuscate the macro generated.

It also uses a Junk Code function to add junk code into the document:

For additional obfuscation it uses XOR encryption as well as Base64.

Write Macro

Finally, the function WriteMacro, writes the content previously configured:

 

Under construction

We did also notice that the builder uses additional functions that were still under development, as we can see with the “Script Generator” tab.

A message is printed when we click on it and that indicates it is still a function in development.

Additionally, we can see the “Decoy Option” tab which is just a template to create another tab. The tab does not show anything. It seems the author left this tab to create another one.

Rubella Similarities

Dryad is very similar to the Rubella Builder; many hints present in the code confirm the conversation we had with Rubella. Unlike Rubella, Dryad did have a scrubbed PDB path.

Both Rubella builder and Dryad Builder are using the Bunifu framework for the graphic design.

The license check is also the same function, using the domain tailoredtaboo.com, Below is the license check function from the Rubella builder:

Tailoredtaboo.com Analysis

We analyzed the server used to register the builder and discovered additional samples:

Most of these samples were Word documents generated with the builder.

A quick search into the domain Tailoredtaboo showed that it had several subdomains, including a control panel on a subdomain named cpanel.tailoredtaboo.com.

The cPanel subdomain had the following login screen in the Dutch language.

The domain tailoredtaboo.com has been linked to malicious content in the past. On Twitter the researcher @nullcookies reported in April 2018 that he found some malicious files hosted on the specific domain. In the directory listing of the main domain there were several files also mentioning the name Rubella.

TailoredTaboo.com mentioned on Twitter

 

Based on all the references, and the way the domain Tailoredtaboo.com was used, we believe that the domain plays a central administrative role for both Rubella and Dryad Macro Builder and can provide insight into the customers of both Macro Builders

Conclusion

Toolkits that build weaponized Office documents, like Dryad and Rubella, cater to the increasing cybercriminal demand of this type of infection vector. With the arrest of the suspect comes an end to the era of Dryad and Rubella Macro Builder. Based on his activity, the suspect looked like quite the cybercriminal entrepreneur, but given his young age this is also a worrisome thought. If only he would have used his skills for good. The lure of quick cash was apparently more enticing than building a solid long-term career. We at McAfee never like to see young talented individuals heading down a dark path.

Indicators of Compromise

URL / Website:

hxxps://tailoredtaboo.com/auth/check.php

Hash Builder:

  • Dryad: 7d1603f815715a062e18ae56ca53efbaecc499d4193ea44a8aef5145a4699984
  • Rubella: 2a20d3d9ac4dc74e184676710a4165c359a56051c7196ca120fcf8716b7c21b9

Hash related samples:

93db479835802dc22ba5e55a7915bd25f1f765737d1efab72bde11e132ff165a

ad2f9ef7142a43094161eae9b9a55bfbb6dff85d890d1823e77fc4254f29ef17

c2c2fdcc36569f6866e19fcda702c823e7bf73d5ca394652ac3a0ccc6ff9c905

3c55e54f726758f5cb0d8ef81be47c6612dba5a73e3a29f82b73a4c773e691a3

74c8389f20e50ae3a9b7d7e69f6ae7ed1a625ccc8bb6a52b3cc435cf94e6e2d3

388ee9bc0acaeec139bc17bceb19a94071aa6ae43af4ec526518b5e1f1f38f07

08694ad23cafe45495fa790bfdc411ab5c81cc2412370633a236c688b07d26aa

428a30b8787d2ba441dba1dbc3acbfd40cf7f2fc143131a87a93f27db96b7a75

93db479835802dc22ba5e55a7915bd25f1f765737d1efab72bde11e132ff165a

c777012abe224126dca004561619cb0791096611257099058ece1b8d001277d0

5b773acad7da2f33d86286df6b5e95ae355ac50d143171a5b7ee61d6b3cad6d5

a17e3c2271a94450a7a7c6fcd936f177fc40ea156de4deafdfc14fd5aadfe503

1de0ebc0c375332ec60104060eecad77e0732fa2ec934f483f330110a23b46e1

b7a86965f22ed73de180a9f98243dc5dcfb6ee30533d44365bac36124b9a1541

The post McAfee ATR Aids Police in Arrest of the Rubella and Dryad Office Macro Builder Suspect appeared first on McAfee Blogs.

42Crunch new solution allows orgs to automate API security across Kubernetes environments

API security leader and creator of the industry’s first API Firewall – 42Crunch – announced the latest release of its API security platform with full support for Kubernetes environments. This new solution allows organizations to easily automate API security across Kubernetes environments – enabling the zero-trust architecture needed to protect each microservice, and scale without risk. The rapid adoption of microservices architectures and Kubernetes lead to proliferation of APIs exposed by these microservices. Developers employ … More

The post 42Crunch new solution allows orgs to automate API security across Kubernetes environments appeared first on Help Net Security.

Vade Secure’s Auto-Remediate adds automated protection for Office 365 environments

Vade Secure, the global leader in predictive email defense, announced the availability of Auto-Remediate for Vade Secure for Office 365. The new feature extends Vade Secure’s AI-based threat detection and mitigation capabilities, providing MSPs and small businesses with comprehensive, continuous, and automated protection before, during, and after the attack. Leveraging Vade’s real-time view of emerging global threats from 600 million mailboxes, Auto-Remediate automatically removes any malicious messages from users’ inboxes, mitigating attacks before they disrupt … More

The post Vade Secure’s Auto-Remediate adds automated protection for Office 365 environments appeared first on Help Net Security.

Back to Basics: Infosec for Small and Medium Sized Businesses

Too many small and medium-sized businesses (SMBs) are under the belief that purchasing “This One Product” or “This One Managed Service” will provide all the security their network requires. If this were true, large corporations with huge IT budgets would never have data breaches! Before you start buying expensive new technology to protect your office […]… Read More

The post Back to Basics: Infosec for Small and Medium Sized Businesses appeared first on The State of Security.

Aqua Security deepens strategic relationship with Microsoft to accelerate Azure deployments

Aqua Security, a leading platform provider for securing container-based, serverless and cloud native applications, announced a new Private Offer capability enabling software licensing and procurement directly through Microsoft Azure Marketplace, allowing customers to utilize existing purchasing methods in place for Azure services. Aqua now offers a choice of flexible software acquisition models that allow customers to purchase licenses on Azure the way that works best for them. Software purchased directly from Aqua can easily be … More

The post Aqua Security deepens strategic relationship with Microsoft to accelerate Azure deployments appeared first on Help Net Security.

Trend Micro’s Deep Security as a Service now available on the Microsoft Azure Marketplace

Trend Micro, a global leader in cybersecurity solutions, announced the availability of its leading cloud solution, Deep Security as a Service, on the Microsoft Azure Marketplace. Launching at Microsoft’s Inspire 2019 event, this Trend Micro offering enables organizations to combine the benefits of security software-as-a-service (SaaS) with the convenience of consolidated cloud billing and usage-based, metered pricing. “Our priority is to make cloud security as effortless as possible, which starts by meeting IT users and … More

The post Trend Micro’s Deep Security as a Service now available on the Microsoft Azure Marketplace appeared first on Help Net Security.

Karamba Security implements its security software on Alpine infotainment systems

Karamba Security, a world leader in automotive and enterprise edge cybersecurity, announced the signing of a production agreement of its leading Carwall runtime integrity software, in Alpine infotainment systems. The platform provides an ECU self-protection against remote code execution (RCE), helping to protect vehicles from cyberattacks. Protection against cyberattacks is critical in order to safeguard customer safety in the connected and autonomous vehicle era. Such exploits of in-memory vulnerabilities can jeopardize customer safety by controlling … More

The post Karamba Security implements its security software on Alpine infotainment systems appeared first on Help Net Security.

RISC-V Soft CPU Contest challenges designers to develop a hardware secure RISC-V soft CPU solution

The RISC-V Foundation, a non-profit corporation controlled by its members to drive the adoption and implementation of the free and open RISC-V instruction set architecture (ISA), announced the call for submissions for the RISC-V Soft CPU Contest. The aim of the contest is to challenge designers to develop a hardware secure RISC-V soft CPU solution that can thwart malicious software security attacks. The contest is sponsored by RISC-V Foundation members Microchip Technology Inc. and Thales. … More

The post RISC-V Soft CPU Contest challenges designers to develop a hardware secure RISC-V soft CPU solution appeared first on Help Net Security.

Ingram Micro chooses AvePoint as a global Modern Workplace Accelerate partner

AvePoint and Ingram Micro jointly announced the formation of a new global relationship. As part of this relationship, Ingram Micro will list AvePoint’s solutions to migrate, manage and backup data in Office 365 and Dynamics 365 in all of its Cloud Marketplaces around the world at discounted rates for managed service providers (MSPs) who qualify under Ingram Micro’s new Modern Workplace Accelerate program. Modern Workplace Accelerate is a global program designed to simplify the complexity … More

The post Ingram Micro chooses AvePoint as a global Modern Workplace Accelerate partner appeared first on Help Net Security.

Alfresco Migration Service to help orgs move off legacy platforms and migrate to the cloud

Alfresco Software, a commercial, open source software company, launched the Alfresco Migration Service to help enterprises move off outdated, legacy platforms, while mitigating the risk of migrating content to the cloud. Alfresco has completed many migrations and, based on this experience, created the Migration Service with a migration toolkit, skilled consultancy, and a robust 5-week process. Today’s enterprises need the modern deployment capabilities, hyper-scale and agility of the cloud and yet remain concerned about the … More

The post Alfresco Migration Service to help orgs move off legacy platforms and migrate to the cloud appeared first on Help Net Security.

T-Mobile launches Roambee BeeAware, a narrowband IoT asset tracking solution

T-Mobile is now in the asset tracking business. T-Mobile for Business will sell the first asset tracking solution, Roambee BeeAware, on a Narrowband IoT (NB-IoT) network in the United States. This moment marks the next stage of development for the IoT market. High-value asset tracking is a perfect match for America’s first NB-IoT network: Cost: When a company deploys hundreds, if not thousands, of asset trackers, device and service costs can add up quickly. No-hit … More

The post T-Mobile launches Roambee BeeAware, a narrowband IoT asset tracking solution appeared first on Help Net Security.

Eurofins’ testwizard system to provide automated testing for Niko Home Control

Eurofins Digital Testing, a global leader in end-to-end quality assurance (QA) and testing services, announced it was selected by Niko, a leader in residential and commercial switching material and smart home products, to provide automated quality assurance and device interoperability testing for Niko’s premier smart home solution. Specifically, Niko will use Eurofins’ testwizard system as a total, end-to-end test solution for their IoT home automation system, Niko Home Control. Niko Home Control is a state-of-the … More

The post Eurofins’ testwizard system to provide automated testing for Niko Home Control appeared first on Help Net Security.

DefenseStorm raises $15M to invest in employees and innovation

DefenseStorm, a leading cloud-based cybersecurity and cybercompliance management provider to regional and community banks and credit unions, announced that it has raised $15M in a Series A financing round led by Georgian Partners. Justin LaFayette, Managing Partner at Georgian Partners, will join the DefenseStorm board of directors. In addition to the investment, DefenseStorm will engage with the Georgian Impact team to accelerate the adoption of applied artificial intelligence and trust. The Georgian Impact team comprises … More

The post DefenseStorm raises $15M to invest in employees and innovation appeared first on Help Net Security.

Five chief IT security executives join RiskSense’s new Technology Advisory Board

RiskSense, pioneering risk-based vulnerability management and prioritization, announced that five leading chief IT security executives have joined the company’s new Technology Advisory Board. Each will bring a unique perspective on security, privacy and risk management to the Board. “Each of our advisory board members are highly respected practitioners, thought leaders and advocates that have made significant contributions to advance IT security over the course of their careers,” said Dr. Srinivas Mukkamala, co-founder and CEO of … More

The post Five chief IT security executives join RiskSense’s new Technology Advisory Board appeared first on Help Net Security.

Sprint revealed that hackers compromised some customer accounts via Samsung site

US telecommunications company Sprint revealed that hackers compromised an unknown number of customer accounts via the Samsung.com “add a line” website.

The mobile network operator Sprint disclosed a security breach, the company revealed that hackers compromised an unknown number of customer accounts via the Samsung.com “add a line” website.

“On June 22, Sprint was informed of unauthorized access to your Sprint account using your account credentials via the Samsung.com “add a line” website.” reads a letter sent to the customers by the company. “We take this matter, and all matters involving Sprint customer’s privacy, very seriously.”

The information exposed in the data breach includes the phone number, device type, device ID, monthly recurring charges, subscriber ID, account number, account creation date, eligibility, first and last name, billing address, and add-on services.

Sprint us mobile

According to the company, exposed data don’t expose customers to a substantial risk of fraud or identity theft, but in my humble opinion, such kind of information could be used for several malicious purposes.

In response to the incident, on June 25 the mobile network operator reset PIN codes of its users.

The US telecommunications company did not reveal the number of affected customers.

Sprint recommends affected clients to take all the precautionary steps necessary to prevent identity theft and other fraudulent activities as recommended by the Federal Trade Commission (FTC):

As a precautionary measure, we recommend that you take the preventative measures that are recommended by the Federal Trade Commission (FTC) to help protect you from fraud and identity theft.” concludes the letter. “These preventative measures are included at the end of this letter. You may review this information on the FTC’s website at www.ftc.gov/idtheft and www.IdentityTheft.govor contact the FTC directly by phone at 1-877-438-4338 or by mail at 600 Pennsylvania Avenue, NW, Washington, DC 20580.”

Pierluigi Paganini

(SecurityAffairs – Sprint, data breach)

The post Sprint revealed that hackers compromised some customer accounts via Samsung site appeared first on Security Affairs.

A flaw in discontinued Iomega/Lenovo NAS devices exposed millions of files

Experts at Vertical Structure and WhiteHat Security discovered a serious flaw that exposed millions of files stored on thousands of exposed Lenovo NAS devices.

An analysis conducted by researchers at Vertical Structure and WhiteHat Security allowed discovering a vulnerability in discontinued Iomega/Lenovo NAS devices, tracked as CVE-2019-6160, that exposed millions of files.

The discovery was made in the fall of 2018 querying the Shodan search engine and revealed 5,114 devices storing over 3 million files. The issue exposed roughly 20,000 documents, 13,000 spreadsheets, 13,000 text files and 405,000 pictures. Some of the documents contained sensitive information, including card numbers and financial records.

IOmega NAS devices flaw 3

The experts believe the actual number of exposed systems could be much greater because they were able to identify only 5,114 devices.

“Vertical Structure was able to find about 13,000 spreadsheet files indexed, with 36 terabytes of data available. The number of files in the index from scanning totaled to 3,030,106.” states a blog post published by WhiteHat Security.

“Within these files, there was a significant amount of files with sensitive financial card numbers and financial records. Vertical Structure was able to track down the source, a legacy Iomega storage product acquired by EMC and co-branded Lenovo-EMC in a joint venture.”

The vulnerability could have been exploited by a remote, unauthenticated attacker to access the files stored on the NAS devices by sending a specially crafted request via an API that was not protected with any authentication mechanism. The experts pointed out that the devices did not leak data through their web interface.

The exploitation of the issue could be automated by developing a script that scans the internet for vulnerable Iomega/Lenovo NAS devices and sends crafted requests to the vulnerable ones.

After the researchers from Vertical Structure and WhiteHat reported their findings to Lenovo, the company pulled three versions of the affected software out of retirement to solve the issue.

“A vulnerability in Iomega and LenovoEMC NAS products could allow an unauthenticated user to access files on NAS shares via the API.” reads the advisory published by Lenovo.

In October 2018, experts at Lenovo discovered nine vulnerabilities affecting discontinued Iomega and LenovoEMC NAS devices that could be exploited by unauthenticated attackers to access protected content.

Pierluigi Paganini

(SecurityAffairs – NAS devices, hacking)



The post A flaw in discontinued Iomega/Lenovo NAS devices exposed millions of files appeared first on Security Affairs.

Photo Shared via iPhone Leads to JetBlue Evacuation

Photo Shared via iPhone Leads to JetBlue Evacuation

Passengers heading to Tampa, Florida, experienced an unusual delay on Tuesday. Those on board a JetBlue flight out of Newark, New Jersey, were evacuated after a person used the AirDrop feature on the Apple phone to send an image of a suicide vest to multiple iOS devices on the plane, according to the Daily News

Several passengers on the flight surprisingly received the image through Apple’s AirDrop feature, which allows users to share content with nearby devices through Bluetooth technology. Given that the person delivering the photo had to be within Bluetooth range, it was presumably a passenger as the plane had already left the gate and was on the runway waiting for takeoff, the report suggested. 

There’s no real way to trace a Bluetooth MAC address to an individual or their device unless all devices were confiscated from the passengers on the flight, according to Dr. Richard Gold, head of security engineering at Digital Shadow. “Even then, it’s unlikely you’d be able to figure the originating MAC address without forensically examining the devices which received the pictures.”

The issue is just the latest concern with Bluetooth. There have been a number of reports of people abusing the AirDrop feature on iOS devices that uses Bluetooth technology to send unwanted photos of various natures to unsuspecting receivers since the feature was introduced in 2011, Gold said. 

In addition to being difficult to trace, people typically leave the Bluetooth function on, said Chris Morales, head of security analytics at Vectra. “I used to admittedly walk around with my laptop scanning for exposed Bluetooth listening devices and could send commands to the owner. It is very easy. The easiest way to not receive things over Bluetooth is to require a pin for connectivity or to just turn it off.”  

Zoom Vulnerability

The Zoom conferencing app has a vulnerability that allows someone to remotely take over the computer's camera.

It's a bad vulnerability, made worse by the fact that it remains even if you uninstall the Zoom app:

This vulnerability allows any website to forcibly join a user to a Zoom call, with their video camera activated, without the user's permission.

On top of this, this vulnerability would have allowed any webpage to DOS (Denial of Service) a Mac by repeatedly joining a user to an invalid call.

Additionally, if you've ever installed the Zoom client and then uninstalled it, you still have a localhost web server on your machine that will happily re-install the Zoom client for you, without requiring any user interaction on your behalf besides visiting a webpage. This re-install 'feature' continues to work to this day.

Zoom didn't take the vulnerability seriously:

This vulnerability was originally responsibly disclosed on March 26, 2019. This initial report included a proposed description of a 'quick fix' Zoom could have implemented by simply changing their server logic. It took Zoom 10 days to confirm the vulnerability. The first actual meeting about how the vulnerability would be patched occurred on June 11th, 2019, only 18 days before the end of the 90-day public disclosure deadline. During this meeting, the details of the vulnerability were confirmed and Zoom's planned solution was discussed. However, I was very easily able to spot and describe bypasses in their planned fix. At this point, Zoom was left with 18 days to resolve the vulnerability. On June 24th after 90 days of waiting, the last day before the public disclosure deadline, I discovered that Zoom had only implemented the 'quick fix' solution originally suggested.

This is why we disclose vulnerabilities. Now, finally, Zoom is taking this seriously and fixing it for real.

Businesses Shine a Light on Shadow IT

Businesses Shine a Light on Shadow IT

The issues surrounding shadow IT that have long plagued security because of unmonitored and unsupported cloud applications and devices are increasingly coming under proper control, according to the 2019 Duo Trusted Access Report

The report found that threats from applications and devices that have traditionally been lurking in IT environments are being mitigated through the implementation of a zero-trust model. Enterprises appear to be catching up with cloud expansion and addressing concerns of shadow IT because the report found that the average number of organizations protecting cloud apps reportedly surged 189% year-over-year.

The report assessed the security of thousands of the world’s largest and fastest-growing organizations and examined 24 million devices used for work. Research showed that the use of out-of-date devices has dropped precipitously, which could be a function of the ever-growing remote workforce. According to today’s press release, a third of all work is done on a mobile device, a 10% increase year-over-year. In turn, organizations are hardening mobile defenses against malware. 

In addition, biometric verification has seen a double-digit jump to more than 77% of business devices, and organizations are outright rejecting authentication based on policies for location-rooted devices, device locks not enabled or a lack of disk encryption.

“Without proper protections, such as strong user authentication and device hygiene checks, accessing business applications from mobile devices can increase exposure to threats that exploit user identities,” the press release said.

As organizations continue to experience shifts in digital transformation, they are enforcing security controls that establish user and device trust through a zero-trust security model. 

“For years, security teams have had little visibility into the cloud applications users were accessing and the personal devices they were using,” said Wendy Nather, head of advisory CISOs at Duo. “The findings in this report make clear that security leaders are taking back control of these apps and devices thanks to a zero-trust approach to security. This approach, in many cases, even allows organizations to adapt quickly to pending threats.”

US Coast Guard Issued Cyber-Safety Alert

US Coast Guard Issued Cyber-Safety Alert

The US Coast Guard recommended that ships update their cybersecurity strategies after a malware attack “significantly” degraded the computer systems of a deep draft vessel in February, according to a press release

In the marine safety alert, the Coast Guard wrote that the vessel involved in the February cyber incident was inbound to the Port of New York and New Jersey during an international trip when it reported that its onboard network was being impacted by a cyber incident.

The Coast Guard responded, and after an analysis conducted alongside an “interagency team of cyber experts” it concluded that while the functionality of the boat’s computer system was impacted, control systems were not. The computer system was used for managing cargo data and communicating with the Coast Guard and shore-side facilities.

“Prior to the incident, the security risk presented by the shipboard network was well known among the crew. Although most crew members didn’t use onboard computers to check personal email, make online purchases or check their bank accounts, the same shipboard network was used for official business – to update electronic charts, manage cargo data and communicate with shore-side facilities, pilots, agents, and the Coast Guard,” the alert said.

Targeting governmental and military assets will continue to be valuable for those seeking to disrupt our society, said Tim Mackey, principal security strategist for the Cybersecurity Research Center at Synopsys

“This incident highlights lessons for everyone to take – whether you’re in government or in a corporate setting – vigilance starts with preparedness. All systems contain weaknesses, and software systems are no different. An up-to-date inventory of all software assets, including versions, origins and update procedures, is a bare minimum operational requirement for deployed software,” said Mackey. 

“This asset inventory should also include a detailed accounting for all known weaknesses, and procedures should be in place to ensure newly disclosed weaknesses or vulnerabilities are amended to the inventory. The goal of this process to ensure that systems are both patched and that the potential attack surface for the asset can be quantified. Armed with this information, threat models can be created which then guide mitigation efforts.”

How to cost-effectively manage and secure a mobile ecosystem

Today’s post was written by Roxane Suau, Vice President of Marketing for Pradeo.

In the corporate environment, mobile devices and applications are at the center of communications, enhancing collaborators’ productivity with 24/7 access to information. But at the same time, they represent thousands of direct entry points to organizations’ information systems, exposing critical data to the wide spectrum of mobile threats.

Our increasingly connected world is driving up the volume of cyberattacks targeting mobility. In 2017, there were 42 million attack attempts on mobile devices registered globally, and this number keeps growing.

While data protection laws urge companies to ensure mobile data privacy, security teams are struck with the challenge of protecting mobile devices, applications, and files while maintaining the flexibility collaborators need to be efficient.

The booming of mobility

According to a Gartner survey, nearly 80 percent of employees haven’t received employer-issued smartphones and more than 50 percent of them exclusively use their personal mobile device in the workplace (BYOD).

As organizations are more and more flexible regarding working tools and locations, employees often access business data and applications from home or public space using their mobile device, by connecting to unsecure networks.

Usually, cybercriminals leverage three vectors to infiltrate mobile devices: applications, the network, and the operating system (OS). Threats operating at the applicative level, such as leaky and malicious applications, are by far the most common and represent 78 percent of all attacks. Attacks perpetrated through the network and the OS count for 12 percent and 10 percent, respectively.

Enterprise mobility has led to the obsolescence of standard network security solutions historically used by companies, as they don’t cover the perimeter of mobile devices and applications. In recent years, the Mobile Threat Defense (MTD) technology has taken over.

Microsoft Intune unified endpoint management + Pradeo Security Mobile Threat Defense

Microsoft and Pradeo (a member of the Microsoft Intelligent Security Association) joined forces a few years ago to pursue a common goal: enable a productive and safe connected workspace.

To help companies set up a more secure and compliant environment, Microsoft Intune, a unified endpoint management platform, offers the functionalities necessary to manage and secure mobile devices and applications. Furthermore, it extends the activation of mobile security capabilities through partner integrations.

Pradeo Security Mobile Threat Defense (MTD) is designed to work with Intune to protect smartphones, tablets, mobile apps, and data. The solution relies on a behavioral analysis engine to precisely detect all actions performed on mobile devices (malware, data leakage, network exploit, OS manipulation). When activated in Intune, customers deploy the Pradeo Security agent on mobile devices to ensure their 360-degree real-time protection.

Pradeo stands out from other MTD solutions, which perform score-based risk evaluation, by being the only vendor on the market that offers an accurate mobile threat detection. Intune customers benefit from Pradeo’s precise threat detection directly in their UEM platform, strengthening their organization’s mobile security posture in the most cost-efficient way.

About Pradeo

Pradeo is a global leader of mobile security and a member of the Microsoft Intelligent Security Association. It offers services to protect the data handled on mobile devices and applications, and tools to collect, process, and get value out of mobile security events.

Pradeo’s cutting-edge technology has been recognized as one of the most advanced mobile security technology by Gartner, IDC, and 37 other research firms in 2018. It provides a reliable detection of mobile threats to prevent breaches and reinforce compliance with data privacy regulations.

For more details, visit www.pradeo.com or write to contact@pradeo.com.

Note: Users must be entitled separately to Pradeo and Microsoft licenses as appropriate.

The post How to cost-effectively manage and secure a mobile ecosystem appeared first on Microsoft Security.

Could a Dropped USB Drive Expose You to Malware?

USB drives seem harmless enough and they’re a convenient way to store, back up, or transfer files from your computer. So If you spot a USB drive sitting on the ground or in your office, should you assume someone lost their files? Or is it a hacker baiting you into compromising your computer and network?

On the latest episode of “Hackable?” Geoff learns if USB drives are dangerous and — with the help of white-hat hacker Tim Martin — sets his own trap for Pedro. Listen and learn how to protect your network from dropped drives, and if Pedro takes the bait.

Listen now to the award-winning podcast “Hackable?”.

The post Could a Dropped USB Drive Expose You to Malware? appeared first on McAfee Blogs.

Could a Dropped USB Drive Expose You to Malware?

USB drives seem harmless enough and they’re a convenient way to store, back up, or transfer files from your computer. So If you spot a USB drive sitting on the ground or in your office, should you assume someone lost their files? Or is it a hacker baiting you into compromising your computer and network?

On the latest episode of “Hackable?” Geoff learns if USB drives are dangerous and — with the help of white-hat hacker Tim Martin — sets his own trap for Pedro. Listen and learn how to protect your network from dropped drives, and if Pedro takes the bait.

Listen now to the award-winning podcast “Hackable?”.

The post Could a Dropped USB Drive Expose You to Malware? appeared first on McAfee Blogs.

Meet the World’s Biggest ‘Bulletproof’ Hoster

For at least the past decade, a computer crook variously known as “Yalishanda,” “Downlow” and “Stas_vl” has run one of the most popular “bulletproof” Web hosting services catering to a vast array of phishing sites, cybercrime forums and malware download servers. What follows are a series of clues that point to the likely real-life identity of a Russian man who appears responsible for enabling a ridiculous amount of cybercriminal activity on the Internet today.

Image: Intel471

KrebsOnSecurity began this research after reading a new academic paper on the challenges involved in dismantling or disrupting bulletproof hosting services, which are so called because they can be depended upon to ignore abuse complaints and subpoenas from law enforcement organizations. We’ll get to that paper in a moment, but for now I mention it because it prompted me to check and see if one of the more infamous bulletproof hosters from a decade ago was still in operation.

Sure enough, I found that Yalishanda was actively advertising on cybercrime forums, and that his infrastructure was being used to host hundreds of dodgy sites. Those include a large number of cybercrime forums and stolen credit card shops, ransomware download sites, Magecart-related infrastructure, and a metric boatload of phishing Web sites mimicking dozens of retailers, banks and various government Web site portals.

I first encountered Yalishanda back in 2010, after writing about “Fizot,” the nickname used by another miscreant who helped customers anonymize their cybercrime traffic by routing it through a global network of Microsoft Windows computers infected with a powerful malware strain called TDSS.

After that Fizot story got picked up internationally, KrebsOnSecurity heard from a source who suggested that Yalishanda and Fizot shared some of the same infrastructure.

In particular, the source pointed to a domain that was live at the time called mo0be-world[.]com, which was registered in 2010 to an Aleksandr Volosovyk at the email address stas_vl@mail.ru. Now, normally cybercriminals are not in the habit of using their real names in domain name registration records, particularly domains that are to be used for illegal or nefarious purposes. But for whatever reason, that is exactly what Mr. Volosovyk appears to have done.

WHO IS YALISHANDA?

The one or two domain names registered to Aleksandr Volosovyk and that mail.ru address state that he resides in Vladivostok, which is a major Pacific port city in Russia that is close to the borders with China and North Korea. The nickname Yalishanda means “Alexander” in Mandarin (亚历山大).

Here’s a snippet from one of Yalishanda’s advertisements to a cybercrime forum in 2011, when he was running a bulletproof service under the domain real-hosting[.]biz:

-Based in Asia and Europe.
-It is allowed to host: ordinary sites, doorway pages, satellites, codecs, adware, tds, warez, pharma, spyware, exploits, zeus, IRC, etc.
-Passive SPAM is allowed (you can spam sites that are hosted by us).
-Web spam is allowed (Hrumer, A-Poster ….)

-Forbidden: Any outgoing Email spam, DP, porn, phishing (exclude phishing email, social networks)

There is a server with instant activation under botnets (zeus) and so on. The prices will pleasantly please you! The price depends on the specific content!!!!

Yalishanda would re-brand and market his pricey bulletproof hosting services under a variety of nicknames and cybercrime forums over the years, including one particularly long-lived abuse-friendly project aptly named abushost[.]ru.

In a talk given at the Black Hat security conference in 2017, researchers from cyber intelligence firm Intel 471 labeled Yalishanda as one the “top tier” bulletproof hosting providers worldwide, noting that in just one 90-day period in 2017 his infrastructure was seen hosting sites tied to some of the most advanced malware contagions at the time, including the Dridex and Zeus banking trojans, as well as a slew of ransomware operations.

“Any of the actors that can afford his services are somewhat more sophisticated than say the bottom feeders that make up the majority of the actors in the underground,” said Jason Passwaters, Intel 471’s chief operating officer. “Bulletproof hosting is probably the biggest enabling service that you find in the underground. If there’s any one group operation or actor that touches more cybercriminals, it’s the bulletproof hosters.”

Passwaters told Black Hat attendees that Intel471 wasn’t convinced Alex was Yalishanda’s real name. I circled back with Intel 471 this week to ask about their ongoing research into this individual, and they confided that they knew at the time Yalishanda was in fact Alexander Volosovyk, but simply didn’t want to state his real name in a public setting.

KrebsOnSecurity uncovered strong evidence to support a similar conclusion. In 2010, this author received a massive data dump from a source that had hacked into or otherwise absconded with more than four years of email records from ChronoPay — at the time a major Russian online payment provider whose CEO and co-founders were the chief subjects of my 2014 book, Spam Nation: The Inside Story of Organized Cybercrime.

Querying those records on Yalishanda’s primary email address — stas_vl@mail.ru — reveal that this individual in 2010 sought payment processing services from ChronoPay for a business he was running which sold counterfeit designer watches.

As part of his application for service, the person using that email address forwarded six documents to ChronoPay managers, including business incorporation and banking records for companies he owned in China, as well as a full scan of his Russian passport.

That passport, pictured below, indicates that Yalishanda’s real name is Alexander Alexandrovich Volosovik. The document shows he was born in Ukraine and is approximately 36 years old.

The passport for Alexander Volosovyk, a.k.a. “Yalishandra,” a major operator of bulletproof hosting services.

According to Intel 471, Yalishanda lived in Beijing prior to establishing a residence in Vladivostok (that passport above was issued by the Russian embassy in Beijing). The company says he moved to St. Petersburg, Russia approximately 18 months ago.

His current bulletproof hosting service is called Media Land LLC. This finding is supported by documents maintained by Rusprofile.ru, which states that an Alexander Volosovik is indeed the director of a St. Petersburg company by the same name.

ARMOR-PIERCING BULLETS?

Bulletproof hosting administrators operating from within Russia probably are not going to get taken down or arrested, provided they remain within that country (or perhaps within the confines of the former republics of the Soviet Union, known as the Commonwealth of Independent States).

That’s doubly so for bulletproof operators who are careful to follow the letter of the law in those regions — i.e., setting up official companies that are required to report semi-regularly on various aspects of their business, as Mr. Volosovik clearly has done.

However, occasionally big-time bulletproof hosters from those CIS countries do get disrupted and/or apprehended. On July 11, law enforcement officials in Ukraine announced they’d conducted 29 searches and detained two individuals in connection with a sprawling bulletproof hosting operation.

The press release from the Ukrainian prosecutor general’s office doesn’t name the individuals arrested, but The Associated Press reports that one of them was Mikhail Rytikov, a man U.S. authorities say was a well-known bulletproof hoster who operated under the nickname “AbdAllah.”

Servers allegedly tied to AbdAllah’s bulletproof hosting network. Image: Gp.gov.ua.

In 2015, the U.S. Justice Department named Rytikov as a key infrastructure provider for two Russian hackersVladimir Drinkman and Alexandr Kalinin — in a cybercrime spree the government called the largest known data breach at the time.

According to the Justice Department, Drinkman and his co-defendants were responsible for hacks and digital intrusions against NASDAQ, 7-Eleven, Carrefour, JCP, Hannaford, Heartland, Wet Seal, Commidea, Dexia, JetBlue, Dow Jones, Euronet, Visa Jordan, Global Payment, Diners Singapore and Ingenicard.

Whether AbdAllah ever really faces justice for his alleged crimes remains to be seen. Ukraine does not extradite citizens, as the U.S. authorities have requested in this case. And we have seen time and again how major cybercriminals get raided and detained by local and federal authorities there, only to quickly re-emerge and resume operations shortly thereafter, while the prosecution against them goes nowhere.

Some examples of this include several Ukrainian men arrested in 2010 and accused of running an international crime and money laundering syndicate that used a custom version of the Zeus trojan to siphon tens of millions of dollars from hacked small businesses in the U.S. and Europe. To my knowledge, none of the Ukrainian men that formed the core of that operation were ever prosecuted, reportedly because they were connected to influential figures in the Ukrainian government and law enforcement.

Intel 471’s Passwater said something similar happened in December 2016, when authorities in the U.S., U.K. and Europe dismantled Avalanche, a distributed, cloud-hosting network that was rented out as a bulletproof hosting enterprise for countless malware and phishing attacks.

Prior to that takedown, Passwater said, somehow an individual connected to Avalanche who went by the nickname “Sosweet” got a tip about an impending raid.

“Sosweet was raided in December right before Avalanche was taken down, [and] we know that he was tipped off because of corruption [because] 24 hours later the guy was back in service and has all his stuff back up,” Passwater said.

The same also appears to be true for several Ukrainian men arrested in 2011 on suspicion of building and disseminating Conficker, a malware strain that infected millions of computers worldwide and prompted an unprecedented global response from the security industry.

So if a majority of bulletproof hosting businesses operate primarily out of countries where the rule of law is not strong and/or where corruption is endemic, is there any hope for disrupting these dodgy businesses?

Here we come full circle to the academic report mentioned briefly at the top of this story: The answer seems to be — like most things related to cybercrime — “maybe,” provided the focus is on attempting to interfere with their ability to profit from such activities.

That paper, titled Platforms in Everything: Analyzing Ground-Truth Data on the Anatomy and Economics of Bulletproof Hosting, was authored by researchers at New York University, Delft University of Technology, King Saud University and the Dutch National High-Tech Crimes Unit. Unfortunately, it has not yet been released publicly, and KrebsOnSecurity does not have permission yet to publish it.

The study examined the day-to-day operations of MaxiDed, a bulletproof hosting operation based in The Netherlands that was dismantled last summer after authorities seized its servers. The paper’s core findings suggest that because profit margins for bulletproof hosting (BPH) operations are generally very thin, even tiny disruptions can quickly push these businesses into the red.

“We demonstrate the BPH landscape to have further shifted from agile resellers towards marketplace platforms with an oversupply of resources originating from hundreds of legitimate upstream hosting providers,” the researchers wrote. “We find the BPH provider to have few choke points in the supply chain amenable to intervention, though profit margins are very slim, so even a marginal increase in operating costs might already have repercussions that render the business unsustainable.”

United Kingdom’s NCSC Advisory vs DNS Hijacking Released

The United Kingdom’s National Cyber Security Centre (NCSC) has issued an advisory warning UK citizens using computers and other Internet-connected mobile devices that large-scale DNS hijackings in the Internet are ongoing, and the agency provides simple mitigation advice for IT professionals to implement in their respective areas of coverage. NCSC defined DNS hijacking as an incident where DNS entries of an authoritative DNS server were edited by a 3rd party without permission. Such attack creates an unsafe environment for users, as their traffic get redirected to a false website instead of the genuine website they wish to visit. NCSC highlighted that hackers are concentrating on establishing transparent proxy, Domain hijacking, obtaining TLS certificates without authority and creating malicious DNS records, all without the knowledge of the target victims.

Unfortunately, the majority of what NCSC describes as “Account Take Over” (ATO) cases involve the domain registrar itself, and end-users have nothing to do with it. Though the agency issued a short advice for domain registrars in order to minimize the chance of a take over of their DNS systems by unknown parties. “Registry and Registrar Lock – many registries offer a “registrar lock” service. This lock prevents the domain being transferred to a new owner, without the lock being removed. A “registry lock” (which sometimes involves a fee) is considered an additional level of protection whereby changes cannot be made until additional authentication has taken place which usually involves a call to the owner,” explained the NCSC report.

The focus of heightened alert is for service providers and domain registrars to prioritize offering domain lock for their customers, which comprises of the following functionalities, as directly quoted from NCSC:

  • Prevents the nameservers from being changed;
  • Prevents domain registrant and / or contact details being changed;
  • Prevents the domain from being transferred to another registrar.

DNS server hosting is a regular part of the domain registry and Internet Service Provider business, however, it is not considered as a money-making endeavor. Hence, ISPs and domain registrars are not placing a lot of investment when it comes to securing their DNS infrastructure.

NCSC provided the following security suggestions in order for DNS-hosting organizations to be confident of their DNS server security:

1. Implement DNSSEC

DNSSEC is a security extension that proves the reliability of correspondence information of IP address and host name sent from DNS server. This is to prevent DNS response spoofing attacks such as DNS cache poisoning. In DESSEC, the DNS server that sends the response signs the response using the private key, and the recipient verifies it with the public key. Because you can not sign correctly without the private key, you can detect false responses by verifying the signature. A normal DNS server does not have a means to authenticate the other party, so by supporting DNSSEC, it can have its function.

2. Monitor TLS

TLS certificate creation needs to be done correctly, the “web of trust” truly depends on the level of trust people to the certificate authority. Lost of trust to a certificate authority means lost of business, just like what happened to Diginotar’s and Symantec’s dissolved certificate authority businesses.

3. Auditing and Monitoring

4. Access Control

5. Change Control

Keep evidence – in case your entire domain is hijacked, you’ll need to appeal to your registry for help. Keep extensive records which can be used to prove ownership,” concluded the NCSC report.

 

Also Read, 

What is DNS Security? Why is it Important?

DNS Servers | How to Secure DNS Servers from hacker attacks?

 

The post United Kingdom’s NCSC Advisory vs DNS Hijacking Released appeared first on .

Cybersecurity Hygiene: 8 Steps Your Business Should be Taking

Whether you’re managing your enterprise’s cybersecurity or you’ve outsourced it to a service provider, you’re ultimately the one that will be held accountable for a data breach. If your vendor loses your data, your customers and board of directors will likely still hold you responsible.

McAfee’s recent report, Grand Theft Data II: The Drivers and Shifting State of Data Breaches, reveals a majority of IT professionals have experienced at least one data breach, and on average have dealt with six breaches over the course of their career. Nearly three-quarters of all breaches have required public disclosure or have affected financial results.

Enterprise threats are increasing in number and sophistication, while rapidly targeting new vulnerabilities. And while, the top three vectors for exfiltrating data were database leaks, cloud applications, and removable USB drives, IT professionals are most worried about leaks from cloud enterprise applications such as Microsoft OneDrive, Cisco WebEx, and Salesforce.com.

Cybersecurity hygiene best practices must not only be established but updated and followed to keep up with these agile, versatile threats. Here are eight steps your business should be taking to implement better cybersecurity hygiene:

  1. Educate Your Teams All employees are part of an organization’s security posture. And yet, 61% of IT professionals say their executives expect more lenient security policies for themselves, and 65% of those respondents believe this leniency results in more incidents. Do as I say, not as I do can be dangerous. It’s imperative that you develop a continuing cybersecurity education program for all enterprise teams including best practices for passwords and how to detect phishing emails. Your program should include re-education processes for your IT team on breach targets such as default accounts and missing patches.
  2. Timely Patches and Updates – The Data Exfiltration Report found that IT was implicated in most data breaches, and much of this can be attributed to failures in cybersecurity hygiene, such as the failure to get a security patch out across the enterprise within 24 to 72 hours. Or failing to check that all available updates are accepted on every device. The vulnerabilities these patches and updates are designed to address can remain vulnerable for months despite the availability of the fixes. Cloud and SaaS operations have proven that automated patching testing and deployment works well with minimal downside risk.
  3. Implement Data Loss Policies (DLP) Data loss prevention requires thinking through the data, the applications, and the users. Most security teams continue to operate in isolation, with 81% reporting separate policies or management consoles for cloud access security brokers (CASBs) and data loss prevention (DLP). It is more important than ever to have a set of consistent Data Loss Prevention (DLP) policies that protect data everywhere it’s stored, including the cloud and corporate endpoints, networks, or unmanaged devices.
  4. Pay Attention to Cloud Security Settings – Cloud applications are where the bulk of your data resides, and data is what most cybercriminals are after. As Dev Ops moves more workloads to the cloud your enterprise needs to pay attention to the security setting of the cloud instances it uses and be aware of the security associated with the underlying infrastructure. Many security measures and considerations in the cloud are the same as on-prem, but some are different. Understanding the security of the cloud you choose and the applications that you use in the cloud are a critical part of securely navigating digital transformation.
  5. Technology Integration and Automation – One of the top actions cited for reducing future breach risks is integrating the various security technologies into a more cohesive defense. A lack of integration between security products allows suspicious activity to dwell unnoticed. If an attack is identified and blocked, all entry points should be instantly informed. If a compromised device is detected, security products should automatically scan all other devices for evidence of similar compromise, and quarantine affected systems. Automation allows machines to make these decisions based on policy set by the security team and accelerates time to detection and remediation without incurring material risk of unintended IT consequences.
  6. Deploy and Activate CASB, DLP, EDR – A Cloud Attack Security Broker (CASB) automatically classifies sensitive information, enforces security policies such as data loss prevention, rights management, data classification, threat protection, and encryption. Data Loss Prevention (DLP) safeguards intellectual property and ensures compliance by protecting sensitive data. Endpoint Detection and Response (EDR) can help your enterprise gain visibility into emerging threats with little maintenance and by monitoring endpoint activity, detecting suspicious behavior, making sense of high-value data, and understanding context. EDR can also reduce your need for additional SOC resources.
  7. Run Proper Device Audits –It’s important to regularly review device encryption on all devices including laptops, tablets, and mobile phones. Using multifactor identification strengthens your security beyond common sense steps like evaluating and promoting password strength.
  8. Have an Incident Response Plan – You may have only minutes and hours to act on a cyberattack. Good intentions aren’t enough to effectively respond and remedy a security breach. Be prepared before it happens. An Incident Response Plan is integral in helping your enterprise respond more effectively, reduce business disruptions and a loss of reputation.

For more on how to improve your enterprise’s cybersecurity hygiene using automation, integration, and cloud-based deployment and analytics, check out McAfee MVISION EDR.

The post Cybersecurity Hygiene: 8 Steps Your Business Should be Taking appeared first on McAfee Blogs.

Media File Jacking allows manipulating media files users receive via Android WhatsApp and Telegram

Media File Jacking – Security researchers at Symantec demonstrated how to manipulate media files that can be received via WhatsApp and Telegram Android apps.

Security experts at Symantec devised an attack technique dubbed Media File Jacking that could allow attackers to manipulate media files that can be received via WhatsApp and Telegram Android apps. The issue could potentially affect many other Android apps as well.

The attack technique leverages the fact that any app installed on a device can access and rewrite files saved in the external storage, including the files saved by other apps. Popular apps like WhatsApp and Telegram allow users to choose where to store the file. The researchers pointed out that unlike Telegram for Android.

Anyway, many Telegram users prefer to save their data to external storage using the “Save to Gallery” option.

“The security flaw, dubbed “Media File Jacking”, affects WhatsApp for Android by default, and Telegram for Android if certain features are enabled.” reads the report published by Symantec. “It stems from the lapse in time between when media files received through the apps are written to the disk, and when they are loaded in the apps’ chat user interface (UI) for users to consume.”

A malicious app installed on the recipient’s device can intercept and manipulate media files, including photos, documents, or videos stored on the external storage, that are exchanged between users. The attack is completely transparent for the recipient that is not able to see any suspicious activity.

“The fact that files are stored in, and loaded from, external storage without proper security mechanisms, allows other apps with write-to-external storage permission to risk the integrity of the media files,” continues the analysis. ” Write-to-external storage (WRITE_EXTERNAL_STORAGE) is a common permission requested by Android apps, with over a million apps in Google Play having this access. In fact, based on our internal app data, we found nearly 50% of a given device’s apps have this permission.”

media file jacking attack

Researchers presented four attack scenarios that see a malicious app manipulating media files sent to the recipient:

  1. Image manipulation

The malicious, app downloaded by a user can run in the background to perform a Media File Jacking attack while the victim uses WhatsApp or Telegram and manipulate images in near-real-time.

2.) Payment manipulation

The attackers can manipulate an invoice sent by a vendor to the recipient and trick them into making a payment.

3.) Audio message spoofing

Attackers can use voice reconstruction via deep learning technology to modify the original audio message for malicious purposes.

4.) Spread fake news

In Telegram, attackers can carry out Media File Jacking attacks to alter media files that appear in a trusted channel feed in real-time to spread fake news.

To ensure that media files are kept safe from attackers, Symantec provides the following recommendations:

  • Validate the integrity of files: Store in a metadata file a hash value for each received media file before writing it to the disk. Then, confirm that the file has not been changed (i.e. the hash is the same) before the media file is loaded by the app in the relevant chat portion for users to see. This step can help developers validate that files were not manipulated before they are loaded. This approach balances between the security (protection against Media File Jacking attacks) and functionality (e.g., supporting third party backup apps) needs of the IM apps.
     
  • Internal storage: If possible, store media files in a non-public directory, such as internal storage. This is a measure some IM apps have chosen.
     
  • Encryption: Strive to encrypt sensitive files, as is usually done for text messages in modern IM solutions. This measure, as well as the previous one, will better protect files from exposure and manipulation. The downside is that other apps, such as photo backup apps, won’t be able to easily access these files.

Symantec shared its findings with both Telegram and WhatsApp, the experts explained that the vulnerability will be addressed by Google with the Android Q update.

“With the release of Android Q, Google plans to enact changes to the way apps access files on a device’s external storage. Android’s planned Scoped Storage is more restrictive, which may help mitigate threats like the WhatsApp/Telegram flaw we found.”concludes Symantec. “Scoped Storage means that apps will have their own storage area in an app-specific directory, but will be prevented from accessing files in the entire storage partition, unless an explicit permission is granted by the user.”

Pierluigi Paganini

(SecurityAffairs – Media File Jacking, hacking)

The post Media File Jacking allows manipulating media files users receive via Android WhatsApp and Telegram appeared first on Security Affairs.

Epsiode 537 – Truly Effective Security Programs Are Business Focused

Cybersecurity is technical in nature but it’s really a business problem to solve. This episode how aligning to the business will take your security program to the next level.  Be aware, be safe. Become A Patron! Patreon Page *** Support the podcast with a cup of coffee *** – Ko-Fi Security In Five Don’t forget […]

The post Epsiode 537 – Truly Effective Security Programs Are Business Focused appeared first on Security In Five.

Mysterious hackers steal data of over 70% of Bulgarians

Hackers stole data of millions of Bulgarians, and sent it to local media, According to the media the source could be the National Revenue Agency.

Hackers have exfiltrated data from a Bulgarian government system, likely the National Revenue Agency (NRA), and have shared it with the local media.

The hackers have stolen the personal details of millions of Bulgarians and sent to the local newspaper download links for the archives containing them.

“The link was sent by anonymous hackers via Russian mail servers on Monday to the Bulgarian media. The array of 57 folders contains thousands of files that they claim to be from the Treasury’s servers, probably.” reads the Monitor website.

The National Revenue Agency is investigating the incident and verifying the authenticity of the data.

“The NRA and the specialized bodies of the Ministry of the Interior and the State Agency for National Security (SANS) check the potential vulnerability of the National Revenue Agency’s computer system.” reads a statement published by the NRA.

“Earlier today, emails of certain media have been sent a link to download files allegedly belonging to the Bulgarian Ministry of Finance. We are currently verifying whether the data is real.”

The hackers claim to have breached Treasury’s servers and have exfiltrated data from more than 110 databases. More than 5 million Bulgarian and foreign citizens are affected, consider that the country has a population composed of 7 million people.

“Your government is slow to develop, your state of cybersecurity is parodyous,” wrote the hackers.

The hacker bragged about stealing 110 databases from NRA’s network, totaling nearly 21 GB. The hacker only shared 57 databases, comprising 11GB of data out of 21 aggregate data with local news outlets but promised to release the rest in the coming days.

“Perhaps the biggest leak of personal data in Bulgaria. That’s how the 57-folder contains more than a thousand files that anonymous hackers sent to Bulgarian media on Monday.” reported the Capital website. “Upon reviewing the information, Capital has opened databases with more than 1 million rows containing PINs, names, addresses, and even earnings.”

Most of the data is very old, in some cases, information is dated back as far as 2007.

Hackers also leaked information from Department Civil Registration and Administrative Services (GRAO), Bulgaria’s customs agency, the National Health Insurance Fund (NZOK), and data from the Bulgarian Employment Agency (AZ).

The email was sent by an email address belonging to the Russian service Yandex.ru. The message sent to local media by hackers ends with a quote by WikiLeaks founder Julian Assange and calls for his release.

“Your government is stupid. Your is a parody.” closes the email.

Immediately after the leak of the data, the Democratic Bulgaria opposition party demanded the resignation of Finance Minister Vladislav Goranov.

It seems that cyber security for Bulgarian government services is very poor, tt the end of June, Bulgarian police arrested the IT expert Petko Petrov after he publicly demonstrated a security vulnerability in the kindergarten software used by local kindergartens.

Pierluigi Paganini

(SecurityAffairs – Bulgarians, hacking)

The post Mysterious hackers steal data of over 70% of Bulgarians appeared first on Security Affairs.

Edge Feature Section

Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book

Evite Reveals Security Incident Potentially Involving Unauthorized Access

Social-planning website Evite has revealed a security incident that potentially involved unauthorized access to its systems. Evite first became aware of the security incident back in April 2019. It responded by retaining a data forensics firm to launch a thorough investigation into the event. This effort uncovered malicious activity that had been present on its […]… Read More

The post Evite Reveals Security Incident Potentially Involving Unauthorized Access appeared first on The State of Security.

NCSC in DNS Warning as Hijackers Focus on Home Routers

NCSC in DNS Warning as Hijackers Focus on Home Routers

The UK’s National Cyber Security Centre (NCSC) has issued a warning about DNS hijacking threats, as reports emerge of widespread attacks in Brazil affecting 180,000 users.

The NCSC posted the advisory on Friday as a follow-up to one issued in January. DNS hijacking attackers typically take control of an authoritative DNS server, change the entries stored there and in so doing covertly redirect users to servers under their control, in a Man in the Middle attack.

This is what happened in the DNSpionage campaign revealed earlier this year and the Sea Turtle attacks which Cisco Talos last week claimed are still ongoing.

However, DNS hijackers are also targeting consumers with a slightly different modus operandi, Avast revealed in a recent blog post.

These attacks look to modify the settings on home routers, potentially via cross-site request forgery (CSRF) web-based attacks, so that they use rogue DNS servers. Once again, the end goal is to secretly redirect the user to a phishing page or one capable of installing malware on their machine.

Avast claims to have blocked over 4.6m CSRF attacks during February and March alone in Brazil, adding that 180,000 users have had their DNS hijacked in the first half of 2019.

The initial CSRF attack often happens via malvertising when a user visits a compromised website.

“When visiting a compromised site, the victim is unknowingly redirected to a router exploit kit landing page, which is usually opened in a new window or tab, initiating the attack on the router automatically, without user interaction,” it said.

“In general, the exploit kit attempts to find the router IP on a network, and subsequently attempts to guess the password using various login credentials. Once the hacker successfully logs into the router, the exploit kit attempts to alter the router’s DNS settings using various CSRF requests.”

GhostDNS, Navidade and SonarDNS are the three exploit kits being used in these attacks. Once a rogue DNS server is installed, the attackers look to monetize their efforts via phishing to steal Netflix and banking credentials from consumers; replacing good ads with malicious ones to steal traffic for profit; and installing browser-based crypto-jacking scripts.

Avast urged consumers to stay on the latest router firmware version; use strong and unique log-ins for online banking and routers; and to check their banking sites have a valid certificate.

iOS URL Scheme expose users to App-in-the-Middle attack

Security experts at Trend Micro have discovered that iOS URL scheme could allow an attacker to hijack users’ accounts via App-in-the-Middle attack.

Security experts at Trend Micro devised a new app-in-the-middle attack that could be exploited by a malicious app installed on iOS devices to steal sensitive data from other applications. The attack exploits the implementations of the Custom URL Scheme.

Apple iOS implements a sandbox mechanism to prevent that each app could access data of the other ones installed on the device.

Apple also implements some methods to allow sending and receiving limited data between applications, including the URL Scheme (aka Deep Linking). The method could allow developers to launch an app through URLs (i.e. facetime://, whatsapp://, fb-messenger://).

For example, a user can click on “Contact us via Whatspp” within an app, launches the WhatsApp app installed on the device passing the necessary information to authenticate the user.

Experts explained how to abuse the URL Scheme for malicious purposes that could potentially expose users to attacks.

Trend Micro pointed out that iOS allows one single URL Scheme to be used by multiple apps allowing malicious apps to exploit the URL Scheme.

iOS allows one single URL Scheme to be claimed by multiple apps. For instance, Sample:// can be used by two completely separate apps in their implementation of URL Schemes. This is how some malicious apps can take advantage of the URL Scheme and compromise users.” reads the analysis published by Trend Micro.

“Apple addressed the issue in later iOS versions (iOS 11), where the first-come-first-served principle applies, and only the prior installed app using the URL Scheme will be launched. However, the vulnerability can still be exploited in different ways.”

The vulnerability is very dangerous when the login process of app A is associated with app B, the image below shows the attack scenario:

ios custom url scheme

When the Suning app users access their e-commerce account using WeChat, it generates a login-request and sends it to the WeChat app installed on the same device using the iOS URL Scheme for the messaging app. The WeChat app received the login request and in turn requests a login token from its server that sends it back to the Suning app.

The experts discovered that since Suning always uses the same login-request query and WeChat does not authenticate the source of the login request, an attacker could carry out aapp-in-the-middle attack via the iOS URL Scheme.

“With the legitimate WeChat URL Scheme, a fake-WeChat can be crafted, and Suning will query the fake one for Login-Token. If the Suning app sends the query, then the fake app can capture its Login-Request URL Scheme.” continues the analysis. “WeChat recognizes it, but it will not authenticate the source of the Login-Request. Instead, it will directly respond with a Login-Token to the source of the request. Unfortunately, the source could be a malicious app that is abusing the Suning URL scheme.”

The discovery demonstrates that an attacker using a malicious app with the same Custom URL Scheme as a targeted app can trick them into sharing users’ sensitive data with it.

“In our research, plenty of apps that our system audited were found taking advantage of this feature to show ads to victims. Potentially malicious apps would intentionally claim the URL Scheme associated with popular apps: wechat://, line://, fb://, fb-messenger://, etc. We identified some of these malicious apps,” explained the researchers.

Experts remarked that the URL Scheme cannot be used for the transfer of sensitive data. 

Pierluigi Paganini

(SecurityAffairs – URL scheme, hacking)

The post iOS URL Scheme expose users to App-in-the-Middle attack appeared first on Security Affairs.

Researcher releases PoC code for critical Atlassian Crowd RCE flaw

A researcher has released proof-of-concept code for a critical code execution vulnerability (CVE-2019-11580) in Atlassian Crowd, a centralized identity management solution providing single sign-on and user identity. Atlassian plugged the hole in late May, but administrators that failed to implement it should consider doing so now, as full-fledged exploits are likely to pop up soon. About the vulnerability (CVE-2019-11580) Atlassian Crowd allows enterprise admins to manage users from Active Directory, LDAP, OpenLDAP or Microsoft Azure … More

The post Researcher releases PoC code for critical Atlassian Crowd RCE flaw appeared first on Help Net Security.

NHS Still Running 2000+ XP Computers

NHS Still Running 2000+ XP Computers

The NHS still has over 2,000 machines running Windows XP, the government had revealed, despite official support for the operating system running out in 2014.

The figures came in response to a parliamentary written question tabled by Jo Platt, the shadow Cabinet Office minister.

Parliamentary under secretary of state at the Department of Health, Jackie Doyle-Price, replied that the health service was running around 2300 XP computers as of July this year.

Platt criticized the figures as an indictment of the government’s failure to prioritize cybersecurity.

“The government is seriously lacking the leadership, strategy and co-ordination we need across the public sector to keep us and our data safe and secure. How many more warnings will it take before they listen and take action?” she said.

“The next Labour government will provide not only the resourcing but also the vital leadership, organization and dedication needed to get our public sector fit and resilient to fight the cyber-threats of the 21st century.”

The NHS was famously caught out by the WannaCry ransomware worm of 2017, which affected around a third of trusts and led to the cancellation of an estimated 19,000 operations and appointments.

Despite repeated warnings, and patches being made available by Microsoft, even for XP, systems were not updated quickly enough, leading to the ensuing chaos which is said to have cost the NHS around £92m to clean-up.

However, the government has been taking steps to address the problems, with a £150m cash injection announced last year said to be for Windows 10 upgrades, along with other measures.

Doyle-Price was also keen to put the 2300 figure in context: the NHS runs a total of around 1.4 million computers.

“This equates to 0.16% of the NHS estate,” she said. “We are supporting NHS organizations to upgrade their existing Microsoft Windows operating systems, allowing them to reduce potential vulnerabilities and increase cyber resilience.”

A report from Centrify last week revealed that the NHS has successfully repelled over 11.3 million email-based cyber-attacks over the past three years.

UK Mid-Sized Firms Lost £30bn to Attacks in 2018

UK Mid-Sized Firms Lost £30bn to Attacks in 2018

Cybersecurity incidents have cost UK mid-market firms a combined £30bn over the past year as automated attacks become the norm, according to Grant Thornton.

The accounting and consulting giant interviewed 500 UK business leaders from firms with revenue of between £15m and £1bn to compile its latest study, Cyber security: the board report.

It revealed that more than half of those polled had reported losses of between 3-10% of revenue following a cybersecurity breach. For those hit hardest, losses were up to 25% of revenue.

Reputational loss (58%) was the most commonly reported impact of a cyber-attack, followed by clean-up costs (45%), management time (44%), loss of turnover (39%), and customer churn/behavior change (35%).

Part of the problem is that many mid-market firms still believe they are able to avoid the scrutiny of cyber-criminals, and therefore pay less attention to security best practice.

Less than a third (31%) claimed to follow minimum cybersecurity standards, versus 46% of large companies; just half (48%) conduct risk assessments versus 69% in larger enterprises; and 55% do cyber health checks compared to 64%.

Risks will only increase as automated attack techniques grow in popularity – enabling vulnerability identification, credential stuffing, and open source information scraping en masse.

“It’s the equivalent of thieves driving down a street to see who’s left their door open. Criminals exploit the vulnerable networks they identify or sell the list of promising targets on to others eager to exploit the opportunity. If your defenses are not up to scratch, you could already be on a list,” argued Grant Thornton head of cybersecurity, James Arthur.

“The reality is that it’s not the size or profile of a business that attracts the interest of cyber-criminals. They have increasingly sophisticated targeting tools and are using these to launch an increasing volume of attacks against anyone who looks like they have weak defenses. It’s not personal – it’s just business.”

Putting cyber risk on the board agenda is one of the best ways to regain the initiative and minimize the chances of a successful attack, but challenges persist, the consultancy claimed.

Only two-fifths (41%) of respondents claimed to have an incident response plan in place, and even fewer (37%) said their board formally reviews cybersecurity, or that there’s a security-specific role on the board (37%). Just 36% said they had provided all staff with security training over the past year.

In most cases the board member with responsibility for cyber is the CIO (31%), CTO (23%), CEO (16%) or CFO (15%). Chief security officer doesn’t feature at all.

Why PCI DSS Compliance Is Important For Smartcards?

As more and more people are conducting their everyday financial transaction needs through the use of smartcards, that is the reality on the ground. People use less cash, and the growing demand for the use of debit/credit cards is globally speaking the release of EMV cards to replace magnetic stripe cards are not yet fully implemented. Hence the PCI DSS Goals and Requirements are established in order to guide the financial sector.

The six goals with their corresponding requirements are enumerated below:

1. Build and maintain secure networks and systems:

Install and maintain a firewall to protect cardholder data

This is the responsibility of system administrators and their team of IT staff. The smartcard itself is just a frontend, the “magic” of using a piece of plastic card in on its backend, the servers that supports the electronic transactions. Both the merchant and the bank are connected by this network that is expected to run 24/7, as ecommerce never stops as office hours stop.

Do not use vendor-supplied defaults for system passwords and other security parameters

Trouble comes with the “default”, there is a term in the IT support industry called the “tyranny of the default”, where the end-user are totally dependent on the default values. Default values for passwords are documented in the web, never use them for a production system.

2. Protect cardholder data

Protect stored cardholder data

Physical security is still one of the strongest security to implement. But immediately succeeding it is the stored data itself that gets read and written through machines like ATMs and POS terminals. It is the full responsibility of banks and merchants that their terminals fully comply with the current security standards.

Encrypt when transmitting cardholder data over an open public network

This is a common practice across the industry, no one will trust a merchant with non-encrypted POS, and no one will ever transact with a bank that has no reasonable implementation of encryption standards practice all around the world for securing their customer’s data.

3. Maintenance of vulnerability management program

Protect all systems as malware and update anti-virus software regularly

Malware infection vulnerability is the very reason why POS and ATM machines are usually running a variant of the Unix and Linux operating systems. This is due to the number of malware available in the Windows platform, it is not recommended for use in merchandising and banking purposes.

Develop and maintain highly secure systems and applications

Many banks maintain their old but still dependable Unix systems, some banks even uses the decades-old mainframe systems for the same reason, security.

4. Introducing powerful access control methods

Restrict access to cardholder data to the extent necessary for business

Also known as user account control, only those bank employees and merchant staff tasks with handling data of customers should have access to customer information.

Identify and authenticate access to system components

Aside from time-tested vaults, banks using their Unix/Linux systems have elaborate components that work together in a secure fashion.

Restrict physical access to cardholder data

Same as number 7, however, securing data on the card is itself is the full responsibility of the owner. Misuse of the card does not make the bank responsible for fraudulent transactions.

5. Regular monitoring and testing of the network

  • Track and monitor all access to network resources and cardholder data
  • Test security systems and processes regularly

6. Development of information security policy

  • Develop a policy to support information security for all personnel

Also, Read:

Cybersecurity Risk Readiness Of Financial Sector Measured

11 Signs That We May Be Nearing Another Global Financial Crisis

How Financial Apps Could Render You Vulnerable to Attacks

The post Why PCI DSS Compliance Is Important For Smartcards? appeared first on .

Fighting talk and fines obscure other GDPR lessons from BA and Marriott data breaches

There’s been lots of talk about regulations with bite, a watchdog baring its teeth, and that ‘the gloves are off’ after the UK Information Commissioner’s Office one-two punch of a £184 million fine against British Airways, and £99 million against Marriott International announced a day later.

It certainly looks like the ICO went for the jugular (sorry, it’s contagious) over breaches of the General Data Protection Regulation. But it reminds me of the build-up to the regulation before May 2018. Then, much of the coverage focused on the potentially huge fines at stake. In the same way, last week’s news shouldn’t obscure the lessons beyond the attention-grabbing sums of money.

A wake-up call

The first thing to clarify is that these fines haven’t been issued yet. In both cases, the ICO is saying it’s an intention to fine – it’s giving both companies a warning. Whether or not the amounts will be close to the published figures, we know there will be fines for sure. Companies should take this as a wake-up call that non-compliance with GDPR requirements may result in tough penalties.

As I noted in the SANS Institute newsletter, the fines are not for having a breach, but for poor security that helped it. The ICO press statement makes this very clear. “The ICO’s investigation has found that a variety of information was compromised by poor security arrangements at the company, including log in, payment card, and travel booking details as well name and address information,” it said.

Strong message

That being said, the proposed fine nevertheless amounts to 1.5 per cent of British Airways’ revenue. “This should send a strong message to all organisations that are regulated by the GDPR to take the security and privacy of their customer data seriously,” I wrote.

In an interview with Bank Info Security, I said that more GDPR fines are likely on the way. “Many GDPR data breaches, especially the highly publicised ones, can take a long time for proper investigations by the supervisory authorities… What we are seeing now are the beginnings of the supervisory authorities issuing penalties under GDPR, and I expect we will see many more over the coming months.”

The ICO’s moves last week aren’t the first fines that a supervisory authority has imposed under GDPR. As Tracy Elliott noted in our blog marking the first year post-GDPR, there have been other, smaller fines issued in the UK, Portugal and France. We also know that Ireland’s Data Protection Commission (DPC) has several cases ongoing against Facebook, Google and Quantcast.

(Don’t just) follow the money

Last week, I was at the Maastricht University European Centre on Privacy and Cybersecurity, where I contribute to certification training for data protection officers (DPOs). Some attendees said their senior management were now asking what the fines could mean. They also wondered what assurances they have that their own organisations aren’t at risk from a similar incident.

After the race to get ready for GDPR by May 2018, a certain amount of complacency set in. Since these breaches, the size of these proposed fines has raised GDPR on senior management’s radar again. (Side note: BA’s share price fell by more than £115 million after the news came out.)

There are broader lessons from last week’s news. It’s important to look beyond the financial repercussions, particularly in companies whose business model relies on gathering and processing data. Bear in mind that fines are just one penalty that a regulator can impose. They could compel companies to delete data or stop processing certain types of data. That could have a bigger long-term impact on their business than a monetary fine which they could absorb. Not being able to gather data in a certain way could have negative repercussions on how you do business.

Third-party risk

The root causes of BA and Marriott’s breaches highlight a particular security risk: external third parties. BA’s breach was due to a software script integrated into its website. There were no checks in place to verify any changes to that code. The Marriott breach came from its acquisition of Starwood hotels in 2016. It only discovered in 2018 that Starwood’s customer database suffered a hack in 2014.

So, companies need to ask what due diligence they need to carry out against third-party vendors and suppliers. If your company plans to acquire or partner with businesses, you inherit their risk profile, security and data protection frameworks. You need to check what assurances you have that these third parties are adhering to your security requirements, rather than you inheriting theirs.

In light of the news, what actions should other companies take? Interestingly, even before the ICO’s news, the Irish DPC issued a short guide to information sources to consider when reviewing or setting security.

Companies should carry out continuous auditing and verification to ensure their security and privacy controls are working. And if they don’t have the internal resources to do this, to work with independent experts to verify those controls.

The post Fighting talk and fines obscure other GDPR lessons from BA and Marriott data breaches appeared first on BH Consulting.

DoppelPaymer, a fork of BitPaymer Ransomware, appeared in the threat landscape

Some of the crooks behind the Dridex Trojan have split from the gang and released a forked version of the BitPaymer ransomware dubbed DoppelPaymer.

Cybercrime gang tracked as TA505 has been active since 2014 and focusing on Retail and Banking industries. The group that is known for the distribution of the Dridex Trojan and the Locky ransomware, has released other pieces of malware including the tRat backdoor and the AndroMut downloader

In mid-2017, the group released BitPaymer ransomware (aka FriedEx) that was used in attacks against high profile targets and organizations. The ransomware was being distributed through Remote Desktop Protocol (RDP) brute force attacks.

“CrowdStrike® Intelligence has identified a new ransomware variant identifying itself as BitPaymer. This new variant was behind a series of ransomware campaigns beginning in June 2019, including attacks against the City of Edcouch, Texas and the Chilean Ministry of Agriculture.” reads the analysis published by CrowdStrike.

“We have dubbed this new ransomware DoppelPaymer because it shares most of its code with the BitPaymer ransomware operated by INDRIK SPIDER.”

Now experts found a new variant of the ransomware tracked as DoppelPaymer. The discovery suggests that some members of TA505 gang left the group and forked the source code of both Dridex and BitPaymer to develop a new malware.

First variants of BitPaymer initially delivered a ransom note containing the ransom amount and the onion address of the payment portal. Later versions did not include the above info, instead, the variant appeared in the threat landscape since July 2018 only included two emails to negotiate the ransom and to contact to receive the instructions for the payment.

The latest variant observed by the experts in November 2018 includes the victim’s name in the ransom note, it also uses 256-bit AES in cipher block chaining (CBC) mode for encryption.

“Since the update in November 2018, INDRIK SPIDER has actively used the latest version of BitPaymer in at least 15 confirmed ransomware attacks. These attacks have continued throughout 2019, with multiple incidents occurring in June and July of 2019 alone.” continues the analysis.

According to the experts, DoppelPaymer was used for the first time in a targeted attack in June 2019. Experts detected eight distinct malware builds that was used at least in attacks against three victims. 

The ransom amounts asked to the victims in the attacks were different and ranged from approximately $25,000 to $1,200,000 worth of Bitcoin. 

The ransom note dropped by the DoppelPaymer ransomware doesn’t include the ransom amount, instead, it contains the onion address for a TOR-based payment portal that is identical to the original BitPaymer portal. 

DoppelPaymer

The authors of DoppelPaymer improved the source code of the BitPaymer.

numerous modifications were made to the BitPaymer source code to improve and enhance DoppelPaymer’s functionality. For instance, file encryption is now threaded, which can increase the rate at which files are encrypted.” continues the report. “The network enumeration code was updated to parse the victim system’s Address Resolution Protocol (ARP) table, retrieved with the command arp.exe -a. The resulting IP addresses of other hosts on the local network are combined with domain resolution results via nslookup.exe.”

DoppelPaymer leverages ProcessHacker, a legitimate open-source administrative utility, to terminates processes and services that may interfere with the file encryption process.

“Both BitPaymer and DoppelPaymer continue to be operated in parallel and new victims of both ransomware families have been identified in June and July 2019.” concludes CrowdStrike. “The parallel operations, coupled with the significant code overlap between BitPaymer and DoppelPaymer, indicate not only a fork of the BitPaymer code base, but an entirely separate operation,”

Pierluigi Paganini

(SecurityAffairs – DoppelPaymer ransomare, TA505)

The post DoppelPaymer, a fork of BitPaymer Ransomware, appeared in the threat landscape appeared first on Security Affairs.