The key challenge facing security leaders and putting their organizations at risk of breach is misplaced confidence that the abundance of technology investments they have made has strengthened their security posture, according to a study conducted by Forrester Consulting. The study surveyed over 250 senior security decision-makers in North America and Europe. Participants included CISO, CIO, IT and security VPs from organizations ranging from 3,000 to over 25,000 employees. Currently, security leaders employ a variety … More →
Over a year on from the introduction of the General Data Protection Regulation (GDPR), the Capgemini Research Institute has found that companies vastly overestimated their readiness for the new regulation with just 28% having successfully achieved compliance. This is compared to a GDPR readiness survey last year which found that 78% expected to be prepared by the time the regulation came into effect in May 2018. However, organizations are realizing the benefits of being compliant: … More →
It's been a bit of intense country-hopping since the last update so this one is a consolidated "this week in tweets" version. I actually found it kind of interesting going back through the noteworthy incidents of the week in lieu of having original content of my own, see what you think. Given the coming schedule (and a deep, deep desire for a few days of downtime), the next one might be more of the same so I hope it resonates!
Because this week is predominantly about noteworthy tweets, I'm going to do the references a little differently. Firstly, with a sponsor shout-out:
This is fascinating: an amazing story of technology having a profound effect on someone’s wellbeing. Equally, a technology that’s only possible due to constant monitoring and tracking. https://t.co/3pI0OdfYBz
There are periodic flareups of anti-HTTPS sentiment thanks to a grumpy technologist who doesn't want to upgrade his sites. Read this by @troyhunt for why even static sites need a security and privacy standard that's been around since 1994. https://t.co/zdxeqP1aBa
Only 8 percent of companies are securing 75 percent or more of their cloud-native applications with DevSecOps practices today, with that number jumping to 68 percent of companies securing 75 percent or more of their cloud-native applications with DevSecOps practices in two years, according to ESG. The study results also revealed that API-related vulnerabilities are the top threat concern (63 percent of respondents) when it comes to organizations' use of serverless. Overall, the study analyzed … More →
In this interview, Jason Spies, VP of Engineering & Chief Architect, ThreatConnect, talks about the powerful features of the ThreatConnect Platform. Oftentimes, the ability for a product to support growth (scale effectively) is forgotten in lieu of a customer being dazzled by individual features or capabilities. Can you talk about the importance of technical considerations when it comes to a Platform scaling to support multiple teams and growing demands over time? Bottom line, it’s a balance … More →
DevOps is concerned with uniting two particular tribes: development and operations. These tribes have seemingly competing priorities: developers value features while operations value stability. These contradictions are largely mitigated by DevOps. A strong argument could be made that the values of the security tribe – defensibility – could just as easily be brought into the fold, forming a triumvirate under the DevSecOps umbrella. The security tribe’s way forward is to find ways to unify with … More →
Fall is officially here, and that can only mean that SecTor is right around the corner! All summer long, I’ve been planning and prepping new ideas for this year’s IoT Hack Lab and training session. With just a few weeks to go until the conference kicks off, I’m more than a little excited about the […]… Read More
Every year when I go to Black Hat USA and DEFCON, I am reminded of the constant battle between light and dark…wait…that’s Return of the Jedi…. I mean of the constant battle between infosec and the big bad hacker. And it’s not just the uber sophisticated hacks that involve fuzzing and SQL Injections (Am I […]… Read More
Cloudflare, the security, performance, and reliability company helping to build a better Internet, announced support for HTTP/3, the new standard of the web that will make the Internet faster, more secure, and more reliable, for everyone. Cloudflare has been collaborating with industry peers, including Google Chrome and Mozilla Firefox, to bring HTTP/3 to the masses and progress the Internet into the future. An efficient Internet requires the adoption of common, shared protocols to allow computers … More →
MobileIron, the company that introduced the industry’s first mobile-centric, zero trust platform for the enterprise, announced support for the upcoming release of Oculus for Business. Organizations will be able to onboard, configure and manage Oculus’ leading all-in-one virtual reality (VR) headsets, Oculus Quest and Oculus Go, as part of their established unified endpoint management (UEM) infrastructure, simplifying the entire device lifecycle – from enrollment to retirement. Built for easy adoption and scalability across a variety … More →
HITRUST, a leading data protection standards development and certification organization, announced a significant new release of its information risk and compliance assessment SaaS platform. HITRUST is continually innovating MyCSF to help streamline and simplify how organizations assess information risk and manage compliance. The October 2019 release features a redesigned user interface, capability to create custom assessments tailored to specific regulatory or control requirements, streamlined workflows throughout the third-party assurance process, and sharing of assessments with … More →
Tripwire, a leading global provider of security and compliance solutions for enterprises and industrial organizations, announced the next generation of Tripwire Connect, which consolidates data from both Tripwire Enterprise and Tripwire IP360 to provide a single view of security and compliance states, and can be deployed both on-premises and as a software-as-a-service (SaaS) application. The new version of the Tripwire Connect analytics, reporting, integration and management platform delivers scalable, flexible and centralized vision into the … More →
OPSWAT, a leader in critical infrastructure protection, announced a new critical infrastructure protection (CIP) cybersecurity training and certification program, OPSWAT Academy. Designed for cybersecurity professionals and CIP stakeholders, OPSWAT Academy will provide beginner, intermediate and advanced education strategically designed to reflect the real-world responsibilities and technical proficiencies required of modern-day critical infrastructure security professionals and stakeholders. Through courses that promote best practices and practical approaches to CIP cybersecurity, OPSWAT Academy will help properly prime what … More →
Adobe and Google Open Redirects Abused by Phishing Campaigns
Experts reported that phishing campaigns are leveraging Google and Adobe open redirects to bypass spam filters and redirect users to malicious sites.
Phishers are abusing Google and Adobe open redirects to bypass spam filters and redirect users to malicious sites.
Crooks abuse Google and Adobe services to create URLs that point to malicious websites but still bypass security filters, because they appear to be legitimate URLs from trusted IT giants.
“Open redirectors take you from a Google URL to another website chosen by whoever constructed the link. Some members of the security community argue that the redirectors aid phishing, because users may be inclined to trust the mouse hover tooltip on a link and then fail to examine the address bar once the navigation takes place.” reads the post published by Google.
“Our take on this is that tooltips are not a reliable security indicator, and can be tampered with in many ways; so, we invest in technologies to detect and alert users about phishing and abuse, but we generally hold that a small number of properly monitored offers fairly clear benefits and poses very little practical risk.”
An example of a Google open redirect is https://www.google.com/url?q=[url], which could be abused by attackers.
“Phishing campaigns commonly utilize open redirects from well known companies as they feel users will be more likely to click on a link if it belongs to Google or Adobe.” reported BleepingComputer.
Below is an example of a phishing message that uses a Google open redirect pointing to a fake login page.
In a similar way, attackers could abuse the Adobe redirect service in phishing campaigns.
Experts suggest administrators and users remain vigilant on open redirects.
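The practical problem for a defender is that the link a user hovers over belongs to a trusted domain while the effective destination does not. The following Python helper, added here as an illustration and not code from the article or from Google, resolves that effective destination for a URL by looking for URL-valued query parameters. The only redirector pattern taken from the article is Google's https://www.google.com/url?q=[url]; the generic rule (any query parameter carrying an absolute URL to a different host), the allowlist and all sample URLs are constructed assumptions.

```python
"""Resolve the true destination of open-redirect style links before trusting the visible host."""
from urllib.parse import urlparse, parse_qs, unquote

# Redirector pattern named in the article: https://www.google.com/url?q=[url].
# Mapping host -> path -> parameter names that carry the target URL. Only the
# Google entry comes from the article; a defender would extend this from their own data.
KNOWN_REDIRECTORS = {
    "www.google.com": {"/url": ["q", "url"]},
}

# Constructed allowlist of hosts whose login pages the organization actually uses.
TRUSTED_HOSTS = {"www.google.com", "accounts.google.com"}


def _absolute_url_params(query):
    """Yield (param, url) for every query value that is an absolute http(s) URL."""
    for key, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            candidate = unquote(value)  # tolerate double-encoded targets
            parsed = urlparse(candidate)
            if parsed.scheme in ("http", "https") and parsed.netloc:
                yield key, candidate


def resolve_redirect(url):
    """Return (is_redirect, effective_destination_host) for a single link.

    A link counts as a redirector when its host/path is a known redirector whose
    target parameter is present, or, more generically, when any query parameter
    carries an absolute URL whose host differs from the link's own host.
    """
    parsed = urlparse(url)
    host = parsed.netloc.lower()
    known_params = KNOWN_REDIRECTORS.get(host, {}).get(parsed.path)
    for param, target in _absolute_url_params(parsed.query):
        target_host = urlparse(target).netloc.lower()
        if (known_params and param in known_params) or target_host != host:
            return True, target_host
    return False, host


def classify_link(url):
    """'ok' when the effective destination is trusted; otherwise flag it,
    distinguishing links that reach an untrusted host through a redirector."""
    is_redirect, destination = resolve_redirect(url)
    if destination in TRUSTED_HOSTS:
        return "ok"
    return "suspicious-redirect" if is_redirect else "suspicious"


if __name__ == "__main__":
    # Constructed phishing-style link: trusted visible host, untrusted real destination.
    sample = "https://www.google.com/url?q=https%3A%2F%2Flogin.example-phish.test%2Fsignin"
    print(resolve_redirect(sample), classify_link(sample))
```

Run it over the link targets extracted from an inbound mail and alert on anything classified as suspicious-redirect; the visible host alone is what the phishing campaigns in the article rely on users trusting.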
Windows 10 version 1903 on ARM has gotten an additional virtualization-based security feature that creates secured regions of memory that are isolated from the operating system. These secured and isolated regions of memory can then be used by security solutions so that they are better protected from vulnerabilities in the operating s [...]
This week a zero-day vBulletin remote code execution vulnerability and exploit was publicly disclosed and is being used by bad actors to attack vBulletin forums. Cloudflare has now created a special rule that will prevent this exploit from working on vBulletin sites behind Cloudflare's service. [...]
Here’s an overview of some of last week’s most interesting news, articles and podcasts: Cybersecurity automation? Yes, wherever possible Automated systems are invaluable when it comes to performing asset discovery, evaluation and vulnerability remediation, sifting through mountains of data, detecting anomalous activity and, consequently, alleviating the everyday burdens of security teams. How can we thwart email-based social engineering attacks? More than 99 percent of cyberattacks rely on human interaction to work, Proofpoint recently shared. More … More →
Now the Pakistani hacker claims to have stolen more than 218 million records from the popular mobile social game company Zynga Inc.
Zynga Inc is an American social game developer running social video game services. Founded in April 2007, it primarily focuses on mobile and social networking platforms.
Among the online games developed by the company, there are FarmVille, Words With Friends, Zynga Poker, Mafia Wars, and Café World that have over a billion players worldwide.
“Going by the online alias Gnosticplayers, the serial hacker told The Hacker News that this time, he managed to breach “Words With Friends,” a popular Zynga-developed word puzzle game, and unauthorisedly access a massive database of more than 218 million users.” reported The Hacker News.
Gnosticplayers shared a sample of the stolen data with The Hacker News; the exposed records include:
Hashed passwords, SHA1 with salt
Password reset token (if ever requested)
Phone numbers (if provided)
Facebook ID (if connected)
Zynga account ID
Gnosticplayers revealed that he had access to data belonging to all Android and iOS game players who installed and signed up for the ‘Words With Friends’ game before 2nd September 2019.
Zynga confirmed that account login information for certain players of Draw Something and Words With Friends may have been exposed in the data breach. The company pointed out that the hackers did not access financial information.
“We recently discovered that certain player account information may have been illegally accessed by outside hackers. An investigation was immediately commenced, leading third-party forensics firms were retained to assist, and we have contacted law enforcement.” reads the data breach notification published by the company.
“While the investigation is ongoing, we do not believe any financial information was accessed. However, we have identified account login information for certain players of Draw Something and Words With Friends that may have been accessed. As a precaution, we have taken steps to protect these users’ accounts from invalid logins. We plan to further notify players as the investigation proceeds.”
The hacker also claims to have accessed data of other Zynga gamers, including Draw Something and the discontinued OMGPOP game.
The company launched an investigation and hired third-party forensics firms to help it; it also reported the incident to law enforcement. As a precaution, the gaming firm has taken steps to protect these users’ accounts from invalid logins.
Users of the Words With Friends game, and, let me suggest, players of all Zynga games, should immediately change the password for their account and also on any other services that share the same credentials.
A Pakistani hacker who previously made headlines earlier this year for selling almost a billion user records stolen from nearly 45 popular online services has now claimed to have hacked the popular mobile social game company Zynga Inc.
With a current market capitalization of over $5 billion, Zynga is one of the world's most successful social game developers with a collection of hit online
Researchers at Proofpoint have spotted a piece of downloader, dubbed WhiteShadow, that leverages Microsoft SQL queries to pull and deliver malicious payloads.
In August, malware researchers at Proofpoint spotted a new downloader which is being used to deliver a variety of malware via Microsoft SQL queries. The experts detected new Microsoft Office macros, which collectively act as a staged downloader, and tracked it as WhiteShadow.
Initially the downloader was involved in a small campaign aimed at distributing the Crimson RAT; over time, researchers observed the implementation of detection evasion techniques.
“In August 2019, the macros that make up WhiteShadow appeared in English-language cleartext. The only observed obfuscation technique was in the simple case altering of strings such as “Full_fILE” or “rUN_pATH.” In early September, we observed slight misspellings of certain variables such as “ShellAppzz.Namespace(Unzz).” Mid-September brought another change in macro code using reversed strings such as “StrReverse(“piz.Updates\stnemucoD\”)”.” reads the analysis published by Proofpoint.
“The most recently observed versions of the WhiteShadow macros contain long randomized text strings such as “skjfhskfhksfhksfhksjfh1223sfsdf.eDrAerTerAererer”.”
Experts believe that WhiteShadow is one component of a malware delivery service that includes a rented instance of Microsoft SQL Server to host various payloads retrieved by the downloader. Experts observed the downloader in campaigns spreading Crimson RAT, Agent Tesla, AZORult, and multiple keyloggers.
The macros observed in the campaigns, once enabled, execute SQL queries to retrieve the malicious code, stored as ASCII-encoded strings, from Microsoft SQL Server databases controlled by threat actors.
The result of the query is written to disk as a PKZip archive of a Windows executable.
“WhiteShadow uses a SQLOLEDB connector to connect to a remote Microsoft SQL Server instance, execute a query, and save the results to a file in the form of a zipped executable. The SQLOLEDB connector is an installable database connector from Microsoft but is included by default in many (if not all) installations of Microsoft Office.” continues the report.
“Once extracted by the macro, the executable is run on the system to start installing malware, which is determined by the actor based on the script configuration stored in the malicious Microsoft Office attachments.”
Proofpoint warns that the Microsoft SQL technique is still a rarity in the threat landscape, but threat actors could increasingly adopt it in future campaigns.
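Because the report describes the traits of the WhiteShadow macros rather than any single signature (SQLOLEDB connector use, StrReverse()-wrapped literals, Shell.Application Namespace() unzip calls, and long random-looking identifiers), a macro triage script can score on those traits directly. The Python below is an added example, not Proofpoint's tooling: it extracts macro source from nowhere in particular (feed it the VBA text you dump with your usual tooling), un-reverses StrReverse literals so hidden paths become readable, and flags identifiers with no vowels or heavy case alternation. The SAMPLE_MACRO fragment is constructed for the test and is not a working macro; the case-altering trick ("Full_fILE") from the report is deliberately not scored because it has too many benign look-alikes.

```python
"""Triage Office macro source for the WhiteShadow traits described by Proofpoint."""
import re

# Indicators derived from the report's description (not a vendor signature).
SQLOLEDB = re.compile(r"sqloledb", re.I)                      # SQLOLEDB connector string
STRREVERSE = re.compile(r'StrReverse\s*\(\s*"([^"]*)"\s*\)', re.I)  # reversed literals
SHELL_NAMESPACE = re.compile(r"\.Namespace\s*\(", re.I)       # Shell.Application unzip helper
IDENT = re.compile(r"\b[A-Za-z_][A-Za-z0-9_]{11,}\b")          # identifiers of 12+ chars


def unreverse_literals(src):
    """Return the plaintext of every StrReverse("...") literal (a deobfuscation step)."""
    return [literal[::-1] for literal in STRREVERSE.findall(src)]


def looks_random(token):
    """Heuristic for generated names: almost no vowels, or constant case flipping."""
    letters = sum(c.isalpha() for c in token)
    vowels = sum(c in "aeiouAEIOU" for c in token)
    flips = sum(
        1 for a, b in zip(token, token[1:])
        if a.isalpha() and b.isalpha() and a.isupper() != b.isupper()
    )
    vowel_ratio = vowels / letters if letters else 1.0
    return vowel_ratio < 0.15 or flips / max(len(token) - 1, 1) > 0.4


def scan_macro(src):
    """Return {indicator: evidence} for the traits found in one macro's source."""
    hits = {}
    if SQLOLEDB.search(src):
        hits["sqloledb_connector"] = True
    reversed_strings = unreverse_literals(src)
    if reversed_strings:
        hits["reversed_strings"] = reversed_strings
    if SHELL_NAMESPACE.search(src):
        hits["shell_namespace_unzip"] = True
    noisy = sorted(t for t in set(IDENT.findall(src)) if looks_random(t))
    if noisy:
        hits["random_identifiers"] = noisy
    return hits


def risk_score(hits):
    """One point per distinct trait; two or more deserves an analyst's eyes."""
    return len(hits)


# Constructed test fragment: indicator strings only, not a functional macro.
SAMPLE_MACRO = (
    'Full_fILE = "Provider=SQLOLEDB;Data Source=[placeholder];"\n'
    'rUN_pATH = StrReverse("piz.setadpU\\stnemucoD\\")\n'
    'ShellAppzz.Namespace(Unzz)\n'
    'skjfhskfhksfhksfhksjfh1223sfsdf = 1\n'
)

if __name__ == "__main__":
    found = scan_macro(SAMPLE_MACRO)
    print(risk_score(found), found)
```

The un-reversed literal is the most useful output for an analyst: it turns the report's reversed "Documents\...zip" style string back into the drop path the macro intends to write, without executing anything.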
Experts at Juniper Threat Labs have discovered a new piece of malware dubbed Masad Stealer that exfiltrates cryptocurrency wallet files via Telegram.
Security researchers at Juniper Threat Labs discovered a strain of malware dubbed Masad Stealer that is being actively distributed. The malware can steal files, browser information, and cryptocurrency wallet data and send them to the botmasters through a Telegram bot.
“The malware is being advertised on black market forums as “Masad Clipper and Stealer”. It steals browser data, which might contain usernames, passwords and credit card information. Masad Stealer also automatically replaces cryptocurrency wallets from the clipboard with its own.” reads the analysis published by the experts.
“Masad Stealer sends all of the information it collects – and receive commands from – a Telegram bot controlled by the threat actor deploying that instance of Masad. Because Masad is being sold as off-the-shelf malware, it will be deployed by multiple threat actors who may or may not be the original malware writers.”
Masad Stealer is written in AutoIt script and compiled into a Windows executable. The size of most of the samples analyzed by the experts was about 1.5 MiB, but the experts noted that larger executables bundled into other applications can also be found.
The malware appears to be linked to another threat dubbed “Qulab Stealer”.
Crooks are advertising the malware on hacking forums as a stealer and clipper, the ‘fully-featured’ variant is offered for sale at $85.
Masad Stealer is distributed by masquerading as a legitimate tool or by being bundled into third-party tools, such as CCleaner and ProxySwitcher.
Attackers attempt to trick users into downloading the malware by advertising it in forums, on third party download sites or on file sharing sites.
Victims can also get infected installing tainted versions of popular software and game cracks, and cheats.
Once it has infected a machine, Masad Stealer collects a wide range of data, including system info, screenshots, desktop text files, Steam Desktop Authenticator sessions, cryptocurrency wallets, browser cookies, usernames, passwords, and browser-stored credit card data.
Masad Stealer is also able to automatically replace Monero, Bitcoin Cash, Litecoin, Neo, and WebMoney wallet addresses in the clipboard with its own.
The malware achieves persistence by creating a scheduled task on all Windows devices it manages.
Once the malware has collected the information from the victim’s computer, it zips the files using a 7zip executable bundled within its binary, then exfiltrates the data to the command and control (C2) server using unique Telegram bot IDs.
The analysis of the unique Telegram bot IDs and usernames associated with the malware allowed the experts to determine that there are at least 18 threat actors or campaigns actively targeting potential victims with Masad Stealer.
“Of the more than 1,000 samples we identified to be variants of this malware, there were 338 unique Telegram Command and Control bot IDs. From this data, we can estimate the number of threat actors – or at least the number of different campaigns being run using the Masad Stealer malware – and the size of their operations.” continues the report.
Juniper Threat Labs pointed out that Masad Stealer is an active threat and the malicious code is still available for purchase on the black market.
Experts also published a list of indicators of compromise (IOCs) with malware sample hashes and domains involved in the attacks.
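Two of the behaviours above are observable on the endpoint independently of any sample hash: a process talking to the Telegram Bot API, and the same process having registered a scheduled task for persistence. The Python below is an added example, not Juniper's tooling, that correlates the two over a few constructed telemetry records. It assumes the Bot API is reached at api.telegram.org with a /bot<token>/ path prefix (taken from Telegram's public Bot API documentation, not from the article), and the allowlisted legitimate bot process and every record are constructed for the illustration.

```python
"""Correlate Telegram Bot API traffic with scheduled-task persistence in endpoint telemetry."""
import re
from urllib.parse import urlparse

# Assumption from Telegram's public Bot API docs: https://api.telegram.org/bot<token>/<method>.
BOT_API_PATH = re.compile(r"^/bot\d+:[A-Za-z0-9_-]+/")

# Constructed allowlist: internal automation that legitimately uses a Telegram bot.
EXPECTED_BOT_PROCESSES = {"ops-alerting-bot.exe"}

# Constructed telemetry records (not real logs). Each dict has a type, the
# originating process image name, and either a url or a command-line detail.
EVENTS = [
    {"type": "net", "process": "chrome.exe", "url": "https://example.test/"},
    {"type": "net", "process": "ops-alerting-bot.exe",
     "url": "https://api.telegram.org/bot1111:ConstructedTokenA/sendMessage"},
    {"type": "task_created", "process": "ccleaner_setup.exe", "detail": "[constructed task name]"},
    {"type": "net", "process": "ccleaner_setup.exe",
     "url": "https://api.telegram.org/bot2222:ConstructedTokenB/sendDocument"},
    {"type": "net", "process": "notes_helper.exe",
     "url": "https://api.telegram.org/bot3333:ConstructedTokenC/sendDocument"},
]


def telegram_bot_api(url):
    """True when the URL targets a Telegram Bot API method endpoint."""
    parsed = urlparse(url)
    return parsed.netloc.lower() == "api.telegram.org" and bool(BOT_API_PATH.match(parsed.path))


def detect(events):
    """Return (process, finding, severity) tuples.

    A non-allowlisted process reaching the Bot API is medium; the same process
    having also created a scheduled task (the persistence the article describes)
    is raised to high because both stealer traits are present.
    """
    persisted = {e["process"].lower() for e in events if e["type"] == "task_created"}
    findings = []
    for e in events:
        if e["type"] != "net" or not telegram_bot_api(e["url"]):
            continue
        proc = e["process"].lower()
        if proc in EXPECTED_BOT_PROCESSES:
            continue
        severity = "high" if proc in persisted else "medium"
        findings.append((proc, "telegram-bot-api-from-unexpected-process", severity))
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

The bot token appears in the URL path, so the same telemetry also gives you the per-campaign identifier Juniper used to count operators; the script deliberately does not store it beyond the match.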