Daily Archives: October 3, 2019

Effective methods for enterprises to detect and prevent network intrusions


Enterprise networks are exposed to intrusions of many kinds. Some begin with systems on the network running unauthorized applications that carry vulnerabilities or backdoors; when those weaknesses are exploited, an attacker gains unauthorized access to the network, with a range of unpleasant consequences for the business.

To prevent such intrusions, an enterprise needs a security control that can detect these events and actively work toward prevention. An Intrusion Detection System (IDS) monitors incoming and outgoing network traffic and flags signs of intrusion that could jeopardize the business. Its main function is to raise an alert when it sees such activity; because it only observes and does not block traffic, it is commonly described as a passive monitoring system.

IDS technology has since evolved. Its successor, the Intrusion Prevention System (IPS), goes a step further and is helping enterprises cope with the attacks that arrive over business networks.

IPS is a core component of Unified Threat Management (UTM), an appliance that bundles several controls to block threats entering through the business network.

What is an IPS, and how does it help prevent network intrusions?

An Intrusion Prevention System (IPS) is a step ahead of an IDS in its capabilities: it not only detects anomalies on a company’s network but also blocks them. It does this by:

  • Monitoring traffic to and from routers, firewalls, key servers and files, and matching it against a signature database of known attacks
  • Raising an alarm, with targeted notifications to key personnel, when a breach is detected
  • Keeping false alarms comparatively low, since each alert is cross-verified against the signature database
  • Detecting patterns across different types of attacks and giving administrators insight for further hardening
  • Supporting regulatory compliance by providing greater visibility across the entire network
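To make the detect-versus-block distinction concrete, here is a small added example (not Seqrite’s code, and not from the original post) of a signature-based engine run over constructed sample traffic. The signatures, the port-scan threshold and the traffic are all made up for illustration. The same packets are processed first in IDS mode, where a match only raises an alert and every packet is still forwarded, and then in IPS mode, where matching packets are dropped and a source that trips the port-scan threshold is blocked from then on.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Signature:
    sid: int                      # rule id, as in Snort/Suricata rule sets
    name: str
    dport: Optional[int]          # destination port filter; None means any port
    pattern: "re.Pattern[str]"    # regex run over the packet payload


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: str


@dataclass(frozen=True)
class Alert:
    sid: int
    name: str
    src: str
    action: str                   # "alert" (IDS) or "drop" (IPS)


# Hypothetical signature database for illustration; real rule sets are far
# larger and use a dedicated rule language.
SIGNATURES: List[Signature] = [
    Signature(1001, "HTTP directory traversal", 80, re.compile(r"\.\./")),
    Signature(1002, "SQL injection tautology", 80,
              re.compile(r"'\s*or\s+'?1'?\s*=\s*'?1", re.IGNORECASE)),
    Signature(1003, "Known scanner SSH banner", 22, re.compile(r"^SSH-2\.0-libssh")),
]

# Distinct destination ports from one source before it is treated as a port scan.
SCAN_THRESHOLD = 5


def match_signatures(pkt: Packet) -> List[Signature]:
    """Return every signature whose port filter and payload regex both hit."""
    return [s for s in SIGNATURES
            if (s.dport is None or s.dport == pkt.dport) and s.pattern.search(pkt.payload)]


def inspect(packets: List[Packet], mode: str = "ids") -> Tuple[List[Alert], List[Packet]]:
    """Run packets through the engine in IDS (alert only) or IPS (alert and drop) mode.

    Returns (alerts, forwarded_packets). In IPS mode a matching packet is
    dropped, and a source flagged as a port scanner is blocked from then on.
    """
    if mode not in ("ids", "ips"):
        raise ValueError("mode must be 'ids' or 'ips'")
    alerts: List[Alert] = []
    forwarded: List[Packet] = []
    ports_seen: Dict[str, Set[int]] = defaultdict(set)
    blocked: Set[str] = set()

    for pkt in packets:
        if pkt.src in blocked:
            alerts.append(Alert(0, "source already blocked", pkt.src, "drop"))
            continue

        hits = [(s.sid, s.name) for s in match_signatures(pkt)]
        ports_seen[pkt.src].add(pkt.dport)
        if len(ports_seen[pkt.src]) == SCAN_THRESHOLD:      # fire once per source
            hits.append((2001, f"port scan: {SCAN_THRESHOLD} distinct ports probed"))

        if not hits:
            forwarded.append(pkt)
            continue

        action = "drop" if mode == "ips" else "alert"
        alerts.extend(Alert(sid, name, pkt.src, action) for sid, name in hits)
        if mode == "ips":
            if any(sid == 2001 for sid, _ in hits):
                blocked.add(pkt.src)
        else:
            forwarded.append(pkt)                          # IDS is passive: never drops
    return alerts, forwarded


# Constructed sample traffic (RFC 5737 documentation addresses), not a real capture.
SAMPLE_TRAFFIC: List[Packet] = [
    Packet("198.51.100.7", "10.0.0.5", 80, "GET /index.html HTTP/1.1"),
    Packet("198.51.100.7", "10.0.0.5", 80, "GET /../../etc/passwd HTTP/1.1"),
    Packet("198.51.100.9", "10.0.0.5", 80, "GET /login?user=admin' OR '1'='1 HTTP/1.1"),
    Packet("203.0.113.4", "10.0.0.5", 22, "SSH-2.0-libssh_0.8.1"),
    Packet("203.0.113.4", "10.0.0.5", 21, ""),
    Packet("203.0.113.4", "10.0.0.5", 23, ""),
    Packet("203.0.113.4", "10.0.0.5", 25, ""),
    Packet("203.0.113.4", "10.0.0.5", 443, ""),
    Packet("203.0.113.4", "10.0.0.5", 8080, ""),
    Packet("192.0.2.10", "10.0.0.5", 443, "GET / HTTP/1.1"),
]

if __name__ == "__main__":
    for mode in ("ids", "ips"):
        alerts, forwarded = inspect(SAMPLE_TRAFFIC, mode)
        print(f"{mode}: {len(alerts)} alerts, {len(forwarded)}/{len(SAMPLE_TRAFFIC)} packets forwarded")
        for a in alerts:
            print(f"  [{a.sid}] {a.name} from {a.src}: {a.action}")
```

Note the trade-off the threshold rule illustrates: the signature rules only fire on payload content they recognise, so a scanner that sends empty probes is invisible to them, and the stateful port-count rule is what catches it. Setting that threshold too low is exactly how an IPS ends up blocking legitimate monitoring hosts, which is why the passage above distinguishes signature matches (specific, few false alarms) from behavioural rules.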

How does UTM as a whole help in defending your business network?

Seqrite’s Unified Threat Management (UTM) offers a one-stop solution for all enterprise security needs which includes intrusion detection and prevention as a standard feature.

UTM’s in-built IDS and IPS components keep enterprises safe by:

  • Monitoring, evaluating and catching threats in real time
  • Preventing Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
  • Blocking the port scans attackers use to discover open ports

Seqrite UTM’s IPS acts as a security barrier against unwanted intrusions into your network and forestalls a broad range of DoS and DDoS attacks before they penetrate the network. Deploying this level of protection can benefit an enterprise in various ways, including:

  • Providing a snapshot of network security at one glance
  • Protection of enterprise assets within the network
  • Triggers raised on detection of any suspected breach or activity in the network
  • A holistic approach towards prevention of intrusions

Apart from its Intrusion Prevention System, Seqrite’s Unified Threat Management (UTM) solution is equipped with other key features such as Gateway Antivirus, Web Filtering, High Availability and a Centralized Management System (CMS), so that it can act as a first line of defence against network attacks.

The post Effective methods for enterprises to detect and prevent network intrusions appeared first on Seqrite Blog.

New infosec products of the week: October 4, 2019

Anomali Altitude automates detection, analysis, and threat response The Anomali Altitude platform delivers Anomali Lens, Anomali ThreatStream, and Anomali Match. The integrated product suite allows customers to automate detection, analysis, and response for high-priority external and internal threats. Anomali Lens allows anyone, from security operations staff to board members, to automatically and immediately know if their organizations are being attacked, who adversaries are, and if the attacks have been successful. Titus Accelerator for Privacy reduces … More

The post New infosec products of the week: October 4, 2019 appeared first on Help Net Security.

Enterprises leaving themselves vulnerable to cyberattacks by failing to prioritize PKI security

IoT is one of the fastest growing trends in technology today, yet enterprises are leaving themselves vulnerable to dangerous cyberattacks by failing to prioritize PKI security, according to new research from nCipher Security. The 2019 Global PKI and IoT Trends Study, conducted by research firm the Ponemon Institute and sponsored by nCipher Security, is based on feedback from more than 1,800 IT security practitioners in 14 countries/regions. The study found that IoT is the fastest-growing … More

The post Enterprises leaving themselves vulnerable to cyberattacks by failing to prioritize PKI security appeared first on Help Net Security.

Educational organizations massively vulnerable to cyber attacks

The education sector is facing a crisis as schools grapple with high levels of risk exposure – driven in large part by complex IT environments and digitally savvy student populations – that have made them a prime target for cybercriminals and ransomware attackers, according to Absolute. The summer months of 2019 saw the number of publicly-disclosed security incidents in K-12 school districts in the U.S. reach 160, exceeding the total number of incidents reported in 2018 … More

The post Educational organizations massively vulnerable to cyber attacks appeared first on Help Net Security.

Being compliant with laws and regulations is not a guarantee against data breaches

Compliance is not a guarantee against data breaches. These are the results of the Advisera survey carried out with 605 respondents, coming from countries on five continents, from various industries, mostly from smaller and medium-size companies, and acting predominantly in IT and security positions. Security and compliance are tightly related Nearly 85% of respondents consider security and compliance to be highly related and feel that they need to be implemented together. “This perception of respondents … More

The post Being compliant with laws and regulations is not a guarantee against data breaches appeared first on Help Net Security.

McAfee MVISION Insights helps orgs move to an action-oriented, proactive security posture

McAfee, the device-to-cloud cybersecurity company, announced McAfee MVISION Insights to help organizations move to an action-oriented, proactive security posture by pinpointing threats that matter, offering insights into the effectiveness of their defenses and providing the ability to respond quickly and accurately to these threats. Security teams will soon be able to utilize the data gathered by McAfee from more than one billion sensors worldwide correlated with their own threat data to provide the information needed … More

The post McAfee MVISION Insights helps orgs move to an action-oriented, proactive security posture appeared first on Help Net Security.

Cynamics offers network visibility and improved prediction of attacks for smart cities and govts

Cynamics, an Israeli- and US-based Network Performance Monitoring & Diagnostics (NPMD) company, has launched a new holistic approach to network security that grants smart cities and governments unprecedented network visibility and improved prediction of attacks, all at a fraction of the cost of prevailing solutions. Cynamics’ proprietary artificial intelligence-based algorithms comb through traffic patterns, looking for anomalies that signal an imminent attack. The SaaS solution requires no appliance, network modifications, or agent installation. A minimum viable … More

The post Cynamics offers network visibility and improved prediction of attacks for smart cities and govts appeared first on Help Net Security.

ADTRAN SD-WAN helps small businesses take advantage of cloud-based networking

ADTRAN, a leading provider of next-generation open networking and subscriber experience software, announced its new SD-WAN solution designed to help small-to-medium businesses and distributed enterprises take advantage of cloud-based networking while keeping existing voice and security solutions in place to make the transition easier, faster and more affordable. “The benefits of SD-WAN are now available to more than just the large enterprise. With this move toward mainstream within the distributed enterprise and the SMB market, … More

The post ADTRAN SD-WAN helps small businesses take advantage of cloud-based networking appeared first on Help Net Security.

McAfee’s Unified Cloud Edge vision enables orgs to secure people, devices and data in the cloud

McAfee, the device-to-cloud cybersecurity company, introduced Unified Cloud Edge, an industry first initiative, to address the security concerns of the cloud by converging the capabilities of its award-winning McAfee MVISION Cloud, McAfee Web Gateway, and McAfee Data Loss Prevention offerings—all to be available through the MVISION ePolicy Orchestrator (ePO) platform—to enable a borderless IT environment. This convergence enables security professionals to reduce risk and increase productivity for organizations as they move to secure cloud adoption. … More

The post McAfee’s Unified Cloud Edge vision enables orgs to secure people, devices and data in the cloud appeared first on Help Net Security.

PCI SSC unveils new assessor qualification program

The PCI Security Standards Council (PCI SSC) launched a new assessor qualification program to support the PCI Software Security Framework (SSF), a collection of standards and programs for the secure design, development, and maintenance of payment software. Through the SSF Assessor Program, PCI SSC qualifies companies and their employees to assess vendors’ software lifecycle management practices and payment software products to the PCI Secure Lifecycle (Secure SLC) and Secure Software Standards. “Software Security Framework Assessor … More

The post PCI SSC unveils new assessor qualification program appeared first on Help Net Security.

Code42’s Data Loss Protection solution now integrates with Box

Code42, the leader in data loss protection, announced its Code42 Next-Gen Data Loss Protection solution includes a new integration with Box, a leading cloud content management platform. Code42’s integration helps information security teams rapidly detect, investigate and respond to data loss, leak and theft through corporate Box environments, complementing Box’s native security functionality to further mitigate insider threats. The Box integration marks a key expansion to the growing list of cloud collaboration and content management … More

The post Code42’s Data Loss Protection solution now integrates with Box appeared first on Help Net Security.

OPAQ and CNA partnership provides policyholders holistic risk management

OPAQ, the network security cloud company, announced a partnership with CNA, one of the largest commercial property and casualty insurance companies in the United States, to offer a cloud-based cyber security solution that will enable CNA’s cyber insurance policyholders to easily deploy and enforce advanced security policy across wide-area networks (WANs). “As cyberattacks continue to escalate, companies are looking for effective and easy-to-manage cyber security solutions that have demonstrated security controls,” said Brian Robb, Underwriting … More

The post OPAQ and CNA partnership provides policyholders holistic risk management appeared first on Help Net Security.

Tech Data and Carbon Black add security solutions portfolio to cover the full cyberattack lifecycle

Tech Data announced that it has expanded its security solutions portfolio in the U.S. and Canada with Carbon Black, a leading provider of cloud-native endpoint protection. As a result, Tech Data customers have full access to Carbon Black’s complete product line, which includes next-generation antivirus (NGAV), and endpoint detection and response (EDR) capabilities, for both cloud and on-premises technology. “Growing trends in mobility and cloud have made the endpoint the new perimeter. New and emerging … More

The post Tech Data and Carbon Black add security solutions portfolio to cover the full cyberattack lifecycle appeared first on Help Net Security.

Keysight and PCTEST deliver OTA performance and certification testing of 5G devices

Keysight Technologies, a leading technology company that helps enterprises, service providers and governments accelerate innovation to connect and secure the world, announced that PCTEST has selected Keysight’s 5G network emulation solutions to address testing of critical regulatory requirements mandated by the Federal Communications Commission (FCC) for 5G mobile devices. Keysight’s end-to-end 5G test solutions enable PCTEST to characterize the performance of a 5G mmWave device in an over-the-air (OTA) test environment and certify the device … More

The post Keysight and PCTEST deliver OTA performance and certification testing of 5G devices appeared first on Help Net Security.

Databricks and Tableau Software enabling access to more complete and timely data for business insights

Databricks, the leader in Unified Data Analytics, announced a partnership with Tableau Software, the leading visual analytics platform, to enable data teams to run business intelligence on data lakes faster and more reliably. Data lakes are frequently the largest source of data within organizations, but user analytics directly on the data lake often suffers from poor quality data and performance challenges. The new Databricks Connector, just released in version Tableau 2019.3, is optimized for performance … More

The post Databricks and Tableau Software enabling access to more complete and timely data for business insights appeared first on Help Net Security.

ReliaQuest acquires Threatcare to increase protection for its enterprise customers

ReliaQuest, the leader in enterprise cybersecurity, announced that it has entered into an agreement to acquire Austin-based Threatcare, the leader in proactive cyber defense. The acquisition will increase protection for ReliaQuest’s enterprise customers by providing integrated threat simulations that validate controls, content, and accompanying workflows instantly, enabling proactive improvement of security programs. The addition of Threatcare’s technology to ReliaQuest’s GreyMatter platform will also enable CISOs to improve visibility over their cybersecurity tech stacks and increase … More

The post ReliaQuest acquires Threatcare to increase protection for its enterprise customers appeared first on Help Net Security.

Avaya announces strategic partnership with RingCentral

Avaya Holdings Corp. kicked off the month of October with some major news.

While it didn’t get acquired like many were anticipating, the unified communications and contact center solutions provider today announced a strategic partnership with RingCentral.

Through this exclusive partnership, Avaya, which also provides desktop equipment and services, announced the introduction of Avaya Cloud Office by RingCentral, a new global unified communications as a service (UCaaS) solution that’s set to launch in 2020.

Avaya chief executive officer Jim Chirico said the partnership will deliver a dramatic boost to the company’s ongoing shift to the cloud, which is good news for both customers and partners. According to Avaya’s second quarter fiscal 2019 financial results, the company’s public cloud seats increased more than 165 per cent year-over-year.

“This also gives us the opportunity to unlock value from a largely unmonetized base of our business as it brings compelling value to our customers and partners,” said Chirico in a press release.

Vlad Shmunis, founder, chairman and CEO of RingCentral, said the pairing will lead to a differentiated solution that will lean on Avaya’s installed base of more than 100 million users and 4,700 partners.

RingCentral is contributing $500 million to its partnership with Avaya, including a $125 million investment of 3 per cent redeemable preferred equity that is convertible at $16 per share. RingCentral will also pay Avaya an advance of $375 million, primarily in stock, for future payments and certain licensing rights.

The transaction, still subject to customary closing conditions and regulatory approvals, is expected to close in the fourth quarter of this year.

The news comes after several months of speculation around the future of Avaya, which began in May when Avaya announced it had “engaged J.P. Morgan to evaluate strategic alternatives to maximize shareholder value.”

Avaya has nearly 4 million subscribers on its platform and is furthering its growth into UCaaS, as evidenced by the company’s growing as-a-service model. An Avaya acquisition appeared imminent.

Chirico today appeared to suggest the door isn’t closed on that opportunity.

“The strategic actions that we are executing as a result of our comprehensive review create new growth opportunities, return capital to our shareholders and de-lever our balance sheet. With a clear path forward, we will further invest in technology and innovation to continue bringing state-of-the-art solutions to our valued customers and partners.”

Avaya exited bankruptcy protection in December 2017 and began trading publicly almost a year after being placed in Chapter 11 by its private equity owners TPG and Silver Lake.

NS1 raises $33M to accelerate penetration into edge computing, service delivery, and IoT

NS1, a leader in next generation DNS and application traffic management solutions, announced it has raised a $33 million Series C venture round. The round was led by Dell Technologies Capital, with participation from Cisco Investments and existing investors Deutsche Telekom Capital Partners, Entrée Capital, Flybridge Capital Partners, GGV Capital, Mango Capital, Salesforce Ventures, Sigma Prime Ventures, Telstra Ventures, and Two Sigma Ventures. NS1 solutions provide application delivery and traffic control that is critical for … More

The post NS1 raises $33M to accelerate penetration into edge computing, service delivery, and IoT appeared first on Help Net Security.

6 cyber-espionage campaigns since 2013 attributed to PKPLUG China-linked group

Security experts have linked a number of cyber-espionage campaigns observed over the years to the same Chinese threat actor, tracked as PKPLUG. The name comes from the actor’s habit of delivering PlugX inside ZIP archives, whose header begins with the ASCII magic bytes “PK”.

“For three years, Unit 42 has tracked a set of cyber espionage attack campaigns across Asia, which used a mix of publicly available and custom malware. Unit 42 created the moniker “PKPLUG” for the threat actor group, or groups, behind these and other documented attacks referenced later in this report.” reads the report published by Palo Alto Networks. “We say group or groups as our current visibility doesn’t allow us to determine with high confidence if this is the work of one group, or more than one group which uses the same tools and has the same tasking.”

The attackers targeted entities in Southeast Asia; most of the victims were in Myanmar, Taiwan, Vietnam, and Indonesia. Experts believe PKPLUG also targeted other parts of Asia, including Tibet, Xinjiang, and Mongolia.

The China-linked APT group has been active for at least six years and has used both custom-made and publicly available malware.

Researchers at Palo Alto Networks’ Unit 42 reported that some of the tools used in the campaigns were also involved in attacks carried out by other threat actors.

The experts observed the threat actor mainly delivered the PlugX backdoor, but the attackers also used the HenBox Android malware, the Farseer backdoor for Windows, the 9002 and Zupdax trojans, and Poison Ivy RAT.

The timeline of the PKPLUG attacks over the years is as follows:

The first campaign associated with PKPLUG was observed in November 2013, when the group targeted Mongolian individuals with the PlugX RAT. In April 2016, researchers from Arbor Networks uncovered a campaign aimed at delivering Poison Ivy to targets in Myanmar and other countries in Asia. A month later, Unit 42 researchers spotted another campaign that targeted entities from Myanmar, the Uyghur minority, Tibet, Vietnam, Indonesia, and Taiwan with the 9002 Trojan.

In March 2017, the Hong Kong-based cybersecurity company VKRL spotted a campaign targeting entities in Mongolia. One year later, in March 2018, Unit 42 experts spotted a campaign involving a new Android malware family named “HenBox,” which primarily targeted the Uyghur minority.

In early 2019, Unit 42 researchers discovered a previously unknown Windows backdoor Trojan called Farseer that the threat actors used in attacks against targets in Myanmar. The experts noticed overlaps between the infrastructure and the malware used in the different campaigns.

“Overlaps between the different campaigns documented, and the malware families used in them, exist both in infrastructure (domain names and IP addresses being reused, sometimes in multiple cases) and in terms of malicious traits (program runtime behaviors or static code characteristics are also where relationships can be found or strengthened).” continues the analysis.

In at least four of the six campaigns, the threat actors used a shared set of IP addresses as command and control (C2) infrastructure.

Researchers also discovered that attackers used the same registrant for various domain names hosted at those addresses.
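As an added illustration of the infrastructure-overlap reasoning described above (this is not Unit 42’s tooling and is not part of the original article), the following script links campaigns that share C2 addresses, domains or registrant records and groups them transitively with a union-find. The campaigns and indicators are constructed placeholders (RFC 5737 documentation addresses, .example names), not real PKPLUG IOCs; the `min_shared` knob shows how demanding more than one shared indicator before linking two campaigns changes the clustering.

```python
from collections import defaultdict
from itertools import combinations
from typing import Dict, List, Set, Tuple

Indicator = str   # "ip:..." (C2 address), "domain:...", "reg:..." (domain registrant)

# Constructed example data: six hypothetical campaigns with placeholder
# indicators. These are NOT real PKPLUG indicators of compromise.
CAMPAIGNS: Dict[str, Set[Indicator]] = {
    "campaign-1": {"ip:192.0.2.10", "domain:news-b.example", "reg:r1@mail.example"},
    "campaign-2": {"ip:192.0.2.10", "domain:news-b.example"},
    "campaign-3": {"ip:192.0.2.11", "domain:news-b.example", "reg:r1@mail.example"},
    "campaign-4": {"ip:198.51.100.5", "reg:r2@mail.example"},
    "campaign-5": {"ip:192.0.2.11", "domain:cdn-c.example"},
    "campaign-6": {"ip:203.0.113.9", "domain:cdn-c.example"},
}


def overlaps(campaigns: Dict[str, Set[Indicator]]) -> Dict[Tuple[str, str], Set[Indicator]]:
    """Indicators shared by each pair of campaigns; pairs with nothing in common are omitted."""
    shared: Dict[Tuple[str, str], Set[Indicator]] = {}
    for a, b in combinations(sorted(campaigns), 2):
        common = campaigns[a] & campaigns[b]
        if common:
            shared[(a, b)] = common
    return shared


def campaigns_sharing(campaigns: Dict[str, Set[Indicator]], indicator: Indicator) -> List[str]:
    """Every campaign in which a given indicator appears (an inverted-index lookup)."""
    return sorted(c for c, inds in campaigns.items() if indicator in inds)


def clusters(campaigns: Dict[str, Set[Indicator]], min_shared: int = 1) -> List[Set[str]]:
    """Group campaigns transitively: A ~ B if they share at least min_shared indicators.

    Union-find over campaign names. Raising min_shared demands stronger
    evidence before two campaigns are attributed to the same actor.
    """
    parent = {c: c for c in campaigns}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    for (a, b), common in overlaps(campaigns).items():
        if len(common) >= min_shared:
            parent[find(a)] = find(b)

    groups: Dict[str, Set[str]] = defaultdict(set)
    for c in campaigns:
        groups[find(c)].add(c)
    return sorted(groups.values(), key=lambda g: min(g))


if __name__ == "__main__":
    for (a, b), common in overlaps(CAMPAIGNS).items():
        print(f"{a} <-> {b}: {sorted(common)}")
    for n in (1, 2):
        print(f"clusters (min_shared={n}):", [sorted(g) for g in clusters(CAMPAIGNS, n)])
```

With a single shared indicator, five of the six constructed campaigns collapse into one cluster through a chain of pairwise overlaps; requiring two shared indicators leaves only the three campaigns that reuse both a C2 address or domain and the same registrant. That is the same kind of evidence grading Unit 42 describes when it says its visibility does not yet allow it to decide whether PKPLUG is one group or several sharing tooling.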

“Based on what we know and what we’ve gleaned from others’ publications, and through industry sharing, PKPLUG is a threat group, or groups, operating for at least the last six years using several malware families — some more well-known: Poison Ivy, PlugX, and Zupdax; some are less well-known: 9002, HenBox, and Farseer.” concludes the analysis. “Unit 42 has been tracking the adversary for three years and based on public reporting believes with high confidence that it has origins to Chinese nation-state adversaries.”

Pierluigi Paganini

(SecurityAffairs – PKPLUG, China)

The post 6 cyber-espionage campaigns since 2013 attributed to PKPLUG China-linked group appeared first on Security Affairs.

Keeping Up with the Bots: How the Rise of RPA Impacts IGA


Robotic Process Automation (RPA) is a type of automation technology currently transforming the way businesses operate. RPA software robots manipulate and communicate with business systems and applications to streamline processes and reduce the burden on employees. RPA can automate tasks ranging from claims processing and call center support to data management, IT services, and invoice processing, and everything in between. Opportunities for automation exist virtually everywhere throughout the business, enabling greater organizational performance and efficiency.

The growth of robotic process automation is unprecedented. In fact, a recent Forrester study, highlighted in Forbes, predicted that the “RPA market will reach $1.7 billion in 2019 and $2.9 billion by 2021,” and “more than 40 percent of enterprises will create state-of-the-art digital workers by combining AI (artificial intelligence) with Robotic Process Automation.” This incredible growth suggests a tremendous shift in overall business strategy toward automating specific processes and reducing reliance on human workers for repetitive tasks that can be performed more efficiently and accurately by software bots.

A report by Deloitte also suggests that “as many as 50 percent of the activities performed by a given employee are mundane, administrative, manual-labor intensive tasks,” indicating that “RPA will replace 16 percent of jobs by 2025.” Yet the same study indicates that only 17 percent of leaders and workforces are “ready to handle a workforce consisting of people, robots, and AI working side by side.” Clearly, RPA is changing the nature of business today. As organizations advance further into automation, they will need to change how they manage bot identities and put in place the right identity governance policies to control those bots’ access levels. So what is the real impact of RPA on Identity Governance and Administration (IGA), and how can organizations effectively respond to the rise of bots within their business?

Why IGA and RPA Go Hand-in-Hand

The relationship between IGA and RPA should be both mutually dependent and mutually beneficial. According to the IGA, RPA, and Managing Software Robot Identities report from Gartner, ”robotic process automation will have a profound impact on IGA. RPA introduces robotic software whose identities and access must be managed and controlled.” Further, “technical professionals must prepare to extend IGA architecture to address these requirements, while assessing RPA for automating IGA tasks.” This means that organizational IGA policies and programs must be extended to intelligently manage the identities of bots, and concurrently, RPA can aid in automating manual IGA tasks. For the remainder of this piece, we will explore the role of identity governance in managing bots within organizations today and save the discussion of robotic process automation to enhance efficiencies for IGA in a follow-up blog.  

Bots Have Identities Too

Just like the human users within an organization, non-human users, often known as service accounts or software robots, are an increasing target for attack. External threat actors have become more sophisticated in their malicious activities that target users inside the organization—whether human or robot. According to the 2019 Insider Threat Report from Cybersecurity Insiders, 70 percent of cybersecurity professionals surveyed believe that the frequency of insider attacks has increased in the last year alone. And an incredible 62 percent of organizations have experienced at least one insider attack in the past 12 months. With the increasing number of tasks that bots are now performing within organizations today, and the significant access they have to company systems, applications, and data, how can the business effectively manage their levels of access and ensure the organization is protected?

The answer is by including service accounts under the identity governance umbrella, and managing them in a similar, yet distinct way from how human users are managed. Specifically, treating service accounts as contingent workers within the organization, separate from human users, is a best practice approach for giving bots identities and managing them intelligently. Although bots act in the same way as humans, taking on the mundane, repetitive tasks of human users, categorizing them as contingent workers will clearly define the systems and applications they should and should not access. Ultimately, by extending the definition of users to incorporate bots as part of the contingent workforce, organizations can increase visibility across all their environments and more effectively protect their organization as the digital workforce continues to expand.

The User Lifecycle for Service Accounts in Robotic Process Automation

Treating bots as part of the contingent workforce begins when the service account is initiated or ‘onboarded.’ This is where the software robot receives initial account access to appropriate systems and applications. Over time, the robot may need new or different access to complete its task, so an effective IGA program must be able to manage this change. Finally, if the bot is no longer needed, accounts should be immediately disabled to avoid orphaned accounts that are prone to attack. According to Gartner, “software robot identity lifecycle management processes can be modeled to contingent workers when organizations keep software robot identities distinctly separate from people. Just as with humans, each software robot can have a supervisor or sponsor—the person who is responsible for overseeing the operation of the software robot.” By treating service accounts and software robots in a similar manner as contingent workers, organizations can more effectively manage the levels of access they have across the non-human user lifecycle, and easily onboard and offboard software robots securely and efficiently.

Embrace the Rise of Bots in Your Organization Intelligently

As companies continue to increase reliance upon robotic process automation, and depend on service accounts to increase efficiency and drive organizational performance, they must also recognize the responsibility they have in managing these bots as actual users. Identity governance for RPA will continue to play a prominent role, and it is up to organizations to leverage leading-edge IGA solutions for improving organizational security throughout the software robot user lifecycle. Make sure your organization is ready for the rise of RPA and has the proper identity governance programs in place to keep your people and your robots protected.



This Common Mistake You May Be Making Right Now Exposed an Entire Nation to Identity Theft

A routine data project revealed that the personally identifying information of the entire nation of Ecuador might be online for all to see–just like, potentially, your data.

The information included records belonging to deceased citizens and more than 7 million minors. It was discovered by researchers from the security firm vpnMentor while conducting “a wide-scale Web mapping project.”

According to vpnMentor’s report, the ongoing project made the discovery possible by scanning ports “to find known IP blocks.” It then searches for “vulnerabilities in the system that would indicate an open database.” When a compromise is discovered, the company then traces the data back to its source and delivers the bad news.

While the full extent of the damage done here is not clear, it sure sounds like a potentially Titanic-meets-iceberg level event.

What We (and the Bad Guys May) Know

The extremely granular personal information of more than 20 million people was exposed. Ecuador’s population is 16.5 million, which means nearly 4 million of the individuals affected may be deceased.

The data included personal and corporate tax ID numbers and bank account information–including current balance in the account, amounts financed, credit types, and the location of a bank branch used by an individual. The same information about family members was also available, as well as how people in the data set were related to each other.

All the essential information needed for account authentication and/or takeover were there, too. A short list of the available data included full name (first, middle, last); gender; date and place of birth; home and work addresses; email addresses; home, work, and cell phone numbers; marital status; date of marriage (where applicable); date of death (where applicable); and the highest level of education achieved.

Even WikiLeaks founder Julian Assange, Ecuador’s most famous asylum seeker, was in there.

Describing itself as an organization of ethical hackers, vpnMentor said in its statement about the discovery that it never sells, stores, or exposes compromised information, but rather uses the existence of a compromise or leak as a teachable moment.

Teachable Moments Are Expensive

Sponsored by IBM Security and independently conducted by the Ponemon Institute, the 13th-annual Cost of Data Breach Study found that the average per-record cost of a breach was $148 last year. That would put the cost of this compromise at nearly $3 billion.

So, what can we learn from this data debacle? The compromise was caused by–wait for it–a third-party vendor. According to CNN, the breach was found on an unsecured server in Miami, which appeared to be owned by an Ecuadorian consulting and analytics company called Novaestrat. While it remains unclear how Novaestrat gained access to the government database, it is presumed that someone currently, or formerly, in the Ecuadorian government handed over the data–no matter the reason–and in the process potentially exposed it to criminals around the world.

The first takeaway should be that you are only as secure as your least secure vendor and/or collaborator. In the realm of cyber-liability, that and three bucks will get you a cup of coffee to sip while you wait for the submarine to the unemployment line at the bottom of Loon Lake.

This sort of mistake keeps happening because people continue to doubt the persistent and pervasive threats we face in the business community and beyond.

It matters because the information exposed in this incident was sufficient for a competent identity thief to commit every imaginable identity-related crime. There’s gold and endless liability in them thar hills of data.

What You Can Do

Practice the 3Ms.

Minimize your exposure: Vet your vendors! Foster a culture where everyone from the mailroom to the boardroom is invested in privacy and data security. Train your employees from their first day and have an ongoing discussion about best security practices. Create a map of information access, and make sure your most sensitive data is only available to those who need to have access and practice proper cybersecurity protocols to keep the data safe. Have a sensible BYOD (Bring Your Own Device) policy, and remind employees about the importance of installing updates on connected devices. Hire a chief information security officer–never leave your security solely to the IT department.

Monitor your networks and your assets: Make sure regular assessments are conducted on the security of all your data assets–and don’t wait for a call from a “white hat” hacker.

Manage the damage: How an organization responds to a breach or compromise is a defining moment. It is crucial that you act urgently, transparently, and empathetically. In order to avoid an extinction-level event, have a robust incident response plan. Have a media plan, and consider putting a crisis management firm on retainer. Game various scenarios and have a team in place to help your clients, as well as both in-house and third-party experts who understand the timing and notification requirements in each state for various regulators, law enforcement officials, insurance companies, employees, and customers. Can your company really afford to roll the dice on cybersecurity?

The post This Common Mistake You May Be Making Right Now Exposed an Entire Nation to Identity Theft appeared first on Adam Levin.

Toronto hospital recovering from ransomware attack

A Toronto hospital is recovering after being hit last week by a variant of Ryuk ransomware. However, so far it seems the malware was only trying to exfiltrate data instead of demanding money.

Michael Garron Hospital chief executive officer Sarah Downey told CBC News that the hospital’s firewall stopped data from leaving the institution.

UPDATE: On Friday, communications director Shelley Darling said IT experts confirmed the malware was Ryuk by examining it. The malware left an email contact for communicating with the attackers, she added, but the hospital is not contacting anyone about paying a ransom.

The hospital has over 100 servers, and they are still being evaluated for infection, she said. After the attack was discovered, two elective surgeries and out-patient clinics had to be rescheduled and staff had to resort to paper documentation. As of Friday morning all email had been restored. However, some remote VPN access is still off. Certain portals that communicate with other health care data repositories are slowly being restored. In addition, what Darling called “minor administrative systems”, such as a volunteer database, and “systems that talk to each other” are still offline.

“It’s probably going to take us a few weeks to have confidence to say all of our systems are back online,” she said.

The hospital hasn’t estimated yet how much the attack will cost. Some of those costs may be recovered through insurance, Darling said.

The attack started in the early hours of Sept. 25, when what the hospital calls a virus was discovered on one of its IT systems. Several systems were then shut down to prevent the malware, later identified as a Ryuk variant, from spreading.

Patient privacy has not been compromised, the hospital said. However, it is still in what the institution calls a Code Grey, which means IT systems have been impaired.

Darling said the suspicion so far is the attack started with an employee clicking on an infected email or going to an infected website. “In the last several days we’ve been re-educating our staff on cyber security email do’s and don’ts,” she added. There has been regular privacy training, but now “we are looking at putting more formal education in place.”

“While we hope these types of situations never take place, our expert hospital teams prepare for all issues and we have extensive processes in place to respond quickly when experiencing disruptions in clinical services,” Downey said in a statement after the attack was discovered. “We want to reassure our community that all current patients at MGH continue to receive safe, high-quality care from our health care teams.

“Our priority is to restore full computer functionality as quickly as possible and we apologize to the small number of patients whose care has been re-scheduled. I am so grateful to our staff, physicians, leaders and volunteers who have worked exceptionally hard and put in extra hours during this time to ensure safe, quality care to our community.”

Michael Garron Hospital until recently was called Toronto East General Hospital, and is one of the largest in the city. The emergency department alone sees about 80,000 patients a year.

According to a blog earlier this year from security vendor CrowdStrike, Ryuk ransomware began appearing in August 2018. Controlled by a group it dubs Grim Spider, Ryuk has been targeting large enterprises.  CrowdStrike says Ryuk was derived from the Hermes commodity ransomware, which can be bought on dark forums. However, researchers believe Ryuk is only used by the Grim Spider group.

CrowdStrike believes that the initial compromise often comes after a victim clicks on a link or a document in an email that downloads the TrickBot or Emotet trojans. Note, too, that in June the U.K. National Cyber Security Centre published an advisory pointing out that victims often don’t spot Ryuk until some time after the initial infection, ranging from days to months.

That allows the threat actor time to carry out reconnaissance inside an infected network, identifying and targeting critical network systems. But, the advisory notes, it may also offer the potential to mitigate against a ransomware attack before it occurs, if the initial infection is detected and remedied.

In the first four months after Ryuk’s appearance the threat actors operating it netted over 705 Bitcoins across 52 transactions, worth US$3,701,893.98 at the time of CrowdStrike’s report. Payouts have been going up ever since: according to one news report, in June alone Florida municipalities hit by Ryuk paid out more than US$1.1 million.

Microsoft Canada bags 2019 Jim Flaherty Award for Leadership, Inclusion and Accessibility

The Abilities Centre has honoured Microsoft Canada with the 2019 Jim Flaherty Award for Leadership, Inclusion and Accessibility. The award was presented in recognition to the inclusion strategy of the company. The Office 365 applications by Microsoft, for example, offer various built-in capabilities aimed at making content creation easier for everyone and ensuring that the…

Your password doesn’t matter—but MFA does!

Your pa$$word doesn’t matter—Multi-Factor Authentication (MFA) is the best step you can take to protect your accounts. Using anything beyond passwords significantly increases the costs for attackers, which is why the rate of compromise of accounts using any MFA is less than 0.1 percent of the general population.

All authenticators are vulnerable

There is a broad range of mechanisms to break authenticators. That doesn’t make all authenticators equally vulnerable. Costs vary massively by attack type, and attacks that preserve anonymity and don’t require proximity to the target are much easier to achieve. Channel-Jacking and Real-Time Phishing are the most dominant ways we see non-password authenticators compromised.

Channel independent, verifier impersonation-resistant authenticator types—such as smartcards, Windows Hello, and FIDO—are incredibly hard to crack. Given that only about 10 percent of accounts use any form of strong authentication, doing any form of MFA takes you out of reach of most attacks. Turn on MFA now and start building a long-term authenticator strategy that relies on “phish proof” authenticators, such as Windows Hello and FIDO.
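What makes FIDO “verifier impersonation-resistant” is mechanical, not magical: the browser, not the web page, writes the page’s origin into clientDataJSON and the relying party’s ID hash into authenticatorData, and the authenticator signs over both. A real-time phishing proxy can relay a fresh challenge to the victim, but the assertion it gets back is bound to the phishing origin and the real site rejects it. The following is an added illustration of that check, not Microsoft’s code: the authenticator signature is modelled with an HMAC over exactly the bytes a FIDO2 authenticator signs (authenticatorData || SHA-256(clientDataJSON)), whereas a real relying party verifies an asymmetric signature with the credential’s public key. The Browser, Authenticator and RelyingParty classes, the hostnames and the OTP value are assumptions made for the example.

```python
"""Why a relayed FIDO assertion fails where a relayed OTP succeeds (added example)."""
import hashlib
import hmac
import json
import os


def rp_id_hash(rp_id):
    return hashlib.sha256(rp_id.encode()).digest()


class Authenticator:
    """One credential; it signs whatever the browser hands it (HMAC stands in for ECDSA)."""

    def __init__(self):
        self._key = os.urandom(32)      # stand-in for the private key
        self.verifying_key = self._key  # a real RP would hold the public key

    def sign(self, authenticator_data, client_data_hash):
        return hmac.new(self._key, authenticator_data + client_data_hash, hashlib.sha256).digest()


class Browser:
    """The browser writes origin and rpIdHash itself; page JavaScript cannot override them."""

    def __init__(self, origin, authenticator):
        self.origin, self.authenticator = origin, authenticator

    def get_assertion(self, rp_id, challenge):
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                                  "origin": self.origin}, sort_keys=True).encode()
        auth_data = rp_id_hash(rp_id) + b"\x01" + (1).to_bytes(4, "big")  # flags=UP, counter=1
        sig = self.authenticator.sign(auth_data, hashlib.sha256(client_data).digest())
        return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}


class RelyingParty:
    def __init__(self, rp_id, origin, verifying_key):
        self.rp_id, self.origin, self.verifying_key = rp_id, origin, verifying_key
        self.pending = set()  # challenges issued but not yet consumed

    def new_challenge(self):
        c = os.urandom(32)
        self.pending.add(c)
        return c

    def verify(self, assertion):
        """Return (accepted, reason); the checks follow the WebAuthn assertion procedure."""
        cd = json.loads(assertion["clientDataJSON"])
        if cd.get("type") != "webauthn.get":
            return False, "wrong ceremony type"
        challenge = bytes.fromhex(cd.get("challenge", ""))
        if challenge not in self.pending:
            return False, "unknown or replayed challenge"
        if cd.get("origin") != self.origin:
            return False, "origin mismatch: " + str(cd.get("origin"))
        ad = assertion["authenticatorData"]
        if ad[:32] != rp_id_hash(self.rp_id):
            return False, "rpIdHash mismatch"
        if not ad[32] & 0x01:
            return False, "user presence flag not set"
        expected = hmac.new(self.verifying_key,
                            ad + hashlib.sha256(assertion["clientDataJSON"]).digest(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return False, "bad signature"
        self.pending.discard(challenge)  # one challenge, one login: no replay
        return True, "ok"


def legitimate_login():
    authn = Authenticator()
    rp = RelyingParty("example.com", "https://login.example.com", authn.verifying_key)
    return rp.verify(Browser("https://login.example.com", authn)
                     .get_assertion("example.com", rp.new_challenge()))


def real_time_phished_fido():
    """The proxy at login.example-com.evil fetches a fresh challenge from the real RP
    and relays it; the victim's browser signs it, but on the phishing origin."""
    authn = Authenticator()
    rp = RelyingParty("example.com", "https://login.example.com", authn.verifying_key)
    victim = Browser("https://login.example-com.evil", authn)
    relayed = rp.new_challenge()
    # A real browser also refuses rpId "example.com" from this origin, so the
    # attacker can only obtain an assertion scoped to its own domain.
    return rp.verify(victim.get_assertion("example-com.evil", relayed))


def real_time_phished_otp(code="482913"):
    """Contrast: a six-digit OTP carries no origin, so the same proxy simply
    forwards what the victim typed into the fake page and wins."""
    expected_on_real_site = code  # constructed: the code the real site expects
    forwarded_by_proxy = code     # what the victim typed into the phishing page
    return forwarded_by_proxy == expected_on_real_site
```

The order of checks matters in practice: the phished assertion is rejected on the origin check before the signature is even examined, and the consumed-challenge set stops a captured assertion from being replayed. SMS and app-generated codes have neither property, which is the gap the post’s “phish proof” distinction is pointing at.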

To learn more, read All your creds are belong to us!

The post Your password doesn’t matter—but MFA does! appeared first on Microsoft Security.

UK Youngsters seeking to Win the European Cyber Security Challenge

This October, ten of the UK’s sharpest young cybersecurity minds will head to Bucharest in Romania to compete against teams from 20 countries across Europe in this year’s European Cyber Security Challenge (ECSC). Managed by Cyber Security Challenge UK and led by Team Captain Sophia McCall, the team has spent the summer training with NCC Group and honing their skills using Immersive Labs. Now, they’re ready to bring home gold.

Sophia McCall, UK Team Captain

Established in 2009, 'Cyber Security Challenge UK' is a non-profit organisation backed by some of the UK’s leading public, private and academic bodies with a longstanding mission to encourage more cybersecurity talent into the pipeline. 

Cyber Security Challenge UK selects, nurtures and mentors young talent to build the UK team, and strives to include individuals with diverse backgrounds and experiences. The team, from across the UK, has a strong mix of different cyber skills and brings a broad range of experiences to the competition. 
Cyber Security Challenge UK - helping to encourage new talent

In a sector facing an acute shortage of fresh talent, competitions like the ECSC are crucial as they allow competitors to meet industry leaders, network with peers from across the continent and get a taste for working in cybersecurity. By taking part, the team set themselves apart as outstanding individuals, equipped with the skills they need to pursue a career in the industry.

Run by ENISA, the European agency responsible for cybersecurity for the European Union, the ECSC is a three-day competition that challenges competitors to complete a series of security-related tasks from domains such as web and mobile security, reverse engineering and forensics. This year, the competition will be held in Bucharest, Romania from 9th to 11th October 2019.

Team Captain Sophia McCall: “I have the Cyber Security Challenge and my lecturers in college to thank for the fact I’m pursuing a cybersecurity degree. I had no exposure to cybersecurity when I was younger, so without them I may never have ended up in the industry. It’s now my passion to get other young girls and people from all backgrounds involved, and competitions like the ECSC are an incredible way to explore opportunities in the industry and find out if it’s the right career for you.”

Dr Robert Nowill, Chairman, Cyber Security Challenge UK: “Our mission is to be as inclusive as we can in order to increase the number of people entering the cybersecurity industry, and competitions like the ECSC are an integral part of our efforts to broaden the reach of cyber. We have always looked to encourage participation by those who may not otherwise have considered career pathways into cyber, and this year’s team represents an incredible mix of ages, genders and backgrounds. We’re already extremely proud of the team! They’ve been training hard all summer, and we can’t wait to see how they fare in Bucharest.”

Colin Gillingham, Director of Professional Services at NCC Group: “Our long-standing training partnership with the Cyber Security Challenge is part of our mission to increase diversity in cybersecurity. Our aim is to make society safer and more secure, but this will only be achieved when the industry is as diverse and representative as the society that we are working to protect. This year’s Team Captain, Sophia McCall, has just completed a placement year at NCC Group, and we’re delighted to have supported her as she blazes a trail for the female cyber professionals of the future.”

James Hadley, Founder and CEO at Immersive Labs, said: “We believe strongly that challenge-based training exercises are by far the best way for cybersecurity experts to keep themselves ahead of the latest threats. We’re delighted to be supporting the UK team with access to our on-demand and gamified cyber skills content. Their points haul from our CTFs and Malware Analysis labs has been particularly impressive. We wish the team every success not just as they head to Bucharest but in their bright futures as professional cyber defenders.”

FDA Issues Cybersecurity Warning for Medical Devices

The US Food and Drug Administration (FDA) issued a warning on Tuesday over vulnerabilities detected in decades-old software being used by many medical devices and hospital networks. 

The 11 vulnerabilities exist in IPnet, a third-party software component that supports network communications between computers. If exploited, the vulnerabilities could allow hackers to remotely control a medical device, change its function, obstruct service, or trigger information leaks that could stop it from working.

Makers of the original IPnet software, Interpeak, no longer support it, but some manufacturers have a license to use it without support, meaning it could be incorporated into other software applications, equipment, and systems still in use in medical devices. 

IoT security company Armis discovered the vulnerabilities in the IPnet stack, collectively known as URGENT/11, back in July 2019. As a result, more than 30 vendors have issued security advisories. 

When the vulnerabilities were discovered, it was thought that they only affected some versions of the popular real-time operating system Wind River VxWorks. However, the true impact of the cybersecurity risk is much greater because the IPnet software was licensed and used in multiple operating systems employed by the healthcare industry. 

According to the FDA, some versions of operating systems Integrity by Green Hills, ThreadX by Microsoft, Operating System Embedded by ENEA, ITRON by TRON Forum, and ZebOS by IP Infusion may contain the vulnerable software component. 

Medical devices affected so far include an imaging system, an infusion pump, and an anesthesia machine. The FDA said in its warning that it "expects that additional medical devices will be identified that contain one or more of the vulnerabilities associated with the original IPnet software." 

The IPnet vulnerabilities are not newly introduced flaws: they have existed in the code since it was written, and went unnoticed until Armis found them this year. That is what makes the exposure so broad, since every product that ever licensed the stack, supported or not, inherited them.

The Cybersecurity and Infrastructure Security Agency issued a warning regarding cybersecurity vulnerabilities in Wind River VxWorks on July 30.

The news follows the release of a 45-page guidance document, Principles and Practices for Medical Device Cybersecurity, this week by the International Medical Device Regulators Forum (IMDRF).

The document, which was put together by the FDA and Health Canada, says regarding third-party components: "These components can create risk of their own, which is managed by the manufacturer through risk management, quality management, and design choice. Manufacturers should manage the cybersecurity implications of the components—software and hardware—that are part of their devices. 

"Similarly, post-market issues with a third-party component may also affect the security of the medical device, and manufacturers need to manage this risk. Users expect the manufacturer to understand how a security vulnerability in an underlying component such as an operating system or processor affects the medical device. Regulators will require it."

Threat Hunting: How to Gain the Most Value

Sean Mason, Director of Cisco Incident Response Services and
Jeff Bollinger, Investigations Manager, Cisco Security Incident Response Team (CSIRT)

As security practitioners who continuously look for adversarial malice, one of the questions we are asked frequently is: What’s around the corner? Threat actors evolve over time, so how do we know not only what they’re doing now, but also what’s next? And if things are quiet and we’re not observing any incidents, does that mean that everything is under control? Or are adversaries simply retooling?

To help answer these tough questions, we have threat hunting. The objective of this ongoing exercise is to find and eliminate adversaries that have penetrated defenses and are yet to be detected. Essentially, it’s a shift in mentality. Instead of waiting to respond to an incident after it has triggered an alarm, we’re turning over some rocks to find things we don’t know yet.

As explained in Cisco’s recent report, “Hunting for Hidden Threats,” threat hunting is one more tool in the incident responder’s arsenal. It’s not a silver bullet. But — based on our own 30 years of combined experience mitigating threats, not to mention the whole of Cisco’s experience — we believe it’s an essential component of making security foundational.

How valuable to you is the ability to keep your organization’s data from being stolen or locked, or to keep your organization’s name out of the headlines for a breach? If you can stop even one attack successfully, then all the time and money you’ve invested into threat hunting is worth its weight in gold.

Benefits of threat hunting

Although the ultimate objective is to get ahead of adversaries by finding and expelling them before they cause damage, threat hunting has many other benefits, some of which are:

Improving security operations: While threat hunting itself can sometimes be arduous, you can use it to improve efficiencies in other areas. Once you develop techniques and ways of discovering malicious activity, commoditize and operationalize that by creating playbooks as well as automating some of your day-to-day incident response. At Cisco, for example, our incident response team has more than 400 unique playbooks, many of them informed by our threat hunting activities. We use these plays regularly to look for suspicious activity and to free up analysts’ time.

Understanding your environment: Let’s say you’re a new CISO who needs to get a better picture of what’s going on in your network. A threat hunt, or a compromise assessment, is a good way to understand what you’ve inherited and have signed up to defend. The end result is concrete evidence that you can take to your leadership and ensure you have adequate resources to secure the organization. The hunt can prove that the threats are not just theoretical and are actually lurking inside your ecosystem.

Hardening the environment: From a day-to-day perspective, identifying gaps in security gives you the opportunity to remediate and fix larger problems. As you’re doing hunts, you’ll inevitably discover weaknesses that threat actors can exploit. Apply the knowledge you’ve gained through threat hunting to proactively improve tooling and strengthen the overall security posture.

What it takes to be successful

There are many components to a successful threat hunting program, but the ones that we can’t stress enough include access to the data, a diverse team, and the right mindset.

The importance of high-quality data is obvious, but you may be surprised how big a challenge access can be. We commonly find a lack of necessary data during threat hunts for our customers — and even in our own environment.

Instead of treating a data-access problem like a dead end, think outside the box. Can you look at things differently? Can you use a different set of network logs? And just as important, turn this into an opportunity to improve the outcome next time and go the extra mile to collaborate with those teams that can give you better data.

Which brings us to the people component. There are two aspects to it. One is the importance of building relationships across teams, especially those impacted by your security activities, such as the network admins and developers. The other side is the people on the hunting team. Success requires diversity of thought. Include individuals who can think creatively and look at the world a little differently, rather than only thinking in ones and zeroes. We find threat hunters from a variety of backgrounds — even nontechnical.

This also helps you hunt with the right mindset. It’s hard to be objective when you’re living and breathing your security environment day in and day out, especially if you’ve architected it. Taking a step back and asking what you may be missing is not easy. A diverse team that both designs and executes the hunt gives you new perspectives.

Jumping in

Besides the right people, you need the right technology and processes. You may already have a basic foundation you can build on — chances are, you’ve been doing threat hunting without even knowing it. If you’ve ever investigated attacks to try to understand what happened, you’ve been answering some of the same questions and following some of the same steps that hunters do.

A deliberate program, however, does take time to develop. Start with small steps and easy, tactical data sources, then build from there. Don’t make the mistake of throwing a bunch of data sources in at once, or you’ll run into challenges. You don’t even need complicated tools to get off the ground, because you can discover malicious behavior with OS event logs or logs your sysadmin keeps for troubleshooting purposes.
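The point about starting with easy, tactical data sources is worth making concrete, and it ties back to the Ryuk piece above: the NCSC advisory quoted there says the initial TrickBot/Emotet infection sits undetected for days to months, which is exactly the window a hunt over ordinary host logs can close. The following is an added example, not code from Cisco’s report or its tooling. The records are constructed to carry the fields every Windows host already logs for process creation (Sysmon Event ID 1 or Security event 4688: host, parent process, new process, command line), and two hunts run over them: a hypothesis-driven one (an Office process should never be the parent of a script host, which is how a macro-laced email attachment starts), and frequency stacking, which surfaces parent/child pairs seen on very few hosts. The host names, command lines and the benign baseline are all made up for the example.

```python
"""A first hunt over process-creation telemetry (added example, constructed data)."""
from collections import defaultdict

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
# Command-line fragments common in malicious PowerShell launches. Each has
# legitimate uses too, so a hit is a lead for triage, not a verdict.
CMDLINE_FLAGS = ("-enc", "-encodedcommand", "-w hidden", "-nop", "downloadstring", "iex(")


def _baseline(host):
    """Constructed: the benign activity every workstation in the sample shows."""
    return [
        {"host": host, "parent": "explorer.exe", "image": "outlook.exe", "cmdline": "outlook.exe"},
        {"host": host, "parent": "outlook.exe", "image": "winword.exe", "cmdline": "winword.exe /n report.docx"},
        {"host": host, "parent": "services.exe", "image": "svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    ]


EVENTS = [ev for h in ("WS01", "WS02", "WS03", "WS04", "WS05") for ev in _baseline(h)] + [
    # an admin opening Event Viewer: rare but benign; stacking will surface it too
    {"host": "WS04", "parent": "explorer.exe", "image": "mmc.exe", "cmdline": "mmc.exe eventvwr.msc"},
    # the constructed bad event: a Word document's macro launches hidden, encoded PowerShell
    {"host": "WS01", "parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
]


def suspicious_cmdline(cmdline):
    c = cmdline.lower()
    return any(flag in c for flag in CMDLINE_FLAGS)


def hunt_office_spawning_scripts(events):
    """Hypothesis-driven hunt: Office should never be the parent of a script host."""
    return [dict(e, cmdline_flagged=suspicious_cmdline(e["cmdline"]))
            for e in events
            if e["parent"].lower() in OFFICE and e["image"].lower() in SCRIPT_HOSTS]


def stack_parent_child(events, max_hosts=1):
    """Stacking: count distinct hosts per (parent, child) pair and keep the long tail."""
    hosts = defaultdict(set)
    for e in events:
        hosts[(e["parent"].lower(), e["image"].lower())].add(e["host"])
    return sorted((pair, sorted(h)) for pair, h in hosts.items() if len(h) <= max_hosts)


def run_hunt(events=EVENTS):
    """Both hunts over one event set; the result is what an analyst triages."""
    return {"office_to_script": hunt_office_spawning_scripts(events),
            "rare_pairs": stack_parent_child(events)}


if __name__ == "__main__":
    for name, hits in run_hunt().items():
        print(name)
        for hit in hits:
            print("  ", hit)
```

Run against the sample, the first hunt returns the single WS01 event with its command line flagged; the second returns both the WS01 pair and the WS04 Event Viewer launch, which is the normal shape of a stacking result: a short list that still needs a human to separate the admin from the intruder. Once a hunt like this has proved itself, it is the candidate for the playbook and automation the earlier section describes.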

One final thought. There’s a misconception that only larger organizations can implement a threat hunting program. In reality, threat actors don’t concern themselves with size and are looking for easy targets — smaller organizations can benefit just as much, if not more, from getting ahead of these threats. If you don’t have in-house resources, outsource to an expert consultant. And if you already have an outside IR team on retainer, start the conversation about what it would take to proactively look for adversaries.

Want to learn more about establishing a threat hunting program? Download the recent Cisco Cybersecurity Series report, “Hunting for Hidden Threats: Incorporating Threat Hunting Into Your Security Program.”


IDA, I Think It’s Time You And I Had a Talk: Controlling IDA Pro With Voice Control Software


This blog post is the next episode in the FireEye Labs Advanced Reverse Engineering (FLARE) team Script Series. Today, we are sharing something quite unusual. It is not a tool or a virtual machine distribution, nor is it a plugin or script for a popular reverse engineering tool or framework. Rather, it is a profile created for a consumer software application completely unrelated to reverse engineering or malware analysis… until now. The software is named VoiceAttack, and its purpose is to make it easy for users to control other software on their computer using voice commands. With FLARE’s new profile for VoiceAttack, users can completely control IDA Pro with their voice! Have you ever dreamed of telling IDA Pro to decompile a function or show you the strings of a binary? Well dream no more! Not only does our profile give you total control of the software, it also provides shortcuts and other cool features not previously available. It’s our hope that providing voice control for the world’s most popular disassembler will further empower users with repetitive stress injuries or disabilities to more effectively put their reverse engineering skills to use with this new accessibility option as well as helping the community at large work more efficiently.

Check out our video demonstration of some of the features of the profile to see it in action.

How Does It Work?

VoiceAttack is an inexpensive software application that utilizes the Windows Speech Recognition (WSR) feature to enable the creation of user-defined, voice-activated macros. The user specifies a key word or phrase, then defines one or more actions to be taken when that word or phrase is recognized. The most common types of actions to be taken include key presses, mouse movement and clicks, and clipboard manipulation. However, there are many other more advanced features available that provide a lot of flexibility to users including variables, loops, and conditionals. You can even have the computer speak to you in response to your commands! VoiceAttack requires an internet connection, but only during the registration process, after which the network adapter can be disabled or configured to a network that cannot reach the internet without issue.

To use VoiceAttack, you must first train Windows Speech Recognition to recognize your voice. Instructions on how to do so can be found here. This process takes only a few minutes, but the more time you spend training, the better the experience you will have with it.

What Does the IDA Pro Profile Provide?

FLARE’s IDA Pro profile for VoiceAttack maps every advertised keyboard shortcut in IDA Pro to a voice command. Although this is only one part of what the profile provides, many users will find this in itself very useful. When developing this profile, I was shocked to discover just how many keyboard shortcuts there really are for IDA Pro and what can be accomplished with them. Some of my favorite shortcuts are found under the View->Open Subviews and Windows menus. With this profile, I can simply say “show strings” or “show structures” or “show window x” to change the tab I am currently viewing or open a new view in a tab without having to move my mouse cursor anywhere. The next few paragraphs describe some other useful commands to make any reverse engineer’s job easier. For a more detailed description of the profile and commands available, see the Github page.


A series of voice commands can perform multi-step actions not otherwise reachable by individual keyboard shortcuts. For example, wouldn’t it be nice to have commands to toggle the visibility of opcode bytes (see Figure 1)? Currently, you have to open the Options menu, select the General menu item, input a value in the Number of opcode bytes text field, and click the OK button. Well, now you can simply say “show opcodes” or “hide opcodes” and it will be so!

Figure 1: Configuring the number of opcode bytes to show in IDA Pro's disassembly view

Defining a Unicode string in IDA Pro is a multi-step exercise, whether you navigate to the Edit->Strings menu or use the “string literals” keyboard shortcut Alt+A followed by pressing the U key as shown in Figure 2. Now you can simply say “make Unicode string” and the work is done for you.

Figure 2: String literals dialog in IDA Pro

Reversing a C++ application? The Create struct from selection action is a very helpful feature in this case, but it requires you to navigate to the Edit->Structs menu in order to use it. The voice command “create struct from selection” does this for you automatically. The “look it up” command will copy the currently highlighted token in the disassembly and search Google for it using your default browser. There are several other macros in the profile that are like this and save you a lot of time navigating menus and dialogs to perform simple actions.

Cursor Movement, Dialogs, and Navigation

The cursor movement commands allow the user to move the cursor up, down, left, or right, one or more times, in specified increments. These commands also allow for scrolling with a voice command that commences scrolling in a chosen direction, and another voice command for stopping scrolling. There are even voice commands to set the speed of the scroll to slow, medium, or fast. In the disassembly view, the cursor can also be moved per “word” on the current line of the disassembly or decompilation, or even per basic block or function.

Like many other applications, dialogs are a part of IDA Pro’s user interface. The ability to easily navigate and interact with items in a dialog with your voice is essential to a smooth user experience. Voice commands in the profile enable the user to easily click the OK or Cancel buttons, toggle checkboxes, and tab through controls in the dialog in both directions and in specified increments.

With the aid of a companion IDAPython plugin, additional navigation commands are supported. Commands that allow the user to move the cursor to the beginning or end of the current function, to the next or previous “call” instruction, to the previous or next instruction containing the highlighted token, or to a specified number of bytes forward or backwards from the current cursor position help to make voice-controlled navigation easier.

These cursor movement and navigation commands enable users to have full control of IDA Pro without the use of their hands. While this is true and an important goal for the profile, it is not practical for people who have full use of their hands to go completely hands-free. The commands that navigate the cursor in IDA Pro will never be as fast or easy as simply using the mouse to point and click somewhere on the screen. In any case, users will find themselves building up a collection of voice commands they prefer to use that will depend on personal tastes. However, enabling full voice control allows reverse engineers who do not have full use of their hands to still effectively operate IDA Pro, which we hope will be of great use to the community. Having such a capability is also useful for those who suffer from repetitive strain injury.

Input Recognition

The commands described so far give you control over IDA Pro with your voice, but there is still the matter of providing textual input for items such as function and variable names, comments, and other text input fields. VoiceAttack does provide the ability in macros to enable and disable what is called “Dictation Mode”. When in Dictation Mode, any recognized words are added to a buffer of text until Dictation Mode is disabled. Then this text can be used elsewhere in the macro. Unfortunately, this feature is not designed to recognize the kinds of technical terms one would be using in the context of reverse engineering programs. Even if it were, there is still the issue of having to format the text to be a valid function or variable name. Instead of wrestling with this feature to try to make it work for this purpose, a very large and growing collection of “input recognition” commands was created. These commands are designed to recognize common words used in the names of functions and variables, as well as full function names as found in the C runtime libraries and the Windows APIs. Once recognized, the word or function name is copied to the user’s clipboard and pasted into the text field. To avoid the inadvertent triggering of such commands during the regular operation of IDA Pro, these commands are only active when the “input mode” is enabled. This mode is enabled automatically when certain commands are activated such as “rename” or “find”, and automatically disabled when dialog commands such as “OK” or “cancel” are activated. The input mode can also be manually manipulated with the “input mode on” and “input mode off” commands.


Today, the FLARE team is releasing a profile for VoiceAttack and a companion IDAPython plugin that enables full voice control of IDA Pro along with many added convenience features. The profile contains over 1000 defined commands and growing. It is easy to view, edit, and add commands to this profile to customize it to suit your needs or to improve it for the community at large. The VoiceAttack software is highly affordable and enables you to create profiles for any applications or games that you use. For installation instructions and usage information, see the project’s GitHub page. Give it a try today!

Nearly 70 US Government Organizations Hit by Ransomware Since January

Ransomware gangs, intent on stealing American dollars, have struck at least 621 targets in the US government, education, and healthcare sectors since January. 

A report into stateside ransomware attacks, released on October 1 by antivirus company Emsisoft, which is an associate partner in Europol’s No More Ransom Project, paints a picture of a nation in a serious cyber-predicament.

At least 68 state, county, and municipal entities have been impacted by this particular type of attack since the beginning of the year. In just one attack on Baltimore, MD, carried out in May using the ransomware RobbinHood, recovery costs are estimated to have been $18.2 million. 

A Ryuk attack on Lake City, FL, in June led to insurers forking over a $460,000 ransom minus a $10,000 deductible, and only part of the data affected was recovered. 

So far this year, there have been at least 62 ransomware incidents involving school districts and other educational establishments, which potentially impacted operations at up to 1,051 individual schools, colleges, and universities.

The healthcare sector has suffered just under 500 attacks since this year's ball drop in Times Square heralded the start of 2019.

Fabian Wosar, Emsisoft CTO, told Infosecurity Magazine: "When we look at absolute numbers in all areas—business, government, and home users—ransomware is on the decline. However, this is mostly due to the fact that ransomware gangs focus on business and government targets these days instead of the large-scale spray-and-pray attacks against home users that were dominant just a few years ago. So, while the pressure on home users went down dramatically, it skyrocketed for those other areas."

Describing the biggest ransomware payout he had come across, Wosar said: "The biggest confirmed payout I have seen was $700,000, but I cannot disclose specific details about that case."

How an organization decides to deal with a ransomware attack has a major bearing on whether it will be re-targeted at a later date. 

Wosar told Infosecurity Magazine: "What definitely will make you a big target is if you got ransomed and paid. During a lot of these attacks we have seen ransomware groups leave behind backdoors that allow them to access the systems again in the future. Given this backdoor access and your willingness to pay for your data, you become a prime target for a second attack later down the line."

Sharing his predictions on how ransomware attacks will evolve, Wosar said: "I believe that attacks on organizations with outsourced infrastructure and IT will become increasingly common. The tools used by MSPs and other service providers act as a gateway to their clients’ systems and, as we saw in the Texas and PercSoft incidents, enable multiple organizations to be ransomed in one fell swoop."

No More Mixed Messages About HTTPS

Today we’re announcing that Chrome will gradually start ensuring that https:// pages can only load secure https:// subresources. In a series of steps outlined below, we’ll start blocking mixed content (insecure http:// subresources on https:// pages) by default. This change will improve user privacy and security on the web, and present a clearer browser security UX to users.
In the past several years, the web has made great progress in transitioning to HTTPS: Chrome users now spend over 90% of their browsing time on HTTPS on all major platforms. We’re now turning our attention to making sure that HTTPS configurations across the web are secure and up-to-date.
HTTPS pages commonly suffer from a problem called mixed content, where subresources on the page are loaded insecurely over http://. Browsers block many types of mixed content by default, like scripts and iframes, but images, audio, and video are still allowed to load, which threatens users’ privacy and security. For example, an attacker could tamper with a mixed image of a stock chart to mislead investors, or inject a tracking cookie into a mixed resource load. Loading mixed content also leads to a confusing browser security UX, where the page is presented as neither secure nor insecure but somewhere in between.
In a series of steps starting in Chrome 79, Chrome will gradually move to blocking all mixed content by default. To minimize breakage, we will autoupgrade mixed resources to https://, so sites will continue to work if their subresources are already available over https://. Users will be able to enable a setting to opt out of mixed content blocking on particular websites, and below we’ll describe the resources available to developers to help them find and fix mixed content.
Instead of blocking all mixed content all at once, we’ll be rolling out this change in a series of steps.
• In Chrome 79, releasing to stable channel in December 2019, we’ll introduce a new setting to unblock mixed content on specific sites. This setting will apply to mixed scripts, iframes, and other types of content that Chrome currently blocks by default. Users can toggle this setting by clicking the lock icon on any https:// page and clicking Site Settings. This will replace the shield icon that shows up at the right side of the omnibox for unblocking mixed content in previous versions of desktop Chrome.

Accessing Site settings, from which users will be able to unblock mixed content loads in Chrome 79.

• In Chrome 80, mixed audio and video resources will be autoupgraded to https://, and Chrome will block them by default if they fail to load over https://. Chrome 80 will be released to early release channels in January 2020. Users can unblock affected audio and video resources with the setting described above.
• Also in Chrome 80, mixed images will still be allowed to load, but they will cause Chrome to show a “Not Secure” chip in the omnibox. We anticipate that this is a clearer security UI for users and that it will motivate websites to migrate their images to HTTPS. Developers can use the upgrade-insecure-requests or block-all-mixed-content Content Security Policy directives to avoid this warning.

Omnibox treatment for websites that load mixed images in Chrome 80.

• In Chrome 81, mixed images will be autoupgraded to https://, and Chrome will block them by default if they fail to load over https://. Chrome 81 will be released to early release channels in February 2020.

Resources for developers

Developers should migrate their mixed content to https:// immediately to avoid warnings and breakage. Here are some resources:

• Use Content Security Policy and Lighthouse’s mixed content audit to discover and fix mixed content on your site.
• See this guide for general advice on migrating servers to HTTPS.
• Check with your CDN, web host, or content management system to see if they have special tools for debugging mixed content. For example, Cloudflare offers a tool to rewrite mixed content to https://, and WordPress plugins are available as well.
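As an added example (not code from the Chrome post), a small Python audit that parses the HTML of an https:// page, lists every subresource that resolves to http://, and maps each one to the Chrome 79–81 treatment described above, then picks the CSP directive from the post. The page URL and HTML are constructed; the stylesheet entry relies on Chrome already blocking mixed stylesheets like scripts.

```python
"""Audit an https:// page for mixed content and map each hit to Chrome's planned treatment."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# How Chrome treats each kind of http:// subresource on an https:// page,
# following the Chrome 79-81 rollout described in the post above.
TREATMENT = {
    "script": "already blocked by default",
    "iframe": "already blocked by default",
    "link": "already blocked by default (stylesheet)",
    "audio": "Chrome 80: autoupgraded to https://, blocked if the upgrade fails",
    "video": "Chrome 80: autoupgraded to https://, blocked if the upgrade fails",
    "source": "Chrome 80: autoupgraded to https://, blocked if the upgrade fails",
    "img": "Chrome 80: 'Not Secure' chip; Chrome 81: autoupgraded, blocked if the upgrade fails",
}


class MixedContentParser(HTMLParser):
    """Collect subresource references that resolve to http:// relative to the page URL."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("script", "iframe", "audio", "video", "img", "source"):
            ref = attrs.get("src")
        elif tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower():
            ref = attrs.get("href")
        else:
            return
        if not ref:
            return
        # urljoin resolves relative and protocol-relative (//host/path) references against
        # the https:// page, so only explicit http:// references remain insecure.
        absolute = urljoin(self.page_url, ref.strip())
        if urlparse(absolute).scheme == "http":
            self.findings.append({
                "tag": tag,
                "url": absolute,
                "upgraded": "https://" + absolute[len("http://"):],  # what autoupgrade will fetch
                "treatment": TREATMENT[tag],
            })


def find_mixed_content(page_url, html):
    """Return the insecure subresources of an https:// page, in document order."""
    if urlparse(page_url).scheme != "https":
        raise ValueError("mixed content only applies to pages served over https://")
    parser = MixedContentParser(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


def csp_directive(findings, all_available_over_https):
    """Pick the CSP directive named in the post: upgrade when https:// copies of every
    resource exist, otherwise block so the page never shows the 'Not Secure' chip."""
    if not findings:
        return None
    return "upgrade-insecure-requests" if all_available_over_https else "block-all-mixed-content"


# Constructed sample page (not a real site).
PAGE_URL = "https://example.com/markets/"
SAMPLE_HTML = """
<html><head>
  <link rel="stylesheet" href="http://static.example.net/site.css">
  <script src="//cdn.example.net/app.js"></script>
</head><body>
  <img src="http://static.example.net/stock-chart.png" alt="chart">
  <img src="/img/logo.png">
  <video controls><source src="http://media.example.net/intro.mp4"></video>
  <script src="http://tracker.example.org/t.js"></script>
</body></html>
"""

if __name__ == "__main__":
    hits = find_mixed_content(PAGE_URL, SAMPLE_HTML)
    for hit in hits:
        print(f"<{hit['tag']}> {hit['url']} -> {hit['treatment']}")
    print("Content-Security-Policy:", csp_directive(hits, all_available_over_https=True))
```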

    NiceHash Co-Founder, Wanted in the US, Arrested in Germany

    The co-founder and former CTO of cryptocurrency mining marketplace NiceHash has been arrested by German federal police in connection with US charges of racketeering and fraud. 

    According to the news website 24ur.com, Matjaz Škorjanc was arrested on Monday in Schwarzbach after crossing the German border in a car with Slovenian license plates. 

    Slovenian national Škorjanc is wanted in the US on suspicion of being a member of a criminal organization that committed a number of cyber-frauds between 2008 and 2013. 

    The US alleges that the 33-year-old set up and managed online password-protected hacking forum Darkode, in which cyber-criminals convened to buy, sell, trade, and share information, ideas, and tools to facilitate unlawful intrusions into others’ computers and electronic devices.

    Darkode was shut down in 2015 as part of an internationally coordinated law enforcement effort called Operation Shrouded Horizon.

Škorjanc, who was known online as "iserdo" and "serdo," is further accused of creating and deploying the malicious botnet Mariposa, which harvested personal data from nearly a million computers around the world. Mariposa caused estimated damages of around $4 million after using cyber-scamming and denial-of-service (DoS) attacks to effectively turn infected computers into remotely controlled zombies.

    An indictment was filed in the US District Court for the District of Columbia on December 4, 2018, against Škorjanc, fellow Slovene Mentor Leniqi, Spaniard Florence Carro Ruiz, and American Thomas McCormick. Each of the accused was charged with racketeering conspiracy and conspiracy to commit wire fraud and bank fraud. The racketeering conspiracy charge includes conspiracy to commit bank, wire, and access device fraud, identity theft, hacking, and extortion. 

    McCormick—the last known administrator of the Darkode forum—was also charged with five counts of aggravated identity theft. He was arrested at the FBI’s Washington Field Office in Washington, DC, six days after the indictment was filed.

    If convicted of the charges, each of the accused could spend up to 50 years behind bars.

    Škorjanc has already served four years and ten months in a Slovenian prison after being convicted for his role in the Mariposa botnet.

    Škorjanc's father and H-Bit CEO Martin Škorjanc said: "There is no real legal basis for the prosecution, as Matjaz Škorjanc was already convicted for the same act as prosecuted by the US prosecutor, and the sentence has already been fully passed in Slovenia. 

    "It is an inadmissible retrial of the same thing; it is forbidden by Slovenian, European, and American law."

    Security Serious Awards: Infosecurity Magazine, Canon Europe and Cordery Among Winners

    The annual Security Serious “Unsung Heroes” awards were announced at an event in central London last night.

    The fourth annual awards are intended to celebrate the people of the cybersecurity industry, recognizing the individuals and teams working hard to protect Britain from cybercrime and raise awareness of security issues.

    Compered by Stephen Bonner, partner at Deloitte UK, and organized by Eskenzi PR, Smile on Fridays and IT Security Guru, they were supported by sponsors (ISC)2, Nozomi Networks, KnowBe4 and LMNTRIX.   

    “It can often be a thankless task working in cybersecurity; and as an industry, we tend to focus on technology and innovation,” said lead organizer of Security Serious Week, Yvonne Eskenzi.

    “The cyber skills gap is a huge issue for this country and an event like this really shows off what a great industry it is to be a part of and the wonderful people that make it.”    

The full list of winners was:

Security Leader
Winner: Joe Hancock – MDR Cyber
Highly Acclaimed: James Packer – (ISC)2

Cyber Writer
Winner: Dan Raywood – Infosecurity Magazine
Highly Acclaimed: Kate O'Flaherty – Tech Journalist

Best Security Awareness Campaign
Winner: Host Unknown
Highly Acclaimed: City of London Police

Rising Star
Winner: Hamish McGowan – Channel 4
Highly Acclaimed: Sophia McCall – Bournemouth University

Captain Compliance
Winner: Jonathan Armstrong – Cordery Compliance
Highly Acclaimed: David Hyett – UKRI

Best Educator
Winner: Bayside School Cyber Club supported by GVC Group
Highly Acclaimed: Toni Scullion and the Turing’s Testers

Best Ethical Hacker / Pentester
Winner: Rob Hillier – XQ Cyber

Security Avengers
Winner: Ascential

CISO Supremo
Winner: Quentyn Taylor – Canon Europe
Highly Acclaimed: Shan Lee – Transferwise

Godparent of Security
Winner: Paul Simmonds – Global Identity Foundation
Highly Acclaimed: Adrian Davis – Consulting COO & CIO

    FBI warns about high-impact Ransomware attacks on U.S. Organizations

    The U.S. Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3) warns organizations about high-impact ransomware attacks.

In the wake of the recent string of attacks against cities, school districts and hospitals, the U.S. Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3) issued a public service announcement warning organizations about high-impact ransomware attacks.

    “Ransomware attacks are becoming more targeted, sophisticated, and costly, even as the overall frequency of attacks remains consistent.” reads the public service announcement published by the IC3.

“Since early 2018, the incidence of broad, indiscriminate ransomware campaigns has sharply declined, but the losses from ransomware attacks have increased significantly, according to complaints received by IC3 and FBI case information. Although state and local governments have been particularly visible targets for ransomware attacks, ransomware actors have also targeted health care organizations, industrial companies, and the transportation sector.”

The FBI has observed cybercriminal organizations using multiple techniques to deliver ransomware, including phishing campaigns and the exploitation of Remote Desktop Protocol (RDP) and software vulnerabilities.

The authorities discourage victims from paying a ransom because there is no guarantee that files will be decrypted. In some cases the crooks do not decrypt them after payment; in others, flaws in the encryption process or in the malware itself make the data impossible to recover.

The FBI urges victims to report the incident to their local FBI field office and to ic3.gov in order to receive the necessary support.

    “Regardless of whether you or your organization have decided to pay the ransom, the FBI urges you to report ransomware incidents to law enforcement.” continues the announcement. “Doing so provides investigators with the critical information they need to track ransomware attackers, hold them accountable under U.S. law, and prevent future attacks.”

    Reporting the ransomware attacks to the FBI will help law enforcement to track the crooks behind the campaign and to collect the indicators of compromise associated with the threat.

Below are the cyber defense best practices shared by the FBI:

    • Regularly back up data and verify its integrity
    • Focus on awareness and training
    • Patch the operating system, software, and firmware on devices
    • Enable anti-malware auto-update and perform regular scans
    • Implement the least privilege for file, directory, and network share permissions
    • Disable macro scripts from Office files transmitted via email
    • Implement software restriction policies and controls
    • Employ best practices for use of RDP
    • Implement application whitelisting
    • Implement physical and logical separation of networks and data for different org units
    • Require user interaction for end-user apps communicating with uncategorized online assets

    Pierluigi Paganini


    The post FBI warns about high-impact Ransomware attacks on U.S. Organizations appeared first on Security Affairs.

    Content Delivery Network: Why Use It?

You may be one of those individuals who can’t let a day pass without interacting with numerous applications and websites. Did you know that many of these sites and apps are hosted in only one physical location? When you access a website or application from the other side of the globe, your data has to travel across all the networks in between.

For instance, suppose you are in a city in Asia. If the app server is in the USA, the content takes longer to reach you than it takes to reach users in California. The farther you are from the data center, the slower the load times. It can be a frustrating and inconsistent experience.

Generally, mobile and web users can’t tolerate lag because they expect digital experiences in real time. LoadStorm released a report that includes the following findings:

• 25% of users won’t wait more than four seconds for a website to load
• 74% of users won’t wait more than five seconds for a mobile site to load
• 46% of users will look for other websites if they find a site’s performance unsatisfactory

A content delivery network (CDN) can fix these issues.

    What is a CDN?

    A content delivery network is simply a delivery method for content from your mobile app or website to the visitors efficiently and quickly, depending on their geographical location. It has a network of servers in various places around the world.

    An edge server is the closest to the user. If you want to request content from a website in a content delivery network, you connect to an edge server nearest you to ensure that you gain a superior online experience.

    If you have content, you can have a content delivery network to deliver it from an edge server to your user quickly. If a person wants to access content from your mobile app or website, he can request it from a nearby server. Data doesn’t need to travel from your origin server to his geographical location.

    A CDN can also update your content continuously, so users access the most relevant and current data. Content invalidation is the process of purging your content as often as necessary so that you can update it when needed.

    Benefits of a Content Delivery Network

A content delivery network has numerous benefits for your website. Here are some of them:

• Speedy load times for mobile and web users
• Prompt scalability during heavy traffic
• Secured site stability by reducing risk of traffic spikes at the origin server
• Reduced infrastructure costs because of traffic offloading
• Enhanced site performance

    Difference between conventional and modern CDNs

    The late 1990s ushered in the CDNs; however, the traditional ones have lagged in technology and hardware advancements. Thus, they can’t offer similar benefits to their modern counterparts. Legacy content delivery networks don’t use agile software environments that allow companies to iterate constantly, improve their product, and incorporate customer feedback. The traditional CDNs haven’t experienced much change for at least five years already.

    Purging dynamic and static content

Conventional CDNs cache static content only, because they can’t update content based on the user’s input. Static content comprises JavaScript, CSS, videos, and images. Dynamic content, by contrast, requires server logic, such as filling a shopping cart or paying with a credit card. These transactions can’t be cached: they involve sensitive data and must pass through the origin server.

    Some dynamic content can be cached, especially if the content doesn’t have personal data. However, such type of content is still frequently changing and unpredictable. It is event-driven based on an action by a machine or human. Examples of this content include user-generated comments, news headlines, sports scores, or stock prices. For many CDNs, this type of transaction is “uncacheable;” however, it is possible to cache these transactions.

    The edge server

Classic CDNs offer limited edge capacity because they depend on spinning hard disks, so they have to prioritize which content is cached at the edge server. A consequence of that prioritization is that smaller websites may not get the same priority as larger sites. Modern CDNs, on the other hand, use solid-state drives (SSDs) and don’t need to prioritize caching, so everyone benefits equally.

    Reverse proxying

Another advantage of state-of-the-art CDNs is reverse proxying. Customers of traditional CDNs need to upload content to the cache servers in advance, whereas with modern CDNs they only need to upload it to the origin server; no frontloading of content at the cache servers occurs. With traditional CDNs, dynamic content resides on the origin server, so users can experience slow loading during traffic spikes.

    Who benefits from CDNs?

Individuals and institutions with a mobile application or website that many users access simultaneously should take advantage of a content delivery network. CDNs are primarily useful to websites and software with extensive dynamic content accessed by users worldwide.

    Moreover, content delivery networks have specific advantages to numerous types of organizations and businesses.


    A CDN site can deliver content efficiently and quickly even during heavy traffic like holidays and Black Friday shopping.


    Government websites that provide numerous contents can offer vital information efficiently and quickly through a content delivery network.


    Banking institutions can use content delivery networks for reliable, secure, and fast distribution of sensitive data to analysts and consumers.

    Media and Publishing

    Media websites must deliver updated information promptly. A content delivery network can help them update their news and headlines homepages in real-time. Moreover, it deletes outdated data.

    Mobile applications

    Mobile apps that have dynamic content can use CDNs to increase responsiveness and reduce load times.

    SaaS and Technology

Users around the world access content from technology websites every day. If these sites use content delivery networks, those users get an excellent experience.

A content delivery network or CDN is an essential service for mobile app developers and website owners. It enhances the user experience even when a site serves large volumes of content. If you have a mobile app or website with thousands of global users, you can harness its power.


    Ukrainian police dismantled a bot farm involved in multiple spam campaigns

    The Ukrainian police dismantled a bot farm involved in spam campaigns carried out through various services, including email and social networks.

Cybercrime is a prolific business: criminal organizations continue to profit from illegal activities in cyberspace, but police are ready to counter them. Cyber experts at the Ukrainian police dismantled a bot farm involved in spam campaigns carried out through various services, including email and social networks.

“Cyber police officers, together with investigators of the Main Investigative Directorate of the National Police of Ukraine, under the procedural guidance of the Prosecutor General’s Office of Ukraine, exposed a large-scale service for mass distribution of electronic messages.” states the press release published by the Ukrainian police. “It is established that all works of the service are carried out exclusively at the request of interested clients. With this resource, it was possible to buy activated accounts in large numbers to various mail resources, social networks, payment systems and more. At the same time, verified accounts were also sold, the cost of which was much higher.”

    Operators behind the bot farm were offering large numbers of active accounts for multiple online services that their customers used to carry out spam campaigns.

The Ukrainian Police raided houses, apartments, garages and rented offices in six Ukrainian cities (Kiev, Odesa, Lviv, Nikolaev, Rivne, and Kherson) and seized equipment used in the bot farm, including multi-SIM card modems and electronic equipment used to sign up to payment systems.

Crooks were using the SIM cards to register accounts on various services that require a phone number to verify users’ identity. They preserved their anonymity using VPN and Tor services.

    Police officers and the Main Investigative Directorate of Ukraine’s National Police carried out searches at houses, apartments, garages and rented offices where the group set up the illegal activity.

    To anonymize the bot farm traffic, the operators ran connections through VPN services and the Tor network. Details of how the officers were able to discover the physical addresses remain undisclosed.

    Authorities will analyze the seized equipment in an attempt to collect additional information on the crime rings.

    “The pre-trial investigation is ongoing within the framework of the previously initiated criminal proceedings under Art. 1889 (Requirement), Art. 258 (Terrorist Act), Art. Measures are being taken to prosecute those involved in the organization of such activities. ” concludes the statement.

Today I had the pleasure of writing a post on another successful operation conducted by law enforcement. A joint operation conducted by the Netherlands’ National Criminal Investigation Department and National Cyber Security Center made it possible to track down and seize five servers that made up a cybercrime underground bulletproof hosting service.

The servers were hosted at an unnamed data center in Amsterdam and were used by tens of IoT botnets involved in DDoS attacks worldwide.

    Pierluigi Paganini


    The post Ukrainian police dismantled a bot farm involved in multiple spam campaigns appeared first on Security Affairs.

    Google’s Password Manager now checks for breached credentials

    Google has taken the next step in its strategy to secure users' passwords. The search giant has taken a password-checking feature released in February as an extension to its Chrome browser and embedded it directly into its password manager service.

    Measuring the Security of IoT Devices

    In August, CyberITL completed a large-scale survey of software security practices in the IoT environment, by looking at the compiled software.

    Data Collected:

    • 22 Vendors
    • 1,294 Products
    • 4,956 Firmware versions
    • 3,333,411 Binaries analyzed
    • Date range of data: 2003-03-24 to 2019-01-24 (varies by vendor, most up to 2018 releases)


This dataset contains products such as home routers, enterprise equipment, smart cameras, security devices, and more. It represents a wide range of devices found in home, enterprise, or government deployments.

    Vendors are Asus, Belkin, DLink, Linksys, Moxa, Tenda, Trendnet, and Ubiquiti.

    CyberITL's methodology is not source code analysis. They look at the actual firmware. And they don't look for vulnerabilities; they look for secure coding practices that indicate that the company is taking security seriously, and whose lack pretty much guarantees that there will be vulnerabilities. These include address space layout randomization and stack guards.

A summary of their results:

    CITL identified a number of important takeaways from this study:

    • On average, updates were more likely to remove hardening features than add them.
    • Within our 15 year data set, there have been no positive trends from any one vendor.
    • MIPS is both the most common CPU architecture and least hardened on average.
    • There are a large number of duplicate binaries across multiple vendors, indicating a common build system or toolchain.

    Their website contains the raw data.
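As an added example (not CyberITL's tooling), a Python checker in the spirit of the methodology described above: it reads the raw ELF headers of a compiled binary, with no source or debug information, and reports the same kind of hardening evidence, PIE (required for ASLR of the main image), a stack-protector reference, and a non-executable stack from the GNU PT_GNU_STACK header, then compares two builds for removed features, as in the first takeaway. The sample images are constructed in the code and are not real firmware; the stack-canary test is a string heuristic.

```python
"""Check an ELF binary for the hardening features a firmware survey looks for."""
import struct

ET_DYN = 3                 # e_type of position-independent executables (and shared objects)
PT_GNU_STACK = 0x6474E551  # program header that declares the stack's permissions
PF_X = 1
EM_NAMES = {3: "x86", 8: "MIPS", 40: "ARM", 62: "x86-64", 183: "AArch64"}


def check_hardening(blob):
    """Return which hardening features an ELF image carries, from its raw bytes only."""
    if blob[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = blob[4] == 2                  # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if blob[5] == 1 else ">"   # EI_DATA: 1 = little-endian, 2 = big-endian
    if is64:
        hdr_fmt, ph_fmt = end + "16sHHIQQQIHHHHHH", end + "IIQQQQQQ"
    else:
        hdr_fmt, ph_fmt = end + "16sHHIIIIIHHHHHH", end + "IIIIIIII"
    hdr = struct.unpack_from(hdr_fmt, blob, 0)
    e_type, e_machine = hdr[1], hdr[2]
    e_phoff, e_phentsize, e_phnum = hdr[5], hdr[9], hdr[10]

    nx_stack = None  # stays None when no PT_GNU_STACK header exists (stack executable by default)
    for i in range(e_phnum):
        ph = struct.unpack_from(ph_fmt, blob, e_phoff + i * e_phentsize)
        p_type = ph[0]
        p_flags = ph[1] if is64 else ph[6]  # p_flags is 2nd in Elf64_Phdr, 7th in Elf32_Phdr
        if p_type == PT_GNU_STACK:
            nx_stack = not (p_flags & PF_X)

    return {
        "arch": EM_NAMES.get(e_machine, f"unknown({e_machine})"),
        "pie": e_type == ET_DYN,                      # needed for ASLR of the main image
        "stack_canary": b"__stack_chk_fail" in blob,  # heuristic: canary failure handler referenced
        "nx_stack": nx_stack,
    }


def regressions(old, new):
    """Hardening features present in the old build but missing in the new one."""
    return sorted(f for f in ("pie", "stack_canary", "nx_stack") if old[f] and not new[f])


def build_sample_elf(pie, canary, nx_stack):
    """Constructed 32-bit big-endian MIPS image with one PT_GNU_STACK header (not real firmware)."""
    ident = b"\x7fELF" + bytes([1, 2, 1]) + bytes(9)  # 32-bit, big-endian, ELF version 1
    phdr = struct.pack(">IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, 6 if nx_stack else 7, 16)
    hdr = struct.pack(">16sHHIIIIIHHHHHH", ident, ET_DYN if pie else 2, 8, 1, 0,
                      52, 0, 0, 52, 32, 1, 0, 0, 0)  # e_phoff=52, one 32-byte program header
    tail = b"\x00__stack_chk_fail\x00" if canary else b"\x00"
    return hdr + phdr + tail


if __name__ == "__main__":
    old = check_hardening(build_sample_elf(pie=True, canary=True, nx_stack=True))
    new = check_hardening(build_sample_elf(pie=False, canary=False, nx_stack=True))
    print("old build:", old)
    print("new build:", new)
    print("hardening removed by the update:", regressions(old, new))
```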

    Discovery of Geost Botnet Made Possible by Attacker OpSec Fails

A series of operational security (OpSec) failures on the part of attackers enabled researchers to discover the Geost botnet. In mid-2018, Virus Bulletin researchers Sebastian Garcia, María José Erquiaga and Anna Shirokova discovered Geost, one of the largest Android banking botnets known today, while analyzing another malware family called HtBot. The researchers found that HtBot […]

    The post Discovery of Geost Botnet Made Possible by Attacker OpSec Fails appeared first on The State of Security.

    Hashtag Trending – New privacy tools from Google, Alexa goes job hunting, UPS delivery drones approved

    Google rolls out new privacy features, Alexa steps up to help people find jobs, and UPS gets federal approval for a fleet of delivery drones.

    Chapter Preview: Birth to Age 2 – First Footprints

    When your baby is on the way, their privacy and digital security is probably the last thing you have on your mind. At least it’s way down there on the list—of course it is! You’re preparing for a bright, joyous addition to your family and home. Everything you’re doing is intended to create an environment that is safe and comfortable, so your baby knows a warm and loving world right from the start. Not to mention, you and your family are anticipating how much you’ll enjoy these milestones.

    Part of the enjoyment includes sharing these moments, which is mainly done online these days. (When’s the last time you took a picture on film and had it printed?) From digital invitations, to baby showers, and ultrasound pictures posted on social media—the weeks and months leading up to birth are a celebration as well. And that’s where your baby’s data lake gets its initial drops. Your posts on social media make up the first little digital streams feeding their data lake, along with anything else you share about them online.

    When my children were babies we spent a lot of time “baby proofing” the house. You know, putting special locks on the kitchen cabinets, plastic covers on electrical outlets, baby gates, and more. Today that behavior needs to extend online. We need to be the guardians of our baby’s privacy, identity, and security until they get to the age where they understand what’s at risk and can protect themselves.

No doubt you will want to share all those precious moments as your bundle of joy fills your life with happiness, despite the possible risks. With that in mind, there’s an entire chapter in “Is Your Digital Front Door Unlocked?” dedicated to your baby’s first steps online, offering suggestions on what constitutes a healthy balance of what should and should not be shared. It also looks at other important considerations that you may not have thought of, such as getting your baby a Web address and monitoring their identity to make sure an identity thief hasn’t hijacked it—plenty of things many parents wouldn’t think of, but should, given the way our world works today.

    Gary Davis’ book, Is Your Digital Front Door Unlocked?, is available September 5, 2019 and can be ordered at amazon.com.

    The post Chapter Preview: Birth to Age 2 – First Footprints appeared first on McAfee Blogs.

    Airbus Supplier Attacks Part of Multi-Vertical Campaign

    Security researchers have identified a new state-backed threat group they believe to be behind the recently disclosed attacks on European aerospace supply chain companies and organizations in other verticals.

    Reports had suggested the attacks — which affected UK engine-maker Rolls Royce, French tech supplier Expleo and two other French Airbus suppliers — had been carried out either by China’s APT10 group or a regional branch of the country’s Ministry of State Security, known as JSSD.

    However, security researchers at Context believe the attacks are the work of another nation state hacking group. Although the firm falls short of blaming China, it admits that the “Avivore” group does operate in the same time zone, and shares some similarities with APT10/JSSD.

    The group’s attack methodology follows a set pattern. After using compromised user credentials and legitimate remote access tools to infiltrate targeted networks, hackers escalate privileges by abusing legitimate tools and/or highly privileged accounts.

    Next, they conduct account and host enumeration using “net” commands, schedule execution of scripts and tooling run in the context of the “SYSTEM” user, and remove any traces of scripts, tooling and event logs following execution. RDP is also used for lateral movement.

    While many supply chain attacks are “vertical” in nature, involving an initial compromise of MSPs or software vendors, the Avivore campaigns are more “horizontal” — relying on island hopping techniques.

    The group abused the commercial VPNs and other collaboration tools shared between large multinationals and the smaller engineering or consultancy firms in their supply chain. Other legitimate tools leveraged by Avivore include network scanning and certificate extraction tools, and Windows Sysinternals utilities such as ProcDump.

    Binaries were disguised as Windows DLLs, with tools executed remotely using scheduled tasks and then removed, according to Context.

    “Avivore showed themselves to be highly capable; adept at both 'living-off-the-land' and in their operational security awareness; including forensically covering their tracks. They demonstrated detailed knowledge of key individuals associated with projects of interest, and were able to successfully mirror working times and patterns of these users to avoid arousing suspicions,” explained the report.

    “They were also able to manipulate victim environments and security controls to facilitate and obfuscate their activities: e.g. modifying firewall rules to accept RDP over alternate ports; establishing hosts within the victim environment as remote access proxies.”
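    The tradecraft described above (account enumeration with “net” commands, scheduled tasks executed as SYSTEM, binaries disguised as Windows DLLs, firewall rules accepting RDP on alternate ports, and event logs removed afterwards) lends itself to host-based detection. The following is an added example written for this page, not code from Context or from the Avivore report. It runs four detection rules over constructed Windows Security event records (the event IDs 4688, 4698, 4946/4947 and 1102 are real; the flat JSON field names are a hypothetical simplification of the real log schema) and then correlates findings per host inside a time window, since it is the combination of these steps, ending with a cleared log, that distinguishes this pattern from ordinary administration.

```python
import json
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events (JSON lines), not real telemetry. Event IDs are the
# real Windows Security log IDs: 4688 process creation, 4698 scheduled task
# created, 4946/4947 firewall rule added/modified, 1102 audit log cleared.
# ENG-WS07 shows the suspicious sequence; HR-WS02 shows benign look-alikes.
SAMPLE_EVENTS = r"""
{"ts":"2019-09-30T02:05:10","host":"ENG-WS07","event_id":4688,"user":"jsmith","process":"C:\\Windows\\System32\\net1.exe","cmdline":"net1 group \"Domain Admins\" /domain"}
{"ts":"2019-09-30T02:06:40","host":"ENG-WS07","event_id":4698,"user":"jsmith","run_as":"SYSTEM","task_name":"\\Maintenance\\Update","command":"rundll32.exe C:\\Users\\Public\\msupd.dll,Start"}
{"ts":"2019-09-30T02:09:01","host":"ENG-WS07","event_id":4946,"user":"jsmith","direction":"Inbound","protocol":"TCP","local_port":"8443","rule_name":"Remote Desktop Alt","app":"C:\\Windows\\System32\\svchost.exe"}
{"ts":"2019-09-30T02:31:55","host":"ENG-WS07","event_id":1102,"user":"jsmith"}
{"ts":"2019-09-30T09:12:00","host":"HR-WS02","event_id":4688,"user":"amiller","process":"C:\\Windows\\System32\\net1.exe","cmdline":"net1 use Z: \\\\fs01\\share"}
{"ts":"2019-09-30T10:00:00","host":"HR-WS02","event_id":4698,"user":"SYSTEM","run_as":"SYSTEM","task_name":"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","command":"%windir%\\system32\\defrag.exe -c -h -o -$"}
"""


@dataclass(frozen=True)
class Finding:
    ts: datetime
    host: str
    user: str
    rule: str
    detail: str


def load_events(jsonl: str) -> list:
    """Parse JSON-lines records and convert the timestamp field to datetime."""
    events = []
    for line in jsonl.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


ENUM_VERBS = {"user", "group", "localgroup", "view", "accounts"}
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\tmp\\")


def rule_net_enumeration(ev):
    """net/net1 run with an account, group or host enumeration verb.
    'net use' (drive mapping) is routine admin noise and is not flagged."""
    if ev["event_id"] != 4688:
        return None
    if not ev.get("process", "").lower().endswith(("\\net.exe", "\\net1.exe")):
        return None
    args = ev.get("cmdline", "").lower().split()
    if len(args) >= 2 and args[1] in ENUM_VERBS:
        return "net_enumeration", ev["cmdline"]
    return None


def rule_system_task_payload(ev):
    """Task registered to run as SYSTEM whose action loads a DLL or anything
    from a user-writable directory (tooling disguised as a Windows DLL)."""
    if ev["event_id"] != 4698 or ev.get("run_as", "").upper() != "SYSTEM":
        return None
    cmd = ev.get("command", "").lower()
    if ".dll" in cmd or any(d in cmd for d in USER_WRITABLE):
        return "system_task_payload", f'{ev.get("task_name")} -> {ev.get("command")}'
    return None


def rule_rdp_alt_port(ev):
    """Inbound firewall rule that looks like Remote Desktop (by name, or by being
    bound to the service host that runs TermService) on a port other than 3389.
    Heuristic only: rule names are attacker-controlled, so this is a triage lead."""
    if ev["event_id"] not in (4946, 4947) or ev.get("direction") != "Inbound":
        return None
    name, app = ev.get("rule_name", "").lower(), ev.get("app", "").lower()
    looks_like_rdp = (any(k in name for k in ("rdp", "remote desktop", "termservice"))
                      or app.endswith("\\svchost.exe"))
    if looks_like_rdp and ev.get("local_port") != "3389":
        return "rdp_alt_port", f'{ev.get("rule_name")} port {ev.get("local_port")}'
    return None


def rule_log_cleared(ev):
    """Security audit log cleared: the 'covering their tracks' step."""
    return ("audit_log_cleared", f'cleared by {ev.get("user")}') if ev["event_id"] == 1102 else None


RULES = (rule_net_enumeration, rule_system_task_payload, rule_rdp_alt_port, rule_log_cleared)


def detect(events) -> list:
    """Run every rule over every event and return the individual findings."""
    return [Finding(ev["ts"], ev["host"], ev.get("user", "?"), hit[0], hit[1])
            for ev in events for hit in (rule(ev) for rule in RULES) if hit]


def correlate(findings, window=timedelta(minutes=60), min_rules=3) -> dict:
    """Per host, look for a window in which several distinct rules fired. A log
    clearing together with any other finding is escalated on its own, since that
    pairing is the strongest signal. Returns {host: sorted rule names}."""
    by_host = defaultdict(list)
    for f in findings:
        by_host[f.host].append(f)
    alerts = {}
    for host, fs in by_host.items():
        fs.sort(key=lambda f: f.ts)
        for i, start in enumerate(fs):
            rules = {f.rule for f in fs[i:] if f.ts - start.ts <= window}
            if len(rules) >= min_rules or ("audit_log_cleared" in rules and len(rules) >= 2):
                alerts[host] = sorted(rules)
                break
    return alerts


if __name__ == "__main__":
    found = detect(load_events(SAMPLE_EVENTS))
    for f in found:
        print(f"{f.ts:%H:%M:%S} {f.host} {f.user} {f.rule}: {f.detail}")
    print("hosts to escalate:", correlate(found))
```

    On the constructed sample the four rules fire only for ENG-WS07, and the correlation escalates that host because all four fired within an hour and the sequence ends with a cleared audit log; the drive mapping and the built-in defrag task on HR-WS02 produce nothing. In production the rules would read from a SIEM or Windows Event Forwarding collector, and the thresholds and the user-writable path list are tuning points rather than fixed values.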

    Although most Avivore activity has taken place since early 2018, the researchers claimed that the PlugX remote access trojan may have been deployed on victim networks as early as October 2015.

    Other verticals thought to have been targeted include automotive, consulting, energy/nuclear and satellite/space technology.

    Zendesk Breach Hits 10,000 Corporate Accounts

    Customer support software giant Zendesk has discovered a security breach dating back to 2016, affecting thousands of corporate clients.

    After being alerted to the incident by a third party, the firm last week identified 10,000 Zendesk Support and Chat accounts which had been accessed by an unauthorized third party.

    Although this number includes some trial accounts and others that are no longer active, Zendesk has a number of high-profile clients, including Airbnb, Uber and OpenTable, that could be affected.

    There’s apparently no evidence that ticket data was accessed. However, email addresses, names and phone numbers of agents and end users of certain Zendesk products up to November 2016 were accessed, as well as hashed and salted agent and end user passwords. In this context, “agents” are the customer support staff from client organizations who use the software, while “end users” are their customers.

    The firm said there’s no evidence these passwords were used to access Zendesk services.

    In addition, for around 700 accounts, the TLS encryption keys and the configuration settings of apps installed from the Zendesk app marketplace or private apps were accessed.

    “As a precautionary measure, in the next 24 hours, we are starting to implement password rotations for all active agents in Support and Chat, and all end users in Support created prior to November 1, 2016,” Zendesk explained.

    “This password rotation will impact all other products which share authentication with Support, including Guide, Talk and Explore. Upon their next login, each of these users will be required to create a new password. You will not be impacted by this if we have been able to identify that you have updated your password since November 1, 2016 or have implemented Single Sign-On in connection with your account.”

    The firm urged customers with accounts dating back prior to November 1, 2016 to rotate all credentials for any Zendesk Marketplace or private apps, upload new TLS certificates and revoke the old ones, and rotate any authentication credentials used in Zendesk products before the November date.

    Microsoft will continue providing Windows 7 security updates for SMBs

    According to Alert Logic’s latest research, most devices in small and midsize businesses (SMBs) run Windows versions that have expired or are about to expire. Luckily for SMBs that don’t want to or can’t upgrade from Windows 7, Microsoft has decided to provide Extended Security Updates (ESU) through January 2023 – if they are willing to pay for them, of course. Details about the ESU offer: Windows is the most popular desktop operating system …

    The post Microsoft will continue providing Windows 7 security updates for SMBs appeared first on Help Net Security.

    Over 20 Million Russian Tax Records Exposed in Privacy Snafu

    Over 20 million Russian tax records were found publicly exposed in a misconfigured Elasticsearch database last month, in yet another privacy snafu.

    Security researcher Bob Diachenko teamed up again with Comparitech to discover the unsecured server, which contained personally identifiable information (PII) on Russian citizens dating from 2009-2016.

    Lacking password protection or any other authentication mechanism, the Amazon Web Services Elasticsearch cluster was first indexed by search engines in May 2018. Diachenko discovered it on September 17 and notified the Ukraine-based owner.

    Although the researchers are still unclear what entity managed the database, it was made inaccessible three days after Diachenko raised the red flag.

    The unencrypted PII included names, addresses, residency status, passport and phone numbers, tax ID numbers, and employer names and phone numbers. It sat exposed for over a year.

    “The cluster contained multiple databases. Some seemed to contain mostly random and publicly sourced data. Two databases, however, included tax and personally identifiable information about Russian citizens. Most of those citizens appear to be from Moscow and the surrounding area,” explained Comparitech’s Paul Bischoff.

    “The first database contained more than 14 million personal and tax records from 2010 to 2016, and the second included over six million from 2009 to 2015.”

    The data is highly sensitive and could be used to craft convincing follow-on phishing and identity fraud schemes.

    Organizations across the globe are failing to protect their Elasticsearch databases. This year alone, researchers have used simple online search tools to find: 8TB of email metadata belonging to a leading Chinese university, 24 million financial records from multiple banks, a copy of the Dow Jones Watchlist containing 2.4 million records and PII on 82 million Americans exposed by a mystery company.

    AWS S3 buckets and MongoDB instances are also commonly misconfigured, exposing countless organizations and their customers to the threat of data theft.

    Dutch police shut down bulletproof service hosting tens of DDoS botnets

    Dutch police have seized a bulletproof hosting service in a major takedown; the infrastructure was used by tens of IoT botnets involved in DDoS attacks.

    A joint operation conducted by the Netherlands’ National Criminal Investigation Department and National Cyber Security Center allowed investigators to track down and seize five servers that made up a bulletproof hosting service serving the cybercrime underground.

    The servers, hosted at an unnamed data center in Amsterdam, were used by tens of IoT botnets involved in DDoS attacks worldwide. The bulletproof hosting service was used to host malware and the command and control systems of several DDoS botnets.

    “Middelburg, Veendam, Amsterdam, Driebergen – The police has taken five servers offline that were used to control a version of a so-called botnet.” reads the press release published by the Dutch police. “The hardware was seized and the business operations stopped. A 24-year-old man from Veendam and a 28-year-old man from Middelburg were arrested on Tuesday evening. They are suspected of, among other things, computer breach and the spread of malware.”

    Authorities revealed that they had received more than three thousand reports of malware spread through the bulletproof hosting service over a period of one year.

    The police say the two Dutch nationals arrested had been running a Mirai botnet from the servers of the KV Solutions BV (KV hereinafter) bulletproof hosting service, with cover from the host.

    “The investigation also revealed that this botnet was very aggressively trying to infect other devices, up to over a million attempts per month on one device. Which DDoS attacks can be attributed to this botnet is part of the further investigation,” the translated police statement reads.

    Authorities are analyzing the seized servers and the data they contain will likely lead to the arrests of other players in the cybercrime underground.

    Pierluigi Paganini

    (SecurityAffairs – bulletproof hosting service, malware)

    The post Dutch police shut down bulletproof service hosting tens of DDoS botnets appeared first on Security Affairs.

    #VB2019: Telcos Faced Sustained Exfiltration Attack Efforts

    Speaking at the Virus Bulletin 2019 conference in London, Cybereason researchers Amit Serper, Mor Levi and Assaf Dahan discussed the “worldwide campaign against telecommunication providers” that they coined Operation Soft Cell.

    Serper described it as an access operation and a “multi-wave attack” that targeted call detail records (CDRs), which contain details of each call: where calls are made, the originating number and the IMEI number.

    “With this you can build a complete picture of a person and where they are located through the day,” he said. “You get a lot of information without getting on the phone as metadata is siphoned off.”

    Levi said an investigation usually starts with small pieces being tied together, through which the researchers were able to learn more about the attacker. The investigation began in 2018 and nothing seemed unusual at first, but second, third and fourth waves of attack were spotted, which led them to conclude that this was the same actor, “as behavior and techniques were almost the same, and they were adaptive and changing indicators to bypass detection.” The researchers later revealed that in some cases the compromise had gone on for up to seven years.

    During the third phase, the researchers realized the attacker was not after bill data or domain administrator details.

    Dahan said that the attacker was able to get in, do external reconnaissance, and use third party tools for exfiltration and to move laterally and obtain credentials.

    “We understood that the attack was on exfiltration, as they compressed and password-protected it,” Dahan said. Serper pointed out that remote access trojans like Poison Ivy were used.

    Levi added that it was “hard to connect the dots but we knew the bigger picture,” and the purpose of the threat intelligence research was to get the big picture. The companies were informed, and the investigation expanded from Cybereason’s initial customer to dozens of other telcos.

    The research also revealed that a lot of the attacks took place in GMT+8, the Chinese time zone, where a two-hour lunch break was also taken. Serper concluded by saying that upon telling those affected, he got very negative responses as “cyber insurance doesn’t cover nation state attacks as it is an act of war.”

    Want to Surf Anonymously? Try these 15 Android VPN Apps Free

    If you’re one of those who do a lot of things online using a mobile device, you should be concerned about Internet security. A virtual private network (VPN) is a technology that adds a layer of security as you surf the Internet. It protects data privacy even when you use public Wi-Fi networks.
    Moreover, VPN apps offer a simple way to access content blocked within your region. If you’re an Android user, you can check the list of the top 15 free Android VPN apps to see whether they suit your requirements.

    Comodo VPN App

    Comodo VPN App is a well-known app with at least 1 million downloads all over the world. Thus, it gets the top spot on this list. Aside from the standard features that each virtual private network app offers, it secures the Wi-Fi connection by providing HTTPS encryption that is prevalent among banks. Thus, it protects your outgoing data from eavesdroppers.

    SecureLine VPN

    The antivirus company Avast created the SecureLine VPN as an app to add to its long list of excellent products. The software can encrypt data through the IPsec protocol to make it difficult for hackers to have access even in public Wi-Fi hotspots. With a single click, it will do everything for you.

    Spotflux VPN

    Spotflux offers two levels of protection for data seclusion. Moreover, it compresses data to reduce bandwidth consumption effectively. It is suitable for you if you want data security and to get the most out of the data plan on your device.

    Hola Free VPN

    Hola Free is an app for you if you want a free Android virtual private network software with impressive features. It provides data security, access to blocked geographical content, and speed of browsing by connecting to the most accessible server automatically. Hola Free VPN is available in at least 190 countries.

    Speed VPN

    Speed VPN can connect you to the Internet through different geographically located servers. It allows you to browse even the restricted geographical sites. Moreover, you can watch low-resolution videos. You gain access to the VPN app for an hour, but you can reconnect quickly by a click of the button.

    Super VPN

    Super VPN is an app with at least 5 million downloads across the world. It is uncomplicated to use and encrypts data traffic, so third parties can’t monitor the information you send and receive. If they want to intercept the data delivery, they need to configure your device settings or register with the software. Moreover, you gain anonymity when you browse websites with a single click of a button.

    Hideman VPN

    Hideman VPN ensures the security of data transmission and uses 256-bit encryption. It encrypts the data so that hackers monitoring it can’t understand its content without a key. It offers limited free use of five hours weekly, but you can gain premium hours through its ad networks.

    Touch VPN

    Touch VPN offers data encryption through Secure Sockets Layer (SSL) by maintaining an encrypted and secure link between the client and server. Moreover, it conserves your device’s battery, unlike the other VPN applications. As such, it is essential software for you if you’re after those two features.

    Flash VPN Proxy

    Flash VPN offers an encrypted and secure network that ensures the transmission and receipt of data is safe from data stealers and hackers. If you use it, you can expect satisfactory bandwidth, similar to what many expensive products offer. Moreover, the app doesn’t limit the length of use.

    CyberGhost
    CyberGhost is an excellent software offering banking-level security. It respects your privacy and doesn’t access any of your information. Therefore, you don’t need to worry about your data on your device. If you avail of the free option, you have access to 23 servers in 15 countries. On the other hand, the premium version provides access to 300 servers located in 23 countries.

    Tigervpns Android VPN

    Tigervpns Android VPN protects your privacy and conceals your IP address. You gain free access of up to 500MB when you sign up.

    Mobiproxy
    Mobiproxy is a useful app if you want to gain access to regionally restricted sites anonymously. Moreover, it gives extra protection for the transmission and reception of data.

    Psiphon
    Psiphon offers a simple access method for everything on the Internet through a protected VPN tunnel. If you decide to use it, you can define your settings if you only want to use its web browser or to tunnel everything.

    Zero VPN

    Zero VPN is software that provides free Android VPN services efficiently. You’ll find its interface easy to use as you surf the Internet anonymously.

    VPN Master

    VPN Master is a superior app if you want to use the Internet anonymously. Moreover, it doesn’t require you to register before you can access it. You have a choice among the servers in Asia, Europe, or America. The app also ensures 99.9% uptime.

    Using a VPN is legal in many countries; however, you must know some significant caveats. You can use it anywhere it’s legal but ensure that you don’t use it for illegal acts like downloading copyrighted materials. China, Iraq, Russia, and North Korea are some of the countries that ban or restrict their use. Law enforcement may request information from VPN providers, although they promise not to keep logs.

    In previous years, VPN use had a poor reputation because some people used it for dubious activities. However, there are now valid reasons why you should use one, like streaming content restricted in your region. You can also use it to protect your details when using public Wi-Fi.

    If you’re ready to try virtual private networks, you can check the list of VPNs provided in this article. Often, we first try free services to learn about the features before paying for the premium services. That’s ok. Many people don’t want to spend a fortune on something that they may find useless later on. So, why don’t you try a free VPN service today?

    The post Want to Surf Anonymously? Try these 15 Android VPN Apps Free appeared first on .