Daily Archives: October 6, 2019

Insider threats are security’s new reality: Prevention solutions aren’t working

Insider threats expose companies to breaches and put corporate data at risk. New research from Code42 questions whether the right data security solutions are being funded and deployed to stop insider threats and asserts that legacy data loss prevention solutions fall short in getting the job done. Today, 79% of information security leaders believe that employees are an effective frontline of defense against data breaches. However, this year’s report disputes that notion. Wake-up call: Insider …

The post Insider threats are security’s new reality: Prevention solutions aren’t working appeared first on Help Net Security.

PoS malware infections impacted four restaurant chains in the U.S.

Four restaurant chains in the U.S. disclosed payment card theft via PoS malware that took place over the summer.

Four restaurant chains in the United States disclosed security breaches that impacted their payment systems over the summer; crooks used PoS malware to steal customers’ payment card data.

The restaurant chains are McAlister’s Deli, Moe’s Southwest Grill, Schlotzsky’s, and Hy-Vee; each confirmed the presence of PoS malware at certain locations.

Moe’s, McAlister’s and Schlotzsky’s are owned by Focus Brands; the fact that they disclosed the payment card breaches simultaneously suggests that attackers were able to compromise infrastructure shared by these chains.

The three restaurant chains confirmed that hackers compromised the payment systems in the period between April 29, 2019 and July 22, 2019.

“A thorough investigation is being conducted and is nearly complete. It appears that unauthorized code designed to copy payment card data from cards used in person was installed in certain corporate and franchised restaurants at different times over the general period of April 29, 2019 to July 22, 2019.” reads an excerpt of a data breach notification published by the three brands.

Only Schlotzsky’s reported that the attacks began on April 11, 2019; the other two confirmed that attacks started on April 29.

The three restaurant chains reported that the PoS malware was discovered only at certain locations, and at most locations it was present for only a few weeks in July.

The brands did not reveal the number of impacted customers.

Customers were initially alerted about the incident on August 20, when the restaurant chains were investigating the security incidents.

The PoS malware was designed to capture data from the magnetic stripe of a payment card during the payment process, including the card number, expiration date, and internal verification code, and sometimes the cardholder name.

The fourth brand that suffered a payment card breach is Hy-Vee; the restaurant chain provided an update to the notice of payment card data incident released on August 14.

The company confirmed that on July 29 crooks compromised some payment processing systems; in this case, the PoS malware remained active for more than a month.

The update provided by the company revealed that infections at the fuel pumps began on December 14, 2018, while payment systems at restaurants and drive-thru coffee shops were infected starting January 15.

“The specific timeframes when data from cards used at these locations involved may have been accessed vary by location over the general timeframe beginning December 14, 2018, to July 29, 2019 for fuel pumps and beginning January 15, 2019, to July 29, 2019, for restaurants and drive-thru coffee shops.” reads the update provided by the company. “There are six locations where access to card data may have started as early as November 9, 2018, and one location where access to card data may have continued through August 2, 2019.”

The company also published a Location Look Up Tool that customers can use to identify the impacted Hy-Vee locations.

Pierluigi Paganini

(SecurityAffairs – restaurant chains, PoS malware)

The post PoS malware infections impacted four restaurant chains in the U.S. appeared first on Security Affairs.

Consumers have concerns about cybersecurity, value education on best practices

Nearly three-quarters of consumers (74%) would be likely to participate in a cybersecurity awareness or education program from their financial institution if they offered it. The survey conducted by The Harris Poll on behalf of Computer Services also found that an overwhelming majority of consumers (92%) have concerns about the security of their personal confidential data online. The poll ran online July 1-3, 2019, and it represents feedback from more than 2,000 U.S. adults ages …

The post Consumers have concerns about cybersecurity, value education on best practices appeared first on Help Net Security.

The top 10 strategic government technology trends CIOs should plan for

The top 10 government technology trends for 2019-2020 that have the potential to optimize or transform public services have been identified by Gartner. Government CIOs should include these trends in their strategic planning over the next 12 to 18 months. The top 10 strategic technology trends for government were selected in response to pressing public policy goals and business needs of government organizations in jurisdictions around the globe. They fit into a broader set of …

The post The top 10 strategic government technology trends CIOs should plan for appeared first on Help Net Security.

64% of IT decision makers have reported a breach in their ERP systems in the past 24 months

ERP applications are ‘critical’ to business operations, according to the IDC survey of 430 IT decision makers. ERP-related breach: Sixty-four percent of the 191 decision makers surveyed whose organizations rely on SAP or Oracle E-Business Suite confirmed that their deployments have had an ERP-related breach in the last 24 months. “Enterprise Resource Planning (ERP) applications such as Oracle E-Business Suite and SAP (ECC) can be foundational for businesses. A breach of such critical ERP applications …

The post 64% of IT decision makers have reported a breach in their ERP systems in the past 24 months appeared first on Help Net Security.

Whitepaper: Identifying Web Attack Indicators

Attackers are always looking for ways into web and mobile applications. The 2019 Verizon Data Breach Investigation Report listed web applications as the number one vector attackers use when breaching organizations. In this paper, Signal Sciences examines malicious web request patterns for four of the most common web attack methods and shows how to gain the context and visibility that is key to stopping these attacks. Key learnings: Four common web layer attack types: account takeover, …

The post Whitepaper: Identifying Web Attack Indicators appeared first on Help Net Security.

Secure Configuration in Cloud – IaaS, PaaS and SaaS Explained

If I asked you what security products you had in place to manage your risk within your IT organisation 10 years ago, you’d probably have been able to list a half dozen different tools and confidently note that most of your infrastructure was covered by a common set of key products such as antivirus, DLP, […]

The post Secure Configuration in Cloud – IaaS, PaaS and SaaS Explained appeared first on The State of Security.

Automating Secure Configuration Management in the Cloud

For many organizations moving to the cloud, Infrastructure as a Service (IaaS) like AWS EC2, Azure Virtual Machines or Google Compute Engine often forms the backbone of their cloud architecture. These services allow you to create instances of pretty much any operating system almost instantly. Unfortunately, moving your IT infrastructure to the cloud doesn’t relieve […]

The post Automating Secure Configuration Management in the Cloud appeared first on The State of Security.

FusionLayer publishes new reference architecture for Microsoft shops

FusionLayer announced that it has published a new reference architecture for managing hybrid enterprise networks that utilize Microsoft Active Directory (AD), Microsoft Azure, and Amazon Web Services (AWS). The new blueprint architecture is aimed at enterprises that have traditionally run Microsoft Windows Server and Microsoft Active Directory (AD) as the foundation of their Information Technology (IT) business infrastructure, and are now migrating some of their business application workloads from on-premise data centers into public clouds. …

The post FusionLayer publishes new reference architecture for Microsoft shops appeared first on Help Net Security.

AdvisorAssist launches AdvisorCloud 360, a new compliance intelligence engine

AdvisorAssist, the industry leading regulatory compliance and business risk management consulting firm, announces the rollout of AdvisorCloud 360, delivering a next-generation compliance intelligence engine. AdvisorCloud 360 is the evolution of AdvisorAssist’s proprietary compliance engine, AdvisorCloud, which supports over 500 advisory firms and over 3,000 supervised persons in meeting their annual compliance obligations. AdvisorCloud 360 is the solution to empower Advisors and their Chief Compliance Officers to navigate the increasingly complex regulatory requirements with full transparency …

The post AdvisorAssist launches AdvisorCloud 360, a new compliance intelligence engine appeared first on Help Net Security.

Wipro renews and extends partnership with XebiaLabs as Strategic Enterprise DevOps Partner

XebiaLabs, the recognized leader in enterprise-class DevOps and Continuous Delivery software, announced that Wipro Limited, a leading global information technology, consulting, and business process services company, has renewed and extended its partnership with XebiaLabs as their Strategic Enterprise DevOps Partner across the globe. The partnership represents a powerful combination of a leading DevOps technology platform and strong DevOps expertise that enables large organizations to accelerate the delivery of high-value software at scale. Achieving DevOps at …

The post Wipro renews and extends partnership with XebiaLabs as Strategic Enterprise DevOps Partner appeared first on Help Net Security.

Iran-linked Phosphorus group hit a 2020 presidential campaign

Microsoft says that the Iran-linked cyber-espionage group tracked as Phosphorus (aka APT35, Charming Kitten, Newscaster, and Ajax Security Team) hit a 2020 presidential campaign.

Microsoft’s Threat Intelligence Center (MSTIC) revealed that an Iran-linked APT group tracked as Phosphorus (aka APT35, Charming Kitten, Newscaster, and Ajax Security Team) attempted to access email accounts belonging to current and former US government officials, journalists, Iranians living abroad, and individuals involved in a 2020 US presidential campaign.

The Phosphorus group made the headlines in 2014 when experts at iSight issued a report describing the most elaborate net-based spying campaign organized by Iranian hackers using social media.

Microsoft has been tracking the threat actors at least since 2013, but experts believe that the cyberespionage group has been active since at least 2011.

The experts revealed that the recent campaign carried out by the APT group took place between August and September.

“In a 30-day period between August and September, the Microsoft Threat Intelligence Center (MSTIC) observed Phosphorus making more than 2,700 attempts to identify consumer email accounts belonging to specific Microsoft customers and then attack 241 of those accounts.” reads the analysis published by Microsoft. “The targeted accounts are associated with a U.S. presidential campaign, current and former U.S. government officials, journalists covering global politics and prominent Iranians living outside Iran.”

The state-sponsored hackers initially conducted a reconnaissance operation to identify high-value targets. Microsoft observed more than 2,700 probes, then the attackers targeted 241 accounts, some of them associated with a U.S. Presidential campaign.

Microsoft confirmed that hackers breached four accounts, but the compromised accounts were not associated with the U.S. Presidential campaign or current and former U.S. government officials.

Microsoft notified all the impacted users about the hacks and provided support to the victims to secure their accounts.

The hackers initially breached the victim’s secondary email inbox associated with their Microsoft account, then used it to reset the password. Once they received the reset link in the secondary inbox, the hackers used it to take control of the primary Microsoft account.

“Phosphorus used information gathered from researching their targets or other means to game password reset or account recovery features and attempt to take over some targeted accounts.” continues the report. “For example, they would seek access to a secondary email account linked to a user’s Microsoft account, then attempt to gain access to a user’s Microsoft account through verification sent to the secondary account. In some instances, they gathered phone numbers belonging to their targets and used them to assist in authenticating password resets.”

Microsoft experts pointed out that the attacks attributed to the Phosphorus group, even if not technically sophisticated, used a significant amount of personal information to identify the targets’ accounts and hack them.

Microsoft recommends that its high-profile customers involved in political campaigns, think tanks, or NGOs sign up for Microsoft AccountGuard, which offers additional protection against such attacks.

“There are currently 60,000 accounts in 26 countries protected by AccountGuard, which provides monitoring and unified threat notification across the Office 365 accounts you use for work and the personal accounts of your staff and others affiliated with your organization that opt-in for this protection.” concludes Microsoft. “To date, we’ve made more than 800 notifications of attempted nation-state attacks to AccountGuard customers.”

In March, Microsoft announced that it had taken control of 99 domains used by an Iran-linked APT group tracked by the company as Phosphorus.

The domains attempted to mimic legitimate services belonging to Microsoft and other legitimate online services, such as LinkedIn and Yahoo. The list of seized domains includes verification-live.com, outlook-verify.net, myaccount-services.net, verify-linkedin.net, and yahoo-verify.net.

The threat actors used the websites to serve malware to the victims; they also sent out emails alerting recipients of a security risk in order to trick them into handing over their account credentials.

Pierluigi Paganini

(SecurityAffairs – Iran, hacking)

The post Iran-linked Phosphorus group hit a 2020 presidential campaign appeared first on Security Affairs.

Week in review: MFA effectiveness, SMBs and Win7 security, the quantum computing threat

Here’s an overview of some of last week’s most interesting news, interviews and articles: Unpatched Android flaw exploited by attackers, impacts Pixel, Samsung, Xiaomi devices A privilege escalation vulnerability affecting phones running Android 8.x and later is being leveraged by attackers in the wild, Google has revealed. Sophos Managed Threat Response: An evolved approach to proactive security protection In its 2019 market guide for managed detection and response (MDR) services, Gartner forecasted that by 2024, …

The post Week in review: MFA effectiveness, SMBs and Win7 security, the quantum computing threat appeared first on Help Net Security.

Security Affairs newsletter Round 234

A new round of the weekly newsletter arrived! The best news of the week with Security Affairs

Hi folks, let me inform you that I suspended the newsletter service; anyway, I’ll continue to provide you with a list of published posts every week through the blog.

Once again thank you!

Hacker claims to have stolen over 218M Zynga ‘Words with Friends’ gamers records

Masad Stealer Malware exfiltrates data via Telegram

Phishers continue to abuse Adobe and Google Open Redirects

WhiteShadow downloader leverages Microsoft SQL to retrieve multiple malware

A new critical flaw in Exim exposes email servers to remote attacks

Arcane Stealer V, a threat for lower-skilled adversaries that scares experts

eGobbler’s malvertising campaign hijacked over 1 billion ad impressions

Exclusive: MalwareMustDie analyzes a new IoT malware dubbed Linux/AirDropBot

Iran’s oil minister orders ‘Full Alert’ for oil sector against attacks

Microsoft will add new file types to the list of blocked ones in Outlook on the Web

A new Adwind variant involved in attacks on US petroleum industry

Danish company Demant expects to incur losses of up to $95 Million after cyber attack

Frequent VBA Macros used in Office Malware

Gucci IOT Bot Discovered Targeting European Region

Hackers breached one of Comodo Forums, 245,000 users impacted

Singapore presented the Operational Technology (OT) Cybersecurity Masterplan

Teheran: U.S. has started ‘Cyber War’ against Iran

Tridium Niagara framework affected by 2 flaws in BlackBerry QNX OS

Asics apologizes after pornography ran on screens at central store in Auckland for hours

Expert disclosed details of remote code execution flaw in Whatsapp for Android

Experts found 20 Million tax records for Russian citizens exposed online

Former American Express employee under investigation for customer data abuse

Ten hospitals in Alabama and Australia have been hit with ransomware attacks

Zendesk 2016 security breach may impact Uber, Slack, and other organizations

6 cyber-espionage campaigns since 2013 attributed to PKPLUG China-linked group

Dutch police shut down bulletproof service hosting tens of DDoS botnets

FBI warns about high-impact Ransomware attacks on U.S. Organizations

Ukrainian police dismantled a bot farm involved in multiple spam campaigns

US Secretary of State Mike Pompeo warns Italy over 5G Chinese equipment supply

Egypt regularly spies on opponents and activists with mobile apps

Project Zero researcher found unpatched Android zero-day likely exploited by NSO group

The sLoad Threat: Ten Months Later

Magecart hackers are expanding their operations

NSA Launches New Cybersecurity Directorate
Pierluigi Paganini

(SecurityAffairs – newsletter)

The post Security Affairs newsletter Round 234 appeared first on Security Affairs.

UK NCSC agency warns of APTs exploiting Enterprise VPN vulnerabilities

The UK’s National Cyber Security Centre (NCSC) warns of attacks exploiting recently disclosed VPN vulnerabilities in Fortinet, Palo Alto Networks and Pulse Secure products.

According to the UK’s National Cyber Security Centre (NCSC), advanced persistent threat (APT) groups have been exploiting recently disclosed vulnerabilities in enterprise VPN products in attacks in the wild. Threat actors leverage VPN vulnerabilities in Fortinet, Palo Alto Networks and Pulse Secure products to breach target networks.

This week the NCSC issued an alert to warn organizations using the vulnerable products.

“The NCSC is investigating the exploitation, by Advanced Persistent Threat (APT) actors, of known vulnerabilities affecting Virtual Private Network (VPN) products from vendors Pulse Secure, Palo Alto and Fortinet.” reads the alert issued by the NCSC.

“This activity is ongoing, targeting both UK and international organisations. Affected sectors include government, military, academic, business and healthcare.”

The UK agency reported that APT groups target several vulnerabilities, including CVE-2019-11510 and CVE-2019-11539 in Pulse Secure VPN solutions, and CVE-2018-13379 in Fortinet FortiOS.

CVE-2018-13379 is a path traversal vulnerability in the FortiOS SSL VPN web portal that could be exploited by an unauthenticated attacker to download FortiOS system files. The flaw could thus be exploited to obtain administrator credentials in plain text.

CVE-2019-11510 in Pulse Connect Secure is a critical arbitrary file read vulnerability.

APT groups also exploit CVE-2018-13382, CVE-2018-13383, and CVE-2019-1579 in Palo Alto Networks products.

The vulnerabilities were first reported in July by researchers Orange Tsai and Meh Chang from DEVCORE, who found several flaws in Fortinet, Palo Alto Networks and Pulse Secure products. The issues could be exploited by threat actors to access corporate networks and steal sensitive documents.

“Users of these VPN products should investigate their logs for evidence of compromise, especially if it is possible that patches were not applied immediately after their release.” concludes the NCSC.

“Apart from specific product advice below, administrators should also look for evidence of compromised accounts in active use, such as anomalous IP locations or times.

Snort rules are available in open source, but may not pick up events for exploits over HTTPS.”

Pierluigi Paganini

(SecurityAffairs – vBulletin, data breach)

The post UK NCSC agency warns of APTs exploiting Enterprise VPN vulnerabilities appeared first on Security Affairs.

Hacker is auctioning a database containing details of 92 million Brazilians

A database containing details of 92 million Brazilians was auctioned by a threat actor on underground forums along with a search service focused on Brazilians.

Someone is auctioning on several restricted underground forums a database containing personal information of 92 million Brazilian citizens. The threat actor, registered as X4Crow, is also advertising a search service that allows retrieving detailed information on Brazilian citizens.

Source: Bleeping Computer

The records are arranged per province; they include names, dates of birth, and taxpayer ID (CPF – Cadastro de Pessoas Físicas), as well as taxpayer details about legal entities, i.e. the CNPJ (Cadastro Nacional da Pessoa Jurídica).

The initial price to participate in the auction is $15,000; participants can raise the bid by 110 each time.

“A post on one of the forums seen by BleepingComputer informs that the database is 16GB large, in SQL format. The starting price for the auction is $15,000 with a step up bid of $1,000.” reported BleepingComputer.

According to BleepingComputer researchers, who received a sample of the database, the data are authentic.

At the time of writing, it seems that the seller has not received any bid.

X4Crow also advertises a search service that allows retrieving detailed information on Brazilians (e.g. email address, profession, education level, possible relatives, neighbors, license plates, vehicle, ID card, driver’s license) simply by providing a full name, taxpayer ID, or phone number.

“There is no guarantee that all the details will be retrieved for all individuals but the report may provide, on average, 80% of the specifics listed above.” continues BleepingComputer.

Querying the service to retrieve data on a specific company and its corporate structure could cost up to $150.

According to BleepingComputer, X4Crow is considered a reliable actor in the cybercrime underground even though it has not been operating for long.

Pierluigi Paganini

(SecurityAffairs – Brazilians, cybercrime)

The post Hacker is auctioning a database containing details of 92 million Brazilians appeared first on Security Affairs.

Device & App Safety Guide for Families

While we talk about online safety each week on this blog, October is National Cybersecurity Awareness Month (NCSAM), a time to come together and turn up the volume on the digital safety and security conversation worldwide.

To kick off that effort, here’s a comprehensive Device and App Safety Guide to give your family quick ways to boost safety and security.

Device Safety Tips

  • Update devices. Updates play a critical role in protecting family devices from hackers and malware, so check for updates and install them promptly.
  • Disable geotagging. To keep photo data private, turn off geotagging, which embeds location information into digital photos.
  • Turn off location services. To safeguard personal activity from apps, turn off location services on all devices and within each app.
  • Review phone records. Monitor your child’s cell phone records for unknown numbers or excessive late-night texting or calls.
  • Lock devices. Most every phone comes with a passcode, facial, or fingerprint lock. Make locking devices a habit and don’t share passcodes with friends.
  • Add ICE to contacts. Make sure to put a parent’s name followed by ICE (in case of emergency) into each child’s contact list.
  • Back up data. To secure family photos and prevent data loss due to malware, viruses, or theft, regularly back up family data.
  • Use strong passwords. Passwords should be more than eight characters in length and contain a mix of capital and lower case letters and at least one numeric or non-alphabetical character. Also, use two-factor authentication whenever possible.
  • Stop spying. Adopting healthy online habits takes a full-court family press, so choose to equip over spying. Talk candidly about online risks, solutions, family ground rules, and consequences. If you monitor devices, make sure your child understands why.
  • Share wisely. Discuss the risks of sharing photos online with your kids and the effect it has on reputation now and in the future.
  • Protect your devices. Add an extra layer of protection to family devices with anti-virus and malware protection, and consider content filtering.
  • Secure IoT devices. IoT devices such as smart TVs, toys, smart speakers, and wearables are also part of the devices families need to safeguard. Configure privacy settings, read product reviews, secure your router, use a firewall, and use strong passwords at all connection points.

App Safety Tips

  • Evaluate apps. Apps have been known to put malware on devices, spy, grab data illegally, and track location and purchasing data without permission. Check app reviews for potential dangers and respect app age requirements.
  • Max privacy settings. Always choose the least amount of data-sharing possible within every app and make app profiles private.
  • Explore apps together. Learn about your child’s favorite apps, what the risks are, and how to adjust app settings to make them as safe as possible. Look at the apps on your child’s phone. Also, ask your child questions about his or her favorite apps and download and explore the app yourself.
  • Understand app cultures. Some of the most popular social networking apps can also contain inappropriate content that promotes pornography, hate, racism, violence, cruelty, self-harm, or even terrorism.
  • Monitor gaming. Many games allow real-time in-game messaging. Players can chat using text, audio, and video, which presents the same potential safety concerns as other social and messaging apps.
  • Discuss app risks. New, popular apps come out every week. Discuss risks such as anonymous bullying, inappropriate content, sexting, fake profiles, and data stealing.
  • Avoid anonymous apps. Dozens of apps allow users to create anonymous profiles. Avoid these apps and the inherent cyberbullying risks they pose.
  • Limit your digital circle. Only accept friend requests from people you know. And remember, “friends” aren’t always who they say they are. Review and reduce your friend list regularly.
  • Monitor in-app purchases. It’s easy for kids to go overboard with in-app purchases, especially on gaming apps.

Our biggest tip? Keep on talking. Talk about the risks inherent to the internet. Talk about personal situations that arise. Talk about mistakes. Nurturing honest, ongoing family dialogue takes time and effort but the payoff is knowing your kids can handle any situation they encounter online.

Stay tuned throughout October for more NCSAM highlights and information designed to help you keep your family safe and secure in the online world.

The post Device & App Safety Guide for Families appeared first on McAfee Blogs.