Daily Archives: January 20, 2020

Expert found a hardcoded SSH Key in Fortinet SIEM appliances

Expert found a hardcoded SSH public key in Fortinet’s Security Information and Event Management product FortiSIEM that can allow access to the FortiSIEM Supervisor.

Andrew Klaus, a security specialist from Cybera, discovered a hardcoded SSH public key in Fortinet’s Security Information and Event Management product FortiSIEM that can be used by attackers to access the FortiSIEM Supervisor.

The expert discovered that the Fortinet devices share the same SSH key for the user ‘tunneluser’, and it is stored in plain text.

“FortiSIEM has a hardcoded SSH public key for user “tunneluser” which is the same between all installs. An attacker with this key can successfully authenticate as this user to the FortiSIEM Supervisor.” reads the security advisory. “The unencrypted key is also stored inside the FortiSIEM image. While the user’s shell is limited to running the /opt/phoenix/phscripts/bin/tunnelshell script, SSH authentication still succeeds.”

Fortinet published a security advisory for the issue that is tracked as CVE-2019-17659.

The vulnerability could be exploited by attackers to trigger a denial of service condition.

“A use of hard-coded cryptographic key vulnerability in FortiSIEM may allow a remote unauthenticated attacker to obtain SSH access to the supervisor as the restricted user “tunneluser” by leveraging knowledge of the private key from another installation or a firmware image.” reads the advisory.

The user ‘tunneluser’ only runs in a restricted shell that lets only that user create tunnel connections from the supervisor to the originating IP.

The feature was implemented to enable connecting to collectors from the supervisor when there is a firewall between the collector and the supervisor.

Fortinet invites customers that are not using the reverse tunnel feature to disable SSH on port 19999, which only allows tunneluser to authenticate. Fortinet also advises customers to disable “tunneluser” SSH access on port 22.

Below the timeline of the vulnerability:

  • Dec 2, 2019: Email sent to Fortinet PSIRT with vulnerability details.
  • Dec 3, 2019: Automated reply from PSIRT that email was received.
  • Dec 23, 2019: Sent a reminder email to PSIRT about requesting a human confirmation.
  • Jan 3, 2019: Public Release.

The flaw affects FortiSIEM version 5.2.6 and below; the tech firm addressed it with the release of FortiSIEM version 5.2.7.
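The core defect described above is a public key that is identical across every install, so a defender can find it without knowing the vendor's key at all: collect the authorized_keys entries from each appliance, fingerprint them the way `ssh-keygen -l -E sha256` does, and flag any fingerprint that appears on more than one host. The script below is an added example, not Fortinet's code or the researcher's; the key material and host names are constructed in the script (a fake 32-byte ed25519 key wrapped in SSH wire format), and the `tunneluser_denied` check assumes a generic OpenSSH `sshd_config` using the standard `DenyUsers` directive, which is one way to apply the advice to block “tunneluser” on port 22.

```python
import base64
import hashlib
import struct
from collections import defaultdict


def _ssh_string(b: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length prefix)."""
    return struct.pack(">I", len(b)) + b


def make_key_line(key_type: str, raw_key: bytes, comment: str) -> str:
    """Build a constructed authorized_keys line from fake raw key bytes.

    Only used here to create sample input; the blob layout (string key-type,
    string key) matches what real ssh-ed25519 public keys look like on disk,
    so fingerprint() behaves exactly as it would on real entries.
    """
    blob = _ssh_string(key_type.encode()) + _ssh_string(raw_key)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"


def fingerprint(authorized_keys_line: str) -> str:
    """SHA256 fingerprint of one authorized_keys entry, in ssh-keygen's format."""
    fields = authorized_keys_line.split()
    # Entries may begin with options such as command="..."; the key blob is the
    # field that follows the first key-type token (ssh-ed25519, ssh-rsa, ...).
    for i, field in enumerate(fields):
        if field.startswith(("ssh-", "ecdsa-")) and i + 1 < len(fields):
            blob = base64.b64decode(fields[i + 1])
            digest = hashlib.sha256(blob).digest()
            # ssh-keygen prints the base64 digest without '=' padding.
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    raise ValueError("no key blob found in authorized_keys line")


def shared_keys(fleet: dict) -> dict:
    """Return {fingerprint: sorted hosts} for every key present on more than one host."""
    seen = defaultdict(set)
    for host, lines in fleet.items():
        for line in lines:
            if line.strip() and not line.lstrip().startswith("#"):
                seen[fingerprint(line)].add(host)
    return {fp: sorted(hosts) for fp, hosts in seen.items() if len(hosts) > 1}


def tunneluser_denied(sshd_config: str) -> bool:
    """True if the sshd_config text has a DenyUsers line that names tunneluser.

    sshd keywords are case-insensitive and '#' starts a comment.
    """
    for line in sshd_config.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0].lower() == "denyusers" and "tunneluser" in parts[1:]:
            return True
    return False


# Constructed fleet of three appliances: the same "vendor" key (fake bytes 0..31)
# is present on all of them, while each host also carries its own admin key.
VENDOR_KEY = make_key_line("ssh-ed25519", bytes(range(32)), "tunneluser@image")
FLEET = {
    "siem-a": [VENDOR_KEY, make_key_line("ssh-ed25519", b"A" * 32, "admin@a")],
    "siem-b": [VENDOR_KEY, make_key_line("ssh-ed25519", b"B" * 32, "admin@b")],
    # A forced-command entry, as a restricted tunnel shell would be configured.
    "siem-c": ['command="/opt/phoenix/phscripts/bin/tunnelshell" ' + VENDOR_KEY],
}

if __name__ == "__main__":
    for fp, hosts in shared_keys(FLEET).items():
        print(f"{fp} is present on {len(hosts)} hosts: {', '.join(hosts)}")
    print("tunneluser denied on port 22:", tunneluser_denied("DenyUsers tunneluser\n"))
```

The forced `command=` option on the third host does not change the result: the fingerprint is computed on the key blob alone, so a key that is restricted to a tunnel shell is still reported as shared, which is exactly the point of the advisory (authentication still succeeds even though the shell is limited).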

Pierluigi Paganini

(SecurityAffairs – FortiSIEM, hacking)

The post Expert found a hardcoded SSH Key in Fortinet SIEM appliances appeared first on Security Affairs.

Data-driven vehicles: The next security challenge

Companies are increasingly building smart products that are tailored to know the individual user. In the automotive world, the next generation passenger vehicle could behave like a personal chauffeur, sentry and bodyguard rolled into one. Over the next decade, every car manufacturer that offers any degree of autonomy in a vehicle will be forced to address the security of both the vehicle and your data, while also being capable of recognizing and defending against threats … More

The post Data-driven vehicles: The next security challenge appeared first on Help Net Security.

Review: Enzoic for Active Directory

Seemingly every day news drops that a popular site with millions of users had been breached and its user database leaked online. Almost without fail, attackers try to use those leaked user credentials on other sites, making password stuffing one of the most common attacks today. Users often use the same username/email and password combination for multiple accounts and, unfortunately, enterprise accounts are no exception. Attackers can, therefore, successfully use leaked credentials to access specific … More

The post Review: Enzoic for Active Directory appeared first on Help Net Security.

Techniques and strategies to overcome Kubernetes security challenges

Five security best practices for DevOps and development professionals managing Kubernetes deployments have been introduced by Portshift. Integrating these security measures into the early stages of the CI/CD pipeline will assist organizations in the detection of security issues earlier, allowing security teams to remediate issues quickly. Kubernetes as the market leader The use of containers continues to rise in popularity in test and production environments, increasing demand for a means to manage and orchestrate them. … More

The post Techniques and strategies to overcome Kubernetes security challenges appeared first on Help Net Security.


When traveling, it is very easy to forget where you are when discussing business with colleagues. That airport, taxi, restaurant or hotel lobby may have individuals nearby eavesdropping on your conversation. When discussing confidential information, agree to hold off on the conversation until you can be assured of privacy. Also, be careful not to share sensitive information with strangers you meet.

Revenue from cloud IT infrastructure products declines

Vendor revenue from sales of IT infrastructure products (server, enterprise storage, and Ethernet switch) for cloud environments, including public and private cloud, declined in the third quarter of 2019 (3Q19) as the overall IT infrastructure market continues to experience weakening sales following strong growth in 2018, IDC reveals. The decline of 1.8% year over year was much softer than in 2Q19 as the overall spend on IT infrastructure for cloud environments reached $16.8 billion. IDC … More

The post Revenue from cloud IT infrastructure products declines appeared first on Help Net Security.

BakerHostetler’s multidisciplinary practice group helps clients leverage data and technology

Data is everything to businesses and organizations across the globe. For more than a decade, different teams at law firm BakerHostetler have been at the forefront of helping clients leverage data and technology to transform their products and services. Following its own advice of using an enterprise approach to address these issues, BakerHostetler merged its teams into a unique multidisciplinary practice group to help clients address the spectrum of issues in this area. The new … More

The post BakerHostetler’s multidisciplinary practice group helps clients leverage data and technology appeared first on Help Net Security.

Datadog expands support for channel partners with Partner Network

Datadog, the monitoring and analytics platform for developers, IT operations teams and business users in the cloud age, announced the Datadog Partner Network, a new program expanding Datadog’s support for channel partners. The Datadog Partner Network will bring benefits to partners including: Go-to-market collateral; Self-service training for implementation; Opportunity registration in the Partner Portal; and a Partner Locator Listing. Members of the Datadog Partner Network will have access to training and accreditation programs for Datadog … More

The post Datadog expands support for channel partners with Partner Network appeared first on Help Net Security.

Mellanox OpenStack software includes native upstream support for HDR 200 Gb InfiniBand network

Mellanox Technologies, a leading supplier of high-performance, end-to-end smart interconnect solutions for data center servers and storage systems, announced that OpenStack software includes native and upstream support for virtualization over HDR 200 gigabit InfiniBand network, enabling customers to build high-performance OpenStack-based cloud services over the most enhanced interconnect infrastructure, taking advantage of InfiniBand’s extremely low latency, high data-throughput, In-Network Computing and more. By leveraging the upstream OpenStack ‘Train’ software release, data center managers and providers … More

The post Mellanox OpenStack software includes native upstream support for HDR 200 Gb InfiniBand network appeared first on Help Net Security.

Synopsys joins Autonomous Vehicle Computing Consortium to deliver safer and affordable vehicles

Synopsys announced that it has joined the new Autonomous Vehicle Computing Consortium. The Consortium brings together leading experts in the automotive, automotive supply, semiconductor and computing industries to help accelerate the delivery of safer and affordable vehicles. As a member of the Consortium, Synopsys will actively contribute to the development of a set of recommendations for system architectures and computing platforms that will be used to address the challenges of deploying self-driving vehicles at scale. … More

The post Synopsys joins Autonomous Vehicle Computing Consortium to deliver safer and affordable vehicles appeared first on Help Net Security.

Anexsys partners with Brainspace to help clients solve complex data challenges

Anexsys, the leading UK consulting firm specialising in legal support and e-discovery is delighted to announce their new partnership with Brainspace, the world’s leading data analytics platform for investigations, eDiscovery, and compliance. Anexsys has integrated the Brainspace platform as part of the firm’s e-discovery managed services solution, enabling clients to conduct early case assessments and manage the growing volume and complexity of complex litigation and investigations. “At Anexsys we are committed to delivering innovative new … More

The post Anexsys partners with Brainspace to help clients solve complex data challenges appeared first on Help Net Security.

Quanergy Systems announces corporate changes to drive next phase of growth

Quanergy Systems, a leading provider of LiDAR (Light Detection and Ranging) sensors and perception software solutions, announced a number of important corporate changes to ensure successful execution in the company’s next phase of growth. The fast-growing global LiDAR market is estimated to reach $10B by 2025, and throughout 2019 Quanergy achieved several important milestones that solidified its position as an industry leader. Quanergy strengthened its financial performance, asserted product leadership, and expanded dominance in target … More

The post Quanergy Systems announces corporate changes to drive next phase of growth appeared first on Help Net Security.

WorldRemit appoints Scott Eddington to lead the Asia Pacific business

Leading mobile payments company WorldRemit has appointed seasoned digital executive Scott Eddington to lead the Asia Pacific business as it positions itself to help even more customers make secure, quick and affordable cross border payments. Scott will be responsible for accelerating WorldRemit’s mobile payments service in Asia Pacific, which currently allows customers to send from Australia, New Zealand, Japan, Hong Kong and Singapore. Developments in Asia such as the ASEAN Economic Community (AEC) envision free … More

The post WorldRemit appoints Scott Eddington to lead the Asia Pacific business appeared first on Help Net Security.

Judi Dotson to lead Booz Allen Hamilton’s National Security business

Booz Allen Hamilton announced that Judi Dotson, an Executive Vice President, will lead the firm’s National Security business and join the firm’s Leadership Team, effective April 1. Throughout her 31 years at the firm, Dotson has developed market strategies, built teams and shaped business with a wide variety of federal defense and civilian clients. She now leads the firm’s Joint Combatant Command account, with clients throughout the Defense Department’s technology community. “Judi Dotson is an … More

The post Judi Dotson to lead Booz Allen Hamilton’s National Security business appeared first on Help Net Security.

DDoS Mitigation Firm Founder Admits to DDoS

A Georgia man who co-founded a service designed to protect companies from crippling distributed denial-of-service (DDoS) attacks has pleaded guilty to paying a DDoS-for-hire service to launch attacks against others.

Tucker Preston, 22, of Macon, Ga., pleaded guilty last week in a New Jersey court to one count of damaging protected computers by transmission of a program, code or command. DDoS attacks involve flooding a target Web site with so much junk Internet traffic that it can no longer accommodate legitimate visitors.

Preston was featured in the 2016 KrebsOnSecurity story DDoS Mitigation Firm Has History of Hijacks, which detailed how the company he co-founded — BackConnect Security LLC — had developed the unusual habit of hijacking Internet address space it didn’t own in a bid to protect clients from attacks.

Preston’s guilty plea agreement (PDF) doesn’t specify who he admitted attacking, and refers to the target only as “Victim 1.” Preston declined to comment for this story.

But that 2016 story came on the heels of an exclusive about the hacking of vDOS — at the time the world’s most popular and powerful DDoS-for-hire service.

KrebsOnSecurity exposed the co-administrators of vDOS and obtained a copy of the entire vDOS database, including its registered users and a record of the attacks those users had paid vDOS to launch on their behalf.

Those records showed that several email addresses tied to a domain registered by then 19-year-old Preston had been used to create a vDOS account that was active in attacking a large number of targets, including multiple assaults on networks belonging to the Free Software Foundation (FSF).

The 2016 story on BackConnect featured an interview with a former system administrator at FSF who said the nonprofit briefly considered working with BackConnect, and that the attacks started almost immediately after FSF told the company’s owners they would need to look elsewhere for DDoS protection.

Perhaps having fun at the expense of the FSF was something of a meme that the accused and his associates seized upon, but it’s interesting to note that the name of the FSF’s founder, Richard Stallman, was used as a nickname by the co-author of Mirai, a potent malware strain that was created for the purposes of enslaving Internet of Things (IoT) devices for large-scale DDoS attacks.

Ultimately, it was the Mirai co-author’s use of this nickname that contributed to him getting caught, arrested, and prosecuted for releasing Mirai and its source code (as well as for facilitating a record-setting DDoS against this Web site in 2016).

According to a statement from the U.S. Justice Department, the count to which he pleaded guilty is punishable by a maximum of 10 years in prison and a fine of up to $250,000, or twice the gross gain or loss from the offense. He is slated to be sentenced on May 7.

Citrix Releases First Patches to Fix Severe Vulnerability

Researchers Discovered Software Flaw in December

Citrix has released the first of several patches that address a vulnerability in its Application Delivery Controller and Gateway products that was discovered by researchers in December. If left unpatched, the vulnerability is remotely exploitable and could allow access to applications and internal networks.

How Industry Collaboration Created a Unified PIN Standard

On the blog we discuss a joint collaboration between PCI SSC and ASC X9 to create a unified PIN standard with Troy Leach, Senior Vice President, of the PCI SSC and Steve Stevens, Executive Director of ASC X9. In response to industry feedback, the Accredited Standards Committee X9 Inc. (ASC X9) and the PCI Security Standards Council (PCI SSC) have recently completed a joint initiative to create one unified PIN Security Standard for payments stakeholders.

Mitsubishi Electric discloses data breach, media blame China-linked APT

Mitsubishi Electric disclosed a security breach that might have exposed personal and confidential corporate information.

Mitsubishi Electric disclosed a security breach that might have exposed personal and confidential corporate data. According to the company, attackers did not obtain sensitive information about defense contracts.

The breach was detected almost eight months ago, on June 28, 2019, with the delay being attributed to the increased complexity of the investigation caused by the attackers deleting activity logs.

“On June 28, last year, a suspicious behavior was detected and investigated on a terminal in our company, and as a result of unauthorized access by a third party, data was transmitted to the outside,” reads a data breach notification published by the company.

The intrusion took place on June 28, 2019, and the company launched an investigation in September 2019. Mitsubishi Electric disclosed the security incident only after two local newspapers, the Asahi Shimbun and Nikkei, reported the security breach.

Mitsubishi Electric had also already notified members of the Japanese government and Ministry of Defense.

This morning, at a press conference, Yoshii Kan, a secretary-general of Japan, said that the company had reported the intrusion. Although Mitsubishi Electric is dealing with government agencies such as the Ministry of Defense, Mr. Kan said, “I was notified that it was confirmed that there was no leak of sensitive information such as defense equipment and electric power.”

“Mitsubishi Electric, a major general electronics maker, has been hit by a large-scale cyber attack, and it has been found that information about public and private business partners such as highly confidential defense-related and important social infrastructure such as electric power and railroad may leak out.” reported the Asahi Shimbun. “An internal survey found that computers and servers at headquarters and major sites were subject to numerous unauthorized accesses.”

The two media outlets attribute the cyber attack to a China-linked cyber espionage group tracked as Tick (aka Bronze Butler).

The hacker group has been targeting Japanese heavy industry, manufacturing and international relations at least since 2012.

According to the experts, the group is linked to the People’s Republic of China and is focused on exfiltrating confidential data.

“According to people involved, Chinese hackers Tick may have been involved. According to Mitsubishi Electric, ‘logs (to check for leaks) have been deleted and it is not possible to confirm whether or not they actually leaked.’” reported the Nikkei.

“According to the company, at least tens of PCs and servers in Japan and overseas have been found to have been compromised. The amount of unauthorized access is approximately 200 megabytes, mainly for documents.”

The security breach was discovered after Mitsubishi Electric staff found a suspicious file on one of the company’s servers; further investigation allowed the company to determine that an employee account had been compromised.

According to the media, hackers gained access to the networks of around 14 company departments, including sales and the head administrative office. Threat actors stole around 200 MB of files including:

  • Personal information and recruitment applicant information (1,987) 
  • New graduate recruitment applicants who joined the company from October 2017 to April 2020, and experienced recruitment applicants from 2011 to 2016 and our employee information (4,566) 
  • 2012 Survey results regarding the personnel treatment system implemented for employees in the headquarters in Japan, and information on retired employees of our affiliated companies (1,569) 

“Exchanges with government agencies such as the Ministry of Defense, the Nuclear Regulatory Commission, the Agency for Natural Resources and Energy, the Cabinet Office, and the Ministry of the Environment,” as well as “transaction-related conference materials such as joint development with private companies such as electric power, railways, and telecommunications, and product orders” might also have been leaked, reported Kyodo News.

The company is still investigating the security breach, but it seems that attackers have attempted to delete any evidence of the attack.

Mitsubishi Electric is going to report the incident to the affected customers.

“We are informing the affected customers of the possible breach of trade secrets,” states the company.

Pierluigi Paganini

(SecurityAffairs – data breach, hacking)

The post Mitsubishi Electric discloses data breach, media blame China-linked APT appeared first on Security Affairs.

US Could Appoint a Cybersecurity Leader for Each State

The USA is considering legislation that would protect local governments by requiring the appointment of a cybersecurity leader for each state.

Backers of the Cybersecurity State Coordinator Act of 2020 say the proposed law will improve intelligence sharing between state and federal governments and speed up incident response times in the event of a cyber-attack.

Under the legislation, the director of the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency would be tasked with appointing an employee of the agency in each state to serve as cybersecurity state coordinator. 

Money to create these positions would come from the federal government, which would be required to ring-fence the necessary funding. 

The role of each state coordinator would be multifaceted, combining elements of training, advisory work, and program development.

Each leader would serve as a principal federal cybersecurity risk advisor, coordinating efforts to prepare for, respond to, and remediate cyber-attacks. Another core responsibility would be to raise awareness of the financial, technical, and operational resources available to nonfederal entities from the federal government.

Coordinators would be expected to support training, exercises, and planning for continuity of operations to expedite as swift a recovery as possible from cybersecurity incidents. Furthermore, they would be called on to assist nonfederal entities in developing and coordinating vulnerability disclosure programs consistent with federal and information security industry standards.

"State, local, Tribal, and territorial entities face a growing threat from advanced persistent threat actors, hostile nation states, criminal groups, and other malicious cyber actors," reads the bill. "There is an urgent need for greater engagement and expertise from the Federal Government to help these entities build their resilience and defenses."

The bill, which has attracted bi-partisan support, was introduced by Senators Maggie Hassan and Gary Peters and is co-sponsored by senators John Cornyn of Texas and Rob Portman of Ohio.

Portman said: "This bipartisan bill, which creates a cybersecurity state coordinator position, would help bolster state and local governments' cybersecurity by facilitating their relationship with the federal government to ensure they know what preventative resources are available to them as well as who to turn to if an attack occurs."

How companies can prepare for a heightened threat environment

With high levels of political unrest in various parts of the world, it’s no surprise we’re also in a period of increased cyber threats. In the past, a company’s name, political affiliations, or religious affiliations might push the risk needle higher. However, in the current environment any company could be a potential target for a cyberattack. Companies of all shapes, sizes, and varying security maturity are asking what they could and should be doing to ensure their safeguards are primed and ready. To help answer these questions, I created a list of actions companies can take and controls they can validate in light of the current level of threats—and during any period of heightened risk—through the Microsoft lens:

  • Implement Multi-Factor Authentication (MFA)—It simply cannot be said enough—companies need MFA. The security posture at many companies is hanging by the thread of passwords that are weak, shared across social media, or already for sale. MFA is now the standard authentication baseline and is critical to basic cyber hygiene. If real estate is “location, location, location,” then cybersecurity is “MFA, MFA, MFA.” To learn more, read How to implement Multi-Factor Authentication (MFA).
  • Update patching—Check your current patch status across all environments. Make every attempt to patch all vulnerabilities and focus on those with medium or higher risk if you must prioritize. Patching is critically important as the window between discovery and exploit of vulnerabilities has shortened dramatically. Patching is perhaps your most important defense and one that, for the most part, you control. (Most attacks utilize known vulnerabilities.)
  • Manage your security posture—Check your Secure Score and Compliance Score for Office 365, Microsoft 365, and Azure. Also, take steps to resolve all open recommendations. These scores will help you to quickly assess and manage your configurations. See “Resources and information for detection and mitigation strategies” below for additional information. (Manage your scores over time and use them as a monitoring tool for unexpected consequences from changes in your environment.)
  • Evaluate threat detection and incident response—Increase your threat monitoring and anomaly detection activities. Evaluate your incident response from an attacker’s perspective. For example, attackers often target credentials. Is your team prepared for this type of attack? Are you able to engage left of impact? Consider conducting a tabletop exercise to consider how your organization might be targeted specifically.
  • Resolve testing issues—Review recent penetration test findings and validate that all issues were closed.
  • Validate distributed denial of service (DDoS) protection—Does your organization have the protection you need or stable access to your applications during a DDoS attack? These attacks have continued to grow in frequency, size, sophistication, and impact. They often are utilized as a “cyber smoke screen” to mask infiltration attacks. Your DDoS protection should be always on, automated for network layer mitigation, and capable of near real-time alerting and telemetry.
  • Test your resilience—Validate your backup strategies and plans, ensuring offline copies are available. Review your most recent test results and conduct additional testing if needed. If you’re attacked, your offline backups may be your strongest or only lifeline. (Our incident response teams often find companies are surprised to discover their backup copies were accessible online and were either encrypted or destroyed by the attacker.)
  • Prepare for incident response assistance—Validate you have completed any necessary due diligence and have appropriate plans to secure third-party assistance with responding to an incident/attack. (Do you have a contract ready to be signed? Do you know who to call? Is it clear who will decide help is necessary?)
  • Train your workforce—Provide a new/specific round of training and awareness information for your employees. Make sure they’re vigilant to not click unusual links in emails and messages or go to unusual or risky URLs/websites, and that they have strong passwords. Emphasize protecting your company contributes to the protection of the financial economy and is a matter of national security.
  • Evaluate physical security—Step up validation of physical IDs at entry points. Ensure physical reviews of your external perimeter at key offices and datacenters are being carried out and are alert to unusual indicators of access attempts or physical attacks. (The “see something/say something” rule is critically important.)
  • Coordinate with law enforcement—Verify you have the necessary contact information for your local law enforcement, as well as for your local FBI office/agent (federal law enforcement). (Knowing who to call and how to reach them is a huge help in a crisis.)

The hope, of course, is there will not be any action against any company. Taking the actions noted above is good advice for any threat climate—but particularly in times of increased risk. Consider creating a checklist template you can edit as you learn new ways to lower your risk and tighten your security. Be sure to share your checklist with industry organizations such as FS-ISAC. Finally, if you have any questions, be sure to reach out to your account team at Microsoft.

Resources and information for detection and mitigation strategies

In addition, bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

About the author

Lisa Lee is a former U.S. banking regulator who helped financial institutions of all sizes prepare their defenses against cyberattacks and reduce their threat landscape. In her current role with Microsoft, she advises Chief Information Security Officers (CISOs) and other senior executives at large financial services companies on cybersecurity, compliance, and identity. She utilizes her unique background to share insights about preparing for the current cyber threat landscape.

The post How companies can prepare for a heightened threat environment appeared first on Microsoft Security.

Possessing Ransomware Could Become Illegal in Maryland

Lawmakers in the state of Maryland are considering making it a criminal offense to be in possession of ransomware. 

A bill was introduced on Tuesday, January 14, that seeks to penalize Marylanders who knowingly possess the malware and intend to use it to cause harm. The bill also grants victims of a ransomware attack the right to sue the hacker for damages in civil court. 

The state has already outlawed the use of malicious technology to extort money out of victims. Senate Bill 30, which was heard before the Senate Judicial Proceedings Committee last week, would make it a misdemeanor to be in possession of ransomware with the intent to use it in a malicious manner.

Any person convicted of this misdemeanor could face 10 years in prison and/or a fine of up to $10,000. 

The proposed law would not apply to cybersecurity researchers who may be in possession of ransomware for innocent research purposes.

Senator Susan Lee, who is the lead sponsor of the bill, said that it "gives prosecutors tools to charge offenders.”

Assuming a remarkable level of naiveté on the part of cyber-criminals who use ransomware to extort vast sums of money from organizations and individuals, Lee said that it was "important to establish [the bill] so criminals know it’s a crime."

In January 2019, the Salisbury, Maryland, police department suffered a ransomware attack that prevented officers from accessing the department's computer network. Four months later, Baltimore, the state's largest urban conurbation, was hit by a ransomware attack that is estimated to have cost around $18m. 

Possessing ransomware is already a criminal offense in several US states, including Michigan and California. The fight against ransomware was led by Wyoming, which in 2014 became the first state to make it illegal to possess ransomware, spyware, adware, keyloggers, and several other types of malware.

There's no denying that ransomware is causing problems in the United States. In 2019 alone, this particular strain of malware impacted at least 113 state and municipal governments and agencies, 764 healthcare providers, and 89 universities, colleges, and school districts, with estimated costs of $7.5bn. 

According to a ransomware report by cybersecurity firm Emsisoft, "the only way to stop ransomware is to make it unprofitable, and that means the public sector must practice better cybersecurity so that ransoms need not be paid."

Mitsubishi Electric Discloses Information Leak

Japanese company Mitsubishi Electric has today disclosed an information leak that occurred over six months ago. 

The century-old electronics and electrical equipment manufacturing firm announced the breach by issuing a brief statement on its website.

An official internal investigation was launched after suspicious activity was observed taking place on June 28, 2019. The company said that upon noting the unusual behavior on the network, measures were immediately taken to restrict external access. 

According to Nippon.com, hackers accessed servers and computers at Mitsubishi headquarters and other offices belonging to the company in a large-scale cyber-attack. 

Mitsubishi said: "We have confirmed that our network may have been subject to unauthorized access by third parties and that personal information and corporate confidential information may have been leaked to the outside."

Mitsubishi announced the breach today after it was reported by two newspapers, the Asahi Shimbun and Nikkei. A theory put forward by both local papers is that the attack was initiated by a cyber-espionage group with links to the People's Republic of China. 

While Nikkei reported that hackers swiped 200 MB of information from Mitsubishi, the manufacturer claims that its investigation of the incident uncovered no evidence that any sensitive data connected to its business partners or government defense contracts had been stolen or misused. 

In a statement no doubt intended to reassure Mitsubishi's corporate parents, the company wrote: "As a result of an internal investigation, it has been confirmed that sensitive information on social infrastructure such as defense, electric power, and railways, highly confidential technical information, and important information concerning business partners has not been leaked." 

When announcing the incident, Mitsubishi didn't explain why it had waited so long after discovering the breach to go public with the news. However, the inclusion of the comment "to date, no damage or impact related to this matter has been confirmed" could imply that the company chose to hold back information until it had a clear idea of what the effects of the breach might be.

Japan's chief cabinet secretary Yoshihide Suga said the government had been informed of the cybersecurity breach and that there was no leak of information related to defense equipment or to the electric power sector.

Sextortion scam leverages Nest video footage to fool victims into believing they are being spied upon everywhere

A bizarre sextortion scam is attempting to trick victims into believing that not only has their smartphone been hacked to spy upon their private lives, but so has every other device they have encountered which contains a built-in camera.

Read more in my article on the Hot for Security blog.

Citrix starts releasing permanent fixes for critical controller vulnerability

Citrix is urging infosec pros to quickly install fixes to versions of its Application Delivery Controller released Sunday to plug a vulnerability that is already being exploited by attackers.

“We urge customers to immediately install these fixes,” the company said on its website.

There are several versions of the controller, it added, and administrators have to apply the correct version fix to each system.

The patches are the first of several permanent fixes being released for Citrix ADC (formerly known as NetScaler ADC), Citrix Gateway (formerly known as NetScaler Gateway), and certain deployments of two older Citrix SD-WAN WANOP versions, 10.2.6 and 11.0.3, for a vulnerability that, if exploited, could allow an unauthenticated attacker to perform arbitrary code execution.

Until now, admins could only apply mitigations for the vulnerability, tracked as CVE-2019-19781 and first announced on December 17.

The initial permanent fixes for ADC versions 11.1 and 12.0 are available as downloads here and here. Citrix says they also apply to Citrix ADC and Citrix Gateway Virtual Appliances (VPX) hosted on any of ESX, Hyper-V, KVM, XenServer, Azure, AWS, GCP or on a Citrix ADC Service Delivery Appliance (SDX). SVM on SDX does not need to be updated.

All Citrix ADC and Citrix Gateway 11.1 instances (MPX or VPX) have to be upgraded to build to install the security vulnerability fixes. It is necessary to upgrade all Citrix ADC and Citrix Gateway 12.0 instances (MPX or VPX) to build to install the security vulnerability fixes.

Permanent fixes for other ADC versions and for SD-WAN WANOP will be released sooner than previously announced. The patches for ADC version 12.1, version 13 and 10.5 will all now be released January 24. In the meantime, the previously announced mitigations need to be applied for those products.

According to FireEye it hasn’t taken long for attackers to try to exploit the vulnerability.

“After analyzing dozens of successful exploitation attempts against Citrix ADCs that did not have the Citrix mitigation steps implemented, we’ve recognized multiple groups of post-exploitation activity,” FireEye said last week.

Interestingly, it added, one threat actor has recently been getting into Citrix devices vulnerable to this exploit and blocking others from using it. At the same time, though, it deploys a previously-unseen backdoor to NetScaler devices. FireEye suspects that attackers may be quietly collecting access to NetScaler devices for a subsequent campaign.

Clearview AI and Facial Recognition

The New York Times has a long story about Clearview AI, a small company that scrapes identified photos of people from pretty much everywhere, and then uses unstated magical AI technology to identify people in other photos.

His tiny company, Clearview AI, devised a groundbreaking facial recognition app. You take a picture of a person, upload it and get to see public photos of that person, along with links to where those photos appeared. The system -- whose backbone is a database of more than three billion images that Clearview claims to have scraped from Facebook, YouTube, Venmo and millions of other websites -- goes far beyond anything ever constructed by the United States government or Silicon Valley giants.

Federal and state law enforcement officers said that while they had only limited knowledge of how Clearview works and who is behind it, they had used its app to help solve shoplifting, identity theft, credit card fraud, murder and child sexual exploitation cases.

But without public scrutiny, more than 600 law enforcement agencies have started using Clearview in the past year, according to the company, which declined to provide a list. The computer code underlying its app, analyzed by The New York Times, includes programming language to pair it with augmented-reality glasses; users would potentially be able to identify every person they saw. The tool could identify activists at a protest or an attractive stranger on the subway, revealing not just their names but where they lived, what they did and whom they knew.

And it's not just law enforcement: Clearview has also licensed the app to at least a handful of companies for security purposes.

Another article.

EDITED TO ADD (1/23): Twitter told the company to stop scraping its photos.

Citrix Releases Patches for Critical ADC Vulnerability Under Active Attack

Citrix has finally started rolling out security patches for a critical vulnerability in ADC and Gateway software that attackers started exploiting in the wild earlier this month after the company announced the existence of the issue without releasing any permanent fix. I wish I could say, "better late than never," but since hackers don't waste time or miss any opportunity to exploit

Defend Yourself Now and in the Future Against Mobile Malware

The world has gone mobile and the US is leading the way. It’s estimated that the number of smartphone users alone topped 257 million in the States in 2018. That means three-quarters (74%) of households now boast at least one mobile device. And in this new digital world, it’s mobile applications that really matter. They’re a one-click gateway to our favorite videos, live messaging, email, banking, social media and much more.

There are said to be around 2.8 million of these apps on the official Google Play Store today. But unfortunately, where there are users, there are also hackers looking to capitalize. And one of their favorite ways to make money is by tricking you into downloading a malicious app they’ve sneaked onto the marketplace.

Most recently, 42 such apps had to be removed after being installed eight million times over the period of a year, flooding victims’ screens with unwanted advertising. This is just the tip of the iceberg. As more of us turn to mobile devices as our primary internet gateway, the bad guys will follow suit. Trend Micro blocked over 86 million mobile threats in 2018, and we can expect this figure to increase into the future.

So how can you protect your devices and your data from hackers?

Adware ahoy

The latest bunch of 42 apps are from a class of malicious software known as adware. This follows a previous discovery by Trend Micro earlier this year of a further 85 adware-laden apps downloaded eight million times. Cyber-criminals fraudulently make money by displaying unwanted ads on the victim’s device. In the meantime, the user has to contend with annoying pop-ups which can run down the device’s battery and eat up computing resources. Some even silently gather user information.

Ones to watch

Unfortunately, it’s increasingly difficult to spot malicious apps on the Play Store. A popular tactic for hackers is to hide their malware in titles which impersonate legitimate applications. A recent two-year study found thousands of such counterfeits on the Play Store, exposing users unwittingly to malware. Banking apps are a particularly popular type of title to impersonate as they can provide hackers with highly lucrative log-ins to open users’ accounts.

Some malware, like the recently disclosed Agent Smith threat, works by replacing all the legitimate apps on a user’s device with malicious alter-egos.

So, as we hit 2020, what other threats hidden in legitimate-seeming apps should mobile users be looking out for?

  • More intrusive adware.
  • Cryptocurrency mining malware. This will run in the background, eating up your device battery and computing power. Trend Micro noted a 450% increase in infections from 2017 to 2018.
  • Banking Trojans designed to harvest your log-ins so hackers can get their hands on your savings. Our detections of this malware soared 98% between 2017-18.
  • Ransomware. These attacks have evolved from simple screen lockers to malware designed to encrypt all the files on your device.
  • Premium rate services. Some malware will covertly text or call premium rate SMS numbers under the control of the hacker, thus making them money and costing you potentially significant sums. ExpensiveWall malware, for example, was found in 50 Google Play apps and downloaded millions of times, charging victims’ accounts for fake services.
  • Information theft. Some malware will allow hackers to eavesdrop on your conversations, and/or hoover up your personal data, including phone number, email address, and account log-ins. This data can then be sold on the dark web and used in follow-on identity fraud attempts.

Is Google helping?

The Android ecosystem has always been, and remains, a bigger threat than iOS because it’s relatively easier for developers to get their applications onto the official marketplace. Now, it’s true that Google carries out some vetting of the apps on its Play Store and it is getting better and quicker at spotting and blocking malware. It says the number of rejected app submissions grew by over 55% in 2018 while app suspensions increased by over 66%.

However, Google’s Play Protect, which is pre-installed on Android devices, has garnered less than favorable reviews. This anti-malware solution is intended to scan for malicious apps to prevent you from downloading them, but it has been criticized for its “terrible malware protection.”

In fact, in independent tests run in July by German organization AV-TEST, Google Play Protect found just 44% of the 3,347 “real-time” online malware threats, and just 55% of the 3,433 malware samples that were collected in the previous month. According to Tom’s Guide, “these scores are all well below the industry averages, which were always 99.5% or above in both categories for all three rounds.”

How do I stay safe?

So how can mobile users ensure their personal data and devices are secure from the growing range of app-based threats?

Consider the following:

  • Only visit official app stores. Even though Google Play has a malware problem, it is more secure than third-party app stores. In fact, you are 23 times more likely to install a potentially harmful application (PHA) outside Play, according to Google.
  • Ensure you’re on the latest operating system version.
  • Do not root your device as this can expose it to threats.
  • Be cautious. If the app is requesting an excessive number of permissions, it may be malicious.
  • Install on-device AV from a reputable third-party provider like Trend Micro.

How Trend Micro Mobile Security helps

Trend Micro Mobile Security (TMMS) offers customers comprehensive anti-malware capabilities via its real-time Security Scan function. Security Scan alerts you to any malware hidden in apps before they are installed and suggests legitimate versions. It can also be manually run on devices to detect and remove malicious apps, including ransomware, that may already have been installed.

To use the manual scan, simply:

1. Tap the Security Scan panel in the TMMS Console. The Security Scan settings screen appears, with the Settings tab active by default.

2. Tap Scan Now to conduct a security scan. The result appears.

3. In the example shown, “Citibank” has been detected as a fake banking app, installed on the device before Mobile Security was installed. Apps are recommended for you to remove or to trust.

4. Tap Uninstall to uninstall the fake app. A Details screen defines the security threats.

5. Tap Uninstall. A popup will ask if you want to uninstall the app.

6. Tap Uninstall once more to uninstall it. The app will uninstall.

7. If there are more potentially unwanted apps, tap the panel for Apps Removal Recommended to show the list of apps recommended for removal. The Removal Recommended list will show apps to Remove or Trust.

8. You can configure settings via Security Scan > Settings. This will allow you to choose the protection strength (Low, Normal, and High).

9. In Settings, check the Pre-Installation Scan, which is disabled by default, to block malware from Google Play before it’s installed. It sets up a virtual private network (VPN) and enables the real-time scan.

Among its other features, Trend Micro Mobile Security also:

  • Blocks dangerous websites from loading in any browsing app with Web Guard
  • Checks if public WiFi connections are safe with Wi-Fi Checker
  • Guards financial and commercial apps with Pay Guard Mobile
  • Optimizes your device’s performance with System Tuner and App Manager
  • Protects your kids’ devices with Parental Controls
  • Protects your privacy on social media with Social Network Privacy
  • Provides Lost Device Protection.

To find out more about Trend Micro Mobile Security, go to our Mobile Security Solutions website, where you can also learn about our Mobile Security solution for iOS.

Microsoft Warns of Zero-Day Internet Explorer Exploits

Patch Promised for Flaw Allegedly Exploited by 'DarkHotel' APT Gang
Microsoft says it's prepping a patch to fix a memory corruption flaw in multiple versions of Internet Explorer that is being exploited by in-the-wild attackers, and it's issued mitigation guidance. Security firm Qihoo 360 says the zero-day flaw has been exploited by the DarkHotel APT gang.

NATO will send a counter-hybrid team to Montenegro to face Russia’s threat

The Chairman of the NATO Military Committee announced that the alliance has sent a counter-hybrid team to Montenegro to face Russian hybrid attacks.

Last week in Brussels, the Chairman of the NATO Military Committee (MC), Marshal Sir Stuart Peach, announced the effort of the Alliance in facing Russian hybrid attacks.

The term “Hybrid warfare” refers to a military strategy which employs political warfare and blends conventional warfare, irregular warfare and cyberwarfare with other influencing methods, such as fake news, diplomacy, lawfare and foreign electoral intervention.

Peach said that the NATO alliance had set up the first NATO counter-hybrid team in Montenegro.

“The first NATO counter-hybrid team has been deployed to our ally state, Montenegro, with the aim of helping to strengthen Montenegro’s capacities and deterring hybrid challenges”, Peach said.

Several countries, especially Russia, continue their aggressive operations against foreign states, and cyber warfare is becoming the main concern for almost any government.

The official explained that defence spending to face hybrid threats has continued to increase since 2014; it has been estimated that by 2024 that amount will reach $400 billion.

“NATO data shows a 4.6% increase in 2019. That is the fifth consecutive year of growth. By the end of this year, allies will have invested over $130 billion”, added Marshal Peach.

United States Army General Mark Milley, the highest-ranking military officer and military adviser to the President, the Secretary of Defense and the U.S. National Security Council, accused the Russian Government of attempting to destabilize the members of the alliance and divide it.

“It is evident that Russia has been trying to divide NATO and make it weaker”, General Milley said.

“It would be their benefit. It would be detrimental to Europe and the US if NATO just collapsed and disintegrated.”

Representatives of Montenegro’s Defence Ministry confirmed that the NATO counter-hybrid team visited Montenegro in November. Experts fear that Russia could attempt to influence the forthcoming parliamentary elections, which will take place in October 2020.

“This visit was the first such engagement in one of the allies, and it was an important experience for Montenegro. Montenegro wants to enhance its capacities and the focus of NATO’s team was on strengthening legislative framework in this domain and its implementation”, said Ivica Ivanović, director general for defence policy.

On June 5, 2017, Montenegro officially joined the NATO alliance despite strong opposition from the Russian Government, which threatened to retaliate.

Cybersecurity experts believe that a new wave of cyberattacks will hit the state. In February 2017, for the second time in a few months, Montenegro suffered massive and prolonged cyberattacks against government and media websites.

Researchers at security firm FireEye who analyzed the attacks observed malware and exploits associated with the notorious Russia-linked APT group known as APT28 (aka Fancy Bear, Pawn Storm, Strontium, Sofacy, Sednit, and Tsar Team).

Another massive attack hit the country’s institutions during October 2016 elections, amid speculation that the Russian Government was involved.

Hackers targeted Montenegro with spear-phishing attacks whose malicious messages used weaponized documents pertaining to a NATO secretary meeting and a visit by a European army unit to Montenegro.

At the time, the cyberspies delivered the GAMEFISH backdoor (aka Sednit, Seduploader, JHUHUGIT, and Sofacy), a malware that was used only by the APT28 group in past attacks.

Pierluigi Paganini

(SecurityAffairs – Montenegro, elections)

The post NATO will send a counter-hybrid team to Montenegro to face Russia’s threat appeared first on Security Affairs.

€114m in Fines Imposed by Euro Authorities Under GDPR

Data protection regulators have imposed €114m ($126m/£97m) in monetary fines under the GDPR for a wide range of infringements, according to new findings from DLA Piper.

Whilst not all fines were related to data breach infringements, DLA Piper’s latest GDPR Data Breach Survey found that more than 160,000 data breach notifications have been reported across the 28 European Union Member States since the GDPR came into force on May 25 2018.

In terms of the total value of fines issued by geographical region, France (€51m), Germany (€24.5m) and Austria (€18m) topped the rankings, whilst the Netherlands (40,647), Germany (37,636) and the UK (22,181) had the highest number of data breaches notified to regulators.

The highest GDPR fine to date was €50m, imposed by the French data protection regulator on Google, for alleged infringements of the transparency principle and lack of valid consent. Earlier this year, the UK ICO published intentions to fine British Airways £183.39m and Marriott £99m following two high profile data breaches, although neither fine has been finalized at the time of writing.

Ross McKean, a partner at DLA Piper specializing in cyber and data protection, said: “GDPR has driven the issue of data breach well and truly into the open. The rate of breach notification has increased by over 12% compared to last year’s report and regulators have been busy road-testing their new powers to sanction and fine organizations.

“The total amount of fines of €114m imposed to date is relatively low compared to the potential maximum fines that can be imposed under GDPR, indicating that we are still in the early days of enforcement. We expect to see momentum build with more multi-million Euro fines being imposed over the coming year as regulators ramp up their enforcement activity.”

Hashtag Trending – Montreal teen arrested in cryptocurrency scam; EU considering suspending facial recognition; Alphabet passes the trillion-dollar mark.

Welcome listeners, hope you’re all doing well this Monday morning. The top three stories to take in right now include a Montreal teen arrested in cryptocurrency scam bust, the European Union considering banning facial recognition, and Alphabet passing the trillion-dollar mark. Thank you for tuning in to Hashtag Trending, it’s Monday, January 20th, and I’m…

Evaluating Your Security Controls? Be Sure to Ask the Right Questions

Testing security controls is the only way to know if they are truly defending your organization. With many different testing frameworks and tools to choose from, you have lots of options. But what do you specifically want to know? And how are the findings relevant to the threat landscape you face at this moment? "Decide what you want to know and then choose the best tool for the job."

GDPR Regulators Have Imposed $126M in Fines Thus Far, Finds Survey

A new survey found that regulators have thus far imposed $126 million worth of fines for data breaches and other GDPR infringements. According to DLA Piper’s GDPR Data Breach Survey, data protection regulators imposed €114 million (about US$126 million / £97 million) in GDPR-related fines between May 25, 2018 and January 27, 2020. The […]… Read More

The post GDPR Regulators Have Imposed $126M in Fines Thus Far, Finds Survey appeared first on The State of Security.

Citrix releases permanent fixes for CVE-2019-19781 flaw in ADC 11.1 and 12.0

Citrix addressed the actively exploited CVE-2019-19781 flaw in Citrix Application Delivery Controller (ADC), Citrix Gateway, and Citrix SD-WAN WANOP appliances.

Citrix has released security patches to address actively exploited CVE-2019-19781 vulnerability in Citrix Application Delivery Controller (ADC), Citrix Gateway, and Citrix SD-WAN WANOP appliances.

While security researchers were warning of ongoing scans for Citrix Application Delivery Controller (NetScaler ADC) and Citrix Gateway (NetScaler Gateway) servers affected by the CVE-2019-19781 vulnerability, many experts were announcing the availability online of proof-of-concept exploit code ([1], [2]).

Researchers at MDSsec published technical details of the vulnerability along with a video showing the exploit they had developed, but they decided not to release it so that miscreants could not use it in the wild.

In December Citrix disclosed the critical CVE-2019-19781 vulnerability and explained that it could be exploited by attackers to access company networks.

It has been estimated that 80,000 companies in 158 countries are potentially at risk, most of them in the U.S. (38%), followed by the UK, Germany, the Netherlands, and Australia. 

The CVE-2019-19781 vulnerability was discovered by Mikhail Klyuchnikov from Positive Technologies.

Now Citrix is announcing the permanent fixes for the above remote code execution vulnerability.

“Permanent fixes for ADC versions 11.1 and 12.0 are available as downloads here and here,” reads a post published by Citrix’s CISO Fermin J. Serna.

“These fixes also apply to Citrix ADC and Citrix Gateway Virtual Appliances (VPX) hosted on any of ESX, Hyper-V, KVM, XenServer, Azure, AWS, GCP or on a Citrix ADC Service Delivery Appliance (SDX). SVM on SDX does not need to be updated.”

Citrix urges customers to upgrade all Citrix ADC and Citrix Gateway 11.1 instances (MPX or VPX) to the fixed build. It is also necessary to upgrade all Citrix ADC and Citrix Gateway 12.0 instances (MPX or VPX) to the fixed build to install the security vulnerability fixes.

The company also announced revised release dates for the permanent fixes for the other ADC versions and for SD-WAN WANOP:

  • ADC version 12.1, now January 24
  • ADC version 13 and ADC version 10.5, now January 24
  • SD-WAN WANOP fixes, now January 24

Citrix ADC and Citrix Gateway

Version   Refresh Build   Release Date
10.5      10.5.70.x       January 24, 2020

Citrix SD-WAN WANOP

Release   Citrix ADC Release   Release Date
10.2.6    11.1.51.615          January 24, 2020
11.0.3    11.1.51.615          January 24, 2020

Once the mitigations have been applied, a tool released by Citrix can be used to verify that they have been applied successfully.

“While all the mitigations associated with CVE-2019-19781 are effective across all known scenarios, we strongly encourage customers to apply the permanent fixes as soon as possible.” continues the post.

Security experts are observing a spike in the number of attacks against Citrix servers after researchers announced the availability online of proof-of-concept exploits for the CVE-2019-19781 flaw in Citrix NetScaler ADC and Citrix NetScaler Gateway servers.

Researchers from FireEye recently noticed that one of the threat actors involved in the attacks is patching the vulnerable Citrix servers, installing their own backdoor, tracked as NOTROBIN, to clean up other malware infections and to lock out any other threat from exploiting the CVE-2019-19781 Citrix flaw.

Pierluigi Paganini

(SecurityAffairs – Citrix servers, hacking)

The post Citrix releases permanent fixes for CVE-2019-19781 flaw in ADC 11.1 and 12.0 appeared first on Security Affairs.

Travelex Begins Reboot as VPN Bug Persists

Under-fire foreign currency firm Travelex has claimed its first customer-facing services in the UK have gone live after a crippling ransomware attack in December, with experts suggesting an unpatched VPN bug may have been to blame.

The London-headquartered business has been slammed by customers after the suspected Sodinokibi (REvil) ransomware struck on December 31, forcing it to take systems offline as a precautionary measure.

Several complained that the foreign currency they ordered and paid for online is unavailable, leaving them out of pocket. The outage affected not just Travelex’s websites but its bricks-and-mortar outlets and services it provides to major UK high street banks such as Barclays and RBS.

However, the firm claimed in an update on Friday it has been working hard this month to restore online and customer-facing systems.

“On 17 January 2020, we confirmed that the first of our customer-facing systems in the UK were live and that the phased restoration of our systems globally was now firmly underway. We are prioritizing the UK as this is our single largest market,” it said.

Although unconfirmed, security experts believe that an unpatched critical vulnerability in Pulse Secure VPNs (CVE-2019-11510) may have allowed attackers to remotely execute malicious code on Travelex IT systems.

Troy Mursch of Bad Packets claimed to have reached out to the firm in September to flag the software flaw, which has a CVSS score of 10.0, but received no response.

On Friday, he said that there are still over 3000 vulnerable Pulse Secure VPN servers out there. That’s bad news because the bug is seeing “wide exploitation,” despite the fact that a patch has been available since April 2019, according to the US Cybersecurity and Infrastructure Security Agency (CISA).

“A remote, unauthenticated attacker may be able to compromise a vulnerable VPN server. The attacker may be able to gain access to all active users and their plain-text credentials,” CISA said of CVE-2019-11510.

“It may also be possible for the attacker to execute arbitrary commands on each VPN client as it successfully connects to the VPN server.”

Although Travelex maintains that there is “no evidence that any data has left the organization,” the hackers behind the $6 million ransom demand have claimed they exfiltrated 5GB of sensitive customer data last year.

London Councils Lose Nearly 1300 Devices Over Three Years

The number of London councils reporting lost or stolen mobile computing devices has more than doubled over the past three financial years, according to new Freedom of Information (FOI) data.

Think tank Parliament Street compiled responses from 23 out of the 31 local borough councils that operate across the UK capital.

It found that a total of 1293 devices were lost or stolen over the three financial years from 2016, including laptops, mobile phones and tablets. The figure jumped from 304 in 2016-17 to 635 in 2018-19, a 109% increase.

Phones went missing most often, accounting for 951 lost or stolen devices over the period. The figure rose 122%, from 215 in 2016-17 to 478 in 2018-19.

Laptop losses also almost doubled over the period, from 64 to 124, while tablet losses increased slightly from 26 to 33.

Lambeth was most affected by missing devices, recording 281 losses, 84% of which were mobile phones. Next came Richmond and Wandsworth (123) and Brent (170). Richmond and Wandsworth, which reported together, saw a 666% increase in lost and stolen devices, while the figure stood at 74% in Brent.

Absolute Software EMEA VP, Andy Harcup, warned that the rise of flexible working combined with opportunistic thieves is increasing the risk of confidential public sector data going missing.

“If said device ends up in the wrong hands, these councils and the constituents they serve could be facing severe consequences, including a major data breach with citizen details finding their way onto the dark web,” he added.

“It's time for all organizations to wake up to the very real risks posed by stolen devices in terms of data security. Every single council should have robust end-point security measures in place to ensure that devices reported missing can be accessed, tracked, deleted and frozen appropriately.”

Citrix Patches ADC Bug as Attacker Hoards Access

Citrix has begun issuing patches for a serious vulnerability in its Application Delivery Controller (ADC) product which experts have warned is being exploited in the wild.

The tech giant revealed the CVE-2019-19781 bug in ADC and its Citrix Gateway back in December. If successfully exploited, it could allow an unauthenticated attacker to perform arbitrary code execution.

Although the firm announced a series of mitigations to help protect customers as it readied a permanent fix, researchers claimed to have discovered tens of thousands of users that were still exposed, including high value targets across verticals including finance, government and healthcare.

Part of the problem appeared to be that not all of these mitigations worked as intended. The Dutch authorities urged businesses to disable Citrix systems altogether.

With proof-of-concept exploits appearing online in recent days and reports of active attacks, Citrix appeared to accelerate the process of readying patches.

Permanent fixes for ADC versions 11.1 and 12.0 are now ready, and Citrix has “moved forward” the availability dates for the other versions (12.1, 13 and 10.5) to January 24. Its Citrix SD-WAN WANOP product will also be patched on the same day.

The news comes as FireEye warned it had spotted “dozens of successful exploitation attempts” against ADC deployments that had not put in place temporary pre-patch mitigations.

One particular payload, which it named “NotRobin,” appears to be hoarding access to exposed Citrix systems.

“FireEye believes that the actor behind NotRobin has been opportunistically compromising NetScaler devices, possibly to prepare for an upcoming campaign. They remove other known malware, potentially to avoid detection by administrators that check into their devices after reading Citrix security bulletin CTX267027,” FireEye explained.

“NotRobin mitigates CVE-2019-19781 on compromised devices but retains a backdoor for an actor with a secret key. While we haven’t seen the actor return, we’re skeptical that they will remain a Robin Hood character protecting the internet from the shadows.”

The Top 19 Information Security Conferences of 2020

With the 2010s now over, the infosec industry is now fully invested in 2020 and beyond. The 2020s will no doubt present their fair share of challenging digital security threats. But they will also enable security professionals to discuss shared difficulties at conferences and summits. To help promote these collaborative events, we at The State […]

The post The Top 19 Information Security Conferences of 2020 appeared first on The State of Security.

WP Database Reset WordPress plugin flaws allow website takeover

The WP Database Reset WordPress plugin is affected by an “easily exploitable” vulnerability that can allow attackers to take over vulnerable sites. 

Security experts from Wordfence discovered two security vulnerabilities in the WP Database Reset WordPress plugin that can be used to take over vulnerable websites.

The WP Database Reset plugin allows users to reset the database (all tables or only selected ones) back to its default settings without having to go through a fresh WordPress installation; it has over 80,000 installs.

“On January 7th, our Threat Intelligence team discovered vulnerabilities in WP Database Reset, a WordPress plugin installed on over 80,000 websites.” reads the analysis published by Wordfence. “One of these flaws allowed any unauthenticated user to reset any table from the database to the initial WordPress set-up state, while the other flaw allowed any authenticated user, even those with minimal permissions, the ability to grant their account administrative privileges while dropping all other users from the table with a simple request.”

The first vulnerability, rated critical and tracked as CVE-2020-7048, has been assigned a CVSS score of 9.1. The experts found that none of the database reset functions were secured, potentially allowing anyone to reset any database table without authentication.

The second vulnerability, tracked as CVE-2020-7047, has received a CVSS score of 8.1; it allowed any authenticated user to drop all other users by resetting the wp_users table and to escalate to administrative privileges.

“Dropping all users during a database reset may be problematic, but we can always recreate users, right? Unfortunately, this was more complex. Whenever the wp_users table was reset, it dropped all users from the user table, including any administrators, except for the currently logged-in user.” continues the analysis. “The user sending the request would automatically be escalated to administrator, even if they were only a subscriber. That user would also become the only administrator, thus allowing an attacker to fully take over the WordPress site.”
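
Both flaws come down to the same missing controls: a destructive database action reachable without a capability check, and a request accepted without a nonce. The PHP fragment below is an added example for a hypothetical plugin (everything prefixed `hypo_` is assumed), not the WP Database Reset plugin's own code; it contrasts the vulnerable pattern with a hardened handler built on WordPress's own `current_user_can()`, `check_admin_referer()` and `$wpdb->tables()`.

```php
<?php
/**
 * Hypothetical plugin fragment (added example, not the WP Database Reset code).
 * The insecure handler mirrors the class of bug described above: a table reset
 * reachable by anyone. The hardened handler adds the checks WordPress provides
 * for privileged actions.
 */

/* --- VULNERABLE PATTERN: shown for contrast, never wired to a hook --- */
function hypo_insecure_reset() {
    if ( empty( $_REQUEST['reset_table'] ) ) {
        return;
    }
    global $wpdb;
    // No capability check, no nonce, and the table name comes straight from
    // the request: an unauthenticated visitor can empty any table.
    $wpdb->query( 'TRUNCATE TABLE ' . $_REQUEST['reset_table'] );
}

/* --- HARDENED PATTERN --- */
function hypo_secure_reset() {
    if ( empty( $_POST['reset_table'] ) ) {
        return;
    }
    // 1. Capability check: subscribers and anonymous visitors are rejected here,
    //    so a low-privileged account cannot use the reset to promote itself.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to do this.', 'hypo' ), '', array( 'response' => 403 ) );
    }
    // 2. Nonce check: the request must come from our own form (blocks CSRF).
    check_admin_referer( 'hypo_reset_db', 'hypo_reset_db_nonce' );

    global $wpdb;
    // 3. Allow-list: resolve the short name through $wpdb so only tables
    //    WordPress registers can be named, and never touch the user tables.
    $requested = sanitize_key( wp_unslash( $_POST['reset_table'] ) );
    $tables    = $wpdb->tables( 'all', true );   // unprefixed name => full name
    unset( $tables['users'], $tables['usermeta'] );
    if ( ! isset( $tables[ $requested ] ) ) {
        wp_die( esc_html__( 'Unknown or protected table.', 'hypo' ), '', array( 'response' => 400 ) );
    }
    $full_name = $tables[ $requested ];          // taken from $wpdb, not from the request
    $wpdb->query( "TRUNCATE TABLE `{$full_name}`" );

    wp_safe_redirect( add_query_arg( 'hypo_reset', 'done', admin_url( 'tools.php' ) ) );
    exit;
}
add_action( 'admin_init', 'hypo_secure_reset' );

/* Form: the hidden nonce field is what check_admin_referer() verifies. */
function hypo_reset_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'tools.php' ) ); ?>">
        <?php wp_nonce_field( 'hypo_reset_db', 'hypo_reset_db_nonce' ); ?>
        <input type="text" name="reset_table" value="posts">
        <?php submit_button( __( 'Reset table', 'hypo' ) ); ?>
    </form>
    <?php
}
```

The allow-list step matters as much as the two checks: even an administrator's request should only ever reach a table name that came out of `$wpdb`, and excluding `users` and `usermeta` removes the path by which a reset could leave the requester as the sole remaining administrator.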

Below is the disclosure timeline:

January 7th, 2020 – Vulnerability initially discovered and analyzed.
January 8th, 2020 – Full details disclosed to plugin developer and custom firewall rule released to Wordfence premium users.
January 13th, 2020 – Developer responds and notifies us that a patch will be released the next day.
January 14th, 2020 – Patch released.
January 16th, 2020 – Public disclosure.

Users of the plugin should update to the latest version of WP Database Reset, 3.15.

Earlier this week, experts at security firm WebArx disclosed vulnerabilities in the WP Time Capsule and InfiniteWP plugins; both were patched earlier this month by their developer, Revmakx.

The flaws in the WP Time Capsule and InfiniteWP WordPress plugins could be exploited to take over the more than 320,000 websites running them on the popular CMS.

Pierluigi Paganini

(SecurityAffairs – WP Database Reset, hacking)

The post WP Database Reset WordPress plugin flaws allow website takeover appeared first on Security Affairs.

A look at cybersecurity for rail systems, building automation and the future of critical infrastructure

Waterfall Security Solutions announced a major expansion into new markets and industry verticals. In support of this expansion, Waterfall has secured a significant new funding round to enable aggressive growth. We caught up with Lior Frenkel, CEO and co-founder of the company, to find out more. So Lior, you folks just announced a big new expansion and investment. What are your main priorities for Waterfall Security in the next 5 years? Well, let me first …

The post A look at cybersecurity for rail systems, building automation and the future of critical infrastructure appeared first on Help Net Security.

JhoneRAT uses Google Drive, Twitter, ImgBB, and Google Forms to target countries in Middle East

Researchers from Cisco Talos discovered a new Trojan named JhoneRAT that was used in targeted attacks against entities in the Middle East.

A new Trojan named JhoneRAT has appeared in the threat landscape; it selectively attacks targets in the Middle East by checking the victim's keyboard layout.

The malware targets a very specific set of Arabic-speaking countries, including Saudi Arabia, Iraq, Egypt, Libya, Algeria, Morocco, Tunisia, Oman, Yemen, Syria, UAE, Kuwait, Bahrain, and Lebanon.

“Today, Cisco Talos is unveiling the details of a new RAT we have identified we’re calling “JhoneRAT.” This new RAT is dropped to the victims via malicious Microsoft Office documents.” reads the analysis published by Cisco Talos. “The dropper, along with the Python RAT, attempts to gather information on the victim’s machine and then uses multiple cloud services: Google Drive, Twitter, ImgBB and Google Forms.”

The experts found that the RAT is distributed via weaponized Office documents and that it relies on multiple cloud services (Google Drive, Twitter, ImgBB and Google Forms) to avoid detection.

JhoneRAT is written in Python; it attempts to download additional payloads and to upload the information gathered during the reconnaissance phase.

Talos researchers identified three weaponized Microsoft Office documents that download and load an additional document containing a macro. The first, named “Urgent.docx”, dates back to November 2019.

The second, named “fb.docx”, is dated January and claims to contain data on a Facebook information leak. The third, found in mid-January, purports to come from a legitimate United Arab Emirates organization.

The additional Office documents loaded and executed by JhoneRAT are hosted on Google Drive in an attempt to evade URL blacklisting.

JhoneRAT is dropped through Google Drive, which hosts images with a base64-encoded binary appended at the end. Once such an image is loaded onto a target machine, it deploys the Trojan, which harvests information from the victim’s machine (e.g. the OS, disk serial numbers, the installed antivirus, and more).

The malware uses Twitter as its command-and-control (C2) channel while exfiltrating information through other cloud services: it checks a public Twitter feed for new commands every 10 seconds.

“This RAT uses three different cloud services to perform all its command and control (C2) activities. It checks for new commands in the tweets from the handle @jhone87438316 (suspended by Twitter) every 10 seconds using the BeautifulSoup HTML parser to identify new tweets.” continues the analysis. “These commands can be issued to a specific victim based on the UID generated on each target (by using the disk serial and contextual information such as the hostname, the antivirus and the OS) or to all of them.”

Experts pointed out that stolen data is exfiltrated through cloud providers: for example, screenshots are uploaded to ImgBB, while the output of executed commands is sent to Google Forms. The malware also downloads binaries disguised as pictures from Google Drive and executes them.
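
The delivery trick described above, a binary appended as base64 text after an otherwise valid image, leaves a simple artefact a defender can look for: bytes after the file's end-of-image marker. The Python scanner below is an added example, not Talos's code or a JhoneRAT artefact; the PNG and JPEG skeletons and the base64 blob it inspects are constructed inline, and treating a decoded trailer that starts with "MZ" as a Windows executable is an assumption about what a dropped payload would look like.

```python
import base64
import re

# Constructed sample inputs (not real JhoneRAT artefacts): minimal PNG and JPEG
# skeletons, each clean and with a base64-encoded blob appended after the
# end-of-image marker. The blob decodes to a fake "MZ" executable header.
PNG_SIG = b"\x89PNG\r\n\x1a\n"
PNG_IHDR = b"\x00\x00\x00\rIHDR" + b"\x00" * 13 + b"\x00" * 4   # 13 data bytes + CRC
PNG_IEND = b"\x00\x00\x00\x00IEND\xaeB`\x82"                       # empty IEND chunk + CRC
JPEG_SOI, JPEG_EOI = b"\xff\xd8", b"\xff\xd9"

FAKE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 40    # 108 bytes, constructed
CLEAN_PNG = PNG_SIG + PNG_IHDR + PNG_IEND
TAINTED_PNG = CLEAN_PNG + base64.b64encode(FAKE_PE)
CLEAN_JPEG = JPEG_SOI + b"\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 10 + JPEG_EOI
TAINTED_JPEG = CLEAN_JPEG + b"\n" + base64.b64encode(FAKE_PE) + b"\n"

_B64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")


def png_end_offset(data: bytes):
    """Walk the PNG chunk list and return the offset just past IEND, or None."""
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length = int.from_bytes(data[pos:pos + 4], "big")
        ctype = data[pos + 4:pos + 8]
        pos += 12 + length            # 4 length + 4 type + data + 4 CRC
        if ctype == b"IEND":
            return pos
    return None


def jpeg_end_offset(data: bytes):
    """Return the offset just past the last EOI marker, or None.

    An appended base64 trailer is pure ASCII, so the bytes FF D9 cannot occur in
    it; the last EOI in the file is therefore the real one even when an EXIF
    thumbnail earlier in the file carries its own EOI.
    """
    i = data.rfind(JPEG_EOI)
    return i + 2 if i != -1 else None


def scan_image(data: bytes) -> dict:
    """Report whether anything follows the end-of-image marker and whether it
    is a base64 blob that decodes to an MZ (Windows executable) header."""
    result = {"format": None, "trailer_len": 0,
              "base64_trailer": False, "decoded_pe": False}
    if data.startswith(PNG_SIG):
        result["format"], end = "png", png_end_offset(data)
    elif data.startswith(JPEG_SOI):
        result["format"], end = "jpeg", jpeg_end_offset(data)
    else:
        return result                  # not a format this scanner understands
    if end is None or end >= len(data):
        return result                  # truncated file, or nothing after the image
    trailer = data[end:]
    result["trailer_len"] = len(trailer)
    compact = b"".join(trailer.split())   # tolerate line breaks inside the trailer
    if len(compact) >= 16 and len(compact) % 4 == 0 and _B64_RE.match(compact):
        try:
            decoded = base64.b64decode(compact, validate=True)
        except ValueError:
            return result
        result["base64_trailer"] = True
        # Heuristic (assumption): a dropped Windows binary starts with "MZ".
        result["decoded_pe"] = decoded.startswith(b"MZ")
    return result


def is_suspicious(data: bytes) -> bool:
    """True when an image carries a base64 trailer after its end marker."""
    return scan_image(data)["base64_trailer"]


if __name__ == "__main__":
    for name, blob in [("clean.png", CLEAN_PNG), ("dropper.png", TAINTED_PNG),
                       ("clean.jpg", CLEAN_JPEG), ("dropper.jpg", TAINTED_JPEG)]:
        print(name, scan_image(blob))
```

Run over a directory of downloaded images, `trailer_len` alone already separates ordinary files from polyglots; the base64 and "MZ" checks only narrow the hits to the pattern this campaign used, so a non-zero trailer with neither flag set is still worth a look.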

“The attacker put a couple of tricks in place to avoid execution on virtual machines (sandbox). The first trick is the check of the serial number of the disk. The actor used the same technique in the macro and in the JhoneRAT. By default, most of the virtual machines do not have a serial number on the disk.” continues the analysis.

“The attacker used a second trick to avoid analysis of the Python code. The actor used the same trick that FireEye in the Flare-On 6: Challenge 7: They removed the header of the Python bytecode.”

According to the experts, the campaign is still ongoing: even though the Twitter account has been suspended, the attackers can easily create new accounts and use them in the same way.

“This campaign shows a threat actor interested in specific Middle Eastern and Arabic-speaking countries. It also shows us an actor that puts effort in opsec by only using cloud providers.” concludes the report. “The malicious documents, the droppers and the RAT itself are developed around cloud providers. Additionally the attackers implemented anti-VM (and sandbox) and anti-analysis tricks to hide the malicious activities to the analyst.”

The analysis published by Talos contains additional technical details, including Indicators of Compromise.

Pierluigi Paganini

(SecurityAffairs – JhoneRAT, malware)

The post JhoneRAT uses Google Drive, Twitter, ImgBB, and Google Forms to target countries in Middle East appeared first on Security Affairs.

Waterfall Security Solutions secures significant new funding round

Waterfall Security Solutions, the OT security company, announced a major expansion into new markets and industry verticals. In support of this expansion, Waterfall has secured a significant new funding round to enable aggressive growth. Waterfall’s priorities for expansion are rail transport and Building Automation System markets for large facilities, including airports, casinos and large government installations. Waterfall reports several tier-1 customers in these arenas already, in addition to a large installed base in existing markets, …

The post Waterfall Security Solutions secures significant new funding round appeared first on Help Net Security.