Daily Archives: January 21, 2020

Windows 7 reaches End of Life (EOL) – Are you ready for the risks or would you rather update your OS?

Estimated reading time: 2 minutes

14 Jan 2020 marked a huge day for Windows, as Microsoft ended support for Windows 7, the operating system that had been touching lives for nearly 11 years.

Introduced almost a decade ago, Windows 7 was designed largely to fix the failures that came with Windows Vista. The OS was so popular that it took Microsoft years of effort to persuade people to upgrade to Windows 10, even though the upgrade was free. In fact, millions of PCs still run Windows 7 today, especially in corporate environments, which now leaves them susceptible to security vulnerabilities and exploits as Microsoft ends its mainstream support.

What does End of Support mean?

During the lifecycle of an operating system, constant support in the form of security patches and bug fixes is provided to users of that OS, to protect them against new and advanced malware threats.

Thus, end of life for Windows 7 specifically means that no more security patches, bug fixes or new functionality will be available to its users (individual or enterprise), leaving them susceptible to malware attacks. While users can continue using Windows 7, remember that the cost of running an outdated operating system can be very high.

Remember the devastating cyber-attacks like WannaCry in 2017, which widely affected Windows 7. Now imagine the impact of as-yet-undiscovered and unknown vulnerabilities possibly still lurking in Windows 7.

For those still reluctant to update to Windows 10, Microsoft will continue to provide support, but at a cost! Businesses that want to continue with Windows 7 can still do so, by making costly investments in extended security updates.

Preparing for Windows 7 EOL

Despite Microsoft having notified its users about the Windows 7 EOL for a considerable time, an estimated 200 million PC users still run Windows 7 (https://zd.net/30lKOC0). The simplest way out of this crisis is to upgrade to Windows 10. The longer users take to upgrade their OS, the greater the risk of cyber-attacks, especially for those using the OS to access business or personal data. So, the best things current Windows 7 users can do are:

  • Immediately upgrade all devices currently running Windows 7 to Windows 10.
  • Do not use Windows 7 for accessing banking, personal or other sensitive data.
  • Consider accessing personal email accounts or other important logins from a different device.

How Seqrite can help Windows 7 Users

Reassuringly, Seqrite products will continue to detect malware files and infections and to provide support on Windows 7, just as on any other supported Microsoft OS.

We will no longer be able to support features of SEQRITE EPS that rely on external dependencies, specifically Vulnerability Scan and Patch Management, since these depend on Microsoft for any further updates.

For example, if a Seqrite product requires a fix from Microsoft and Microsoft does not provide it, support for that feature can no longer be provided.

We will keep you posted about any developments in this regard.

NOTE: End of Life (EOL) also applies to Windows Server 2008 and 2008 R2, and the same considerations apply to those versions.

The post Windows 7 reaches End of Life (EOL) – Are you ready for the risks or would you rather update your OS? appeared first on Seqrite Blog.

Container security requires continuous security in new DevSecOps models

When Jordan Liggitt at Google posted details of a serious Kubernetes vulnerability in November 2018, it was a wake-up call for security teams ignoring the risks that came with adopting a cloud-native infrastructure without putting security at the heart of the whole endeavor. For such a significant milestone in Kubernetes history, the vulnerability didn’t have a suitably alarming name comparable to the likes of Spectre, Heartbleed or the Linux Kernel’s recent SACK Panic; it was … More

The post Container security requires continuous security in new DevSecOps models appeared first on Help Net Security.

Companies risk revenue growth due to innovation achievement gap

While a majority of CEOs express strong confidence in the effectiveness of their current IT systems, most are struggling to close the innovation achievement gap to drive growth and revenue, according to a global study by Accenture. The study is based on Accenture’s largest enterprise IT study conducted to date, including survey data from more than 8,300 organizations across 20 countries and 885 CEOs. Innovation achievement gap: adopting new technologies. The research, which analyzed the adoption … More

The post Companies risk revenue growth due to innovation achievement gap appeared first on Help Net Security.


Email security industry miss rates when encountering threats are higher than 20%

Email security miss rates are definitely a huge issue. Malicious files regularly bypass all of today’s leading email security products, leaving enterprises vulnerable to email-based attacks including ransomware, phishing and data breaches, according to BitDam. BitDam conducted an empirical study to measure leading email security products’ ability to detect unknown threats at first encounter. Unknown threats are produced in the wild, sometimes hundreds in a day. The study employs the retrieval of fresh samples of … More

The post Email security industry miss rates when encountering threats are higher than 20% appeared first on Help Net Security.

State CIOs see innovation as critical priority, only 14% report extensive innovation

Most state CIOs see innovation as a major part of their job – 83% said innovation is an important or very important part of their day-to-day leadership responsibilities – while only 14% reported extensive innovation initiatives within their organizations, Accenture and the National Association of State Chief Information Officers (NASCIO) reveal. Previously, NASCIO had highlighted innovation as a top ten current issue facing state CIOs. “The pace of technological change keeps accelerating, bringing new challenges … More

The post State CIOs see innovation as critical priority, only 14% report extensive innovation appeared first on Help Net Security.

Download: State of Breach Protection 2020 survey results

What are the key considerations security decision makers should take into account when designing their 2020 breach protection? To answer this, Cynet polled 1,536 cybersecurity professionals to understand the common practices, prioritizations and preferences of organizations today in protecting themselves from breaches. Security executives face significant challenges when confronting the evolving threat landscape. For example, what type of attacks pose the greatest risk and what security products would best address them? Is it better to … More

The post Download: State of Breach Protection 2020 survey results appeared first on Help Net Security.

Navigating ICS Security: Best Practices for ICS Decision-Makers

As a security consultant, I’m not going into an environment to design and build an organization’s network from the ground up in most situations. For the majority of the time, I’m working with legacy environments where some old technologies might be phasing out and newer ones joining the mix of solutions. In the case of […]… Read More

The post Navigating ICS Security: Best Practices for ICS Decision-Makers appeared first on The State of Security.

The Vendor Security Assessment (VSA): What You Need to Know

Requesting that a SaaS company answer a Vendor Security request has become a regular thing for companies who work in the cloud. But have you thought about how the reverse works, that is, when your customer has a VSA process focusing on you? The Vendor Security Assessment, or VSA, is the means by which your […]… Read More

The post The Vendor Security Assessment (VSA): What You Need to Know appeared first on The State of Security.

Stellar Cyber’s new app applies machine learning to firewall data to spot anomalies

Security provider Stellar Cyber, with the first Open-XDR platform, announced its new Firewall Traffic Analysis (FTA) Application, which supercharges firewalls by analyzing their data to spot undetected anomalies. With this new App, security analysts get an automated assistant to detect firewall misconfigurations, malicious users and abnormal traffic to gain new value from firewall data, improving analyst productivity typically over 20x. The FTA Application supports firewalls from many vendors including Cisco, Check Point, Fortinet, Palo Alto … More

The post Stellar Cyber’s new app applies machine learning to firewall data to spot anomalies appeared first on Help Net Security.

FireEye Mandiant unveils two new services to help orgs improve detection, investigation, and response

FireEye, the intelligence-led security company, announced the availability of two new FireEye Mandiant services. Cloud Security Assessments help organizations evaluate and harden security in cloud platforms, and Cyber Defense Operations consulting services help organizations achieve security transformation by improving the detection and response capabilities of their security operations center (SOC). “For more than 15 years, FireEye Mandiant has been at the forefront of cyber security and cyber threat intelligence. We have a deep understanding of … More

The post FireEye Mandiant unveils two new services to help orgs improve detection, investigation, and response appeared first on Help Net Security.

STEALTHbits StealthRECOVER 1.5: Easier and faster AD rollback and recovery

STEALTHbits Technologies, a cybersecurity software company focused on protecting an organization’s sensitive data and the credentials attackers use to steal that data, announced the release of StealthRECOVER 1.5, their fine-grained rollback and recovery solution for Active Directory (AD). As a component of STEALTHbits’ AD Management and Security solution portfolio, StealthRECOVER enables organizations to quickly and easily roll back and recover unintended and unwanted directory changes. Users are enabled with point-in-time rollback and recovery of … More

The post STEALTHbits StealthRECOVER 1.5: Easier and faster AD rollback and recovery appeared first on Help Net Security.

Skylo raises $116M to bring affordable IoT connectivity to over 1 billion devices globally

Skylo, maker of the world’s most affordable and ubiquitous network that connects any machine or sensor, announced that the company has emerged from Stealth with $116 million in total funding. The company previously raised $13 million in a Series A round that was co-led by DCM and Innovation Endeavors, and joined by Moore Strategic Ventures. The new Series B round raised $103 million, led by SoftBank Group and joined by all existing investors. Skylo will … More

The post Skylo raises $116M to bring affordable IoT connectivity to over 1 billion devices globally appeared first on Help Net Security.

Brazil Charges Glenn Greenwald with Cybercrimes

Glenn Greenwald has been charged with cybercrimes in Brazil, stemming from publishing information and documents that were embarrassing to the government. The charges are that he actively helped the people who actually did the hacking:

Citing intercepted messages between Mr. Greenwald and the hackers, prosecutors say the journalist played a "clear role in facilitating the commission of a crime."

For instance, prosecutors contend that Mr. Greenwald encouraged the hackers to delete archives that had already been shared with The Intercept Brasil, in order to cover their tracks.

Prosecutors also say that Mr. Greenwald was communicating with the hackers while they were actively monitoring private chats on Telegram, a messaging app. The complaint charged six other individuals, including four who were detained last year in connection with the cellphone hacking.

This isn't new, or unique to Brazil. Last year, Julian Assange was charged by the US with doing essentially the same thing with Chelsea Manning:

The indictment alleges that in March 2010, Assange engaged in a conspiracy with Chelsea Manning, a former intelligence analyst in the U.S. Army, to assist Manning in cracking a password stored on U.S. Department of Defense computers connected to the Secret Internet Protocol Network (SIPRNet), a U.S. government network used for classified documents and communications. Manning, who had access to the computers in connection with her duties as an intelligence analyst, was using the computers to download classified records to transmit to WikiLeaks. Cracking the password would have allowed Manning to log on to the computers under a username that did not belong to her. Such a deceptive measure would have made it more difficult for investigators to determine the source of the illegal disclosures.

During the conspiracy, Manning and Assange engaged in real-time discussions regarding Manning's transmission of classified records to Assange. The discussions also reflect Assange actively encouraging Manning to provide more information. During an exchange, Manning told Assange that "after this upload, that's all I really have got left." To which Assange replied, "curious eyes never run dry in my experience."

Good commentary on the Assange case here.

It's too early for any commentary on the Greenwald case. Lots of news articles are essentially saying the same thing. I'll post more news when there is some.

Can AI put humans back in the loop?

Scientists at Germany's Technische Universität Darmstadt have developed a procedure for a human domain expert to look at the inner workings of an AI model as it is trained to solve a simple problem, and to correct where the machine goes wrong. Can it work for more complex problems?

Yomi Hunter Catches the CurveBall

Yomi implements detection for CurveBall exploits and also supports CVE-2020-0601 exploit detection even for signed PowerShell modules.

The recent CurveBall vulnerability shook the infosec community worldwide: a major vulnerability reported directly by the US National Security Agency.

Such an uncommon vulnerability reporter alerted the whole industry, and CVE-2020-0601 quickly dominated the headlines.

The reason for this unusual outreach is still not clear, but Microsoft, along with many experts in the industry, confirmed that it is an important vulnerability with real chances of being abused in the wild.

The Malware Threat behind CurveBall

There was some misunderstanding in the first hours after the disclosure of the CVE-2020-0601 vulnerability. Many system administrators and companies rushed to update internet-exposed machines, such as web servers and gateways, worried about possible remote code execution and with the EternalBlue/WannaCry crisis fresh in their minds.

Luckily, CurveBall is not the same type of issue. But if so, how exactly can it impact IT infrastructure, and why did the NSA raise such an alarm?

What the NSA states is real: CVE-2020-0601 exposes companies to high risks. But it does so in a stealthier way and, unlike EternalBlue, not in a way that criminals and vandals could exploit for an Internet-wide cryptoworm infection.

In fact, CurveBall enables attackers to impersonate trusted parties, including Microsoft itself, in a way that Windows 10, Windows Server 2016 and Windows Server 2019 accept as successfully cryptographically verified.

Pragmatically, this means organizations that rely on cryptographic implementations vulnerable to CVE-2020-0601 to protect their communications are at risk of man-in-the-middle attacks and impersonation in general. Even cryptographically signed files and emails are exposed to spoofing and tampering, undermining core parts of the threat models most companies use to secure their businesses.

Is that all? No.

CurveBall also puts endpoints and security perimeters at risk, because of its appeal to one of the most relevant threats to modern businesses: malware.

In the modern threat landscape, signed files mean signed malware. Thus, several threat actors, both state-sponsored and criminal, may well abuse the CurveBall vulnerability to forge Microsoft-signed executables, impersonating legitimate files and potentially tricking perimeter and endpoint security technologies that rely on the faulty Windows cryptographic validation.

Yomi Hunter Catches CVE-2020-0601

So, after evaluating the risks of CurveBall exploitation in the wild, especially given the release of public tools that abuse the vulnerability to sign arbitrary files, we rolled out a new update of Yomi Hunter able to catch CurveBall exploit attempts.

Now, both private and public instances of the Yomi sandbox actively look for CVE-2020-0601 exploits trying to evade traditional security controls. The new detection logic is available in the malware reports generated by the Yomi Hunter community (e.g. LINK), in the new VirusTotal integrated reports, and in every private instance used by Yoroi’s Cyber Security Defence Center customers.

Figure. CVE-2020-0601 exploit on Yomi Hunter

But Yomi Hunter does not limit itself to hunting for Portable Executable files exploiting CurveBall. The cryptographic detection mechanism rolled out in the new update also supports CVE-2020-0601 exploit detection for signed PowerShell modules.

If you want to try Yomi: The Malware Hunter, please register here!

Pierluigi Paganini

(SecurityAffairs – Curveball, hacking)

The post Yomi Hunter Catches the CurveBall appeared first on Security Affairs.

sLoad launches version 2.0, Starslord

sLoad, the PowerShell-based Trojan downloader notable for its almost exclusive use of the Windows BITS service for malicious activities, has launched version 2.0. The new version comes on the heels of a comprehensive blog we published detailing the malware’s multi-stage nature and its use of BITS as an alternative protocol for data exfiltration and other behaviors.

With the new version, sLoad has added the ability to track the stage of infection on every affected machine. Version 2.0 also packs an anti-analysis trick that could identify and isolate analyst machines vis-à-vis actual infected machines.

We’re calling the new version “Starslord” based on strings in the malware code, which has clues indicating that the name sLoad may have been derived from a popular comic book superhero.

We discovered the new sLoad version over the holidays, in our continuous monitoring of the malware. New sLoad campaigns that use version 2.0 follow an attack chain similar to the previous version, with some updates, including dropping the dynamic list of command-and-control (C2) servers and upload of screenshots.

Tracking the stage of infection

With the ability to track the stage of infection, malware operators with access to the Starslord backend could build a detailed view of infections across affected machines and segregate these machines into different groups.

The tracking mechanism exists in the final stage, which, as in the old version, loops infinitely (with a sleep interval of 2400 seconds, up from 1200 seconds in version 1.0). In line with the previous version, at every iteration of the final stage the malware uses a download BITS job to exfiltrate stolen system information and receive additional payloads from the active C2 server.

As we noted in our previous blog, creating a BITS job with an extremely large RemoteURL parameter that includes non-encrypted system information, as the old sLoad version did, stands out and is relatively easy to detect. However, with Starslord, the system information is encoded into Base64 data before being exfiltrated.

The file received by Starslord in response to the exfiltration BITS job contains a tuple of three values separated by an asterisk (*):

  • Value #1 is a URL from which to download an additional payload using a download BITS job
  • Value #2 specifies the action to be taken on the payload downloaded from the URL in value #1, which can be any of the following:
    • “eval” – Run (possibly very large) PowerShell scripts
    • “iex” – Load and invoke (possibly small) PowerShell code
    • “run” – Download encoded PE file, decode using exe, and run the decoded executable
  • Value #3 is an integer that signifies the stage of infection for the machine

Supplying the payload URL as part of value #1 allows the malware infrastructure to house additional payloads on different servers from the active C2 servers responding to the exfiltration BITS jobs.

Value #3 is the most noteworthy component in this setup. If the final stage succeeds in downloading the additional payload from the URL provided in value #1 and executing it as specified by the action in value #2, then a variable is used to form the string "td":"<value#3>","tds":"3". However, if the final stage fails to download and execute the payload, the string formed is "td":"<value#3>","tds":"4".

The infinite loop ensures that the exfiltration BITS jobs are created at a fixed interval, so the backend infrastructure can pick up the pulse from each infected machine. Unlike the previous version, however, Starslord includes this string in every succeeding iteration of data exfiltration. This means that the malware infrastructure is always aware of the exact stage of the infection for a specific affected machine. In addition, since the numeric value #3 in the tuple is always set by the malware infrastructure, malware operators can compartmentalize infected hosts and could potentially set off individual groups on unique infection paths. For example, when responding to exfiltration BITS jobs, malware operators can specify a different URL (value #1) and action (value #2) for each numeric value of value #3, essentially deploying a different malware payload to different groups.

Anti-analysis trap

Starslord comes with a built-in function named checkUniverse, which is in fact an anti-analysis trap.

As mentioned in our previous blog post, the final stage of sLoad is a piece of PowerShell code obtained by decoding one of the dropped .ini files. The PowerShell code appears in the memory as a value assigned to a variable that is then executed using the Invoke-Expression cmdlet. Because this is a huge piece of decrypted PowerShell code that never hits the disk, security researchers would typically dump it into a file on the disk for further analysis.

The sLoad dropper PowerShell script drops four files:

  • a randomly named .tmp file
  • a randomly named .ps1 file
  • the main.ini file
  • the domain.ini file

It then creates a scheduled task to run the .tmp file every 3 minutes, similar to the previous version. The .tmp file is a proxy that does nothing but run the .ps1 file, which decrypts the contents of main.ini into the final stage. The final stage then decrypts contents of domain.ini to obtain active C2 and perform other activities as documented.

As a unique anti-analysis trap, Starslord ensures that the .tmp and .ps1 files have the same random name. When an analyst dumps the decrypted code of the final stage into a file in the same folder as the .tmp and .ps1 files, the analyst could end up naming it something other than the original random name. When this dumped code is run from such a differently named file on disk, the function named checkUniverse returns the value 1, and the analyst gets trapped:

What comes next is not very desirable for a security researcher: being profiled by the malware operator.

If the host belongs to a trapped analyst, the file downloaded from the backend in response to the exfiltration BITS job, if any, is discarded and overwritten by the following new tuple:

hxxps://<active C2>/doc/updx2401.jpg*eval*-1

In this case, the value #1 of the tuple is a URL that’s known to the backend for being associated with trapped hosts. BITS jobs from trapped hosts don’t always get a response. If they do, it’s a copy of the dropper PowerShell script. This could be to create an illusion that the framework is being updated as the URL in value #1 of the tuple suggests (hxxps://<active C2>/doc/updx2401.jpg).

However, the string included in all successive exfiltration BITS jobs from such a host is "td":"-1","tds":"3", eventually leading to all such hosts being grouped under the value "td":"-1". This forms the group of all trapped machines, which are never delivered a payload. For the rest, evidence so far suggests that the backend has been delivering the file infector Ramnit intermittently.
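As an added example (not Microsoft's code, nor the malware's), the following Python triages the stage-tracking and trap scheme described above from the defender's side: it parses the three-value url*action*stage response tuple, and scans constructed BITS job log lines for the base64-encoded "td"/"tds" string so that hosts can be grouped by reported stage and the td = -1 trapped-analyst group stands out. The `host=... RemoteURL=...` log layout and the placement of the encoded data in a query parameter are assumptions.

```python
"""Triage helpers for the Starslord (sLoad 2.0) stage-tracking scheme.
Added example, not Microsoft's or the malware's code: the BITS log lines are
constructed and the URL layout is an assumption; only the 'url*action*stage'
tuple and the "td"/"tds" strings come from the post."""
import base64
import binascii
import re
from typing import Dict, List, Optional, Tuple

# Value #2 of the response tuple can only be one of these (from the post).
KNOWN_ACTIONS = {"eval", "iex", "run"}

# The stage string the malware embeds in later exfiltration jobs, e.g.
#   "td":"2","tds":"3"  -> stage 2 from C2; tds 3 = payload ran, 4 = it failed
STAGE_RE = re.compile(r'"td":"(-?\d+)","tds":"([34])"')

# A run of base64 text long enough to hold encoded system information.
B64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

# Minimal log format assumed for this example: 'host=<name> RemoteURL=<url>'.
LOG_RE = re.compile(r"host=(\S+)\s+RemoteURL=(\S+)")


def parse_response_tuple(text: str) -> Optional[Tuple[str, str, int]]:
    """Split a C2 response '<url>*<action>*<stage>' into its three values.
    Returns None when the layout or the action is not what the post describes,
    so a malformed response is reported rather than interpreted."""
    parts = text.strip().split("*")
    if len(parts) != 3 or parts[1] not in KNOWN_ACTIONS:
        return None
    try:
        return parts[0], parts[1], int(parts[2])
    except ValueError:
        return None


def is_trap_response(parsed: Tuple[str, str, int]) -> bool:
    """Stage -1 is the value the post reports for trapped analyst hosts."""
    return parsed[2] == -1


def stage_from_remote_url(remote_url: str) -> Optional[Tuple[int, int]]:
    """Find a base64 run in a BITS RemoteURL that decodes to the stage string.
    Returns (td, tds) or None. Re-pads blobs whose '=' padding was stripped."""
    for m in B64_RUN_RE.finditer(remote_url):
        blob = m.group(0).rstrip("=")
        blob += "=" * (-len(blob) % 4)
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            continue
        hit = STAGE_RE.search(decoded)
        if hit:
            return int(hit.group(1)), int(hit.group(2))
    return None


def triage_bits_log(lines: List[str]) -> Dict[str, str]:
    """Classify each host seen in BITS job log lines by its reported stage."""
    result: Dict[str, str] = {}
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        host, url = m.groups()
        found = stage_from_remote_url(url)
        if found is None:
            continue  # no Starslord stage string in this job
        td, tds = found
        if td == -1:
            result[host] = "trapped-analyst-group"
        else:
            result[host] = f"stage {td} {'ok' if tds == 3 else 'failed'}"
    return result


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


# Constructed sample log: two real victims, one trapped analyst box, one benign job.
SAMPLE_LOG = [
    "host=WS01 RemoteURL=https://c2.example/x?d=" + _b64('{"h":"WS01","td":"2","tds":"3"}'),
    "host=WS02 RemoteURL=https://c2.example/x?d=" + _b64('{"h":"WS02","td":"5","tds":"4"}'),
    "host=LAB7 RemoteURL=https://c2.example/x?d=" + _b64('{"h":"LAB7","td":"-1","tds":"3"}'),
    "host=WS03 RemoteURL=https://updates.example/catalog.cab",
]

if __name__ == "__main__":
    for host, verdict in triage_bits_log(SAMPLE_LOG).items():
        print(host, verdict)
```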

Durable protection against evolving malware

sLoad’s multi-stage attack chain, use of mutated intermediate scripts and of BITS as an alternative protocol, and its polymorphic nature in general make it a piece of malware that can be quite tricky to detect. Now it has evolved into a new and polished version, Starslord, which retains sLoad’s most basic capabilities but does away with spyware capabilities in favor of new and more powerful features, posing an even higher risk.

Starslord can track and group affected machines based on the stage of infection, which can allow for unique infection paths. Interestingly, given the distinct reference to a fictional superhero, these groups can be thought of as universes in a multiverse. In fact, the malware uses a function called checkUniverse to determine if a host is an analyst machine.

Microsoft Threat Protection defends customers from sophisticated and continuously evolving threats like sLoad using multiple industry-leading security technologies that protect various attack surfaces. Through signal-sharing across multiple Microsoft services, Microsoft Threat Protection delivers comprehensive protection for identities, endpoints, data, apps, and infrastructure.

On endpoints, behavioral blocking and containment capabilities in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) ensure durable protection against evolving threats. Through cloud-based machine learning and data science informed by threat research, Microsoft Defender ATP can spot and stop malicious behaviors from threats, both old and new, in real-time.


Sujit Magar

Microsoft Defender ATP Research Team

The post sLoad launches version 2.0, Starslord appeared first on Microsoft Security.

Breaking down a two-year run of Vivin’s cryptominers

News Summary

  • There is another large-scale cryptomining attack from an actor we are tracking as “Vivin” that has been active since at least November 2017.
  • “Vivin” has consistently evolved over the past few years, despite having poor operational security and exposing key details of their campaign.

By Andrew Windsor.

Talos has identified a new threat actor, internally tracked as “Vivin,” conducting a long-term cryptomining campaign. We first began linking different samples of malware dropping illicit coin miners to the same actor in November of 2019. However, upon further investigation, Talos established a much longer timeline of activity. Observable evidence shows that Vivin has been active since at least November 2017 and is responsible for mining thousands of U.S. dollars in Monero cryptocurrency off of their infected hosts.

Vivin has been shown to rotate between multiple cryptocurrency wallet addresses, and to alter the delivery chain of their payloads, over different periods of activity. An interesting aspect of the actor’s delivery method is their use of modified pirated software as the initial attack vector, before the samples move on to common “living-off-the-land” methods at later stages of the attack. Vivin makes minimal effort to hide their actions, making poor operational security decisions such as posting the same Monero wallet address found in our observed samples on online forums and social media. Nor do they discriminate in their targeting: rather than selecting victims, they capitalize on general user behavior to generate as large a victim pool as possible.

Despite the market downturn in cryptocurrency values in 2018, cryptomining remained a popular attack method for malicious actors throughout 2019 and heading into 2020. Over the course of last year, Talos Incident Response observed a number of cryptomining attacks, some of which potentially involved more coordinated cybercrime groups and collaboration between multiple threat actors. While more sophisticated actors certainly pose a significant threat, organizations should remain cognizant of the additional threat posed by less advanced actors employing wide or unrestricted targeting. Talos has previously documented one such actor, “Panda,” illustrating their potential for long-term exploitation of their victims’ resources and their resilience against being deterred from future action. These attributes make Vivin, and other actors like them, legitimate risks of organizational resource abuse and potential data theft.


The post Breaking down a two-year run of Vivin’s cryptominers appeared first on Cisco Blogs.

What is Zeppelin Ransomware? Steps to Prepare, Respond, and Prevent Infection


Zeppelin is the latest member of the VegaLocker ransomware family, which also contains strains like Jamper, Storm and Buran. Zeppelin is the work of well-organized threat actors, who have been highly strategic in carefully targeting their ransomware attacks. First spotted in November 2019, Zeppelin has primarily been targeting large companies in Europe and the United States.

How Does Zeppelin Work?

The VegaLocker family appears to be an example of the increasingly common Ransomware-as-a-Service (RaaS) model, in which cybercriminals create ransomware and either sell it to others or rent it out, taking a portion of any ransom collected when it is used in a successful attack. This model not only allows people who don’t know how to create ransomware to become attackers, it also means that similar strains can be run by entirely different people. Unlike the broader reach of VegaLocker family attacks geared toward Russian speakers, the threat actors behind Zeppelin are running a precision campaign, targeting high-profile technology and healthcare companies in Western countries. A more recent attack may also indicate that real estate firms are their latest target.

Other VegaLocker strains used methods like malvertising, in which malware-laden advertisements are placed directly on webpages or distributed through advertising networks, infecting anyone who clicks on them. Zeppelin, on the other hand, is believed to rely heavily on watering-hole attacks, in which websites likely to be visited by the targeted victims are embedded with malware. It has also been found on Pastebin, a plaintext storage site where code snippets are posted for review. Additionally, Zeppelin is easily configurable and can be deployed as a .dll or .exe file, or wrapped in a PowerShell loader.

Once Zeppelin has entered the infrastructure, it installs itself in a temporary folder named .zeppelin and spreads throughout the infected device. Once spread, it begins to encrypt files. What is encrypted can be configured by the threat actor; by default, it encrypts Windows operating system directories, web browser applications, system boot files, and user files in order to preserve system function. Once encryption is complete, a note appears in Notepad informing the victims that they have been attacked and that a ransom must be paid for the return of their data. The contents have varied from a generic note titled !!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT to notes personalized to the organization. There is often an offer to decrypt a single file for free, as proof that decryption is possible, used as a lure to encourage payment.

What to do After a Zeppelin Attack

Researchers have found that in some instances files were only partially encrypted, which may be a bug or an intentional feature to make the files unusable. In a recent case, data was not encrypted at all but simply stolen, either to add pressure to pay the ransom or to sell the data on the dark web if payment did not come through. Either way, once you receive the ransom note there are only two options: pay the ransom or rebuild from backups or from scratch. Whatever you decide, it is strongly recommended that you contact the authorities. For example, U.S. companies can contact the FBI, either through their local field office or with an IC3 complaint form. Such agencies are often best placed to disseminate information widely and put other organizations on alert. From there, the focus should be on rebuilding with stronger safeguards in place, with a strong emphasis on early detection.

How to Prevent Zeppelin Attacks

Ransomware infection can be difficult to prevent, as it is often delivered through social engineering, which regularly comes down to a careless or unsuspecting user. However, ransomware typically lurks for some time, locating sensitive files to steal or encrypt. The ransom demand only comes at the end of the attack, so detecting the ransomware before that point significantly reduces the risk of long-term or permanent damage.

This can be accomplished with Network Insight, an agentless, OS- and platform-agnostic compromised-device detection solution able to identify malware infections like Zeppelin with certainty. Network Insight uses threat intelligence collected by our global sensor network to identify and track Zeppelin's indicators of compromise since it first appeared. Zeppelin uses the legitimate IPLogger service to record victims' IP addresses and locations, via shortened URLs that redirect to malicious downloads. Network Insight tracks these malicious URL strings. It also watches the User-Agent field in HTTP traffic, since the malware sets it to "ZEPPELIN".
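As an added example that is not Core Security's code and not part of the Network Insight product, the PowerShell function below searches HTTP proxy logs for the two network indicators the paragraph names: a User-Agent of ZEPPELIN and callbacks to the IPLogger URL shortener. The log layout, the sample lines and the iplogger.org host name are assumptions made for the example; the page names only the service, not the exact hosts or paths.

```powershell
# Added example (not Core Security's code). Assumed log layout, one request per line:
#   <timestamp> <client-ip> <method> <url> "<user-agent>"
# Adapt $LinePattern to your proxy's real format.

$LinePattern  = '^(?<ts>\S+)\s+(?<src>\S+)\s+(?<method>\S+)\s+(?<url>\S+)\s+"(?<ua>[^"]*)"'
$IpLoggerHost = 'iplogger.org'   # assumption: the service's public domain

function Find-ZeppelinIndicators {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] [string] $Line)

    process {
        if (-not ($Line -match $LinePattern)) { return }
        $m = $Matches   # keep this match; a later successful -match would replace $Matches

        $indicators = @()
        # The article says the malware sets the User-Agent to "ZEPPELIN"; -clike is case-sensitive.
        if ($m.ua -clike '*ZEPPELIN*') { $indicators += 'user-agent' }

        $uri = $null
        $parsed = [System.Uri]::TryCreate($m.url, [System.UriKind]::Absolute, [ref]$uri)
        if ($parsed -and ($uri.Host -eq $IpLoggerHost -or $uri.Host -like "*.$IpLoggerHost")) {
            $indicators += 'iplogger-callback'
        }

        if ($indicators.Count -gt 0) {
            [pscustomobject]@{
                Time       = $m.ts
                Source     = $m.src
                Host       = $(if ($parsed) { $uri.Host } else { '' })
                UserAgent  = $m.ua
                Indicators = ($indicators -join ',')
            }
        }
    }
}

# Constructed sample lines, not real traffic:
$sampleLog = @(
    '2020-01-21T09:14:02Z 10.0.5.17 GET https://www.example.com/index.html "Mozilla/5.0 (Windows NT 10.0)"'
    '2020-01-21T09:15:11Z 10.0.5.23 GET https://iplogger.org/1abc2 "ZEPPELIN"'
    '2020-01-21T09:15:12Z 10.0.5.23 GET https://cdn.example.net/update.bin "ZEPPELIN"'
)

$sampleLog | Find-ZeppelinIndicators | Format-Table -AutoSize
# Real use: Get-Content .\proxy.log | Find-ZeppelinIndicators | Export-Csv zeppelin-hits.csv
```

On the constructed sample the second and third lines are reported (the second on both indicators, the third on the User-Agent alone); the first is clean. A source host that triggers both indicators within seconds, as 10.0.5.23 does here, is the pattern worth paging on, since the IPLogger hit precedes the payload download.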

Our model of normal network behaviour, and our flagging of behaviour outside that norm, enables Core Security to detect highly sophisticated attacks, even APTs, without having seen them before. This may sound simple, but it rests on over 14 years of data science and applied machine learning over tens of billions of data points, so that attacks are detected before ransomware can do its damage.

Pen testing, and pen testing solutions like Core Impact, can also help prepare users to recognize ransomware infection methods. Zeppelin, for instance, can be delivered through phishing, when a user is tricked into clicking a link in an email designed to look as though it came from a trusted source. Social engineering pen testing can uncover who is susceptible to these attacks and recommend additional training to make employees more vigilant before clicking on another suspicious email.


Surge in Ships Seeking Cybersecurity Classification

A leading offshore safety and verification body has reported a rapid rise in the number of ships seeking to gain a cybersecurity classification. 

Ship classification society Bureau Veritas Marine & Offshore (BV) says it has seen a surge in the number of ships applying for its "Cyber Managed" notation. The notation is based on BV's rule NR659 on cybersecurity for the classification of marine units, which was co-developed with marine security experts.

To be awarded a "Cyber Managed" class notation, ships must show that the design, construction, commissioning and maintenance of their onboard computer-based systems are in line with existing cybersecurity best practices and standards, such as IMO MSC-FAL.1/Circ.3, NIST and BIMCO guidelines.

A BV spokesperson said: "Cyber Managed works because it is based on a security risk assessment developed from an initial mapping of onboard systems that results in a practical set of requirements.

"The initial risk analysis and mapping exercise can be performed either during the newbuilding phase or at any time during the lifecycle of the vessel. As such, the notation is applicable to both new and existing ships."

As part of the risk assessment process, the ship's onboard handbook and onshore security policies are reviewed by BV. Vessels are then surveyed to ensure that the documentation supplied accurately reflects the condition of the hardware installed.

The notation doesn't require new equipment to be fitted to the ship, but rather it works by mitigating risk through protecting remote access and network connections. This can often be achieved through software updates. 

According to BV, shipowners in Greece have been pioneers in applying the notation, which is now gaining traction across the entire maritime ecosystem with other shipowners, ship managers, charterers, insurers, and offshore operators. By the end of January 2020, BV predicts that more than 100 ships will be operating under the "Cyber Managed" notation.

"We see that shipowners are willing to invest in ensuring they are addressing cyber-risks, and their charterers are increasingly interested as well," said Paillette Palaiologou, vice president for the Hellenic Black Sea & Adriatic Zone, Bureau Veritas. 

"We are seeing interest from insurers as well—and that this notation can be expected to be a factor in the response of underwriters’ assessment of risk."

Kids and Code: Object Orientated Programming with Code Combat

Geez time flies. It's just a tad under 4 years ago that I wrote about teaching kids to code with code.org which is an amazing resource for young ones to start learning programming basics. In that post I shared a photo of my then 6-year-old son Ari holding a Lenovo Yoga 900 I gifted him as part of the Insiders program I'm involved in:

He got a lot of mileage out of that machine and learned a lot about the basics of both code and using a PC. Today seemed like a good time to follow up on that post, starting with a new machine:

This one is a Lenovo Yoga C940 and for full disclosure, it came courtesy of the same program his last one did. The 900 was a great machine but it ultimately succumbed to the sort of treatment you'd expect a 6 / 7 / 8 / 9 / 10-year-old to dish out over a period of 4 years. The new machine times well with him moving into year 5 which, for his school, is the first year that kids need to start bringing a laptop in with them. Curiously, the requirement there is for a Windows-based touch screen machine (I imagine Mac families aren't real happy about that...) which suits the Yoga just fine. Plus, it does the whole bendy flippy "yoga" thing so it can be used in tablet mode too (more on that later):

Flush with good machines myself (I run a ThinkPad P1 as my primary machine and the P50 I wrote about years ago as a backup), when the C940 arrived the other day I thought it was time to do an updated post. I also want to use this post as an opportunity to plug a couple of upcoming free events Ari and I will be running for kids:

  1. DevClub @ NDC Security Oslo, Wednesday 22 Jan
  2. DevClub @ NDC London, Thursday 30 Jan

They both run at the end of the day during the respective NDC conferences and they're a great way to expose kids to code. I wrote about this briefly when we announced the events in November, let's now move on to a few of the Code Combat basics.

Firstly, get into it for free at codecombat.com. Being browser based there's no install, no setups, no elevated privileges required etc etc. Just point and go.

Code Combat takes you through a progression of levels that gradually introduce new concepts akin to the ones we use in everyday "adult" programming. For example, take a look at the following screen:

You'll see the language is set to Python and the code window represents a whole bunch of common programmatic constructs including:

  1. Comments
  2. Variables
  3. Data types
  4. Methods
  5. Arguments

You can run the code as is (this is populated by default at the beginning of each level), but the objective of this particular exercise won't be met so the code will fail. You can then debug the code, modify it and re-run, just like we'd do when writing software as a profession. It's somewhat gamified with heroes fighting enemies and animations that make the whole thing a lot more engaging so at least in our experience, it's something he's quite happy sitting down plugging away at for decent amounts of time without it becoming tedious.

As with most games, as you progress through the levels new concepts are introduced and the complexity increases. For example, some of the aforementioned programmatic constructs are introduced in the "Defense of Plainswood" level:

Keep going further through the levels and more concepts are introduced, including some you'll be pretty familiar with yourself if code is your day job:

So that's Code Combat in a nutshell and I'd highly recommend getting your kids involved with it. If they're a bit younger like Ari was in that first blog post then get them on over to code.org but either way, give them the opportunity to code. I never push either of my kids in this direction (my 7-year-old daughter regularly uses code.org), but I've found just a little bit of exposure has been enough to have them coming back and continually asking to do more. Clearly, they enjoy it (this vid is a good example of where the touch screen and convertibility of the Lenovo Yoga is really handy too):

That's it on the kids coding front for now, if you're in Oslo this week or London next week then do please get along to one of the NDC events, we'd love to see a great turnout of parents and their kids. Who knows, it might just be the spark they need to set them on a passionate (and maybe even professional) coding journey.

US Cybersecurity Firm Founder Admits Funding DDoS Attacks

An American businessman who co-founded a cybersecurity company has admitted to hiring criminals to carry out cyber-attacks against others.

Tucker Preston, of Macon, Georgia, confessed to having paid threat actors to launch a series of distributed denial-of-service (DDoS) attacks between December 2015 and February 2016. 

DDoS attacks prevent a website from functioning by bombarding it with so much junk internet traffic that it can't handle visits from genuine users.

In a New Jersey court last week, 22-year-old Preston pleaded guilty to one count of damaging protected computers by transmission of a program, code, or command. Preston admitted to causing at least $5,000 of damage to the business he targeted. 

"In or around December 2015, Preston arranged for an entity that engages in DDoS attacks to initiate attacks against a company. The entity directed DDoS attacks against the victim company, causing damage and disrupting the victim’s business," wrote the Department of Justice in a statement released on January 16.

The count to which Preston pleaded guilty is punishable by a maximum penalty of 10 years in prison and a fine of up to $250,000 or twice the gross gain or loss from the offense.

US Attorney Craig Carpenito credited special agents of the FBI, under the direction of Special Agent in Charge Gregory W. Ehrie in Newark, New Jersey, with the investigation that led to Preston's guilty plea.

The identity of the company that Preston paid criminals to attack has not been revealed, but Carpenito has confirmed that the targeted business had servers in New Jersey. 

Preston co-founded the cloud-based internet security and performance company BackConnect Security LLC, which claims to be "the new industry standard in DDoS mitigation" and is currently online using an invalid certificate. 

Preston was featured in the 2016 KrebsOnSecurity story "DDoS Mitigation Firm Has History of Hijacks," which detailed how BackConnect Security LLC had developed the unusual habit of hijacking internet address space it didn't own in a bid to protect clients from DDoS attacks. 

Preston will reappear before the court on May 7 for sentencing.

New report says Windows’ EFS encryption could be leveraged by ransomware

Infosec teams are being warned about a vulnerability in Windows’ file encryption capability which may mean temporarily abandoning the EFS encryption functionality

Windows has long offered the EFS file and folder capability in the Pro, Professional, Business, Ultimate, Enterprise and Education editions of the operating system. Organizations may find this built-in functionality useful for protecting certain data, although an enterprise-toughened encryption solution may be required for large corporations.

But in a blog post this morning, SafeBreach Labs reported a proof-of-concept attack that in effect turns EFS on itself, using the built-in encryption as a ransomware weapon to encrypt an entire disk.

This “EFS ransomware” type of attack was tested with Windows 10 64-bit versions 1803, 1809 and 1903, the blog says, but should also work on Windows 32-bit operating systems, and on earlier versions of Windows as far back as Vista.

Related: Ransomware now stealing data

To a threat actor, this type of attack has the advantage of encrypting files deep in the kernel at the NTFS driver level, and the modification wouldn’t be noticed by file-system filter drivers. It also doesn’t require administrator rights or human interaction.

On the other hand when files and/or folders are encrypted, a small yellow padlock icon is displayed at the top right corner of the file/folder main icon, which might tip off a user of something suspicious. And if a Data Recovery Agent is defined for the machine (this is not the default for standalone/workgroup machines, but it is the default for domain-joined machines), then recovery is trivial using the Data Recovery Agent.

What worried SafeBreach is that several anti-ransomware solutions it tested, including Windows 10 Controlled Folder Access, failed to catch the attack it had crafted. Last fall it quietly contacted a number of security providers, including Avast, ESET and Kaspersky. Many of them have since updated their software to detect such an attack or are about to issue updates.

SafeBreach said Microsoft told it last October that it considers Controlled Folder Access a defence-in-depth feature. “We assessed this submittal (by SafeBreach) to be a moderate class defence-in-depth issue, which does not meet the Microsoft Security Servicing Criteria for Windows. Microsoft may consider addressing this in a future product.”

Still, some organizations may want to stop using or turn off EFS until they are confident their tooling detects this kind of attack, or they may want to move to another encryption solution.
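As an added example, written for this note and not taken from SafeBreach's research or from Microsoft's documentation, the PowerShell below lets an administrator see whether EFS is already disabled system-wide, count EFS-encrypted files under a path so that a sudden jump can be alerted on (the padlock overlay the article mentions is just the Encrypted file attribute), and apply the temporary mitigation of switching EFS off. The baseline file location, the root path and the alert threshold are assumptions; run it elevated, and note that disabling EFS blocks new encryption but does not decrypt files that are already encrypted.

```powershell
# Added example (not SafeBreach's or Microsoft's code). Run from an elevated prompt.
# Assumptions: NTFS volumes on Windows 10; the paths and threshold below are illustrative.

$FileSystemKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'

function Get-EfsState {
    # NtfsDisableEncryption = 1 is the value "fsutil behavior set disableencryption 1" writes.
    $val = (Get-ItemProperty -Path $FileSystemKey -Name NtfsDisableEncryption -ErrorAction SilentlyContinue).NtfsDisableEncryption
    [pscustomobject]@{
        EfsDisabled = ($val -eq 1)
        Fsutil      = (& fsutil behavior query disableencryption) -join ' '
    }
}

function Get-EfsEncryptedFiles {
    # Returns every file carrying the Encrypted attribute under the given roots.
    param([string[]] $Path = @($env:USERPROFILE))
    Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band [System.IO.FileAttributes]::Encrypted) -ne 0 }
}

function Test-EfsSurge {
    # Compare the current count with a stored baseline. A large jump on a host that
    # normally uses little or no EFS is the signal the attack described above produces.
    param([string] $BaselineFile = "$env:ProgramData\efs-baseline.txt",
          [int]    $Threshold    = 50)
    $now      = @(Get-EfsEncryptedFiles).Count
    $baseline = if (Test-Path $BaselineFile) { [int](Get-Content $BaselineFile -Raw).Trim() } else { 0 }
    Set-Content -Path $BaselineFile -Value $now
    [pscustomobject]@{ Baseline = $baseline; Current = $now; Alert = (($now - $baseline) -ge $Threshold) }
}

function Disable-Efs {
    # Temporary mitigation: refuse new EFS encryption system-wide. Files that are already
    # encrypted stay readable for their key holders. Reboot so the setting applies everywhere.
    & fsutil behavior set disableencryption 1
}

function Enable-Efs { & fsutil behavior set disableencryption 0 }

Get-EfsState
Test-EfsSurge
```

Schedule Test-EfsSurge from a task or your EDR's script runner and forward the Alert field; on a fleet where EFS is not used the threshold can be as low as one. Where a Data Recovery Agent is defined, as the article notes for domain-joined machines, keep the DRA's private key available offline: it is what makes recovery trivial if the surge turns out to be the real thing.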

Micropatch simulates workaround for recent zero-day IE flaw, removes negative side effects

ACROS Security has released a micropatch that implements the workaround for a recently revealed, actively exploited zero-day RCE flaw affecting Internet Explorer (CVE-2020-0674).

Remote code execution vulnerability affecting IE

Last Friday, Microsoft released an out-of-band security advisory notifying Internet Explorer users of a remote code execution vulnerability affecting IE 11, 10 and 9 on various versions of Windows and Windows Server, which it knows is being exploited in "limited targeted attacks". Flagged by researchers from … More

Scottish Police Deploy Tech That Extracts Data from Locked Smartphones

Police Scotland has announced plans to establish "cyber kiosks" that will allow officers to scan locked smart devices for evidence. 

The 41 new kiosks will be located in police stations across local policing divisions, where they will be operated by over 400 specially trained officers.

Each kiosk is essentially a desktop computer capable of performing data extraction, transfer, and analysis. The extraction devices are manufactured by Israeli company Cellebrite and are used around the world to retrieve data from cell phones, drones, and other types of digital technology.

Police Scotland said the Cellebrite devices will speed up their workflow and get smartphones that are found not to contain any information pertinent to an investigation back into their owners' hands more quickly. 

"The technology allows specially trained officers to triage mobile devices to determine if they contain information that may be of value to a police investigation or incident. This will allow lines of inquiry to be progressed at a much earlier stage and devices that are not relevant to an investigation to be returned quicker," said Police Scotland.

Scottish police purchased the Cellebrite devices two years ago; however, legal concerns over how the technology may impact the public's right to privacy have delayed their deployment. 

The Scottish Human Rights Commission and Privacy International have each said that the legal powers under which Police Scotland will operate the new technology are "not sufficiently clear, foreseeable or accessible."

Privacy International has expressed concerns over "the failure of Police Scotland to carry out impact assessments" in relation to the new technology.

Deputy Chief Constable Malcolm Graham has said that the technology will only be used by the police where there is a "legal basis and where it is necessary, justified and proportionate" to an incident or crime under investigation.

Graham said: "Increases in the involvement of digital devices in investigations and the ever-expanding capabilities of these devices mean that demand on digital forensic examinations is higher than ever.

"Current limitations however, mean the devices of victims, witnesses and suspects can be taken for months at a time, even if it later transpires that there is no worthwhile evidence on them. By quickly identifying devices which do and do not contain evidence, we can minimize the intrusion on people’s lives and provide a better service to the public."


First patches for the Citrix ADC, Gateway RCE flaw released

As attackers continue to hit vulnerable Citrix (formerly NetScaler) ADC and Gateway installations, Citrix has released permanent fixes for some versions and has promised to provide them for other versions, and for two older versions of SD-WAN WANOP, by January 24.

A short timeline before the situation update

CVE-2019-19781, a critical vulnerability affecting Citrix ADC and Gateway that may allow unauthenticated attackers to achieve remote code execution and obtain direct access to an organization's local … More

GDPR: $126 Million in Fines and Counting

More than 160,000 Data Breaches Reported to EU Regulators, DLA Piper Finds
Since the EU's General Data Protection Regulation went into full effect in May 2018, European data protection authorities have received more than 160,900 data breach reports and imposed $126 million in fines under GDPR for a wide variety of infringements, not all involving data breaches.

SECURITY ALERT: 0-Day Vulnerability in Internet Explorer Is Abused in Targeted Attacks

New malicious code is wreaking havoc in corporate IT networks by exploiting a 0-day vulnerability in Internet Explorer.

Even if this browser is not the default one on endpoints within your organization, you still have reason to be concerned. The malicious code reaches your systems through email, corrupts memory in the browser's scripting engine and then executes arbitrary code.

Here is everything you need to know about the way in which this 0-day vulnerability in Internet Explorer gets abused and how to protect your organization.

The 0-Day Vulnerability Gets Exploited Through Malicious Email Links

According to our intel, this malicious code has been abused in targeted attacks delivered through spear phishing. The 0-day vulnerability in Internet Explorer can be activated by attackers either via a drive-by attack or through a malicious link sent to the target through email.

The vulnerability has been assigned CVE-2020-0674 and is the subject of an official warning from Microsoft. It can be abused to corrupt memory via the legacy JScript scripting engine (jscript.dll) and thereby execute arbitrary code on vulnerable systems.

According to Microsoft, the remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Internet Explorer. An attacker who exploits it gains the same user rights as the current user of that endpoint and can execute arbitrary code in that context.

This is even more dangerous if your organization does not practice Privileged Access Management (PAM), since compromising a user with admin rights through this 0-day could give an attacker access to your entire IT infrastructure. According to Microsoft's warning, "An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

How to Stay Safe from this 0-Day Exploit

Don’t allow yourself to get breached by proactively addressing this issue before the 0-day vulnerability in Internet Explorer can be leveraged against you.

Currently, the only known workaround is to restrict access to jscript.dll in IE9-11 by taking ownership of the file and then denying all access to it. For a 32-bit operating system the commands are:

takeown /f %windir%\system32\jscript.dll
cacls %windir%\system32\jscript.dll /E /P everyone:N
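As an added example that is not Heimdal's code, the PowerShell below wraps Microsoft's documented takeown/cacls workaround so that it covers both copies of jscript.dll on 64-bit Windows (%windir%\system32 and %windir%\SysWOW64), checks that the Deny entry is actually present, and undoes it again, which Microsoft instructs administrators to do before installing the eventual update. It assumes a default %windir% and the English "Everyone" principal name. IE 11 uses jscript9.dll by default and only loads the legacy jscript.dll for pages that request it, which is why denying access to that one file blocks exploitation; Microsoft notes that components that rely on jscript.dll, such as proxy auto-configuration scripts in some environments, may stop working while the workaround is in place.

```powershell
# Added example (not Heimdal's code). Run from an elevated PowerShell prompt.
# Assumptions: default %windir%; English principal name "Everyone".

$JscriptPaths = @(
    "$env:windir\system32\jscript.dll"
    "$env:windir\SysWOW64\jscript.dll"    # present on 64-bit Windows only
) | Where-Object { Test-Path $_ }

function Enable-JscriptWorkaround {
    # The same two commands Microsoft documents, applied to every copy present.
    foreach ($p in $JscriptPaths) {
        & takeown /f $p | Out-Null
        & cacls $p /E /P everyone:N | Out-Null
    }
}

function Test-JscriptWorkaround {
    # $true only when every present jscript.dll carries an explicit Deny ACE for Everyone.
    foreach ($p in $JscriptPaths) {
        $deny = (Get-Acl -Path $p).Access | Where-Object {
            $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -eq 'Everyone'
        }
        if (-not $deny) { return $false }
    }
    return $true
}

function Disable-JscriptWorkaround {
    # Microsoft's undo step: remove the Everyone entry before installing the fix.
    foreach ($p in $JscriptPaths) {
        & cacls $p /E /R everyone | Out-Null
    }
}

Enable-JscriptWorkaround
if (Test-JscriptWorkaround) {
    'jscript.dll access denied to Everyone on all copies'
} else {
    Write-Warning 'Workaround not fully applied; re-run the cacls commands without Out-Null to see why'
}
```

Keep a record of which hosts had the workaround applied: takeown leaves the file owned by the administrator rather than TrustedInstaller, so the undo step should be run, and the patch installed, on exactly that set of machines.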

We have seen several malicious domains exploiting this vulnerability and we are blocking them all. So if you are using our DNS traffic filtering solution, Thor Foresight Enterprise, those domains are already blocked for you. DNS filtering can only stop domains that are already known, so the jscript.dll restriction above remains worthwhile until Microsoft ships a fix.

Stay safe.

Report: A Cyberattack Could Severely Disrupt the US Financial System

A new staff report from the Federal Reserve Bank of New York highlights the risk and potential fallout that a sophisticated cyberattack might have on the United States. In the report, analysts examined a scenario in which a single-day shock hits the country’s payment network, Fedwire, measuring the broad impact it would have on the economy. The results? A significant 38 percent of the network would be affected on average by significant spillovers to other banks, damaging the stability of the broader financial system in the United States.

How an attack might unfold

According to the analysts, this hypothetical situation would unfold swiftly. It begins with a cyberattack that allows financial institutions to continue receiving payments but prevents them from sending any payments throughout the operating day. In this scenario, because payments are actualized when Fedwire receives requests from senders, an institution’s balance in the system immediately reflects those changes—yet the targeted financial institution is unable to interact with Fedwire, causing a backup in the system. Essentially, impacted banks would become black holes that absorb liquidity without distributing any money.

Timing matters too and can magnify the impacts of a breach. “Attacks on seasonal days associated with greater payment activity are more disruptive relative to non-seasonal days, with average impacts that are about 13 percent greater,” the report says. “We estimate that, on average, attacking on the worst date for a particular large institution adds an additional 25 percent in impairment relative to the case of no specific knowledge.”

The domino effect of liquidity hoarding

An important point to consider from this analysis is that the consequence of hoarding cash and forgoing payments during a breach can worsen the situation. The report explains, “We find that liquidity hoarding amplifies the network impact of the cyberattack, both increasing the average impact on the system and increasing the maximal risk.” As banks are not necessarily perceptive of daily liquidity conditions because they have ample reserves on hand, they likely will not react to these irregularities very quickly. Thus, all institutions other than the one impacted by a breach will continue to make payments as usual, resulting in substantial interruptions in the network.

It’s a domino effect that could shake up the whole system. Analysts uncovered a correlation between assets and payments over 80 percent, finding that a smaller subset of banks plays a vital role in markets like equity and Treasury. A cyberattack on a single institution could impede the day-to-day functions of the payment network and cause quite a headache that extends beyond the impacted institutions, reaching into the economy.

Failing to respond to these issues strategically as they unfold can lead to that previously mentioned black hole of liquidity. This problem may be worsened if financial institutions use the same third-party service providers, which offers less incentive for banks to monitor activity and spot abnormalities that can cause liquidity interruptions.

Strengthening security for financial institutions

Considering the above scenario, data from our most recent State of Software Security report (SOSS) indicates that the financial industry has some work to do to shore up its application security. The figures reveal that, in the financial industry specifically, the median time to remediate security flaws in code (MedianTTR) is 67 days, which is higher than nearly every other industry we measured. Information leakage also has a high prevalence at 66 percent as opposed to 63 percent across all industries.

Our data uncovers best practices that are dramatically improving remediation times and reducing overall security debt. The analysis for this year’s report found that when organizations scan their applications for security more than 260 times per year their median fix time drops from 68 days to 19 days—a 72% reduction.

Get more details on the application security trends and best practices in the full SOSS report.

 

The Mystery of Fbot

A few days ago, MalwareMustDie team security researcher unixfreaxjp published a new analysis of the Linux malware Fbot, focused on decrypting the latest encryption logic used by its bot client.

This is not the first Fbot analysis to be published, and Fbot binaries have been actively infecting IoT devices since well before 2018.

This article explains what we have learned about Fbot, traced back to 2014, and discusses the mysteries that remain after Fbot has been detected.

The background before the Fbot Mirai variant

Fbot is one of the Mirai variants; Mirai is the Linux malware first detected in August 2016 by the same team that wrote the analysis mentioned above. When the Mirai source code was leaked by its author (nickname: AnnaSenpai), and then shared openly on GitHub within only a month after the analysis report had been published, many young hackers involved in the “DDoS criminal ecosystem”, who had already been using IoT devices for DDoS before Mirai existed, raced to learn how to install, adapt and transform Mirai into their DDoS botnet platforms. Most of those platforms had been built on Kaiten, STD, GafGyt (also known as Qbot, Torlus or Bashlite) or Perlbot malware source code, and Mirai had proven to be more recently coded, to have more powerful flooding, and to include anti-reverse-engineering tricks.

This wave marks a significant point in the timeline, a technological step up for DDoS botnet and IoT malware development.

It is known in the underground that Satori, the predecessor of the code now known as Fbot, began to be developed after the Mirai code leak by young botnet coders, most of whom were also herders of Qbot (GafGyt) botnets. One of them, living in the UK and known under various nicknames (Vicious, ViciousAttack, Vi, Vamp, DustPan, NixFairy, HollySkye or RespectVicious), had allegedly been involved in this variant’s development too.


(Figure 1 – Vamp’s account on Twitter)

Vamp was among a number of suspects arrested across the United Kingdom in the investigation of the TalkTalk cyber incident of 2015, and he is also a suspect in the activity of the Mirai botnet that caused great damage in several parts of the globe from 2016. Vamp, along with other “partners” (including Nexus Zeta, who has been indicted for a similar crime in the US), was involved in the original development of the Satori botnet. After the legal proceedings, Vamp went off the grid; the most recent news about him is the legal matter of the lifting of his anonymity in 2018, as reported by The Irish News in an article published on 14 March 2018, which we quote:

“With the criminal case now concluded, Mr Simpson said: ‘…this young man has now been dealt with, and he is now over 18 (years old).’ On that basis Mr Justice Maguire agreed to discharge the prohibition on identifying the teenager.”

The mystery of Fbot

What has happened now is the re-emergence of the Satori-based Mirai variant with a payload called Fbot.[.supported_architecture], which has been detected since September 2018 in several honeypot logs and has also been reported in the analysis mentioned here.


(Figure 2 – Fbot Scanning Activities with “SATORI” Keyword Detected)

The link between Fbot and the Satori base is visible in both its infection activity and its executable file. For example, in the scanner log:

And also in the binary, as hardcoded strings:


(Figure 3 – The Hardcoded “SATORI” Strings in Fbot Binary)
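As an added example (not MalwareMustDie’s or the author’s code), the script below does the binary-side check described above on a Linux ELF sample: it extracts printable strings like the `strings` tool, reads the target architecture from the ELF header, and flags the hardcoded SATORI marker and any Fbot.<arch> payload names. The sample bytes are constructed, not a real Fbot binary, and the architecture suffix list is an assumption, since the article only gives the naming pattern.

```python
"""Triage a Linux ELF sample for the Satori/Fbot markers described in the article.

Added example, not MalwareMustDie's or the author's code. SAMPLE is constructed,
not a real Fbot binary; the architecture suffixes in PAYLOAD_NAME are assumed.
"""
import re
import struct

# Marker the article reports as hardcoded in the Fbot binary.
SATORI_MARKER = "SATORI"

# Payload names of the form Fbot.<arch>; the suffixes are assumed, with the
# longer "arm7" listed before "arm" so the regex prefers the full name.
PAYLOAD_NAME = re.compile(rb"Fbot\.(?:arm7|arm|mips|mpsl|x86|sh4|ppc|m68k|spc)")

# e_machine values from the ELF specification, enough to map the usual IoT targets.
ELF_MACHINES = {
    0x02: "sparc", 0x03: "x86", 0x04: "m68k", 0x08: "mips",
    0x14: "ppc", 0x28: "arm", 0x2A: "sh", 0x3E: "x86-64",
}


def printable_strings(data: bytes, min_len: int = 4) -> list:
    """Return runs of printable ASCII of at least min_len bytes (like `strings`)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def elf_machine(data: bytes):
    """Return the target architecture name from the ELF header, or None if not ELF."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None
    endian = "<" if data[5] == 1 else ">"        # EI_DATA: 1 = little, 2 = big endian
    (e_machine,) = struct.unpack(endian + "H", data[18:20])
    return ELF_MACHINES.get(e_machine, "unknown(0x%x)" % e_machine)


def triage(data: bytes) -> dict:
    """Summarise architecture, Satori marker, payload names and all strings found."""
    strings = printable_strings(data)
    return {
        "arch": elf_machine(data),
        "satori_marker": any(SATORI_MARKER in s for s in strings),
        "payload_names": sorted({m.group().decode("ascii") for m in PAYLOAD_NAME.finditer(data)}),
        "strings": strings,
    }


# Constructed sample: a minimal little-endian ARM ELF header followed by the kind
# of hardcoded strings the article describes. Not a real malware sample.
SAMPLE = (
    b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8   # e_ident: ELFCLASS32, little endian
    + b"\x02\x00"                                    # e_type = ET_EXEC
    + b"\x28\x00"                                    # e_machine = EM_ARM
    + b"\x00" * 32
    + b"/bin/busybox SATORI\x00"
    + b"Fbot.arm7\x00Fbot.mips\x00"
)

if __name__ == "__main__":
    print(triage(SAMPLE))
```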

Could it be that one of the “partners” in Satori’s development has renamed compiled binaries of the Satori project to Fbot? What are Vamp and Nexus Zeta doing nowadays? Or could it be that someone else has taken the whole Satori source code and reused it for their own purposes, naming the compiled binaries Fbot?

This is the mystery that comes to mind after reading the complete report in MalwareMustDie’s latest post.

To make things more mysterious, Fbot-infected devices are currently still observed attempting to infect other IoT devices, but the payload is no longer being dropped from the C2 server.

The latest detection can also be seen in MalwareMustDie’s latest post:


(Figure 4 – Recent Record of Fbot Infection Log In the Analysis Article)

The researchers have confirmed that, since the analysis was posted on MalwareMustDie, the Fbot C2 has not been dropping new payloads for further infection activity.

Does this mean the Fbot coder is abandoning the botnet after all this time?

Whoever the herder is, we all hope that the coder will stop his malicious activity for good.

Pierluigi Paganini

(SecurityAffairs – Fbot, malware)

The post The Mystery of Fbot appeared first on Security Affairs.

Unlock the power of threat intelligence with this practical guide. Get your free copy now

Graham Cluley Security News is sponsored this week by the folks at Recorded Future. Thanks to the great team there for their support! At Recorded Future, we believe every security team can benefit from threat intelligence. That’s why we’ve published “The Threat Intelligence Handbook.” It’s aimed at helping security professionals realize the advantages of threat […]

Researchers create OT honeypot, attract exploits and fraud

Trend Micro announced the results of research featuring a honeypot imitating an industrial factory. The highly sophisticated Operational Technology (OT) honeypot attracted fraud and financially motivated exploits.

Hardware equipment that ran the factory

Complex investigation

The six-month investigation revealed that unsecured industrial environments are primarily victims of common threats. The honeypot was compromised for cryptocurrency mining, targeted by two separate ransomware attacks, and used for consumer fraud. “Too often, discussion of cyber threats to industrial … More

The post Researchers create OT honeypot, attract exploits and fraud appeared first on Help Net Security.

US-based children’s clothing maker Hanna Andersson discloses a data breach

The US-based children’s clothing maker Hanna Andersson has disclosed a data breach that affected its customers.

The US-based children’s clothing maker and online retailer Hanna Andersson has disclosed a data breach: attackers planted an e-skimmer on its e-commerce platform.

Like other Magecart attacks, crooks compromised the online store and injected JavaScript code into checkout pages to steal payment data while users were making purchases.
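As an added defender-side example (not code from Hanna Andersson, Salesforce Commerce Cloud or the post’s author), the script below audits a checkout page for script tags that are not on an allowlist, the way an injected skimmer would show up, and derives a matching Content-Security-Policy script-src directive from the same allowlist; the checkout HTML, hostnames and inline script are constructed.

```python
"""Audit a checkout page for script content that is not on an allowlist.

Added example, not Hanna Andersson's, Salesforce Commerce Cloud's or RiskIQ's
code. The checkout HTML, allowed hosts and inline script are constructed.
"""
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from an HTML page."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._capturing = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._capturing, self._buf = True, []

    def handle_data(self, data):
        if self._capturing:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._capturing:
            self._capturing = False
            self.inline.append("".join(self._buf))


def sha256_b64(text: str) -> str:
    """Base64 SHA-256 of a script body, the form used by CSP 'sha256-...' sources."""
    return base64.b64encode(hashlib.sha256(text.encode("utf-8")).digest()).decode("ascii")


def audit_checkout(html: str, allowed_hosts: set, known_inline: set) -> list:
    """Return (kind, value) findings: external scripts from hosts outside the
    allowlist and inline scripts whose hash is unknown. Relative src values are
    treated as same-origin and are not reported."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.external:
        host = urlparse(src).netloc.lower()
        if host and host not in allowed_hosts:
            findings.append(("external", src))
    for body in collector.inline:
        digest = sha256_b64(body)
        if digest not in known_inline:
            findings.append(("inline", digest))
    return findings


def csp_script_src(allowed_hosts: set, known_inline: set) -> str:
    """Build a CSP script-src directive from the same allowlist, so the browser
    itself refuses scripts the audit would have flagged."""
    sources = ["'self'"] + sorted(allowed_hosts)
    sources += ["'sha256-%s'" % h for h in sorted(known_inline)]
    return "script-src " + " ".join(sources)


# Constructed allowlist: the shop's own static host plus its payment provider.
ALLOWED_HOSTS = {"static.shop.example", "js.payments.example"}
KNOWN_INLINE_BODY = "window.checkoutConfig = {currency: 'USD'};"
KNOWN_INLINE = {sha256_b64(KNOWN_INLINE_BODY)}

# Constructed checkout page: expected scripts plus two that the audit should flag.
CHECKOUT_HTML = f"""<html><body>
<script src="https://static.shop.example/checkout.js"></script>
<script>{KNOWN_INLINE_BODY}</script>
<script src="/assets/app.js"></script>
<script src="https://cdn-stats.example.net/jquery.min.js"></script>
<script>/* constructed placeholder for an unexpected inline script */</script>
</body></html>"""

if __name__ == "__main__":
    for kind, value in audit_checkout(CHECKOUT_HTML, ALLOWED_HOSTS, KNOWN_INLINE):
        print(kind, value)
    print(csp_script_src(ALLOWED_HOSTS, KNOWN_INLINE))
```

Run against a saved copy of the live checkout page on a schedule, a change in the findings is the signal to investigate; the CSP directive is the preventive control for the same allowlist.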

Hacker groups under the Magecart umbrella continue to steal payment card data with so-called software skimmers. Security firms have monitored the activities of at least a dozen groups since 2010.

According to a joint report published by RiskIQ and FlashPoint in 2019, some groups are more advanced than others, in particular, the gang tracked as Group 4 appears to be very sophisticated.

The list of victims of these groups is long and includes several major platforms such as British Airways, Newegg, Ticketmaster, MyPillow and Amerisleep, and Feedify.

Millions of Magecart instances have been detected over time, and security experts have discovered dozens of software skimming scripts.

In a report recently published by RiskIQ, experts estimate that the group has impacted millions of users. At the time, RiskIQ reported a total of 2,086,529 instances of Magecart detections, most of them were supply-chain attacks.

Hanna Andersson has started informing its customers via email. The company was informed by law enforcement on December 5 that data related to credit cards used by its customers on its websites was available for sale on the dark web.

The company immediately launched an investigation that revealed that a third-party e-commerce platform, Salesforce Commerce Cloud, was infected with an e-skimmer. Forensics experts hired by the company discovered that the malicious code was likely planted on September 16, 2019. The malware was completely removed on November 11, 2019.

While Hanna Andersson’s investigation into the security incident revealed that not all of the customers who paid using their payment cards through Salesforce Commerce Cloud (previously known as Demandware) were affected, it was not able to pinpoint which ones were.

“The incident potentially involved information submitted during the final purchase process on our website, www.hannaandersson.com, including name, shipping address, billing address, payment card number, CVV code, and expiration date,” reads a notice issued by the company.

“We have taken steps to re-secure the online purchasing platform on our website and to further harden it against compromise. In addition, we have retained forensic experts to investigate the incident and are cooperating with law enforcement and the payment card brands in their investigation of and response to the incident.”

The company sanitized its e-commerce platform and says it has implemented additional measures to protect the website.

The retailer is offering MyIDCare identity theft protection services through ID Experts, which include 12 months of credit and CyberScan monitoring, a $1,000,000 insurance reimbursement policy, and fully managed identity theft recovery services.

Pierluigi Paganini

(SecurityAffairs – Hanna Andersson, hacking)

The post US-based children’s clothing maker Hanna Andersson discloses a data breach appeared first on Security Affairs.

Supply Chain Cyber Security: What Are the Risks?

As organizations and their partners become increasingly interconnected, cyber security risks can endanger all parties involved. Even when your business is protected by sophisticated security tools, you can never be certain your suppliers have the same methods of protection in place. This is why you should never ignore potential supply chain cyber security risks when it comes to protecting your company and its sensitive information.

A study conducted by the Ponemon Institute found that 59% of companies had been affected by a cyberattack through third parties, so it’s clear that this aspect of your business must not be neglected.

Keep in mind that cyber attackers are always hunting for vulnerabilities to compromise your business, thus every security hole (including the ones in your supply chain) must be closed.

Here is an essential question you should ask yourself before partnering up with a vendor: After closing this partnership, will my supply chain cyber security keep pace?

The supply chain cyber security risks

First of all, what exactly does supply chain cyber security refer to? Here is how the Infosec Institute explains the concept:

Cyber security in the supply chain is a subset of supply chain security and is focused on the management of cyber security requirements for information technology systems, software, and networks, which are driven by threats such as cyber-terrorism, malware, data theft and the Advanced Persistent Threat (APT).

Basically, a supply chain attack happens when someone infiltrates your organization through a third-party: a partner or provider. Even though controlling this aspect may seem highly difficult at first glance, the good news is that there are some ways in which you can protect your business.

First of all, you should identify how your supply-chain partners may (unintentionally) compromise your business to be able to understand how to protect yourself. But I’ll cover the steps you should take to safeguard your company from supply chain cyber security attacks in more detail later on.

Examples of supply chain cyber security attacks

Now, let’s take a look at some examples of supply chain cyber security attacks that we saw in the past.

The Superfish adware (2014)

Imagine you’ve ordered brand new laptops for your entire team. Everyone’s excited to toss their old machines and start fresh. But after several months, you discover these new laptops used by your employees have some dubious software pre-installed that put your organization’s security at risk.

From August 2014 through early 2015, Lenovo sold laptops bundled with the Superfish software, which was used to insert ads into Google search results. Superfish intercepted HTTP(S) traffic using a self-signed root certificate that was installed in the local certificate store, which created a security risk. For example, when someone visited https://www.bankofamerica.com/, they would find that the certificate was not signed by VeriSign as expected, but rather by Superfish.

Superfish intercepted HTTP(S) traffic using a self-signed root certificate which represented a supply chain cyber security risk

Image source: arstechnica.com, initially posted on Twitter by security researcher Chris Palmer

The same Superfish-signed certificate appeared when accessing other HTTPS websites; in fact, all TLS-protected websites were affected. This meant attackers could use the key to certify fake HTTPS websites masquerading as legitimate ones, and machines with the Superfish root certificate installed could not detect which websites were actually fraudulent.

Generally, adware that affects HTTPS connections may make users vulnerable to Man-in-the-Middle attacks.

The Target data breach (2014)

Back in 2014, the Target data breach took place because one of the company’s vendors was compromised. In short, here is what happened.

An employee of Fazio Mechanical, a refrigeration contractor, opened a phishing email, which allowed Citadel, a variant of the Zeus banking trojan, to be installed on the vendor’s endpoints. Later on, the attackers harvested login credentials from Fazio’s employees. At the time, the company did not have an anti-malware solution in place that offered real-time protection and could prevent this kind of threat, and as a result it became a victim.

Next, the attackers figured out which portal would be a good entry point for them to access Target’s internal network. Target never specifically mentioned which system was used, but security experts thought Ariba to be the main candidate. It was speculated that attackers abused a vulnerability in the web application (maybe an SQL injection, XSS, or a zero-day) to enter a system, escalate privileges and then take over the internal systems.

Afterward, the attackers gained control of Target’s servers. And again, it’s unclear how they managed to do that, but specialists indicated that servers might have been affected by an SQL-injection attack.

As the last step, cybercriminals took over Target’s POS systems. The malware that infected them is called Trojan.POSRAM. How does this type of malware work? In short, the “RAM-scraping” portion of the POS malware steals card information from the POS-devices’ memory when cards are swiped.

After the attack, Target aimed to improve its security posture and as they show on their website, they took several steps, such as enhancing their monitoring and logging, reviewing and limiting vendor access, reducing privileges for certain accounts, and training its employees to use more secure passwords.

Domino’s Pizza Australia data breach (2017)

The Domino’s Pizza Australia data breach also seems to have happened within the supply chain. The pizza delivery company was notified of the breach by its own customers, who discovered their data on online spam lists. According to the company, the incident took place because of a flaw in their online rating system provided by an online supplier (the company claimed that no one gained unauthorized access to their internal systems).

How to keep your organization safe from supply chain cyber security attacks

Supply chain organizations often fall victim to supply chain cyber security incidents since in most cases, they are simply unaware of potential threats and don’t have the proper protection measures in place. Attackers are well aware of this reality and spend a lot of their time and energy to find a vendor’s weak points so they can infiltrate and at a later time, get their hands on the bigger fish: your own organization.

So, here is how you can protect your business from potential supply chain cyber security risks.

#1. Always vet your vendors before starting any partnership

According to the Ponemon report, you do have the power to reduce the incidence of a breach by 20%. More precisely, all it takes is to evaluate the security and privacy policies of all your suppliers, and the likelihood of a data breach will decrease from 66% to 46%.

Easier said than done, right? To help you get started, below I’ve listed a few suggestions on how to assess your vendors before closing a partnership:

  • Ask them to do a security self-assessment (what security tools they are using, what privileged access management policy they have in place, are they keeping up with their patches and updates, etc.)
  • Perform audits on your provider and run your own penetration tests on them.
  • If needed, you may even advise your vendor to acquire cyber insurance.

In short, make sure your vendors are transparent and let you understand exactly how they secure their organization and that they are always open to suggestions and improvements.

#2. Continuously monitor data access

The first step when it comes to protecting your data is to know exactly who has access to what, from both your side and your vendors’. You should be able to tell at any point how interconnected you and your supplier actually are and what data and systems you share.

The Ponemon Institute survey pointed out that only 35% of companies created lists that contained all the third parties with whom they were sharing sensitive information. Try not to be one of them!

Remember the Target incident mentioned above, when the attackers stole the credentials from the vendor to gain access to Target’s customer data? Well, this scenario could happen anytime under the proper circumstances, so be certain you are prepared to deal with it.

#3. Train your team and know for sure your vendors educate their own employees too

I can’t stress enough the importance of cyber security training. All employees, no matter if they’re working for you or for your vendor, should be able to identify the signs of cyber-attacks and threats. So, cyber security awareness training is crucial and it certainly makes up a strong layer of defense for both your organization and your vendor. Every aspect related to security should be covered, such as common password mistakes, how to identify phishing and spear-phishing attempts, what is business email compromise (BEC) and vendor email compromise (VEC), how to identify types of malware, and what processes to follow if they are ever faced with any of these threats or notice anything suspicious going on inside the organization.

#4. Safeguard your organization using multiple layers of protection

Of course, securing your endpoints and networks is an essential step to prevent attacks. But other aspects, like having good patch management in place, properly managing admin rights in your organization, and securing email from different angles (preventing spam and more advanced email threats) are equally important. Thus, make sure you choose a suitable IT security partner to work with.

Our solutions are designed to offer you unique threat prevention and remediation, admin rights management, and email security. We can tailor our solutions to fit your exact needs, regardless of your company’s industry and size. Get in touch today at sales.inquires@heimdalsecurity.com to see how we can help you.

Conclusion

Organizations of all sizes, as well as their vendors and partners, can easily become victims of supply chain cybersecurity attacks if they don’t apply at least some basic protection measures. It’s crucial that all companies understand the risks that can live inside their supply chain and foster a culture of organization-vendor cross-collaboration to be able to prevent and minimize the risks.

The post Supply Chain Cyber Security: What Are the Risks? appeared first on Heimdal Security Blog.

Mitsubishi Electric Blames Anti-Virus Bug for Data Breach

Hackers Exploited AV Software Zero-Day Vulnerability Before Vendor Patched Flaw
Mitsubishi Electric says hackers exploited a zero-day vulnerability in its anti-virus software, prior to the vendor patching the flaw, and potentially stole trade secrets and employee data. The Japanese multinational firm announced the breach more than six months after detecting it in June 2019.

SIM Hijacking

SIM hijacking -- or SIM swapping -- is an attack where a fraudster contacts your cell phone provider and convinces them to switch your account to a phone that they control. Since your smartphone often serves as a security measure or backup verification system, this allows the fraudster to take over other accounts of yours. Sometimes this involves people inside the phone companies.

Phone companies have added security measures since this attack became popular and public, but a new study (news article) shows that the measures aren't helping:

We examined the authentication procedures used by five pre-paid wireless carriers when a customer attempted to change their SIM card. These procedures are an important line of defense against attackers who seek to hijack victims' phone numbers by posing as the victim and calling the carrier to request that service be transferred to a SIM card the attacker possesses. We found that all five carriers used insecure authentication challenges that could be easily subverted by attackers. We also found that attackers generally only needed to target the most vulnerable authentication challenges, because the rest could be bypassed.

It's a classic security vs. usability trade-off. The phone companies want to provide easy customer service for their legitimate customers, and that system is what's being exploited by the SIM hijackers. Companies could make the fraud harder, but it would necessarily also make it harder for legitimate customers to modify their accounts.

BitDam Study Exposes High Miss Rates of Leading Email Security Systems

Imagine receiving an email from US VP Mike Pence's official email account asking for help because he has been stranded in the Philippines. Actually, you don't have to. This actually happened. Pence's email was hacked when he was still the governor of Indiana, and his account was used to attempt to defraud several people. How did this happen? Is it similar to how the DNC server was hacked?

Health Quest Begins Notifying Patients Affected by Phishing Incident

Health Quest announced that it’s begun notifying patients whose information might have been exposed in a phishing incident. According to its website notice, Health Quest first learned of the incident in July 2018 when several employees fell for a phishing attack and thereby inadvertently disclosed their email account credentials to an unauthorized party. The Hudson […]… Read More

The post Health Quest Begins Notifying Patients Affected by Phishing Incident appeared first on The State of Security.

Mitsubishi Electric discloses data breach, possible data leak

Japanese multinational Mitsubishi Electric has admitted that it had suffered a data breach some six months ago, and that “personal information and corporate confidential information may have been leaked.” The company, though, claims that “sensitive information on social infrastructure such as defense, electric power, and railways, highly confidential technical information, and important information concerning business partners have not been leaked.”

What was compromised in the Mitsubishi Electric data breach?

Mitsubishi Electric is a manufacturer of … More

The post Mitsubishi Electric discloses data breach, possible data leak appeared first on Help Net Security.

Hong Kong Looks to GDPR as it Strengthens Privacy Laws


Hong Kong is set to follow the lead of European regulators in applying tougher penalties for data protection infractions, following a serious breach at airline Cathay Pacific in 2018.

Proposed amendments to the regional government’s Personal Data (Privacy) Ordinance, which cited the GDPR, would see fines levied as a percentage of global turnover, according to reports.

The privacy commissioner may even be given powers to levy fines immediately depending on the severity of an incident, without first needing to issue an enforcement notice.

The proposals would also mandate breach notifications to the commissioner within five days, a couple of days longer than GDPR rules but still an improvement on the current situation.

The breach of Hong Kong’s national carrier two years ago, which affected over nine million customers, shone a light on the inadequacies of the Special Administrative Region (SAR)’s existing data protection regime.

It took Cathay seven months to report the incident, although it was under no legal obligation to do so at all.

The privacy commissioner was powerless to levy fines: instead, the only option was an enforcement notice citing violation of privacy laws and ordering the firm to improve its cybersecurity posture. Failure to comply with the order leads to a fine of just HK$50,000 ($6433).

Rights groups have written to Hong Kong’s Legislative Council (LegCo), arguing that the proposals still don’t go far enough.

“The government’s current proposal is too narrow, and LegCo now has a critical opportunity to strengthen this outdated law and bring it closer to better models, such as Europe’s privacy laws,” said Sophie Richardson, China director at Human Rights Watch (HRW).

“Strong protections on how people’s personal data can be collected and used will help assuage fears that mass surveillance tactics used elsewhere could spread to Hong Kong.”

HRW also wants to see the definition of personal data under the ordinance broadened, and a distinction to be made between general personal data and sensitive data, with the latter subject to stricter conditions.

It also argued for stronger rights for data subjects over how their data is used: for example, mandating firms to obtain explicit consent before using personal data, and empowering individuals to have data erased if they choose.

Such elements are all key parts of the GDPR. Various parts of the EU regulation can also be found in the new California privacy law, CCPA.

UK Gov Database Leak Exposes 28 Million Children


The UK government is facing urgent questions after it was revealed that betting companies were given access to a Department for Education (DfE) database containing personal information on 28 million children.

Known as the Learning Record Service, the database stores information on students in England, Wales and Northern Ireland choosing to take post-14 qualifications like GCSEs.

However, according to a report in The Sunday Times, a data intelligence firm known as GB Group was able to sign an agreement with a third-party company to access the data. GB Group’s clients include gambling firms such as Betfair and 32Red, which apparently used the data for age and ID verification on their websites.

The third-party, Trust Systems Software (Trustopia), denies providing database access to GB Group. Both GB Group and the DfE are investigating the reports, with the latter having reportedly disabled access to the data trove and informed privacy watchdog the ICO.

“This was completely unacceptable and we have immediately stopped the firm’s access and ended our agreement with them. We will be taking the strongest possible action,” a spokesperson told the paper.

The children’s commissioner for England, Anne Longfield, reportedly said she was “very shocked to learn that data has been handed over in this way.”

Although the information used by the betting firms appears to have been limited, given it covers a huge number of children, the incident could well lead to a significant GDPR investigation by the ICO.

“This is not just a security breach, but a breach of trust, where there is an expectation of fair, lawful and transparent uses of the data by everyone who has access to it — which in this case has not happened,” argued KnowBe4 security awareness advocate, Javvad Malik.

“In all of this, the responsibility sits squarely with the Department for Education, which has collected vast amounts of children's data for nearly a decade with apparently little oversight.”

Zero-Day IE Bug is Being Exploited in the Wild


Both Microsoft and the US government are warning computer users of a critical remote code execution (RCE) vulnerability in Internet Explorer, which is currently being exploited in the wild.

The zero-day bug, CVE-2020-0674, exists in the way the scripting engine handles objects in memory in IE, according to a Microsoft advisory updated over the weekend.

Attackers could send phishing emails to victims, tricking them into visiting a specially crafted website designed to exploit the flaw through IE, Redmond claimed.

“The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user,” it continued.

“If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

The vulnerability affects IE versions 9, 10 and 11 running on all Windows desktop and server versions, including the no-longer supported Windows 7 and Server 2008.

Despite admitting that the flaw is being exploited in “limited targeted attacks,” Microsoft has yet to release an emergency patch. Instead, it detailed a set of temporary mitigations which revolve around restricting access to the JavaScript component JScript.dll.

Carl Wearn, head of e-crime at Mimecast, advised organizations to enforce the use of alternative browsers until the issue is fixed.

“In addition to the threat from this zero-day vulnerability, I would also be wary of using IE at present due to the current resurgence in the use of exploit kits specifically designed to exploit IE vulnerabilities,” he added.

“Ransomware threat actors in particular are currently utilizing exploit kits such as Fallout and Spelevo. While posing no threat to other browsers these exploit kits will likely compromise any Windows machine utilizing Internet Explorer if it visits a compromised website.”

IE versions still have a combined global market share of over 5%, according to the latest figures from December 2019.

NIST releases version 1.0 of the Privacy Framework

NIST has released version 1.0 of its Privacy Framework, a tool designed to help organizations manage privacy risks.

The National Institute of Standards and Technology (NIST) has published version 1.0 of its privacy framework. The Framework is a voluntary tool that organizations can use to manage risks in compliance with privacy legislation, including the European GDPR.

The NIST Privacy Framework is designed to help organizations manage privacy risks, with specific focuses on:

  • Building customers’ trust by supporting ethical decision-making in product and service design or deployment that optimizes beneficial uses of data while minimizing adverse consequences for individuals’ privacy and society as a whole;
  • Fulfilling current compliance obligations, as well as future-proofing products and services to meet these obligations in a changing technological and policy environment;
  • Facilitating communication about privacy practices with individuals, business partners, assessors, and regulators.

The framework provides building blocks that help organizations in achieving privacy goals.

The Framework is composed of three main parts, the Core, Profiles, and Implementation Tiers.

The Core enables communications within organizations about privacy protection activities and desired goals. Profiles allow organizations to prioritize the outcomes and activities according to privacy values, the business mission, and risks.

Implementation tiers help organizations to optimize the resources that are necessary to manage the risk.

Organizations, once they have analyzed the potential impact of privacy risks, may choose to prioritize their responses according to their strategy. The possible responses to a privacy risk include:

  • Mitigating the risk (e.g., organizations may be able to apply technical and/or policy measures to the systems, products, or services that minimize the risk to an acceptable degree);
  • Transferring or sharing the risk (e.g., contracts are a means of sharing or transferring risk to other organizations, privacy notices and consent mechanisms are a means of sharing risk with individuals);
  • Avoiding the risk (e.g., organizations may determine that the risks outweigh the benefits, and forego or terminate the data processing);
  • Accepting the risk (e.g., organizations may determine that problems for individuals are minimal or unlikely to occur, therefore the benefits outweigh the risks, and it is not necessary to invest resources in mitigation).

The framework should also help organizations keep up with technology advancements and new uses for data.

“A class of personal data that we consider to be of low value today may have a whole new use in a couple of years, or you might have two classes of data that are not sensitive on their own, but if you put them together they suddenly may become sensitive as a unit,” said Naomi Lefkovitz, NIST privacy policy adviser who led the development of the framework. “That’s why you need a framework for privacy risk management, not just a checklist of tasks: You need an approach that allows you to continually reevaluate and adjust to new risks.”

The Privacy Framework is considered complementary to the NIST Cybersecurity Framework. Using both together gives organizations a clearer understanding of the different origins of cybersecurity and privacy risks and helps them determine the most effective solutions to address those risks.

Additional details are included in the document titled “NIST PRIVACY FRAMEWORK: A TOOL FOR IMPROVING PRIVACY THROUGH ENTERPRISE RISK MANAGEMENT.”

Pierluigi Paganini

(SecurityAffairs – privacy, NIST)

The post NIST releases version 1.0 of the Privacy Framework appeared first on Security Affairs.