Daily Archives: May 14, 2020

Modern crypto standards pave the way to stronger security

Cyberthreats are a ubiquitous concern for organizations operating in the digital world. No company is immune — even large and high-profile organizations like Adobe, Yahoo, LinkedIn, Equifax and others have reported massive data breaches in recent years. Cyberattacks are only growing in frequency, affecting billions of people and threatening businesses. What’s being done to bolster information security as cyberattacks continue to happen? The National Institute of Standards and Technology (NIST), a non-regulatory agency of the … More

The post Modern crypto standards pave the way to stronger security appeared first on Help Net Security.

Windows 10 users get protection against PUAs

Windows 10 users who upgrade to v2004 will finally be able to switch on a longstanding Windows Defender feature that protects users against potentially unwanted applications (PUAs). What are PUAs? Also called PUPs (potentially unwanted programs), PUAs are applications that often cannot be outright classified as malware, but still violate users’ security and privacy interests. Some examples of PUAs: Adware and ad-injectors (software that pushes ads onto users without their permission) Software that tracks how … More

The post Windows 10 users get protection against PUAs appeared first on Help Net Security.

Plugins

Every plugin or add-on you install in your browser can expose you to more danger. Only install the plugins you need and make sure they are always current. If you no longer need a plugin, disable or remove it from your browser via your browser's plugin preferences.

New software enables existing sensors to detect ransomware

Engineers from SMU’s Darwin Deason Institute for Cybersecurity have developed software to detect ransomware attacks before attackers can inflict catastrophic damage. Ransomware is crippling cities and businesses all over the world, and the number of ransomware attacks has increased since the start of the coronavirus pandemic. Attackers are also threatening to publicly release sensitive data if the ransom isn’t paid. The FBI estimates that ransomware victims have paid hackers more than $140 million in the last … More

The post New software enables existing sensors to detect ransomware appeared first on Help Net Security.

COVID-19 online fraud trends: Industries, schemes and targets

The telecommunications, retail and financial services industries have been increasingly impacted by COVID-19 online fraud, according to TransUnion. From a consumer perspective, Millennials have been most targeted by fraudsters using COVID-19 scams. Overall, the percent of suspected fraudulent digital transactions rose 5% from March 11 to April 28 when compared to Jan. 1 to March 10, 2020. More than 100 million risky transactions from March 11 to April 28 have been identified. “Given the billions … More

The post COVID-19 online fraud trends: Industries, schemes and targets appeared first on Help Net Security.

Businesses vulnerable to emerging risks have a gap in their insurance coverage

The majority of business decision makers are insured against traditional cyber risks, such as breaches of personal information, but most were vulnerable to emerging risks, such as malware and ransomware, revealing a potential insurance coverage gap, according to the Hanover Insurance Group. The report surveyed business decision makers about cyber vulnerabilities and risk mitigation efforts.

Insurance purchasing decisions influenced by media coverage

Most businesses surveyed indicated they had purchased cyber insurance, and more than 70% … More

The post Businesses vulnerable to emerging risks have a gap in their insurance coverage appeared first on Help Net Security.

Educational organizations use cloud apps to share sensitive data outside of IT control

Many educational organizations are at risk of data security incidents during the current period of working from home and virtual learning, a Netwrix report reveals.

Weak data security controls

According to the survey, even before the COVID-19 pandemic, the majority of educational organizations had weak data security controls. In particular, 54% of IT professionals in the educational sector confessed that employees put data at risk by sharing it via cloud apps outside of IT knowledge. … More

The post Educational organizations use cloud apps to share sensitive data outside of IT control appeared first on Help Net Security.

Elastic launches new alerting framework to bring native alerting workflows to Elastic Stack users

Elastic, the company behind Elasticsearch and the Elastic Stack, announced the launch of a new alerting framework delivered across the Elastic Stack to provide first-class experiences with tailored interfaces that allow users to create powerful alerts in the normal flow of their daily tasks. The new alerting framework is delivered via Kibana across the Elastic Stack and available within the SIEM, Uptime, APM, and Metrics applications. From monitoring application transactions to tracking brute force login … More

The post Elastic launches new alerting framework to bring native alerting workflows to Elastic Stack users appeared first on Help Net Security.

SolarWinds’ new solution provides upgraded CMDB model and increased security for enterprises

SolarWinds, a leading provider of powerful and affordable IT management software, announced the launch of SolarWinds Service Desk Enterprise, a new solution to help enterprises manage IT complexity, scale IT support services, and increase security within the service desk. SolarWinds Service Desk Enterprise offers advanced ITSM capabilities that meet the heightened security expectations of modern enterprises and improve key service management processes for employees. Mature organizations require an enhanced level of dedicated support, the Enterprise … More

The post SolarWinds’ new solution provides upgraded CMDB model and increased security for enterprises appeared first on Help Net Security.

Sony releases two models of intelligent vision sensors with AI processing functionality

Sony announced the upcoming release of two models of intelligent vision sensors, the first image sensors in the world to be equipped with AI processing functionality. Including AI processing functionality on the image sensor itself enables high-speed edge AI processing and extraction of only the necessary data, which, when using cloud services, reduces data transmission latency, minimizes any privacy concerns, and reduces power consumption and communication costs. These products expand the opportunities to develop AI-equipped … More

The post Sony releases two models of intelligent vision sensors with AI processing functionality appeared first on Help Net Security.

Crooks stole $10 million from Norway’s state investment fund Norfund

Norway’s state investment fund Norfund has suffered a business email compromise (BEC) attack in which hackers stole $10 million.

Hackers stole $10 million from Norway’s state investment fund, Norfund, in a business email compromise (BEC) attack.

Norfund is a private equity company established by the Norwegian Storting (parliament) in 1997 and owned by the Norwegian Ministry of Foreign Affairs. The fund receives its investment capital from the state budget.

The fraudsters compromised the Norfund email system and monitored communications between the employees of the fund and their partners for months.

Once they had identified the employee responsible for money transfers, the attackers created an email address impersonating an individual authorized to transfer large sums of money on Norfund’s behalf through its bank.

In a classic BEC scheme, the attackers replaced the payment details sent to the partner, diverting the transfer to an account under their control at a bank in Mexico.

“Through an advanced data breach, the defrauders were able to access information concerning a loan of USD 10 million (approx. 100 million NOK) from Norfund to a microfinance institution in Cambodia,” reads a notice published by Norfund.

“The defrauders manipulated and falsified information exchange between Norfund and the borrowing institution over time in a way that was realistic in structure, content and use of language. Documents and payment details were falsified.”

Norfund was not able to block the fraudulent wire transfer because the attackers managed to delay its discovery.

The BEC attack took place on March 16, but it was discovered more than a month later, on April 30, when the fraudsters attempted a second fraud, which was detected and blocked.

To delay the discovery of the scam, the attackers sent an email to the Cambodian beneficiary informing it of a delay due to the current coronavirus lockdown in Norway.
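The three impersonation moves described above (a display name borrowed from a real employee on a foreign domain, a look-alike of the organisation’s own domain, and a change of payment instructions) are the signals a mail gateway or SOC triage script can check for on every inbound message. The script below is an added example written for this page, not code from Norfund or Security Affairs; the domain norfund.example, the staff directory, the homoglyph table and the three messages are all constructed for illustration.

```python
"""Triage checks for the BEC impersonation pattern described above.

Added example, not Norfund's or Security Affairs' code. ORG_DOMAIN,
KNOWN_STAFF and the three messages are constructed for illustration.
"""
import re
from dataclasses import dataclass
from email.utils import parseaddr

ORG_DOMAIN = "norfund.example"                                    # assumption: stand-in domain
KNOWN_STAFF = {"Kari Nordmann": "kari.nordmann@norfund.example"}  # constructed directory
# Character swaps attackers use in look-alike domains; folded before comparing.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))
PAYMENT_CHANGE = re.compile(
    r"\b(new|updated|changed?)\b.{0,40}\b(bank|account|iban|swift|payment)\b", re.I | re.S)


@dataclass
class Message:
    from_header: str
    reply_to: str = ""
    subject: str = ""
    body: str = ""


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(domain: str) -> str:
    """Lower-case and fold common homoglyphs so n0rfund and norfund compare equal."""
    d = domain.lower()
    for glyph, plain in HOMOGLYPHS:
        d = d.replace(glyph, plain)
    return d


def domain_of(address: str) -> str:
    return address.rpartition("@")[2].lower()


def is_lookalike(domain: str, real: str = ORG_DOMAIN, max_distance: int = 2) -> bool:
    """True for domains that are not ours but read like ours after folding."""
    return domain != real and levenshtein(normalise(domain), normalise(real)) <= max_distance


def assess(msg: Message) -> list[str]:
    """Return human-readable findings; an empty list means no BEC indicator fired."""
    findings = []
    name, addr = parseaddr(msg.from_header)
    sender_domain = domain_of(addr)
    expected = KNOWN_STAFF.get(name)
    if expected and addr.lower() != expected.lower():
        findings.append(f"display name '{name}' belongs to {expected} but mail came from {addr}")
    if is_lookalike(sender_domain):
        findings.append(f"sender domain {sender_domain} is a look-alike of {ORG_DOMAIN}")
    if msg.reply_to:
        _, reply_addr = parseaddr(msg.reply_to)
        if domain_of(reply_addr) != sender_domain:
            findings.append(f"Reply-To {reply_addr} diverts replies away from {sender_domain}")
    if PAYMENT_CHANGE.search(msg.subject + "\n" + msg.body):
        findings.append("message changes payment instructions; confirm by phone on a number already on file")
    return findings


# Constructed samples: a genuine internal mail, the spoof, and an unrelated partner.
LEGIT = Message('"Kari Nordmann" <kari.nordmann@norfund.example>', subject="Disbursement schedule Q2")
SPOOF = Message('"Kari Nordmann" <kari.nordmann@n0rfund.example>',
                reply_to="kari.nordmann@mail-relay.example",
                subject="Updated bank account for the USD 10M disbursement",
                body="Please use the new account details attached before Friday.")
PARTNER = Message('"Sok Chea" <sok.chea@mfi-cambodia.example>', subject="Signed loan agreement")

if __name__ == "__main__":
    for label, m in (("legit", LEGIT), ("spoof", SPOOF), ("partner", PARTNER)):
        print(label, assess(m) or "no indicators")
```

The first three checks are technical and cheap to run at the gateway. The fourth is only a prompt: the control that actually stops a diverted wire is confirming any change of beneficiary details out of band, on a phone number already on file rather than one supplied in the same email thread.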

“This is a grave incident. The fraud clearly shows that we, as an international investor and development organisation, through active use of digital channels are vulnerable. The fact that this has happened shows that our systems and routines are not good enough. We have taken immediate and serious action to correct this” said company CEO, Tellef Thorleifsson.

Pierluigi Paganini

(SecurityAffairs – BEC, hacking)

The post Crooks stole $10 million from Norway’s state investment fund Norfund appeared first on Security Affairs.

Nvidia GTC 2020: Ampere is here, meet the EGX A100 accelerator

During the Nvidia GPU Technology Conference today, Nvidia CEO Jensen Huang revealed the Nvidia EGX A100 converged accelerator powered by the company’s next-generation Ampere graphics processing unit (GPU) architecture.

Though the Ampere GPU architecture is still shrouded in mystery, it has been confirmed that it will be built using TSMC’s 7nm transistors. Ampere is considered to be a major architectural redesign from the current Volta architecture. 

Ampere’s first product, the A100, targets heavy compute workloads such as simulation, rendering, machine learning and cloud virtualization. The GPU on the A100 consists of 54 billion transistors and adds new features such as a security engine and third-generation Tensor Cores with the new TF32 floating-point precision format. The EGX A100 also integrates the Nvidia Mellanox ConnectX-6 Dx network adapter onboard.

Nvidia EGX Edge AI software stack

“By installing the EGX into a standard x86 server, you turn it into a hyper-converged, secure, cloud-native, AI powerhouse, it’s basically an entire cloud data centre in one box,” said Huang.

Complementing the EGX A100 is Nvidia’s EGX cloud-native AI platform with a focus on remote management and secure data processing.

The A100 is also designed with scalability in mind. With the multi-instance GPU (MIG) feature, a single A100 can be partitioned into up to seven independent GPU instances, each with its own dedicated resources. Alternatively, several A100s can be linked through Nvidia’s NVLink to act as a single GPU.

On its product page, Nvidia claims that the A100 can deliver up to six times higher performance for training and seven times higher performance for inference compared to Volta, Nvidia’s previous architecture.

The Nvidia EGX A100 is in full production and shipping to customers worldwide. Expected system integrators include Amazon Web Services (AWS), Cisco, Dell Technologies, Google Cloud, Microsoft Azure among others. More details on the Ampere architecture will be revealed on Tuesday, May 19, at Nvidia’s GTC virtual event.

Cisco Threat Response takes the leap with SecureX

Reimagine the grocery delivery experience

Even in typical times, grocery and household shopping is time consuming, especially if you need to visit multiple stores: a main supermarket for your basics, a specialty store to accommodate diet restrictions, and another for bulk items. In a fast-paced world, with time spent working, family caregiving, and other responsibilities, grocery shopping is a tedious but necessary chore…or is it? The evolution of acquiring groceries and household goods has been one to watch as grocery delivery services such as Instacart and Shipt have become increasingly relevant. These companies have each built a platform with a network of grocery providers to solve the problem: a simple and efficient way for customers to purchase groceries without having to leave their homes.

Now let’s take grocery shopping to the next level. What if you didn’t even need to proactively browse items and put them in your Instacart grocery order. Imagine if your “smart” refrigerator had sensors to detect inventory levels, and connected to Instacart, your recipes, and meal planning apps. Groceries could be ordered automatically or on-demand based on the menu you’ve planned and what you actually need. One platform with all of your apps integrated and automated to simplify not only your grocery shopping experience but your entire cooking experience. This and many other platform experiences have been developing over the last several years to bring two (or more) sides of a connection together with more efficiency and use cases.

What does grocery shopping have in common with cybersecurity?

The cybersecurity industry is ripe for this type of innovation. We all know that the industry has historically been quite fragmented – at last count, an estimated 3000+ vendors are in this space and customers use, on average, 75 security tools[1]. What does that mean for your security teams? Multiple tools share limited context between them with incomplete, labor-intensive workflows. Going back to the grocery experience, this is akin to visiting seven different stores in one day to tackle a shopping list for each store, and hoping you don’t miss an item. Also consider high lifecycle costs associated with maintaining interoperability, which is often limited. When you need to take into account an ever-evolving threat landscape and attack surface, this trend is not sustainable.

A platform journey two years in the making

Nearly two years ago, Cisco Threat Response debuted to combat this problem for Security Operations teams. As a valuable add-on application to several Cisco Security products — at no additional cost – Threat Response accelerated investigations and remediation by aggregating and correlating intelligence and data across your security products, both Cisco and third party. Threat Response has helped nearly 9,000 customers simplify their security operations. As Don Bryant, CISO for The University of North Carolina at Pembroke, says, “Having a holistic security platform has helped us simplify and accelerate our security operations. All of our tools seamlessly integrated through Threat Response gives us one view into our layered protection and valuable time back.”

Figure 1: Cisco Threat Response application for threat investigation and remediation

As background, Threat Response provides a visual, real-time answer to whether, and how, threats have impacted your environment, so you can take first-strike response actions in the same interface. Security operations teams use Threat Response to:

  • Aggregate global threat intelligence: Search, consume, and operationalize threat intelligence, both public and private sources, with one application.
  • Accelerate threat hunting and investigations: Visualize threats and incidents across multiple technologies in one view, then take response actions without leaving the console.
  • Simplify incident management: Coordinate security incident handling across technologies and teams by centralizing and correlating alerts and triaging those that are high priority.

Now we’re continuing our mission of simplifying security and building on Threat Response core capabilities with SecureX, a built-in platform experience included with Cisco Security products. SecureX will make life even easier for Security Operations, and will also benefit Network Operations and IT Operations. Let’s talk about this evolution.

Is SecureX just a cool new name for Threat Response?

Since we announced SecureX at RSA Conference in February, you might be wondering, what’s the difference between Threat Response and SecureX? Are they one and the same – and SecureX is just a sleek rebranding?

The short answer is no. If Threat Response is like the Instacart of today, SecureX is the reimagined seamless grocery shopping experience we’ve envisioned above. Whether it’s the grocery or cybersecurity industry, the goal is always simplification. SecureX builds upon Threat Response’s core concepts of integrating your security products – both Cisco and third-party tools – to simplify security operations. Leveraging the success of Threat Response with Security Operations teams, SecureX takes this foundation to the next level to drive collaboration between SecOps, NetOps, and ITOps. SecureX simplifies security through:

Unifying visibility across your entire security environment.

Enabling automation in workflows to maximize your operational efficiency by eliminating repetitive tasks and human error.

Adding more out-of-box interoperability to unlock new potential from your Cisco Security investments and cascade them across your existing security infrastructure.

Figure 2: SecureX connects your entire security infrastructure

Enhanced Threat Response capabilities, now part of SecureX

Now as a key component of SecureX, Threat Response is enhanced to unlock even more value from your investments. Here’s how:

  • You already know that Threat Response aggregates and correlates security context from multiple technologies into a single view, but now as SecureX threat response, users will have a customizable dashboard with ROI metrics and operational measures. And when you leave the dashboard, SecureX follows you to maintain contextual awareness and improve collaboration wherever you are in your Cisco Security infrastructure.
  • Users will now be able to cut down investigation time even further by automating threat hunting and investigation workflows. With the orchestration feature in SecureX, users can set up event-based triggers to periodically hunt for indicators of compromise, create or add to a casebook, and post a summary in a chat room for collaboration.
  • Threat Response had been rapidly growing its partner ecosystem, and SecureX not only expands the ecosystem instantly upon commercial availability but extends past it to include your core infrastructure. Together, our out-of-box interoperability with built-in and pre-packaged integrations from Cisco or select technology partners reduces the time spent integrating multiple technologies, or worse, working across multiple consoles. We’ll continue to support custom integrations via APIs, so any of the features of SecureX will work with your existing investments.

Similar to the reimagined grocery experience, SecureX brings greater efficiency and simplification in the midst of major market forces. The enhanced visibility, automation, and integrated platform capabilities of SecureX threat response further reduce dwell time and MTTR for SecOps by accelerating investigations. Without having to swivel between multiple consoles or do the heavy lifting of integrating disjointed technologies, you can speed time to value and reduce TCO. SecureX will enable better collaboration across SecOps, NetOps, and ITOps, and ultimately simplify your threat response.

To get warmed up for SecureX access next month, activate Cisco Threat Response today!

[1] Momentum Cyber Cybersecurity Almanac 2019

The post Cisco Threat Response takes the leap with SecureX appeared first on Cisco Blogs.

Surveys show conflicting support by Canadians for COVID-19 tracing app

Canadian governments are planning to approve COVID-19 mobile contact tracing apps to help health authorities track the spread of the infectious disease. However, two recent surveys offer conflicting numbers on whether residents here want the apps to be voluntary or mandatory.

The issue is crucial: Health experts say wide adoption of an app — perhaps as much as 50 per cent of the population — is needed for it to be useful.

In the most recent survey, released this morning by KPMG Canada, 55 per cent of respondents said digital contact tracing should be voluntary, citing privacy concerns and potential abuse of civil liberties. Two-thirds of respondents said they wouldn’t download such an app, calling it still “too invasive.”

Yet 57 per cent of respondents don’t believe such an app would be effective unless it is mandatory.

On the other hand, a survey commissioned by three Canadian Senators released last week found 65 per cent of respondents support the mandatory use of contact tracing apps.

However, in an interview one of those senators acknowledged the question on mandatory/voluntary adoption may not have been neutral. And Canadian privacy expert Ann Cavoukian said the Senate survey question “has no validity.” (See below for more detail)

Most privacy experts around the world say COVID contact tracing apps must be voluntary to get widespread adoption. That’s the position of federal and provincial privacy commissioners as part of a statement of principles they urge governments here to follow on tracing apps. Alberta, the first Canadian jurisdiction to release an app, has made its adoption voluntary. But some privacy experts worry that if adoption is low a government will be tempted to make it mandatory.

Despite Alberta jumping the gun, federal and provincial officials are looking at about a dozen proposed apps for approval.


A number of contact tracing apps are being developed around the world, some, like Alberta’s, based on one of the earliest, developed by Singapore. Broadly speaking, tracing apps use Bluetooth to capture encrypted ID signals from nearby mobile devices that also run an app, usually with a time limit. (For example, Alberta’s app won’t record another device’s ID unless the two are near each other for a total of 15 minutes over 24 hours.) Depending on the app, each mobile device holds a list of contacts for a set number of days.

Depending on the app, one of two things happens if a person tests positive for COVID-19: Either the list of encrypted digital IDs is uploaded by the user so a health authority can notify and trace those who have been in contact with the victim, or the app transmits an alert directly to the apps of those on the list for those users to see. Either way, recipients of warnings would be expected to take appropriate steps, such as notify their doctors, monitor their health or take a COVID-19 test.

KPMG Canada surveyed 2,000 Canadians online between May 7 and 12. 

Among the highlights:

  • 62 per cent of respondents are in favour of letting the government use location tracking to send phone alerts to people who have come into contact with a person infected by COVID-19;
  • 82 per cent would be more comfortable with an app run by the health system that shows aggregate community “hot spots” for COVID-19 so they can make their own decisions about their health;
  • 65 per cent say any contact-tracing program needs to be administered by an independent body from the provincial or federal government.

“It’s clear that Canadians understand that contact-tracing apps are effective if participation is high, but the design of such apps must limit threats to privacy as most people aren’t comfortable letting the government have free rein to track their phones,” Sylvia Kingsmill, partner and national digital privacy leader for KPMG, said in a statement. “To make this work, governments will need to be completely transparent on how data will be collected, stored, erased, and managed – it’s about trust.

“There should be clarity about the circumstances under which that data will be shared, now and in the future. To this end, policies should be implemented and enforced to prevent misuse and/or abuse of the data to provide assurances to the public that principles of accountability and data minimization are being respected.”

The Senate’s online survey of 1,530 respondents was commissioned by Senators Colin Deacon, Donna Dasko and Rosemary Moodie and conducted between May 2 and May 4.

Among the findings:

  • In the absence of a vaccine or treatment for COVID-19, 90 per cent of respondents believe that it will be necessary to continue contact tracing in general (that may or may not include an app).
  • 80 per cent of respondents support the use of mobile device data by public health officials to notify those who have been close to someone who has tested positive for COVID-19.
  • 87 per cent of respondents believe contact tracing apps should trigger testing of themselves and others.
  • If assured that their data was kept confidential, large numbers of Canadians would share information from contact tracing apps with their physician (96 per cent), their family (95 per cent), public health officials (91 per cent) and health researchers (87 per cent). Fewer would share with employers and co-workers (75 per cent), other government officials (73 per cent), law enforcement (68 per cent), and social media platforms (35 per cent).
  • 65 per cent of respondents support the mandatory use of contact tracing apps.

[UPDATE, May 14, 3:30 pm EST]: In an interview this afternoon, Senator Colin Deacon acknowledged the question on mandatory/voluntary use of an app may not have been fair. The question was: “In some countries the installation of this app is mandatory. How supportive would you be for this to be the case in Canada.” Twenty-three per cent were very supportive and 42 per cent were somewhat supportive.

Asked if he thought that was a loaded question, Deacon said “potentially it is … I don’t know that it does. It asks, ‘What are your thoughts.'”

When it was suggested a neutral question would be ‘Should adoption be mandatory or voluntary,’ Deacon said, “That’s a fair point.”

Some experts object to the use of a mobile contact tracing app on privacy grounds, saying any system that collects personal data puts a user at risk. However, Deacon said the use of a contact tracing app has to be looked at as an aid to COVID-19 infection control. He said any approved app must protect privacy first. But, he added, many critics use smartphones and social media and manage access to their data. “As long as the [contact] data doesn’t leave your phone” except to notify people they should get tested, “I don’t see how that is any more invasive” than people who test positive for the virus having to tell health authorities who they have recently been in close contact with, he said.

“Alongside this strong support for the use of contact tracing apps, we do find concerns about personal privacy and the security of personal data,” said a report that analyzed the Senate survey findings. “Accordingly, any roll-out of an app(s) will require robust privacy protection to be in place in a manner that earns the support of potential users of the app.”

A contact tracing app could help health authorities who do manual contact tracing, he said. It’s “unsustainable” to have large numbers of Canadians at home and not working because of the virus.

Former Ontario privacy commissioner Ann Cavoukian denounced the Senate survey’s mandatory adoption question. “It’s crazy,” she said in an interview. “It’s so skewed. To me this [question and result] has no validity … It creates the myth that the app is going to be mandatory.”

To her, the response to the KPMG Canada survey question is more credible.

Asked how an app should be introduced in Canada, Cavoukian urged governments to follow the Apple/Google framework, which doesn’t send the mobile IDs gathered by an app to health authorities for decryption and follow-up with individuals. Instead, when a user tests positive for COVID-19 they instruct the app to send a warning directly to those with a similar app whose devices have recorded the user’s mobile IDs. That’s why Apple and Google have recently changed the description of their framework from a contact tracing app to “exposure notification,” she said.
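To make the distinction Cavoukian draws concrete, here is an added example (not Apple’s, Google’s or any province’s code) of the decentralised model: each phone broadcasts identifiers derived from a daily key it keeps to itself, a user who tests positive publishes only those daily keys, and every other phone re-derives the identifiers locally and counts how many of them it heard. The key derivation (HMAC-SHA256 truncated to 16 bytes), the 10-minute interval and the 15-minute threshold are assumptions for illustration; the real framework uses HKDF and AES-128 and its own thresholds, and the scenario with Alice, Bob and Carol is constructed.

```python
"""Decentralised exposure notification, simplified.

Added example, not the Apple/Google framework or any province's app. The
derivation below (HMAC-SHA256 truncated to 16 bytes) stands in for the
framework's HKDF/AES-128 construction and is an assumption for illustration.
"""
import hashlib
import hmac
import secrets
from collections import defaultdict

INTERVAL_MINUTES = 10                        # a fresh identifier every 10 minutes (assumed)
INTERVALS_PER_DAY = 24 * 60 // INTERVAL_MINUTES


def rolling_identifier(daily_key: bytes, interval: int) -> bytes:
    """Beacon broadcast during one interval; unlinkable without the daily key."""
    msg = b"EN-RPI" + interval.to_bytes(4, "little")
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:16]


class Phone:
    def __init__(self, owner: str):
        self.owner = owner
        self.daily_keys: dict[int, bytes] = {}          # day -> random key, kept on device
        self.observed: set[tuple[int, bytes]] = set()   # (day, identifier) heard over Bluetooth

    def beacon(self, day: int, interval: int) -> bytes:
        key = self.daily_keys.setdefault(day, secrets.token_bytes(16))
        return rolling_identifier(key, interval)

    def hear(self, day: int, identifier: bytes) -> None:
        self.observed.add((day, identifier))            # no name, number or location stored

    def diagnosis_keys(self, days) -> list[tuple[int, bytes]]:
        """The only thing a positive user uploads: daily keys for the infectious window."""
        return [(d, self.daily_keys[d]) for d in days if d in self.daily_keys]

    def exposure_minutes(self, published: list[tuple[int, bytes]]) -> dict[int, int]:
        """Match published keys against local observations; nothing leaves the phone."""
        minutes: dict[int, int] = defaultdict(int)
        for day, key in published:
            for i in range(INTERVALS_PER_DAY):
                if (day, rolling_identifier(key, i)) in self.observed:
                    minutes[day] += INTERVAL_MINUTES
        return dict(minutes)


def simulate(threshold_minutes: int = 15) -> dict:
    """Constructed scenario: Alice and Bob share 20 minutes, Carol passes Alice once."""
    alice, bob, carol = Phone("alice"), Phone("bob"), Phone("carol")
    day = 18396                                   # 2020-05-14 as days since 1970-01-01
    for interval in (30, 31):                     # two consecutive 10-minute intervals
        bob.hear(day, alice.beacon(day, interval))
        alice.hear(day, bob.beacon(day, interval))
    carol.hear(day, alice.beacon(day, 45))
    server_keys = alice.diagnosis_keys([day])     # Alice tests positive and uploads
    bob_min = bob.exposure_minutes(server_keys).get(day, 0)
    carol_min = carol.exposure_minutes(server_keys).get(day, 0)
    return {
        "server_holds": [(d, len(k)) for d, k in server_keys],  # keys only, no contact graph
        "bob_minutes": bob_min, "bob_notified": bob_min >= threshold_minutes,
        "carol_minutes": carol_min, "carol_notified": carol_min >= threshold_minutes,
        "alice_beacons_distinct": alice.beacon(day, 30) != alice.beacon(day, 31),
    }


if __name__ == "__main__":
    print(simulate())
```

The point of the structure is what the server never sees: it receives Alice’s daily keys and nothing else, so it cannot reconstruct who met whom, and the observed identifiers on Bob’s and Carol’s phones are unlinkable until a matching key is published. Cumulative minutes per day, rather than a single sighting, is what lets a 15-minute rule like Alberta’s be applied without uploading any contact list.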

(This story has been updated from the original by adding comments by Senator Colin Deacon and Ann Cavoukian)

Open-sourcing new COVID-19 threat intelligence

A global threat requires a global response. While the world faces the common threat of COVID-19, defenders are working overtime to protect users all over the globe from cybercriminals using COVID-19 as a lure to mount attacks. As a security intelligence community, we are stronger when we share information that offers a more complete view of attackers’ shifting techniques. This more complete view enables us all to be more proactive in protecting, detecting, and defending against attacks.

At Microsoft, our security products provide built-in protections against these and other threats, and we’ve published detailed guidance to help organizations combat current threats (Responding to COVID-19 together). Our threat experts are sharing examples of malicious lures and we have enabled guided hunting of COVID-themed threats using Azure Sentinel Notebooks. Microsoft processes trillions of signals each day across identities, endpoint, cloud, applications, and email, which provides visibility into a broad range of COVID-19-themed attacks, allowing us to detect, protect, and respond to them across our entire security stack. Today, we take our COVID-19 threat intelligence sharing a step further by making some of our own indicators available publicly for those that are not already protected by our solutions. Microsoft Threat Protection (MTP) customers are already protected against the threats identified by these indicators across endpoints with Microsoft Defender Advanced Threat Protection (ATP) and email with Office 365 ATP.

In addition, we are publishing these indicators for those not protected by Microsoft Threat Protection to raise awareness of attackers’ shift in techniques, how to spot them, and how to enable your own custom hunting. These indicators are now available in the Azure Sentinel GitHub and through the Microsoft Graph Security API. For enterprise customers who use MISP for storing and sharing threat intelligence, these indicators can also be consumed via a MISP feed.

This threat intelligence is provided for use by the wider security community, as well as customers who would like to perform additional hunting, as we all defend against malicious actors seeking to exploit the COVID crisis.

This COVID-specific threat intelligence feed represents a start at sharing some of Microsoft’s COVID-related IOCs. We will continue to explore ways to improve the data over the duration of the crisis. While some threats and actors are still best defended more discreetly, we are committed to greater transparency and to taking community feedback on which types of information are most useful to defenders in protecting against COVID-related threats. This is a time-limited feed. We are maintaining this feed through the peak of the outbreak to help organizations focus on recovery.

Protection in Azure Sentinel and Microsoft Threat Protection

Today’s release includes file hash indicators related to email-based attachments identified as malicious and attempting to trick users with COVID-19 or Coronavirus-themed lures. The guidance below provides instructions on how to access and integrate this feed in your own environment.

For Azure Sentinel customers, these indicators can either be imported directly into Azure Sentinel using a Playbook or accessed directly from queries.

The Azure Sentinel Playbook that Microsoft has authored will continuously monitor and import these indicators directly into your Azure Sentinel ThreatIntelligenceIndicator table. This Playbook will match them with your event data and generate security incidents when the built-in threat intelligence analytic templates detect activity associated with these indicators.

These indicators can also be accessed directly from Azure Sentinel queries as follows:

let covidIndicators = (externaldata(TimeGenerated:datetime, FileHashValue:string, FileHashType: string )
[@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.Covid19.Indicators.csv"]
with (format="csv"));
covidIndicators

Azure Sentinel logs.

A sample detection query is also provided in the Azure Sentinel GitHub. With the table definition above, it is as simple as:

  1. Join the indicators against the logs ingested into Azure Sentinel as follows:
covidIndicators
| join ( CommonSecurityLog | where TimeGenerated >= ago(7d)
| where isnotempty(FileHashValue)
) on $left.FileHashValue == $right.FileHash
  2. Then, select “New alert rule” to configure Azure Sentinel to raise incidents based on this query returning results.

CyberSecurityDemo in Azure Sentinel logs.

You should begin to see Alerts in Azure Sentinel for any detections related to these COVID threat indicators.

Microsoft Threat Protection provides protection for the threats associated with these indicators. Attacks with these Covid-19-themed indicators are blocked by Office 365 ATP and Microsoft Defender ATP.

While MTP customers are already protected, they can also make use of these indicators for additional hunting scenarios using the MTP Advanced Hunting capabilities.

Here is a hunting query to see if any process created a file matching a hash on the list.

let covidIndicators = (externaldata(TimeGenerated:datetime, FileHashValue:string, FileHashType: string )
[@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.Covid19.Indicators.csv"]
with (format="csv"))
| where FileHashType == 'sha256' and TimeGenerated > ago(1d);
covidIndicators
| join (DeviceFileEvents
| where Timestamp > ago(1d)
| where ActionType == 'FileCreated'
| take 100) on $left.FileHashValue  == $right.SHA256

Advanced hunting in Microsoft Defender Security Center.
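Both hunting queries above (the Azure Sentinel join against CommonSecurityLog and the MTP join against DeviceFileEvents) reduce to the same logic: filter the feed to recent sha256 indicators, then match them against the hash column of recent file events. The Python below is an added example, not code from Microsoft's post; it implements that logic offline over a constructed CSV laid out in the columns the externaldata() call declares and over constructed DeviceFileEvents-style records (the header row, timestamps, hash values and device names are all assumptions).

```python
"""Hash-match hunting over the COVID-19 indicator feed layout (added example)."""
import csv
import hashlib
import io
from datetime import datetime, timedelta

# Fixed "now" so the one-day lookback is reproducible (stands in for KQL's ago(1d)).
NOW = datetime(2020, 5, 14, 12, 0, 0)


def _placeholder_sha256(label: str) -> str:
    """Digest of a label string: a syntactically valid hash that is not a real indicator."""
    return hashlib.sha256(label.encode()).hexdigest()


# Constructed feed text in the columns the page's externaldata() call declares
# (TimeGenerated, FileHashValue, FileHashType). The header row, timestamps and
# hash values are assumptions made for this example, not feed content.
INDICATOR_CSV = (
    "TimeGenerated,FileHashValue,FileHashType\n"
    f"2020-05-13T18:00:00Z,{_placeholder_sha256('lure-1')},sha256\n"
    f"2020-05-14T02:30:00Z,{_placeholder_sha256('lure-2')},sha256\n"
    f"2020-05-14T03:00:00Z,{_placeholder_sha256('lure-3')[:32]},md5\n"  # wrong hash type
    f"2020-05-01T09:00:00Z,{_placeholder_sha256('lure-4')},sha256\n"     # outside the lookback
)

# Constructed records shaped like DeviceFileEvents rows.
FILE_EVENTS = [
    {"Timestamp": "2020-05-14T08:15:22Z", "ActionType": "FileCreated",
     "DeviceName": "ws-finance-07", "FileName": "CURE FOR CORONAVIRUS_pdf.gz",
     "InitiatingProcessFileName": "outlook.exe",
     "SHA256": _placeholder_sha256("lure-1")},
    {"Timestamp": "2020-05-14T08:16:01Z", "ActionType": "FileModified",  # not a create
     "DeviceName": "ws-finance-07", "FileName": "notes.docx",
     "InitiatingProcessFileName": "winword.exe",
     "SHA256": _placeholder_sha256("lure-2")},
    {"Timestamp": "2020-05-14T09:00:00Z", "ActionType": "FileCreated",
     "DeviceName": "ws-hr-02", "FileName": "report.xlsx",
     "InitiatingProcessFileName": "excel.exe",
     "SHA256": _placeholder_sha256("benign")},
]


def parse_time(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def load_indicators(csv_text, now=NOW, lookback=timedelta(days=1), hash_type="sha256"):
    """Equivalent of: where FileHashType == 'sha256' and TimeGenerated > ago(1d)."""
    cutoff = now - lookback
    wanted = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["FileHashType"].strip().lower() != hash_type:
            continue
        if parse_time(row["TimeGenerated"].strip()) <= cutoff:
            continue
        wanted.add(row["FileHashValue"].strip().lower())
    return wanted


def hunt_file_creates(indicators, events, now=NOW, lookback=timedelta(days=1)):
    """Equivalent of the join on DeviceFileEvents: FileCreated in the last day, SHA256 in the feed."""
    cutoff = now - lookback
    hits = []
    for ev in events:
        if ev["ActionType"] != "FileCreated":
            continue
        if parse_time(ev["Timestamp"]) <= cutoff:
            continue
        if ev["SHA256"].lower() in indicators:
            hits.append({k: ev[k] for k in ("Timestamp", "DeviceName", "FileName",
                                             "InitiatingProcessFileName", "SHA256")})
    return hits


if __name__ == "__main__":
    feed = load_indicators(INDICATOR_CSV)
    print(f"{len(feed)} sha256 indicators within the lookback")
    for hit in hunt_file_creates(feed, FILE_EVENTS):
        print("MATCH", hit["Timestamp"], hit["DeviceName"], hit["FileName"],
              "written by", hit["InitiatingProcessFileName"])
```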

This is an Advanced Hunting query in MTP that searches for any recipient of an attachment on the indicator list and sees if any recent anomalous log-ons happened on their machine. While COVID threats are blocked by MTP, users targeted by these threats may be at risk for non-COVID related attacks and MTP is able to join data across device and email to investigate them.

let covidIndicators = (externaldata(TimeGenerated:datetime, FileHashValue:string, FileHashType: string )
[@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.Covid19.Indicators.csv"]
with (format="csv"))
| where FileHashType == 'sha256' and TimeGenerated > ago(1d);
covidIndicators
| join ( EmailAttachmentInfo
| where Timestamp > ago(1d)
| project NetworkMessageId , SHA256
) on $left.FileHashValue  == $right.SHA256
| join (
EmailEvents
| where Timestamp > ago (1d)
) on NetworkMessageId
| project TimeEmail = Timestamp, Subject, SenderFromAddress, AccountName = tostring(split(RecipientEmailAddress, "@")[0])
| join (
DeviceLogonEvents
| project LogonTime = Timestamp, AccountName, DeviceName
) on AccountName
| where (LogonTime - TimeEmail) between (0min.. 90min)
| take 10

Advanced hunting in Microsoft 365 security.

Connecting a MISP instance to Azure Sentinel

The indicators published on the Azure Sentinel GitHub page can be consumed directly via MISP’s feed functionality. We have published details on doing this at this URL: https://aka.ms/msft-covid19-misp. Please refer to the Azure Sentinel documentation on connecting data from threat intelligence providers.

Using the indicators if you are not an Azure Sentinel or MTP customer

Yes, the Azure Sentinel GitHub is public: https://aka.ms/msft-covid19-Indicators

Examples of phishing campaigns in this threat intelligence

The following is a small sample set of the types of COVID-themed phishing lures using email attachments that will be represented in this feed. Beneath each screenshot are the relevant hashes and metadata.

Figure 1: Spoofing WHO branding with “cure” and “vaccine” messaging with a malicious .gz file.

Name: CURE FOR CORONAVIRUS_pdf.gz

World Health Organization phishing email.

Figure 2: Spoofing Red Cross Safety Tips with malicious .docm file.

Name: COVID-19 SAFETY TIPS.docm

Red Cross phishing email.

Figure 3: South African banking lure promoting COVID-19 financial relief with malicious .html files.

Name: SBSA-COVID-19-Financial Relief.html

Financial relief phishing email.

Figure 4: French language spoofed correspondence from the WHO with malicious XLS Macro file.

Name: -✉-Covid-19 Relief Plan5558-23636sd.htm

Coronavirus-themed phishing email.

If you have questions or feedback on this COVID-19 feed, please email msft-covid19-ti@microsoft.com.

The post Open-sourcing new COVID-19 threat intelligence appeared first on Microsoft Security.

Ohio Votes to Outlaw Attempted Hacks

The Ohio House of Representatives has voted through new legislation that will criminalize all malicious hacking attempts, whether they succeed or not. 

Backers of House Bill 368 say changes are necessary as currently only malicious computer hacks that succeed are punishable under Ohio law.  

House Bill 368 was passed yesterday with a vote of 93–1, with the lone "nay" cast by state Representative Tavia Galonski. 

If approved by the Senate, the new law will prohibit a person from gaining access to, attempting to gain access to, or causing access to be gained to a computer, computer system, or computer network when certain conditions apply. 

Ethical hackers, such as those hired to test a company's cybersecurity, would not be punishable under the new law, even if they were to accidentally access data that they were not supposed to.

The legislation also proposes making penalties for offenders convicted of computer trespass harsher if they are found to have acted recklessly or if they have deliberately targeted elderly or disabled users. 

Under the new bill, victims of cybercrime would be permitted to file a civil lawsuit pursuing compensation from offenders convicted of cyber-offenses. 

Currently, Ohio only has two categories of offense covering computer crimes: criminal mischief and unauthorized use of a computer. The new legislation would update and expand these offenses with several new felony-level offenses.

Electronic data tampering and electronic data manipulation, electronic data theft, unauthorized data disclosure, electronic computer service interference, and computer trespass are among the new felony-level offenses. 

The bill was sponsored by state Representative Brian Baldridge. Speaking in support of the bill on the House floor yesterday, state Representative David Leland said: “It really corrects some glaring holes in our criminal statute related to cybersecurity."

Leland added that the newly proposed offenses would penalize crimes such as a recent attempt by an unknown malicious hacker to partially take down Ohio’s unemployment benefits website. 

The website is used by employers to report workers who have quit or refused to work during the COVID-19 pandemic, putting them at risk of losing their unemployment benefits.

$70k for Zoom classes? Virus crisis leaves U.S. students miffed – France24

While students around the world are learning and working from home, schools and universities are getting creative with online options to ensure the health and safety of students. However, as the coronavirus crisis settles in, students — many of whom take out huge loans to finance their degrees — are wondering how to justify spending $70,000…

Critical Flaws Found in Cyberoam Security Devices

Critical flaws have been discovered in a cybersecurity company's next-generation firewall and VPN technology.

Researchers at vpnMentor detected two vulnerabilities in cybersecurity devices developed by Cyberoam Technologies. Founded in 1999, Ahmedabad-based company Cyberoam was bought by British security software and hardware company Sophos Group plc in 2014.

Cyberoam employs 550 people globally and serves 65,000 users in over 120 countries, offering security solutions to “global corporations in the manufacturing, healthcare, finance, retail, IT sectors, and more, in addition to educational institutions, public sector and large government organizations.”

The first vulnerability was found in the FirewallOS of Cyberoam SSL VPNs in the last quarter of 2019, while the second was shared with vpnMentor by an anonymous ethical hacker at the beginning of 2020 and verified at vpnMentor's Research Lab.

"After confirming their findings, our team discovered a third flaw, which had also gone unnoticed," wrote researchers.

"These vulnerabilities, both independently and when put together, could have been potentially exploited by sending a malicious request, which would enable an unauthenticated, remote attacker to execute arbitrary commands."

Cyberoam software works by forming a gateway that blocks unauthorized access to a network. Researchers revealed that the main flaw in Cyberoam’s security involved two separate weaknesses in how an email is "released from quarantine" on a Cyberoam device.

"Both unrelated issues could have been used to give hackers access to Cyberoam’s devices, and, as an end result, make it easier to exploit any device which their firewalls were guarding," wrote researchers. 

Hotfixes have been published by Sophos to resolve the vulnerabilities, which are not the first flaws to be discovered in Cyberoam's security products. 

"For many years, people have been identifying significant weaknesses in their software products and devices," wrote researchers, before citing three specific weaknesses.

The first of these dates back to July 2012, when it was revealed that Cyberoam was using the same SSL certificate across many of its devices, making it possible for hackers to access any affected device on the company's network and intercept its data traffic.

In 2018, massive portions of Cyberoam databases were discovered for sale on the dark web after being swiped by a hacker, according to Indian media reports.

Identity Breaches at 79% of Organizations

New research published today by the Identity Defined Security Alliance (IDSA) has revealed that 79% of organizations have experienced an identity-related security breach in the last two years.

The worrisome finding emerged from a study titled “Identity Security: A Work in Progress,” which is based on an online survey of 502 IT security and identity decision makers conducted in April. The study was carried out to identify trends in identity-related security and to deduce how forward-thinking companies are trying to reduce the risk of a breach.

Researchers found that identity-related breaches are as common as mud, with 94% of organizations experiencing this particular calamity at some point and 79% saying that a breach had occurred within the past two years. 

Of those surveyed, 99% believe that the breach they experienced was preventable, but fewer than half have fully implemented key identity-related security outcomes.

Asked for their views on how identity-related breaches typically occur, 66% of respondents identified phishing as the most common cause. The results suggested that cybersecurity training could reduce the risk of a breach.

"Phishing presents a significant challenge for security leaders—of companies breached, 71% surveyed said the attack could have been prevented through better security awareness training," wrote researchers.  

The study revealed a link between an organization's attitude to cybersecurity and how recently it had experienced a breach. Only 34% of companies with a "forward-thinking" security culture have had an identity-related breach in the past year compared with 59% of companies that foster a "reactive" security culture.

Another key difference between reactive and proactive companies was the impact of a breach. Forward-thinking companies experienced similar phishing-related breaches, but fewer stolen credentials (34% vs 42%), compromised privileged credentials (27% vs 32%), inadequately managed privileges (35% vs 40%), and socially engineered passwords (32% vs 41%).

Researchers concluded that organizations could do more to prevent future breaches. They said: "There is no doubt that with explosive growth in identities in the last five years and what is still to come, organizations are shifting strategies to protect their most vulnerable attack vector with some success. But there is more work to be done."

Zerodium will no longer acquire certain types of iOS exploits due to surplus

The popular zero-day broker Zerodium has announced new limitations on the submission of certain types of iOS exploits due to a surplus.

The exploit broker Zerodium announced that it is no longer accepting certain types of iOS exploits due to a surplus, which implies that prices for them will drop in the near future.

The company announced via Twitter that it would no longer accept submissions for iOS local privilege escalation, Safari remote code execution, and sandbox escape exploits, at least for the next months.

Zerodium said it took this decision because of the high number of submissions, a detail that gives an idea of how prolific the hacking community is.

Company experts believe that prices for iOS one-click chains (e.g. via Safari) without persistence will likely drop in the coming months.

Zerodium CEO Chaouki Bekrar criticized the current level of iOS security, which in his view is evidently going to zero.

“Let’s hope iOS 14 will be better,” said Chaouki Bekrar.

The company's decision is consistent with the announcement made in September 2019, when Zerodium updated its price list for both Android and iOS exploits and Android prices surpassed iOS prices for the first time.

According to that updated price list, the price for Android exploits is higher than for iOS exploits for the first time.

Currently a zero-click exploit chain for Android is rewarded with up to $2.5 million, while an exploit chain for iOS earns only $2 million.

Apple, the tech giant behind iOS, is running a public bug bounty program through which it is prepared to pay out up to $1 million for exploits that achieve persistence, bypass PAC and require no user interaction.

Pierluigi Paganini

(SecurityAffairs – zero-day vulnerability, hacking)

The post Zerodium will no longer acquire certain types of iOS exploits due to surplus appeared first on Security Affairs.

DWF Appoints Mark Hendry as Director of Data Protection and Cybersecurity

DWF has appointed Mark Hendry as its director of data protection and cybersecurity, joining from Deloitte where he was responsible for data protection and cybersecurity risk and remediation projects for clients.

At DWF, Hendry will work alongside the global head of data protection and cybersecurity, Stewart Room, and the wider leadership team, to develop and grow the global legal business’ cybersecurity consultancy services. He will help clients from different sectors to address their cybersecurity issues and requirements, particularly in the areas of multi-disciplinary incident response services, strategic improvement and risk remediation.

Hendry’s appointment follows a lengthy career in data protection and cybersecurity. Prior to his role at Deloitte, he worked at PwC for nine years where he held a variety of positions, including group leader for the 100+ headcount London cybersecurity and business resilience business, technology audit lead for the FTSE100 practice and leadership team member of the multi-disciplinary data protection group.

Before then, he worked for Research Machines Plc and British Telecom in client facing technical project and program management roles.

Commenting on the appointment, Room stated: “We are delighted to be welcoming Mark to DWF. He is an extremely experienced data protection and cybersecurity professional who provides DWF with an added edge in the market. Mark will be critical in advising clients across a range of sectors to address their cybersecurity issues, with a focus on incident response services, strategic improvement and risk remediation."

Hendry is the latest high profile appointment for DWF already this year, following the recruitment of James Drury-Smith as its new UK national leader of privacy and cyber security last month and Room as partner and global head of data protection and cybersecurity in February.

Hendry commented: “I am delighted to have joined DWF which is a business in prime position to serve our clients and grow with them. The combination of DWF's legal expertise and associated legal and non-legal services globally provides an incredibly powerful and united platform from which to serve our clients and markets.” 

Using Real-Time Events in Investigations

To understand what a threat actor did on a Windows system, analysts often turn to the tried and true sources of historical endpoint artifacts such as the Master File Table (MFT), registry hives, and Application Compatibility Cache (AppCompat). However, these evidence sources were not designed with detection or incident response in mind; crucial details may be omitted or cleared through anti-forensic methods. By looking at historical evidence alone, an analyst may not see the full story.

Real-time events can be thought of as forensic artifacts specifically designed for detection and incident response, implemented through Enterprise Detection and Response (EDR) solutions or enhanced logging implementations like Sysmon. During active-attacker endpoint investigations, FireEye Mandiant has found real-time events to be useful in filling in the gaps of what an attacker did. These events record different types of system activities such as process execution, file write activity, network connections, and more.

During incident response engagements, Mandiant uses FireEye Endpoint Security to track endpoint system events in real time. This feature allows investigators to track an attacker on any system by alerting on and reviewing these real-time events. An analyst can use our solution’s built-in Audit Viewer or Redline to review real-time events.

Let’s look at some examples of Windows real-time events available on our solution and how they can be leveraged during an investigation. Let’s assume the account TEST-DOMAIN\BackupAdmin was an inactive Administrator account compromised by an attacker. Please note the examples provided in this post are based on real-time events observed during engagements but have been recreated or altered to preserve client confidentiality.

Process Execution Events

There are many historical process execution artifacts including AppCompat, AmCache, WMI CCM_RecentlyUsedApps, and more. A single artifact rarely covers all the useful details relating to a process's execution, but real-time process execution events change that. Our solution’s real-time process execution events record execution time, full process path, process identification number (PID), parent process path, parent PID, user, command line arguments, and even the process MD5 hash.

Table 1 provides an example of a real-time process execution event recorded by our solution.

Field | Example
Timestamp (UTC) | 2020-03-10 16:40:58.235
Sequence Number | 2879512
PID | 9392
Process Path | C:\Windows\Temp\legitservice.exe
Username | TEST-DOMAIN\BackupAdmin
Parent PID | 9103
Parent Process Path | C:\Windows\System32\cmd.exe
EventType | Start
ProcessCmdLine | "C:\Windows\Temp\legitservice.exe"  -b -m
Process MD5 Hash | a823bc31395539816e8e4664e884550f

Table 1: Example real-time process execution event

Based on this real-time process execution event, the process C:\Windows\System32\cmd.exe with PID 9103 executed the file C:\Windows\Temp\legitservice.exe with PID 9392 and the MD5 hash a823bc31395539816e8e4664e884550f. This new process used the command line arguments -b -m under the user context of TEST-DOMAIN\BackupAdmin.

We can compare this real-time event with what an analyst might see in other process execution artifacts. Table 2 provides an example AppCompat entry for the same executed process. Note the recorded timestamp is for the last modified time of the file, not the process start time.

Field | Example
File Last Modified (UTC) | 2020-03-07 23:48:09
File Path | C:\Windows\Temp\legitservice.exe
Executed Flag | TRUE

Table 2: Example AppCompat entry

Table 3 provides an example AmCache entry. Note the last modified time of the registry key can usually be used to determine the process start time and this artifact includes the SHA1 hash of the file.

Field | Example
Registry Key Last Modified (UTC) | 2020-03-10 16:40:58
File Path | C:\Windows\Temp\legitservice.exe
File Sha1 Hash | 2b2e04ab822ef34969b7d04642bae47385be425c

Table 3: Example AmCache entry

Table 4 provides an example Windows Event Log process creation event. Note this artifact includes the PID in hexadecimal notation, details about the parent process, and even a field for where the process command line arguments should be. In this example the command line arguments are not present because command line auditing is disabled by default, and Mandiant rarely sees this policy enabled by clients on investigations.

Field | Example
Write Time (UTC) | 2020-03-10 16:40:58
Log | Security
Source | Microsoft Windows security
EID | 4688
Message | A new process has been created.

Creator Subject:
      Security ID:             TEST-DOMAIN\BackupAdmin
      Account Name:            BackupAdmin
      Account Domain:          TEST-DOMAIN
      Logon ID:                0x6D6AD

Target Subject:
      Security ID:             NULL SID
      Account Name:            -
      Account Domain:          -
      Logon ID:                0x0

Process Information:
      New Process ID:          0x24b0
      New Process Name:        C:\Windows\Temp\legitservice.exe
      Token Elevation Type:    %%1938
      Mandatory Label:         Mandatory Label\Medium Mandatory Level
      Creator Process ID:      0x238f
      Creator Process Name:    C:\Windows\System32\cmd.exe
      Process Command Line:    

Table 4: Example Windows event log process creation event

If we combine the evidence available in AmCache with a fully detailed Windows Event Log process creation event, we could match the evidence available in the real-time event except for a small difference in file hash types.

File Write Events

An attacker may choose to modify or delete important evidence. If an attacker uses a file shredding tool like Sysinternals' SDelete, it is unlikely the analyst will recover the original contents of the file. Our solution’s real-time file write events are incredibly useful in situations like this because they record the MD5 hash of the files written and partial contents of the file. File write events also record which process created or modified the file in question.

Table 5 provides an example of a real-time file write event recorded by our solution.

Field | Example
Timestamp (UTC) | 2020-03-10 16:42:59.956
Sequence Number | 2884312
PID | 9392
Process Path | C:\Windows\Temp\legitservice.exe
Username | TEST-DOMAIN\BackupAdmin
Device Path | \Device\HarddiskVolume2
File Path | C:\Windows\Temp\WindowsServiceNT.log
File MD5 Hash | 30a82a8a864b6407baf9955822ded8f9
Num Bytes Seen Written | 8
Size | 658
Writes | 4
Event reason | File closed
Closed | TRUE
Base64 Encoded Data At Lowest Offset | Q3JlYXRpbmcgJ1dpbmRvd3NTZXJ2aWNlTlQubG9nJyBsb2dmaWxlIDogT0sNCm1pbWlrYXR6KGNvbW1hbmQ
Text At Lowest Offset | Creating 'WindowsServiceNT.log' logfile : OK....mimikatz(command

Table 5: Example real-time file write event

Based on this real-time file write event, the malicious executable C:\Windows\Temp\legitservice.exe wrote the file C:\Windows\Temp\WindowsServiceNT.log to disk with the MD5 hash 30a82a8a864b6407baf9955822ded8f9. Since the real-time event recorded the beginning of the written file, we can determine the file likely contained Mimikatz credential harvester output which Mandiant has observed commonly starts with OK....mimikatz.

If we investigate a little later, we’ll see a process creation event for C:\Windows\Temp\taskassist.exe with the MD5 file hash 2b5cb081721b8ba454713119be062491 followed by several file write events for this process summarized in Table 6.

Timestamp | File Path | File Size
2020-03-10 16:53:42.351 | C:\Windows\Temp\WindowsServiceNT.log | 638
2020-03-10 16:53:42.351 | C:\Windows\Temp\AAAAAAAAAAAAAAAA.AAA | 638
2020-03-10 16:53:42.351 | C:\Windows\Temp\BBBBBBBBBBBBBBBB.BBB | 638
2020-03-10 16:53:42.351 | C:\Windows\Temp\CCCCCCCCCCCCCCCC.CCC | 638
... | ... | ...
2020-03-10 16:53:42.382 | C:\Windows\Temp\XXXXXXXXXXXXXXXX.XXX | 638
2020-03-10 16:53:42.382 | C:\Windows\Temp\YYYYYYYYYYYYYYYY.YYY | 638
2020-03-10 16:53:42.382 | C:\Windows\Temp\ZZZZZZZZZZZZZZZZ.ZZZ | 638

Table 6: Example timeline of SDelete File write events

Admittedly, this activity may seem strange at first glance. If we do some research on its file hash, we’ll see the process is actually SDelete masquerading as C:\Windows\Temp\taskassist.exe. As part of its secure deletion process, SDelete renames the file 26 times in a successive alphabetic manner.
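The two file write observations above (the captured prefix in Table 5 that reveals Mimikatz output, and the SDelete rename series in Table 6) can both be worked programmatically. The Python below is an added example, not Mandiant's code: it decodes the Table 5 base64 field (restoring the padding the export dropped) and checks it for the "OK....mimikatz" marker the text describes, and it scans file write events for SDelete's single-letter rename pattern. The event dictionaries, the PID 9876 for taskassist.exe and the rows for the letters D..W that Table 6 elides are constructed.

```python
"""Real-time file write events: decode the captured prefix and spot SDelete's rename pass (added example)."""
import base64
import re
from collections import defaultdict

# 'Base64 Encoded Data At Lowest Offset' from the page's Table 5, its two wrapped lines joined.
LOWEST_OFFSET_B64 = ("Q3JlYXRpbmcgJ1dpbmRvd3NTZXJ2aWNlTlQubG9nJy"
                     "Bsb2dmaWxlIDogT0sNCm1pbWlrYXR6KGNvbW1hbmQ")

# The page notes that Mimikatz output files commonly start with "OK....mimikatz".
MIMIKATZ_MARKER = re.compile(r"\bOK\s+mimikatz\(", re.IGNORECASE)

# SDelete's rename pass: a 16-character name and 3-character extension of one repeated letter.
SDELETE_NAME = re.compile(r"^([A-Z])\1{15}\.\1{3}$")


def decode_lowest_offset(b64: str) -> str:
    """Decode the captured bytes. The exported value carries no base64 padding, so restore
    it; decode as latin-1 because the captured prefix may be arbitrary binary."""
    b64 = "".join(b64.split())
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    return raw.decode("latin-1")


def looks_like_mimikatz_output(text: str) -> bool:
    return MIMIKATZ_MARKER.search(text) is not None


def find_sdelete_rename_runs(events, min_letters=20):
    """Group file write events by (PID, Size) and report groups that cycle through the
    single-letter names. OtherFiles lists the non-pattern names in the group, usually the
    original file the tool was told to wipe, which is the clue an analyst wants."""
    groups = defaultdict(list)
    for ev in events:
        groups[(ev["PID"], ev["Size"])].append(ev)
    runs = []
    for (pid, size), evs in groups.items():
        letters, others, dirs = set(), [], set()
        for ev in evs:
            directory, _, name = ev["FilePath"].rpartition("\\")
            m = SDELETE_NAME.match(name)
            if m:
                letters.add(m.group(1))
                dirs.add(directory)
            else:
                others.append(name)
        if len(letters) >= min_letters:
            stamps = sorted(ev["Timestamp"] for ev in evs)
            runs.append({"PID": pid, "Size": size, "Letters": len(letters),
                         "Directories": sorted(dirs), "OtherFiles": sorted(others),
                         "First": stamps[0], "Last": stamps[-1]})
    return runs


def _sample_events():
    """Table 6 rows plus constructed rows for the letters D..W the table elides.
    The PID is constructed; the page does not give taskassist.exe's PID."""
    base = "C:\\Windows\\Temp\\"
    evs = [{"Timestamp": "2020-03-10 16:53:42.351", "PID": 9876,
            "FilePath": base + "WindowsServiceNT.log", "Size": 638}]
    for letter in "ABCDEFGHIJKLMNOPQRSTUVWXYZ":
        stamp = "2020-03-10 16:53:42.351" if letter < "X" else "2020-03-10 16:53:42.382"
        evs.append({"Timestamp": stamp, "PID": 9876,
                    "FilePath": f"{base}{letter * 16}.{letter * 3}", "Size": 638})
    # An unrelated write by another process (constructed), to show it is not reported.
    evs.append({"Timestamp": "2020-03-10 16:53:50.000", "PID": 4242,
                "FilePath": base + "AAAAAAAAAAAAAAAA.AAA", "Size": 12})
    return evs


SAMPLE_FILE_WRITE_EVENTS = _sample_events()

if __name__ == "__main__":
    text = decode_lowest_offset(LOWEST_OFFSET_B64)
    print(repr(text), "-> mimikatz output?", looks_like_mimikatz_output(text))
    for run in find_sdelete_rename_runs(SAMPLE_FILE_WRITE_EVENTS):
        print(run)
```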

Network Events

Incident responders rarely see evidence of network communication from historical evidence on an endpoint without enhanced logging. Usually, Mandiant relies on NetFlow data, network sensors with full or partial packet capture, or malware analysis to determine the command and control (C2) servers with which a malware sample can communicate. Our solution’s real-time network events record both local and remote network ports, the leveraged protocol, and the relevant process.

Table 7 provides an example of a real-time IPv4 network event recorded by our solution.

Field | Example
Timestamp (UTC) | 2020-03-10 16:46:51.690
Sequence Number | 2895588
PID | 9392
Process + Path | C:\Windows\Temp\legitservice.exe
Username | TEST-DOMAIN\BackupAdmin
Local IP Address | 10.0.0.52
Local Port | 57472
Remote IP Address | 10.0.0.51
Remote Port | 443
Protocol | TCP

Table 7: Example real-time network connection event

Based on this real-time IPv4 network event, the malicious executable C:\Windows\Temp\legitservice.exe made an outbound TCP connection to 10.0.0.51:443.

Registry Key Events

By using historical evidence to investigate relevant timeframes and commonly abused registry keys, we can identify malicious or leveraged keys. Real-time registry key events are useful for linking processes to the modified registry keys. They can also show when an attacker deletes or renames a registry key. This is useful to an analyst because the only available timestamp recorded in the registry is the last modified time of a registry key, and this timestamp is updated if a parent key is updated.

Table 8 provides an example of a real-time registry key event recorded by our solution.

Field | Example
Timestamp (UTC) | 2020-03-10 16:46:56.409
Sequence Number | 2898196
PID | 9392
Process + Path | C:\Windows\Temp\legitservice.exe
Username | TEST-DOMAIN\BackupAdmin
Event Type | 3
Path | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LegitWindowsService\ImagePath
Key Path | CurrentControlSet\Services\LegitWindowsService
Original Path | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\LegitWindowsService
Value Name | ImagePath
Value Type | REG_EXPAND_SZ
Base64 Encoded Value | QwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABsAGUAZwBpAHQAcwBlAHIAdgBpAGMAZQAuAGUAeABlAAAAAA==
Text | C:\Windows\Temp\legitservice.exe

Table 8: Example real-time registry key event

For our solution's real-time registry events, we can map the event type to the operation performed using Table 9.

Event Type Value | Operation
1 | PreSetValueKey
2 | PreDeleteValueKey
3 | PostCreateKey, PostCreateKeyEx, PreCreateKeyEx
4 | PreDeleteKey
5 | PreRenameKey

Table 9: FireEye Endpoint Security real-time registry key event types

Based on this real-time registry key event, the malicious executable C:\Windows\Temp\legitservice.exe created the Windows service LegitWindowsService. If we investigated the surrounding registry keys, we might identify even more information about this malicious service.
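As an added example (not Mandiant's code), the Python below turns the Table 8 event into that conclusion: it maps the event type through Table 9, decodes the base64 REG_EXPAND_SZ value as the UTF-16LE string registry data is stored in, and checks whether the service's ImagePath points back at the process that created the key. The base64 value and field contents are the page's own; the dictionary key names are assumptions.

```python
"""Decode a real-time registry key event and map its type to an operation (added example)."""
import base64

# Table 9 from the page: FireEye Endpoint Security registry event types.
REGISTRY_EVENT_TYPES = {
    1: "PreSetValueKey",
    2: "PreDeleteValueKey",
    3: "PostCreateKey, PostCreateKeyEx, PreCreateKeyEx",
    4: "PreDeleteKey",
    5: "PreRenameKey",
}

# The real-time registry event from the page's Table 8 (base64 lines joined); key names assumed.
REGISTRY_EVENT = {
    "Timestamp": "2020-03-10 16:46:56.409",
    "PID": 9392,
    "ProcessPath": r"C:\Windows\Temp\legitservice.exe",
    "EventType": 3,
    "KeyPath": r"CurrentControlSet\Services\LegitWindowsService",
    "ValueName": "ImagePath",
    "ValueType": "REG_EXPAND_SZ",
    "Base64Value": ("QwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABsAG"
                    "UAZwBpAHQAcwBlAHIAdgBpAGMAZQAuAGUAeABlAAAAAA=="),
}


def decode_reg_sz(b64: str) -> str:
    """REG_SZ / REG_EXPAND_SZ data is UTF-16LE followed by NUL terminators. This export
    carries an odd number of bytes (an extra trailing NUL), which would make a strict
    UTF-16 decode fail, so trim to an even length first and then strip the terminators."""
    raw = base64.b64decode("".join(b64.split()))
    if len(raw) % 2:
        raw = raw[:-1]
    return raw.decode("utf-16-le").rstrip("\x00")


def summarize_registry_event(ev: dict) -> dict:
    """Reduce the raw event to what an analyst writes up: the operation, the service
    touched, its binary, and whether that binary is the very process that created the key."""
    key = ev["KeyPath"]
    service = key.split("\\")[-1] if key.lower().startswith("currentcontrolset\\services\\") else None
    image = decode_reg_sz(ev["Base64Value"]) if ev["ValueType"] in ("REG_SZ", "REG_EXPAND_SZ") else None
    return {
        "Operation": REGISTRY_EVENT_TYPES.get(ev["EventType"], f"Unknown({ev['EventType']})"),
        "ServiceName": service,
        "ValueName": ev["ValueName"],
        "ImagePath": image,
        # True here: legitservice.exe registered itself as the LegitWindowsService binary.
        "ImagePathIsCreatingProcess": image is not None and image.lower() == ev["ProcessPath"].lower(),
    }


if __name__ == "__main__":
    for field, value in summarize_registry_event(REGISTRY_EVENT).items():
        print(f"{field:28s} {value}")
```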

Conclusion

The availability of real-time events designed for forensic analysis can fill in gaps that traditional forensic artifacts cannot on their own. Mandiant has seen great value in using real-time events during active-attacker investigations. We have used real-time events to determine the functionality of attacker utilities that were no longer present on disk, to determine users and source network addresses used during malicious remote desktop activity when expected corresponding event logs were missing, and more.

Check out our FireEye Endpoint Security page and Redline page for more information (as well as Redline on the FireEye Market), and take a FireEye Endpoint Security tour today.

Employee mistakes lead to information exposure in Nova Scotia, U.K.

It’s bad enough that hackers are able to exploit software vulnerabilities in IT environments to make off with sensitive data, but too often mistakes and misconfigurations by employees also lead to data being exposed. Two incidents reported this week show how serious this can be.

CBC News recently discovered the first incident, which involved perhaps a decade’s worth of unedited appeal decisions of the Nova Scotia Workers Compensation Board being posted on a legal website with the names of workers. Some of the information also included intimate personal details about claimants. Usually, names and other identifying information in those cases are deleted.

Nova Scotia removed the unedited documents after being told of their discovery by CBC.

“It’s terrible to hear,” the broadcaster quoted one WCB claimant whose 2009 case was posted. “I was shocked more than anything.”

The incident involves decisions between 1998 and 2009 of the Nova Scotia Workers Compensation Appeals Tribunal (WCAT) that were uploaded to the website of the Canadian Legal Information Institute (CANLII). Lawyers and legal researchers use the decisions filed there to support their cases. However, the database is open to the public.

According to the CBC, all WCAT cases filed after 2010 had the names of the worker and their employer redacted.

Asked for comment, the tribunal issued a statement saying it “is aware of this situation, and WCAT is following the Province’s privacy breach protocol. The WCAT has reported this incident to the Privacy Review Officer.”

The provincial information and privacy commissioner’s office has been notified of the incident. Provincial legislation doesn’t mandate that victims of a WCAT data breach be notified.

In the second case, Wired.com discovered a presumably confidential U.K. health department document on a public Google drive with possible new features for the country’s COVID-19 contact tracing app. The series of slides, marked ‘OFFICIAL – SENSITIVE’, was part of a group of documents intended to be open so the public can see how the app, now in a trial, was developed.

Wired says the sensitive document was part of a group published by the U.K. National Health Service (NHS) on a Google Drive. It was accompanied by a privacy impact assessment of a U.K. COVID-19 contact tracing app now being tested and could be seen by anyone with a link. While other documents could not be accessed without approval, the sensitive slide deck with potential features wasn’t.

What could make the slide deck embarrassing to the government is it contains possible features to be added to the already controversial app now being tested among the population of the Isle of Wight. In addition to disputes over whether such mobile apps are effective in helping control the rate of infection, privacy and health experts are fighting over whether an approved app should hold encrypted contact information on a mobile device (the decentralized model pushed by Google and Apple) or uploaded to a government-controlled server (the centralized model). The U.K. app being tested uses a centralized model. However, this week news emerged that the U.K. government is also paying for the development of a decentralized app.

The slides say a future version of the app being tested could allow users to periodically enter their personal health status, as well as their postal code, demographic and location information to help the NHS in infection planning.

The most-targeted security vulnerabilities – despite patches having been available for years

Newly-discovered zero-day vulnerabilities may make the biggest headlines, but that doesn’t mean that they’re necessarily the thing that will get your company hacked.

This week, US-CERT has published its list of the “Top 10 Routinely Exploited Vulnerabilities”.

Read more in my article on the Tripwire State of Security blog.

Kaspersky Report Shows Need for Improved Password Storage

More than four out of five people think up their own passwords, while 54% don’t know how to check if any of their credentials have been leaked. This is according to Kaspersky’s Defending digital privacy: taking personal protection to the next level report, which highlighted the growing need for better password storage, with people using an increasing number of online accounts.

Numerous studies have demonstrated the importance of having complex passwords that are changed regularly and differ across multiple accounts in order to prevent data breaches. Yet in this new report, 55% of users said they are able to remember all their passwords, suggesting that they do not make them sufficiently complex and unique.

The study also showed that of those who do keep a record of their passwords, many store them in places that leave them vulnerable to theft. Of the 15,002 consumers surveyed across 23 countries, 19% stated that they store their passwords in a written file or in a file on a computer, while 18% keep them saved in the browsers on their computers, smartphones, or tablets.

Kaspersky added that users should be made more aware of services such as ‘Have I Been Pwned?’ to enable them to check whether their passwords have been included in public leaks or data breaches without having to visit the dark web.
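The leaked-password check mentioned above can be done without sending the password, or even its full hash, to anyone: the Pwned Passwords range API at `https://api.pwnedpasswords.com/range/<prefix>` takes only the first five hex characters of the SHA-1 hash and returns every known suffix under that prefix with a breach count, and the client matches the remaining 35 characters locally (k-anonymity). The following is an added example written for this page, not code from Kaspersky or from Have I Been Pwned; the sample response body is constructed (the first suffix is the real SHA-1 of "password", but the counts are made up), and `online_fetch_range` is the only part that touches the network.

```python
"""Offline demonstration of the Have I Been Pwned range lookup.

Only a 5-character SHA-1 prefix is ever sent; the match against the
full hash happens on the client.  The sample response below is constructed
for this example, not captured from the live service.
"""
import hashlib
import urllib.request

# Constructed stand-in for the body the range endpoint returns for the
# prefix "5BAA6".  Each line is "<35 hex chars of SHA-1 suffix>:<count>".
# The first suffix is the genuine SHA-1 suffix of "password"; the counts
# are invented, and the zero-count line mimics a padding entry.
SAMPLE_RANGE_RESPONSES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD9:2\r\n"
        "0F7A4E9C0C2F2D1D0F1B0A9B8C7D6E5F4A3:0\r\n"
    ),
}


def split_sha1(password):
    """Return (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}.

    Blank or malformed lines are skipped, as are zero-count padding entries
    that the service adds when the client asks for padded responses.
    """
    seen = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, _, count = line.partition(":")
        suffix = suffix.strip().upper()
        count = count.strip()
        if len(suffix) != 35 or not count.isdigit():
            continue
        n = int(count)
        if n > 0:
            seen[suffix] = n
    return seen


def offline_fetch_range(prefix):
    """Look a prefix up in the constructed sample table (no network)."""
    return SAMPLE_RANGE_RESPONSES.get(prefix, "")


def online_fetch_range(prefix):
    """Query the real range endpoint.  Only the 5-char prefix is sent.

    Add-Padding asks the service to pad the response so that its size does
    not reveal which prefix was queried to a network observer.
    """
    req = urllib.request.Request(
        "https://api.pwnedpasswords.com/range/" + prefix,
        headers={"Add-Padding": "true", "User-Agent": "hibp-range-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password, fetch_range=offline_fetch_range):
    """Times the password appears in the breach corpus; 0 means not found."""
    prefix, suffix = split_sha1(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for pw in ("password", "abc"):
        print(pw, "->", breach_count(pw))
    # To check against the live corpus instead:
    # print(breach_count("password", fetch_range=online_fetch_range))
```

A non-zero result means the exact password is in a public breach and should be treated as burned regardless of how "complex" it looks; a zero result only says it has not been seen, not that it is strong.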

Marina Titova, head of consumer product marketing at Kaspersky, said: “Consumers can monitor the spread of personal data, including which passwords might have been leaked. And this is not only for the sake of ‘just being aware’; it also allows individuals to take the right action to minimize any invasion of privacy – along with any wider consequences. That’s why we at Kaspersky put a big focus on protecting consumers’ privacy.”

In order to minimize the risk of passwords being stolen, Kaspersky recommends that people never leave them in places where others may find them, whether written on paper or on a device.

Last week was World Password Day 2020, which promotes better password practice. This is an issue that takes on extra importance this year due to the unprecedented rise in people working from home as a result of COVID-19.

How to Secure Your Data Everywhere? It’s Easy With Unified Cloud Edge

The need to protect sensitive data has two main drivers: privacy legislation, and protection of intellectual property against external breaches and insider threats. 58% of countries worldwide now have privacy legislation in place, and these laws will become more onerous over time. Breaches and insider theft of data are a frequently reported topic in the media because of the steady stream of brand-impacting, high-profile cases. Breaches are expensive due to fines, loss of revenue and remediation costs.

Historically, data protection via DLP was implemented on the endpoint and in the business’s network. Both approaches have strengths and weaknesses: network DLP is unable to monitor the movement of sensitive data to USB memory sticks, and endpoint DLP doesn’t offer some of the more sophisticated DLP capabilities that require a lot of memory and compute power. Many customers therefore deployed both.

Other vendors without enterprise DLP offerings have added “DLP-lite” capabilities to their products, predominantly email and web security products and some businesses have chosen those over enterprise DLP solutions.

This approach was sustainable before widespread adoption of the cloud.  95% of companies have or are adopting cloud services and 79% of them admit to storing sensitive data there.  Data is now everywhere, on laptops, servers, in sanctioned apps, in unsanctioned Shadow IT apps and moving from cloud to cloud.  Protecting data within the four walls of an organization is no longer sufficient.

Businesses, particularly those with a Cloud First strategy have responded to this challenge by introducing a CASB solution such as McAfee’s MVISION Cloud product.  Dependent on the product this can address some, or all, of these cloud adoption challenges – MVISION Cloud addresses them all.

The problem, however, is that some businesses are living with gaps in their protection because they don’t deploy multiple products. Endpoint DLP can’t solve for cloud, cloud DLP can’t solve for the endpoint, and web DLP can’t effectively solve for sanctioned apps that allow online collaboration, or for the endpoint. Looking at common use cases alongside the potential DLP leak vectors shows why a single product isn’t a complete solution.

To attempt to address this, businesses deploy multiple products. Doing so closes the gaps but has downsides. Multiple products are expensive to license and carry higher IT management overheads and complexity because of subtly different implementations. Those differences come from different DLP policies, data classifications and content extraction engines, which makes it difficult to ensure consistent detection across products: data classifications that have been fine-tuned over time have to be re-implemented from scratch with each additional product, reducing efficacy.

McAfee’s Unified Cloud Edge (UCE) solution solves these problems.  UCE is a combination of endpoint DLP, web SaaS proxy and CASB, covering all the potential data leak vectors: endpoint, unsanctioned shadow IT apps, sanctioned apps (including email) and cloud to cloud transfers.  UCE is managed via a single console and uses the same DLP technology everywhere, such as policy and content extraction engines to maximize efficacy through consistent results.  Businesses can retain their investment in those carefully crafted data classifications, allowing use across all vectors and easy extension to the cloud.  UCE is a cloud native, highly scalable solution with industry leading uptime and availability.

Want to find out more?  Then head over to https://www.mcafee.com/enterprise/en-us/solutions/unified-cloud-edge.html

The post How to Secure Your Data Everywhere? It’s Easy With Unified Cloud Edge appeared first on McAfee Blogs.

The top 10 most-targeted security vulnerabilities – despite patches having been available for years

Newly-discovered zero-day vulnerabilities may generate the biggest headlines in the security press, but that doesn’t mean that they’re necessarily the thing that will get your company hacked. This week, US-CERT has published its list of what it describes as the “Top 10 Routinely Exploited Vulnerabilities” for the last three years. The list is designed to […]… Read More

The post The top 10 most-targeted security vulnerabilities – despite patches having been available for years appeared first on The State of Security.

Remote Workers Often Not Provided Secure Tools

The number of employees working from home is increasing, but the security technology to support them is not being deployed.

According to a survey of 694 IT security administrators and practitioners, most companies fail to authenticate remote workers properly or inadequately inspect their network traffic for threats.

The research, conducted by Cato Networks, found that 68% of respondents said their organizations fail to deploy enough prevention or authentication technologies for remote users. In particular, 37% do not use multi-factor authentication (MFA) for remote users, 55% do not employ intrusion prevention or anti-malware technology, and 11% do not inspect remote-user traffic at all.

“A lack of security enforcement on remote access users should be of serious concern for IT managers: enterprises cannot enable widespread remote access at the expense of security protections,” said Yishay Yovel, CMO of Cato Networks. “Enterprises should be able to provide remote access for all users anywhere, in minutes, with the security protections and network optimizations they have in the office.”

Brian Honan, CEO of BH Consulting, told Infosecurity that the numbers did not surprise him, as many companies were already struggling to roll out better authentication technologies for remote users before the global pandemic hit.

He said: “With the rush to support remote working for many more users, companies rapidly expanded their remote access solutions or migrated systems to the cloud; this rush was to ensure the business could survive and support staff to continue working.

“However, now that those immediate goals have been met and our response to the pandemic may be more long term than initially planned, companies need to review the security and resilience of their remote access solutions.”

The news follows research from earlier this week, when a Tripwire survey found 94% of cybersecurity professionals were more concerned about security in the wake of COVID-19. Its survey of 345 IT security professionals found that 89% said remote working had made the job more difficult. Additional findings included: 

  • 49% said they cannot effectively secure employees’ home office environments
  • 41% said it is more challenging to manage what devices are connecting to their corporate networks
  • 38% said it is hard to gain visibility into remote assets and systems

The survey also found that 53% of respondents were increasing security investment with 28% investing in new tools. 

“The massive shift to working remotely represents a huge change for organizations’ attack surfaces,” said Tim Erlin, vice-president of product management and strategy at Tripwire. “It’s no surprise that security professionals are finding it challenging to monitor and minimize the new attack surfaces.”

CISSP vs. Master’s Degree – Please Take a Neutral Corner!

The UK’s designated national agency responsible for providing information and expert guidance on qualifications (UK NARIC) recently announced that the Certified Information Systems Security Professional (CISSP) credential offered by (ISC)2 is rated RQF Level 7, thereby placing it equal to a particular level of a Master’s Degree. This declaration is not without precedent. It follows […]… Read More

The post CISSP vs. Master’s Degree – Please Take a Neutral Corner! appeared first on The State of Security.

AMD releases Radeon Pro VII graphics card, offers big FP64 performance on a budget

AMD is targeting the pros with the announcement of its Radeon Pro VII workstation graphics card on May 13.

Based on the Vega 20 GPU, the Radeon Pro VII graphics card features 60 compute units (CUs), four fewer than the full Vega 20 GPU on the consumer Radeon VII graphics card. It comes with 16GB of ECC high-bandwidth memory (HBM) capable of reaching 1TB/s bandwidth. The card also communicates over the PCIe 4.0 bus, which has double the throughput of PCIe 3.0.

The AMD Radeon Pro VII excels at double-precision floating-point number crunching, offering 6.5 tera floating-point operations per second (TFLOPS) in FP64. With the Radeon Pro VII, AMD aims to offer an affordable option for design and simulation professionals working with high-precision workloads. Simultaneously, it hopes to capture the attention of VFX and media production teams with its 16GB memory buffer useful for holding high-res media assets.

One neat AMD-exclusive feature is ProRender 2.0. Typically, rendering is done either on the GPU or on the CPU. ProRender 2.0 renders on the CPU and GPU simultaneously to cut down on render time. It’s compatible with AMD Threadripper processors, as well as the consumer-oriented Ryzen 9 and Ryzen 7 platforms. Applications with ProRender plug-in support include Unreal Engine, Autodesk Maya, SideFX Houdini and Blender, among others. AMD made the ProRender SDKs available under the Apache License 2.0, shaving off some back-and-forth legal headaches for developers looking to implement them in their software.

The Radeon Pro VII comes with six DisplayPort 1.4 outputs for multi-panel synchronized high-resolution output. A typical use case would be large-scale, multi-panel digital signage, or filming with synchronized LED backdrops. By attaching up to four Radeon Pro VII cards to an AMD FirePro S400 sync module, up to 24 displays can work in sync as a common output.

The AMD Radeon Pro VII is available in June for US$1,900 (around CA$2,660) through Memory Express and Newegg Canada.

From Bugs to Zoombombing: How to Stay Safe in Online Meetings

The COVID-19 pandemic, along with social distancing, has done many things to alter our lives. But in one respect it has merely accelerated a process begun many years ago. We were all spending more and more time online before the virus struck. But now, forced to work, study and socialize at home, the online digital world has become absolutely essential to our communications — and video conferencing apps have become our “face-to-face” window on the world.

The problem is that as users flock to these services, the bad guys are also lying in wait — to disrupt or eavesdrop on our chats, spread malware, and steal our data. Zoom’s problems have perhaps been the most widely publicized, because of its quickly rising popularity, but it’s not the only platform whose users have been potentially at risk. Cisco’s WebEx and Microsoft Teams have also had issues; while other platforms, such as Houseparty, are intrinsically less secure (almost by design for their target audience, as the name suggests).

Let’s take a look at some of the key threats out there and how you can stay safe while video conferencing.

What are the risks?

Depending on the platform (designed for work or play) and the use case (business or personal), there are various opportunities for the online attacker to join and disrupt or eavesdrop on video conferencing calls. The latter is especially dangerous if you’re discussing sensitive business information.

Malicious hackers may also look to deliver malware via chats or shared files to take control of your computer, or to steal your passwords and sensitive personal and financial information. In a business context, they could even try to hijack your video conferencing account to impersonate you, in a bid to steal info from or defraud your colleagues or company.

The bad guys may also be able to take advantage of the fact that your home PCs and devices are less well-secured than those at work or school—and that you may be more distracted at home and less alert to potential threats.

To accomplish their goals, malicious hackers can leverage various techniques at their disposal. These can include:

  • Exploiting vulnerabilities in the video conferencing software, particularly when it hasn’t been updated to fend off the latest threats
  • Stealing your log-ins/meeting ID via malware or phishing attacks; or by obtaining a meeting ID or password shared on social media
  • Hiding malware in legitimate-looking video apps, links and files
  • Theft of sensitive data from meeting recordings stored locally or in the cloud.

Zooming in on trouble

Zoom has in many ways become the victim of its own success. With daily meeting participants soaring from 10 million in December last year to 200 million by March 2020, all eyes have been focused on the platform. Unfortunately, that also includes hackers. Zoom has been hit by a number of security and privacy issues over the past several months, which include “Zoombombing” (meetings disrupted by uninvited guests), misleading encryption claims, a waiting room vulnerability, credential theft and data collection leaks, and fake Zoom installers. To be fair to Zoom, it has responded quickly to these issues, realigning its development priorities to fix the security and privacy problems surfaced by its intensive use.

And Zoom isn’t alone. Earlier in the year, Cisco Systems had its own problem with WebEx, its widely-used enterprise video conferencing system, when it discovered a flaw in the platform that could allow a remote, unauthenticated attacker to enter a password-protected video conferencing meeting. All an attacker needed was the meeting ID and a WebEx mobile app for iOS or Android, and they could have barged in on a meeting, no authentication necessary. Cisco quickly moved to fix the high-severity vulnerability, but other flaws (also now fixed) have cropped up in WebEx’s history, including one that could enable a remote attacker to send a forged request to the system’s server.

More recently, Microsoft Teams joined the ranks of leading business videoconferencing platforms with serious vulnerabilities. On April 27 it surfaced that for at least three weeks (from the end of February till the middle of March), a malicious GIF could have stolen user data from Teams accounts, possibly across an entire company. The vulnerability was patched on April 20, but it’s a reminder to video conferencing users that even leading systems such as Zoom, WebEx, and Teams aren’t fool-proof and require ongoing vulnerability and security fixes to keep them safe. This is compounded during the COVID-19 pandemic, when workers are working from home and connecting to their company’s network and systems via possibly insecure home networks and devices.

Video conferencing alternatives

So how do you choose the best, most secure, video conferencing software for your work-at-home needs? There are many solutions on the market today. In fact, the choice can be dizzying. Some simply enable video or audio meetings/calls, while others also allow for sharing and saving of documents and notes. Some are only appropriate for one-on-one connections or small groups, while others can scale to thousands.

In short, you’ll need to choose the video conferencing solution most appropriate to your needs, while checking if it meets a minimum set of security standards for working at home. This set of criteria should include end-to-end encryption, automatic and frequent security updates, the use of auto-generated meeting IDs and strong access controls, a program for managing vulnerabilities, and last but not least, good privacy practices by the company.

Some video conferencing options alongside Zoom, WebEx, and Teams include:

  • Signal, which is end-to-end encrypted and highly secure, but only supports one-to-one calls.
  • FaceTime, Apple’s video chat tool, is easy-to-use and end-to-end encrypted, but is only available to Mac and iOS users.
  • Jitsi Meet is a free, open-source video conferencing app that works on Android, iOS, and desktop devices, with no limit on participants beyond your bandwidth.
  • Skype Meet Now is Microsoft’s free, popular conferencing tool for up to 50 users that can be used without an account, (in contrast to Teams, which is a paid, more business-focused platform for Office 365 users).
  • Google Duo is a free option for video calls only, while the firm’s Hangouts platform can also be used for messaging. Hangouts Meet is a more business-focused paid version.
  • Doxy.me is a well-known telemedicine platform used by doctors and therapists that works through your browser—so it’s up to you to keep your browser updated and to ensure the appropriate security and privacy settings are in place. Secure medical consultation with your healthcare provider is of particular concern during the shelter- and work-from-home quarantine.

How do I stay safe?

Whatever video conferencing platform you use, it’s important to bear in mind that cyber-criminals will always be looking to take advantage of any security gaps they can find — in the tool itself or your use of it. So how do you secure your video conferencing apps? Some tips listed here are Zoom-specific, but consider their equivalents in other platforms as general best-practice tips. Depending on the use case, you might choose to not enable some of the options here.

  • Check whether the app offers end-to-end encryption before getting on board with it, and check separately how recordings and chat data are encrypted at rest (encryption at rest is not the same thing as end-to-end encryption of the call).
  • Ensure that you generate one-off meeting IDs and passwords automatically for recurring meetings (Zoom).
  • Don’t share any meeting IDs online.
  • Use the “waiting room” feature in Zoom (the earlier waiting room vulnerability is now fixed), so that the host individually admits each attendee before they can join.
  • Lock the meeting once it’s started to stop anyone new from joining.
  • Allow the host to put attendees on hold, temporarily removing them from a meeting if necessary.
  • Play a sound when someone enters or leaves the room.
  • Set screen-sharing to “host only” to stop uninvited guests from sharing disruptive content.
  • Disable “file transfers” to block possible malware.
  • Keep your systems patched and up-to-date so there are no bugs that hackers can target.
  • Only download conferencing apps from official iOS/Android stores and manufacturer websites.
  • Never click on links or open attachments in unsolicited mail.
  • Check the settings in your video conferencing account. Switch off camera access if you don’t want to appear on-screen.
  • Use a password manager for video conferencing app log-ins.
  • Enhance passwords with two-factor authentication (2FA) or Single-Sign-On (SSO) to protect access, if available.
  • Install anti-malware software from a reputable vendor on all devices and PCs. And implement a network security solution if you can.

How Trend Micro can help

Fortunately, Trend Micro has a range of capabilities that can support your efforts to stay safe while using video conferencing services.

Trend Micro Home Network Security (HNS) protects every device in your home connected to the internet. That means it will protect you from malicious links and attachments in phishing emails spoofed to appear as if sent from video conferencing firms, as well as from those sent by hackers that may have covertly entered a meeting. Its Vulnerability Check can identify any vulnerabilities in your home devices and PCs, including work laptops, and its Remote Access Protection can reduce the risk of tech support scams and unwanted remote connections to your device. Finally, it allows parents to control their kids’ usage of video conferencing applications, to limit their exposure.

Trend Micro Security also offers protection against email, file, and web threats on your devices. Note too, that Password Manager is automatically installed with Maximum Security to help users create unique, strong passwords for each application/website they use, including video conferencing sites.

Finally, Trend Micro WiFi Protection (multi-platform) / VPN Proxy One (Mac and iOS) offer VPN connections from your home to the internet, creating encrypted tunnels for your traffic. The VPN apps work on both Wi-Fi and Ethernet connections. This can help protect your traffic from snooping on an untrusted local network and from exposing your identity and personal information while using these apps. Note that a VPN only encrypts traffic between your device and the VPN endpoint; it is not a substitute for end-to-end encryption within the conferencing app itself.

The post From Bugs to Zoombombing: How to Stay Safe in Online Meetings appeared first on the Trend Micro blog.

Firewalling and VPN in the Remote Work Era

A cloud firewall vendor recently argued that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) is “sounding the alarm around VPN security.” That scary-sounding statement is incorrect. It may get clicks, but it doesn’t benefit security practitioners protecting data and remote workers.

The U.S. Government is not sounding an alarm about VPNs. Rather, it is acknowledging the importance of security best practices in work-from-home operations. CISA’s recent VPN guidance recommends good security hygiene, such as security patching and multi-factor authentication to establish user identity before VPN access is granted. While those recommendations bear repeating, they are not new.

Even prior to the Covid-19 pandemic, global VPN use was rising. Cisco AnyConnect VPN is the world’s most widely used enterprise remote access VPN. AnyConnect supports smartphones, laptops, kiosks, and more. It is proven in both small offices and enterprises with over 100,000 users.

For years, Cisco has provided organizations with innovative solutions for secure connectivity. Only Cisco couples:

  • VPN scalability
  • Firewall reliability
  • Cisco Duo’s multifactor authentication
  • Cisco Umbrella’s DNS-based security that protects users, even when they’re off the VPN.

Additionally, many Cisco AnyConnect customers use its split-tunneling features. By policy, traffic can be split on-or-off VPN by application, or Cisco’s patented, DNS-based, Dynamic Split Tunneling (DST). DST can exclude low-risk browser traffic (like videoconferencing) from the VPN tunnel, maximizing VPN efficiency and network performance while lowering costs. Another AnyConnect differentiator is that it can natively assess endpoint posture (e.g., validating endpoint security software is up-to-date) before granting VPN access.

Additionally, Cisco has invested heavily in software-defined networking, SD-WAN, and security tools enabling zero-trust frameworks. Cisco is a bridge for organizations evolving their security posture to a zero-trust model. In fact, last year we were named a leader in the Forrester Wave Report for zero-trust.

Seeing a pattern? Cisco security has a depth of capabilities to meet diverse needs. Nowhere is that more evident in Cisco’s security portfolio than firewalling. Years ago, firewall only meant appliance. Today what’s most important is firewalling — intelligent control points everywhere — cloud-delivered Secure Access Service Edge (SASE), physical, virtual, and even workload-centric.

Cisco calls this flexible and comprehensive firewalling vision the future of firewall. Our approach protects multiple environments: traditional, micro-segmented, cloud, and de-perimeterized networks, as well as SaaS-delivered applications and microservices. Firewalling where you need it, unified with consistent policies, visibility, and threat correlation between endpoint and network security tools.

Firewalling is also foundational to Cisco’s recently-announced open platform approach to security. Our platform tools, like Cisco SecureX, integrate with our security products. They are not extra costs. SecureX reduces security complexity and shrinks administration time. For instance, based on load, SecureX can automate virtual firewall provisioning to grow remote access VPN capacity on demand. Additionally, our open platform unifies Cisco security tools and extends integration with third-party capabilities. The result is rapid identification, fencing, and remediation of incidents.

Returning to U.S. Government cyber news, the Trusted Internet Connections (TIC) 3.0 initiative’s Interim Telework Guidance grants government agencies greater flexibility for using SASE, Cloud Access Security Broker (CASB), and SD-WAN technologies. The acceptance of these new capabilities recognizes the rapid growth of roaming users, remote locations, and SaaS applications. It also acknowledges that backhauling all traffic via VPN to a head office is not always relevant, or practical.

It’s fun to read controversial statements about security. But it’s better to thoughtfully manage risk on your terms. Cisco publishes resources on verifying and securing users, on its firewalling and VPN solutions, on the platform tools included with all its security solutions, and on Cisco SD-WAN.

The post Firewalling and VPN in the Remote Work Era appeared first on Cisco Blogs.

China-linked hackers are attempting to steal COVID-19 Vaccine Research

US authorities warned healthcare and scientific researchers that China-linked hackers were attempting to steal COVID-19 vaccine research.

US authorities warned healthcare and scientific researchers that China-linked hackers were attempting to steal research related to treatments and vaccines for COVID-19.

“The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) are issuing this announcement to raise awareness of the threat to COVID-19-related research. The FBI is investigating the targeting and compromise of U.S. organizations conducting COVID-19-related research by PRC-affiliated cyber actors and non-traditional collectors.” reads the joint alert. “These actors have been observed attempting to identify and illicitly obtain valuable intellectual property (IP) and public health data related to vaccines, treatments, and testing from networks and personnel affiliated with COVID-19-related research.”

“The F.B.I. and the Department of Homeland Security are preparing to issue a warning that China’s most skilled hackers and spies are working to steal American research in the crash effort to develop vaccines and treatments for the coronavirus. The efforts are part of a surge in cybertheft and attacks by nations seeking advantage in the pandemic.” reported The New York Times.

“China’s efforts to target these sectors pose a significant threat to our nation’s response to COVID-19.”

The US agencies recommend that targeted organizations adopt cybersecurity best practices to prevent state-sponsored hackers from stealing COVID-19-related material.

“What else is new with China? What else is new? Tell me. I’m not happy with China,” President Trump commented. “We’re watching it very closely.”

“China’s long history of bad behavior in cyberspace is well documented, so it shouldn’t surprise anyone they are going after the critical organizations involved in the nation’s response to the Covid-19 pandemic,” said Christopher Krebs, the director of the Cybersecurity and Infrastructure Security Agency. He added that the agency would “defend our interests aggressively.”

The Chinese government in Beijing rejected the allegation on Monday.

“We are leading the world in COVID-19 treatment and vaccine research. It is immoral to target China with rumors and slanders in the absence of any evidence,” Foreign Affairs ministry spokesman Zhao Lijian said.

The Chinese government is not the only one interested in COVID-19 research: nation-state hackers from Russia, Iran, and North Korea are launching spear-phishing and misinformation campaigns in an attempt to target organizations and scientists involved in vaccine research.

Last week the US and the UK issued a joint alert to warn of the rise in cyber attacks carried out by foreign states against healthcare organizations and researchers.

This is my interview on the topic at TRT World

Pierluigi Paganini

(SecurityAffairs – COVID-19, hacking)

The post China-linked hackers are attempting to steal COVID-19 Vaccine Research appeared first on Security Affairs.

US Government Exposes North Korean Malware

US Cyber Command has uploaded North Korean malware samples to the VirusTotal aggregation repository, adding to the malware samples it uploaded in February.

The first of the new malware variants, COPPERHEDGE, is described as a Remote Access Tool (RAT) "used by advanced persistent threat (APT) cyber actors in the targeting of cryptocurrency exchanges and related entities."

This RAT is known for its capability to help the threat actors perform system reconnaissance, run arbitrary commands on compromised systems, and exfiltrate stolen data.

TAINTEDSCRIBE is a trojan that acts as a full-featured beaconing implant with command modules and is designed to disguise itself as Microsoft's Narrator.

The trojan "downloads its command execution module from a command and control (C2) server and then has the capability to download, upload, delete, and execute files; enable Windows CLI access; create and terminate processes; and perform target system enumeration."

Last but not least, PEBBLEDASH is yet another North Korean trojan acting like a full-featured beaconing implant and used by North Korean-backed hacking groups "to download, upload, delete, and execute files; enable Windows CLI access; create and terminate processes; and perform target system enumeration."

It's interesting to see the US government take a more aggressive stance on foreign malware. Making samples public, so all the antivirus companies can add them to their scanning systems, is a big deal -- and probably required some complicated declassification maneuvering.

Me, I like reading the codenames.

Lots more on the US-CERT website.

Effective Business Continuity Plans Require CISOs to Rethink WAN Connectivity

As more businesses leverage remote, mobile, and temporary workforces, the elements of business continuity planning are evolving and requiring that IT professionals look deep into the nuts and bolts of connectivity. CISOs and their team members are facing new challenges each and every day, many of which have been driven by digital transformation, as well as the adoption of other

Microsoft OLE Bugs Most Frequently Exploited Since 2016

The US government has released new technical guidance highlighting the 10 most commonly exploited vulnerabilities of recent years, in a bid to improve awareness and patching among organizations.

It warned that “foreign cyber-actors” often choose to focus on known and often dated vulnerabilities as they require fewer resources to exploit than researching zero-days. Although the top 10 list is for flaws exploited in 2016-19, two of the featured CVEs date back even before this period, to 2012 and 2015.

“The public and private sectors could degrade some foreign cyber threats to US interests through an increased effort to patch their systems and implement programs to keep system patching up to date,” the notice urged.

“A concerted campaign to patch these vulnerabilities would introduce friction into foreign adversaries’ operational tradecraft and force them to develop or acquire exploits that are more costly and less widely effective. A concerted patching campaign would also bolster network security by focusing scarce defensive resources on the observed activities of foreign adversaries.”

Microsoft’s Object Linking and Embedding (OLE) technology was most commonly targeted between 2016 and 2019, featured in the top two most exploited CVEs: CVE-2017-11882 and CVE-2017-0199. Along with OLE-related CVE-2012-0158 they comprise the three bugs most frequently used by state-sponsored attackers from China, Iran, North Korea and Russia.

Chinese attackers were also still using CVE-2012-0158 in December 2019, highlighting that organizations have yet to patch, despite the vulnerability being flagged in 2015 as a common target for Beijing-backed hackers.

As for vulnerabilities exploited so far in 2020, the report warned of attacks targeting VPN systems made by Citrix and Pulse Secure, particularly in light of the rapid shift to home working due to COVID-19.

The same vulnerabilities are also thought to have been exploited by cyber-criminals in sophisticated APT-style ransomware attacks, according to Microsoft.

“The DHS report appears to align what we are seeing in the wild,” said Edgescan CEO, Eoin Keary. “Ultimately, attackers don’t care where the vulnerability is, which is why a full-stack vulnerability management approach is advised in such a fast-changing threat landscape.”

Improper Microsoft Patch for Reverse RDP Attacks Leaves 3rd-Party RDP Clients Vulnerable

Remember the Reverse RDP Attack—wherein a client system vulnerable to a path traversal vulnerability could get compromised when remotely accessing a server over Microsoft's Remote Desktop Protocol? Though Microsoft had patched the vulnerability (CVE-2019-0887) as part of its July 2019 Patch Tuesday update, it turns out researchers were able to bypass the patch just by replacing the backward

Google WordPress Site Kit plugin grants attacker Search Console Access

Experts found a critical bug in Google’s official WordPress plugin ‘Site Kit’ that could allow hackers to gain owner access to targeted sites’ Google Search Console.

The Site Kit WordPress plugin makes it easy to set up and configure key Google products (i.e. Search Console, Analytics, Tag Manager, PageSpeed Insights, Optimize, and AdSense), giving users authoritative and up-to-date advice on how to succeed on the web. It has over 300,000 active installations.

Experts from Wordfence found a critical bug in the ‘Site Kit’ plugin that could be exploited by authenticated attackers to gain owner access to targeted sites’ Google Search Console.

“This flaw allows any authenticated user, regardless of capability, to become a Google Search Console owner for any site running the Site Kit by Google plugin.” reads the analysis published by Wordfence.

The vulnerability is caused by the disclosure of the proxySetupURL in the HTML source code of admin pages. That URL is used to redirect a site’s administrator to Google OAuth and run the site owner verification process through a proxy.

“In order to establish the first connection with Site Kit and Google Search Console, the plugin generates a proxySetupURL that is used to redirect a site’s administrator to Google OAuth and run the site owner verification process through a proxy.” continues the analysis.

“Due to the lack of capability checks on the admin_enqueue_scripts action, the proxySetupURL was displayed as part of the HTML source code of admin pages to any authenticated user accessing the /wp-admin dashboard.”

Experts also noticed a second issue: the verification request used to confirm a site’s ownership was a registered admin action that did not check the capabilities of the authenticated WordPress user making the request.

Chaining the two vulnerabilities makes it possible to take ownership of the site in Google Search Console, allowing an attacker to modify sitemaps, remove pages from Google search engine result pages (SERPs), or facilitate black hat SEO campaigns.
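The two missing capability checks that Wordfence describes, shown as an added PHP illustration that is not Site Kit’s own code: the hook names, the option name, the script handle and the helper function are all hypothetical, and the hardened handlers show the checks a WordPress admin action of this kind should carry.

```php
<?php
// Added example, not Site Kit's code. Names below are hypothetical.

// Site-verification step; stands in for the real proxy-based verification.
function example_run_site_verification() {
    update_option( 'example_site_verified', true );
}

// WEAK PATTERN (as described in the analysis): every authenticated user who
// loads /wp-admin receives the setup URL in the page source, and the admin
// action runs for any logged-in user because nothing checks capabilities.
add_action( 'admin_enqueue_scripts', function () {
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleData', array(
        'proxySetupURL' => get_option( 'example_proxy_setup_url' ), // leaked to subscribers
    ) );
} );
add_action( 'admin_action_example_verify_site', function () {
    example_run_site_verification(); // no capability check, no nonce
} );

// HARDENED PATTERN: only users who may manage the site get the URL, and the
// state-changing action additionally requires a valid nonce so a forged
// request from another origin is rejected.
add_action( 'admin_enqueue_scripts', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        return; // subscriber-level users never see proxySetupURL
    }
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleData', array(
        'proxySetupURL' => get_option( 'example_proxy_setup_url' ),
        'verifyNonce'   => wp_create_nonce( 'example_verify_site' ),
    ) );
} );
add_action( 'admin_action_example_verify_site', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to verify this site.', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'example_verify_site' ); // dies on a missing or invalid nonce
    example_run_site_verification();
} );
```

The capability gate on admin_enqueue_scripts is what keeps the URL out of the HTML served to low-privilege users; the gate on the admin action is what stops the verification from being triggered by them.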

“These two flaws made it possible for subscriber-level users to become Google Search Console owners on any affected site,” continues Wordfence.

“An owner in Google Search Console can do things like request that URLs be removed from the Google Search engine, view competitive performance data, modify sitemaps, and more. Unwarranted Google Search Console owner access on a site has the potential to hurt the visibility of a site in Google search results and impact revenue as an attacker removes URLs from search results. More specifically, it could be used to aid a competitor who wants to hurt the ranking and reputation of a site to better improve their own reputation and ranking.”

The good news is that Google sends an email alert when a new Google Search Console owner has been added, allowing admins to remove the unknown owner.

As an extra precaution, admins can also reset the WordPress Site Kit connection, after which they will have to reconnect all previously connected Google services.

Wordfence discovered the privilege escalation issue on April 21 and reported it to Google on April 22.

Google addressed the vulnerability on May 7 with the release of Site Kit 1.8.0.

At the time of writing over 200,000 website owners have updated their Site Kit plugins, but over 100,000 sites are still vulnerable.

Pierluigi Paganini

(SecurityAffairs – Site Kit, hacking)

The post Google WordPress Site Kit plugin grants attacker Search Console Access appeared first on Security Affairs.

New Ramsay malware allows exfiltrating files from air-gapped computers

Experts discovered a new strain of malware dubbed Ramsay that can infect air-gapped computers and steal sensitive data, including Word, PDF, and ZIP files.

Researchers from security firm ESET discovered a new advanced malware framework named Ramsay that appears to have been designed to infect air-gapped computers and exfiltrate sensitive data.

The malicious code collects sensitive files, including Word, PDF, and ZIP files, in a hidden storage folder, then waits for the opportunity to exfiltrate them.

“ESET researchers have discovered a previously unreported cyber-espionage framework that we named Ramsay and that is tailored for collection and exfiltration of sensitive documents and is capable of operating within air‑gapped networks.” reads the report published by ESET.

The malware was specifically designed to jump the air gap and reach computers within isolated networks to steal sensitive information.

The researchers found a sample of Ramsay after it was uploaded to VirusTotal from Japan, then discovered further components and versions of the framework, which suggests the framework is still under active development.

Experts speculate that at least three variants of the malware exist, tracked as v1, v2.a, and v2.b. Ramsay v1 was first compiled in September 2019, and is also the least complex.

The v2.a and v2.b samples were compiled on March 8 and March 27, respectively; both include a rootkit component, but experts noticed that only v2.a implements spreading capabilities.

Experts report that the less complex versions of the malware are dropped by weaponized documents exploiting the RCE vulnerabilities CVE-2017-0199 and CVE-2017-11882.

The Ramsay v2.a is delivered using a fake installer for the 7-zip file compression utility.

Ramsay allows attackers to collect all Microsoft Word documents on the target computer; the most recent variants are also able to collect PDF files and ZIP archives from network drives and removable drives.

ESET researchers were not able to identify any Ramsay exfiltration module used by the malicious code.

ESET did not attribute the Ramsay malware to a specific threat actor; researchers only noticed some similarities with the Retro malware family employed by the DarkHotel APT group.

“Based on the different instances of the framework found Ramsay has gone through various development stages, denoting an increasing progression in the number and complexity of its capabilities. Developers in charge of attack vectors seem to be trying various approaches such as old exploits for Word vulnerabilities from 2017 as well as deploying trojanized applications.” concludes ESET.

“We interpret this as that developers have a prior understanding of the victims’ environment and are tailoring attack vectors that would successfully intrude into targeted systems without the need to waste unnecessary resources.”

Pierluigi Paganini

(SecurityAffairs – Ramsay malware, hacking)

The post New Ramsay malware allows exfiltrating files from air-gapped computers appeared first on Security Affairs.

The MITRE ATT&CK Framework: Lateral Movement

It will be rare that an attacker exploits a single system and does not attempt any lateral movement within the network. Even ransomware that typically targets a single system at a time has attempted to spread across the network looking for other victims. More often than not, an attacker will gain an initial foothold and […]… Read More

The post The MITRE ATT&CK Framework: Lateral Movement appeared first on The State of Security.