Daily Archives: May 15, 2020

U.S. Secret Service: “Massive Fraud” Against State Unemployment Insurance Programs

A well-organized Nigerian crime ring is exploiting the COVID-19 crisis by committing large-scale fraud against multiple state unemployment insurance programs, with potential losses in the hundreds of millions of dollars, according to a new alert issued by the U.S. Secret Service.

A memo seen by KrebsOnSecurity that the Secret Service circulated to field offices around the United States on Thursday says the ring has been filing unemployment claims in different states using Social Security numbers and other personally identifiable information (PII) belonging to identity theft victims, and that “a substantial amount of the fraudulent benefits submitted have used PII from first responders, government personnel and school employees.”

“It is assumed the fraud ring behind this possesses a substantial PII database to submit the volume of applications observed thus far,” the Secret Service warned. “The primary state targeted so far is Washington, although there is also evidence of attacks in North Carolina, Massachusetts, Rhode Island, Oklahoma, Wyoming and Florida.”

The Secret Service said the fraud network is believed to consist of hundreds of “mules,” a term used to describe willing or unwitting individuals who are recruited to help launder the proceeds of fraudulent financial transactions.

“In the state of Washington, individuals residing out-of-state are receiving multiple ACH deposits from the State of Washington Unemployment Benefits Program, all in different individuals’ names with no connection to the account holder,” the notice continues.

The Service’s memo suggests the crime ring is operating in much the same way as crooks who specialize in filing fraudulent income tax refund requests with the states and the U.S. Internal Revenue Service (IRS), a perennial problem that costs the states and the U.S. Treasury hundreds of millions of dollars in revenue each year.

In those schemes, the scammers typically recruit people — often victims of online romance scams or those who also are out of work and looking for any source of income — to receive direct deposits from the fraudulent transactions, and then forward the bulk of the illicit funds to the perpetrators.

A federal fraud investigator who spoke with KrebsOnSecurity on condition of anonymity said many states simply don’t have enough controls in place to detect patterns that might help better screen out fraudulent unemployment applications, such as looking for multiple applications involving the same Internet addresses and/or bank accounts. The investigator said in some states fraudsters need only to submit someone’s name, Social Security number and other basic information for their claims to be processed.
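The screening controls the investigator describes, as an added example that is not from the article or any state system: claim records are clustered by submitting IP address and by receiving bank account, and an account outside the paying state that collects claims in several names is flagged separately. The record layout, field names and sample claims are constructed for illustration.

```python
"""Screen unemployment-claim records for clustering signals: many claims from
one source IP, and claims in different names paid into one bank account.
Added example; records and field names are constructed, not from a real system."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Claim:
    claim_id: str
    claimant: str          # name on the claim
    filed_in: str          # state whose program receives the claim
    source_ip: str         # IP address that submitted the web form
    bank_account: str      # token for routing+account (hashed in a real system)
    holder_state: str      # state where the receiving account holder resides


# Constructed sample data: C003-C005 are filed in WA in three different names,
# from one IP, into one account held out of state. The rest are ordinary.
SAMPLE_CLAIMS = [
    Claim("C001", "A. Alvarez", "WA", "198.51.100.7", "acct-1111", "WA"),
    Claim("C002", "B. Brown", "WA", "198.51.100.8", "acct-2222", "WA"),
    Claim("C003", "C. Chen", "WA", "203.0.113.40", "acct-9999", "NY"),
    Claim("C004", "D. Diaz", "WA", "203.0.113.40", "acct-9999", "NY"),
    Claim("C005", "E. Evans", "WA", "203.0.113.40", "acct-9999", "NY"),
    Claim("C006", "F. Foster", "RI", "192.0.2.15", "acct-3333", "RI"),
    Claim("C007", "F. Foster", "RI", "192.0.2.15", "acct-3333", "RI"),  # resubmission
]


def group_by(claims, attr):
    """Map each distinct value of `attr` to the claims that share it."""
    groups = defaultdict(list)
    for claim in claims:
        groups[getattr(claim, attr)].append(claim)
    return groups


def flag_shared_values(claims, attr, min_names=2):
    """Return {value: sorted claim ids} for values of `attr` shared by claims
    in at least `min_names` different claimant names. Repeat filings by the
    same person (C006/C007) share an IP and account but are not flagged."""
    flagged = {}
    for value, group in group_by(claims, attr).items():
        names = {c.claimant for c in group}
        if len(names) >= min_names:
            flagged[value] = sorted(c.claim_id for c in group)
    return flagged


def flag_out_of_state_accounts(claims):
    """Accounts held outside the paying state that receive claims in more than
    one name: the ACH pattern the Secret Service memo describes."""
    flagged = {}
    for account, group in group_by(claims, "bank_account").items():
        names = {c.claimant for c in group}
        out_of_state = [c for c in group if c.holder_state != c.filed_in]
        if len(names) > 1 and out_of_state:
            flagged[account] = sorted(c.claim_id for c in out_of_state)
    return flagged


def screen(claims):
    """Run all three checks. Each hit is a review trigger, not proof of fraud:
    shared NAT addresses and household accounts produce legitimate overlap."""
    return {
        "shared_ip": flag_shared_values(claims, "source_ip"),
        "shared_account": flag_shared_values(claims, "bank_account"),
        "out_of_state_account": flag_out_of_state_accounts(claims),
    }


if __name__ == "__main__":
    for check, hits in screen(SAMPLE_CLAIMS).items():
        print(check, hits)
```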

The alert follows news reports by media outlets in Washington and Rhode Island about millions of dollars in fraudulent unemployment claims in those states. On Thursday, The Seattle Times reported that the activity had halted unemployment payments for two days after officials found more than $1.6 million in phony claims.

“Between March and April, the number of fraudulent claims for unemployment benefits jumped 27-fold to 700,” the state Employment Security Department (ESD) told The Seattle Times. The story noted that the ESD’s fraud hotline has been inundated with calls, and received so many emails last weekend that it temporarily shut down.

WPRI in Rhode Island reported on May 4 that the state’s Department of Labor and Training has received hundreds of complaints of unemployment insurance fraud, and that “the number of purportedly fraudulent accounts is keeping pace with the unprecedented number of legitimate claims for unemployment insurance.”

The surge in fraud comes as many states are struggling to process an avalanche of jobless claims filed as a result of the Coronavirus pandemic. The U.S. government reported Thursday that nearly three million people filed unemployment claims last week, bringing the total over the last two months to more than 36 million. The Treasury Department says unemployment programs delivered $48 billion in payments in April alone.

A few of the states listed as key targets of this fraud ring are experiencing some of the highest levels of unemployment claims in the country. Washington has seen nearly a million unemployment claims, with almost 30 percent of its workforce currently jobless, according to figures released by the U.S. Chamber of Commerce. Rhode Island is even worse off, with 31.4 percent of its workforce filing for unemployment, the Chamber found.

“The banks targeted have been at all levels including local banks, credit unions, and large national banks,” the Secret Service alert concluded. “It is extremely likely every state is vulnerable to this scheme and will be targeted if they have not been already.”

Congress to Consider Competing COVID-19 Privacy Bills

Democrats and Republicans Introduce 2 Versions of Legislation With Similar Goals
As COVID-19 rages and technology firms race to develop contact-tracing apps and other digital tools to help contain the spread, congressional Democrats have followed Republicans in introducing privacy legislation aimed at protecting consumer data collected during public health emergencies.

Threat Roundup for May 8 to May 15

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between May 8 and May 15. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Read More



20200515-tru.json – this is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.

The post Threat Roundup for May 8 to May 15 appeared first on Cisco Blogs.

Chinese APT Tropic Trooper targets air-gapped military networks in Asia

The Chinese threat actor tracked as Tropic Trooper and KeyBoy has been targeting air-gapped military networks in Taiwan and the Philippines.

Chinese APT group Tropic Trooper, aka KeyBoy, has been targeting air-gapped military networks in Taiwan and the Philippines, Trend Micro researchers reported.

The Tropic Trooper APT has been active since at least 2011; it was first spotted in 2015 by security experts at Trend Micro when it targeted government ministries and heavy industries in Taiwan and the military in the Philippines.

The threat actor targeted government offices, military, healthcare, transportation, and high-tech industries in Taiwan, the Philippines, and Hong Kong.

Since December 2014, the threat actors have been using a malware dubbed USBferry in attacks against military/navy agencies, government institutions, military hospitals, and also a national bank.

“Recently, we discovered the Tropic Trooper group targeting Taiwanese and the Philippine military’s physically isolated environment using a USBferry attack (the name derived from a sample found in related research),” reads the analysis published by Trend Micro. “USBferry has variants that perform different commands depending on specific targets; it can also combine capabilities, improve its stealth in infected environments, and steal critical information through USB storage.”


The USBferry USB malware can execute various commands on the infected system and exfiltrate sensitive data through USB storage.

According to Trend Micro’s telemetry, attacks employing USBferry have been ongoing since December 2014 and have targeted military or government users located in Asia.

The malware was first mentioned in a PwC report that attributes it to Tropic Trooper APT, but that did not include a detailed analysis.

The attackers first target organizations related to the military or government that implement fewer security measures than the real targets, then attempt to use them as a proxy to the final target. In one case, the hackers compromised a military hospital and used it to move to the military’s physically isolated network.

Trend Micro researchers identified at least three versions of the malware with different variants and components.

“Tropic Trooper uses the old way of achieving infection: by ferrying the installer into an air-gapped host machine via USB,” continues the report. “They employ the USB worm infection strategy using the USB device to carry the malware into the target’s computer and facilitate a breach into the secure network environment.”

The group used “tracert” and “ping” commands to map the target’s network architecture (i.e. “tracert -h 8” collects the route (path) and measures transit delays of packets across an Internet Protocol (IP) network, while pings allow testing the target network’s connectivity).

The attackers attempted to determine if the infected machine has access to the internal network and the target mail portal.

In the absence of network connectivity, the malware collects information from the machine and copies the data to the USB drive.

The experts also discovered that the hackers used different backdoors in a recent attack, including WelCome To Svchost, Welcome To IDShell, and Hey! Welcome Server.

The arsenal of the APT group includes scanning tools, a command-line remote control listener/port relay tool, and backdoor payload/steganography payload execution loaders.

“This targeted attack operation can be broken down into four important points,” concludes the report. “First, putting critical data in physically isolated networks is not an overarching solution for preventing cyberespionage activities. Second, their preferred technique of steganography isn’t just used to deliver payloads, but also for sending information back to the C&C server. Third, several hacking tools and components can be used to fulfill attacks in different target networks and environments. These tools and components also have a self-delete command to make it tricky to trace the attack chain and all the related factors. Lastly, using an invisible web shell hides their C&C server location and makes detecting malicious traffic more difficult for network protection products.”

Pierluigi Paganini

(SecurityAffairs – Tropic Trooper, hacking)

The post Chinese APT Tropic Trooper targets air-gapped military networks in Asia appeared first on Security Affairs.

Hackers Double Ransom Demands, Implicate Trump in Celebrity Law Firm Hack

The hackers who attacked a major entertainment and media law firm have now doubled the sum they’re demanding, and have included a threat to reveal compromising data on President Donald Trump.

Grubman Shire Meiselas & Sacks represents high-profile clients including U2, Madonna, Lizzo, Drake, and Lady Gaga among many others. The firm was targeted with ransomware earlier this month, which led to the reported exfiltration of 756 gigabytes of data, including contracts and client correspondence. REvil, the hacking group claiming responsibility for the attack, initially demanded $21 million in ransom and released contracts relating to a recent Madonna tour as proof of their access to the firm’s data. They have since doubled their demand.

“The ransom is now $42,000,000,” the hackers announced in a statement on the dark web. “The next person we’ll be publishing is Donald Trump… Grubman, we will destroy your company down to the ground if we don’t see the money.”

Donald Trump is not a client of the firm, which raises questions as to what data, if any, they have access to.

Grubman Shire Meiselas & Sacks has refused to cooperate with the hackers’ demands.

“The leaking of our clients’ documents is a despicable and illegal attack by these foreign cyberterrorists who make their living attempting to extort high-profile U.S. companies, government entities, entertainers, politicians, and others,” the firm said in an announcement.

The post Hackers Double Ransom Demands, Implicate Trump in Celebrity Law Firm Hack appeared first on Adam Levin.

Android Spyware Hidden in Apps for 4 Years: Report

Mandrake Malware Still Lurks in Apps in Google Play Store, Bitdefender Says
A sophisticated cyber-espionage campaign using spyware called Mandrake has been targeting Android users for at least four years, according to security firm Bitdefender. The malware has the ability to steal a range of data, including SMS authentication messages from banks.

‘Security Incident’ Knocks UK’s ARCHER Supercomputer Offline

Other European Supercomputers Also Affected, Officials Say
ARCHER, a British high-performance computing system for academic and theoretical research, has been offline since May 11, when a "security incident" forced the University of Edinburgh to take down the supercomputer. The security incident also affected supercomputers in other parts of Europe, university officials say.

Digital transformation accelerated in a post-COVID world

I’m working across more than 100 global non-profit programs pro bono and thus have deep insights of the world currently and post-COVID.  What is happening is the rapid acceleration of the 4th Industrial Revolution into Society 5.0—taking 3 years rather than 10. For example, digital integration in healthcare expected by 2030 is happening now. In…

Iowa Civil Rights Meeting Zoom-bombed

A Des Moines civil rights meeting was abandoned yesterday after being digitally crashed twice by racist cretins.

The joint meeting between the city's Civil and Human Rights Commission and Des Moines City Council was being held virtually using the videoconferencing app Zoom due to lockdown measures intended to decelerate the spread of COVID-19.

Before the meeting was called to order, an unknown person gained access to the online gathering to aim offensive comments at the commission. The attacker singled out two specific members of the commission, leveling several ignorant, racist slurs and trotting out the n-word.

As the meeting opened, Joshua Barr, Des Moines's civil and human rights director, told the council that he and other members of the commission had been "zoom-bombed."

“There were some racial slurs and things that were posted. I’ll just be candid with it," Barr told the virtual meeting attendants. "If that does happen again, we will have to end the meeting for the protection of the public."

After Barr's acknowledgement, an attempt was made to continue with the meeting. But moments later, as Mayor Frank Cownie delivered his opening remarks, a Zoom-bomber interrupted proceedings with more repellant rubbish.

To spare the attendees from any more offensive idiocy, the meeting was then cancelled. 

Cownie described the actions of the zoom-bomber as a "disgusting and sickening display of racial intolerance" that would only strengthen the city's resolve to educate those unfortunate people who in 2020 are somehow still mired in a ridiculous historical hatred.

Commission chair Kameron Middlebrooks said the sorry incident underlined the need for the community to come together in a spirit of love, equality, and positivity. 

"What occurred proves hate and ignorance is alive and well. But I stand steadfast in my resolve to continue to be an agent of change," said Middlebrooks. "Our commission has started the path to bridging the gap we face in our community and will continue to work cooperatively with council and Des Moines residents to ensure we drive this hate into the darkness and uplift neighbors with love and equitable policies."   

The City of Des Moines is currently operating under a Proclamation of Emergency issued on March 5, 2020, and Governor Jay Inslee’s Stay-at-Home order issued March 23, 2020, in response to the COVID-19 pandemic.

Forget Whitelists and Blacklists: Go for ‘Allow’ or ‘Deny’

Terminology Shift Announced by Britain's National Cyber Security Center
Forget "whitelists" and "blacklists" in cybersecurity. So recommends Britain's National Cyber Security Center, in a bid to move beyond the racial connotations inherent to the terminology. Henceforth, NCSC - part of intelligence agency GCHQ - will use the terms "allow list" and "deny list." Will others follow?

Digital Contact-Tracing Apps Must Win Hearts and Minds

We Need These Apps, But Some Nations' Security and Privacy Follies Don't Bode Well
Despite the need to battle COVID-19, several nations' in-development digital contact-tracing apps are already dogged by security and privacy concerns. Whether enough users will ever trust these apps to make them effective remains a major question. Is it too late to get more projects back on track?

Live Webinar | Your Next Security Risk Assessment Needs to Talk Dollars and Sense

What if you could not only identify your organization's current security gaps but ALSO understand and communicate the financial risk of potential cyberattacks and the financial gains of proposed security measures?

The answer is clear: you would be able to make decisions that optimize both your company's security and your bottom line with an always on risk assessment solution.

Attend this webinar to discover how you can quantify both risk and mitigation in economic terms to prioritize where to mitigate risk for the greatest impact.

Crypto-Lock and Tell: Ransomware Gangs Double Down on Leaks

Dedicated Leak Sites Are Likely Driving More Victims to Pay, Security Experts Warn
More ransomware-wielding gangs are not just crypto-locking victims' systems, but also stealing and threatening to leak data unless they get their demanded bitcoin ransom payoff. A growing number of security experts believe the strategy is leading more victims to pay.

Investment Firm Hit by BEC Scam

Norway's Norfund Investigating Breach of Internal Network
Fraudsters have conned Norfund, a private equity investment firm based in Oslo, Norway, out of more than $10 million in what the company calls an "advanced data breach." But the incident bears the hallmarks of a business email compromise scam.

ITL Staff Recognized at 47th Annual NIST Awards Ceremony

On December 4th, 15 ITL staff members were honored for their exceptional accomplishments during the 2019 NIST Awards Ceremony. The following ITL staff received awards:

Alden Dima, Computer Scientist: Gold Medal
Ramaswamy Chandramouli, Computer Scientist: Gold Medal
Ann Rickerds, Information Specialist: Bronze Medal
Oliver Borchert, Computer Scientist
William Haag Jr., Computer Scientist
Tim McBride, Supervisory IT Specialist (INFOSEC)
Douglas Montgomery, Supervisory Computer Scientist
Scott Rose, Computer Scientist
Murugiah Souppaya, Computer Scientist
Kotikalapudi Sriram, Electronics Engineer

Technology Transfer Activity as a “Concierge Service” to the Scientific and Engineering Community

Commercialization Academy Director for Venture Partners of the University of Colorado, Boulder, Ms. Sally Hatcher, who is my colleague and fellow Technology Transfer (T2) professional, recently described her most effective T2 activities as being something like a concierge service for university faculty and student scientists, engineers and other technical professionals. In my opinion, this service goes beyond the bounds of the university. University T2 activities, like those of Federal labs, reach out to the private sector and often to agencies of state and local governments. T2 activities

Applied Category Theory Workshop (POSTPONED)

The focus of this workshop is on fostering the development of tooling and use-cases supporting the applied category theory community. We are particularly interested in bringing together practitioners who are engaged with susceptible domains as well as those involved in the implementation, support, and utilization of software and other tools. There will be a number of talks/demos showcasing existing approaches as well as ample time for discussion.

Confirmed Speakers: John C. Baez, University of California, Riverside; Arquimedes Canedo, Siemens; Daniel Cicala, New Haven University; James Fairbanks

Norway’s Wealth Fund Loses $10m in Data Breach

Norway's state-owned investment fund Norfund has halted all payments after losing $10m in an "advanced data breach."

Norfund is a private equity company established by the Norwegian Storting in 1997 and owned by the Norwegian Ministry of Foreign Affairs. The fund receives its investment capital from the state budget and is the largest sovereign wealth fund in the world. 

On May 13, Norfund announced that it was "cooperating closely with the police and other relevant authorities" after "a series of events" allowed fraudsters to make off with $10m. 

The fund said that a data breach allowed defrauders to access information concerning a loan of US$10m from Norfund to a microfinance institution in Cambodia. 

Using a mixture of manipulated data and falsified information, the fraudsters managed to impersonate the borrowing institution and divert funds away from the genuine recipient and into their own pockets. 

"The defrauders manipulated and falsified information exchange between Norfund and the borrowing institution over time in a way that was realistic in structure, content and use of language. Documents and payment details were falsified," said a Norfund spokesperson.

Funds were diverted to an account in Mexico under the same name as the Cambodian microfinance institution. The theft took place on March 16 but went undetected until April 30, when the scammers attempted to fraudulently obtain more money. 

“This is a very unfortunate situation," said Olaug Svara, chair of the board of directors. "We now have to get a full overview of the chain of events in order to get to the bottom of this."

Norfund's board has engaged PwC to undertake a full review of the company's security systems and routines.

Norfund CEO Tellef Thorleifsson said: "The fact that this has happened shows that our systems and routines are not good enough. We have taken immediate and serious action to correct this.”

Commenting on how the fraud might have been committed, Chris Hazelton, director of security solutions at Lookout, said: “There is no specific information on how this attack took place, nevertheless, how the threat actors were able to 'manipulate the communication between Norfund and the intended recipient' points to either BEC or phishing as a likely entry point for attackers."

API Attacks Increase During Lockdown

Cyber-attacks against API endpoints have increased since lockdown measures were introduced to slow the spread of COVID-19.

Threat research published today by California cybersecurity software company Cequence noted a huge spike in malicious traffic since April, with API endpoints being targeted far more than usual. 

Describing the number of threats leveled at just one of their customers, Cequence researchers saw malicious traffic increase by 40% to 28 million events over the week commencing April 17. As time marched forward, the volume of attacks rose. 

"Week of April 23rd saw a massive spike of 279% to 78M with one attack campaign peaking at 100,000 requests per minute," noted researchers. "Week of May 1st showed yet another increase in malicious traffic to 139M requests or an 85% week over week increase."

Attackers were found to be directing the lion's share of traffic at one login API endpoint for the Android application. 

Asked why this particular API received a battering, CQ Threat Research team member and hacker in residence Jason Kent told Infosecurity Magazine: "Usually this is because an attack worked once against that endpoint. Often the focus API endpoint is old, learned either several months ago, or the attacker assumes the older endpoints are forgotten (often the case) and not monitored. 

"Additionally, it is much easier to decompose the API calls an application makes from Android because there are several tools to help with this, versus iOS, which is a bit more difficult."

According to Kent, the biggest trend observed in attacks instigated since "stay safe" became a standard email sign-off has been a growth in overall volume. He added that the tactics around volume, source IPs, and User-Agents (device type) have increased significantly. 

"Attackers are obviously focused on account takeover and are clearly trying to get past mitigation efforts: traffic is being distributed across approximately 1 million residential IP addresses from 15,000 different organizations owned by Bulletproof Proxy vendors, and they are rotating 3 million user agents," said Kent. 

"The heavy use of residential IP addresses, combined with Covid-19 driven stay-at-home orders, makes separating out malicious traffic from legitimate traffic even more important.  The attackers know if they can use residential IP addresses from Bulletproof Proxy Networks, they’ll be that much harder to catch and defend against."

Fake Canada website among many using COVID-19 relief offers to phish for credentials

With governments around the world making billions of dollars available for COVID-19 financial relief, criminals are making every effort to take advantage. That includes building phony official coronavirus relief templates for websites to trick victims into giving up sensitive personal information.

Among the sites discovered by security vendor Proofpoint are the bilingual Government of Canada site pages that attempt to get credentials from victims in either English and French. The news is part of a blog released Friday that also details phishing financial relief pages for the U.S. Internal Revenue Service, the U.K. Revenue and Customs and the official registration site for France.


Screenshot by Proofpoint of fake Canada COVID-19 relief page

The goal of the Canadian site is to capture social insurance numbers, which are valuable for creating fake IDs.

“This spoof is noteworthy because while it copies the behaviour of the Canadian government website effectively, it does not match the look and feel of the current Canadian government website,” Proofpoint notes. “The malicious template correctly copies the name of Canada’s revenue ministry in English and French, Canada Revenue Agency and Agence du revenu du Canada respectively. However, the layout, colours, and branding of the malicious template do not match that of the legitimate Canadian government website.”

Fake websites would be created for people doing internet searches for financial relief programs. They would also be the landing pages for links in the mass email and text campaigns previously outlined in our Cyber Security Today podcasts.

Proofpoint screenshot of fake UK COVID-19 relief page

Proofpoint says it’s found more than 300 different COVID-19 campaigns since January across nearly every industry it tracks. The creators include well-known, established threat actor groups and unknown individuals.

Creation of Covid-19 phishing landing pages increased sharply in early March, peaking around the beginning of April and then sharply dropping off, says the blog. That plunge probably is caused by a combination of saturation for COVID-19 payment theme phishing templates and a move towards other COVID-19 themes as many one-time payments were disbursed, Proofpoint believes.

“It’s clear threat actors follow trends closely,” the blog adds. “We’ve seen throughout the COVID-19 situation how threat actors have followed the news and adapted their themes to match the unfolding public narrative. The movement by governments in particular to offer financial support has caught the attention of threat actors who have moved not only to target those funds directly but to use them as themes for their malware and credential phishing attacks.”


Intel releases 10th gen vPro processors for businesses

Intel recently released its 10th gen vPro desktop and mobile processors for businesses, bringing a bevy of management and security features along with improved performance.

In total, Intel launched 27 SKUs across its mobile and desktop Core i5, Core i7, and Xeon ranges. All announced processors are based on the Comet Lake architecture instead of Ice Lake. Interestingly, several vPro processors have unlocked multipliers for overclocking, as denoted by their “K” suffix. While overclocking capabilities are interesting for enthusiasts, business owners care little for them. They favour a product’s consistency and reliability over tunable performance.

Intel’s vPro platform is a portfolio of both quality assurance and hardware features. vPro-certified processors have higher quality, carry hardware security features for low-level protection and more robust remote management. They also undergo a rigorous validation process to ensure that they’re compatible with new technologies. The vPro platform also sets criteria outside of the processor by requiring specific chipset and high-end memory I/O components like Optane memory.

Intel vPro features list

Intel’s 10th gen vPro processors also bring implications for Project Athena, Intel’s new standard for mobile laptops. Previously, Athena-certified business laptops like the HP Elite Dragonfly had to rely on Intel’s 8th gen vPro processors. The release of the 10th gen vPro processors will replace them in future Athena business laptop designs.

Intel 10th gen vPro desktop processors
Intel 10th gen vPro mobile processors


Intel 10th gen vPro processors will be coming to products from HP, Dell and Lenovo among others.

Interserve UK defense contractor hacked, up to 100,000 past and present employees details exposed

Britain’s Ministry of Defence contractor Interserve has been hacked; intruders stole up to 100,000 past and present employees’ details.

Interserve, a contractor for Britain’s Ministry of Defence, suffered a security breach in which hackers stole up to 100,000 past and current employees’ details. The company currently has around 53,000 employees. Stolen data includes payment information and details of their next of kin.

“Outsourcing group Interserve is recovering from a cyberattack which took place over the weekend that may have seen the details of up to 100,000 people stolen,” reported The Telegraph.

“Hackers broke into a human resources database owned by the outsourcing firm, which recently helped build the Birmingham Nightingale Hospital, on May 9 and stole information on current and former Interserve employees, a company insider said.”

Attackers might have accessed names, addresses, bank details, payroll information, next of kin details, HR records, dates of absences, and pension information.

The security breach took place in early May; at the time of writing there are no details about the attack, and the number of affected individuals is unclear.

“Interserve was the target of a cyber security attack earlier this month,” reads a press release published by the company on its website.

“Interserve is working closely with the National Cyber Security Centre (NCSC) and Strategic Incident Response teams to investigate, contain and remedy the situation. This will take some time and some operational services may be affected. Interserve has informed the Information Commissioner (ICO) of the incident. We will provide further updates when appropriate.”

The defense contractor is investigating the incident with the help of the National Cyber Security Centre.

According to the defense contractor’s website, Interserve is present on 35 MoD sites; the company has also announced that it is supporting the NHS during COVID-19.

Pierluigi Paganini

(SecurityAffairs – data breach, hacking)

The post Interserve UK defense contractor hacked, up to 100,000 past and present employees details exposed appeared first on Security Affairs.

AI and Machine Learning Critical to Tackling Cyber Threats Say NTT

Advanced artificial intelligence (AI) and machine learning tools are becoming increasingly critical in detecting and combatting cyber threats. This is according to Stefaan Hinderyckx, Senior Vice President, Security - Europe at NTT Ltd. speaking at the virtual NTT European Digital Press Roundtable 2020 on May 13 2020.

According to Hinderyckx, with organizations now handling so much data, coupled with a current shortage of cybersecurity experts, identifying security threats efficiently and quickly is only possible using these technologies.

He said the global technology services company gets around 280 billion logs per month across all its clients; these can be reduced to 1000 possible threats through its automated AI and machine learning tools, which utilize complex mathematical techniques such as pattern matching and advanced correlation. NTT’s analysts can then focus on investigating these potential threats closely.

“We have this massive haystack and we put that into a manageable number of incidents that analysts can still look at,” commented Hinderyckx. “You still need humans; machine learning and AI cannot completely replace our analysts, but you can simply do it much more efficiently and the need for speed of course is there because you can’t wait for five hours from the logs coming in and flagging the alert, it has to be near real-time.”

Hinderyckx also said these technologies are able to pick up new threats that conventional security analysis techniques, such as security information and event management (SIEM), find difficult to identify. He gave the example of the emerging threat of zero-day exploits. “By using AI we’re effectively addressing the white space,” he added.

Tetration and AWS = Win-Win for Cloud and Workload Protection

There are many benefits to using a cloud provider like Amazon Web Services (AWS). Better capacity planning with the flexibility to scale up or down to adjust to your business needs, the ability to rapidly deploy applications globally to better serve your customers, and a pay-as-you-go, consumption model, where you pay for only the computing resources you consume.

When deploying applications in the public cloud, it is important to understand the Shared Responsibility Model. In short, it places responsibility for security in the hands of both the cloud provider and the customer. The cloud provider is responsible for the security of the cloud and the infrastructure that runs the cloud-based services, and the customer is responsible for securing their applications, workloads, and data hosted in the cloud.

However, as more organizations move their applications and workloads to the cloud, the complexity of their environment increases.  They can lose visibility into their cloud-based workloads, and those blind spots can be fatal.  No matter how secure a cloud provider is, inconsistent protection and lack of comprehensive visibility and control can leave organizations vulnerable.  Gartner estimates through 2025, 99% of cloud security failures will be the customer’s fault.*

As organizations embrace the cloud model, they’re investing in infrastructure that’s more dynamic and distributed, and as a result, security must become more dynamic as well. Fundamentally, to be protected, organizations must have visibility and control over their environments.  With on-premise data centers, it was challenging enough to protect critical applications, workloads, and data from attack, breach, and theft.  The hybrid cloud, public cloud environment makes the complexity of securing your entire environment much more challenging.

What can you do to address this complexity? Focus on protecting the workload with a product designed for that use case – Cisco Tetration.

Cisco Tetration addresses the cloud workload protection challenge in a comprehensive and scalable way. Tetration enables holistic workload protection for multi-cloud data centers through:

  • Scalable, consistent policy implementation for thousands of applications, spanning tens of thousands of workloads
  • Microsegmentation which allows the implementation of a zero trust whitelisting model
  • Detection of CVEs (Common Vulnerabilities and Exposures) based on the installed software packages; proactively quarantine servers when vulnerabilities are detected
  • Ability to capture a million events per second and make policy decisions based on the behavior analysis of billions of flows, processes, and workload characteristics, allowing for real-time policy enforcement

Seems too good to be true – Well it is true.  Look at these free, technical resources to help you be successful.

Request a demo:  Want to see Tetration in action live?  Sign up here and we’ll come to you virtually. You’ll get all your questions answered in a customized session based on your needs.

Cisco Tetration Design & Implementation video playlist:  Learn how to use Tetration for workload security by watching this in-depth series.  It helps you understand the breadth and depth of Tetration’s cloud workload protection, microsegmentation, and visibility features.

Cisco Secure Cloud for AWS Design Guide: This lab-tested and validated design guide focuses on best practices for deploying Tetration in AWS.  It covers the following best practices in depth:

  • Leverage the Tetration security dashboard for visibility into critical information like vulnerability score, process health score, attack surface score, forensics score, network anomaly score, and segmentation compliance score
  • Leverage Amazon EC2 tools to auto-provision Tetration sensors to provide visibility, segmentation, behavior deviation, and software vulnerability data
  • Use Application Dependency Mapping to automatically discover policies based on flow and other data received from workloads; refine the discovered workload clusters and update the inventory filters to define the policies to be enforced on your cloud workloads


*Smarter With Gartner, Is the Cloud Secure? October 10, 2019


The post Tetration and AWS = Win-Win for Cloud and Workload Protection appeared first on Cisco Blogs.

Russian APT Turla’s COMpfun malware uses HTTP status codes to receive commands

Russia-linked cyberespionage group Turla targets diplomatic entities in Europe with a new piece of malware tracked as COMpfun.

Security experts from Kaspersky Lab have uncovered a new cyberespionage campaign carried out by Russia-linked APT Turla that employs a new version of the COMpfun malware. The new malware allows attackers to control infected hosts using a technique that relies on HTTP status codes.

COMpfun was first spotted in the wild in 2014 by G DATA researchers; Kaspersky first observed the threat in autumn 2019, when it was employed in attacks against diplomatic entities across Europe.

“You may remember that in autumn 2019 we published a story about how a COMpfun successor known as Reductor infected files on the fly to compromise TLS traffic.” reads the analysis published by Kaspersky. “The campaign operators retained their focus on diplomatic entities, this time in Europe, and spread the initial dropper as a spoofed visa application.”

The Turla APT group (aka Snake, Uroburos, Waterbug, Venomous Bear and KRYPTON) has been active since at least 2007, targeting diplomatic and government organizations and private businesses in the Middle East, Asia, Europe, North and South America, and former Soviet bloc nations.

The list of previously known victims is long and includes also the Swiss defense firm RUAG, US Department of State, and the US Central Command.

In March the APT group employed two new pieces of malware in watering hole attacks targeting several high-profile Armenian websites.

The COMpfun malware analyzed by Kaspersky implements a new technique to receive commands from the C2 as HTTP status codes.

COMpfun is a remote access trojan (RAT) that collects system data, logs keystrokes, and takes screenshots.

The new variant of the COMpfun malware includes two new features: the ability to monitor when USB removable devices are plugged into or unplugged from the host, and the C2 communication technique mentioned above.

The first feature was implemented to allow the malware to propagate itself to the connected device.

The second feature was implemented to avoid detection: Turla’s malware authors implemented a new C2 protocol that relies on HTTP status codes.

HTTP status codes report the state of the server and instruct the client on what to do next (e.g. drop the connection); COMpfun abuses this mechanism to control the bot running on the compromised system.

“We observed an interesting C2 communication protocol utilizing rare HTTP/HTTPS status codes (check IETF RFC 7231, 6585, 4918). Several HTTP status codes (422-429) from the Client Error class let the Trojan know what the operators want to do. After the control server sends the status “Payment Required” (402), all these previously received commands are executed.” continues the analysis.

For example, if the C2 server responds with a 402 status code followed by a 200 status code, the malicious code sends the collected target data to the C2 together with the current tickcount.

Below is the list of commands associated with the HTTP status codes:

HTTP status | RFC status meaning            | Corresponding command functionality
200         | OK                            | Send collected target data to C2 with current tickcount
402         | Payment Required              | This status is the signal to process received (and stored in binary flag) HTTP statuses as commands
422         | Unprocessable Entity (WebDAV) | Uninstall. Delete COM-hijacking persistence and corresponding files on disk
423         | Locked (WebDAV)               | Install. Create COM-hijacking persistence and drop corresponding files to disk
424         | Failed Dependency (WebDAV)    | Fingerprint target. Send host, network and geolocation data
427         | Undefined HTTP status         | Get new command into IEA94E3.tmp file in %TEMP%, decrypt and execute appended command
428         | Precondition Required         | Propagate self to USB devices on target
429         | Too Many Requests             | Enumerate network resources on target
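From a defender’s side, the protocol above has a recognisable shape in outbound proxy logs: a client that receives one or more of the rare 422-429 responses from the same host and then a 402 from it. The detector below is an added example (not Kaspersky’s or Security Affairs’ code) that walks constructed proxy log lines in an assumed "timestamp client method url status" format and flags that sequence per (client, host) pair; a lone 429 rate-limit or a single WebDAV 423 without a following 402 is left alone.

```python
"""Flag COMpfun-style HTTP status-code C2 sequences in proxy logs.

Added example, not Kaspersky's or the original post's code. The log format and
the alerting rule (command statuses followed by a 402 from the same host) are
assumptions built from the command table above.
"""
import re
from collections import defaultdict

# Status codes the table above maps to queued commands, with their meaning.
COMMAND_MEANING = {
    422: "Uninstall (remove COM-hijacking persistence)",
    423: "Install (create COM-hijacking persistence)",
    424: "Fingerprint target",
    427: "Fetch and execute new command",
    428: "Propagate to USB devices",
    429: "Enumerate network resources",
}
TRIGGER_STATUS = 402  # "Payment Required": execute the queued commands

# Assumed proxy log line: "<timestamp> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    host = re.sub(r"^https?://", "", m["url"]).split("/", 1)[0]
    return {"ts": m["ts"], "client": m["client"], "host": host,
            "status": int(m["status"])}


def find_c2_sequences(lines, min_commands=1):
    """Return one alert per (client, host) where at least `min_commands`
    command-class statuses were received and then a 402 arrived.

    The 402 is the discriminator: on its own a 429 (rate limiting) or a
    WebDAV 423 is ordinary traffic, so those are only remembered, not flagged.
    """
    queued = defaultdict(list)  # (client, host) -> command codes seen so far
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than abort the run
        key = (rec["client"], rec["host"])
        if rec["status"] in COMMAND_MEANING:
            queued[key].append(rec["status"])
        elif rec["status"] == TRIGGER_STATUS and len(queued[key]) >= min_commands:
            codes = list(queued[key])
            alerts.append({
                "client": rec["client"],
                "host": rec["host"],
                "triggered_at": rec["ts"],
                "commands": codes,
                "meaning": [COMMAND_MEANING[c] for c in codes],
            })
            queued[key].clear()
    return alerts


# Constructed sample: a rate-limited API client, a WebDAV client, and one
# beacon that receives 424, 429, then the 402 trigger and a 200.
SAMPLE_LOG = """\
2020-05-14T10:00:01Z 10.0.0.5 GET http://api.example.test/v1/items 429
2020-05-14T10:00:02Z 10.0.0.7 PROPFIND http://files.example.test/docs/ 423
2020-05-14T10:01:00Z 10.0.0.9 POST http://c2.example.test/update 424
2020-05-14T10:01:30Z 10.0.0.9 POST http://c2.example.test/update 429
2020-05-14T10:02:00Z 10.0.0.9 POST http://c2.example.test/update 402
2020-05-14T10:02:05Z 10.0.0.9 POST http://c2.example.test/update 200
2020-05-14T10:03:00Z 10.0.0.5 GET http://api.example.test/v1/items 200
"""


def analyze_sample():
    """Run the detector over the constructed sample log."""
    return find_c2_sequences(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in analyze_sample():
        print(f"{alert['client']} -> {alert['host']} at {alert['triggered_at']}: "
              f"{alert['commands']} {alert['meaning']}")
```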

“The malware operators retained their focus on diplomatic entities and the choice of a visa-related application – stored on a directory shared within the local network – as the initial infection vector worked in their favor. The combination of a tailored approach to their targets and the ability to generate and execute their ideas certainly makes the developers behind COMPFun a strong offensive team.” concludes Kaspersky.

Pierluigi Paganini

(SecurityAffairs – Turla, malware)

The post Russian APT Turla’s COMpfun malware uses HTTP status codes to receive commands appeared first on Security Affairs.

This Week in Security News: How Researchers Used an App Store to Demonstrate Hacks on a Factory and Microsoft Again Surpasses 100 Vulnerabilities on Patch Tuesday

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, read about how researchers at Trend Micro used an app store to demonstrate hacks on a manufacturing facility. Also, learn about this month’s patch activity from Microsoft.

Read on:

How Two Researchers Used an App Store to Demonstrate Hacks on a Factory

When malicious code spread through the networks of Rheinmetall Automotive, it disrupted plants on two continents, temporarily costing up to $4 million each week. While awareness of these type of threats has grown, there’s still a risk that too many organizations view such attacks as isolated incidents, rather than the work of a determined attacker. Federico Maggi, a senior researcher at Trend Micro, set out to dispel that mindset.

#LetsTalkSecurity: Hacker Adventures  

This Week, Rik Ferguson, Vice President of Security Research at Trend Micro, hosted the second episode of #LetsTalkSecurity featuring Jayson E. Street, Vice President at SphereNY. This series explores security and how it impacts our digital world. In discussion with some of the brightest and most influential minds in the community, Trend Micro explores this fascinating topic. Check out this week’s episode and follow the link to find information about upcoming episodes and guests.

Microsoft Again Surpasses 100 Vulnerabilities on Patch Tuesday

For the third consecutive month Microsoft issued a hefty list of Patch Tuesday security updates covering 111 CVEs with 16 making the critical list. This is the third month Microsoft has had more than 100 vulnerabilities listed in its monthly security rollup, but unlike the last few months, May’s list does not contain any vulnerabilities currently being exploited in the wild.

Principles of a Cloud Migration – Security W5H – The WHERE

Where do we add security in the cloud? Start by removing the thinking that security controls are tied to specific implementations. You don’t need an intrusion prevention wall that’s a hardware appliance much like you don’t need an agent installed to do anti-malware. This blog puts the focus on your configuration, permissions, and other best practices.

Securing Smart Manufacturing

Trend Micro recently published a report that surveys the Industry 4.0 attack surface, finding that within the manufacturing operation, the blending of IT and OT exposes additional attack surfaces. In the current report on rogue robots, Trend Micro collaborated with the Politecnico di Milano to analyze the range of specific attacks today’s robots face, and the potential consequences those attacks may have.

Package Delivery Giant Pitney Bowes Confirms Second Ransomware Attack in 7 Months

Package and mail delivery giant Pitney Bowes suffered its second ransomware attack in seven months. The incident came to light after a ransomware gang known as Maze published a blog post claiming to have breached and encrypted the company’s network. The Maze crew provided proof of access in the form of 11 screenshots portraying directory listings from inside the company’s computer network.

Tropic Trooper’s Back: USBferry Attack Targets Air-Gapped Environments

Trend Micro recently found that Tropic Trooper’s latest activities center around targeting Taiwanese and the Philippine military’s physically isolated networks through a USBferry attack. Trend Micro also observed targets among military/navy agencies, government institutions, military hospitals, and a national bank. The group employs USBferry, a USB malware that performs different commands on specific targets, maintains stealth in environments, and steals critical data through USB storage.

Texas Courts Won’t Pay Up in Ransomware Attack

A ransomware attack has hit the IT office that supports Texas appellate courts and judicial agencies, leading to their websites and computer servers being shut down. The office said that it will not pay the ransom requested by the cybercriminals. Specifically affected is the Office of Court Administration, which is the IT provider for the appellate courts and state judicial agencies within the Texas Judicial Branch.

New MacOS Dacls RAT Backdoor Show Lazarus’ Multi-Platform Attack Capability

Trend Micro found an application sample in April called TinkaOTP that seemed like a normal one-time password authentication tool. However, further investigation showed the application bearing a striking resemblance to Dacls remote access trojan (RAT), a Windows and Linux backdoor that 360 Netlab discovered in December 2019.

Facebook Awards Researcher $20,000 for Account Hijacking Vulnerability

Security researcher Vinoth Kumar says Facebook awarded him $20,000 after he discovered and reported a Document Object Model-based cross-site scripting (DOM XSS) vulnerability that could have been exploited to hijack accounts. The researcher says he discovered the vulnerability in the window.postMessage() method, which is meant to safely enable cross-origin communication between Window objects.

Cloud Security: Key Concepts, Threats, and Solutions

Enterprises may be migrating requirements to the cloud, starting fully in the cloud (going “cloud native”), or mastering their cloud-based security strategy. Regardless of what stage of the cloud journey a company is in, cloud administrators should be able to conduct security operations like performing vulnerability management, identifying important network events, carrying out incident response, and gathering and acting on threat intelligence — all while keeping many moving parts in compliance with relevant industry standards.

From Bugs to Zoombombing: How to Stay Safe in Online Meetings

Forced to now work, study, and socialize at home, the online digital world has become essential to our communications — and video conferencing apps have become our “face-to-face” window on the world. The problem is that as users flock to these services, the bad guys are also waiting to disrupt or eavesdrop on chats, spread malware, and steal data. In this blog, Trend Micro explores some of the key threats out there and how users can stay safe while video conferencing.

Surprised by Texas courts’ decision not to pay the ransom in its latest ransomware attack? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: How Researchers Used an App Store to Demonstrate Hacks on a Factory and Microsoft Again Surpasses 100 Vulnerabilities on Patch Tuesday appeared first on .

Criminals boost their schemes with COVID-19 themed phishing templates

Phishers are incessantly pumping out COVID-19 themed phishing campaigns and refining the malicious pages the targets are directed to. “Credential phishing attackers often tailor their email lures with themes they believe will be the most effective and use general websites for actual credential harvesting. The recent move to create custom COVID-19 payment phishing templates indicates that buyers view them as effective enough to warrant custom tactics to harvest credentials,” Proofpoint researchers have noted. The COVID-19 …

The post Criminals boost their schemes with COVID-19 themed phishing templates appeared first on Help Net Security.

UK Power Grid Network Middleman Struck by Digital Attack

A middleman organization in the United Kingdom’s power grid network suffered a digital attack that affected its internal IT systems. Electricity trading arrangements provider Elexon publicly disclosed the attack in a bulletin posted to its website on May 14: We are advising you that today that ELEXON’s internal IT systems have been impacted by a […]…

The post UK Power Grid Network Middleman Struck by Digital Attack appeared first on The State of Security.

Palo Alto Networks addresses tens of serious issues in PAN-OS

Palo Alto Networks addressed tens of vulnerabilities in PAN-OS, the software that runs on the company’s next-generation firewalls.

Palo Alto Networks has issued security updates to address tens of vulnerabilities in PAN-OS, the software that runs on the company’s next-generation firewalls.

One of the most severe vulnerabilities, tracked as CVE-2020-2018, is an authentication bypass vulnerability in the Panorama context switching feature. The flaw could be exploited by an attacker with network access to a Panorama’s management interface to gain privileged access to managed firewalls.

“An authentication bypass vulnerability in the Panorama context switching feature allows an attacker with network access to a Panorama’s management interface to gain privileged access to managed firewalls. An attacker requires some knowledge of managed firewalls to exploit this issue.” reads the advisory published by the vendor.

This vulnerability does not impact Panorama configured with custom certificates authentication for communication between Panorama and managed devices.

The issue received a CVSSv3.1 Base Score of 9; it affects PAN-OS 7.1 versions earlier than 7.1.26, PAN-OS 8.1 versions earlier than 8.1.12, PAN-OS 9.0 versions earlier than 9.0.6, and all versions of PAN-OS 8.0.

Palo Alto Networks also addressed an XML external entity reference (‘XXE’) vulnerability, tracked as CVE-2020-2012, that could lead to an information leak.

The flaw could be exploited by unauthenticated attackers with network access to the Panorama management interface to read arbitrary files on the system.

The vendor also fixed a high-severity vulnerability, tracked as CVE-2020-2011, that could be exploited by a remote, unauthenticated attacker to trigger a denial-of-service (DoS) condition to all Panorama services by sending specially crafted registration requests.

Other high-severity issues affect the previous Nginx version used in PAN-OS software; some of them could be exploited without authentication.

Palo Alto Networks also addressed a serious cross-site scripting (XSS) vulnerability in the GlobalProtect Clientless VPN that can be exploited to compromise a user’s session by tricking the victim into visiting a malicious website.

The full list of vulnerabilities addressed by Palo Alto Networks is available here.

Pierluigi Paganini

(SecurityAffairs – PaloAlto Networks, hacking)

The post Palo Alto Networks addresses tens of serious issues in PAN-OS appeared first on Security Affairs.

HTTP Status Codes Command This Malware How to Control Hacked Systems

A new version of COMpfun remote access trojan (RAT) has been discovered in the wild that uses HTTP status codes to control compromised systems targeted in a recent campaign against diplomatic entities in Europe. The cyberespionage malware—traced to Turla APT with "medium-to-low level of confidence" based on the history of compromised victims—spread via an initial dropper that masks itself as

Attacks on Banks Spike 238% During #COVID19 Crisis

Attacks on financial institutions spiked by a massive 238% from the beginning of February to the end of April, as cyber-criminals took advantage of peaks in the COVID-19 news cycle, according to VMware Carbon Black.

The company’s third annual Modern Bank Heists report revealed that over a quarter (27%) of attacks so far this year have targeted either the healthcare or financial sectors.

Interestingly, rises in attack volumes seem to have coincided with major news events during the crisis, such as the first confirmed US case, the country’s first death, and the WHO declaring a pandemic. This could be because such events provide a useful lure for phishing emails.

Ransomware attacks against the financial sector increased nine-fold from the beginning of February to the end of April 2020.

Elsewhere, Emotet and Kryptik malware variants were among the most prolific; the latter was used in the notorious 2015 attack on the Ukrainian power grid. Aside from ransomware, the end goal is to transfer funds or exfiltrate sensitive data.

In fact, 82% of respondents claimed that attacks had become more sophisticated over the past year. Attackers have “dramatically increased” their understanding of internal policies and procedures and are aware of blind spots in incident response, the report claimed.

A third (33%) of respondents said they’d been hit by island hopping attacks via smaller supply chain partners, and a fifth (20%) had experienced a watering hole attack.

Of even greater concern is that a quarter (25%) said they’d been targeted by destructive attacks designed to cause maximum damage rather than to elicit a ransom payment.

“Over the years, bank heists have escalated to virtual hostage situations where cybercrime groups and nation-states have attempted to commandeer digital transformation efforts,” argued VMware’s head of security strategy, Tom Kellermann. “Now, as we address COVID-19’s impact on a global scale, it’s clear attackers are putting financial institutions directly in their crosshairs, according to our data.”

According to Accenture, the cost to address and contain cyber-attacks is higher for financial services than any other sector.

ICO’s BA and Marriott Fines Likely to Be Pushed Back Again

Legal experts have warned of more potential delays to the official GDPR fines set to be handed down to British Airways and Marriott International, potentially undermining the authority of the UK regulator.

The Information Commissioner’s Office (ICO), Europe’s largest data protection regulator by budget and employees, originally handed down a notice of intent to fine BA a massive £183.4 million after a Magecart-related breach on its site. A £99 million fine was slated for the hotel group soon after for its breach of 339 million customer records.

Although these were first published in July 2019, they’ve been subject to delays as the companies involved made detailed representations to the regulator.

The initial six-month period from notice of intent to fine was extended to May 2020, according to BA’s recent annual report.

However, experts at Cordery Compliance now believe the deadline will be pushed back again due to COVID-19, to around August-September time.

“Our understanding is that whilst still emphasizing the seriousness of the breaches, the ICO will apply a lenient approach to the amount of the fines due to the financial impact of COVID-19,” the compliance firm added in an alert.

This is likely to raise questions about the ability and resolve of the ICO to bring large cases against well-funded corporations.

“Although the impact of COVID-19 may explain some of the current continued delay, quite why what may end up being over a year to resolve these matters since the ICO announced its intentions to fine may leave some wondering whether GDPR enforcement is going as quickly as it should,” said Cordery.

“In addition, what was also expected to be a showcase for the first significant fines under GDPR in the UK may now be a let-down.”

That said, the two companies are still facing the prospect of potentially costly litigation from disgruntled customers, it added.

A report out last month argued that Europe’s GDPR regulators are woefully under-resourced financially and lacking in the in-house technical expertise needed to take on the major technology firms.

UK Power Grid Biz Suffers Outage After Cyber-Attack

A UK power grid company has suffered a possible ransomware attack, although electricity supply to homes has not been affected.

Elexon administers a crucial part of the power supply chain, known as the Balancing and Settlement Code (BSC), with customers including the country’s suppliers, generators, distributors, traders, and energy importers and exporters.

The firm takes over one million meter readings every day to compare what generators and suppliers say they will produce or consume with actual volumes, before calculating a price for the difference and transferring funds accordingly.

At nearly midday local time yesterday the firm posted an alert claiming its internal IT systems had been impacted by a cyber-attack.

“BSC Central Systems and EMR are currently unaffected and working as normal. The attack is to our internal IT systems and ELEXON’s laptops only. We are currently working hard to resolve this. However please be aware that at the moment we are unable to send or receive any emails,” the notice read.

A further message nearly four hours later revealed that the firm had “identified the root cause and we are taking steps to restore our internal IT systems.”

The National Grid took to Twitter to reassure customers about electricity supply.

“We’re aware of a cyber-attack on Elexon’s internal IT systems,” it noted. “We’re investigating any potential impact on our own IT networks. Electricity supply is not affected. We have robust cybersecurity measures across our IT and operational infrastructure to protect against cyber-threats.”

Although yet to be confirmed, the downtime to internal systems would seem to suggest a ransomware attack, although there are other possibilities.

The power grid, like other parts of critical national infrastructure (CNI), has come under increasing scrutiny from nation state actors in recent years, especially Kremlin-backed hackers.

Back in 2017, NCSC boss Ciaran Martin warned of Russian attacks on UK media, telecoms and energy sectors as part of its bid to “undermine the international system.”

Earlier this month Donald Trump declared a national emergency over the threat of foreign adversaries launching crippling cyber-attacks against the US power grid.

The Unattributable “db8151dd” Data Breach

I was reticent to write this blog post because it leaves a lot of questions unanswered, questions that we should be able to answer. It's about a data breach with almost 90GB of personal information in it across tens of millions of records - including mine. Here's what I know:

Back in Feb, Dehashed reached out to me with a massive trove of data that had been left exposed on a major cloud provider via a publicly accessible Elasticsearch instance. It contained 103,150,616 rows in total, the first 30 of which look like this:

The global unique identifier beginning with "db8151dd" features heavily on these first lines, hence the name I've given the breach. I've had to give it this name because frankly, I've absolutely no idea where it came from, nor does anyone else I've worked with on this.

My delving into the breach began back in Feb with a tweet:

I embedded my own record which you can pore through in more detail on Pastebin:

It's mostly scrapable data from public sources, albeit with some key differences. Firstly, my phone number is not usually exposed and that was in there in full. Yes, there are many places that (obviously) have it, but this isn't a scrape from, say, a public LinkedIn page. Next, my record was immediately next to someone else I've interacted with in the past as though the data source understood the association. I found that highly unusual as it wasn't someone I'd expect to see a strong association with and I couldn't see any other similar folks. But it's the next class of data in there which makes this particularly interesting and I'm just going to quote a few snippets here:

Recommended by Andie [redacted last name]. Arranged for carpenter apprentice Devon [redacted last name] to replace bathroom vanity top at [redacted street address], Vancouver, on 02 October 2007.
Met at the 6th National Pro Bono Conference in Ottawa in September 2016
Met on 15-17 October 2001 in Vancouver for the Luscar/Obed/Coal Valley arbitration.

It feels like a CRM. These are records of engagement the likes you'd capture in order to later call back to who had been met where and what they'd done. It wasn't just simple day to day business interaction stuff either, there was also this:

But nowhere - absolutely nowhere - was there any indication of where the data had originated from. The closest I could get to that at all was the occurrence of the following comments which appeared over and over again:

This contact information was synchronized from Exchange. If you want to change the contact information, please open OWA and make your changes there.
Exported from Microsoft Outlook (Do not delete)
Contact Created By Evercontact

Evercontact did actually reach out and we discussed the breach privately but it got us no closer to a source. I communicated with multiple infosec journalists (one of whose own personal data was also in the breach) and still, we got no closer. Over the last 3 months I kept coming back to this incident time and time again, looking at the data with fresh eyes and each time, coming up empty. And just before you ask, no, cloud providers won't disclose which customer owns an asset but they will reach out to those with unsecured assets.

Today is the end of the road for this breach investigation and I've just loaded all 22,802,117 email addresses into Have I Been Pwned. Why load it at all? Because every single time I ask about whether I should add data from an unattributable source, the answer is an overwhelming "yes":

So, mark me down for another data breach of my own personal info. There's nothing you nor I can do about it beyond being more conscious than ever about just how far our personal information spreads without our consent and indeed, without our knowledge. And, perhaps most alarmingly, this is far from the last time I'll be writing a blog post like this.

Edit 1: No, I don't load complete and individual records into HIBP, only email addresses. As such, only the presence of an address is searchable, the data associated with the address is not stored nor retrievable.

Edit 2: No, I can't manually trawl through 100M+ records and extract yours out.

Threat actors are offering for sale 550 million stolen user records

Threat actors are offering for sale tens of databases on a hacker forum that together contain roughly 550 million stolen user records.

Security experts from Cyble reported that a threat actor has been attempting to sell twenty-nine databases on a hacker forum since May 7. Forum members can also buy each database individually. The archives allegedly contain a total of 550 million stolen user records.

The data appears to come from past data breaches; the oldest one dates back to 2012, while the latest one dates from April 2020.

The data could be used by crooks to launch credential stuffing attacks against individuals and organizations.

Hackers are also offering for sale a separate database containing 47.1 million phone numbers that are part of the Dubsmash data breach that occurred in 2018.

Below is the list of databases, published by BleepingComputer, that are available for sale:

| Company | Amount | Data Breach Date |
|---|---|---|
| Evite.com | 101 million | March 2019 |
| Tokopedia.com | 91 million | April 2020 |
| piZap.com | 60.9 million | April 2018 |
| Netlog.com (Twoo.com) | 57 million | November 2012 |
| Dubsmash.com Phone numbers | 47.1 million | December 2018 |
| Shein.com | 42 million | June 2018 |
| Fotolog.com | 33.5 million | December 2018 |
| CafePress.com | 23.6 million | February 2019 |
| Wanelo.com Customers | 23.2 million | December 2018 |
| OMGPop.com | 21.4 million | August 2019 |
| SinglesNet.com | 16.3 million | September 2012 |
| Bukalapak.com | 13 million | February 2018 |
| Bookmate.com | 8 million | July 2018 |
| ReverbNation.com | 7.9 million | January 2014 |
| Wego.com | 6.5 million | N/A |
| EatStreet.com | 6.4 million | May 2019 |
| PumpUp.com | 6.4 million | N/A |
| CoffeeMeetsBagel.com | 6.2 million | May 2018 |
| Storybird.com | 4 million | December 2018 |
| Minube.net | 3.2 million | May 2019 |
| Sephora.com | 3.2 million | January 2017 |
| CafeMom.com | 2.6 million | April 2014 |
| Coubic.com | 2.6 million | March 2019 |
| Roadtrippers.com | 2.5 million | May 2019 |
| DailyBooth.com | 1.6 million | April 2014 |
| ClassPass.com | 1.6 million | October 2017 |
| ModaOperandi.com | 1.3 million | April 2019 |
| Rencanamu.id (Youthmanual.com) | 1.1 million | January 2019 |
| StreetEasy.com | 1 million | May 2018 |
| Yanolja.com | 1 million | March 2019 |

Users can verify whether their credentials are part of one of the above breaches by querying Cyble's amibreached.com data breach lookup service.

Those whose accounts were exposed in one of the above incidents should change their passwords.

Pierluigi Paganini


The post Threat actors are offering for sale 550 million stolen user records appeared first on Security Affairs.

Weekly Update 191


I think I'm going to stick with the live weekly update model for the foreseeable future. It makes life so much easier when it comes to editing, rendering and uploading and it means I always have something out on time. So, that's that, other news this week is mostly just bits and pieces here and there and some banter with the audience and that's just fine, it's nice having a quieter week sometimes 😊

  1. Finally cleaned up my garage with an awesome bike storage solution (this makes me enormously happy 😊)
  2. The UniFi G4 Pro cameras are now hardwired in (tweet thread here including creating privacy and motion zones)
  3. Underneath the surface facade of success is a huge amount of "invisible" effort (yet somehow, a few people in that thread wanted to focus on how it's harder for some people than others)
  4. Sponsored by NordVPN — an even faster VPN connection. Now powered by NordLynx, a WireGuard-based tunneling solution.