Even before COVID-19 initiated an onslaught of additional cybersecurity risks, many chief information security officers (CISOs) were struggling. According to a 2019 survey of cybersecurity professionals, these critical data defenders were burned out. At the time, 64% were considering quitting their jobs, and nearly as many, 63%, were looking to leave the industry altogether. Of course, COVID-19 and the ensuing remote work requirements have made the problem worse. It’s clear that companies could be facing … More
The post CISOs are critical to thriving companies: Here’s how to support their efforts appeared first on Help Net Security.
Kill Chain is an HBO documentary made and produced by Simon Arizzone, Russell Michaels and Sarah Teale. Kill Chain: Inside the documentary. Arizzone and Michaels already worked on a documentary in 2006 called Hacking Democracy, which was about uncovering voting machine vulnerabilities and about how votes were manipulated, leading to George W. Bush winning the 2004 election. And here we are again in 2020 talking about the same problem and uncovering the same old security … More
The post Review: Kill Chain: The Cyber War on America’s Elections appeared first on Help Net Security.
Have you ever done a jigsaw puzzle with pieces missing? Or tried to do a complicated one with only part of the picture showing on the box lid? If so, you will know how it feels to be the folks working to create secure, robust, and seamless enterprise IT systems. Enterprise IT has morphed into something that can feel complex and messy at best and out of control at worst. Each deployment can be convoluted, … More
The post How a good user experience brings the pieces of the enterprise IT jigsaw together appeared first on Help Net Security.
As most of the UK’s cybersecurity workforce now sits at home isolated while carrying out an already pressurised job, there is every possibility that this could be affecting their mental health. In light of Mental Health Awareness Week, and as the discussion around employee wellbeing becomes louder and louder amidst the COVID-19 pandemic, we spoke with five cybersecurity experts to get their thoughts on how organisations can minimise the negative mental and physical impacts on … More
The post Mental Health Awareness Week: Coping with cybersecurity pressures amidst a global pandemic appeared first on Help Net Security.
Organizations that put data at the center of their vision and strategy realize a differentiated competitive advantage by mitigating cost and risk, growing revenue and improving the customer experience, a Collibra survey of more than 900 global business analysts reveals.
Orgs rarely use data to guide business decisions
Despite a majority of companies saying they valued using data to drive decisions, many organizations are not consistently executing. While 84% of respondents said that it is … More
Tony Sager, Senior Vice President and Chief Evangelist at CIS (Center for Internet Security), joins us to discuss the best approaches to the changing security landscape in the wake of COVID-19. Tony is a lifelong defender, with more than 44 years of experience. He spent most of his career at the NSA and now leads […]
The post Podcast Episode 7: The Perimeter Really Is Gone – CIS Controls and COVID-19 with Tony Sager appeared first on The State of Security.
Our everyday lives are not what they used to be three months ago. Many users have made the transition from working in an office to working from home and students have adopted distance learning. But while the world focuses on one virus sweeping the globe, criminals see an opportunity to spread other types of viruses across our networks and devices.
As users adapt to their increased time spent at home and online, hackers are taking advantage by spreading malware and other scams. Let’s break down some of the major malware scams affecting users today, as well as how they can stay secure.
Remote Workers Targeted Through RDP Ports
With recent events accelerating the WFH trend, many companies have restricted employee travel and allocated more resources to enable virtual work. According to McAfee security researcher Thomas Roccia, a key component of enabling remote work and allowing employees to access internal corporate resources remotely is Remote Desktop Protocol (RDP). RDP is a Microsoft protocol that allows communication with a remote system. At a time when connectivity is more important than ever before, it’s critical for users to be able to easily access the same tools and apps from their newfound remote work environments that they would in their office. However, it’s likely that many organizations brought systems online quickly with minimal security checks in place, giving attackers the opportunity to infiltrate them with ease. Because RDP ports are often exposed to the internet, an attacker could gain access to an entire network and, consequently, to a remote employee’s system. What’s more, these networks can be used as entry points for spreading malware or other malicious activities.
Since March 2020, the McAfee Advanced Threat Research team has seen a significant increase in the number of exposed RDP ports. But what does that mean for users working remotely? Because exposed RDP ports grant criminals access to remote systems, they are able to carry out a number of malicious actions that could impact not only users working from home but also the organizations they work for. These threats include spreading spam and malware, as well as using the compromised RDP host to disguise malicious activity and compile their tools on the machine.
Phishing Emails Spreading Malware and Ransomware
Recently, hackers have also leveraged phishing emails regarding today’s current events to lure people into engaging with malicious content and enabling threats to gain access to their systems. Once established, that foothold can allow hackers to leverage malware to steal usernames, passwords and data; monitor user activity; capture user keystrokes; track network traffic and browser activity; and infiltrate networks and cloud services beyond the home. Criminals can also impersonate their victim to send emails from the infected devices to propagate themselves on numerous other systems. What’s more, hackers could spread ransomware that encrypts system files and refuses to decrypt them until the victim sends a ransom payment.
Stay Secure in the New Digital Landscape
Hackers will always seek to capitalize on current events in order to spread cyber misfortune. The recent surge of remote employees and users taking to the internet in order to pass the time is no exception. However, there are several steps users can take to facilitate a safe online environment for themselves and their families. Here’s what you can do to stay protected from malware regarding the current health emergency and similar threats:
Secure your RDP protocol
Because RDP remains one of the most used vectors for breaching organizations and personal networks, it’s important to follow best security practices. This includes using strong passwords and multi-factor authentication, patching vulnerabilities immediately, and not allowing RDP connections over the open internet. Discover more best practices on how to secure your RDP protocol in our blog on RDP security.
Beware of messages from unknown users
If you receive a text, email, social media message, or phone call from an unknown user regarding the current health emergency, it’s best to proceed with caution and avoid interacting with the message altogether.
Go directly to the source
If you receive information from an unknown user, go directly to the source instead of clicking on links within messages or attachments. Using a tool like McAfee WebAdvisor can help users stay safe from malware and other threats while searching the web.
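Complementing the RDP advice above with a detection-side check, here is an added example (not McAfee's code) that scans constructed Windows Security logon events for password guessing against RDP: it flags a source IP that racks up many RemoteInteractive (LogonType 10) failures (event 4625) inside a short window, and separately flags a later successful logon (event 4624) from that same IP. The simplified key=value event format, the sample IPs, and the threshold and window values are assumptions for the example.

```python
"""Detect password-guessing against RDP in Windows Security events.

Added example, not McAfee's code. Event lines are a constructed,
simplified key=value rendering of the fields real 4624/4625 events carry
in their EventData. Threshold and window are assumed tuning values.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: one guessing source, one ordinary user with a
# single typo, and a local (non-RDP) failure that must be ignored.
SAMPLE_EVENTS = """\
2020-05-15T08:00:01 EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.45
2020-05-15T08:00:03 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.45
2020-05-15T08:00:04 EventID=4625 LogonType=10 TargetUserName=backup IpAddress=203.0.113.45
2020-05-15T08:00:06 EventID=4625 LogonType=10 TargetUserName=test IpAddress=203.0.113.45
2020-05-15T08:00:07 EventID=4625 LogonType=10 TargetUserName=sqladmin IpAddress=203.0.113.45
2020-05-15T08:00:09 EventID=4624 LogonType=10 TargetUserName=admin IpAddress=203.0.113.45
2020-05-15T08:01:00 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.7
2020-05-15T08:03:00 EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.7
2020-05-15T08:05:00 EventID=4625 LogonType=2 TargetUserName=local IpAddress=127.0.0.1
"""

RDP_LOGON_TYPE = "10"            # LogonType 10 = RemoteInteractive (RDP)
FAIL_THRESHOLD = 5               # assumed: failures per source before alerting
WINDOW = timedelta(seconds=60)   # assumed: sliding window for counting failures


def parse_event(line):
    """Turn one constructed event line into a dict; None for blank lines."""
    line = line.strip()
    if not line:
        return None
    timestamp, *fields = line.split()
    event = dict(field.split("=", 1) for field in fields)
    event["time"] = datetime.fromisoformat(timestamp)
    return event


def detect_rdp_bruteforce(text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return alerts as (kind, ip, detail) tuples.

    kind is "bruteforce" the first time an IP reaches `threshold` RDP
    failures within `window`, and "success_after_bruteforce" for every
    later successful RDP logon from an IP that was already flagged.
    """
    failures = defaultdict(deque)   # ip -> timestamps of recent RDP failures
    flagged = set()
    alerts = []
    for line in text.splitlines():
        event = parse_event(line)
        # Only RDP sessions matter here; console/local logons are skipped.
        if event is None or event.get("LogonType") != RDP_LOGON_TYPE:
            continue
        ip, now = event["IpAddress"], event["time"]
        if event["EventID"] == "4625":
            recent = failures[ip]
            recent.append(now)
            # Drop failures that fell out of the sliding window.
            while recent and now - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("bruteforce", ip,
                               f"{len(recent)} RDP failures within {window}"))
        elif event["EventID"] == "4624" and ip in flagged:
            # A success after guessing is the case worth paging someone for.
            alerts.append(("success_after_bruteforce", ip,
                           f"logon as {event['TargetUserName']} after guessing"))
    return alerts


if __name__ == "__main__":
    for kind, ip, detail in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(f"{kind:26s} {ip:16s} {detail}")
```

On a real host the same fields come from the Security log's 4624/4625 EventData, so only `parse_event` needs replacing to run this over exported events.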
The post How to Stay Protected From Malware While Online at Home appeared first on McAfee Blogs.
HackerOne, the leading hacker-powered security platform, announced that it became the first and only hacker-powered security platform to achieve Federal Risk and Authorization Management Program (FedRAMP) Tailored Low Impact-Software as a Service (LI-SaaS) Authorization for its full suite of hacker-powered security solutions. Sponsored by the General Services Administration (GSA), this final authorization step means that HackerOne’s hacker-powered security offering is now available on the FedRAMP Marketplace — a menu of authorized solutions for government organizations. … More
The post HackerOne achieves FedRAMP Tailored LI-SaaS authorization from U.S. federal government appeared first on Help Net Security.
Accenture has acquired Byte Prophecy, an automated insights and big data analytics company based in Ahmedabad, India, to meet the growing demand for enterprise-scale AI and digital analytics solutions across the region. The acquisition will add nearly 50 data science and data engineering experts, with a particular focus on insight automation, to Accenture Applied Intelligence. The move will deepen existing consulting and technology capabilities that help clients in areas such as data foundations and advanced … More
The post Accenture acquires Byte Prophecy to deliver advanced analytics and AI solutions to enterprises appeared first on Help Net Security.
A security bug in the Edison Mail iOS app has impacted over 6,400 users; the issue allowed some users to access other people’s email accounts.
An update released for the Edison Mail iOS application introduced a security bug that resulted in some users being given access to other people’s email accounts.
“On Friday, May 15th, 2020, a software update enabled users to manage accounts across their Apple devices. This update caused a technical malfunction that impacted approximately 6,480 Edison Mail iOS users. The issue only impacted a fraction of our iOS app users (and no Android or Mac users were affected). This temporary issue was a bug, and not related to any external security issues.” reads a post published by the company.
“Data from these individuals’ impacted email accounts may have been exposed to another user. No passwords were compromised.”
The Edison Mail app allows users to manage their Gmail, Yahoo, Outlook, iCloud, and other email services in a single place. The company offers apps for iOS, Android and macOS, and says its products are used by millions of individuals.
The update was rolled out on May 15; it included a feature that allows users to manage their accounts across their Apple devices.
Shortly after the patch was released, some users started reporting they could access other people’s email accounts from the iOS app without authentication.
Edison quickly solved the issue, and the company confirmed that the bug potentially impacted 6,480 iOS users.
Edison Mail also confirmed that user credentials were not exposed.
The company addressed the issue with two updates: the first, on Saturday, prevented impacted users from accessing any account from the Edison app; the second, on Sunday morning, re-enabled access for impacted users.
“A new version of the application was made available early Sunday morning in the App Store that restores full functionality for these 6,480 users. Other users were not impacted and no action is required.” added the company.
“We have notified all individual users who may have been impacted by this issue via email, and as an additional safety precaution, suggested that impacted users also change their email account password. If you did not receive an email on this issue then your account was not impacted,”
(SecurityAffairs – Edison Mail, hacking)
The post A bug in Edison Mail iOS app impacted over 6,400 users appeared first on Security Affairs.
Several state governments have been targeted by a sophisticated fraud campaign that has likely siphoned millions of dollars in unemployment payments earmarked for the record number of Americans seeking benefits as a result of the pandemic, a new Secret Service memo warns.
According to an internal memo, a group of Nigeria-based criminals have been filing phony unemployment claims in multiple states using personally identifiable information (PII), specifically stolen or compromised Social Security numbers. The information being used was most likely procured through various forms of identity theft and/or known data breaches and compromises.
“It is assumed the fraud ring behind this possesses a substantial PII database to submit the volume of applications observed thus far,” stated the memo.
The fraud campaign comes in the wake of a massive increase in unemployment as a result of the Covid-19 pandemic. State unemployment offices are vulnerable to this kind of fraud as they scramble to get funds to Americans in need as quickly as possible.
The Secret Service has identified Washington as the primary target of the fraud campaign, but has seen “evidence of attacks in North Carolina, Massachusetts, Rhode Island, Oklahoma, Wyoming, and Florida,” according to the memo.
The post International Fraud Ring Stealing Unemployment Funds appeared first on Adam Levin.
We are very pleased to share the news that Cisco Advanced Malware Protection (AMP) for Endpoints earned high marks in malware protection tests, while achieving the lowest false alarms in the first AV Comparatives Business Main Test Series for 2020. This achievement demonstrates our steadfast commitment to delivering consistent security efficacy, enabling our customers to get superior protection from advanced threats.
The test series includes two types of tests, the Malware Protection Test and Business Real-World Protection Test. Cisco consistently showed a balance of high protection rates with very low false alarm across both tests. Here’s how.
The Malware Protection Test
The Malware Protection Test assesses a security program’s ability to protect a system against infection by malicious files before, during or after execution. We did very well, garnering a protection rate of 100% with zero false positives, performing better than Crowdstrike, Sophos, Fortinet, Kaspersky, Cybereason and FireEye, among others. This test ran in March and consisted of having 1,192 recent malware samples thrown at us during that time. A passing score required a 90% or higher detection rate.
The Real-World Protection Test
The Real-World Protection Test examines how well the security product protects the endpoint in the most realistic way, using all protection capabilities at its disposal. We came in with a 99.3% real-world protection rate. The whole idea here is to simulate what happens in the real world. In addition, products were also tested for false positive (FP) alarms on non-business applications to better determine their ability to distinguish good from bad. Cisco ranked in the lowest false positive group, achieving a “Very Low” FP rate and performing better than Crowdstrike, VMware Carbon Black, Microsoft, FireEye, Cybereason and Panda. Vendors in the “Very High” FP group had as many as 101-150 false positives.
To sum up, AMP for Endpoints achieved test results that demonstrated a balance of strong protection rates with very low false positives. In the end, our customers benefit the most from our solution’s top-rated accuracy, reliability and consistency in protecting their endpoints from malware and other threats.
Beyond Testing: What Our Customers Are Saying
We believe it’s important to put our technology to the test, and we feel the results speak to how our solution helps our customers protect their organizations. But real-world feedback from customers who are using our endpoint security solution is critical. Now let’s take a look at the following examples of what our customers are saying about how Cisco AMP for Endpoints has protected them against two of the most dangerous threats to their environment: fileless malware and ransomware.
Fileless malware operates in memory to avoid detection. Unlike traditional malware, these types of attacks do not have file signatures, making them more difficult to detect and prevent. Fileless malware targets our day-to-day applications and can infiltrate endpoints by exploiting vulnerabilities in software and operating system processes.
To defend against threats that target vulnerabilities in applications and operating system processes, Cisco AMP for Endpoints uses our exploit prevention engine to monitor the memory structure before attacks even begin. Exploit prevention is a true preventive engine that does not require policy tuning, prior knowledge, or rules to operate. When it stops an attack, it stops the application from running and logs contextual data in the AMP for Endpoints device trajectory, allowing users to see exactly where and how the malware entered a device.
Ransomware is a type of malicious software that typically attempts to encrypt the files on a victim’s computer. Upon successful encryption, it demands payment before the ransomed data is decrypted and access returned to the victim. Ransomware attacks are typically carried out using a malicious payload that is distributed as a legitimate file that tricks the user into downloading or opening when it arrives as an email attachment.
Cisco AMP for Endpoints defends your endpoints by monitoring the system and identifying processes that exhibit malicious activity when they execute. We detect threats by observing the behavior of the process at run time. This allows us to determine whether a system is under attack by a new variant of ransomware or malware that may have eluded other security products and detection technology, such as legacy signature-based malware detection, and to stop it from running. As a result, we are able to quickly identify, block, and quarantine ransomware attacks on the endpoint.
Beyond fileless malware and ransomware defense, Cisco AMP for Endpoints provides multiple, powerful protection capabilities that work together to protect the endpoint from advanced threats in memory (e.g. exploit prevention), on disk (e.g. next-gen AV) and post-infection (e.g. Indicators of Compromise, or IOCs).
We also know that endpoint protection is only as good as the intelligence it acts on. That’s why we employ machine learning and multiple protection engines fueled by Cisco Talos, the largest non-governmental threat intelligence organization on the planet. We discover more vulnerabilities than other vendors and push out protection before the bad guys can exploit them, giving you an advantage. And because we’re Cisco, Talos sees more network traffic than any other vendor. Whether a threat originates on the Internet, in an email, or on someone else’s network, our cloud-based global telemetry sees a threat once, anywhere in the world, and blocks it everywhere, across AMP for Endpoints and our entire security platform.
AV-Comparatives’ testing is continuing through the rest of the year and we are looking forward to their ensuing reports.
The post Endpoint Security from Cisco Earns High Marks in Independent Malware Protection Test appeared first on Cisco Blogs.
Chicago Children's Hospital Sued Over Data Breaches
Lurie Children's Hospital of Chicago is being sued by the parent of a pediatric patient over two recent data breaches.
An anonymous plaintiff and her 4-year-old daughter filed a complaint against the hospital and two former employees in the Circuit Court of Cook County, Illinois, on May 8.
Mother and daughter, referred to as Jane Doe and Baby Doe, are seeking class-action status and a trial by jury with the support of law firm Edelson P.C.
In the suit, the plaintiffs accuse Lurie of breach of contract, breach of confidentiality, and negligent supervision for allegedly failing to keep Baby Doe's medical records safe.
Jane Doe received a letter on December 24, 2019, informing her that her daughter's records had been accessed by an unnamed nursing assistant without authorization between September 10, 2018, and September 22, 2019.
Baby Doe, then aged 3, had been taken to Lurie for an examination after her mother developed a suspicion that the toddler had become a victim of sexual abuse.
The suit alleges that Baby Doe's records were accessed as part of a larger data breach in which thousands of patients’ names, addresses, dates of birth, and medical information like diagnoses, medications, appointments, and procedures were accessed without authorization.
Lurie fired the employee at the center of the cybersecurity incident after the breach was detected. The hospital stated at the time that no evidence had been found to suggest the employee had misused or shared any patient data.
On Monday, May 4, Jane Doe was notified of a second data breach concerning her daughter's medical records by Lurie. The hospital said that Baby Doe's records were accessed without authorization by another unnamed hospital worker between November 1, 2018, and February 29, 2020.
The plaintiffs allege that Lurie failed to state what action would be taken to ensure the security of the patient’s medical records.
In a statement, Lurie spokesperson Julie Pesch said: “In December 2019 and May 2020, Lurie Children’s notified some of our patients about two nurse assistants who had accessed certain patients’ medical records without an identified patient need. We have no reason to suspect any misuse of patient information associated with this incident. Lurie Children’s addressed this issue in accordance with our disciplinary policies, and the employees no longer work for the Hospital.”
U.S. facilities that produce, use or store hazardous chemicals are vulnerable to cyberattacks, in part because cybersecurity guidelines from the Department of Homeland Security are outdated, according to a recent GAO audit.
Texas Takes Second Ransomware Hit
The Texas Department of Transportation (TxDOT) has been hit by ransomware just days after the state's judiciary system suffered the same fate.
According to a May 15 message posted on Twitter by TxDOT, the attack struck on May 14, when a threat actor gained unauthorized access to the department's computer network.
The network was shut down as soon as the attack was detected in an effort to contain the threat and prevent any further unauthorized access.
TxDOT executive director James Bass said in the statement: "We want every Texan to rest assured that we are doing everything we can to swiftly address this issue. We also are working to ensure critical operations continue during this interruption."
Federal law enforcement was informed of the attack, and TxDOT said that no mercy will be shown to whoever is found to be responsible for it.
Bass said: "TxDOT is working closely with the FBI to find the individual(s) responsible and prosecute them to the fullest extent of the law."
TxDOT oversees all air, road, and railway transportation in the state. At the time of publication, the department's website was back up and running.
News of the TxDOT attack comes days after a ransomware attack hit the state's judicial agencies and appellate courts on May 8. As a result of the incident, access to case management systems was lost and court offices were unable to connect to the internet.
With the usual channels disabled by cyber-criminals, staff were reduced to using social media to announce legal rulings.
The first attack was identified by the Office of Court Administration (OCA). No information as to whether the two attacks were linked in any way has been forthcoming.
Neither the OCA nor TxDOT shared any information regarding what, if any, data had been encrypted or stolen. Similarly, neither ransomware target has disclosed any details of a ransom demand.
Texas is fast becoming a hotspot for cyber-attacks. In 2019, ransomware was used to target 22 local governments across the Lone Star State in a single attack. The collective ransom demand for the coordinated assault was $2.5m.
Cyber Insurers Increase Scrutiny Amid Pandemic
Heightened cybersecurity risks triggered by the outbreak of COVID-19 are causing insurers to grill policyholders more closely.
According to the Wall Street Journal, insurers have increased their scrutiny of policyholders' security arrangements as the rise in remote working drives up risk.
Stephen Viña, a senior vice president in Marsh & McLennan Co.’s cyber insurance brokering business, told the WSJ that insurers want more details than ever before.
Describing the surveys insurers ask companies to complete so that their risk can be assessed and their premiums calculated, Viña said: "There are a lot more questions being asked."
Companies are now expected to supply more details than before regarding how they would respond to a data breach and what action they would take if hit by ransomware or any other form of cyber-attack.
Depending on how the companies answer the survey, they could end up with a costlier policy or in some cases be denied coverage.
Viña said insurers are deeply concerned that working conditions during the pandemic will expose companies to additional risks that simply weren't considered when their insurance policy was being created.
For example, companies that had tight control over the security of employees working in a central office could face increased and unplanned-for risks as workers toil remotely to comply with lockdown measures, relying on home networks and personal equipment.
Graeme Newman, chief innovation officer at London-based insurer CFC Underwriting Ltd., said policyholders were being asked to show insurers that remote-working situations had been taken into account in their business continuity plans.
Cyber-insurance claims have increased as data breaches and ransomware attacks continue to blight every industry. According to data from regulatory filings compiled by Fitch Ratings, direct loss ratios for stand-alone cyber-insurance policies rose to 47% in 2019 from 34% in 2018. Direct loss ratios measure the percentage of income paid to claimants by insurance companies.
Fitch managing director Jim Auden said that although the data is incomplete because it doesn't contain certain elements, including reimbursements insurers received from their own insurers, it is a good indicator of overall trends.
He said: “We think that with more risk being covered, and maybe newer underwriters getting into the business that don’t have that pricing expertise, that’ll lead to more losses over time."
A new ransomware attack hit the Texas government; this time the malware infected systems at the state’s Department of Transportation (TxDOT).
The Texas government has suffered two ransomware attacks in a few weeks. The first one took place on May 8, 2020 and infected systems at the Texas courts.
Now ransomware has infected the systems at the state’s Department of Transportation (TxDOT); the attack forced the administrators to shut down the systems to avoid the propagation of the ransomware.
TxDOT discovered the second attack on May 14; the infection followed unauthorized access to the Department’s network.
“The Texas Department of Transportation determined that on May 14, 2020, there was unauthorized access to the agency’s network in a ransomware event” states the TxDOT.
The agency immediately took steps to prevent further damage and isolated impacted systems; it is “working to ensure critical operations continue during this interruption.”
The agency reported the incident to local authorities and is investigating the incident with the help of the FBI.
At the time of writing it is not clear whether the two attacks are connected. No technical details about either incident have been released, nor is it known whether the attackers stole any data.
In August 2019, Texas was hit by a wave of ransomware attacks targeting local governments.
At least 23 local government organizations were impacted by those ransomware attacks; the Department of Information Resources (DIR) investigated them and provided support to mitigate the attacks.
(SecurityAffairs – TxDOT, hacking)
The post Texas Department of Transportation (TxDOT) hit by a ransomware attack appeared first on Security Affairs.
Good malware protection doesn’t need to slow you down!
“Security software slows down my PC.” This is a comment that is often heard when talking about malware protection on computers and laptops. While this may be true for many security products, even including the security software that is built into the Windows operating system, this is not the case with McAfee security. As a matter of fact, independent tests since 2016 have proven that McAfee is not only good at catching malware, it’s also one of the lightest security products available today.
What is malware protection?
Security software continuously keeps an eye on all the data that comes in and goes out of your PC. It does this in order to verify that there are no security threats to your personal data, privacy and identity while you are, for example, shopping online, checking your social media or working remotely.
Because security software is always active and protecting in the background, many users have the idea that malware protection necessarily slows down the performance of their PCs. This idea, however, is likely based on experiences from long ago, when certain security products did indeed have serious impacts on the user experience.
Measuring PC Performance
To measure how much impact malware protection nowadays has on PC performance, some independent test labs include performance impact benchmarks in their security product tests. The most well-known of these test labs are AV-TEST, which is based in Germany, and Austria-based AV-Comparatives. These independent labs are among the most reputable and well-known anti-malware test labs in the world.
In their tests both labs look at ~20 security brands, including McAfee, and the test results show that McAfee Total Protection is one of the lightest security products available today.
Let’s have a closer look at what AV-TEST and AV-Comparatives have to say.
Every two months AV-TEST publishes the results of its on-going tests of 20 security products. As part of these tests the lab continuously evaluates the latest versions of all products using their default settings and measures the average impact of the product on computer speed in daily use.
A security product can achieve a maximum of 6 points depending on the test results. McAfee has consistently received the highest score in all performance tests since May 2018:
Because of these excellent test results McAfee Total Protection was awarded the ‘2019 Performance Award’ by AV-TEST in March 2020.
Below is what AV-TEST states about the award and about McAfee Total Protection:
Only products that make a high-performance finish in the AV-TEST labs throughout the test period of an entire year can claim this proof of absolute peak performance. With the AV-TEST Awards, a security product proves not only its technical superiority. Above all, it proves that it is documented as being the best the market currently has to offer in the fight against cyber-attacks.
With ‘Total Protection’, McAfee succeeded at fielding a top product in 2019 which was able to meet the high standards of the AV-TEST Institute. In the consumer field, McAfee receives recognition for best performance and is thus given the Best Performance 2019 Award by the AV-TEST Institute.
“With ‘Total Protection’, McAfee proves that good malware defense does not have to sacrifice system performance,” says Andreas Marx, CEO of AV-TEST. “Hardly any other software was able to achieve such stellar results in the category of performance in the annual test, which is why McAfee receives the Performance Award for consumer software.”
The announcement of the award can be seen on the AV-TEST website here.
Every year in April and October AV-Comparatives publishes its Performance Test Report. For this report the lab looks at 17 security products, including McAfee Total Protection, and evaluates how much impact these have on PC performance.
The test lab uses low-end computers as these are most widely used and more at risk of suffering from resource consumption and thus performance impact. The tests also mimic daily usage as much as possible and focus on activities such as copying files, installing and uninstalling applications, launching applications, downloading files and browsing websites.
Based on the results of these tests the products are then evaluated and graded in award levels ranging from ADVANCED+ (the highest ranking) to STANDARD (the lowest ranking).
McAfee has achieved the ADVANCED+ ranking continuously since October 2016:
As a result, McAfee received the Silver Award in the category ‘Overall Performance (Low System-Impact)’ in February 2020 for demonstrating a lower impact on system performance than other products throughout 2019.
And in 2020 we are off to a good start again!
On May 8th AV-Comparatives published its April 2020 Performance Test Report, and McAfee Total Protection is again awarded the highest possible rating: ADVANCED+.
With this result McAfee continues to show less impact on PC Performance than most other security products and is one of the lightest security products on the market:
Even though good malware protection is continuously monitoring all activity on your PC and laptop for cyber threats, this doesn’t have to mean that it also slows down the performance of your devices.
As we have seen in the test results of two of the world’s most reputable anti-malware test labs, AV-TEST and AV-Comparatives, McAfee Total Protection has been achieving stellar results in performance tests since October 2016, which also resulted in both test labs giving McAfee performance awards for 2019.
And with an excellent start in the 2020 test reports we believe that it is fair to say that good malware protection doesn’t need to slow you down and McAfee Total Protection is one of the lightest security products currently available.
The post Good Malware Protection Doesn’t Need to Slow You Down! appeared first on McAfee Blogs.
Graham Cluley Security News is sponsored this week by the folks at Recorded Future. Thanks to the great team there for their support! Drowning in alerts from many different sources and systems? Spending too much valuable time researching potential threats and vulnerabilities? You need Recorded Future Express, a new browser extension from the experts at […]
Microsoft CEO Satya Nadella recently said, “We have seen two years’ worth of digital transformation in two months.” This is a result of many organizations having to adapt to the new world of document sharing and video conferencing as they become distributed organizations overnight.
At Microsoft, we understand that while the current health crisis we face together has served as this forcing function, some organizations might not have been ready for this new world of remote work, financially or organizationally. Just last summer, a simple lightning strike caused the U.K.’s National Grid to suffer the biggest blackout in decades. It affected homes across the country, shut down traffic signals, and closed some of the busiest train stations in the middle of the Friday evening rush hour. Trains needed to be manually rebooted causing delays and disruptions. And, when malware shut down the cranes and security gates at Maersk shipping terminals, as well as most of the company’s IT network—from the booking site to systems handling cargo manifests, it took two months to rebuild all the software systems, and three months before all cargo in transit was tracked down—with recovery dependent on a single server having been accidentally offline during the attack due to the power being cut off.
Cybersecurity underpins operational resilience as more organizations adapt to enabling secure remote work options, whether in the short or long term. Whether a disruption is natural or man-made, the difference between success and struggle comes down to a strategic combination of planning, response, and recovery. To maintain cyber resilience, an organization should regularly evaluate its risk threshold and its ability to execute those processes operationally through a combination of human effort and technology products and services.
While my advice is often a three-pronged approach of turning on multi-factor authentication (MFA)—100 percent of your employees, 100 percent of the time—using Secure Score to increase an organization’s security posture and having a mature patching program that includes containment and isolation of devices that cannot be patched, we must also understand that not every organization’s cybersecurity team may be as mature as another.
Organizations must now be able to provide their people with the right resources so they are able to securely access data, from anywhere, 100 percent of the time. Every person with corporate network access, including full-time employees, consultants, and contractors, should be regularly trained to develop a cyber-resilient mindset. They shouldn’t just adhere to a set of IT security policies around identity-based access control, but they should also be alerting IT to suspicious events and infections as soon as possible to help minimize time to remediation.
Our new normal means that risks are no longer limited to commonly recognized sources such as cybercriminals, malware, or even targeted attacks. Moving to a secure remote work environment without a resilience plan that includes cyber resilience increases an organization’s risk.
Before COVID, we knew that while a majority of firms have a disaster recovery plan on paper, nearly a quarter never test it, and only 42 percent of global executives are confident their organization could recover from a major cyber event without it affecting their business.
Operational resilience cannot be achieved without a true commitment to, and investment in, cyber resilience. We want to help empower every organization on the planet by continuing to share our learnings to help you reach the state where core operations and services won’t be disrupted by geopolitical or socioeconomic events, natural disasters, or even cyber events.
Learn more about our guidance related to COVID-19 here, and bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.
Cryptocurrency-mining hackers appear to be behind a recent spate of supercomputer and high-performance computing system intrusions. But it's unclear if attackers might also have had data-stealing or espionage intentions.
Almost daily now there is news about flaws in commercial software that lead to computers getting hacked and seeded with malware. But the reality is most malicious software also has its share of security holes that open the door for security researchers or ne’er-do-wells to liberate or else seize control over already-hacked systems. Here’s a look at one long-lived malware vulnerability testing service that is used and run by some of the Dark Web’s top cybercriminals.
It is not uncommon for crooks who sell malware-as-a-service offerings such as trojan horse programs and botnet control panels to include backdoors in their products that let them surreptitiously monitor the operations of their customers and siphon data stolen from victims. More commonly, however, the people writing malware simply make coding mistakes that render their creations vulnerable to compromise.
At the same time, security companies are constantly scouring malware code for vulnerabilities that might allow them to peer inside the operations of crime networks, or to wrest control over those operations from the bad guys. There aren’t a lot of public examples of this anti-malware activity, in part because it wades into legally murky waters. More importantly, talking publicly about these flaws tends to be the fastest way to get malware authors to fix any vulnerabilities in their code.
Enter malware testing services like the one operated by “RedBear,” the administrator of a Russian-language security site called Krober[.]biz, which frequently blogs about security weaknesses in popular malware tools.
For the most part, the vulnerabilities detailed by Krober aren’t written about until they are patched by the malware’s author, who’s paid a small fee in advance for a code review that promises to unmask any backdoors and/or harden the security of the customer’s product.
RedBear’s service is marketed not only to malware creators, but to people who rent or buy malicious software and services from other cybercriminals. A chief selling point of this service is that, crooks being crooks, you simply can’t trust them to be completely honest.
“We can examine your (or not exactly your) PHP code for vulnerabilities and backdoors,” reads his offering on several prominent Russian cybercrime forums. “Possible options include, for example, bot admin panels, code injection panels, shell control panels, payment card sniffers, traffic direction services, exchange services, spamming software, doorway generators, and scam pages, etc.”
As proof of his service’s effectiveness, RedBear points to almost a dozen articles on Krober[.]biz which explain in intricate detail flaws found in high-profile malware tools whose authors have used his service in the past, including: the Black Energy DDoS bot administration panel; malware loading panels tied to the Smoke and Andromeda bot loaders; the RMS and Spyadmin trojans; and a popular loan scam script.
RedBear doesn’t operate this service on his own. Over the years he’s had several partners in the project, including two very high-profile cybercriminals (or possibly just one, as we’ll see in a moment) who until recently operated under the hacker aliases “upO” and “Lebron.”
From 2013 to 2016, upO was a major player on Exploit[.]in — one of the most active and venerated Russian-language cybercrime forums in the underground — authoring almost 1,500 posts on the forum and starting roughly 80 threads, mostly focusing on malware. For roughly one year beginning in 2016, Lebron was a top moderator on Exploit.
In 2016, several members began accusing upO of stealing source code from malware projects under review, and then allegedly using or incorporating bits of the code into malware projects he marketed to others.
upO would eventually be banned from Exploit for getting into an argument with another top forum contributor, in which each accused the other of working for or with Russian and/or Ukrainian federal authorities, and proceeded to publish personal information that allegedly outed the other’s real-life identity.
Lebron first appeared on Exploit in September 2016, roughly two months before upO was banished from the community. After serving almost a year on the forum while authoring hundreds of posts and threads (including many articles first published on Krober), Lebron abruptly disappeared from Exploit.
His departure was prefaced by a series of increasingly brazen accusations by forum members that Lebron was simply upO using a different nickname. His final post on Exploit in May 2017 somewhat jokingly indicated he was joining an upstart ransomware affiliate program.
According to research from cyber intelligence firm Intel 471, upO had a strong interest in ransomware and had partnered with the developer of the Cerber ransomware strain, an affiliate program operating between Feb. 2016 and July 2017 that sought to corner the increasingly lucrative and competitive market for ransomware-as-a-service offerings.
Intel 471 says a rumor has been circulating on Exploit and other forums upO frequented that he was the mastermind behind GandCrab, another ransomware-as-a-service affiliate program that first surfaced in January 2018 and later bragged about extorting billions of dollars from hacked businesses when it closed up shop in June 2019.
Multiple security companies and researchers (including this author) have concluded that GandCrab didn’t exactly go away, but instead re-branded to form a more exclusive ransomware-as-a-service offering dubbed “REvil” (a.k.a. “Sodin” and “Sodinokibi”). REvil was first spotted in April 2019 after being installed by a GandCrab update, but its affiliate program didn’t kick into high gear until July 2019.
Last month, the public face of the REvil ransomware affiliate program — a cybercriminal who registered on Exploit in July 2019 using the nickname “UNKN” (a.k.a. “Unknown”) — found himself the target of a blackmail scheme publicly announced by a fellow forum member who claimed to have helped bankroll UNKN’s ransomware business back in 2016 but who’d taken a break from the forum on account of problems with the law.
That individual, using the nickname “Vivalamuerte,” said UNKN still owed him his up-front investment money, which he reckoned amounted to roughly $190,000. Vivalamuerte said he would release personal details revealing UNKN’s real-life identity unless he was paid what he claims he is owed.
Vivalamuerte also claimed UNKN has used four different nicknames, and that the moniker he interacted with back in 2016 began with the letter “L.” The accused’s full nickname was likely redacted by forum administrators because a search on the forum for “Lebron” brings up the same post even though it is not visible in any of Vivalamuerte’s threatening messages.
Reached by KrebsOnSecurity, Vivalamuerte declined to share what he knew about UNKN, saying the matter was still in arbitration. But he said he has proof that Lebron was the principal coder behind the GandCrab ransomware, and that the person behind the Lebron identity plays a central role in the REvil ransomware extortion enterprise as it exists today.
Norfund, the Norwegian state-owned investment fund for developing countries, has revealed that it has been swindled out of $10,000,000 intended for an institution in Cambodia.
Read more in my article on the Bitdefender Business Insight blog.
Oftentimes, your organization’s endpoints can become key entry points for cyber attackers. With the evolution of workplace mobility and employees connecting to the Internet from their off-site endpoints across the globe, it should come as no surprise that devices are becoming increasingly vulnerable. And without the proper cybersecurity protection measures in place, malicious hackers can easily take advantage of any existing vulnerabilities. This is why the need for enhanced security tools that surpass traditional Firewalls and Antivirus solutions has emerged as an undeniably top priority for organizations large and small. EDR (short for Endpoint Detection and Response) is the term that encompasses threat hunting, prevention, and detection tools and has become the golden standard in cybersecurity.
In this article, I will try to explain what Endpoint Detection and Response (EDR) is and why it has become a vital part of your business.
Cybercriminals do their utmost to successfully target and attack your company’s endpoints for various reasons. They might want to exfiltrate your data or hold it for ransom, override your machines, exploit them in a botnet and conduct DDoS attacks, and much more.
What does EDR mean?
The term EDR stands for Endpoint Detection and Response (or Endpoint Threat Detection & Response). It was coined in 2013 by Anton Chuvakin, former VP and security analyst at Gartner, now security product strategist at Google:
“After a long agonizing process that involved plenty of conversations with vendors, enterprises and other analysts, I have settled on this generic name for the tools primarily focused on detecting and investigating suspicious activities (and traces of such) other problems on hosts/endpoints: Endpoint Threat Detection & Response.” – Anton Chuvakin, Gartner’s blog
Essentially, Endpoint Detection and Response (EDR) systems have been created to detect and actively respond to sophisticated malware and cyber-attacks. EDR solutions can recognize suspicious patterns that can then be investigated further. As implied by their name, these tools have been designed specifically for endpoints (and not networks).
Why is EDR important?
Compared to traditional security solutions, EDR provides enhanced visibility into your endpoints and allows for faster response time.
Furthermore, EDR tools detect and protect your organization from advanced forms of malware (such as polymorphic malware), APTs, phishing, etc. It’s also worth mentioning that EDR solutions rely on machine learning algorithms designed to spot as yet unknown types of malware, and then make behavior-based categorization decisions.
In essence, if certain files seem to behave maliciously (and similar to already known kinds of malware), they will not manage to bypass EDR solutions.
EDR vs. Antivirus – What’s the difference?
In the past, a traditional Antivirus solution may have sufficed to cover the protection of your endpoints. But as malware evolved into more advanced and pervasive forms, it became clear that Antivirus was no longer enough and that prevention and detection mechanisms needed to keep up with the ever-evolving threatscape.
EDR solutions have several unique features and benefits which conventional Antivirus programs do not deliver.
Compared to the novel EDR systems, traditional Antivirus solutions are simpler in nature and should be seen as an important component of EDR.
Normally, Antivirus tools accomplish basic tasks such as scanning, detection, and malware removal.
On the other hand, EDR is superior to the traditional Antivirus (which uses signature-based threat detection methods). EDR tools are much broader in scope and should include multiple security layers such as attack blocking, patching, exploit blocking, firewall, whitelisting/blacklisting, full category-based blocking, admin rights management, and a next-gen Antivirus.
EDR security solutions are therefore more suitable for today’s businesses as the traditional Antivirus has become an archaic security tool in terms of guaranteeing complete security.
The main characteristics and benefits of EDR
The features of Endpoint Detection and Response tools can vary from vendor to vendor, yet we can notice a few main characteristics that define EDR and that are considered essential. Each tool can have a certain degree of sophistication, but below I would like to point out the five major characteristics of EDR:
#1. Integration with multiple tools
EDR solutions always come in multiple tools/layers. They feed intelligence into each other to successfully protect your organization from multiple angles.
#2. Alerts, reporting, and a unified overview of your environment
A dashboard that provides access to your endpoints’ protection status should be a mandatory feature of any EDR solution. At the same time, you should be able to receive timely alerts and have the capability to identify and monitor endpoint security threats and vulnerabilities.
Also, running reports for compliance purposes is a crucial aspect of all EDR tools.
#3. Advanced response capabilities and automation
An EDR technology should provide you with specialized tools for assessing and reacting to security incidents, including prevention, detection, threat intelligence, and forensics. At the same time, automation capabilities are essential.
#4. Global availability
EDR should allow you not to be dependent on platform constraints and be able to manage your environment wherever you or your teams are, at the time of your choosing.
#5. Prevention and adaptive protection
Last but not least, an effective EDR technology must offer prevention methods and adaptive protection against next-generation malware, based on behavioral analysis of incoming and outgoing traffic in your organization, in order to prevent and mitigate attacks that cannot be detected by reactive solutions like an Antivirus.
Why is Heimdal™’s EDR technology the best on the market? Introducing E-PDR, the next-gen approach to EDR.
We’ve combined an Endpoint Protection Platform (EPP) with Endpoint Detection and Response (EDR) and achieved what we consider to be the golden standard in cybersecurity: E-PDR (Endpoint Prevention, Detection, and Response).
Below I will discuss the numerous ways in which you can benefit from our E-PDR technology, superior to other existing EDR tools.
First of all, Heimdal™’s EDR brings you real-time proactive security via DNS filtering, smart threat hunting, proactive behavioral detection, automated patch management, a next-gen Antivirus, and a module for automated admin rights escalation/de-escalation procedures. Thus, we deliver a layered security approach within a single and lightweight agent. Our customers get access to next-gen endpoint threat prevention and protection from existing and undiscovered threats, plus a market-leading detection rate and compliance, all in one package.
Secondly, our dashboard always provides you with notifications and warnings for all active clients. It offers real-time threat and status reporting, delivered in the interval of your choosing. Your data will be graphed and scaled daily, weekly, or monthly and it can also be integrated into SIEM via API. The Heimdal™ Security Unified Threat Dashboard (UTD) stores the entire history throughout your customer lifecycle and helps you perform compliance audits and risk assessments. Alongside weekly reports, data exports, e-mail alerts, and built-in data drill down, the Heimdal™ UTD offers a powerful yet simple way to manage your environment.
Our platform also enables you to define policies for each of your components in great detail. For example, you can refine the blacklisting of websites, files, processes, or patches per Active Directory group of your Heimdal™ environment. This gives you the powerful option to individually tailor your IT environment and create policies to fit your exact needs across the Active Directory groups in your organization. Once configured, the Heimdal™ deployment is simple and easy and can happen through any MSI deployment tool.
Thirdly, because we’ve taken into consideration the evolving needs of the global enterprise, our E-PDR technology works anytime and anywhere in the world, for both on-site and remote work set-ups.
Last but not least, our multi-layered security suite, combined into our E-PDR system, comes in a user-friendly and easy-to-deploy agent that is extremely lightweight on your systems and will certainly become the greatest time-saver for your sysadmins.
No matter which EDR solution you end up choosing, make sure it can be scaled up and down and that it fits your organization’s needs.
Security experts discovered a highly sophisticated Android spyware platform, dubbed Mandrake, that remained undetected for four years.
Researchers from Bitdefender discovered a highly sophisticated Android spyware platform dubbed Mandrake, which was involved in highly targeted attacks against specific devices. Mandrake is an advanced cyberespionage platform, but experts believe the attacks are financially motivated.
The threat actors behind this campaign managed to fly under the radar for as long as possible. The attackers carefully selected the devices to infect and avoided compromising devices in countries that are of interest to them.
“Mandrake stood in the shadow for at least 4 years. During this time, it stole data from at least tens of thousands of users.” reads the report published by Bitdefender. “It takes special care not to infect everyone” – This is exactly what the actor did and most likely why it remained under the radar for 4 full years. Because of this strategy, the actual number of infections we were able to trace is quite low; Google Play Apps used as droppers to infect targets have only hundreds or – in some cases – thousands of downloads. It might even be possible that some of the infected users won’t face an attack at all if they present no interest to the actor.”
Most of the infections are in Australia, followed by Europe, America, and Canada. Experts observed two different waves of attacks, the first one in 2016 and 2017.
Experts detected seven malicious applications delivering Mandrake in Google Play alone, namely Abfix, CoinCast, SnapTune Vid, Currency XE Converter, Office Scanner, Horoskope, and Car News.
Sinkholing performed by the experts revealed about 1,000 victims during a 3-week period. The researchers estimated that tens of thousands, and probably hundreds of thousands, of devices were infected in the last 4 years.
During the past four years, the platform has received numerous updates, operators constantly implemented new features.
Mandrake allows attackers to gain complete control over an infected device and exfiltrate sensitive data. It also implements a kill-switch feature (a special command called seppuku, after the Japanese form of ritual suicide) that wipes all of the victim’s data and leaves no trace of the malware.
“The attacker has access to data such as device preferences, address book and messages, screen recording, device usage and inactivity times, and can
The list of targets is long and includes an Australian investment trading app, crypto-wallet apps, the Amazon shopping application, Gmail, banking software, payment apps, and an Australian pension fund app.
The malware avoids detection by delaying its activities and working in three stages: dropper, loader, and core.
The dropper is represented by the apps published in Google Play, while it is not possible to determine when the loader and the core are delivered.
The malware implements evasion techniques such as anti-emulation and leverages administrator privileges and the Accessibility Service to achieve persistence.
The report contains technical details about the threat, including Indicators of Compromise.
The post Mandrake, a high sophisticated Android spyware used in targeted attacks appeared first on Security Affairs.
Covve Visual Network Ltd., a Cyprus-based app developer, acknowledges that it's the owner of 90GB of data - including tens of millions of records - that apparently was left exposed on an open Elasticsearch database. A portion of the data was posted on a darknet forum.
Several high-performance computers working on COVID-19 research have been forced offline following a string of attacks.
The post European supercomputers hacked to mine cryptocurrency appeared first on WeLiveSecurity
Government officials said that a glitch in the State of Illinois’ Pandemic Unemployment Assistance (PUA) program exposed thousands of people’s Social Security Numbers (SSNs) and other private data. Jordan Abudayyeh, a spokesperson for Illinois Governor J. B. Pritzer, sent a statement to WBEZ on May 16. In it, she revealed that the Illinois Department of […]… Read More
The post ‘Glitch’ in Illinois’ PUA System Blamed for Exposing SSNs, Private Data appeared first on The State of Security.
Have your computers been hit by the ProLock ransomware? You might want to read this before you pay any money to the criminals behind the attack.
The makers of a popular iOS email app have warned their users that their accounts may have been compromised after a buggy software update made it possible to see strangers’ emails.
Read more in my article on the Hot for Security blog.
Responsible Cyber Announces Identity Acquisition and New Shareholders
Singaporean startup Responsible Cyber has announced the acquisition of fellow startup Secucial and new shareholders.
The Secucial acquisition adds a mobile digital identity wallet to its portfolio; a decentralized identity system that includes a mobile app with an identity wallet to provide secure authentication with biometrics and contextual multi-factor authentication to enable exchange of ID documents with a third party.
Responsible Cyber is part of the ICE71 Scale program, a landing pad that helps international and local cybersecurity startups seize opportunities and grow their businesses in Singapore and within Asia Pacific.
As a result of the acquisition, Responsible Cyber has also added NUS Enterprise, the entrepreneurial arm of the National University of Singapore, and Singtel Innov8, the venture capital arm of the Singtel Group, as new shareholders. NUS Enterprise and Singtel Innov8 are the co-founders of ICE71, the region’s first cybersecurity entrepreneur hub.
Secucial was part of the first cohort to graduate from ICE71 Accelerate, a three-month accelerator program designed to help early-stage cybersecurity startups achieve a product market fit in a unique technical and demanding industry.
“We welcome NUS Enterprise and Singtel Innov8 as our shareholders, especially during uncertain times like these,” said Magda Chelly, founder and managing director, Responsible Cyber.
“Our platform addresses the needs of business owners who do not have the right means and technical knowledge to implement cybersecurity measures for their businesses. By providing a user-friendly cybersecurity solution, we help small and medium businesses to continue operating remotely, reliably and securely, especially during this COVID-19 pandemic.”
A new malware, called Ramsay, can jump air gaps:
ESET said they've been able to track down three different versions of the Ramsay malware, one compiled in September 2019 (Ramsay v1), and two others in early and late March 2020 (Ramsay v2.a and v2.b).
Each version was different and infected victims through different methods, but at its core, the malware's primary role was to scan an infected computer, and gather Word, PDF, and ZIP documents in a hidden storage folder, ready to be exfiltrated at a later date.
Other versions also included a spreader module that appended copies of the Ramsay malware to all PE (portable executable) files found on removable drives and network shares. This is believed to be the mechanism the malware was employing to jump the air gap and reach isolated networks, as users would most likely move the infected executables between the company's different network layers, and they would eventually end up on an isolated system.
ESET says that during its research, it was not able to positively identify Ramsay's exfiltration module, or determine how the Ramsay operators retrieved data from air-gapped systems.
Honestly, I can't think of any threat actor that wants this kind of feature other than governments:
The researcher has not made a formal attribution as to who might be behind Ramsay. However, Sanmillan said that the malware contained a large number of shared artifacts with Retro, a malware strain previously developed by DarkHotel, a hacker group that many believe to operate in the interests of the South Korean government.
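One defender-side check that follows from the spreader behaviour quoted above, added here as an example that is not part of the original post or of ESET's analysis: a small Python routine that reports how many bytes sit after the last section of a PE file (its overlay), since a copy appended to an executable lands exactly there. The minimal PE it builds is constructed for the demo and is not a real program.

```python
"""Measure the overlay (bytes appended after the last section) of a PE file.

Appending a payload to existing executables on removable media is the
spreading technique attributed to Ramsay above; an unexplained overlay on
files that a baseline says should have none is one signal worth alerting on.
Added example; the toy PE built by build_minimal_pe() is constructed here.
"""
import struct

PE_SIGNATURE = b"PE\0\0"
OPTIONAL_HEADER_PE32 = 0x10B
COFF_HEADER_FMT = "<HHIIIHH"      # Machine, NumberOfSections, TimeDateStamp,
                                  # PointerToSymbolTable, NumberOfSymbols,
                                  # SizeOfOptionalHeader, Characteristics
SECTION_HEADER_SIZE = 40


def overlay_size(data):
    """Return the number of bytes past the end of the last section's raw data.

    Raises ValueError when the buffer is not a PE image at all.  Note that a
    non-zero overlay is not proof of tampering: installers and Authenticode
    signed binaries legitimately carry one, so compare against a known-good
    baseline (hash or expected overlay length) rather than alerting blindly.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from(COFF_HEADER_FMT, data, coff)
    first_section = coff + struct.calcsize(COFF_HEADER_FMT) + opt_size
    end_of_image = first_section + nsections * SECTION_HEADER_SIZE
    for i in range(nsections):
        off = first_section + i * SECTION_HEADER_SIZE
        # IMAGE_SECTION_HEADER: Name[8], VirtualSize, VirtualAddress,
        # SizeOfRawData, PointerToRawData, ... ; we only need the raw extent.
        size_raw, ptr_raw = struct.unpack_from("<II", data, off + 16)
        end_of_image = max(end_of_image, ptr_raw + size_raw)
    return max(0, len(data) - end_of_image)


def build_minimal_pe(section_data=b"\x90" * 0x200):
    """Construct a toy PE32 image with one section (demo input, not runnable code)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack(COFF_HEADER_FMT, 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<H", OPTIONAL_HEADER_PE32) + b"\0" * 222   # 224-byte PE32 optional header
    raw_ptr = 0x200
    section = (b".text\0\0\0"
               + struct.pack("<IIII", len(section_data), 0x1000, len(section_data), raw_ptr)
               + b"\0" * 16)
    headers = dos + PE_SIGNATURE + coff + opt + section
    assert len(headers) <= raw_ptr
    return headers.ljust(raw_ptr, b"\0") + section_data


if __name__ == "__main__":
    clean = build_minimal_pe()
    tampered = clean + b"<constructed appended blob>"
    print("clean overlay bytes:   ", overlay_size(clean))
    print("tampered overlay bytes:", overlay_size(tampered))
```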
Crypto-Miners Take Out Supercomputers Working on #COVID19
Supercomputers across Europe appear to have been targeted by cryptocurrency miners over the past few days, forcing offline key IT resources working on COVID-19 research.
One of the first to report problems was the University of Edinburgh’s Archer supercomputer, which was taken offline last Monday after “a security exploitation on the Archer login nodes.”
Working with the National Cyber Security Centre (NCSC), the institution has been forced to reset all existing passwords and SSH keys. It is still down at the time of writing.
The Computer Security Incident Response Team (CSIRT) at the European Grid Infrastructure (EGI) organization revealed two potentially related security incidents in an analysis on Friday. In both, a malicious actor was blamed for targeting academic data centers for CPU mining.
“The attacker is hopping from one victim to another using compromised SSH credentials,” it explained.
The attackers were logging in from three compromised networks, at the University of Krakow in Poland, Shanghai Jiaotong University and the China Science and Technology Network. It has been claimed that some credentials are shared between academic institutions, making it easier for would-be attackers.
It’s also claimed that the attackers are exploiting CVE-2019-15666, a Linux kernel flaw in the XFRM (IPsec) subsystem, for privilege escalation before deploying a Monero cryptocurrency miner.
Other institutions affected by the campaign include the Swiss Center of Scientific Computations (CSCS), the bwHPC, which runs supercomputers across the German region of Baden-Württemberg, the University of Stuttgart’s HPE Hawk machine, the Leibniz Computing Center (LRZ) and an unnamed facility in Barcelona.
“What’s interesting about this is that it seems hackers have targeted the supercomputers completely remotely for the first time, as before there has always been an insider who installs the crypto-mining malware used for the attack,” argued ESET cybersecurity specialist, Jake Moore.
“All the SSH login credentials will now need resetting, which may take a while, but this is vital to stop further attacks. Once a list of credentials is compromised, it is a race against time to have these reset. Unfortunately, the lead time is usually enough of a head start for threat actors to take advantage of the mining software.”
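The pattern EGI CSIRT describes, one credential hopping between sites, shows up in sshd logs as the same user and key being accepted from source networks that have nothing to do with each other. The following is an added example, not EGI's or NCSC's tooling: it parses OpenSSH "Accepted" lines and flags any user/key pair used from more than one /16 network, or from any source outside an allowlist of institutional ranges. The log lines and the allowlisted network are constructed for the demonstration; the /16 grouping and the allowlist are assumptions a site would tune to its own address plan.

```python
import ipaddress
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

# OpenSSH success line, e.g. "Accepted publickey for alice from 10.20.5.7 port 51022 ssh2: RSA SHA256:..."
ACCEPT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>publickey|password) for (?P<user>\S+) from (?P<src>\S+) port \d+ ssh2"
    r"(?:: \S+ (?P<fp>SHA256:\S+))?"
)


def parse_accepted(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of a successful login line, or None for anything else (failures, disconnects)."""
    m = ACCEPT_RE.match(line)
    return m.groupdict() if m else None


def find_credential_hopping(lines: Iterable[str], known_nets: Iterable[str],
                            min_networks: int = 2) -> List[dict]:
    """Flag credentials (user + key fingerprint, or user + password) that were accepted from
    at least `min_networks` distinct /16 networks, or from any source outside `known_nets`."""
    known = [ipaddress.ip_network(n) for n in known_nets]
    networks = defaultdict(set)   # (user, credential) -> set of /16 networks seen
    foreign = defaultdict(set)    # (user, credential) -> sources outside the allowlist
    for line in lines:
        ev = parse_accepted(line)
        if ev is None:
            continue
        src = ipaddress.ip_address(ev["src"])
        key = (ev["user"], ev["fp"] or "password")
        networks[key].add(ipaddress.ip_network(f"{src}/16", strict=False))
        if not any(src in n for n in known):
            foreign[key].add(str(src))
    findings = []
    for (user, cred), nets in networks.items():
        if len(nets) >= min_networks or foreign.get((user, cred)):
            findings.append({
                "user": user,
                "credential": cred,
                "networks": sorted(str(n) for n in nets),
                "foreign_sources": sorted(foreign.get((user, cred), ())),
            })
    return sorted(findings, key=lambda f: (f["user"], f["credential"]))


# Constructed sample log: alice and carol log in from the campus range; bob's key is accepted
# from two unrelated external networks, which is the hopping pattern described in the article.
SAMPLE_AUTH_LOG = """\
May 11 03:12:44 login1 sshd[2211]: Accepted publickey for alice from 10.20.5.7 port 51022 ssh2: RSA SHA256:k1aaaa
May 11 03:15:01 login1 sshd[2230]: Accepted publickey for alice from 10.20.5.9 port 51040 ssh2: RSA SHA256:k1aaaa
May 11 04:02:13 login2 sshd[3310]: Accepted publickey for bob from 198.51.100.23 port 40112 ssh2: ED25519 SHA256:k2bbbb
May 11 04:40:55 login1 sshd[3390]: Accepted publickey for bob from 203.0.113.77 port 40200 ssh2: ED25519 SHA256:k2bbbb
May 11 05:01:09 login2 sshd[3412]: Accepted password for carol from 10.20.7.1 port 33001 ssh2
May 11 05:03:44 login2 sshd[3419]: Failed password for root from 203.0.113.5 port 33100 ssh2
"""
KNOWN_NETS = ["10.20.0.0/16"]   # assumed campus range for the demo

if __name__ == "__main__":
    for finding in find_credential_hopping(SAMPLE_AUTH_LOG.splitlines(), KNOWN_NETS):
        print(finding)
```

Run it over `/var/log/auth.log` or `journalctl -u ssh` output from every login node at once, not per host: the signal is the same key turning up across nodes and networks, which no single host's log shows. A key that is shared between institutions, as the article says some were, will show up here immediately, and that list is the reset priority.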
The FBI issued a flash alert to warn organizations in the United States that the ProLock ransomware decryptor doesn’t work properly.
Early this month, the FBI issued a flash alert to warn organizations of the new threat actor targeting healthcare, government, financial, and retail industries in the US.
“The decryption key or ‘decryptor’ provided by the attackers upon paying the ransom has not routinely executed correctly,” states the alert.
“The decryptor can potentially corrupt files that are larger than 64MB and may result in file integrity loss of approximately 1 byte per 1KB over 100MB.”
Experts have reported several ransomware attacks against businesses and organizations; the ProLock ransomware is just the latest threat to add to the list.
The FBI recommends that victims of ransomware attacks avoid paying the ransom to decrypt their files. The Feds warned that the decryptor for ProLock is not working correctly and that using it could permanently destroy the data: the decryptor can corrupt files larger than 64MB during the decryption process.
The PwndLocker ransomware was first spotted by security researchers in late 2019; the operators’ demands have ranged from $175,000 to more than $660,000 worth of Bitcoin.
According to the FBI, operators behind the threat gain access to hacked networks via the Qakbot (Qbot) trojan, but experts from Group-IB added that they also target unprotected Remote Desktop Protocol (RDP)-servers with weak credentials. It is still unclear if the ProLock ransomware was managed by the Qakbot gang, or if the ProLock operators pay to gain access to hosts infected with Qakbot to deliver their malware.
“ProLock operators used two main vectors of initial access: QakBot (Qbot) and unprotected Remote Desktop Protocol (RDP)-servers with weak credentials.” reads the report published by Group-IB.
“The latter is a fairly common technique among ransomware operators. This kind of access is usually bought from a third party but may be obtained by group members as well.”
In March, threat actors behind PwndLocker changed the name of their malware to ProLock, immediately after security firm Emsisoft released a free decryptor tool.
According to the popular investigator Brian Krebs, the systems at Diebold Nixdorf were recently infected by the ProLock ransomware (aka PwndLocker), the same piece of ransomware involved in the attack against Lasalle County, Ill. in March.
“Fabian Wosar, Emsisoft’s chief technology officer, said if Diebold’s claims about not paying their assailants are true, it’s probably for the best: That’s because current versions of ProLock’s decryptor tool will corrupt larger files such as database files.” reads the analysis published by Krebs.
“As luck would have it, Emsisoft does offer a tool that fixes the decryptor so that it properly recovers files held hostage by ProLock, but it only works for victims who have already paid a ransom to the crooks behind ProLock.
“We do have a tool that fixes a bug in the decryptor, but it doesn’t work unless you have the decryption keys from the ransomware authors,” Wosar said.”
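The practical consequence of a decryptor that silently damages large files is that decrypted output cannot be restored on trust: every file has to be checked against something known-good before it goes back into production. The following is an added example, not the FBI's, Emsisoft's or Group-IB's tooling: it builds a hash manifest from a known-good tree (an offline backup taken before the incident), then compares a decryptor's output against it, separating intact files, corrupted files, files that are missing, and large files for which no known-good copy exists and which therefore cannot be verified. The directory trees, the damaged byte and the size threshold used in the demo scenario are constructed for illustration.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# The FBI alert says the decryptor may corrupt files larger than 64 MB; anything above this
# size that cannot be compared with a known-good copy is reported as unverified.
LARGE_FILE_THRESHOLD = 64 * 1024 * 1024


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so multi-gigabyte database files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, Tuple[int, str]]:
    """Hash every file under a known-good tree (a pre-incident backup), keyed by relative path."""
    root = Path(root)
    return {str(p.relative_to(root)): (p.stat().st_size, sha256_file(p))
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_decrypted(root: Path, manifest: Dict[str, Tuple[int, str]],
                     threshold: int = LARGE_FILE_THRESHOLD) -> Dict[str, List[str]]:
    """Compare a decryptor's output tree against the manifest before any of it is restored."""
    root = Path(root)
    report: Dict[str, List[str]] = {"ok": [], "corrupt": [], "missing": [], "large_unverified": []}
    for rel, (size, digest) in manifest.items():
        p = root / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif p.stat().st_size == size and sha256_file(p) == digest:
            report["ok"].append(rel)
        else:
            report["corrupt"].append(rel)   # size mismatch, or silent byte-level damage
    for p in sorted(root.rglob("*")):
        rel = str(p.relative_to(root))
        if p.is_file() and rel not in manifest and p.stat().st_size > threshold:
            report["large_unverified"].append(rel)   # no known-good copy: do not trust blindly
    return report


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: a backup tree and a 'decrypted' tree in which one file was damaged."""
    base = Path(tempfile.mkdtemp())
    try:
        backup, decrypted = base / "backup", base / "decrypted"
        backup.mkdir()
        (backup / "notes.txt").write_bytes(b"quarterly notes\n" * 100)
        (backup / "ledger.db").write_bytes(os.urandom(300 * 1024))
        shutil.copytree(backup, decrypted)
        damaged = bytearray((decrypted / "ledger.db").read_bytes())
        damaged[200 * 1024] ^= 0x01                       # a single flipped byte deep inside the file
        (decrypted / "ledger.db").write_bytes(damaged)
        (decrypted / "extra.bin").write_bytes(b"\0" * 4096)   # present in the output, absent from backup
        # threshold lowered to 2 KB so the demo's small files exercise the large-file branch
        return verify_decrypted(decrypted, build_manifest(backup), threshold=2048)
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

A size comparison alone would pass the damaged ledger in the demo, since the FBI describes byte-level corruption rather than truncation; only the content hash catches it. Where no backup exists, the "large_unverified" list is the set of files to open with their native application and validate (a database integrity check, an archive test) before anyone relies on them.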
(SecurityAffairs – ProLock, hacking)
The post FBI warns US organizations of ProLock ransomware decryptor not working appeared first on Security Affairs.
You can’t stop something you can’t see. In today’s world, threats are evolving constantly and dangerous attackers continue to cause serious damage to organizations across industries. Threat detection solutions monitor your environment for malicious activity, uncovering and alerting security teams of risk. Core Network Insight focuses on advanced threat detection across the enterprise, finding infections in every type of device, including high end IoT.
Core Network Insight
Network Insight focuses on advanced threat detection, uncovering infections and advanced persistent threats (APTs). By observing network communications from endpoints within an organization’s environment going to and coming from the internet, Network Insight can identify when those communications are taking place with external systems that may be threat actors intent upon exploiting a network’s devices for criminal purposes.
How Network Insight Works: Following the Data Funnel
So how exactly does Network Insight determine what is malicious and what isn’t? By making use of every piece of data it observes. Let’s look at how Network Insight can transform data into critical security information.
Network Insight leverages both what it observes locally and the data of Core CSP, which runs in telecom and service-provider networks, observing billions of DNS requests a day and thousands of malware samples. All of this information goes into a database in Hadoop, where nearly 100 billion domain names are also being tracked. Since Network Insight has been around for 15 years, there is over a decade of evidence that has been collected and analyzed from millions of devices observed worldwide.
Network Insight analyzes the network traffic using communication and risk profilers to narrow down which devices on your networks are communicating with notorious malware families, prioritizes them based on risk, and then passes the evidence along for further analysis.
Once this evidence is initially assessed, it then moves to the Case Analyzer, which determines the certainty of the infection status. Security teams don’t hear from Network Insight until infection is confirmed, so they don’t have to pursue benign notifications or false leads. An alert is sounded for actual infected devices along with the threat actor it is communicating with.
Responders are given a definitive verdict on network threats, and provided with forensic evidence about infected devices. These compromised devices are prioritized based on their risk level. With this information you can tell exactly what devices need to be remediated and act immediately, in real-time, to stop data loss. Organizations may not be able to prevent a breach, but Network Insight’s alerts can be used to thwart an attack, preventing the destruction caused by threat actors that are able to lurk in a system unnoticed.
Insight Into IoT
What type of devices are being monitored? Network Insight is unlike other advanced threat detection solutions because it can deliver intelligence about known and unknown threats regardless of the infection’s source, entry vector, or OS of the device. This means that any device of any kind can be observed, including countless types of IoT devices—SCADA systems, HVAC, Point of Sale (POS) systems, even MRI and X-ray machines. These IoT devices often lack traditional preventative layers like antivirus, making them ideal attack vectors, so monitoring them for signs of infection is especially critical.
Network Insight and the Threat Landscape
It is no longer enough to focus purely on prevention. With so many successful attacks taking place every day, organizations must also have solutions focused on threat detection. With Network Insight, you’ll not only have assurance that threats will be swiftly detected, you’ll also be able to holistically monitor your entire environment, knowing that no matter how many devices there are in your infrastructure, no threat will go unseen.
Watch a brief demo to see for yourself how Network Insight transforms data into threat intelligence.
Security whilst online has been paramount for many years, and with the ever-advancing technology available to us, cybersecurity is constantly evolving. Whilst the internet is an invaluable resource for our modern lives, it can also be a dangerous place. With these new advances in security, 2020 is set to show changes in cybersecurity in both good and bad ways, and in this article we are going to explain them to you.
5 Ways Cyber Security Is Changing In 2020
1. Artificial Intelligence
Artificial intelligence, or AI as it is more fondly known, has been around for a while now. However, in 2020 it is estimated that this ever-changing form of technology is going to be used more frequently both by those looking for targets online and by those trying to stop the ‘bad guys.’ This tech is able to detect patterns in online behavior and respond accordingly, leaving human intervention almost completely unnecessary.
2. 5G
There are a LOT of theories surrounding the rolling out of 5G, but until it is being widely used, no one can really predict its impact. However, one thing that is for sure is that it is something we will be exposed to this year and, according to reports, it isn’t developed enough to withstand the high volume of online threats. Therefore, those at the top of tech are going to need to man all stations to keep on top of cybersecurity when using 5G.
3. Cyber Security Technology Platforms
This might seem like a complex term, and it is. However, in short, these platforms are essentially made up of five major components which will provide top-level security, and they look set to become a cybersecurity preference over the single-component tools of previous years.
4. Hackers Are Going To The Source
In years gone by hackers and cybercriminals would target individuals or companies but with the advances, we are seeing in technology, they are now able to target service providers. This means access to thousands of their customers and information. It sounds scary and it is. But on the flip side, these service providers also have access to just as innovative tech to fight the battle.
5. Risk Management
Attempting to handle individual cyber crimes is a fight that nobody is ever going to win. That being said, in 2020 it looks set to be more about managing the risks in order to put a stop to these types of crimes before the perpetrators have even had a chance to commit cybercrime. Businesses operating online now have access to an incredible amount of tools that can help them to prevent attacks, stopping them at the source.
It is astonishing how fast technology is moving forward, and the speed at which this is happening is bound to translate into ever-changing online trends; cybersecurity is no exception. If you are concerned about cybersecurity there are many tools and programs that you can use, and funding them couldn’t be easier with the use of websites such as NowLoan, which gives you the chance to find the best loans to fund your cybersecurity efforts.
The post 5 Ways Cyber Security Is Changing In 2020 appeared first on .
Police Catch Suspects Planning #COVID19 Hospital Ransomware
Police in Europe have swooped on a cybercrime gang they suspect of planning ransomware attacks using COVID-19 lures against hospitals.
The four-man “Pentaguard” group was formed at the start of the year, according to the Romanian Directorate for Investigating Organized Crime and Terrorism (DIICOT).
It amassed tools including ransomware, remote access trojans (RATs), and SQL injection tools to launch attacks against public and private sector organizations with the aim of stealing data, defacing websites and encrypting key systems.
“They intended to launch ransomware attacks, in the near future, on some public health institutions in Romania, generally hospitals, using social engineering by sending a malicious executable application, from the Locky or BadRabbit families, hidden in an e-mail and in the form of a file that apparently would come from other government institutions, regarding the threat of COVID-19,” the DIICOT update explained.
“Through this type of attack, there is the possibility of blocking and seriously disrupting the functioning of the IT infrastructures of those hospitals, part of the health system, which plays a decisive role at this time, to combat the pandemic with the new coronavirus.”
Officers carried out three house searches in Romania and one in neighboring Moldova.
Hospitals around the world have been under constant attack over the past few weeks as ransomware gangs try to take advantage of the current pandemic to put pressure on their victims to pay.
Microsoft warned recently that many of these attacks used APT-style techniques such as exploitation of a VPN or remote access vulnerability, followed by reconnaissance, privilege escalation and lateral movement.
In April, INTERPOL was forced to issue a Purple Notice to all of its 194 member countries about the cyber-threat to hospitals and other front-line organizations.
On May 1st President Trump signed an Executive Order on “Securing the United States Bulk-Power System.” The order cites foreign adversaries and their increased creation and usage of vulnerabilities against the grid as the primary driver. In my opinion, perhaps more interesting is the inherent ties to the NERC standards, namely CIP-010 R4 and CIP-013 that […]… Read More
The post A Look at Trump’s Executive Order to Secure the Bulk Power System appeared first on The State of Security.
REvil Ransomware Gang Threatens to Release Dirt on Trump
Ransomware attackers that stole data on celebrity clients from a New York law firm have doubled their demand and threatened to release sensitive information on US President Donald Trump.
The REvil group claimed to have lifted 756GB of data from Grubman Shire Meiselas & Sack, which counts the likes of Madonna, Bruce Springsteen, Run DMC and Mariah Carey among its clients.
The media and entertainment law firm confirmed last week that it had been a victim of a cyber-attack and that it was “working around the clock to address these matters.”
However, the ransomware group’s original deadline for payment of $21m ran out at the end of last week, and it has now upped the demand to $42m.
To show they mean business, the cyber-criminals recently released over 2GB of stolen documents related to contract dealings of Lady Gaga.
They also threatened to publish dirt on Donald Trump, although reports suggest he was never a client of the law firm.
“There's an election race going on, and we found a ton of dirty laundry on time. Mr Trump, if you want to stay President, poke a sharp stick at the guys, otherwise you may forget this ambition forever,” they claimed on a dark web site.
“To you voters, we can let you know that after such a publication, you certainly don't want to see him as President. Well, let's leave out the details. The deadline is one week.”
Recorded Future’s senior solutions architect, Allan Liska, pointed to the threats as just the latest in a long line of incidents where ransomware groups steal data from their victims and threaten to publish it in a bid to force payment.
“Ransomware groups have grown increasingly bold in their targets and their ransom demands and so far have been able to operate with very little pushback,” he added.
“In addition, it has long been suspected that this group operates within Russia's locus of control. The Kremlin generally turns a blind eye to these activities, as long as the threat actors don't target Russian citizens. However, going after an ally of Russia may force Russian cybersecurity forces to turn their attention to the REvil team as well.”
Trump has consistently refused to comply with demands from federal prosecutors to release information on his financial affairs. Separate investigations are looking at whether he committed tax fraud and if his business dealings left him subject to the influence of foreign individuals or governments.
A critical flaw in the WP Product Review Lite plugin installed on over 40,000 WordPress sites could potentially allow their take over.
Attackers could exploit a critical vulnerability in the WP Product Review Lite WordPress plugin to inject malicious code and potentially take over vulnerable websites.
The WP Product Review Lite plugin allows site owners to quickly create custom review articles using pre-defined templates, it is currently installed on over 40,000 WordPress sites.
The vulnerability was discovered by researchers at Sucuri Labs, it is a persistent XSS that could be exploited by remote, unauthenticated attackers.
“During a routine research audit for our Sucuri Firewall, we discovered an Unauthenticated Persistent Cross-Site Scripting (XSS) affecting 40,000+ users of the WP Product Review plugin.” reads the analysis published by Sucuri.
“All user input data is sanitized but the WordPress function used can be bypassed when the parameter is set inside an HTML attribute. A successful attack results in malicious scripts being injected in all the site’s products.”
Attackers can bypass the WordPress user input data sanitization function to exploit the Stored Cross-Site Scripting (Stored XSS) issue. Upon triggering the flaw, the attackers could inject malicious scripts in all the products stored in the database of the targeted website.
An attacker could trick a site admin into accessing the compromised products, then they could redirect them to a rogue site, or steal the session cookies to authenticate on behalf of the administrator.
Once the attacker has authenticated as an admin, they could add a new admin account to take over the site.
Researchers at the Sucuri Labs revealed that they are not aware of any attacks in the wild exploiting the flaw.
Experts recommend that site administrators update the plugin to version 3.7.6 as soon as possible, because unauthenticated attacks can be automated by attackers.
“Unauthenticated attacks are very serious because they can be automated, making it easy for hackers to mount successful, widespread attacks against vulnerable websites,” Sucuri Labs conclude.
“The number of active installs, the ease of exploitation, and the effects of a successful attack are what makes this vulnerability particularly dangerous.”
The vulnerability was reported to the plugin developers on May 13, and it was fixed in only 24 hours, on May 14, 2020.
At the time of writing, more than 7,000 users have already fixed their WP Product Review Lite plugin, this means that more than 32,000 sites have yet to do it.
(SecurityAffairs – WP Product Review Lite, hacking)
The post Stored XSS in WP Product Review Lite plugin allows for automated takeovers appeared first on Security Affairs.