Daily Archives: May 21, 2020

Create a safe haven for your customers to build loyalty

“The customer comes first” started out as the secret to success in business. Now it’s the secret to 21st century cybersecurity and fraud prevention, too. The phrase always seemed more like an empty platitude, but a growing number of banks and other financial institutions now understand that optimizing convenient consumer experience with risk and safety across all their channels is a strategic differentiator. Dealing with fraudulent transactions Financial institutions have been on the lookout for … More

The post Create a safe haven for your customers to build loyalty appeared first on Help Net Security.

Integrating a SIEM solution in a large enterprise with disparate global centers

Security Information and Event Management (SIEM) systems combine two critical infosec abilities – information management and event management – to identify outliers and respond with appropriate measures. While information management deals with the collection of security data from across silos in the enterprise (firewalls, antivirus tools, intrusion detection, etc.), event management focuses on incidents that can pose a threat to the system – from benign human errors to malicious code trying to break in. Having … More

The post Integrating a SIEM solution in a large enterprise with disparate global centers appeared first on Help Net Security.

The dark web is flooded with offers to purchase corporate network access

There is a flood of interest in accessing corporate networks on the dark web, according to Positive Technologies. In Q1 2020, the number of postings advertising access to these networks increased by 69 percent compared to the previous quarter. This may pose a significant risk to corporate infrastructure, especially now that many employees are working remotely. “Access for sale” on the dark web is a generic term, referring to software, exploits, credentials, or anything else … More

The post The dark web is flooded with offers to purchase corporate network access appeared first on Help Net Security.

Number of active IoT devices expected to reach 24.1 billion in 2030

At the end of 2019 there were 7.6 billion active IoT devices, a figure which will grow to 24.1 billion in 2030, a CAGR of 11%, according to a research published by Transforma Insights. Short range technologies, such as Wi-Fi, Bluetooth and Zigbee, will dominate connections, accounting for 72% in 2030, largely unchanged compared to the 74% it accounts for today. Public networks growth Public networks, which are dominated by cellular networks, will grow from … More

The post Number of active IoT devices expected to reach 24.1 billion in 2030 appeared first on Help Net Security.

Abnormal Security launches VendorBase to help orgs reduce supply chain cybersecurity risk

Abnormal Security, a leader in protecting large enterprises from Business Email Compromise (BEC) attacks, introduced VendorBase, a global, federated database that tracks the reputations of an organization’s vendors and customers, and improves detection accuracy of advanced social engineering attacks. With VendorBase, the Abnormal Cloud Email Security platform aggregates communication in one place to provide customers deeper insight and visibility into a vendor’s reputation and transactions. This unprecedented access gives organizations the ability to see detailed … More

The post Abnormal Security launches VendorBase to help orgs reduce supply chain cybersecurity risk appeared first on Help Net Security.

Intelsat CellBackhaul: Cost-efficient managed service that helps MNOs deploy 4G and 5G coverage

Intelsat, operator of the world’s largest integrated satellite and terrestrial network, launched Intelsat CellBackhaul, an end-to-end managed service that helps Mobile Network Operators (MNOs) provide cost-efficient and rapid 4G and 5G broadband coverage to Americans everywhere, including those living, working and traveling in rural areas of the United States. Much of the U.S. is rural, and there are still many areas where communities, farmers, ranchers, tourists, industrial and construction workers, and emergency personnel currently have … More

The post Intelsat CellBackhaul: Cost-efficient managed service that helps MNOs deploy 4G and 5G coverage appeared first on Help Net Security.

Code42’s risk indicators expose and prioritize the riskiest file activity among remote workers

Code42, the leader in insider risk detection, investigation and response, announced that it has enhanced its insider risk detection capabilities. New high-fidelity risk indicators filter out non-threatening activities to flag and prioritize high-risk file events that represent real threats and require security investigation. The risk indicators zero in on mismatched files types and extensions, unsanctioned file activity as well as suspicious off-hours and remote workforce activities. “Cybersecurity teams are drowning in alerts that obscure legitimate … More

The post Code42’s risk indicators expose and prioritize the riskiest file activity among remote workers appeared first on Help Net Security.

Alliant and ACA Aponix unveil a new cybersecurity risk mitigation and transfer solution offering

Alliant Insurance Services announced the launch of a new cybersecurity risk mitigation and transfer solution offering, PortCo Protect. Created in partnership with ACA Aponix, PortCo Protect is tailored to the needs of private equity managers and their portfolio companies. “Uniting ACA’s proprietary assessment risk index with our risk modeling and analytics services was a win-win,” said Sandy Crystal, Executive Vice President, Alliant Specialty. “Now, more than ever, it is imperative that firms are aware of … More

The post Alliant and ACA Aponix unveil a new cybersecurity risk mitigation and transfer solution offering appeared first on Help Net Security.

Exabeam sees more than half of new and add-on recurring revenue from cloud offering

Exabeam, the Smarter SIEM company, announced a significant performance milestone with Exabeam SaaS Cloud contributing more than half of Q1 FY21 new and add-on recurring revenue, signaling an accelerated transition of its business to the cloud. This momentum has been built on consistent improvements to Exabeam’s cloud-first product and partner strategy, including the recent announcements of the Exabeam Cloud Platform and Google Cloud Security Partner status. With organizations quickly deploying collaboration and virtual meeting apps … More

The post Exabeam sees more than half of new and add-on recurring revenue from cloud offering appeared first on Help Net Security.

CrowdStrike Falcon bolsters Linux protection with ML prevention, custom and dynamic IoAs

CrowdStrike, a leader in cloud-delivered endpoint protection, announced the CrowdStrike Falcon platform is bolstering its Linux protection capabilities with additional features, including machine learning prevention, custom Indicators of Attack (IoAs) and dynamic IoAs. CrowdStrike delivers proven breach prevention and visibility from its cloud-delivered platform via a single lightweight agent that supports endpoints and cloud workloads on all platforms including Windows, Mac, Linux and mobile devices. As one of the primary Operating Systems (OS) of business-critical … More

The post CrowdStrike Falcon bolsters Linux protection with ML prevention, custom and dynamic IoAs appeared first on Help Net Security.

Sysdig supports five AWS services to make it easier to use Prometheus with Amazon CloudWatch

Sysdig, a secure DevOps leader, announced support for five Amazon Web Service (AWS) services to make it easier to use Prometheus with Amazon CloudWatch. Sysdig added support for AWS Fargate, AWS Lambda, AWS Application Load Balancer (AWS ALB), AWS Elastic Load Balancer (AWS ELB), and Amazon Simple Storage Service (Amazon S3) to PromCat.io, the company’s free repository of curated Prometheus compatibility options. The support packages come with an exporter, documentation, dashboards, and alerts created by … More

The post Sysdig supports five AWS services to make it easier to use Prometheus with Amazon CloudWatch appeared first on Help Net Security.

VMware and Dell deliver simple, secure, and scalable cloud infrastructure to the data center and edge

VMware announced the availability of the second generation of VMware Cloud on Dell EMC, a cloud service that combines the simplicity and agility of the public cloud with the security and control of enterprise-grade on-premises infrastructure. Jointly developed with Dell Technologies, this VMware service delivers simple, more secure and scalable infrastructure as-a-service to customers’ on-premises data center and edge locations. “Today’s IT teams are under constant pressure to deliver the advantages of a cloud operating … More

The post VMware and Dell deliver simple, secure, and scalable cloud infrastructure to the data center and edge appeared first on Help Net Security.

Cymatic announces first year customer milestones

Cymatic released data marking its first year of successful customer engagements since its debut in 2019. Cymatic’s next-generation all-in-one web application defense platform, CymaticONE—the only unified web application defense that deploys at the client through a simple line of JavaScript without agents, cookies, or proxies—was released last year in the run-up to BlackHat. Since that time, the company has: Successfully completed more than two dozen installations in less than an hour Deployed 78% of those … More

The post Cymatic announces first year customer milestones appeared first on Help Net Security.

Open Systems acquires Born in the Cloud to boost its cybersecurity capabilities

Open Systems, a secure access service edge (SASE) pioneer supporting enterprises in their digital transformation journey, announced its acquisition of Born in the Cloud, a specialist in cybersecurity threat detection, prevention and response. Its “SWAT team” of architects, engineers and developers enables enterprise customers to securely achieve their cloud automation, strategy and migration goals with the Microsoft Azure cloud platform. This addition bolsters Open Systems’ ability to serve the large and expanding market for Azure … More

The post Open Systems acquires Born in the Cloud to boost its cybersecurity capabilities appeared first on Help Net Security.

Veritas Technologies expands roles for two of its senior executives

Veritas Technologies, a global leader in data protection and availability, announced new and expanded roles for two of its senior executives. Phil Brace has been named executive vice president of Worldwide Field Operations. He takes over the role from Scott Genereux, who is leaving the company to pursue other opportunities. Having previously led Veritas’ appliances and software-defined storage business, Brace will be responsible for sales, channels and sales operations for new business. Deepak Mohan, who … More

The post Veritas Technologies expands roles for two of its senior executives appeared first on Help Net Security.

Shift Technology appoints Donald Matejko as Chief Revenue Officer

Shift Technology, a provider of AI-native fraud detection and claims automation solutions, announced Donald Matejko has joined the company as Chief Revenue Officer (CRO). In this role, Matejko serves on the Executive Leadership Committee and is directly responsible for defining and executing the go-to-market (GTM) strategy for Shift’s Force and Luke solutions. Prior to Shift, Matejko served as CRO for Showpad, Executive Senior Vice President at SAP, and Senior Vice President at Adobe. “As a … More

The post Shift Technology appoints Donald Matejko as Chief Revenue Officer appeared first on Help Net Security.

Santander, one of the biggest European banks, was leaking sensitive data on their website

Santander Consumer Bank, the Belgian branch of the bank, had a misconfiguration in its blog domain that was allowing its files to be indexed.

Our new research recently discovered a security issue with Santander, the 5th largest bank in Europe and the 16th largest in the world. This Spanish multinational bank controls approximately $1.4 trillion in total assets globally, and has a $69.9 billion total market capitalization on the Euro Stoxx 50 stock market index.

Our analysts found that the Belgian branch, Santander Consumer Bank, has a misconfiguration in its blog domain, allowing its files to be indexed. 

When we looked through these files, we were able to see sensitive information, including an SQL dump and JSON file that can be used by hackers to potentially phish Santander’s bank customers.

We contacted Santander immediately when we discovered the misconfiguration on April 15. Representatives from the leading European bank responded to our emails and seem to have fixed the issue, as we are presently unable to access the information.

A Santander Consumer spokesperson said:

“The incident highlighted relates specifically to the Santander Consumer Bank Belgium blog only. The blog contains only public information and articles, and therefore no customer data or critical information from the blog has been compromised. Our security team has already fixed the issue to ensure the blog is secure.”

What exactly is wrong with the Santander website?

When we visited the Santander blog on its Belgian domain, we noticed that the www endpoint of the blog subdomain had a misconfiguration that allowed all of its files to be indexed by search engines.

Included in these indexed files was an important info.json file that seemed to contain its Cloudfront API keys.

Cloudfront is a Content Delivery Network (CDN) created by Amazon. Websites use CDNs to host large files, such as videos, PDFs, large images and other static content, that would normally slow down their own websites. Because these large files are hosted on the CDN instead, websites are faster for users.

If a hacker were to get hold of Santander’s apparent Cloudfront API keys, they would be able to switch out the content hosted on Cloudfront with any other content.

For example, if a PDF or Word document was hosted on Cloudfront, and this document contained sensitive information – such as what accounts a customer should send money to – then the hacker would be able to switch that document out with their own version. In that way, they’d be able to change the real account number to their own, and thereby steal the customer’s money.

If a static HTML file was hosted, then the hacker would be able to switch that out with an entire webpage, allowing them to create a phishing page to steal the user’s financial information, all while on Santander’s official Belgian domain.
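The misconfiguration described above, an SQL dump and a JSON file with apparent CDN keys sitting in an indexable web root, is the kind of thing a pre-publish check catches before the server ever serves it. The following Python script is an added example and is not code from the original article, from CyberNews or from Santander. It assumes the web root is a local directory about to be deployed, flags database dumps and similar file types outright, and inspects text files for AWS-format access key IDs (long-term key IDs begin with AKIA followed by 16 uppercase alphanumerics) and for JSON keys with credential-like names. The sample files it creates are constructed for the demonstration; the key ID in them is a fake in the right format.

```python
"""Pre-publish audit of a web root for files that should never be served.

Added example, not code from the original article or from Santander/CyberNews.
Assumptions: the web root is a local directory about to be deployed. The AWS
access key ID format (AKIA + 16 uppercase alphanumerics) is the real public
format; the sample files built below are constructed for this example only.
"""
import json
import re
import tempfile
from pathlib import Path

# File types that have no business being served from a public web root.
SENSITIVE_EXTENSIONS = (".sql", ".sql.gz", ".env", ".bak", ".pem", ".key")

# Long-term AWS access key IDs are 20 characters beginning with "AKIA".
AWS_ACCESS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")

# JSON key names that usually mean "this file holds a credential".
SECRET_KEY_NAME_RE = re.compile(r"(secret|api[_-]?key|access[_-]?key|password)", re.I)


def _json_has_secret_keys(text):
    """True if the JSON document contains a key whose name looks like a credential."""
    try:
        doc = json.loads(text)
    except ValueError:
        return False
    stack = [doc]
    while stack:
        node = stack.pop()
        if isinstance(node, dict):
            for key, value in node.items():
                if SECRET_KEY_NAME_RE.search(str(key)):
                    return True
                stack.append(value)
        elif isinstance(node, list):
            stack.extend(node)
    return False


def audit_web_root(root):
    """Return a sorted list of (relative_path, reason) for files that must not ship."""
    findings = []
    root = Path(root)
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        suffixes = "".join(path.suffixes).lower()
        if suffixes.endswith(SENSITIVE_EXTENSIONS):
            findings.append((rel, f"sensitive file type {suffixes}"))
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue
        if AWS_ACCESS_KEY_RE.search(text):
            findings.append((rel, "contains an AWS access key ID"))
        elif path.suffix.lower() == ".json" and _json_has_secret_keys(text):
            findings.append((rel, "JSON with credential-like keys"))
    return sorted(findings)


def build_sample_web_root():
    """Create a constructed web root mixing harmless files with ones that must not ship."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "index.html").write_text("<html><body>Blog</body></html>")
    (root / "assets").mkdir()
    (root / "assets" / "site.json").write_text(json.dumps({"title": "Blog"}))
    # Constructed: a config file carrying a fake key ID in the AWS long-term format.
    (root / "info.json").write_text(json.dumps({
        "cdn": {"access_key_id": "AKIAEXAMPLEEXAMPLE01", "secret": "not-a-real-secret"}
    }))
    (root / "backup").mkdir()
    (root / "backup" / "blog_dump.sql").write_text("-- constructed SQL dump\n")
    return root


if __name__ == "__main__":
    for rel_path, reason in audit_web_root(build_sample_web_root()):
        print(f"DO NOT PUBLISH: {rel_path} ({reason})")
```

Running the script against the constructed web root reports `backup/blog_dump.sql` (file type) and `info.json` (access key ID) while leaving `index.html` and `assets/site.json` alone. The check belongs in the deploy pipeline as a gate, and it complements rather than replaces the server-side fix the article's 403 response reflects: directory listing stays off (`Options -Indexes` in Apache, `autoindex off` in nginx) so that even a file that slips through is not enumerable.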

How to protect yourself

On April 15, we notified Santander’s Belgian website of the misconfiguration, and on April 24 they responded and seem to have fixed the issue. Their CyberSecurity Team stated: “We take cyber security seriously and strive to maintain the highest security standards and best practices and welcome responsible disclosure attitudes in security researchers.”

When we checked for the misconfiguration again on April 27, we received the following message:


You don’t have permission to access this resource.

For Santander’s customers, as well as all other banking customers, we’d recommend that you always check the domain and subdomain that a suspicious bank email is sending you to. Make sure that the domain is the bank’s real domain, but also know that important financial information requests would never be hosted on the blog subdomain of a bank.

Editor’s note: this article was updated on May 19 to reflect new information in collaboration with BitSight that the keys may not have been active Cloudfront API keys at the time of our discovery.

Original post:


About the author: Bernard Meyer

Bernard Meyer is the Senior Researcher at CyberNews. He has a strong passion for security in popular software, maximizing privacy online, and keeping an eye on governments and corporations. He’s been featured in Fortune, Forbes, Wired, Mirror, TechRadar and more. You can usually find him on Twitter arguing with someone about something moderately important.

Pierluigi Paganini

(SecurityAffairs – Santander, hacking)

The post Santander, one of the biggest European banks, was leaking sensitive data on their website appeared first on Security Affairs.

Sophos blocked attacks exploiting XG Firewall zero-day to deploy Ransomware

Hackers attempted to exploit a zero-day flaw in the Sophos XG firewall to distribute ransomware to Windows machines, but the attack was blocked.

Threat actors attempted to exploit a zero-day (CVE-2020-12271) in the Sophos XG firewall to spread ransomware to Windows machines; the good news is that the attack was blocked by a hotfix issued by Sophos.

At the end of April, cybersecurity firm Sophos released an emergency patch to address an SQL injection zero-day vulnerability affecting its XG Firewall product that had been exploited in the wild.

Sophos was informed of the attacks exploiting the zero-day issue by one of its customers on April 22. The customer noticed “a suspicious field value visible in the management interface.”

Sophos investigated the incident and determined that hackers were targeting systems configured with either the administration (HTTPS service) or the User Portal exposed on the WAN zone.

The attackers exploited an SQL injection zero-day vulnerability to gain access to exposed XG devices.

“The attack used a previously unknown SQL injection vulnerability to gain access to exposed XG devices.” reads the advisory published by Sophos.

“It was designed to download payloads intended to exfiltrate XG Firewall-resident data. The data for any specific firewall depends upon the specific configuration and may include usernames and hashed passwords for the local device admin(s), portal admins, and user accounts used for remote access.”

“Passwords associated with external authentication systems such as AD or LDAP are unaffected. At this time, there is no indication that the attack accessed anything on the local networks behind any impacted XG Firewall.”

The hackers exploited the SQL injection flaw to download malicious code on the device that was designed to steal files from the XG Firewall.

Hackers exploited the issue to install the Asnarök Trojan that allowed the attackers to steal files from the XG Firewall and use the stolen info to compromise the network remotely.

The Trojan could be used to steal sensitive data including usernames and hashed passwords for the firewall device admin, and user accounts used for remote access. Login credentials associated with external authentication systems (i.e. AD, LDAP) are not impacted by the flaw.

According to a report published by Sophos at the end of April, the malware employed in the attack is able to retrieve firewall resident information, including:

  • The firewall’s license and serial number
  • A list of the email addresses of user accounts that were stored on the device, followed by the primary email belonging to the firewall’s administrator account
  • Firewall users’ names, usernames, the encrypted form of the passwords, and the salted SHA256 hash of the administrator account’s password. Passwords were not stored in plain text.
  • A list of the user IDs permitted to use the firewall for SSL VPN and accounts that were permitted to use a “clientless” VPN connection.

Below the attack scenario described by Sophos:

Sophos pushed a hotfix to the firewalls after the discovery of the attacks.

This hotfix eliminated the SQL injection vulnerability, stopped the XG Firewall from accessing any infrastructure under the control of the attackers, and cleaned up any remnants of the attack.

Sophos’s update also added a special box in the XG Firewall control panel to allow users to determine if their device has been compromised.

In the new wave of attacks, hackers exploited the issue to distribute the Ragnarok Ransomware.

“Since we published our first report, the attackers first modified their attack to attempt to use what we previously described as the “backup channel.” This was a Linux shell script that served as a dead man switch—a portion of the attack intended to trigger only under certain circumstances; in this case, if a specific file the attackers created during the attack gets deleted.” continues the report.

To deploy the Ragnarok ransomware, attackers attempted to leverage the EternalBlue and DoublePulsar exploits.

“Ragnarok is a less common threat than other ransomware, and it appears that this threat actor’s modus operandi – and the tooling they employ to deliver this ransomware—is quite different from those of many other threat actors. It was a rare and notable event to observe a Linux ELF application being used to try to spread malware across platforms to Windows computers.” concludes the report.

“This incident highlights the necessity of keeping machines inside the firewall perimeter up to date, and serves as a reminder that any IOT device could be abused as a foothold to reach Windows machines.”

Pierluigi Paganini

(SecurityAffairs – Sophos XG firewall, hacking)

The post Sophos blocked attacks exploiting XG Firewall zero-day to deploy Ransomware appeared first on Security Affairs.

How to mitigate your business risk in the new normal

With billions around the world now in lockdown, businesses have activated sometimes dated continuity plans that never envisioned their entire staff working from home. The challenges to adjust to the so-called “new normal” of working from home has generally happened in two phases: The first phase of “getting remote and getting connected” saw companies provide…

Zoom Meetings Bombed with Child Sexual Abuse Material

The disruption of nearly 200 Zoom meetings with images of child sexual abuse has prompted the FBI to issue a warning.

In recent months, schools, councils, businesses, and the general public have been using the videoconferencing app to communicate after social distancing and lockdown measures introduced to slow the spread of COVID-19 made face-to-face interaction difficult.  

However, as the number of legitimate users has risen, so too has the number of Zoom-bombing incidents in which malicious users hack meetings to subject attendees to unwanted language and images. 

While some Zoom-bombings consist of little more than a schoolboy prank, others are seriously offensive, featuring lewd imagery, expletives, and racist language. According to the FBI, a growing number of these cyber-attacks now feature material depicting the sexual abuse of minors. 

"During the last few months, the FBI has received more than 195 reports of incidents throughout the United States and in other countries in which a Zoom participant was able to broadcast a video depicting child sexual abuse material (CSAM)," wrote the FBI in a statement released yesterday.

"The FBI considers this activity to be a violent crime, as every time child sexual abuse material is viewed, the depicted child is re-victimized. Furthermore, anyone who inadvertently sees child sexual abuse material depicted during a virtual event is potentially a victim as well."

The Bureau asked any Zoom hosts or administrators who have had a meeting disrupted by the broadcast of CSAM to contact the FBI and to keep a record of what occurred. 

The FBI warned Zoom users to consider the privacy of any videoconferences they schedule. 

"Links to many virtual events are being shared online, resulting in a lack of vetting of approved participants," said the FBI. "Do not make meetings or classrooms public. Do not share a link to a teleconference or classroom on an unrestricted, publicly available social media post. Provide the link directly to specific attendees." 

The Bureau advised users to make their Zoom meetings private either by requiring attendees to enter a meeting password or by using the waiting room feature to control the admittance of guests.

To limit the risk of abusive content being shown, hosts can change the screen-sharing options to "Host Only." 

Raytheon’s Board Takes Voluntary Pay Cut

Raytheon Technologies’ board of directors is taking a voluntary pay cut as the United States continues to be impacted by COVID-19. 

The board has reduced non-employee director compensation by an amount equal to 20% of the director cash retainer. The pay cut will apply for the annual term ending at the 2021 Annual Meeting of Shareowners.

The defense giant, which is headquartered in Waltham, Massachusetts, announced the board's gesture on May 14. 

News of the resolution follows a decision by CEO Greg Hayes to institute a temporary 10% base pay reduction for all salaried employees across the company's Pratt & Whitney and Collins Aerospace Systems businesses as well as its corporate offices. 

Raytheon employs 195,000 people across four industry-leading businesses―Collins Aerospace Systems, Pratt & Whitney, Raytheon Intelligence & Space, and Raytheon Missiles & Defense. 

Temporary reductions in pay announced by Raytheon last month will go into effect from June and remain in place until the end of the year. 

Previously, CEO Greg Hayes and executive chairman Tom Kennedy had volunteered to slash their salaries by 20% for the same period.

In a statement released May 14, Raytheon said: "Raytheon Technologies continues to monitor the crisis and is responding as needed to ensure the wellbeing of its employees, customers and suppliers, while protecting the long-term financial strength of the business."

Raytheon Technologies Corporation was formed in 2020 through the combination of Raytheon Company and the United Technologies Corporation aerospace businesses. 

This week, the company confirmed that it is closing an office in Albuquerque, New Mexico, where 200 people are currently employed. 

Raytheon spokeswoman Heather Uberuaga said the company is seeking to streamline its capabilities and relocate support for key capabilities and customer programs to alternative facilities elsewhere in the United States.

"We think this move is in the best interest of our customers as we look to further integrate and streamline our capabilities with pursuits and programs located at other sites while working with employees on a case-by-case basis to explore their individual employment options going forward,” Uberuaga wrote in an email to the Albuquerque Journal.

Hot Offering on Darknet: Access to Corporate Networks

More Ads Offer Access for a Substantial Price: Positive Technologies
The number of darknet forum ads offering full access to corporate networks jumped almost 70% during the first quarter of 2020, compared to the previous quarter, posing a significant potential risk to corporations and their now remote workforces, according to security firm Positive Technologies.

Meal delivery service Home Chef discloses data breach

Meal delivery service Home Chef has confirmed that it recently suffered a security breach that exposed its customer information.

Meal delivery service Home Chef has disclosed a data breach that exposed its customer information. Home Chef also explained that only a portion of its customers were impacted in the security incident.

In early May, the Shiny Hunters hacking group started offering for sale databases containing tens of millions of user records from over 11 companies.

Below is the complete list published by BleepingComputer:

Company                              User Records   Price
Tokopedia                            91 million     $5,000
Home Chef                            8 million      $2,500
Bhinneka                             1.2 million    $1,200
Minted                               5 million      $2,500
Styleshare                           6 million      $2,700
Ggumim                               2 million      $1,300
Mindful                              2 million      $1,300
StarTribune                          1 million      $1,100
ChatBooks                            15 million     $3,500
The Chronicle Of Higher Education    3 million      $1,500
Zoosk                                30 million     $500

At the time, the Shiny Hunters were offering more than 8 million records for $2500.

Now the company confirmed the data breach, saying that the incident has impacted select customer information.

Exposed data includes email addresses, names, phone numbers, hashed passwords, and the last four digits of credit card numbers.

“Was My Credit Card Information Compromised? Home Chef does not store complete credit or debit card information,” reads the FAQ published by the company.

“Information such as frequency of deliveries and mailing address may also have been compromised.”

Home Chef also underlined the fact that it does not store complete credit or debit card information. The company is investigating the incident and announced that it is taking action to strengthen its security defenses and prevent similar incidents in the future.

Although the company stores passwords in encrypted format, it recommends that users change their password out of an abundance of caution, following this process:

  1. Visit www.homechef.com
  2. Click on “Log in”
  3. Click on “Account Information”, which is located under the “Account” dropdown menu
  4. Complete the “Change Your Password” section and click “Save your settings.” There’s no need to adjust the other sections on the Account page (e.g. “Subscription”)

Home Chef users should remain vigilant against phishing attacks and suspicious activity in their accounts.

The company is notifying the impacted users of the incident.

Pierluigi Paganini

(SecurityAffairs – HomeChef, hacking)

The post Meal delivery service Home Chef discloses data breach appeared first on Security Affairs.

BlockFi Hacked Following SIM Swap Attack, But Says No Funds Lost

For just under 90 minutes last Thursday, hackers were able to compromise the systems of cryptocurrency lending platform BlockFi, and gain unauthorised access to users’ names, email addresses, dates of birth, address and activity history. In an incident report published on its website, BlockFi was keen to stress that the hacker’s activity had been logged […]… Read More

The post BlockFi Hacked Following SIM Swap Attack, But Says No Funds Lost appeared first on The State of Security.

Attackers still exploiting old vulnerabilities, says NTT report

Failure to patch old vulnerabilities is still a leading cause of breaches of security controls, says a new report.

In its annual Global Threat Intelligence Report released this week, global services company NTT Ltd. said threat actors continue to focus on vulnerabilities that are several years old with apparent success.

“In our first report [seven years ago] we mentioned one of the problems is vulnerabilities 10 years or older represent 22 per cent of all breaches in our client base,” Matthew Gyde, CEO of NTT Ltd.’s security division, noted in an interview.

“While that’s got a little bit better, many organizations are still not maintaining their systems to prevent people from going after old vulnerabilities … Old school attacks are still strong.”

The report, which uses data from the company’s customers collected between October 2018 and September 2019, noted that during the period organizations continued to experience high levels of malicious scanning focused on identifying the six-year-old Shellshock (CVE-2014-6271) vulnerabilities. Continued attacks against vulnerabilities such as the six-year-old Heartbleed (CVE-2014-0160) helped make OpenSSL the second most targeted software technology with 19 per cent of hostile activity globally. Seventeen vulnerabilities in OpenSSL identified in the last two years contributed to a constant focus of attacks against vulnerable implementations.

Ironically, response to the current COVID-19 pandemic may change that, Gyde said, as CIOs shift from on-premise to cloud-based applications, which get regular updates from their developers.

NTT Ltd. is a subsidiary of Japanese telecom giant NTT Corp. and includes well-known units such as Dimension Data and White Hat Security. NTT Ltd. operates in 31 countries outside of Japan. It has a staff of 60 in Canada, including 12 focusing on cybersecurity solutions.

The finding that threat actors continue to leverage old vulnerabilities in 2019 was one of six trends identified in the 73-page report. Others include the increased use of machine learning and artificial intelligence tools by threat actors to automate attacks; the weaponization of infected Internet of Things devices; increased attacks on content management systems; the tightening by governments and regulators of governance and privacy laws; and the increasing targeting by attackers of technology firms and governments.

The attack data indicates that over half (55 per cent) of all attacks in the study period were a combination of web-application and application-specific attacks, up from 32 per cent the year before. Twenty per cent of attacks targeted CMS suites and more than 28 per cent targeted technologies that support websites. Organizations that are relying more on their web presence during COVID-19, such as customer portals, retail sites, and supported web applications, risk exposing themselves through systems and applications that cybercriminals are already targeting heavily.

The trends analysis is broken down geographically and by five industry sectors.

Among the recommendations for IT leaders:

  • Mature your organization’s approach to be secure by design. Understanding your organization’s goals, identifying acceptable risk, and building cyber-resilient capabilities are essential to navigating the threat landscape. An entire section of the report deals with cyber-resiliency.
  • Pursue intelligence-driven cybersecurity. Cybersecurity and business leadership must change the way they think and apply security, and must transform from a reactive mindset, to a more effective, proactive, intelligence-driven approach.
  • Monitor the threat environment. Leveraging intelligent cybersecurity to guide decisions, support business agility, and maintain an acceptable risk level for the organization is essential to success.
  • Focus on standardization of controls. Cybersecurity defenders should focus on leveraging standards, knowledgebases, and frameworks such as the MITRE ATT&CK and NIST Cybersecurity Framework. These will help organizations mitigate risks and provide excellent information to help organizations assess organizational risk.

The report can be downloaded here. Registration required.

Cybersecurity Company Sues Private Equity Firm for Backing Out of Buyout

Cybersecurity firm Forescout Technologies Inc. yesterday sued a private equity firm for backing out of a $1.9bn buyout.

Advent International Corporation agreed to buy Forescout back in February 2020, but four days before the takeover was due to be completed, the firm announced it would no longer be closing the deal. 

According to California company Forescout, Advent said it was reneging on the deal because of the impact of the global outbreak of COVID-19. 

The takeover had been scheduled to go ahead on Monday, May 18. On May 20, Forescout filed a lawsuit in the Delaware Court of Chancery requesting that Advent be ordered to complete the buyout.

In a statement released yesterday, Forescout accused Advent of violating the terms of their merger agreement.

A spokesperson for the aggrieved cybersecurity company said: "Advent’s purported excuse for its wrongful conduct is that a closing condition to the transaction has not been satisfied because a 'material adverse effect' has occurred at Forescout.

"Forescout believes that no material adverse effect has occurred, that all closing conditions are satisfied, and that Advent is obligated to close the transaction."

The cybersecurity company said that the effects of COVID-19 had been factored into negotiations and that Advent "has relied on meritless excuses" to wriggle out of the deal.

"The merger agreement explicitly allocated the risk of any impacts from COVID-19 to Advent," said Forescout.

Theresia Gouw, chair of the Forescout board, described Advent's getting cold feet over the planned buyout as highly disappointing. 

“The only change since the merger agreement was jointly executed in February is the deepening of the COVID-19 pandemic, which has significantly impacted global macro-economic conditions," said Gouw. 

"All companies have been challenged by this pandemic, and it is highly disappointing that Advent would attempt to exploit market volatility to renege on its contractual obligations, particularly when the merger agreement explicitly excludes the effects of a pandemic as a material adverse event."

The surprising turn of events sent Forescout's shares tumbling to an all-time low yesterday. Shares were at just $18.33 when trading opened. Advent International agreed on February 6 to pay $33 a share to take Forescout private.

Google’s New Ad Policy Overlooks A Bigger Threat

Google has announced that advertisers on its platforms will have to verify their identities and their businesses. They will have 30 days to comply. 

On its face, this seems like common sense and a good idea. The Internet has been rife with fraudulent Covid-19 schemes targeting stimulus checks, selling snake oil cures and price gouging on hard to acquire products. The reality is less clearcut.

Where’s The Data?

The first issue here is Google’s track record when it comes to data mining and privacy. The company is the most successful, and also one of the most appetitive compilers of personal information in digital media. 

While it’s fairly common knowledge that Google’s Chrome browser is no stranger to controversy when it comes to tracking users and collecting data, there is more worrisome activity that gets far less attention. The company aggregates data from its phones, tablets, home media devices, personal assistants, website searches, analytics platform, and even offline credit card transactions. To say that it already has access to data about businesses and individuals would be an understatement and only serves to underscore what’s wrong with this latest initiative. 

There has been plenty of opportunity for Google to put its vast stores of data to use in the identification of bad actors on its platforms with a greater level of sophistication than anything that could be gleaned from digital copies of personal and employee identification numbers or business incorporation documents. They already have everything they need to determine if someone is from the U.S. or Uzbekistan. 

Occam’s Razor points to two explanations. First, Google is doing what it does best: collecting more information. Second, Google is doing what it does best: using information to solve an information problem. Either way, it’s not a very memorable solution.  

Ignoring the Realities of Business Identity Theft

It seems naive to take the position that the submission of digital copies of documents can provide a reliable way to establish the identity of a particular business. In an era where Social Security numbers and tax IDs can be bought by the millions on the dark web and computers are capable of rendering real-time deepfakes on video conference calls, faking a document or credentials is child’s play for any scammer worth his or her Bitcoin. 

For starters, this easily flouted protocol engenders a false sense of security for internet users who assume Google’s verification process works. If this sounds cynical, remember that Facebook tried something like this following the widespread manipulation of its platform during the 2016 election. It failed.

This practice also puts a target on businesses. At a minimum, it will require the widespread transmission of digital copies of potentially sensitive business documents, which opens the door to scammers trying to intercept that data. Business identity theft is a very real threat, and access to a business’s credentials can leave it vulnerable to data breaches, fraud, cyberattacks, and worse. At a maximum, it could actually boost the market for illicit or compromised information on businesses as a means of supplying fake credentials to Google. 

We’ve seen time and again that scammers are creative and extremely persistent when it comes to gaining access to sensitive data, and we can only assume any ill-considered move to protect data will be viewed as a growth opportunity for cybercriminals.

Security Theater

The term “security theater” gained popularity after the implementation of TSA security measures in the wake of the 9/11 attacks, and it seems applicable here. 

Google’s new policies seem like marketing more than security. While they are likely to make customers and businesses that use its online advertising platform feel safer, they could easily have the opposite effect. 

A company with Google’s reach, resources, and oftentimes incredibly granular data isn’t likely to be made any more secure by collecting and gathering digital documents from its clients. It might, however, be putting businesses at greater risk of fraud and data compromise. 

The post Google’s New Ad Policy Overlooks A Bigger Threat appeared first on Adam Levin.

Vulnerability Spotlight: Memory Corruption Vulnerability in GNU Glibc Leaves Smart Vehicles Open to Attack

By Sam Dytrych and Jason Royes.

Executive summary

Modern automobiles are complex machines, merging both mechanical and computer systems under one roof. As automobiles become more advanced, additional sensors and devices are added to help the vehicle understand its internal and external environments. These sensors provide drivers with real-time information, connect the vehicle to the global fleet network and, in some cases, actively use and interpret this telemetry data to drive the vehicle.

These vehicles also frequently integrate both mobile and cloud components to improve the end-user experience. Functionality such as vehicle monitoring, remote start/stop, over-the-air updates and roadside assistance are offered to the end-user as additional services and quality of life improvements.

All these electronic and computer systems introduce a lot of different attack vectors in connected vehicles – Bluetooth, Digital Radio (HD Radio/DAB), USB, CAN bus, Wi-Fi and, in some cases, cellular. However, like any other embedded system, connected vehicles are exposed to cyber attacks and security threats. Some of the threats that connected vehicles face include software vulnerabilities, hardware-based attacks and even remote control of the vehicle. During some recent research, Cisco’s Customer Experience Assessment & Penetration Team (CX APT) discovered a memory corruption vulnerability in GNU libc for ARMv7, which leaves Linux ARMv7 systems open to exploitation. This vulnerability is identified as TALOS-2020-1019/CVE-2020-6096.


The post Vulnerability Spotlight: Memory Corruption Vulnerability in GNU Glibc Leaves Smart Vehicles Open to Attack appeared first on Cisco Blogs.

Remote Workforce Security – the Long Game

"Risk acceptance" was the operative term as organizations quickly deployed remote workforces in response to the global crisis. But now, as this deployment becomes a long-term option, enterprises need to take a future-focused view toward identity, cloud, and the attack surface. Forcepoint's Homayun Yaqub offers tips.

Realigning Priorities and Building a Bridge Between Security and Development

It’s a common conundrum for application security (AppSec) teams… how can developers and security professionals work together to release software faster? It takes a working relationship, good communication, and the right tools, which most teams don’t have.

Even more discouraging, stigmas follow both teams around the office; developers often worry that security is there to slow down or halt their projects while security is concerned that developers aren’t prioritizing secure code. As modern software development becomes faster with tighter deadlines and an array of cyberthreats awaiting vulnerable code, there’s little room for misalignment.

It’s a multifaceted issue that should be understood from both angles. Misaligned business priorities and processes can create an array of problems, from a lack of innovation for fear of increased risk to unforeseen vulnerabilities falling through the cracks during the development process. And when developers aren’t empowered to improve their skills with educational tools like Security Labs, there’s less of a chance that they’ll feel prepared or appreciated when security comes knocking.

To begin addressing these concerns, changes must come from the top-down, trickling through each team to impact their goals and methods for an overall healthier AppSec program. When they have direction, developers and security leaders can find a common ground by building a working relationship that benefits both teams (and ultimately, the entire organization). Three key steps to fixing the misalignment between security and development include:

  1. Shifting to a security-focused mindset across the business.
  2. Implementing a security champions program to encourage developer participation.
  3. Making it easier for the development team to write secure code.

Once security leaders understand the tools and methodologies developers are most comfortable with, and developers have the opportunity to learn more about security practices, closing the gap between these two otherwise siloed teams isn’t as daunting. With the right tools, processes, and communication methods in place, security and development will have an easier time falling into the right working cadence to produce more secure applications.

Watch our video "Tips for Unifying the Security Professional and Developer Roles" below to hear from Veracode’s Chief Technical Officer Chris Wysopal and Chief Product Officer Ian McLeod on how these roles became misaligned, and how organizations can tackle the problem head-on.

Your Network Has Left the Building – How do you secure it?

Your network has left the building. It’s no longer sitting in the server room down the hall where you can keep an eye on it. And it’s no longer safely tucked behind your corporate firewall. Instead, it’s in the cloud. It’s inside your users’ smartphones. And especially now, your corporate network is in people’s homes.

Today’s security teams have to mind various areas of their network and cloud infrastructure, remote users and endpoints, and applications running everywhere in order to remain secure. And as soon as new technology is developed or widely used, attackers find ways to take advantage of it – making security vigilance even more critical.

In our recent 2020 CISO Benchmark Study, we asked security professionals which areas of their environment they find most challenging to defend. According to the study:

  • 52% find mobile devices and data stored in the public cloud very or extremely challenging to defend
  • 50% find private cloud infrastructure very or extremely difficult to defend
  • 41% find data centers and network infrastructure very or extremely difficult to defend
  • 39% say they are really struggling to secure applications

While the moves to mobile and cloud seem to pose the biggest challenges, the data shows that the rest of your security concerns haven’t gone away either.

So how do you do it all?

How do you protect some of the newer technologies that have become part of your environment while still paying attention to things like your traditional data center and network infrastructure to make sure they are not breached? And how do you do this amidst unprecedented remote worker hurdles and a dramatic shortage of skilled cybersecurity professionals? Here are some examples of how Cisco can help you protect the challenge areas outlined above.


In order for security to work, it has to work across all the devices your employees are using. Cisco’s endpoint security combines a variety of security technologies to make sure your users’ mobile devices are protected, and in turn, do not compromise the corporate network. For example, Cisco AnyConnect and Cisco Duo enable users to securely access your network or applications using managed or unmanaged, mobile or traditional devices. And Cisco Umbrella and Cisco AMP for Endpoints defend these devices against threats from the first line to the last line of defense.

In response to current challenges, we have also launched the Cisco Secure Remote Worker solution to help organizations address the recent rise in remote and mobile workers. The intent is to better enable IT and security teams to quickly provision remote workers without sacrificing cybersecurity. The offering includes extended free trials and expanded usage counts to help alleviate today’s tremendous IT and security demands. Learn more about how this offering can enable secure access for a distributed workforce and help you defend against malware across the network, endpoints, cloud, and applications.


Cisco’s cloud security protects your assets and data in the cloud from multiple angles. It helps secure private, public, and hybrid clouds to facilitate your transition to a multicloud environment. With Cisco’s cloud edge security, you can: 1) secure cloud access, 2) protect cloud users, data, and applications, and 3) extend in-depth visibility and threat detection into the cloud.

Data Center

Today’s application workloads are more dynamic, moving across on-prem and multicloud environments. This requires a new strategy for data center security that can protect workloads wherever they go. The Cisco Secure Data Center solution provides several layers of security through in-depth visibility, segmentation, and threat protection. The solution brings together key technologies that let you see, segment, and secure your data as it travels across your environment and into the cloud.


Related to data center security is application security. Cisco’s application security brings continuous, adaptive protection closer to your applications to give you greater insight and control over what is running in your environment. The security follows your applications to ensure protection without hindering productivity and innovation. This allows you to understand application behaviors, automate micro-segmentation, and use security analytics to speed detection.


Perhaps the trickiest area to summarize is network security due to the ever-expanding components that make up today’s “network.” You need a next-generation firewall that can keep up with your expanding infrastructure and sophisticated attackers. You need a way for authorized users to securely connect to the network. And once they’re logged in, you need multiple layers of protection to prevent them from abusing their privileges or being compromised by malware.

Bringing it all together

While we secure many areas of the corporate environment, we don’t do so in silos. Our security products all work together – and with the customer’s infrastructure, including third-party technologies – to provide more cohesive, automated defenses. By taking a platform approach to security, Cisco SecureX results in greater visibility, collaboration, and protection across all threat vectors, access points, and areas of your infrastructure. This reduces complexity while enabling a zero-trust security strategy.

For more information

Explore our entire security portfolio and review the 2020 CISO Benchmark Report for more information on how to protect various areas of your environment.

This post is part of a series covering topics and data from our 2020 CISO Benchmark Report. Read previous posts here, and be sure to check back soon for more!

The post Your Network Has Left the Building – How do you secure it? appeared first on Cisco Blogs.

The Future of the Email Security Market: The Importance of the Secure Email Gateway

Welcome to the first in a series of blogs on the future of the email security market and how you can leverage the latest technologies to secure your cloud email deployments. Our goal is to make these blogs easy to consume and publish them on a regular basis.

While much of the content we will cover here will be about new and emerging ways to protect cloud mailboxes, it’s important to start with a view of the continued relevance of the Secure Email Gateway (SEG). The SEG technology space, and Cisco’s Cloud Email Security (CES) in particular, is still a valuable part of the enterprise content security strategy. Its strength lies in its versatility and comprehensive configuration options that can produce unparalleled efficacy when tuned by knowledgeable administrators and engineers.

Cisco Email Security: Strengthening the Email Pipeline


The graphic above illustrates just how comprehensive Cisco’s gateway offering is. In the top left, we can see connection-time protections that are only possible with SEG products. Administrators have long accepted that essential mail server hardening was not sufficient to protect their environments from attacks like directory harvesting. With the move to O365, administrators no longer have to perform infrastructure maintenance like patching, but well-resourced security organizations still value granular connection-time controls to defeat complex attacks that target the infrastructure rather than users’ mailboxes. The Connection and Content Filtering engines referenced in the graphic above, when correctly configured, are well-positioned to mitigate this kind of attack.

This is just one example of the kind of protection that Cisco’s Cloud Email Security (CES) allows customers to bring with them when they migrate away from on-premises email servers. Experienced CES administrators are adept at crafting message filters to deal with targeted campaigns and emerging threats that have not yet been identified by research groups or content scanning engines. The ability to narrow these rules to groups and individual users is powerful in the hands of security operations engineers who require scalpels to meet the varying demands of their departments. These often require specialized policies that address particular needs while maintaining the integrity of their email communications. The availability of multiple quarantines addresses the shortcomings of the junk folder-centric Microsoft approach for those who need a more nuanced set of tools.

These examples do not cover all of the use-cases and benefits of CES for cloud email customers (for that, you can explore the user guides and product video), but they do illustrate a key message. The SEG space offers granular, customizable controls that are incredibly powerful in the hands of well-trained administrators and engineers.

If yours is one of the organizations that don’t require the granular controls and customization of SEG, and simplicity is the most appealing aspect of moving to the cloud, then follow us as we continue this series by examining emerging cloud email security technologies.

In the meantime, read more about the layered approach to email security that makes Cisco Email Security an industry leader.

The post The Future of the Email Security Market: The Importance of the Secure Email Gateway appeared first on Cisco Blogs.

My Flight Path: From the Royal Air Force to McAfee

By: Gareth, Technical Support Engineer, UK

Where do you see yourself in five years? This well-known question is the crux of any career planning. Your answer may take self-reflection with twists and turns or it may be a more obvious, straightforward path. My answer was the latter—or so I thought.

Just last year, my answer was serving in the Royal Air Force (RAF). But here I am, at McAfee as a veteran through McAfee’s Return to Workplace program. I’m thankful my career took a few twists.

Change in Flight Path

For nearly two decades, serving in the RAF was all I knew. I carried out ceremonial duties in the Queen’s Colour Squadron, deployed airfield communication systems and served as an instructor for several certification courses. The RAF was my second home. I imagined my career beginning and ending with a commitment to serve and protect.

Last year, my career veered left. After a severe injury, I was medically discharged. The surgery and rehabilitation proved a challenge, but the loss of what felt like my lifelong purpose was another shock to my system that took time to accept.

In a way, I felt prepared. Flight paths change. I refocused this as an unexpected opportunity to reinvent myself in the civilian world.

Finding Flight Instructions

I asked myself the infamous question, “Where do you see yourself in five years?” I landed in the technology sector as a logical next step, given my background. My answer didn’t include belonging—I doubted I would find a sense of purpose the RAF offered.

All too quickly, I learned military certifications don’t hold much value to corporations. Prospective employers informed me I didn’t have the right education or the right experience.

I needed flying instructions to support my entry into seemingly foreign territory.

I stood on the edge of defeat when I stumbled upon McAfee’s Return to Workplace program—for veterans! This 12-week program would provide classroom and on-the-job training I could add to my resume. Here were my flying instructions.

A New Squadron at McAfee

My fingers couldn’t click apply fast enough. I was the first veteran accepted into the program. Though newly established, my experience was second to none. The stand-out training and customer work rebuilt my confidence.

I even found belonging and purpose. The team environment is not unlike the military. Team members willingly supported me in solving problems or directing me to someone who could help. Although how I protect my family, community and government looks different from military to McAfee, my purpose remains.

I’m thrilled to continue my work with McAfee after the 12-week period. I plan to support other veterans through McAfee’s Return to Workplace program. Even though I’m qualified and capable, my difficulty in finding civilian work is not a unique experience for veterans. I’m hopeful I can make a difference for veterans looking to reenter civilian life and help others realize the value veteran experience offers.

I’m confident I now have the skills needed for takeoff and where do I see myself in five years? At McAfee.

Join a company that values all experiences. Search our openings.

The post My Flight Path: From the Royal Air Force to McAfee appeared first on McAfee Blogs.

Tens of thousands Israeli websites defaced

Thousands of Israeli websites were defaced earlier today; hackers published an anti-Israeli message on their homepages and attempted to implant malicious code.

A massive hacking campaign defaced thousands of Israeli websites. Attackers published an anti-Israeli message on their homepages and attempted to inject malware seeking permission to access visitors’ webcams.

“Be ready for a big surprise.” “The countdown of Israel destruction has begun since a long time ago,” reads the message published in Hebrew and English on the defaced Israeli websites.

A video published by the hackers shows explosions in Tel Aviv and a battered and bloodied Prime Minister Benjamin Netanyahu swimming away from a burning city.

The hackers also added a link on some websites, asking users to click on the link and activate their camera.

The hacked websites belong to local municipalities, several NGOs, popular restaurant chains, and a left-wing Member of Parliament.

The attacks were carried out by a group calling itself the “Hackers of Saviour”; most of the hacked websites were hosted on the Israeli WordPress hosting service uPress. The hacker group’s YouTube channel describes the crew as a collective seeking to avenge Israel’s policy on the Palestinian situation.

“Early this morning we detected a widespread cyber attack against many websites stored on our servers. It is a case of a malicious and far-ranging attack carried out by anti-Israel (Iranian) sources. We detected a weakness in a WordPress add on that enabled the hack and are working closely with the National Cyber Bureau to research the breach and fix the affected sites.” reads a statement from the company sent to Ynet News.

The hosting provider confirmed the attack and revealed that the hackers exploited a vulnerability in a WordPress plugin to compromise the Israeli websites. Below is the message published by the company on Facebook:

Update notice: Dear customers, early today we identified a wide-ranging cyber attack on many sites hosted with us. It is an attack…

Posted by ‎אחסון וורדפרס – uPress‎ on Thursday, 21 May 2020

The company said it was working with Israeli authorities to investigate the hack. uPress also took down all defaced websites and pulled the file hackers were exploiting. The company is working to restore all the defaced websites.

“The Israel National Cyber Bureau, the government agency tasked with protecting Israel from hacking attacks, confirmed that ‘a host of Israeli websites were hacked in the morning hours in a suspected Iranian cyber-attack,’” reported the website Calcalistech.

“The matter is being handled by the Bureau. We recommend users refrain from pressing any links on compromised sites.”

The hosting provider reported the incident to the authorities that launched an investigation into the attacks.

The Israeli National Cyber-Directorate (INCD), the Israeli cyber-security agency, warned users against visiting and interacting with the hacked websites.

Israeli press outlets blame Iranian hackers for the attacks, but at this time there is no concrete evidence to support this attribution.

Pierluigi Paganini

(SecurityAffairs – Israeli websites, hacking)

The post Tens of thousands Israeli websites defaced appeared first on Security Affairs.

Signal fixes location-revealing flaw, introduces Signal PINs

Signal has fixed a vulnerability affecting its popular eponymous secure communications app that allowed bad actors to discover and track a user’s location. The nonprofit organization has also announced on Tuesday a new mechanism – Signal PINs – that will, eventually, allow users not to use their phone number as their user ID. About the vulnerability The vulnerability, discovered by Tenable researcher David Wells, stems from the fact that the WebRTC fork used by … More

The post Signal fixes location-revealing flaw, introduces Signal PINs appeared first on Help Net Security.

Winnti Group Targets Video Game Developers with New Backdoor Malware

Researchers from ESET have discovered a new modular backdoor used by the Winnti Group to target several video game companies that develop MMO (massively multiplayer online) games.

As explained in a blog post, the malware, dubbed ‘PipeMon’ by ESET, targeted companies in South Korea and Taiwan. The video games developed by these companies are distributed all around the world, are available on popular gaming platforms and have thousands of simultaneous players.

According to researchers, the new modular backdoor is signed with a code-signing certificate likely stolen during a previous campaign and shares similarities with the PortReuse backdoor.

In at least one case, the attackers compromised a company’s build orchestration server, allowing them to take control of the victim’s automated build systems. This could have allowed the attackers to Trojanize video game executables, although there’s no current evidence that has occurred. In another case, attackers compromised a company’s game servers. With this attack, it would be possible to manipulate in-game currencies for financial gain, ESET explained.

“Multiple indicators led us to attribute this campaign to the Winnti Group. Some of the command and control domains used by PipeMon were used by Winnti malware in previous campaigns,” said Mathieu Tartare, malware researcher at ESET. “Furthermore, in 2019, other Winnti malware was found at some of the same companies that were later discovered to be compromised with PipeMon in 2020.”

Iran-linked Chafer APT group targets governments in Kuwait and Saudi Arabia

Cybersecurity researchers uncovered an Iranian cyber espionage campaign conducted by Chafer APT and aimed at critical infrastructures in Kuwait and Saudi Arabia.

Cybersecurity researchers from Bitdefender published a detailed report on an Iranian cyber espionage campaign directed against critical infrastructures in Kuwait and Saudi Arabia.

The cyber espionage campaigns were carried out by Iran-linked Chafer APT (also known as APT39 or Remix Kitten).

The Chafer APT group has distributed data-stealing malware since at least mid-2014; it has focused on surveillance operations and the tracking of individuals.

The APT group targets telecommunication and travel industries in the Middle East to gather intelligence on Iran’s geopolitical interests.

“Victims of the analyzed campaigns fit into the pattern preferred by this actor, such as air transport and government sectors in the Middle East,” reads the researcher paper published by the experts.

“Some traces indicate that the goal of the attack was data exploration and exfiltration (on some of the victim’s tools such as Navicat, Winscp, found in an unusual location, namely “%WINDOWS%\ime\en-us-ime”, or SmartFtpPasswordDecryptor were present on their systems).”

The attackers used several tools, including ‘living off the land’ tools, which make it hard to attribute the attack to specific threat actors, as well as a custom-built backdoor.

The attacks against entities in Kuwait and Saudi Arabia have multiple similarities and share some common stages, but experts noticed that the attacks on victims in Kuwait seem more focused and sophisticated.

Chafer APT launched spear-phishing attacks; the messages were used to deliver multiple backdoors that allowed the attackers to gain a foothold, elevate their privileges, conduct internal reconnaissance, and establish persistence in the victim environment.

“Once the victims were compromised, attackers started to bring reconnaissance tools for network scanning (“xnet.exe”, “shareo.exe”) and credential gathering (as “mnl.exe” or “mimi32.exe”) or tools with multiple functionalities, such as CrackMapExec (for users’ enumeration, share listing, credentials harvesting and so on).” continues the report.

“During our investigation, on some of the compromised stations we observed some unusual behavior performed under a certain user account, leading us to believe the attackers managed to create a user account on the victims’ machine and performed several malicious actions inside the network, using that account.”

The attacks against entities in Kuwait appeared more sophisticated: the attackers created a user account on the compromised machines and performed malicious actions inside the network, including credential harvesting with Mimikatz and lateral movement using multiple hacking tools from their arsenal.

Most of the hacking activity occurs on Friday and Saturday, coinciding with the weekend in the Middle East.

The campaign against a Saudi Arabian entity was characterized by the heavy use of social engineering to trick the victim into executing a remote administration tool (RAT). The RAT employed in the attacks shares similarities with those used against Kuwait and Turkey.

“The case investigated in Saudi Arabia was not as elaborate, either because the attackers did not manage to further exploit the victim, or because the reconnaissance revealed no information of interest.” continues the report.

“While this attack was not as extensive as the one in Kuwait, some forensic evidence suggests that the same attackers might have orchestrated it. Despite the evidence for network discovery, we were not able to find any traces for lateral movement, most probably because threat actors were not able to find any vulnerable machines.”

The campaigns against Kuwait and Saudi Arabia demonstrate the intense cyberespionage activity carried out by Iran-linked APT groups in the Middle East. Still, we should not underestimate that these hacking groups are extending their range of action, targeting governments and organizations worldwide.

Pierluigi Paganini

(SecurityAffairs – Chafer APT, hacking)

The post Iran-linked Chafer APT group targets governments in Kuwait and Saudi Arabia appeared first on Security Affairs.

How Cybersecurity Enables Government, Health, EduTech Cope With COVID-19

The advent of the Covid-19 pandemic and the impact on our society has resulted in many dramatic changes to how people are traveling, interacting with each other, and collaborating at work. There are several trends taking place as a consequence of the outbreak, which has only continued to heighten the need for the tightest possible cybersecurity. Tools for Collaboration There has been a

Scattered Canary Behind Hundreds of Fraudulent Unemployment Claims

Security researchers discovered that the Scattered Canary group had filed hundreds of fraudulent unemployment claims in the wake of COVID-19. According to Agari Cyber Intelligence Division, at least some of the threat actors who took part in a large-scale fraud campaign targeting dozens of states’ unemployment insurance programs belonged to a Nigerian digital crime group […]… Read More

The post Scattered Canary Behind Hundreds of Fraudulent Unemployment Claims appeared first on The State of Security.

Flight Risk Employees Account for Most Insider Threats

Employees or contractors identified as a “flight risk” are linked to 60% of insider threat cases, increasing the likelihood that such incidents will involve theft of sensitive corporate data, according to Securonix.

The vendor’s 2020 Securonix Insider Threat Report was distilled from over 300 real-life insider incidents across multiple sectors.

It revealed that over 80% of staff members deemed likely to terminate their employment will take data with them, anywhere between two weeks and two months prior to them leaving. Flight risk can be determined from web browsing and email behavior, Securonix said.

Unsurprisingly, therefore, data exfiltration is the number one insider threat, with email the most popular vector for data loss, followed by web uploads and cloud storage sites.

Account sharing and shadow IT, especially the prevalence of cloud collaboration tools, are compounding the problem for IT security operations teams, the report claimed.

“Data aggregation and snooping of sensitive data is still prominent in most organizations, however tools to detect such behavior still lag behind. This is primarily due to organizations struggling to classify data that is deemed sensitive, combined with data being vastly distributed across networks and systems,” it explained.

“The circumvention of IT controls is prevalent across all organizations. IT security operations teams, especially ones from large enterprises, are finding it difficult to draw conclusions about such incidents mostly due to lack of, or differences between, policies and procedures for each line of business.”

Pharmaceutical firms accounted for the largest number of data exfiltration incidents analyzed by Securonix, which is understandable considering the highly sensitive IP handled by these organizations.

Behavioral analytics were used most often to detect abnormal user behavior and flag violations.

However, data theft is only one of many risks posed by employees. Many of these stem from negligence rather than deliberate malice. Human error, including misconfiguration of cloud systems and misdelivery of emails, accounted for 22% of breaches analyzed by Verizon in its latest report.

Smashing Security podcast #179: Deepfake Jay-Z, and beer apps spilling your data

Apps that belch out sensitive military information, what could the world learn from South Korea’s digital response to the Coronavirus pandemic, and who has been deepfaking Bill Clinton, Jay-Z, and Donald Trump… and why?

All this and much much more is discussed in the latest episode by computer security veterans Graham Cluley and Carole Theriault, joined this week by Brian Klaas of the “Power Corrupts” podcast.

IT Asset Management Forum Launches to Enhance Sector

A not-for-profit body for the asset management sector has been established to advance the overall reputation and recognition of the IT Asset Management (ITAM) industry while providing a collaborative space for ITAM leaders to come together.

The ITAM Forum launches with a board of 15 trustees from across the ITAM industry – representing IT end users, resellers, tool providers and independent consultants, with two objectives:

  • To educate and evangelize – to encourage more companies to practice ITAM and to attract new professionals into the industry
  • To promote best practice – provide a collaborative, global forum for ITAM leaders to come together and share ideas for the advancement of the ITAM industry (eventually establishing a globally-recognized Organizational certification for ITAM)

Founder Martin Thompson said that with more focus on asset management, due to the COVID-19 pandemic driving more employees to work remotely, “IT Asset Managers have a huge role to play in documenting and unpicking this rapid and unplanned investment. 

“The smart management of assets is a shrewd business practice which delivers benefits far beyond IT. ITAM therefore has a rightful place outside of the niche IT/ITSM domain from where it started, and as a boardroom priority in its own right. The ITAM Forum is here to help it achieve this goal, by raising the profile of the ITAM discipline as much more than a compliance exercise and demonstrating its value to every organization looking to better manage its assets.”

In an email to Infosecurity, Lenny Zeltser, CISO of asset management vendor Axonius, said it was encouraging to see the increasing importance that cybersecurity professionals have been assigning to IT asset management in recent years.

“Security teams recognize that ITAM is a foundational aspect of a security program,” Zeltser said. “We need to know what devices, systems, users and applications we have, so we can implement the appropriate safeguards for them. Industry frameworks such as ISO 27001, CIS Critical Controls and NIST Cybersecurity Frameworks have included the need for ITAM for years. In recent years I've seen security professionals pay much closer attention to this requirement.”

Zeltser also noted that more and more enterprises are recognizing that they don't need yet another source of asset data, and instead look for ways to gather information about IT assets from the various IT data silos, such as the CMDB, network scanners, cloud instrumentation tools, Active Directory and so on. “Each of these sources of data has partial visibility into the organization's assets. By combining this data, organizations are able to get a comprehensive view into their ITAM posture.” 

The ITAM Forum also announced a longer term objective to create a new certification program for ITAM, based on the global ISO standard for the ITAM industry – ISO19770 – which was first published in 2006. 

“By certifying organizations against the ISO standard, the ITAM Forum will look to provide the highest measure of quality to demonstrate the competence of an ITAM department in the face of increasing board level scrutiny,” Thompson said.

“By benchmarking an ITAM department output against recognized ISO standards, stakeholders in the ITAM lifecycle (in particular those not fully versed in the complexity of IT assets) will be assured of quality. While our current priority is to establish the ITAM Forum as the credible voice of the ITAM industry, we look forward to eventually establishing the ITAM Forum certification as the globally-recognized ‘Kitemark’ for ITAM quality.”

Home Chef Breach May Affect Millions of Customers

Home Chef has confirmed a major breach of customers’ personal information, potentially affecting millions of users.

The Chicago-headquartered meal delivery service revealed in a notice on its website that email addresses, encrypted passwords, last four digits of credit card numbers and “other account information such as frequency of deliveries and mailing address” were among the compromised details.

“We are taking action to investigate this situation and to strengthen our information security defenses to prevent similar incidents from happening in the future,” it said.

Although passwords were scrambled, the firm urged customers to reset their credentials anyway. Its encryption of passwords and only partial storage of credit card details will limit the risk exposure to customers, but other personal details could be used to craft convincing phishing attacks spoofing the brand.

“You should also remain vigilant against phishing attacks and monitor your accounts for any suspicious activity,” said Home Chef. “Remember that we will never ask you to send sensitive information over email, and you can make any necessary changes to your accounts by logging into your account directly on our website.”

Although the firm claimed that only “select customer information” was taken, a dark web trader claims to have as many as eight million records up for sale.

Boris Cipot, senior security engineer at Synopsys, argued that even Home Chef’s efforts to minimize risk exposure may be undone.

"Passwords — even encrypted passwords — can be cracked. If a hacker succeeds in accessing password data, it could be a key element in carrying out additional attacks. When we add email addresses to those cracked passwords, attackers may now be able to enter other services such as bank accounts, e-commerce sites, among many others,” he argued.

“With regards to the last four digits of your credit card number, if you believe this is useless data without the full number, think again. Some services require you to only enter the last four numbers to confirm your identity. As such this data can be of use to attackers with the knowledge of how to make the most of such information."

Microsoft Warns of “Massive” #COVID19 RAT

Microsoft is warning of a major new COVID-19 phishing campaign using malicious Excel macros to achieve remote access of victims’ machines via a legitimate support tool.

Microsoft Security Intelligence revealed the news in a series of tweets, claiming the campaign began on May 12.

“The emails purport to come from Johns Hopkins Center bearing ‘WHO COVID-19 SITUATION REPORT.’ The Excel files open w/ security warning & show a graph of supposed coronavirus cases in the US. If allowed to run, the malicious Excel 4.0 macro downloads & runs NetSupport Manager RAT,” it explained.

“For several months now, we’ve been seeing a steady increase in the use of malicious Excel 4.0 macros in malware campaigns. In April, these Excel 4.0 campaigns jumped on the bandwagon and started using COVID-19 themed lures.”

In this respect, the campaign is similar to many others that have been launched over recent weeks and months, with cyber-criminals effectively rebranding existing content with COVID-19 themes to increase success rates.

Google claimed it has been blocking over 240 million COVID-themed spam messages each day, and 18 million malware and phishing emails.

“The hundreds of unique Excel files in this campaign use highly obfuscated formulas, but all of them connect to the same URL to download the payload. NetSupport Manager is known for being abused by attackers to gain remote access to and run commands on compromised machines,” Microsoft said of the latest RAT campaign.

“The NetSupport RAT used in this campaign further drops multiple components, including several .dll, .ini, and other .exe files, a VBScript, and an obfuscated PowerSploit-based PowerShell script. It connects to a C2 server, allowing attackers to send further commands.”

In the UK, these kinds of emails should be reported to the National Cyber Security Centre’s Suspicious Email Reporting Service, but this first requires the presence-of-mind to do so from employees.

“The advice for organizations and employees is to remain vigilant to this new kind of threat, and to deploy training as regularly as possible to make sure individuals remain aware,” advised DomainTools malware researcher, Tarik Saleh. “Phishing is at its core an attack on people, and people remain the best defense against it, in addition to ensuring proper processes remain in place.”

Beware of phishing emails urging for a LogMeIn security update

LogMeIn users are being targeted with fake security update requests, which lead to a spoofed phishing page. “Should recipients fall victim to this attack, their login credentials to their LogMeIn account would be compromised. Additionally, since LogMeIn has SSO with Lastpass as LogMeIn is the parent company, it is possible the attacker may be attempting to obtain access to this user’s password manager,” Abnormal Security noted. The fake LogMeIn security update request The phishing email … More

The post Beware of phishing emails urging for a LogMeIn security update appeared first on Help Net Security.

Japan suspects HGV missile data leak in Mitsubishi security breach

Japan continues to investigate a cyberattack that hit Mitsubishi Electric Corp. this year; it suspects a possible leak of data including details of a prototype missile.

Japan is still investigating a cyberattack that was disclosed by Mitsubishi Electric Corp. early this year.

In January, the company disclosed a security breach that might have exposed personal and confidential corporate data; at the time, it claimed that attackers did not obtain sensitive information about defense contracts.

Mitsubishi revealed that personal data on some 8,000 people also might have been leaked.

The breach was detected almost eight months ago, on June 28, 2019, with the delay being attributed to the increased complexity of the investigation caused by the attackers deleting activity logs.

The intrusion took place on June 28, 2019, and the company launched an investigation in September 2019. Mitsubishi Electric disclosed the security incident only after two local newspapers, the Asahi Shimbun and Nikkei, reported the security breach.

Mitsubishi Electric had also already notified members of the Japanese government and the Ministry of Defense.

Now, the authorities suspect a data leak that could have exposed details of a prototype missile.

“The suspected leak involves sensitive information about a prototype of a cutting-edge high speed gliding missile intended for deployment for the defense of Japan’s remote islands amid China’s military assertiveness in the region.” states the AP press agency.

“The ministry suspects the information might have been stolen from documents sent from several defense equipment makers as part of a bidding process for the project, Mitsubishi Electric did not win the bid, Japanese media reports said.”

The advanced prototype missile was designed to be deployed in Japan’s remote islands as a deterrence to military activities conducted by China in the area.

Chief Cabinet Secretary Yoshihide Suga announced that the Defense Ministry is investigating “the possible impact of the information leak on national security.”

The Defense Ministry was working on a prototype of a supersonic missile known as HGV, a technology also being studied by the U.S., China, and Russia.

In January, the two media outlets attributed the cyber attack to a China-linked cyber espionage group tracked as Tick (aka Bronze Butler).

The hacker group has been targeting Japanese heavy industry, manufacturing and international relations at least since 2012.

According to the experts, the group is linked to the People’s Republic of China and is focused on exfiltrating confidential data.

Other Japanese defense contractors were hit by cyber attacks, including NEC Corp., Pasco Corp. and Kobe Steel Ltd.

Pierluigi Paganini

(SecurityAffairs – Mitsubishi, hacking)

The post Japan suspects HGV missile data leak in Mitsubishi security breach appeared first on Security Affairs.

Iranian APT Group Targets Governments in Kuwait and Saudi Arabia

Today, cybersecurity researchers shed light on an Iranian cyber espionage campaign directed against critical infrastructures in Kuwait and Saudi Arabia. Bitdefender said the intelligence-gathering operations were conducted by Chafer APT (also known as APT39 or Remix Kitten), a threat actor known for its attacks on telecommunication and travel industries in the Middle East to collect personal