Cybercriminals have been using the COVID-19 pandemic as a central theme in all kinds of crisis-related email phishing campaigns. But because of the dramatic rise in the number of at-home workers, one method that has become increasingly common over the past few months is vishing, i.e., phishing campaigns executed via phone calls. Rising success rates are the reason vishing has become more common, and there are several factors driving this trend: People are … More
The post How to protect your business from COVID-19-themed vishing attacks appeared first on Help Net Security.
The number of vulnerabilities disclosed in Q1 2020 decreased by 19.8% compared to Q1 2019, making this likely the only true dip observed within the last 10 years, Risk Based Security reveals. Many factors have been identified as potential contributors to this decline, including the COVID-19 pandemic, though its precise impact may not be known for another year. “Although the … More
The post Despite lower number of vulnerability disclosures, security teams have their work cut out for them appeared first on Help Net Security.
Software Defined Perimeter (SDP) is the most effective architecture for adopting a zero trust strategy, an approach that is being heralded as the breakthrough technology for preventing large-scale breaches, according to the Cloud Security Alliance. “Most of the existing zero trust security measures are applied as authentication and sometimes authorization, based on policy after the termination of Transport Layer Security (TLS) certificates,” said Nya Alison Murray, senior ICT architect and co-lead author of the report. … More
The post Why is SDP the most effective architecture for zero trust strategy adoption? appeared first on Help Net Security.
48% of employees are less likely to follow safe data practices when working from home, a report from Tessian reveals. The global shift to remote working poses new security challenges for businesses, and traditional security solutions are failing to curb the problem of the insider threat and accidental data loss. While 91% of IT leaders trust their staff to follow best security practices when working remotely, 52% of employees believe … More
The post Employees abandoning security when working remotely appeared first on Help Net Security.
The WAN optimization market is expected to grow from $1,047.1 million in 2020 to $1,446.2 million by 2025, at a Compound Annual Growth Rate (CAGR) of 6.7% during the forecast period of 2020-2025, according to ResearchAndMarkets. Most cloud-based applications need good bandwidth and low latency for effective utilization. In large-scale WAN deployments, latency, bandwidth constraints, and packet losses are inevitable. WAN optimization enables enterprises and service providers to save money and reduce costs with reduced … More
The post Global WAN optimization market forecast to reach $1.4 billion by 2025 appeared first on Help Net Security.
AttackIQ announced the launch of AttackIQ Informed Defense, the most significant product release in the company’s history. This new offering is in direct response to the evolution of attackers and their methods in becoming more targeted, sophisticated and automated. To stay ahead of the threat, enterprise security teams need to validate and continually assess that cyber defenses are always optimally configured. The AttackIQ Informed Defense Architecture (AIDA) enables a transparent and completely manageable attacker kill … More
The post AttackIQ Informed Defense: Automated continuous security validation and remediation appeared first on Help Net Security.
Security platform provider Netography announced advanced security and enhanced data privacy capabilities with the release of two new powerful data collection agents. These agents significantly expand network visibility, enable pinpointed data access, and reduce mean time to resolution across an organization’s entire network. Netography recognizes that every enterprise network is unique, and security professionals face complex data collection challenges. Netography’s new innovative agents now allow access to terminal access points (TAPs), and port mirroring data, … More
Unravel Data announced Unravel for AWS Databricks, a solution to deliver comprehensive monitoring, troubleshooting, and application performance management for AWS Databricks environments. Unravel for AWS Databricks leverages Unravel’s AI-powered data operations platform to accelerate performance of Spark on AWS while providing unprecedented visibility into runtime behavior, resource usage, and cloud costs. “As business needs evolve, data workloads are moving to a growing variety of settings, stretching across on-prem environments, public clouds, multiple clouds and a … More
The post Unravel for AWS Databricks: Supporting big data workloads wherever they reside appeared first on Help Net Security.
Aptum, a global hybrid cloud and managed services provider, launched its Managed DevOps Service in partnership with CloudOps, a cloud consulting and professional services company specializing in DevOps. The Managed DevOps Service offers a cloud-based DevOps platform that allows customers to automate their development pipelines and reduce application delivery times. Customers are also provided with hands-on training on DevOps practices and tools so they can succeed. Through this offering, customers gain access to two highly … More
The post Aptum unveils Managed DevOps Service with CloudOps to boost speed of application delivery appeared first on Help Net Security.
Siren, the provider of Investigative Intelligence analytics, announced the release of Siren 10.5. The latest version of Siren features several notable improvements, including the ability to fuse big local data with results returned dynamically by remote web services – a capability Siren calls Knowledge Graph “augment on demand”. Dr. Giovanni Tummarello, Founder and Chief Product Officer at Siren, said: “With Siren, a data model is used to virtually connect organizational data – from DBs to … More
The post Siren 10.5: Fusing big local data with results returned dynamically by remote web services appeared first on Help Net Security.
Tufin announced a new release of Tufin SecureCloud, providing security for cloud-native, multi-cloud, and hybrid-cloud workloads and applications. The new release includes Center for Internet Security (CIS) Benchmarks for Kubernetes and public cloud environments, Kubernetes best practices and assessments, streamlined risk analysis, enhanced security policy discovery and automatic generation. With these new capabilities, companies can accelerate their digital transformation and cloud-first initiatives by securing cloud-native workloads, without compromising the speed and agility businesses have come … More
RapidAPI announced that it has added a dozen Microsoft Azure Cognitive Services to its Marketplace including APIs for Vision, Language, Web Search, and Decision. The RapidAPI Marketplace provides the connective tissue for bringing thousands of APIs and microservices together, offering APIs from providers like Microsoft, Twilio, SendGrid, Nexmo, Skyscanner, Crunchbase, and more. With the addition of the Microsoft Azure Cognitive Services APIs, it is easier than ever for the RapidAPI developer community to incorporate advanced … More
The post RapidAPI adds Microsoft Azure Cognitive Services to its Marketplace appeared first on Help Net Security.
Business transformation specialists Signavio and Deloitte have announced a new global partnership. The announcement brings together both companies to address the growing worldwide demand for solutions and services in the areas of digital transformation, process digitization, and automation. The partnership supports global users across all digital transformation projects, including the areas of process excellence, ERP transformation, RPA, risk and compliance, and customer excellence. To drive these global projects, the partnership will utilize the entire solution … More
The post Signavio and Deloitte partnership addresses areas of DX, process digitization, and automation appeared first on Help Net Security.
Upbound, the company behind open source projects Rook and Crossplane, announced Alibaba Cloud and Microsoft have joined the Crossplane project. Announcements were made from the inaugural Crossplane Community Day, attended by community members from across the ecosystem. “We launched Crossplane over a year ago to bring the same control plane-centric approach pioneered by cloud providers like AWS, Microsoft Azure, and Google Cloud to the enterprise and open source community,” said Bassam Tabbara, Founder and CEO … More
The post Microsoft and Alibaba Cloud join Crossplane project implementing the Open Application Model appeared first on Help Net Security.
Sixgill announced that users of Splunk, the Data-for-Everything platform, will have access to Sixgill’s Darkfeed, the company’s automated stream of indicators of compromise. By leveraging Darkfeed in Splunk’s analytics-driven SIEM, enterprises gain contextual and actionable insights in real-time to enhance security and proactively protect against threats. “Manual threat intelligence can take days, while criminals operate by the hour. Darkfeed delivers automated insights in real-time so security teams can react instantly and stay ahead of threats,” … More
The post Splunk users now have access to Sixgill’s Darkfeed, enhancing security and threat protection appeared first on Help Net Security.
Synack announced that it raised $52 million in Series D funding to transform security testing through its crowdsourced platform powered by the world’s most skilled ethical hackers who work with proprietary Synack technology to accelerate the hunt for critical software vulnerabilities. New investors B Capital Group and C5 Capital co-led the round, bringing total funding to $112.1 million. Previous investors GGV Capital, GV (formerly Google Ventures), Hewlett Packard Enterprise (“HPE”), Icon Ventures, Intel Capital, Kleiner … More
The post Synack raises $52M to transform security testing through its crowdsourced platform appeared first on Help Net Security.
On the heels of exiting stealth with $30 million in Series A funding from marquee investors and introducing a revolutionary, passwordless identity management solution, Beyond Identity announced the formation of an all-star technical advisory board comprising the “Father of SSL,” the co-inventor of public-key cryptography (PKC), and CISOs from two of America’s most successful companies, Koch Industries and Aflac. Dr. Taher Elgamal, Professor Dr. Martin Hellman, Jarrod Benson, and Timothy L. Callahan, respectively, have teamed … More
The post Beyond Identity forms an all-star technical advisory board appeared first on Help Net Security.
WhiteHat Security announced the appointment of Tanya Gay to Vice President of Operations and Business Strategy, and the promotion of Judy Sunblade, to Vice President of Revenue Growth and Enablement. Both Tanya and Judy will report to Chief Revenue Officer, Dave Gerry and are responsible for driving operational efficiencies and pipeline growth, respectively, to accelerate WhiteHat Security’s growth. “WhiteHat has seen tremendous success throughout the past few years, and we do not plan on slowing … More
The post WhiteHat adds two application security executives to its leadership team appeared first on Help Net Security.
Cisco has disclosed a security breach that impacted its VIRL-PE infrastructure: threat actors exploited SaltStack vulnerabilities to compromise six company servers.
Cisco has disclosed a security incident that impacted part of its VIRL-PE infrastructure; threat actors exploited vulnerabilities in the SaltStack software package to breach six company servers.
These issues affect the following Cisco products running a vulnerable software release:
- Cisco Modeling Labs Corporate Edition (CML)
- Cisco Virtual Internet Routing Lab Personal Edition (VIRL-PE)
Cisco’s advisory states that the SaltStack software package is bundled with some Cisco products; attackers exploited the SaltStack issues to compromise six company servers:
“Cisco infrastructure maintains the salt-master servers that are used with Cisco VIRL-PE. Those servers were upgraded on May 7, 2020. Cisco identified that the Cisco maintained salt-master servers that are servicing Cisco VIRL-PE releases 1.2 and 1.3 were compromised. The servers were remediated on May 7, 2020.” reads the advisory.
The six servers are part of the backend infrastructure for VIRL-PE (Internet Routing Lab Personal Edition), a service that allows Cisco users to model and simulate their virtual network environment.
Cisco fixed and remediated all breached VIRL-PE servers on May 7, when it upgraded them by applying the patches for the SaltStack software.
Cisco also confirmed that the Cisco Modeling Labs Corporate Edition (CML), a network modeling tool, is affected by the issues.
At the end of April, researchers from F-Secure disclosed a number of vulnerabilities in the “Salt” framework, including two issues that could be exploited by attackers to take over Salt installations.
The two flaws, tracked as CVE-2020-11651 and CVE-2020-11652, are an authentication bypass and a directory traversal issue, respectively; both are reachable through the salt-master’s request server, which listens on TCP port 4506 by default. By chaining the two issues, an attacker can bypass authentication and run arbitrary code on Salt master servers exposed online.
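The practical questions a defender has to answer after reading the above are "is my salt-master on a fixed release?" and "is its request server reachable from outside?". The following Python checker is an added example written for this page; it is not code from SaltStack, Cisco or F-Secure. It encodes the two fixed releases SaltStack shipped for these CVEs (2019.2.4 on the year-based branch, 3000.2 on the newer counter-based branch) and the salt-master's default ports 4505/4506; the `ss -ltn` output and version string it runs on are constructed sample input, and the function names (`parse_salt_version`, `is_patched`, `exposed_master_ports`, `assess`) are this example's own.

```python
import re
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

# The salt-master's two default ZeroMQ listeners: 4505 (publisher) and 4506 (request
# server). CVE-2020-11651/11652 are reached through the request server, so an
# unauthenticated attacker needs nothing more than network access to 4506.
SALT_MASTER_PORTS = {4505, 4506}
WILDCARD_BINDS = {"0.0.0.0", "*", "[::]", "::"}


def parse_salt_version(text: str) -> Optional[Version]:
    """Extract the version tuple from `salt --version` or a versions-report line,
    e.g. 'salt 2019.2.3' or '          Salt: 3000.1'."""
    m = re.search(r"\bsalt:?\s+(\d+(?:\.\d+)*)", text, re.IGNORECASE)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))


def is_patched(v: Version) -> bool:
    """True if the version carries the fix for CVE-2020-11651 and CVE-2020-11652.

    Salt moved from year-based numbers (2019.2.x) to a plain counter (3000.x), so the
    two fixed releases, 2019.2.4 and 3000.2, cannot be compared on one ordered line:
    2019.2.4 is fixed although it sorts below the unfixed 3000.0 and 3000.1.
    """
    if v[0] >= 3000:
        return v >= (3000, 2)          # 3000.2, 3001, ... carry the fix
    if v[:2] == (2019, 2):
        return v >= (2019, 2, 4)       # 2019.2.4 and later point releases carry the fix
    return False                       # any other branch: treat as unpatched


def exposed_master_ports(ss_lines: List[str]) -> List[int]:
    """Return salt-master ports bound to a wildcard address in `ss -ltn` output.

    A wildcard bind is necessary but not sufficient for Internet exposure (a host or
    network firewall may still block the port), so a hit means "go and verify".
    """
    exposed = []
    for line in ss_lines:
        m = re.match(r"LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s", line)
        if not m:
            continue
        addr, port = m.group(1), int(m.group(2))
        if port in SALT_MASTER_PORTS and addr in WILDCARD_BINDS:
            exposed.append(port)
    return sorted(exposed)


def assess(version_text: str, ss_lines: List[str]) -> dict:
    """Combine both checks into one verdict for a host."""
    v = parse_salt_version(version_text)
    return {
        "version": v,
        "patched": bool(v) and is_patched(v),
        "exposed_ports": exposed_master_ports(ss_lines),
    }


# Constructed sample input (not a real host): a master on 2019.2.3 with both ports
# bound to wildcard addresses.
SAMPLE_VERSION = "salt 2019.2.3"
SAMPLE_SS = [
    "State  Recv-Q Send-Q Local Address:Port Peer Address:Port",
    "LISTEN 0      128    127.0.0.1:22       0.0.0.0:*",
    "LISTEN 0      1000   0.0.0.0:4505       0.0.0.0:*",
    "LISTEN 0      1000   [::]:4506          [::]:*",
]

if __name__ == "__main__":
    print(assess(SAMPLE_VERSION, SAMPLE_SS))
    # → {'version': (2019, 2, 3), 'patched': False, 'exposed_ports': [4505, 4506]}
```

The branch-aware comparison in `is_patched` is the point of the example: a naive "version >= 3000.2" test would report every 2019.2.x install, including the fixed 2019.2.4, as vulnerable, while "version >= 2019.2.4" would wave through 3000.0 and 3000.1.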
Immediately after the public disclosure of the issues, administrators of Salt servers started reporting attacks exploiting the above vulnerabilities; threat actors used them to deliver backdoors and cryptocurrency miners.
Shortly after the disclosure of the flaws, threat actors exploited them in several attacks against organizations, including mobile operating system vendor LineageOS, the DigiCert certificate authority, blogging platform Ghost, cloud software provider Xen Orchestra, and search provider Algolia.
(SecurityAffairs – Cisco VIRL-PE infrastructure, hacking)
The post Security breach impacted Cisco VIRL-PE infrastructure appeared first on Security Affairs.
The Russian blogging platform LiveJournal confirmed this week that it suffered several brute-force attacks in 2011 and 2012. But it insists that the 26 million usernames and passwords that are now available for sale on darknet forums came from other sources.
If you know the term “nightly build,” chances are you’ve been a part of that process before. A nightly build, or code compiled overnight from previously checked-in code, is a foundational way to find flaws or issues that arise from changes made during long build processes. But while a staple in DevOps, nightly builds also present a problem: if new bugs are discovered the morning after the build, everything slows down. Additionally, such activity only heightens the wall between development and security by compartmentalizing the tasks developers and security professionals must undertake every day (or night).
The history of the divide between security and development doesn’t fall solely on nightly builds, of course. It comes from a place of misconception, where developers fear that security leaders are ready to stall production at every turn, and security leaders lack the knowledge to fully understand the lingo, processes, or goals of developers. Historically, both teams have worked away in their own siloed departments with little to no direction from leadership on ways to come together.
Unifying security and development
By bridging the lines of communication, both teams can start to have serious conversations about producing more secure code without sacrificing the speed needed to meet tight deadlines. At the core of the issue is education. Both development and security teams need to find a common ground for working together and take it a step further to understand exactly how the other side of the aisle works, and how they can plug in their own processes to make that work more effective.
On the developer side of the aisle, that comes down to appreciating the value of security and sharpening the skills they need to write code with fewer flaws and bugs. On the security side, it means understanding developer timelines, tools, and processes, then working with leadership to figure out how to integrate security tools into their existing methods for time-saving automation and valuable coding feedback.
According to a recent report by Securosis, this should be a top-down effort involving members from all the necessary teams. “With DevOps you need to close the loop on issues within infrastructure, security testing as well as code. And Dev and Ops offer different possible solutions to most vulnerabilities, so the people managing security need to include operations teams as well.”
Once members of these teams come together with open dialogue about current issues and business goals, they???re on the right path to begin discussing which processes and tools will improve the health of their application security without impacting deployment speed.
Know where to start when fixing flaws
Security debt is a real problem that adds up over time and should be addressed with a plan of action to bring it down and reduce risk. But not every vulnerability is mission-critical, whether it sits in a pile of security debt or it was discovered in a batch of new flaws during a recent scan.
According to the Securosis report, deciding which vulnerabilities to tackle first is a common issue for development teams. “During our research many security pros told us that all vulnerabilities started looking like high priorities, and it was incredibly difficult to differentiate a vulnerability with impact on the organization from one which did not,” the report says.
Prioritization can speed up the entire development process as little time is wasted going back and forth. While helping to set priorities for developers, security leaders have an opportunity to help developers understand which flaws need to be addressed immediately during development, and which possible threats tie back to unattended vulnerabilities so that developers have a better understanding of how to prioritize flaws in the future.
Automation through integration
Automation brings rapidity and, if used long enough, consistency. With modern software development speeding up and not slowing down, it’s more important than ever that developers have the right scanning tools to plug directly into their existing processes with seamless integration. And while automated feedback and security testing alone won’t catch every flaw, error, or vulnerability, it sets a precedent for incorporating security into the development process, and a baseline for healthy code as the team moves through development.
Complete application security plans incorporate scanning and testing into every stage of the development process, from the IDE to the Pipeline and even review, staging, and production. Veracode Static Analysis has this covered, with automated security feedback in the IDE and Pipeline that alerts (and trains) developers while they work. Veracode Static Analysis conducts a full policy scan before deployment too, showing the vulnerabilities that developers should focus on, and leaving an audit trail for review.
With a tool like Veracode Static Analysis integrated into existing systems and processes, security and development teams will gain clear insight into not only which flaws to prioritize, but also areas where developers need more training and education so that they can produce more secure code in the future. This automated (and peer) feedback helps set a standard for consistency, and improves speed overall; those nightly builds can then turn into builds with continuous integration that facilitates faster fix rates.
eLearning tools for continuous education
Continuous education is something that both security and development should embrace if they want to help close the information and communication gaps between the two teams. Security leaders for their part should brush up on developer lingo, tools, and languages, especially when a new language is introduced into the development process.
For developers, boosting skills through hands-on courses, virtual workshops, and instructor-led training increases the speed at which developers work and the security of their applications. By bringing continuous education into the mix so that secure code is front of mind, security and development teams will have an easier time shifting security left with each new project. Eventually, it’ll become a regular part of the process to learn from past mistakes, grow to become more innovative and adapt to new security threats.
Tools like Veracode Security Labs take training to the next level by providing developers with real-world examples of threats that they can exploit and patch for practice. This hands-on-keyboard training is unlike cookie-cutter courses, as it is interactive and focuses on real applications with real vulnerabilities.
Security Labs helps meet training and compliance needs, too, with customized education in the languages an organization’s developers use most. That tailored experience becomes invaluable when every hour of the day is dedicated to improving the security of your applications. Developers start learning right away and plug back in when they’re ready for more; it’s a small step that has a big impact.
For more information on speeding up the development process through integration, automation, and feedback, read our eBook on how you can secure your software development pipeline with Veracode Static Analysis.
A bipartisan group of lawmakers has introduced a bill that calls for investing $100 billion in research on science and emerging technologies, including cybersecurity, quantum computing and artificial intelligence.
The U.S. NSA warns that the Russia-linked APT group known as Sandworm Team has been exploiting a critical flaw in the Exim mail transfer agent (MTA).
The U.S. National Security Agency (NSA) is warning that the Russia-linked APT group tracked as Sandworm Team has been exploiting a critical vulnerability (CVE-2019-10149) in the Exim mail transfer agent (MTA) software since at least August 2019.
The CVE-2019-10149 flaw, aka “The Return of the WIZard,” affects versions 4.87 to 4.91 of the Exim mail transfer agent (MTA) software. The issue could be exploited by unauthenticated remote attackers to execute arbitrary commands on mail servers for some non-default server configurations.
The flaw resides in the deliver_message() function in /src/deliver.c and it is caused by the improper validation of recipient addresses. The issue could lead to remote code execution with root privileges on the mail server.
“Russian military cyber actors, publicly known as Sandworm Team, have been exploiting a vulnerability in Exim mail transfer agent (MTA) software since at least last August.” reads the advisory published by the NSA. “The Russian actors, part of the General Staff Main Intelligence Directorate’s (GRU) Main Center for Special Technologies (GTsST), have used this exploit to add privileged users, disable network security settings, execute additional scripts for further network exploitation; pretty much any attacker’s dream access – as long as that network is using an unpatched version of Exim MTA.”
“NSA adds its encouragement to immediately patch to mitigate against this still current threat.”
Hackers belonging to Unit 74455, under the Russian GRU Main Center for Special Technologies (GTsST), have been exploiting the Exim issue since at least August 2019, after a patch was issued in June 2019.
“The actors exploited victims using Exim software on their public facing MTAs by sending a command in the “MAIL FROM” field of an SMTP (Simple Mail Transfer Protocol) message.” states the advisory.
Below is a sample “MAIL FROM” exploitation command published by the NSA:
Russian state-sponsored hackers leverage the vulnerability to download a shell script from a domain under their control and use it to “add privileged users, disable network security settings, update SSH configurations to enable additional remote access, execute an additional script to enable follow-on exploitation.”
NSA recommends patching Exim servers immediately by installing version 4.93 or newer.
“Update Exim immediately by installing version 4.93 or newer to mitigate this and other vulnerabilities. Other vulnerabilities exist and are likely to be exploited, so the latest fully patched version should be used. Using a previous version of Exim leaves a system vulnerable to exploitation. System administrators should continually check software versions and update as new versions become available.” concludes NSA. “Administrators can update Exim Mail Transfer Agent software through their Linux distribution’s package manager or by downloading the latest version from https://exim.org/mirrors.html.”
NSA’s advisory also includes Indicators of Compromise and instructions on how to detect exploit attempts and unauthorized changes.
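The advisory’s detection guidance boils down to two checks a mail administrator can script: is the Exim release inside the affected 4.87–4.91 window, and has anything that looks like a ${run{...}} string expansion ever been logged as a sender? The Python below is an added example written for this page, not the NSA’s own tooling or the advisory’s indicators. The ${run{ expansion item and the 4.87–4.91 / 4.93 version boundaries come from Exim and from the advisory as quoted above; the log lines it scans are constructed samples (the "payload" only runs `id`), the `MAIL FROM:<...>` transcript form and Exim’s mainlog `<=` arrival line are the two places a sender address is assumed to appear, and the `Finding` class and function names are this example’s own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Exim's ${run{...}} string-expansion item is what CVE-2019-10149 lets an attacker
# smuggle into an address: when delivery expands the local part, the embedded command
# runs with Exim's privileges. It never belongs in a legitimate address.
RUN_EXPANSION = re.compile(r"\$\{run\{")

# Escapes attackers use to keep spaces, slashes and quotes out of the address so that
# it survives SMTP parsing and naive grep.
HEX_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})")

# Where a sender address shows up: an SMTP transcript or capture ("MAIL FROM:<...>")
# and Exim's mainlog arrival line ("<= sender H=... [ip] ...").
SENDER_PATTERNS = [
    re.compile(r"MAIL FROM:\s*<([^>]*)>", re.IGNORECASE),
    re.compile(r" <= (\S+)"),
]

# Release range listed as affected, and the release NSA tells admins to install.
AFFECTED_MIN, AFFECTED_MAX = (4, 87), (4, 91)
RECOMMENDED_MIN = (4, 93)


@dataclass
class Finding:
    line_no: int
    sender: str     # address exactly as logged
    decoded: str    # address with \xNN and \t escapes undone, for the analyst


def decode_escapes(s: str) -> str:
    """Undo \\xNN hex escapes and literal \\t sequences."""
    s = HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), s)
    return s.replace("\\t", " ")


def scan_log(lines: List[str]) -> List[Finding]:
    """Flag every logged sender that carries a ${run{ expansion."""
    findings = []
    for n, line in enumerate(lines, 1):
        for pat in SENDER_PATTERNS:
            m = pat.search(line)
            if m:
                sender = m.group(1)
                if RUN_EXPANSION.search(sender):
                    findings.append(Finding(n, sender, decode_escapes(sender)))
                break
    return findings


def parse_exim_version(banner: str) -> Optional[Tuple[int, int]]:
    """Major.minor from an SMTP greeting such as '220 mx ESMTP Exim 4.91 ...'."""
    m = re.search(r"\bExim (\d+)\.(\d+)", banner)
    return (int(m.group(1)), int(m.group(2))) if m else None


def in_affected_range(v: Tuple[int, int]) -> bool:
    return AFFECTED_MIN <= v <= AFFECTED_MAX


def meets_recommendation(v: Tuple[int, int]) -> bool:
    return v >= RECOMMENDED_MIN


# Constructed sample lines (not a real incident): a benign sender, then an escaped
# ${run{...}} payload that only runs `id`, first as seen in an SMTP transcript and
# then as Exim would record the same message in mainlog.
SAMPLE_LOG = [
    "2020-05-28 10:01:02 SMTP connection from [198.51.100.7]",
    "2020-05-28 10:01:03 MAIL FROM:<alice@example.org>",
    "2020-05-28 10:01:09 MAIL FROM:<${run{\\x2Fbin\\x2Fsh\\t-c\\t\\x22id\\x22}}@localhost>",
    "2020-05-28 10:01:04 1jeAbC-000122-3W <= alice@example.org H=mail.example.org [203.0.113.5] P=esmtps S=2048",
    "2020-05-28 10:02:15 1jeAbC-000123-4X <= ${run{\\x2Fbin\\x2Fsh\\t-c\\t\\x22id\\x22}}@localhost H=(evil) [198.51.100.7] P=esmtp S=512",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.decoded}")
    v = parse_exim_version("220 mx.example.org ESMTP Exim 4.91 Thu, 28 May 2020 10:00:00 +0000")
    print(v, "affected" if in_affected_range(v) else "outside affected range",
          "/ meets 4.93 recommendation" if meets_recommendation(v) else "/ update needed")
```

Matching on the raw `${run{` token rather than on a specific hostname or script name is deliberate: the NSA indicators cover one campaign, whereas any `${run{` in a sender is abuse of the same bug regardless of who is behind it. Decoding the escapes is for the analyst reading the alert, not for the match.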
Unfortunately, the number of Exim installs exposed online is still high: querying Shodan for Exim installs exposed online returns more than 2,481,000 servers. More than 2,400,000 of them run the patched Exim 4.93 release, so the remainder are still running older, potentially vulnerable versions.
(SecurityAffairs – APT, hacking)
The post NSA warns Russia-linked APT group is exploiting Exim flaw since 2019 appeared first on Security Affairs.
"Hack-for-hire" groups operating in India are spoofing World Health Organization emails to steal credentials from financial services and healthcare firms around the world, according to Google's Threat Analysis Group.
Ransomware-wielding criminals are growing increasingly ruthless, based on the size of their extortion demands, their increasing propensity to leak data in an attempt to force victims to pay and their greater focus on taking down big targets. These tactics, unfortunately, appear to be working.
In recent years, cybersecurity has been elevated to a C-suite and board-level concern. This is appropriate given the stakes. Data breaches can have significant impact on a company’s reputation and profits. But, although businesses now consider cyberattacks a business risk, management of cyber risks is still siloed in technology and often not assessed in terms of other business drivers. To properly manage cybersecurity as a business risk, we need to rethink how we define and report on them.
The blog series, “Managing cybersecurity like a business risk,” will dig into how to update the cybersecurity risk definition, reporting, and management to align with business drivers. In today’s post, I’ll talk about why we need to model both opportunities as well as threats when we evaluate cyber risks. In future blogs, I’ll dig into some reporting tools that businesses can use to keep business leaders informed.
Digital transformation brings both opportunities and threats
Technology innovations such as artificial intelligence (AI), the cloud, and the internet of things (IoT) have disrupted many industries. Much of this disruption has been positive for businesses and consumers alike. Organizations can better tailor products and services to targeted segments of the population, and businesses have seized on these opportunities to create new business categories or reinvent old ones.
These same technologies have also introduced new threats. Legacy companies risk losing loyal customers by exploiting new markets. Digital transformation can result in a financial loss if big bets don’t pay off. And of course, as those of us in cybersecurity know well, cybercriminals and other adversaries have exploited the expanded attack surface and the mountains of data we collect.
The threats and opportunities of technology decisions are intertwined, and increasingly they impact not just operations but the core business. Too often decisions about digital transformation are made without evaluating cyber risks. Security is brought in at the very end to protect assets that are exposed. Cyber risks are typically managed from a standpoint of loss aversion without accounting for the possible gains of new opportunities. This approach can result in companies being either too cautious or not cautious enough. To maximize digital transformation opportunities, companies need good information that helps them take calculated risks.
It starts with a SWOT analysis
Threats and opportunities are external forces that may be factors for a company and all its competitors. One way to determine how your company should respond is by also understanding your weaknesses and strengths, which are internal factors.
- Strengths: Characteristics or aspects of the organization or product that give it a competitive edge.
- Weaknesses: Characteristics or aspects of the organization or product that puts it at a disadvantage compared to the competition.
- Opportunities: Market conditions that could be exploited for benefit.
- Threats: Market conditions that could cause damage or harm.
To crystallize these concepts, let’s consider a hypothetical brick and mortar retailer in the U.K. that sells stylish maternity clothes at an affordable price. In Europe, online retail is big business. Companies like ASOS and Zalando are disrupting traditional fashion. If we apply a SWOT analysis to this retailer, it might look something like this.
- Strength: Stylish maternity clothes sold at an affordable price, loyal referral-based clientele.
- Weakness: Only available through brick and mortar stores, lack technology infrastructure to quickly go online, and lack security controls.
- Opportunity: There is a market for these clothes beyond the U.K.
- Threats: Retailers are a target for cyberattacks; customer trends indicate they will shop less frequently at brick and mortar stores in the future.
For this company, there isn’t an obvious choice. The retailer needs to figure out a way to maintain the loyalty of its current customers while preparing for a world where in-person shopping decreases. Ideally the company can use its strengths to overcome its weaknesses and confront threats. For example, the company’s loyal clients that already refer a lot of business could be incented to refer business via online channels to grow business. The company may also recognize that building security controls into an online business from the ground up is critical and take advantage of its steady customer base to buy some time and do it right.
Threat modeling and opportunity modeling paired together can help better define the potential gains and losses of different approaches.
Opportunity and threat modeling
Many cybersecurity professionals are familiar with threat modeling, which essentially poses the following questions, as recommended by the Electronic Frontier Foundation.
- What do you want to protect?
- Who do you want to protect it from?
- How likely is it that you will need to protect it?
- How bad are the consequences if you fail?
- How much trouble are you willing to go through in order to try to prevent those?
But once we’ve begun to consider not just the threats but the opportunities available in each business decision, it becomes clear that this approach misses half the equation. Missed opportunity is a risk that isn’t captured in threat modeling. This is where opportunity modeling becomes valuable. Some of my thinking around opportunity modeling was inspired by a talk by John Sherwood at SABSA, and he suggested the following questions to effectively model opportunity:
- What is the value of the asset you want to protect?
- What is the potential gain of the opportunity?
- How likely is it that the opportunity will be realized?
- How likely is it that a strength can be exploited?
This gives us a framework to consider the risk from both a threat and opportunity standpoint. Our hypothetical retailer knows it wants to protect the revenue generated by the current customers and referral model, which is the first question on each model. The other questions help quantify the potential loss if threats materialize and the potential gains of opportunities are realized. The company can use this information to better understand the ratio of risk to reward.
It’s never easy to make big decisions in light of potential risks, but when decisions are informed by considering both the potential gains and potential losses, you can also better define a risk management strategy, including the types of controls you will need to mitigate your risk.
In my next post in the “Managing cybersecurity like a business risk” series, I’ll review some qualitative and quantitative tools you can use to manage risk.
Read more about risk management from SABSA. To learn more about Microsoft security solutions visit our website. In the meantime, bookmark the Security blog to keep up with our expert coverage on security matters. Follow us at @MSFTSecurity for the latest news and updates on cybersecurity.
The post Managing cybersecurity like a business risk: Part 1—Modeling opportunities and threats appeared first on Microsoft Security.
Comedian Arrested for Cybercrime over Face Swap
Tanzanian comedian Idris Sultan has been arrested after posting a face-swap photo on social media involving his president.
Earlier this month, Sultan shared images of himself and of Tanzanian president John Pombe Magufuli in which the faces of each subject had been swapped over. One of the pictures shows Sultan posing on a presidential chair with the national seal, while the other shows the president's face on the comedian's body.
Sultan's lawyer, Benedict Ishabakaki, said the comedian and radio show host was summoned by police on May 19 and questioned over a possible violation of a law against cyberbullying.
According to news agency the AFP, Sultan was subsequently charged with a lesser offense related to using a SIM card registered in someone else's name.
Sultan, a former show winner of the TV series Big Brother Africa, was released from police custody on May 27 after posting bail of 15 million Tanzanian shillings (more than $6,000).
His hearing was attended by his sister and vocalist Lulu Diva and by the singer Lady Jay Dee.
The comedian's release comes the day after opposition leaders and activists launched a Twitter campaign to demand that the case against Sultan be dismissed.
Sultan is no stranger to Tanzania's legal system. In October last year, the comedian was arrested for photoshopping President Magufuli’s face onto a picture of himself and sharing it with his 5 million followers on social media.
The comedian said that he had shared the photo in good faith as a way to celebrate the president's birthday on October 29.
Sultan said: “I had no ill intentions; I was just wishing the president a happy birthday. If the president did not like my birthday message, I apologize."
Following his foray into photoshopping, Sultan was accused of violating Tanzania's Cybercrimes Act, which forbids the use of a computer to impersonate someone else. After being questioned over his alleged intent to "coerce, intimidate, harass or cause emotional distress," the comedian was eventually released without charge.
Magufuli took office in 2015 as a corruption-fighting "man of the people" but has been criticized for his authoritarian leadership style. According to Human Rights Watch and Amnesty International, there is a "shrinking space for freedom of expression" in Tanzania.
Sultan's latest case is due to be heard in court on June 9.
Voters across the country are preparing to cast their ballot for the all-important 2020 U.S. presidential elections. Whether you’re a new voter eager for your voice to be heard or a parent looking to guide your family members on exercising their right to vote, consumers can be certain about one thing: election security should be top-of-mind for everyone as Election Day creeps closer. In addition to researching the presidential candidates and deciding who to support, consumers should also educate themselves on how to vote safely and securely.
Heads Up, First-Time Voters
As a young or first-time voter, you are probably eager to have your voice finally heard. However, you should also be on high alert for digital disinformation campaigns. These scams seek to suppress or disrupt the voting process by setting up bogus websites with official-sounding domains and related email addresses. From there, hackers could use those bogus email addresses to send mass email blasts intended to feed unsuspecting voters false information on when, where, and how to vote.
According to recent McAfee survey results, the majority of election administration websites for “tossup” states lacked the official U.S. government .GOV website validation and HTTPS website security measures, which prevent hackers from launching fake websites disguised as legitimate county government sites. It is critical that before Americans cast that incredibly important ballot, they confirm the site they are visiting is a .GOV website and that HTTPS security protection is in place.
Help Protect Your Family’s Vote
Whether it’s who you’re voting for or what you think of party policy, it’s incredibly important that every voice is heard in 2020. As people across the country make their decision, you must discuss the implications of digital disinformation and illegitimate voting websites with your family. Failing to discuss these attacks with new or young voters could mean the difference between whether or not their voice is heard in the 2020 election. Consumers must take action to ensure they are staying informed on possible hacks like this and sharing that knowledge with their loved ones to ensure no voices are left unheard this year.
How to Stay Protected
Whether it’s your first or fifteenth time heading to the polls, we must all take action to ensure we’re staying informed on possible hacks, minimizing risk and not leaving this vote to chance. As you or your loved ones prepare to cast your ballots, consider these tips to help ensure that your vote is protected:
Look out for suspicious emails
Carefully scrutinize all election-related emails. An attacker seeking to misinform consumers can use phishing techniques to accomplish their objective. Beware of election emails from non-.gov addresses such as .com, .net, .org, or .us, particularly any emails sent in the final days before Election Day.
Question conflicting instructions
Question any voting instructions that appear to conflict with other guidance you’ve received from traditional sources such as the U.S. Postal Service, the primary channel state and local governments use to send out voting information.
Refer to your official State website
When in doubt, visit your state’s elections website to receive general election information on voter registration and contact information for your county’s election officials. Contact the local county officials to confirm any election instructions you receive via email, social media, or websites leading up to Election Day. Voters can find the official state election websites here.
Confirm local instructions locally
Call your county or city government officials directly to confirm any last-minute voting instruction changes to the regional or local Election Day procedures.
Ask for .gov and https on websites
Ask your county officials to use .gov validation and https protection on any government websites involved in elections. The .gov in a website name validates that the U.S. government has certified that the website truly belongs to the government entity it claims. The https indicates that any information you exchange with the government website cannot be stolen and that voters cannot be redirected to fake government sites.
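The two checks the tips above rely on, a .gov top-level domain and an https scheme, are easy to get wrong by eye: “county.gov.example.com” contains “gov” but is not a .gov site, and a sender shown as “Elections Office” may hide a free-mail address. The following is an added example, not code from the original post or from McAfee, that applies both checks to URLs and to the address in a From: header; the function names and the sample inputs are constructed for illustration.

```python
"""Check election-related URLs and sender addresses for the .gov / HTTPS properties described above."""
from email.utils import parseaddr
from typing import List, NamedTuple, Tuple
from urllib.parse import urlsplit


class SiteCheck(NamedTuple):
    url: str
    https: bool
    gov_domain: bool
    problems: Tuple[str, ...]


def _labels(host: str) -> List[str]:
    """Split a hostname into lowercase DNS labels, dropping any trailing dot."""
    return [lbl for lbl in host.lower().rstrip(".").split(".") if lbl]


def is_gov_host(host: str) -> bool:
    """True only when the top-level domain itself is 'gov' (e.g. elections.example.gov)."""
    labels = _labels(host)
    return len(labels) >= 2 and labels[-1] == "gov"


def check_election_url(url: str) -> SiteCheck:
    """Report whether a URL is served over https and sits under a .gov domain."""
    url = url.strip()
    # A bare host such as 'example.gov/vote' has no scheme; parse it as a network
    # location so the host can still be examined. It is then reported as not https.
    parts = urlsplit(url if "://" in url else "//" + url)
    host = parts.hostname or ""
    problems = []
    https = parts.scheme.lower() == "https"
    if not https:
        problems.append("not served over https")
    gov = is_gov_host(host)
    if not gov:
        problems.append("host is not a .gov domain")
        # Lookalike: 'gov' appears in a lower label (county.gov.example.com, my-gov-site.com)
        # even though the real top-level domain is something else.
        if any("gov" in lbl for lbl in _labels(host)[:-1]):
            problems.append("'gov' appears inside the hostname but is not the top-level domain")
    return SiteCheck(url, https, gov, tuple(problems))


def sender_is_gov(header_value: str) -> bool:
    """True when the address in a From: header (display name allowed) is under .gov."""
    _, address = parseaddr(header_value)
    if "@" not in address:
        return False
    return is_gov_host(address.rsplit("@", 1)[1])


if __name__ == "__main__":
    # Constructed sample inputs, not real election sites or senders.
    for sample in ("https://www.usa.gov/election", "http://vote.county.gov",
                   "https://county.gov.example.com/vote", "example.us"):
        print(check_election_url(sample))
    for hdr in ("Clerk <clerk@county-elections.gov>", "noreply@county-elections.gov.com"):
        print(hdr, "->", sender_is_gov(hdr))
```

The lookalike test is deliberately a warning rather than a verdict: the only property that settles the question is the last label of the hostname, which is why `is_gov_host` ignores everything else.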
The post 2020 Voters: What You Need to Know About Election Security appeared first on McAfee Blogs.
DoD Contractors Team Up with HPE on Ransomware-Stopper
BrickStor SP is a data security software platform that boldly claims to eliminate the threat of ransomware attacks and data breaches. The platform was built by Department of Defense intelligence community veterans charged with protecting the United States’ data while meeting the nation's data security compliance regulatory requirements.
HPE plans to resell RackTop BrickStor SP software with its own ProLiant and Apollo Servers to meet the high-security file-storage needs of the federal government.
RackTop Systems CEO Eric Bednash said a prevailing failure to update their cybersecurity tools is making organizations in the United States vulnerable to cyber-attacks.
“Enterprises and government entities are losing the cyber-war because they are using old tools and 90’s design standards which are largely focused on stopping network infiltration, rather than protecting data," said Bednash.
"Based on our experience, most of the bad guys are already inside the network today."
Explaining how RackTop's platform works to block ransomware attacks, Bednash said: “BrickStor attacks the problem properly by securing unstructured data at its source so that it can’t be seized, maliciously encrypted, or exploited.
"Together with HPE and their world class secure and versatile hardware, for the first time, customers can achieve end-to-end infrastructure security from a single vendor without gaps or loosely coupled bolt-ons.”
Rapid and unstructured data growth can result in information not being stored securely, making an organization vulnerable to cyber-attackers. Chris Powers, VP, Collaborative Platform Development, HPE Storage and Big Data, said RackTop tackles this issue by embedding its security and compliance software within a scalable data-storage system for unstructured files, protecting it at the source.
“BrickStor SP fills a high data security need in the storage market. We are entering a new era in IT infrastructure where security and compliance are a necessity,” said Powers.
“RackTop’s storage software and security platform is a natural fit with our ProLiant and Apollo Servers which feature silicon-anchored, cradle-to-grave security. Together we bring our Federal Government customers a complete Zero Trust data security solution.”
Israel’s national cyber chief acknowledged the country had thwarted a major cyber attack in April against its water systems.
Israel’s national cyber chief Yigal Unna officially confirmed that the country had thwarted a major cyber attack against its water systems in April. The media, citing officials who spoke under condition of anonymity, attributed the “synchronized and organized attack” to the Government of Teheran.
Yigal Unna did not explicitly attribute the attack to Iran; he only warned of unpredictable developments in an ongoing covert information war.
“Rapid is not something that describes enough how fast and how crazy and hectic things are moving forward in cyberspace and I think we will remember this last month and May 2020 as a changing point in the history of modern cyber warfare,” he told the audience of the virtual cyber conference CybertechLive Asia.
“If the bad guys had succeeded in their plot we would now be facing, in the middle of the Corona crisis, very big damage to the civilian population and a lack of water and even worse than that.”
Unna pointed out that the attempt to hack into Israel’s water systems marked the first time in modern history that “we can see something like this aiming to cause damage to real life and not to IT or data.”
At the end of April, the Israeli government issued an alert to organizations in the water sector following a series of cyberattacks that targeted water facilities.
At the time, Israel’s National Cyber Directorate announced to have received reports of cyber attacks aimed at supervisory control and data acquisition (SCADA) systems at wastewater treatment plants, pumping stations and sewage facilities.
Organizations were advised to implement supplementary security measures to protect SCADA systems used in the water and energy sectors. The government urged them to immediately change the passwords of control systems exposed online, ensure that their software is up to date, and reduce their exposure online.
The good news is that, according to a report from Israel’s Water Authority, the attacks did not impact operations at the facilities.
Intelligence experts believe that Israel and Iran are engaged in a covert cyber dispute that has recently also hit critical infrastructure of both countries. Most famously, U.S. and Israeli intelligence agencies are suspected of unleashing a computer worm called Stuxnet years ago in an attempt to disrupt Iran’s nuclear program.
Israel is suspected to be behind the recent cyberattack which disrupted some operations at Iran’s Shahid Rajaei Port, located near the Strait of Hormuz.
“It is a part of some attack over Israel and over the national security of Israel and not for financial benefit,” Unna added. “The attack happened but the damage was prevented and that is our goal and our mission. And now we are in the middle of preparing for the next phase to come because it will come eventually.”
Unna said the cyber attack marked a historic turning point in cyber warfare.
“Cyber winter is coming and coming even faster than I suspected,” he said. “We are just seeing the beginning.”
(SecurityAffairs – Israel, Iran)
The post Israel’s national cyber chief warns of rising of cyber-warfare appeared first on Security Affairs.
Imagine sixteen paws, eight floppy ears and four wagging tails happily greeting you at the door—that’s my welcoming committee every day. Dogs have always held a special place in my heart, but it wasn’t until I added the third to my pack that I felt dogs were my passion.
I averaged 100 volunteer hours a year for an animal rescue, but with the Volunteer Time Off benefit at McAfee, I can add another 32 hours to that, which allows me even more time to support rehoming approximately 650 animals per year.
Answering the Howl
Six years ago, my calling found me when I adopted my third from Lost Paws Rescue of Texas. During my conversations with the founder and volunteers, I learned Lost Paws operated with little to no funding and they supported animals on the side of their full-time jobs! There was no shelter or storefront; it’s a foster-only rescue, which means donations directly support the animals and programs.
Impressed and inspired, something just clicked. With my hobby marketer skills and passion for animals, I could help.
Learning New Tricks
My top talent is ideation, and since my household is nearly at capacity with canine companions, I come up with other ways to volunteer. It’s my creative outlet. I take pictures of the animals, work adoption events, add story updates to the website and learned how to help with SEO as well as make crate pads and bandanas for the animals.
Helping animals find a loving home is rewarding but carving out time to make an impact is challenging. That’s why I’m so appreciative to work for a company that offers time off to volunteer. With four days off per year to volunteer, I know I’m supported in giving back to a cause that is important to me.
Most recently, I’ve used McAfee’s Volunteer Time Off benefit to expand my skill set with grant writing classes. With stronger writing skills, I could better support funding requests for Lost Paws.
Making an Impact with McAfee
Giving back in these different ways is rewarding. I’ve helped grow Lost Paws Rescue’s participation in community giving initiatives. Through our SEO efforts, when DFW rescues are Googled, Lost Paws Rescue of Texas appears on the front page (alongside some of the larger, global animal rescues!). I’m also proud to share that grant writing classes were helpful as we were awarded $26K for a couple of my successful submissions just last fall.
McAfee’s Volunteer Time Off (VTO) benefit is simply awesome. We are so lucky to have volunteer days as employees. I’m constantly trying to figure out a new way to serve this cause. It’s been a labor of love—for me, for the animals and for this organization and it’s empowering to know McAfee supports me along the way.
Here, I can bring all my passions, interests and talents through the door.
Interested in working for a company that supports giving back? Search our openings.
The post How I Use McAfee’s Volunteer Time Off to Help Lost Paws Find Homes appeared first on McAfee Blogs.
The United Kingdom’s anti-cybercrime agency is running online ads aimed at young people who search the Web for services that enable computer crimes, specifically trojan horse programs and DDoS-for-hire services. The ad campaign follows a similar initiative launched in late 2017 that academics say measurably dampened demand for such services by explaining that their use to harm others is illegal and can land potential customers in jail.
For example, search in Google for the terms “booter” or “stresser” from a U.K. Internet address, and there’s a good chance you’ll see a paid ad show up on the first page of results warning that using such services to attack others online is illegal. The ads are being paid for by the U.K.’s National Crime Agency, which saw success with a related campaign for six months starting in December 2017.
NCA Senior Manager David Cox said the agency is targeting its ads to U.K. males age 13 to 22 who are searching for booter services or different types of remote access trojans (RATs), as part of an ongoing effort to help steer young men away from cybercrime and toward using their curiosity and skills for good. The ads link to advertorials and to the U.K.’s Cybersecurity Challenge, which tries to gamify computer security concepts and highlight potential careers in cybersecurity roles.
“The fact is, those standing in front of a classroom teaching children have less information about cybercrime than those they’re trying to teach,” Cox said, noting that the campaign is designed to support so-called “knock-and-talk” visits, where investigators visit the homes of young people who’ve downloaded malware or purchased DDoS-for-hire services to warn them away from such activity. “This is all about showing people there are other paths they can take.”
While it may seem obvious to the casual reader that deploying some malware-as-a-service or using a booter to knock someone or something offline can land one in legal hot water, the typical profile of those who frequent these services is young, male, impressionable and participating in online communities of like-minded people in which everyone else is already doing it.
In 2017, the NCA published “Pathways into Cyber Crime,” a report that drew upon interviews conducted with a number of young men who were visited by U.K. law enforcement agents in connection with various cybercrime investigations.
Those findings, which the NCA said came about through knock-and-talk interviews with a number of suspected offenders, found that 61 percent of suspects began engaging in criminal hacking before the age of 16, and that the average age of suspects and arrests of those involved in hacking cases was 17 years old.
The majority of those engaged in, or on the periphery of, cyber crime, told the NCA they became involved via an interest in computer gaming.
A large proportion of offenders began to participate in gaming cheat websites and “modding” forums, and later progressed to criminal hacking forums.
The NCA learned the individuals visited had just a handful of primary motivations in mind, including curiosity, overcoming a challenge, or proving oneself to a larger group of peers. According to the report, a typical offender faces a perfect storm of ill-boding circumstances, including a perceived low risk of getting caught, and a perception that their offenses in general amounted to victimless crimes.
“Law enforcement activity does not act as a deterrent, as individuals consider cyber crime to be low risk,” the NCA report found. “Debrief subjects have stated that they did not consider law enforcement until someone they knew or had heard of was arrested. For deterrence to work, there must be a closing of the gap between offender (or potential offender) with law enforcement agencies functioning as a visible presence for these individuals.”
Cox said the NCA will continue to run the ads indefinitely, and that it is seeking funding from outside sources — including major companies in online gaming industry, whose platforms are perhaps the most targeted by DDoS-for-hire services. He called the program a “great success,” noting that in the past 30 days (13 of which the ads weren’t running for funding reasons), the ads generated some 5.32 million impressions, and more than 57,000 clicks.
FLATTENING THE CURVE
Richard Clayton is director of the University of Cambridge Cybercrime Centre, which has been monitoring DDoS attacks for several years using a variety of sensors across the Internet that pretend to be the types of systems which are typically commandeered and abused to help launch such assaults.
Last year, Clayton and fellow Cambridge researchers published a paper showing that law enforcement interventions — including the NCA’s anti-DDoS ad campaign between 2017 and 2018 — demonstrably slowed the growth in demand for DDoS-for-hire services.
“Our data shows that by running that ad campaign, the NCA managed to flatten out demand for booter services over that period,” Clayton said. “In other words, the demand for these services didn’t grow over the period as we would normally see, and we didn’t see more people doing it at the end of the period than at the beginning. When we showed this to the NCA, they were ever so pleased, because that campaign cost them less than ten thousand [pounds sterling] and it stopped this type of cybercrime from growing for six months.”
Clayton said part of the problem is that many booter/stresser providers claim they’re offering lawful services, and many of their would-be customers are all too eager to believe this is true. Also, the price point is affordable: A typical booter service will allow customers to launch fairly high-powered DDoS attacks for just a few dollars per month.
“There are legitimate companies that provide these types of services in a legal manner, but there are all types of agreements that have to be in place before this can happen,” Clayton said. “And you don’t get that for ten bucks a month.”
DON’T BE EVIL
The NCA’s ad campaign is competing directly with Google ads taken out by many of the same people running these DDoS-for-hire services. It may surprise some readers to learn that cybercrime services often advertise on Google and other search sites much like any legitimate business would — paying for leads that might attract new customers.
Several weeks back, KrebsOnSecurity noticed that searching for “booter” or “stresser” in Google turned up paid ads for booter services prominently on the first page of results. But as I noted in a tweet about the finding, this is hardly a new phenomenon.
Cambridge’s Clayton pointed me to a blog post he wrote in 2018 about the prevalence of such ads, which violate Google’s policies on acceptable advertisements via its platform. Google says it doesn’t allow ads for services that “cause damage, harm or injury,” and that they don’t allow adverts for services that “are designed to enable dishonest behavior.”
Clayton said Google eventually took down the offending ads. But as my few seconds of Googling revealed, the company appears to have decided to play whack-a-mole when people complain, instead of expressly prohibiting the placement of (and payment for) ads with these terms.
Google told KrebsOnSecurity that it relies on a combination of technology and people to enforce its policies.
“We have strict ad policies designed to protect users on our platforms,” Google said in a written statement. “We prohibit ads that enable dishonest behavior, including services that look to take advantage of or cause harm to users. When we find an ad that violates our policies we take action. In this case, we quickly removed the ads.”
Google pointed to a recent blog post detailing its enforcement efforts in this regard, which said in 2019 the company took down more than 2.7 billion ads that violated its policies — or more than 10 million ads per day — and that it removed a million advertiser accounts for the same reason.
The ad pictured above ceased to appear shortly after my outreach to them. Unfortunately, an ad for a different booter service (shown below) soon replaced the one they took down.
IT Leaders Overestimate Staff's Commitment to WFH Security
IT leaders who trust their employees to follow security best practices while working from home are sadly overoptimistic.
According to new research published today by email security firm Tessian, while 91% of IT leaders believe their staff are doing their best to work securely from home, 52% of employees believe toiling from home means they can get away with riskier behavior.
Tessian surveyed 2,000 employees across the US and the UK as well as 250 IT decision-makers to examine the state of data loss within organizations. Researchers also set out to learn how data loss is impacted by employees working remotely.
The survey revealed that 48% of employees cite “not being watched by IT” as the number one reason for not following safe data practices when working from home. The second excuse given for working on the wild side was "being distracted."
While such results might lead one to conclude that tighter controls are needed to maintain security, Tim Sadler, CEO and co-founder of Tessian, said that this tactic would not work on its own.
"Business leaders need to address security cultures and adopt advanced solutions to prevent employees from making the costly mistakes that result in data breaches and non-compliance," said Sadler.
"It’s critical these solutions do not impede employees’ productivity though. We’ve shown that people will find workarounds if security gets in the way of them doing their jobs, so data loss prevention needs to be flexible if it’s going to be effective.”
Researchers found that IT leaders in the US underestimate how many of their employees' emails are misdirected. While IT leaders in US organizations with over 1,000 employees estimate that 480 emails are sent to the wrong person every year, the real figure recorded by Tessian platform data is 1.6 times higher.
More than half of survey respondents―51%―said security policies were impeding their productivity, while 54% said that they will find workarounds if security policies stop them from doing their jobs.
Compared to the UK, workers in the US were much more likely to act in a way that could jeopardize the security of their company. Employees in the US were twice as likely to send an email to the wrong person and twice as likely to take company documents home with them when they leave a job.
Intelligence Gateway Launches to Compile Malicious #COVID19 URLs
An internet intelligence gateway has been established to analyze and compile malicious URLs related to COVID-19.
With thousands of newly created COVID-19-related malicious websites launching every day, the gateway accepts submissions of suspicious URLs or emails, providing a lookup service that taps into RiskIQ’s infrastructure to analyze and compile malicious URLs related to COVID-19. Submissions are analyzed by RiskIQ’s systems and each malicious URL is added to RiskIQ blacklists through community participation.
Over a two-week period, RiskIQ noted 317,000 new websites related to COVID-19.
“Our goal with the gateway is to help the security community work together in our response to the influx of criminal activity,” said RiskIQ CEO Lou Manousos. “The COVID-19 Internet Intelligence Gateway will be a powerful resource for keeping organizations safe during this crisis.”
The gateway will also allow security teams to block blacklists of known bad infrastructure to immediately protect their organizations from new campaigns leveraging the COVID-19 crisis.
Also newly launched is a COVID-19 Chrome Extension, which allows users to submit suspect URLs, host names or domains to RiskIQ for “crawling” purposes. Reports will include detailed information from the crawl, including referenced pages, screenshots and classification of content.
In April, it was reported that 18 million malware and phishing Gmail messages related to COVID-19 were detected by Google’s Threat Analysis Group per day, in addition to more than 240 million COVID-related daily spam messages.
It detected examples including fake solicitations from charities and NGOs, messages trying to mimic employer communications and employees working from home, along with websites posing as official government pages and public health agencies.
Malware experts at Microsoft have warned businesses to be on their guard against hackers plotting to plant the PonyFinal ransomware on compromised IT systems.
Read more in my article on the Hot for Security blog.
"Hack-for-hire" groups operating in India are spoofing World Health Organization emails to steal credentials from financial services and healthcare firms around the world, according to Google's Threat Analysis Group.
At Microsoft, we are committed to driving innovation for our partnerships within the identity ecosystem. Together, we are enabling our customers, who live and work in a heterogenous world, to get secure and remote access to the apps and resources they need. In this blog, we’d like to highlight how partners can help enable secure remote access to any app, access to on-prem and legacy apps, as well as how to secure seamless access via passwordless apps. We will also touch on how you can increase security visibility and insights by leveraging Azure Active Directory (Azure AD) Identity Protection APIs.
Secure remote access to cloud apps
As organizations adopt remote work strategies in today’s environment, it’s important their workforce has access to all the applications they need. With the Azure AD app gallery, we work closely with independent software vendors (ISVs) to make it easy for organizations and their employees and customers to connect to and protect the applications they use. The Azure AD app gallery consists of thousands of applications that make it easy for admins to set up single sign-on (SSO) or user provisioning for their employees and customers. You can find popular collaboration applications for working remotely such as Cisco Webex, Zoom, and Workplace from Facebook, or security-focused applications such as Mimecast and Jamf. And if you don’t find the application your organization needs, you can always make a nomination here.
The Azure AD Gallery.
Secure hybrid access to your on-premises and legacy apps
As organizations enable their employees to work from home, maintaining remote access to all company apps, including on-premises and legacy apps, from any location and any device, is key to safeguarding the productivity of their workforce. Azure AD offers several integrations for securing on-premises applications like SAP NetWeaver, SAP Fiori systems, Oracle PeopleSoft and E-Business Suite, and Atlassian JIRA and Confluence through the Azure AD App Gallery. For customers who are using Akamai Enterprise Application Access (EAA), Citrix Application Delivery Controller (ADC), F5 BIG-IP Access Policy Manager (APM), or Zscaler Private Access (ZPA), Microsoft has partnerships to provide remote access securely and help extend policies and controls that allow businesses to manage and govern on-premises legacy apps from Azure AD without having to change how the apps work.
Our integration with Zscaler allows a company’s business partners, such as suppliers and vendors, to securely access legacy, on-premises applications through the Zscaler B2B portal.
Go passwordless with FIDO2 security keys
Passwordless methods of authentication should be part of everyone’s future. Currently, Microsoft has over 100 million active passwordless end-users across consumer and enterprise customers. These passwordless options include Windows Hello for Business, the Authenticator app, and FIDO2 security keys. Why are passwords falling out of favor? For them to be effective, passwords must have several characteristics, including being unique to every site. Trying to remember them all can frustrate end-users and lead to poor password hygiene.
Since Microsoft announced the public preview of Azure AD support for FIDO2 security keys in hybrid environments earlier this year, I’ve seen more organizations, especially with regulatory requirements, start to adopt FIDO2 security keys. This is another important area where we’ve worked with many FIDO2 security key partners who are helping our customers to go passwordless smoothly.
Increase security visibility and insights by leveraging Azure AD Identity Protection APIs
We know from our partners that they would like to leverage insights from the Azure AD Identity Protection with their security tools such as security information event management (SIEM) or network security. The end goal is to help them leverage all the security tools they have in an integrated way. Currently, we have the Azure AD Identity Protection API in preview that our ISVs leverage. For example, RSA announced at their 2020 conference that they are now leveraging our signals to better defend their customers.
We’re looking forward to working with many partners to complete these integrations.
If you haven’t taken advantage of any of these types of solutions, I recommend you try them out today and let us know what you think. If you have product partnership ideas with Azure AD, feel free to connect with me via LinkedIn or Twitter.
The post 4 identity partnerships to help drive better security appeared first on Microsoft Security.
C-Level Executives the Weakest Link in Organizations’ Mobile Security
C-suite executives are the people most susceptible to mobile-based cyber-attacks in businesses, according to a study from MobileIron. The report, entitled Trouble at the Top found that while these executives are highly targeted by cyber-criminals in attacks on organizations, they are also more likely than anyone else to have a relaxed attitude to mobile security.
In the analysis, research from 300 enterprise IT decision makers across Benelux, France, Germany, the UK and the US was combined with findings from 50 C-level executives from the UK and the US. It revealed that many C-level executives find mobile security protocols frustrating, with 68% feeling IT security compromises their personal privacy, 62% stating it limits the usability of their device and 58% finding it too complex to understand.
As a result of these issues, 76% of C-suite executives had asked to bypass one or more of their organization’s security protocols last year. This included requests to: gain network access to an unsupported device (47%), bypass multi-factor authentication (45%) and obtain access to business data on an unsupported app (37%).
“These findings are concerning because all of these C-suite exemptions drastically increase the risk of a data breach,” commented Brian Foster, SVP product management, MobileIron. “Accessing business data on a personal device or app takes data outside of the protected environment, leaving critical business information exposed for malicious users to take advantage of. Meanwhile, multi-factor identification – designed to protect businesses from the leading cause of data breaches, stolen credentials – is being side-stepped by C-suite execs.”
To exacerbate this issue, IT decision makers included in the study overwhelmingly stated that C-suite is the group most likely to both be targeted by (78%), and fall victim to (71%), phishing attacks.
Foster added: “These findings highlight a point of tension between business leaders and IT departments. IT views the C-suite as the weak link when it comes to cybersecurity, while execs often see themselves as above security protocols.”
Static reverse-engineering in IDA can often be problematic. Certain values are calculated at run time, which makes it difficult to understand what a certain basic block is doing. If you try to perform dynamic analysis by debugging a piece of malware, the malware will often detect it and start behaving differently. Today, Cisco Talos is releasing the 1.0 beta version of Dynamic Data Resolver (DDR) — a plugin for IDA that makes reverse-engineering malware easier. DDR is using instrumentation techniques to resolve dynamic values at runtime from the sample. For the 1.0 release, we have fixed a couple of bugs, ported it to the latest IDA version, added multiple new features, plus a new installer script that automatically resolves all dependencies.
A Canadian maker of smart padlocks has agreed to implement a comprehensive security program and not misrepresent its privacy and security practices under an agreement with the U.S. Federal Trade Commission.
Earlier this month, the FTC gave final approval to a settlement with Tapplock Inc. of Toronto, maker of a fingerprint-enabled padlock sold to enterprises and consumers, related to allegations it falsely claimed that its internet-connected smart locks were designed to be “unbreakable” and that it took reasonable steps to secure the data collected through a mobile app.
Security researchers identified both physical and electronic vulnerabilities with Tapplock’s smart locks, according to the complaint. The FTC also alleged that Tapplock failed to implement a security program or take other steps that might have helped the company discover electronic vulnerabilities with its locks.
Under the settlement, Tapplock is required to implement a comprehensive security program and obtain independent biennial assessments of the program by an assessor that the FTC approves. The company also is prohibited from misrepresenting its privacy and security practices.
The two sides came to an agreement on a settlement of the allegations in April. That needed final approval of the commission.
Under the consent order, Tapplock agreed to not transfer, sell, share, collect, maintain, or store personal information or manufacture or sell devices unless it implements a comprehensive security program that protects the security of devices and the security, confidentiality, and integrity of personal information.
According to its website this week, the company sells two models: the Tapplock one+, described as “Sturdy” and “Secure” and storing up to 500 fingerprints per lock; and the Tapplock lite, described as having a “strong, lightweight chassis” and storing up to 100 fingerprints. Bluetooth lets users share remote access.
For organizations that issue and control multiple padlocks, the company offers an enterprise software-based management console allowing an administrator to set custom permissions for users and manage them by groups. Customers listed on the site include Bombardier, Lufthansa and Foxconn.
The FTC’s background complaint document supporting the consent order says that in 2018 “security researchers identified critical physical and electronic vulnerabilities” with Tapplock smart locks. “Some could be opened within a matter of seconds, simply by unscrewing the back panel.”
One alleged vulnerability in the API could have been exploited to bypass the account authentication process in order to gain full access to the accounts of all Tapplock users and their personal information, including usernames, email addresses, profile photos, location history, and precise geolocation of smart locks. Because the company failed to encrypt the Bluetooth communication between the lock and the app, a second vulnerability could have allowed a bad actor to lock and unlock any nearby Tapplock smart lock. Finally, a third vulnerability prevented users from effectively revoking access to their smart lock once they had provided other users access to that lock.
The second count alleges that Tapplock deceived consumers about its data security practices by falsely representing that it took reasonable precautions and followed industry best practices to protect the personal information provided by consumers.
Tapplock neither admitted nor denied any of the allegations in the complaint other than those stated in the final decision and consent order.
The company didn’t respond to an email request Wednesday for comment.
And most people don’t change their password even after hearing about a breach, a survey finds
The post People know reusing passwords is risky – then do it anyway appeared first on WeLiveSecurity
Welcome to the second installment of our look into the future of the email security market! In our previous entry, we looked at the continued relevance of the Secure Email Gateway (SEG) and discussed how Cisco’s Cloud Email Security (CES) provides our customers with versatile and comprehensive configuration and security options. This time, we’ll be exploring the simplicity and appeal of emerging cloud email security technologies.
The simplification of anything is always sensational. This was true when noted British philosopher Gilbert Chesterton wrote it in 1903 and a little over a century later, it still rings true today. Now, it’s cloud technologies that offer a way to sensationally simplify the administration and operation of key business technologies. From the office applications we all use on a daily basis, it is now a viable option for administrators to move keystone technologies such as their Identity and Access (Active Directory and LDAP) or their Email server (Exchange) to the cloud.
This allows your administrators to leverage the scale, resilience, and upgradability inherent in cloud architectures to simplify their operational practices and maximize their use of expensive skills and resources on higher-value activities. After all, it’s far more effective for your email administrator to focus on the email policies that are unique to your business instead of worrying about the availability and scale of your Exchange server — never mind the nightmare of applying the latest and greatest security patches!
However sensational this is, simply moving your Exchange server to Office 365 (O365) does not mean that all the concerns of the past are gone. Email continues to hold its title as the number one threat vector. The Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3) recently announced that between January 2014 and October 2019, they had received complaints totaling over $2.1 billion in actual losses from Business Email Compromise (BEC) scams targeting Microsoft Office 365 and Google G Suite. BEC, also known as Email Account Compromise (EAC), is a form of fraud in which criminals use social engineering, deception, or other intrusion techniques to conduct unauthorized transfers of funds from a business to a fictitious supplier. The cybercriminals behind this invest in developing and designing phishing kits that target these cloud platforms, and in the words of the FBI “particularly Office 365 given its dominant market share.”
So, what can be done?
Put simply, the base security in Office 365 needs some augmentation. Microsoft offers several options to enhance the base security of the product via additional Advanced Threat Protection (ATP) 1 or 2 plans, or the Enterprise E5 offer. These add additional security around areas such as Safe Attachments, Safe Links/URLs, Phishing Protection as well as reporting and visibility options. The very existence of these products from Microsoft points to the need for customers to consider their security and how best to adjust that security to fit their specific needs. Naturally, there are options available from other vendors, including Cisco, to help address this need!
In this era of APIs, Microsoft has built Office 365 from the ground up with cloud capabilities like the Graph API that allow for the enrichment of native functionality. In fact, Gartner recently created a market category to track these solutions, which they’ve dubbed the Cloud Email Security Supplements (CESS) market segment. Moreover, Gartner also recommends a CESS to address gaps in the advanced threat capabilities of existing solutions. In our next blog, we will be examining in more detail what supplementary security is and the problems it addresses.
If you would like to learn more about how Cisco Cloud Email Security can improve your approach to cloud email security, be sure to check out the following:
The post The Benefits, and Potential Challenges of, Cloud Email Platforms appeared first on Cisco Blogs.
Businesses were already undergoing hugely impactful changes as employees were increasingly working outside the office, and applications were rapidly expanding to the cloud. This transformation has recently accelerated on a massive scale – with the exodus of employees out of the office and into their homes, and a subsequent rush to push many more applications into the cloud to help facilitate a seamless remote worker experience.
In light of this, the term ‘business continuity’ has taken on a whole new meaning. We must still aim to minimize downtime in the event of an incident, but we must now do so with our workforce largely outside of the traditional confines of the office.
Business continuity now extends beyond just keeping the business running to preserving your employees’ ability to be productive no matter where they are and what they are doing. And of course, making sure their devices, applications, data, and your network remain secure in the process.
Expanding support for customers
As a leader in both networking and security, Cisco has been able to provide a significant amount of support for our customers over the past several months. For example, we quickly expanded our free Webex offerings and increased usage counts for existing customers at no extra charge.
But of course, with rising IT demands comes a greater need for security. The new normal of working from home has opened us up to many new cybersecurity concerns. So we are also offering extended free trials and expanded usage counts for several of our security technologies to help organizations safeguard their infrastructure during these unprecedented times.
Our recent work in provisioning customers to meet these new challenges has culminated in the creation of the Cisco Secure Remote Worker solution. Cisco Secure Remote Worker consists of four integrated technologies that protect your users on any device, wherever and whenever they choose to work.
Together, Cisco AnyConnect, Cisco Duo, Cisco Umbrella, and Cisco AMP for Endpoints enable organizations to: 1) grant secure access to the network, 2) verify users trying to connect to corporate applications, and 3) defend against threats across multiple devices. Today I will focus on two critical components of the Cisco Secure Remote Worker solution – secure access with Cisco AnyConnect and multi-factor authentication with Cisco Duo.
Enabling secure network access with VPN
A virtual private network (VPN) uses encryption to securely connect employees to corporate resources over public networks. The Cisco AnyConnect VPN authenticates the user trying to access the network and can assess a device’s security posture before allowing a connection.
Although it’s often viewed as a legacy security technology, the VPN is once again top of mind as organizations scramble to accommodate new remote connectivity challenges. The increased demand for network access, coupled with the complexity of delivering consistent security everywhere it’s needed, is forcing organizations to look differently at their VPN implementation. Cisco AnyConnect goes way beyond just the basic VPN functionality to serve as a vital component of an enterprise security strategy.
Cisco AnyConnect empowers remote workers with frictionless, highly secure access to the enterprise network at any time, with any device, from any location. The AnyConnect Secure Mobility Client not only provides VPN access, but also offers enhanced security through various built-in modules, including:
- Endpoint posture and compliance checks
- Web security to block users from accessing risky websites
- Visibility into endpoint flows
- Off-network roaming protection with Cisco Umbrella
Additionally, Cisco AnyConnect integrates with other technologies such as Cisco AMP for Endpoints to provide comprehensive threat protection. A complete, secure access solution like Cisco AnyConnect can go a long way in ensuring business continuity.
Bolstering security with MFA
A second critical component for business continuity today is multi-factor authentication (MFA). For optimum security, VPN and MFA should go hand in hand. We were surprised to find in our recent CISO Benchmark Study that only 27% of respondents are currently using MFA to secure their environments.
Multi-factor authentication can protect your applications by using a second factor to verify user identity before granting access. It is especially important to use if organizations have implemented single sign-on options for employees.
You can extend your business continuity and security by using the Cisco Duo MFA solution to verify users trying to connect to your environment. Duo provides an easy way for authorized users to connect using a second validation factor such as their smartphone. It can also inspect the security of the devices accessing your resources.
Layering strong MFA on top of a VPN defends against credential theft, reduces the risk of a data breach, and helps organizations meet regulatory compliance requirements. According to Tristan Hammond, IT infrastructure manager at online retailer Threadless, “Our overall experience with Duo has been extremely easy – that’s not something that always happens in the technology world.”
MFA is a key component of a zero-trust security model. It becomes even more crucial as more applications move into the cloud, since it can provide consistent, secure access across both on-premises and cloud applications.
Integration for streamlined security
Another benefit of Cisco AnyConnect and Cisco Duo is that they are integrated with each other, and with many other Cisco and third-party offerings, through our Cisco SecureX platform. Cisco SecureX makes our technologies stronger by allowing them to share intelligence and work together to provide greater visibility, threat protection, and security automation. This is critical since 42% of respondents in our 2020 CISO Benchmark Study said they are suffering from cybersecurity fatigue.
Keep your business on track
Business continuity means many things now, but having strong solutions for secure access can make a big difference in putting you on the right path to preserving the integrity and vitality of your business. Visit our business continuity and remote worker planning sites for further information on how to keep your business secure during difficult times.
For more information
The post The New Era of Business Continuity – What does it mean today? appeared first on Cisco Blogs.
By Jeff Reed, SVP of Product, Security Business Group
In partnership with Scott Harrell, SVP/GM of Cisco Intent-Based Networking Group
As leaders of Cisco’s Networking and Security organizations for the last eight years, Scott Harrell and I have had the opportunity to oversee many innovative developments from our dual perspectives. In fact, each of us has had the other’s role, which provides us with unique views into the future of secure networking. Recently we had the opportunity to rethink how networks and security will become even more intricately intertwined as organizations change the way they connect their distributed workforce to applications and data resources.
The main macro-trend we considered is the transition to multi-cloud, resulting in data and applications that are literally located everywhere. In parallel, an increasingly distributed workforce requires secure access to applications with optimal performance. The rapid adoption of SD-WAN for connecting to multi-cloud applications provides enterprises with the opportunity to rethink how access and security are managed from campus to cloud to edge. With 60% of organizations expecting the majority of applications to be in the cloud by 2021 and over 50% of the workforce to be operating remotely, new networking and security models, such as Gartner’s Secure Access Service Edge (SASE), provide a vision for managing the new normal.
The Journey to SASE
Gartner’s concept of Secure Access Service Edge provides the ability to identify end users, devices, IoT/OT systems, and edge computing locations and provide direct and secure access to applications hosted anywhere, including data centers and cloud-based services. Specifically, Gartner says that SASE “…is an emerging offering combining comprehensive WAN capabilities with comprehensive network security functions (such as SWG, CASB, FWaaS and ZTNA) to support the dynamic secure access needs of digital enterprises.”*
The goal of SASE is to provide secure access to applications and data from your data center or cloud platforms like Azure, AWS, Google Cloud, and SaaS providers based on identities—specific individuals, groups of people at certain office locations, devices, IoT, even services. Service edge refers to global point of presence (PoP), IaaS, or colocation facilities where local traffic from branches and endpoints is secured and forwarded to the appropriate destination without first traveling to data center focal points. By delivering security and networking services together from the cloud, organizations will be able to securely connect any user or device to any application with the best experience.
Gartner considers SASE to be a vision of a future secure networking model for enterprises to strive for—it’s not currently a reality from any vendor. Cisco has been moving down this path for several years through key acquisitions in networking (Meraki, Viptela) and security (OpenDNS, CloudLock, Duo) as well as many internally developed innovations. Today, SASE is best represented by the convergence of cloud-managed SD-WAN and cloud-delivered security, two foundational capabilities that Cisco has developed extensively.
Today, more than 20,000 organizations have begun the journey to SASE by deploying Cisco SD-WAN and more than 22,000 have deployed Cisco Umbrella’s cloud security services.
Challenges to Realizing SASE
Moving to a SASE model will be a gradual process as enterprise IT rethinks how to connect a remote workforce to the distributed information resources they need. Flexibility will be fundamental as IT chooses among multiple security and networking capabilities that best fit their operations, regulatory requirements, and types of applications. Security services can be predominately delivered from the cloud to provide consistent access policies across all types of endpoints. However, globally-distributed organizations may need to apply security and routing services differently according to regional requirements.
Beyond the architectural choices that enterprises will need to make, IT needs to consider how to streamline procurement of security and networking services. Today these technologies typically have separate buying cycles, which may slow SASE adoption. Secondly, licensing structures are different for networking, which are typically throughput-based, versus security services, which are based on protecting a wide variety of users and endpoints. As IT strives to move from on-premises towards a hybrid or cloud-first approach, there will be an increasing demand for “as-a-service” consumption models that offer more flexibility for procurement.
Between Networking, Security, and Zero Trust Network Access, Cisco is Building a Bridge
Cisco has many of the SASE capabilities already in place, with additional integration among current solution sets well underway.
Networking: Cisco SD-WAN is a cloud-delivered overlay WAN architecture with application optimization to deliver predictable application performance in multi-cloud environments. A full security stack is built in, and offers firewall, IPS/IDS, AMP and URL Filtering. Analytics and Assurance deliver the visibility and insights over any type of connectivity to deliver the best experience.
Cloud Security: Cisco Umbrella unifies secure web gateway (SWG), DNS-layer security, firewall, and cloud access security broker (CASB) functionality in a single integrated cloud-native platform. Built as a micro-services-based architecture with dozens of points of presence around the world, Umbrella provides the scale and reliability needed to secure today’s remote workforce. Powered by threat intelligence from Cisco Talos, the largest non-governmental threat research team in the world, Umbrella was recently ranked #1 in the industry for security efficacy.
Zero Trust Network Access: To verify identity and protect access to resources, Cisco’s Duo and Software-Defined Access (SD-Access) enable a zero trust network access architecture to be extended anywhere people work. Duo provides protection for your workforce, while SD-Access protects your workplace. Ultimately, IT is less concerned about where the security functions are implemented and can focus more on the policies that they need to enable throughout the enterprise.
Foundational capabilities of this SASE model include an API-based, programmable architecture that provides flexibility to encompass many types of enterprise use cases, including support for third-party ecosystem partners.
Crossing the Bridge to SASE
Moving to a SASE model will be a gradual process as enterprise IT rethinks how to connect a remote workforce to the distributed information resources they need. Flexibility will be fundamental as IT chooses among multiple security and networking capabilities to best fit their operations, regulatory requirements, and types of applications. The bridge that enterprises choose to evolve their infrastructure to a SASE model should be structured on a cloud-native, micro-services architecture. Achieving the benefits of SASE will be more difficult to achieve if existing on-premises technology is merely shifted to virtual machines running as cloud services. Cloud security and networking services will only become more critical as enterprises cross the bridge to employ Secure Access Service Edge networking to solve disruptive information management challenges.
To learn more about how Cisco is enabling organizations to build a bridge to the SASE networking and security model, you’ll want to attend Cisco Live! June 2 – 3, 2020. To date, there are already over 80,000 registered attendees for Cisco Live! You won’t want to miss this virtual event from the comfort of your office. Register today at https://www.ciscolive.com/us.html.
*Source: Gartner, The Future of Network Security Is in the Cloud, Neil MacDonald, Lawrence Orans, et al., 30 August 2019.
The post Cisco is Building a Bridge to Secure Access Service Edge appeared first on Cisco Blogs.
Cyber-Criminals Impersonating Google to Target Remote Workers
Remote workers have been targeted by up to 65,000 Google-branded cyber-attacks during the first four months of 2020, according to a new report by Barracuda Networks. The study found that Google file sharing and storage websites were used in 65% of nearly 100,000 form-based attacks the security firm detected in this period.
According to the analysis, a number of Google-branded sites, such as storage.googleapis.com, docs.google.com, storage.cloud.google.com and drive.google.com, were used to try and trick victims into sharing login credentials. Google-branded attacks were far in excess of those impersonating Microsoft, with the sites onedrive.live.com, sway.office.com and forms.office.com making up 13% of attacks.
Other form-based sites used by attackers included sendgrid.net (10%), mailchimp.com (4%) and formcrafts.com (2%).
Overall, the use of the Google brand by cyber-criminals to trick users appears to be increasing: Barracuda Networks observed Google-brand impersonation attacks represented 4% of all spear-phishing attacks during the first four months of 2020. This figure is expected to rise, as it has proved to be successful in the harvesting of credentials.
Steve Peake, UK systems engineer manager, Barracuda Networks, outlined: “Brand-impersonation spear-phishing attacks have always been a popular and successful method of harvesting a user’s login credentials, and with more people than ever working from home, it’s no surprise that cyber-criminals are taking the opportunity to flood people’s inboxes with these scams. The sophistication of these attacks has accelerated in recent times: now, hackers can even create an online phishing form or page using the guise of legitimate services, such as forms.office.com, to trick unsuspecting users.”
There has been a substantial rise in phishing attacks recently as a result of the increase in people working from home during the COVID-19 pandemic, with security systems and practices difficult to maintain for many businesses in these circumstances.
Barracuda Networks added that security methods such as multi-factor identification and email security software are especially vital for organizations at this time.
What is NetWalker? NetWalker (also known as Mailto) is the name given to a sophisticated family of Windows ransomware that has targeted corporate computer networks, encrypting the files it finds, and demanding that a cryptocurrency payment is made for the safe recovery of the encrypted data. Ransomware is nothing new. Why should I particularly care […]
Last week, security researcher Bill Demirkapi said that Trend Micro used a trick to get one of its drivers to pass Microsoft's approval process. Trend Micro has withdrawn the driver and says it's working with Microsoft on incompatibility issues that are unrelated to the researcher's findings.
Small and midsize companies don't need to spend money on expensive security products, says cybersecurity consultant Nic Miller, but they must consider several critical factors as they devise their strategies.
At Google, we’ve always believed in the benefits and importance of using open source technologies to innovate. We enjoy being a part of the community and we want to give back in new ways. As part of this effort, we are excited to announce an expansion of our Google Vulnerability Rewards Program (VRP) to cover all the critical open-source dependencies of Google Kubernetes Engine (GKE). We have designed this expansion with the goal of incentivizing the security community to work even more closely with open source projects, supporting the maintainers whose work we all rely on.
The CNCF, in partnership with Google, recently announced a bug bounty program for Kubernetes that pays up to $10,000 for vulnerabilities discovered within the project. And today, in addition to that, we are expanding the scope of the Google VRP program to also include privilege escalation bugs in a hardened GKE lab cluster we've set up for this purpose. This will cover exploitable vulnerabilities in all dependencies that can lead to a node compromise, such as privilege escalation bugs in the Linux kernel, as well as in the underlying hardware or other components of our infrastructure that could allow for privilege escalation inside a GKE cluster.
We have set up a lab environment on GKE based on an open-source Kubernetes-based Capture-the-Flag (CTF) project called kCTF. Participants will be required to:
- Break out of a containerized environment running on a Kubernetes pod and,
- Read one of two secret flags: One flag is on the same pod, and the other one is in another Kubernetes pod in a different namespace.
- Bugs that affect the lab GKE environment that can lead to stealing both flags will be rewarded up to 10,000 USD, but we will review each report on a case-by-case basis. Any vulnerabilities are in scope, regardless of where they are: Linux, Kubernetes, kCTF, Google, or any other dependency. Instructions on how to submit the flags and exploits are available here.
- Bugs that are 100% in Google code, qualify for an additional Google VRP reward.
- Bugs that are 100% in Kubernetes code, qualify for an additional CNCF Kubernetes reward.
The GKE lab environment is built on top of a CTF infrastructure that we just open-sourced on GitHub. The infrastructure is new, and we are looking forward to receiving feedback from the community before it can be actively used in CTF competitions. By including the CTF infrastructure in the scope of the Google VRP, we want to incentivise the community to help us secure not just the CTF competitions that will use it, but also GKE and the broader Kubernetes ecosystems.
In March 2020, we announced the winner for the first Google Cloud Platform (GCP) VRP Prize and since then we have seen increased interest and research happening on Google Cloud. With this new initiative, we hope to bring even more awareness to Google Cloud by experienced security researchers, so we can all work together to secure our shared open-source foundations.
Last month, after the dust had settled from the move from office to remote work, we took a look at ways you could improve your security posture. In it, we discussed how you can shore up older and personal devices now being used for work tasks, how to reduce your security footprint with company-sanctioned software, and ways to ensure that connections back into the company network are secure.
This month, we decided to take a look at some of the trends we’ve seen in a shifting threat landscape, including attackers who are adapting their techniques to take advantage of new opportunities. When you understand what they’re doing, it’s easier to mount a better defense against new trends in the threat landscape.
The great migration
Before diving into what attackers are up to, let’s take a look at just how significant the shift to remote work has been. To do this, we took a look at traffic running through Cisco Umbrella’s DNS servers to see where it was coming from, giving us a snapshot of internet activity. In particular, we looked at distinct IP addresses, sorting them into remote and office groupings. The following chart shows the trend for the total number of IP addresses known to be remote each week.
In mid-March, we can see a marked increase in remote connections. While it’s interesting to note an inverse correlation between office-based connections to Umbrella (declining) and remote connections (increasing), even more interesting is by how much remote connections increased.
Comparing the first and last weeks of March, the number of remote workers had effectively doubled. This means that IT teams have been dealing with setting up a lot of remote workers. This can potentially spread resources thin and, given the number of new remote connections, requires attention to look out for threats in this expanded environment. (Note: new Umbrella customers who have recently signed up to our Umbrella trial have been filtered out in the above chart.)
A topical shift in spam
It’s not news that spammers leverage the latest big stories in their emails in order to help spread their wares. The pandemic has been no exception. As reported by Talos on a number of occasions, threat actors have used it in a wide variety of malicious campaigns.
Some campaigns have sent out malicious emails that appear to share government information on the pandemic, while others claim to contain information regarding government stimulus payments. This shift to pandemic-related campaigns is so pronounced that malicious spam campaigns focusing on package delivery have pivoted to claim that deliveries have been postponed due to the pandemic:
What’s interesting is not just the variety of email scams and tricks being peddled on the threat landscape, but the volume of pandemic-related spam campaigns. To determine just how much spam contained pandemic-based themes, Talos looked at distinct emails sent out that contained the terms “pandemic,” “COVID-19,” and “corona.”
While emails containing these keywords first began to grow in early February, there is a clear increase in mid-March, when the pandemic was constantly in the headlines, coinciding with the migration to remote work discussed above. At its peak, more than 20 percent of all email observed by Talos referenced the pandemic. (Note: the regular dips in the chart coincide with weekends. It’s also worth noting that a portion of ham or marketing emails were also mentioning the pandemic during this time.)
In early April, researchers from Umbrella took a look at the increase in malicious domains that bad actors were leveraging to carry out attacks. According to Umbrella researchers, on March 19th, enterprise customers connected to 47,059 domains that contain “covid” or “corona” in the name. Of these, four percent were blocked as malicious.
We decided to revisit this data to see what has happened two months later. By May 19th, this number had increased to 71,286 domains, where 34 percent of them were blocked as malicious.
Despite this being a marked increase from March, late April appears to be the point where the most malicious activity took place. During this time the percentage of domains blocked as malicious frequently crossed 50 percent, even peaking as high as 75 percent. While this declined in early May, the percentage of malicious domains regularly sat between 30-40 percent in mid- to late-May.
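To make the measurement method concrete, here is an added example (not Cisco's or Umbrella's code) that applies the same approach to a constructed DNS query log: distinct client IPs are split into office and remote by an assumed office CIDR, and the distinct domains containing "covid" or "corona" are counted together with the share of them that was blocked. The log lines, the field layout and the address ranges are all assumptions for the example.

```python
import ipaddress
from collections import Counter

# Constructed sample DNS query log for this example (not Umbrella data).
# One record per line: "timestamp client_ip domain action".
SAMPLE_DNS_LOG = """\
2020-03-19T08:01:02Z 10.10.1.15 covid19-relief-update.example blocked
2020-03-19T08:01:09Z 10.10.1.15 covid19-relief-update.example blocked
2020-03-19T08:02:30Z 203.0.113.7 corona-tracker-map.example allowed
2020-03-19T08:03:11Z 198.51.100.23 www.example.org allowed
2020-03-19T08:04:45Z 198.51.100.23 coronavirus-stimulus-check.example blocked
2020-03-19T08:05:00Z 10.10.2.40 covid-statistics.example allowed
2020-03-19T08:06:13Z 203.0.113.7 mail.example.net allowed
"""

# Assumed office egress range; any other client address is treated as a remote worker.
OFFICE_NETWORKS = [ipaddress.ip_network("10.10.0.0/16")]
THEME_KEYWORDS = ("covid", "corona")


def parse_dns_log(text):
    """Yield one dict per log line; the field order is the constructed format above."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, domain, action = line.split()
        yield {"ts": ts, "client": ipaddress.ip_address(client),
               "domain": domain.lower(), "action": action}


def is_office(addr):
    return any(addr in net for net in OFFICE_NETWORKS)


def themed_domain_stats(records):
    """Distinct pandemic-themed domains and the share of them that were blocked."""
    themed = {}
    for r in records:
        if any(k in r["domain"] for k in THEME_KEYWORDS):
            # A domain counts as blocked if any lookup of it was blocked.
            themed[r["domain"]] = themed.get(r["domain"], False) or r["action"] == "blocked"
    total = len(themed)
    blocked = sum(themed.values())
    return {"distinct": total, "blocked": blocked,
            "blocked_pct": round(100.0 * blocked / total, 1) if total else 0.0}


def client_location_counts(records):
    """Distinct client IPs, each classified once as office or remote."""
    seen = {}
    for r in records:
        seen[r["client"]] = "office" if is_office(r["client"]) else "remote"
    return Counter(seen.values())


if __name__ == "__main__":
    recs = list(parse_dns_log(SAMPLE_DNS_LOG))
    print(themed_domain_stats(recs))
    print(client_location_counts(recs))
```

Counting distinct domains rather than raw lookups matters: a single blocked domain resolved thousands of times would otherwise dominate the percentage, which is why the figures in the text are per domain.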
Protect against the trends
Overall, bad actors have upped their activity with pandemic–related themes surrounding malicious spam and domains. The good news is that the systems required to protect your organization from these security risks haven’t shifted much.
For starters, Cisco Umbrella’s cloud-based services can protect users from malicious internet destinations. The malicious domains registered in the last few months are all flagged as malicious within Umbrella’s DNS infrastructure, preventing users within your organization from connecting to them and becoming compromised.
Similarly, Cisco Email Security is well equipped to identify and filter the influx of pandemic-related spam aimed at your users’ inboxes. Its advanced phishing protections and machine learning capabilities can quickly identify these malicious spam campaigns, not just by topic, but by authenticating email identities and understanding behavioral relationships, filtering out spam and preventing attacks.
As we discussed last month, Cisco has expanded and extended trial offerings on a number of security products. Umbrella is one such offering, as is AMP for Endpoints, which can be used to secure the additional remote desktops now on the company network. AMP can help you gain visibility and control of remote devices, allowing you to see where a threat came from, where it’s been, what it’s doing, and, if necessary, isolate compromised endpoints.
Finally, to secure that remote connection back into the company network, consider using Cisco AnyConnect Secure Mobility Client with Duo Security. AnyConnect can simplify secure access to the company network, while Duo can ensure that the person logging into your network is who they say they are.
Free and expanded offerings for Umbrella, AMP, AnyConnect, and Duo are all available through our Cisco Secure Remote Worker page.
Enjoyed reading this Threat of the Month? Subscribe to the Threat of the Month blog series and get alerted when new blogs are published.
Google Threat Analysis Group (TAG) has published today its first TAG quarterly report that analyzes rising trends in nation-state and financially motivated attacks.
Google also discloses seven coordinated political influence campaigns that took place on its platforms during Q1 2020.
The Google Threat Analysis Group (TAG) is a group inside Google’s security team that tracks operations conducted by nation-state actors and cybercrime groups. Google TAG has published today its first TAG quarterly report, the Q1 2020 TAG Bulletin, which provides insights into the campaigns monitored in the first quarter of 2020.
The report includes recent findings on government-backed phishing, threats, and disinformation campaigns, as well as information about the actions the tech giant has taken against accounts involved in coordinated influence campaigns.
The first worrying trend reported by Google is the rise of hack-for-hire companies currently operating out of India.
Another trend was the rising number of political influence campaigns carried out by nation-state actors worldwide.
Experts confirm that threat actors continue to use COVID-19 lures; the pandemic has taken center stage in the world of government-backed hacking. Google continues to uncover COVID-19-themed attacks, with groups such as the Iran-linked Charming Kitten focusing on medical and healthcare professionals, including World Health Organization (WHO) employees.
Experts reported new activity from “hack-for-hire” firms, many based in India, that are using Gmail accounts spoofing the WHO to target business leaders in financial services, consulting, and healthcare corporations within numerous countries including, the U.S., Slovenia, Canada, India, Bahrain, Cyprus, and the UK.
The lures are designed to trick victims into signing up for direct notifications from the WHO to stay informed of COVID-19 related announcements, and link to websites under the control of the attackers that clone the official WHO website.
“We’ve seen new activity from “hack-for-hire” firms, many based in India, that have been creating Gmail accounts spoofing the WHO,” said Shane Huntley, head of Google TAG.
“The accounts have largely targeted business leaders in financial services, consulting, and healthcare corporations within numerous countries including, the US, Slovenia, Canada, India, Bahrain, Cyprus, and the UK.”
While there are many hack-for-hire companies around the world, most are located in the EU, Israel, and some Arab countries.
This is the first time that a report references the activity of hack-for-hire Indian companies.
The Google TAG also investigated groups that have also engaged in coordinated social and political influence campaigns.
The TAG team tracked a total of seven influence operations in Q1 2020.
In January Google terminated three YouTube channels as part of a coordinated influence operation linked to Iranian state-sponsored International Union of Virtual Media (IUVM) news organization.
In February, the company terminated one advertising account and 82 YouTube channels that were employed in a coordinated influence operation linked to Egypt.
The campaign was sharing political content in Arabic that was supportive of Saudi Arabia, the UAE, Egypt, and Bahrain and critical of Iran and Qatar, and was tied to the Cairo-based digital marketing firm New Waves.
In March, TAG terminated five different influence operations.
- Three advertising accounts, one AdSense account, and 11 YouTube channels part of a coordinated influence operation linked to India sharing pro-Qatar messages.
- Google banned one Play Store developer and terminated 68 YouTube channels as part of a coordinated influence operation sharing political content in Arabic supportive of Turkey and critical of the UAE and Yemen.
- Google also terminated one advertising account, one AdSense account, and 17 YouTube channels, and banned one Play developer, involved in a coordinated influence operation linked to Egypt that was supportive of Saudi Arabia, the UAE, Egypt, and Bahrain and critical of Iran and Qatar.
- Google also banned one Play developer and terminated 78 YouTube channels used in a coordinated influence operation linked to Serbia.
- Google also shut down 18 YouTube channels that were part of a coordinated influence operation linked to Indonesia.
“Since March, we’ve removed more than a thousand YouTube channels that we believe to be part of a large campaign and that were behaving in a coordinated manner. These channels were mostly uploading spammy, non-political content, but a small subset posted primarily Chinese-language political content similar to the findings of a recent Graphika report. We’ll also share additional removal actions from April and May in the Q2 Bulletin.” concludes Google.
(SecurityAffairs – Google TAG, nation-state acting)
The post Google TAG report Q1 details about nation-state hacking and disinformation appeared first on Security Affairs.
Security researchers witnessed the deployment of PonyFinal ransomware at the end of extended human-operated attack campaigns. In a series of tweets, Microsoft Security Intelligence revealed it had observed human-operated campaigns lying in wait for the right moment to deploy PonyFinal ransomware as their final payload. In their operations, the attackers used brute force attacks against […]… Read More
The post PonyFinal Ransomware Delivered by Extended Human-Operated Attacks appeared first on The State of Security.
Cybercrime is any criminal activity in which a computer or network device is the target, the tool, or both. Some cybercrimes attack computers or other devices directly in order to disable them. In others, cybercriminals use computers for their own ends: to distribute malicious code, to obtain information illegally, or to obtain cryptocurrency. Dividing cybercrimes into separate categories is not easy because there are so many of them, which is why students often ask a paper writing service for professional help when they need to write about cybercrime.
Hacker attacks have long ceased to be the intellectual pastime of lone, sophisticated IT enthusiasts. Today there are many specialists who carry out various types of cyberattacks. The cyberattack itself is only a means of achieving a certain goal, and economic and political goals prevail: money and power are powerful incentives for resorting to cybercrime. Organizations with established online businesses that actively use electronic payment systems, and the network resources of political parties and movements, are therefore the primary targets of cybercriminals of varying skill levels. That does not rule out one-off actions by individuals, or individuals running their own criminal business, which can adversely affect any of us.
How Do Cybercriminals Commit Their Crimes?
There are four main ways in which cybercriminals exploit what the Internet offers.
- The first, and the one many people fear most, is the use of malware. There are many ways of compromising critical systems, which is why it is important to apply various security measures, for example setting long passwords and updating software regularly. This type of attack is based on the abuse of computers, DNS servers, networks, domains and subdomains. Bear in mind that Windows systems are attacked far more often than Linux systems.
- The second is the DDoS attack, in which an attacker uses a network protocol to flood a server or service with a huge number of requests. The main goal of this type of attack is to take the target offline.
- The third is a combination of social engineering and malicious code. The best-known form of this type of attack is phishing, in which a victim is tricked into taking a certain action (clicking a link in an email or an image, visiting a site, etc.) that subsequently leads to infection of the system by the first method.
- The fourth is illegal activity as such: harassment, the recording and distribution of illegal content, grooming, etc. In this case, the attackers hide their traces through anonymous profiles, encrypted messages, and other similar technologies.
What Are the Steps of Cyber Crime Investigation?
At the very beginning, law enforcement officials should assess the current situation in order to understand clearly what happened, what information was accessed unlawfully, and what solid facts point to illegal activity. Officials need technical evidence and legal grounds before they are entitled to collect further information. At the next stage, a decision can be made to open a criminal case. Other qualified experts then investigate it, supported by specialists in computer forensics and cybersecurity. For a court to pronounce a sentence under the current criminal procedure legislation, the authorities must take certain steps:
- Find solid evidence that the crime took place and determine when, where, and how exactly it was committed;
- Find those who are guilty of the crime and provide solid arguments proving the guilt of one person or a group of people;
- Define the circumstances that can prove the identity of the guilty person;
- Determine the negative consequences of the crime that took place;
- Find out what factors led to the crime.
Today, one can find a good private agency that will carry out all the steps listed above.
Why Is the Computer-Technical Expertise a Must?
The purpose of computer-technical expertise is to identify digital traces that can be connected with particular people, to assess how those traces fit a given situation, and to select the activities that are significant for the forensic case. It is necessary to identify which traces can serve as the foundation of the investigation. A vital issue is presenting the results of the examination so that even a specialist without solid IT knowledge, such as the lawyers, judges, and other professionals involved in the legal proceedings, has a clear understanding of the situation.
Generally accepted models of digital data analysis for judicial purposes:
- The model of providing the maximum speed of digital data processing and focused on solving typical (standard) tasks;
- An individual approach, “thorough” and focused on rare or simply unique tasks.
The first model uses professional digital equipment and specialized forensic software such as EnCase, but it leaves practically no room for considering the individual technique used to prepare and commit a particular cybercrime. The individual model, on the contrary, takes into account all the individual characteristics mentioned above, since the expert selects the specialized programs and the examination methodology based on the informational and technological patterns of the particular crime known to him or her. In general, this method allows rare and unusual traces to be found in the information environment that may be used as evidence in a criminal case.
The post The Process of Investigating Cyber Crimes appeared first on .
With a new fuzzing tool created specifically for testing the security of USB drivers, researchers have discovered more than two dozen vulnerabilities in a variety of operating systems. “USBFuzz discovered a total of 26 new bugs, including 16 memory bugs of high security impact in various Linux subsystems (USB core, USB sound, and network), one bug in FreeBSD, three in macOS (two resulting in an unplanned reboot and one freezing the system), and four in … More
The post New fuzzing tool for USB drivers uncovers bugs in Linux, macOS, Windows appeared first on Help Net Security.
Microsoft has recently released a new update for Windows 10 PCs, the Windows 10 May 2020 Update (version 2004, codename Vibranium). Here we will list some of the highlights of this update and see how Quick Heal is compatible with this OS. Few Highlights of Windows 10…
Seems like thermal imaging is the security theater technology of today.
These features are so tempting that thermal cameras are being installed at an increasing pace. They're used in airports and other public transportation centers to screen travelers, increasingly used by companies to screen employees and by businesses to screen customers, and even used in health care facilities to screen patients. Despite their prevalence, thermal cameras have many fatal limitations when used to screen for the coronavirus.
- They are not intended for medical purposes.
- Their accuracy can be reduced by their distance from the people being inspected.
- They are "an imprecise method for scanning crowds" now put into a context where precision is critical.
- They will create false positives, leaving people stigmatized, harassed, unfairly quarantined, and denied rightful opportunities to work, travel, shop, or seek medical help.
- They will create false negatives, which, perhaps most significantly for public health purposes, "could miss many of the up to one-quarter or more people infected with the virus who do not exhibit symptoms," as the New York Times recently put it. Thus they will abjectly fail at the core task of slowing or preventing the further spread of the virus.
Valak malware has changed rapidly over the past six months: it was initially designed as a loader, but it now also implements infostealer capabilities.
The malicious code first appeared in the threat landscape in late 2019. Over the past six months, experts observed more than 30 versions, an evolution that turned the malware from a loader into an infostealer used in attacks against individuals and enterprises.
“The Valak Malware is a sophisticated malware previously classified as a malware loader. Though it was first observed in late 2019, the Cybereason Nocturnus team has investigated a series of dramatic changes, an evolution of over 30 different versions in less than six months.” reads the analysis published by Cybereason. “This research shows that Valak is more than just a loader for other malware, and can also be used independently as an information stealer to target individuals and enterprises. “
The attack chain starts with phishing messages carrying weaponized Microsoft Word documents that contain malicious macros. Upon enabling the macros, a DLL file named “U.tmp” is downloaded and saved to a temporary folder.
“In the first stage, Valak laid the foundation for the attack. In the second stage, it downloads additional modules for reconnaissance activity and to steal sensitive information.” continues the post.
Valak uses two main payloads, project.aspx and a.aspx. The former (the second-stage JavaScript) manages registry keys, task scheduling for malicious activities, and persistence, whereas the latter, named “PluginHost.exe”, is an executable file used to manage additional components.
Valak’s Program class contains the file’s main function, main(), which executes the function GetPluginBytes() to download module components of type “ManagedPlugin”. These components are loaded reflectively into the executable’s memory and give the malware plugin capabilities.
PluginHost.exe implements multiple functions by loading specific modules; below is a list of the modules observed by the experts:
- Systeminfo: responsible for extensive reconnaissance; targets local and domain admins
- Exchgrabber: aims to steal Microsoft Exchange data and infiltrate the enterprise’s mail system
- IPGeo: verifies the geolocation of the target
- Procinfo: collects information about the infected machine’s running processes
- Netrecon: performs network reconnaissance
- Screencap: captures screenshots from the infected machine
The Systeminfo module contains several reconnaissance functions that allow gathering information about the user, the machine, and existing AV products.
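The two observable steps of the chain described above, a macro-enabled Office process dropping a DLL into a temp folder that is then loaded as code, and a script host creating a scheduled task for persistence, can be turned into endpoint detections. The following is an added example, not code from Cybereason or from the article, written over constructed telemetry loosely modeled on Sysmon event IDs (1 = process create, 7 = image load, 11 = file create). The file paths, the regsvr32 loader and the schtasks command line are assumptions; the page only states that the macro drops “U.tmp” in a temporary folder and that the second-stage script handles task scheduling.

```python
import re

# Constructed endpoint telemetry for this example (not real logs). Paths and the
# loader process are assumptions made to exercise the detection logic.
SAMPLE_EVENTS = [
    {"ts": 100, "id": 11, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "target": r"C:\Users\alice\AppData\Local\Temp\U.tmp"},
    {"ts": 101, "id": 1, "image": r"C:\Windows\System32\regsvr32.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r"regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\U.tmp"},
    {"ts": 102, "id": 7, "image": r"C:\Windows\System32\regsvr32.exe",
     "loaded": r"C:\Users\alice\AppData\Local\Temp\U.tmp"},
    {"ts": 110, "id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"schtasks.exe /Create /SC MINUTE /MO 30 /TN Updater /TR C:\Users\alice\AppData\Local\Temp\a.js"},
    # Benign noise: Word's own scratch file is written but never loaded as code,
    # and a service loads a system DLL.
    {"ts": 120, "id": 11, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "target": r"C:\Users\alice\AppData\Local\Temp\~WRD0001.tmp"},
    {"ts": 121, "id": 7, "image": r"C:\Windows\System32\svchost.exe",
     "loaded": r"C:\Windows\System32\ntdll.dll"},
]

OFFICE_PROCS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
TEMP_DIR_RE = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_office_drop_then_load(events, window=600):
    """Flag any file an Office process wrote to a temp folder that a process later
    loaded as an executable image within `window` seconds. Keying on the
    correlation rather than on the file name or the loader catches renamed
    droppers and other loaders (rundll32, a signed host, ...)."""
    drops = {}
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if (ev["id"] == 11 and basename(ev["image"]) in OFFICE_PROCS
                and TEMP_DIR_RE.search(ev["target"])):
            drops[ev["target"].lower()] = ev
        elif ev["id"] == 7:
            drop = drops.get(ev["loaded"].lower())
            if drop and ev["ts"] - drop["ts"] <= window:
                hits.append({"path": ev["loaded"], "dropped_by": drop["image"],
                             "loaded_by": ev["image"]})
    return hits


def find_script_host_persistence(events):
    """Flag scheduled-task creation spawned by a script host, the persistence
    step the article attributes to Valak's second-stage JavaScript."""
    return [ev for ev in events
            if ev["id"] == 1 and basename(ev["image"]) == "schtasks.exe"
            and basename(ev.get("parent", "")) in SCRIPT_HOSTS
            and "/create" in ev.get("cmdline", "").lower()]


if __name__ == "__main__":
    for hit in find_office_drop_then_load(SAMPLE_EVENTS):
        print("drop-then-load:", hit)
    for ev in find_script_host_persistence(SAMPLE_EVENTS):
        print("script-host persistence:", ev["cmdline"])
```

Word writing scratch files to %TEMP% is constant background noise, so the first rule only fires when the dropped file is subsequently mapped as an image; that second event is what an ordinary document never produces.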
Recent Valak variants have been employed in attacks against Microsoft Exchange servers, likely as part of attacks against enterprises.
“More recent versions of Valak target Microsoft Exchange servers to steal enterprise mailing information and passwords along with the enterprise certificate. This has the potential to access critical enterprise accounts, causing damage to organizations, brand degradation, and ultimately a loss of consumer trust.” concludes the post.
“The extended malware capabilities suggest that Valak can be used independently with or without teaming up with other malware. That being said, it seems as though the threat actor behind Valak is collaborating with other threat actors across the E-Crime ecosystem to create an even more dangerous piece of malware.”
(SecurityAffairs – Valak, malware)
The post Valak a sophisticated malware that completely changed in 6 months appeared first on Security Affairs.
Google has released a patch for CVE-2020-0096, a critical escalation of privilege vulnerability in Android that allows attackers to hijack apps (tasks) on the victim’s device and steal data. Dubbed StrandHogg 2.0 because it’s similar to the StrandHogg vulnerability exploited by hackers in late 2019, it affects all but the latest version of Android. The good news is, though, that there is no indication it is being actively used by attackers. About StrandHogg 2.0 (CVE-2020-0096) … More
The post StrandHogg 2.0: Critical Android flaw allows app hijacking, data theft appeared first on Help Net Security.
Check Point Unmasks Hacktivist Who Defaced Nearly 5000 Sites
Security researchers are claiming victory after unmasking an infamous hacktivist who defaced nearly 5000 websites in more than 40 countries over the past few years.
The individual, known online as “VandaTheGod” on Twitter, took to social media to publicize his exploits, sometimes under aliases such as “Vanda de Assis” and “SH1N1NG4M3,” according to Check Point.
This activity first alerted the security firm to his presence, and also provided a trail of clues which ultimately led them to his real identity: an individual living in the south-eastern Brazilian municipality of Uberlandia.
Active since 2013, the hacktivist never reached his stated personal goal of compromising over 5000 websites. However, thousands of government, academic and corporate sites were apparently defaced with anti-government and social justice messages thanks to his work.
In the last year, over half (57%) were located in the US — where victims included the official website of the state of Rhode Island and the city of Philadelphia — while Australia and the Netherlands rounded out the top three targeted countries.
VandaTheGod was also active in his home country, defacing a Brazilian government website with the hashtag #PrayforAmazonia, in response to the increase in rainforest clearing approved by right-wing President Bolsonaro.
However, his motives weren’t always so altruistic, and occasionally strayed into theft of credit card details and log-ins. VandaTheGod is said to have attempted to breach data belonging to public figures, universities and even hospitals, on one occasion offering to sell the medical records of one million New Zealand patients for $200 per record.
“This case highlights the level of disruption that a single, determined individual can cause internationally. Although ‘VandaTheGod’s’ motive originally seemed to be protesting against perceived injustices, the line between hacktivism and cybercrime is thin,” argued Check Point manager of threat intelligence, Lotem Finkelsteen.
“We often see hackers taking a similar path from digital vandalism to credentials and money theft as they develop their techniques. Revealing the person’s true identity and disclosing it to law enforcement should put an end to their extensive disruptive and criminal activities.”
HackerOne announced that hackers have earned $100 million in bug bounties on the HackerOne platform. From $30,000 paid to hackers across the globe in October 2013 — the first month of bounty payments on HackerOne — to $5.9 million paid to hackers in April 2020, working with hackers has proven to be both a powerful way to pinpoint vulnerabilities across digital assets and more than just a past-time. It’s a career. “We started out as … More
The post Hackers awarded $100 million in bug bounties on the HackerOne platform appeared first on Help Net Security.
On this special splinter episode of the podcast, we’re joined by actor and comedian Clare Blackwood in the hope of convincing her that cybersecurity is no laughing matter.
Hear what happens in the latest edition of the “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault.
Scanning your networks and software for security vulnerabilities is essential for keeping your organisation secure, but it’s not a perfect solution.
It will help you identify weaknesses in your system – with new ones being discovered all the time or introduced as a result of system changes – but it only works when combined with other practices and when you have a solid understanding of the information security landscape.
Let’s take a deeper look into the advantages and disadvantages of vulnerability scanning.
Identify vulnerabilities before cyber criminals do
Many cyber attacks are automated, and involve criminals searching for and exploiting known vulnerabilities.
In other words, they’re not creating a vulnerability or finding an obscure weakness through their expert hacking skills. They’re simply looking for vulnerabilities in the same way as anyone with the right scanning software could.
So when organisations use the same tools, they are able to discover weaknesses and fix them before anyone has a chance to exploit them.
Define the level of risk on your systems
Conducting regular vulnerability scans will help you determine the overall effectiveness of your security measures.
If you’re inundated with vulnerabilities, that’s a sign that your systems or software are severely flawed and need to be rethought.
Save time and money
Automated scans are easy to repeat and will save you money in the long term.
That’s because vulnerability scanning mitigates the risks of a data breach, which will come with a range of costs, including remediation, the loss of customers as a result of reputational damage and fines.
Likewise, if you have cyber insurance, you will need to conduct regular vulnerability scans to prove that you were addressing your cyber security responsibilities and to receive your pay-out.
Meet data protection requirements
Vulnerability scanning is not explicitly required by the GDPR (General Data Protection Regulation), but the Regulation does require organisations that process personal data to ensure that they have implemented appropriate technical and organisational security measures – which includes identifying vulnerabilities.
The international standard for information security, ISO 27001, also requires organisations to take similar steps, and the PCI DSS (Payment Card Industry Data Security Standard) includes vulnerability scanning in its list of requirements.
You won’t find every vulnerability
Vulnerability scans aren’t perfect. Like antivirus software, they rely on a database of known weaknesses and are only as good as the latest update.
Conducting scans using outdated or inferior tools therefore means you are liable to miss vulnerabilities and get a false sense of security.
Even with the latest technology, there will almost certainly be weaknesses that the scanner won’t pick up. This might be because it’s newly discovered or because the vulnerability is too complex to be exploited – and thus detected – by an automated tool.
It’s not always easy to work out what the results of a vulnerability scan mean. For example, the tool might mistakenly flag something that looks suspicious as a vulnerability when it isn’t.
As such, without someone with the expertise to interpret the results, it will take a lot longer to determine the true nature of your security posture. Likewise, if you’re unable to filter out false positives, the tool will continue to generate inaccurate results.
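Both limitations above, a stale signature database and false positives, come from the same mechanism: an unauthenticated scanner can usually only match the version string in a service banner against its database. The following added example (not the Vulnerability Scan service's code, nor any real scanner's) shows that mechanism on constructed banners and a hypothetical vulnerability database. The product name, the finding IDs and the "vendor-backport" suffix are all invented for the illustration; the suffix stands in for a distribution that backports a fix without changing the upstream version number, which is the classic source of version-matching false positives.

```python
import re

# Hypothetical vulnerability database for this example (not real CVEs): a finding
# applies when the detected version is older than "fixed_in".
VULN_DB = [
    {"id": "EXAMPLE-2020-0001", "product": "exampled", "fixed_in": "2.4.1", "severity": "high"},
    {"id": "EXAMPLE-2020-0002", "product": "exampled", "fixed_in": "2.3.0", "severity": "medium"},
]

# Constructed service banners as an unauthenticated scanner would see them.
BANNERS = {
    "10.0.0.5": "exampled/2.2.9",
    "10.0.0.6": "exampled/2.4.1",
    "10.0.0.7": "exampled/2.3.4 (vendor-backport 3)",
}

# What an authenticated check (package-manager query on the host) reports: fixes the
# vendor applied without bumping the upstream version. Assumed data for the example.
BACKPORTED_FIXES = {"10.0.0.7": {"EXAMPLE-2020-0001"}}

BANNER_RE = re.compile(r"^(?P<product>[A-Za-z_-]+)/(?P<version>\d+(?:\.\d+)*)")


def version_tuple(v):
    """'2.4.1' -> (2, 4, 1) so that versions compare numerically, not lexically."""
    return tuple(int(p) for p in v.split("."))


def parse_banner(banner):
    m = BANNER_RE.match(banner)
    if not m:
        return None
    return m.group("product"), version_tuple(m.group("version"))


def naive_scan(banners, db=VULN_DB):
    """Version-string matching only: anything the banner reports as older than the
    fix is flagged. Misses nothing the database knows, but cannot see backports."""
    findings = {}
    for host, banner in banners.items():
        parsed = parse_banner(banner)
        if parsed is None:
            continue
        product, version = parsed
        findings[host] = sorted(v["id"] for v in db
                                if v["product"] == product
                                and version < version_tuple(v["fixed_in"]))
    return findings


def scan_with_backport_check(banners, backported=BACKPORTED_FIXES, db=VULN_DB):
    """Same matching, then drop findings the host's package metadata says were
    backported. This is the step that removes the false positive."""
    findings = naive_scan(banners, db)
    return {host: [f for f in ids if f not in backported.get(host, set())]
            for host, ids in findings.items()}


if __name__ == "__main__":
    print("naive:   ", naive_scan(BANNERS))
    print("verified:", scan_with_backport_check(BANNERS))
    # A scan run against an older copy of the database misses the newer finding entirely.
    print("stale db:", naive_scan(BANNERS, VULN_DB[:1]))
```

Running the naive scan against a truncated copy of the database shows the other half of the problem: the medium finding simply disappears from 10.0.0.5, with no indication that anything was missed. Scheduling scans is not enough unless the database refresh is also verified.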
Make the most of vulnerability scanning
Although vulnerability scanning is never a perfect solution, it’s an essential process – and there are ways of maximising the benefits while minimising the drawbacks.
For example, our Vulnerability Scan service combines the benefits of an automated tool with the expertise of a security professional.
The tool will scan for thousands of weaknesses each month, and you’ll receive a detailed vulnerability assessment that gives you a breakdown of the weak spots that you must address.
Ransomware Demands Soared 950% in 2019
Ransomware operators had another standout year in 2019, with attacks and ransom demands soaring according to new data from Group-IB.
The Singapore-based security vendor claimed that, after a relatively quiet 2018, ransomware was back with a vengeance last year, as attack volumes climbed by 40%.
As large enterprises became an increasing focus for attacks, ransom demands also soared: from $8,000 in 2018 to $84,000 last year. That’s a 950% increase.
The “greediest ransomware families with highest pay-off” were apparently Ryuk, DoppelPaymer and REvil, the latter on occasion demanding $800,000.
As mentioned, last year saw an increasing number of attackers focus their efforts on larger targets, often using sophisticated APT-style tactics, according to Group-IB. This included using trojans such as Dridex, Emotet, SDBBot and Trickbot to compromise victims, and post-exploitation frameworks such as Cobalt Strike, CrackMapExec, PowerShell Empire, PoshC2, Metasploit and Koadic to gather information on the targeted network. Data theft also became a popular way to force payment.
Phishing emails continued to be the number one initial threat vector, alongside RDP compromise and websites infected with exploit kits, the security vendor added.
“The year of 2019 was marked by ransomware operators enhancing their positions, shifting to larger targets and increasing their revenues, and we have good reason to believe that this year they will celebrate with even greater achievements,” said Group-IB senior digital forensics specialist, Oleg Skulkin.
“Ransomware operators are likely to continue expanding their victim pool, focusing on key industries, which have enough resources to satisfy their appetites. The time has come for each company to decide whether to invest money in boosting their cybersecurity to make their networks inaccessible to threat actors or risk being approached with ransom demand and go down for their security flaws.”
Ransomware operators have indeed picked up where they left off at the end of 2019, launching a blizzard of attacks against firms struggling to adapt to mass remote working, as well as hospitals fighting COVID-19.
According to Coveware, the average ransom paid in the first three months of the year surged by 33% quarter-on-quarter. However, contrary to Group-IB’s analysis, it claimed that despite the “big game hunting” narrative, most victims are likely to be SMBs.
The average number of employees in ransomware victims was 625 in Q1, with the median a much smaller 62.
#COVID19 Drives Dealers Online as Drugs Supply Soars
The supply of dark web drugs soared nearly 500% over the first few months of this year as dealers took to the internet to continue trading, according to new data from Sixgill.
The cyber-intelligence company monitors multiple underground sites and forums for its customers.
It reported that although the supply of malware, phishing kits, and stolen accounts has been pretty steady over the past 12 months, that of illegal drugs has spiked recently as government lockdowns forced individuals off the streets.
The firm claimed that the number of items for sale in December 2019 stood at 4,154, but this had risen to 24,719 by April 2020 — an increase of 495%.
MDMA postings apparently grew 224%, cannabis postings were up 555%, and cocaine posts spiked 1000% over the period.
“Feedback, while an imperfect metric for purchase volume, is a reliable indicator of the rate of transactions,” Sixgill explained. “Feedback volume for cannabis, cocaine, and MDMA all nearly doubled over the past half year.”
However, despite this surge in online supply and a likely uptick in sales, the underground market was not immune to the same dynamics as legitimate economic sectors.
“As with all online shopping, shipping delays occurred, with dark web chatter suggesting that slower delivery times dinged the reputations of vendors among a cynical customer base that’s always vigilant for scammers. Though the rise in chatter and concerns was temporary, it did make both vendors and consumers more conscious of the risks of international shipping for illegal goods,” the security firm explained.
“While supply surged, demand lagged and never caught up, rising later and at a slower pace. That led to a 10-fold surge in mentions of ‘bargains’ and ‘discounts’ in early 2020. That’s not only a response to oversupply, but a reaction to consumers’ precarious economic situation during the economic freeze.”
The Ke3chang hacking group has added a new malware family dubbed Ketrum to its arsenal; it borrows portions of code and features from the group's older backdoors.
The Ke3chang hacking group (aka APT15, Vixen Panda, Playful Dragon, and Royal APT) has developed new malware dubbed Ketrum by borrowing parts of the source code and features from their older Ketrican and Okrum backdoors.
“In mid May, we identified three recently uploaded samples from VirusTotal that share code with older APT15 implants. We named this new family of samples, “Ketrum”, due to the merger of features in the documented backdoor families “Ketrican” and “Okrum”.” reads the report published by the security firm Intezer.
“We believe the operation was conducted very recently.”
Back in 2013, security researchers at FireEye spotted a group of China-linked hackers conducting an espionage campaign against foreign affairs ministries in Europe. The campaign was named ‘Operation Ke3chang’; the threat actors behind it have since also been spotted targeting personnel at Indian embassies around the world.
In May 2016, researchers from Palo Alto found evidence that the threat actors behind the Operation Ke3chang had been active since at least 2010.
The cyber-espionage group is believed to operate out of China; it has also targeted military and oil-industry entities, government contractors, and European diplomatic missions and organizations.
Intezer researchers recently discovered three Ketrum backdoor samples uploaded to the VirusTotal platform and noticed that they reuse part of the source code and features of Ke3chang’s Ketrican and Okrum backdoors.
“Both Ketrum samples resemble a similar layout to previous Ke3chang tools, apart from low-level implementation and use of system APIs,” continues the analysis. “Even in the two Ketrum samples, there are differences between the low-level APIs used to achieve the same functionality.”
The three Ketrum samples connected to the same China-based command and control server and were used in two different time periods.
The command and control (C2) server was shut down during mid-May after the Ketrum samples were spotted.
The features Intezer compares across Ketrican, Okrum and the two Ketrum samples are:
- Identify installed proxy servers and use them for HTTP requests
- Special folder retrieval using registry key HKEY_CURRENT_USER\Software\
- The response from the server is an HTTP page with backdoor commands and arguments included in the HTML fields
- Backdoor commands are determined by a hash value received from the C2
- Communication with the C&C server is hidden in the Cookie and Set-Cookie headers of HTTP requests
- Impersonate a logged-in user’s security context
- Create a copy of cmd.exe in the working directory and use it to interpret backdoor commands
- Usual Ke3chang backdoor functionality: download, upload, execute files/shell commands and configure sleep time
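Two of the behaviours in that list lend themselves to detection logic on telemetry most environments already collect. Below is an added example, not Intezer's code and not from the Ke3chang implants; the proxy log lines and process-creation events are constructed for the example, and the field names and thresholds (48 characters, 4 bits per character, three matching indicators) are assumptions to tune against your own baseline. It scores cookie traffic for the properties a Cookie/Set-Cookie covert channel tends to have (a cookie the server never issued, a bare-IP host, a long high-entropy value) and lists cmd.exe processes that run from outside the Windows system directories, which is what a copied interpreter looks like in process telemetry.

```python
import math
import re
from collections import defaultdict

# Constructed proxy log, tab-separated: time, client, method, host, path,
# request Cookie header ("-" if none), response Set-Cookie header ("-" if none).
# These lines are made up for this example; they are not captured Ketrum traffic.
PROXY_LOG = """\
2020-05-15T10:01:02Z\t10.0.0.5\tGET\twww.example.com\t/login\t-\tSESSION=a1b2c3d4e5f6; Path=/
2020-05-15T10:01:05Z\t10.0.0.5\tGET\twww.example.com\t/home\tSESSION=a1b2c3d4e5f6\t-
2020-05-15T10:02:10Z\t10.0.0.5\tGET\t203.0.113.10\t/index.php\tSESSID=kT9xZ2LqWv0BhYc7RpNm4dAeJs1FuGoH8lXiQn3VbEwMy5CjDr6OtKgPzUaI+/fS==\t-
2020-05-15T10:02:11Z\t10.0.0.5\tGET\t203.0.113.10\t/index.php\t-\tSESSID=dU8wQkRzTnJaVmxJZ1BqWHZPbUdYeUlLcHRzZ2xiYW5jb3dxdXZhZWFkZ3ZldHk=; Path=/
"""

FIELDS = ("time", "client", "method", "host", "path", "cookie", "set_cookie")
BARE_IP = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_log(text):
    return [dict(zip(FIELDS, line.split("\t"))) for line in text.splitlines() if line.strip()]


def shannon_entropy(s):
    """Bits per character; base64 of encrypted or compressed data lands close to 6."""
    if not s:
        return 0.0
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def cookie_value(header):
    """Value part of 'NAME=value; attr=...' or '' when the header is absent."""
    if header == "-" or "=" not in header:
        return ""
    return header.split(";", 1)[0].split("=", 1)[1]


def score_cookie_events(records, min_len=48, min_entropy=4.0):
    """Return (score, reasons, record) for every cookie-bearing record with at least one indicator."""
    seen_set_cookie = set()  # hosts that have legitimately issued a cookie earlier in the log
    results = []
    for rec in records:
        reasons = []
        if rec["cookie"] != "-":
            # A cookie the server never set is state the client invented: the hallmark of a covert channel.
            if rec["host"] not in seen_set_cookie:
                reasons.append("cookie sent without any prior Set-Cookie from host")
            value = cookie_value(rec["cookie"])
        else:
            value = cookie_value(rec["set_cookie"])
        if rec["set_cookie"] != "-":
            seen_set_cookie.add(rec["host"])
        if not value:
            continue
        if BARE_IP.match(rec["host"]):
            reasons.append("host is a bare IP address")
        if len(value) >= min_len:
            reasons.append("cookie value unusually long (%d chars)" % len(value))
        ent = shannon_entropy(value)
        if ent >= min_entropy:
            reasons.append("cookie value looks encoded or encrypted (%.1f bits/char)" % ent)
        if reasons:
            results.append((len(reasons), reasons, rec))
    return results


def flagged_hosts(records, threshold=3):
    """Hosts with at least one cookie event scoring >= threshold indicators."""
    return sorted({rec["host"] for score, _, rec in score_cookie_events(records) if score >= threshold})


# Constructed process-creation events with Sysmon-style field names (made up).
PROCESS_EVENTS = [
    {"Image": "C:\\Windows\\System32\\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"Image": "C:\\Users\\Public\\Libraries\\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "ParentImage": "C:\\Users\\Public\\Libraries\\update.exe"},
    {"Image": "C:\\Windows\\SysWOW64\\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
]
EXPECTED_CMD_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def copied_cmd_interpreters(events):
    """Image paths of processes that are cmd.exe by PE name but run from outside the system directories."""
    return [ev["Image"] for ev in events
            if ev.get("OriginalFileName", "").lower() == "cmd.exe"
            and not ev["Image"].lower().startswith(EXPECTED_CMD_DIRS)]


if __name__ == "__main__":
    for score, reasons, rec in score_cookie_events(parse_log(PROXY_LOG)):
        print(rec["time"], rec["host"], score, "; ".join(reasons))
    print("flagged hosts:", flagged_hosts(parse_log(PROXY_LOG)))
    print("copied cmd.exe:", copied_cmd_interpreters(PROCESS_EVENTS))
```

The entropy and length checks alone will fire on plenty of legitimate session tokens, which is why the score requires several indicators together; the strongest single signal is a cookie sent to a host that never issued one, because that is something the implant has to do regardless of how it encodes the payload.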
The Ketrum 1 sample was uploaded to VirusTotal in December 2019 and carries a fake January 7, 2010, timestamp. It implements many features from Okrum while abandoning Okrum’s more advanced features.
The newer Ketrum 2 seems to have been built for minimalism, dropping most of the features of the Ke3chang backdoors that the operators no longer need.
“Unlike the Ketrican variant, Ketrum implants no longer try to weaken the system’s security configurations. In previous implants, Powershell was used for this end.” states the report.
“The group continues to morph its code and switch basic functionalities in their various backdoors. This strategy has been working for the group for years and there is no indication yet that it will deviate from this modus operandi.”
Intezer’s report includes indicators of compromise (IoCs) and additional details regarding the new Ketrum malware.
The post Ke3chang hacking group adds new Ketrum malware to its arsenal appeared first on Security Affairs.