Monthly Archives: August 2020

Qualcomm and MediaTek Wi-Fi chips impacted by Kr00k-Like attacks

Wi-Fi chips manufactured by Qualcomm and MediaTek are impacted by vulnerabilities similar to the Kr00k issue disclosed early this year.

Earlier this year, ESET researchers disclosed Kr00k, a high-severity hardware vulnerability that affects Wi-Fi chips manufactured by Broadcom and Cypress.

The Kr00k vulnerability, tracked as CVE-2019-15126, could be exploited by nearby remote attackers to intercept and decrypt some wireless network packets transmitted over-the-air by a vulnerable device.

An attacker can exploit the Kr00k issue without being connected to the victim’s wireless network; the vulnerability works against vulnerable devices using the WPA2-Personal or WPA2-Enterprise protocols with AES-CCMP encryption.


An attacker could exploit the Kr00k vulnerability after forcing a device to disconnect from a Wi-Fi network.

Experts pointed out that the vulnerability does not reside in the Wi-Fi encryption protocol itself; instead, the issue lies in the way some chips implement the encryption. The researchers also noted that communications protected by TLS cannot be recovered by exploiting this vulnerability.

The flaw doesn’t affect modern devices using the WPA3 protocol.

Both Broadcom and Cypress addressed the flaw by releasing security patches. Impacted products included devices from Amazon, Apple, Asus, Huawei, Google, Samsung, and Xiaomi.

Wi-Fi chips from Qualcomm, Ralink, Realtek and MediaTek are not impacted by the Kr00k issue, but unfortunately, ESET experts discovered that they are affected by similar flaws.

Qualcomm Wi-Fi chips are impacted by a vulnerability tracked as CVE-2020-3702; an attacker could steal sensitive data after triggering a disassociation. Unlike Kr00k attacks, the attacker cannot access all the encrypted data, because the process doesn’t use a single all-zero key for encryption.

“One of the chips we looked at, aside from those from Broadcom and Cypress, was by Qualcomm. The vulnerability we discovered (which was assigned CVE-2020-3702) was also triggerable by a disassociation and led to undesirable disclosure of data by transmitting unencrypted data in the place of encrypted data frames – much like with KrØØk. The main difference is, however, that instead of being encrypted with an all-zero session key, the data is not encrypted at all (despite the encryption flags being set).” reads the analysis published by ESET.

The ESET researchers discovered that the issue affects some of the devices they tested, including D-Link DCH-G020 Smart Home Hub and the Turris Omnia wireless router. This means that any other unpatched devices using the vulnerable Qualcomm chipsets will also be vulnerable.

Qualcomm addressed the issue by releasing a security patch for its proprietary driver in July, but experts pointed out that some devices use open-source Linux drivers and it’s not clear if those will be patched as well.

Experts found a similar issue affecting MediaTek Wi-Fi chips that don’t use encryption at all. The impacted chips are used in Asus routers and even in the Microsoft Azure Sphere development kit.

“One of the affected devices is the ASUS RT-AC52U router. Another one is the Microsoft Azure Sphere development kit, which we looked into as part of our Azure Sphere Security Research Challenge partnership.” continues the research.

“Azure Sphere uses MediaTek’s MT3620 microcontroller and targets a wide range of IoT applications, including smart home, commercial, industrial and many other domains,”

MediaTek released patches in March and April, while the Azure Sphere OS was patched in July.

ESET experts have released a script that could allow users to determine if a device is vulnerable to Kr00k or similar attacks.
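The symptom ESET describes for the Qualcomm flaw, data frames whose encryption flags are set but whose body is not encrypted, can be checked for heuristically in a packet capture. The following Python is an added example and is not ESET's published script; it assumes raw 802.11 frames with any radiotap header already stripped, assumes a leaked plaintext payload opens with an LLC/SNAP header, and the frames at the bottom are constructed.

```python
"""Heuristic scan of raw 802.11 data frames for the symptom ESET describes:
the Protected Frame bit is set, yet the body carries plaintext.
Added example, not ESET's tool. Assumes radiotap headers are already stripped
and that a leaked plaintext payload opens with an LLC/SNAP header (an assumption)."""

# IEEE 802.2 LLC + SNAP header that starts almost every plaintext 802.11 data payload.
LLC_SNAP = bytes.fromhex("aaaa03000000")
CCMP_HDR_LEN = 8  # CCMP header: PN0, PN1, reserved, KeyID/ExtIV, PN2..PN5


def frame_control(frame):
    """Return (type, subtype, flags) decoded from the 2-byte Frame Control field."""
    fc, flags = frame[0], frame[1]
    return (fc >> 2) & 0x3, (fc >> 4) & 0xF, flags


def mac_header_len(frame):
    """Data-frame MAC header: 24 bytes, +6 with Address 4 (ToDS and FromDS), +2 for QoS Control."""
    _, subtype, flags = frame_control(frame)
    length = 24
    if flags & 0x03 == 0x03:  # both ToDS and FromDS: 4-address (WDS) frame
        length += 6
    if subtype & 0x8:         # QoS Data subtypes (8..15) carry a QoS Control field
        length += 2
    return length


def classify(frame):
    """Return None if the frame looks normal, else a reason string describing why it
    appears to advertise encryption while carrying a recognisable plaintext payload."""
    if len(frame) < 24:
        return None
    ftype, _, flags = frame_control(frame)
    if ftype != 2:            # only data frames carry user payload
        return None
    if not flags & 0x40:      # Protected Frame bit clear: ordinary open traffic, not this bug
        return None
    body = frame[mac_header_len(frame):]
    # Where the leaked plaintext sits is an assumption; both plausible layouts are checked.
    if body[:6] == LLC_SNAP:
        return "protected flag set, plaintext LLC/SNAP where the CCMP header should be"
    if body[CCMP_HDR_LEN:CCMP_HDR_LEN + 6] == LLC_SNAP:
        return "protected flag set, plaintext LLC/SNAP after the CCMP header"
    return None


def scan(frames):
    """Return [(index, reason)] for every suspicious frame in a list of raw frames."""
    hits = []
    for i, frame in enumerate(frames):
        reason = classify(frame)
        if reason:
            hits.append((i, reason))
    return hits


def build_data_frame(flags, body, qos=False):
    """Constructed 3-address data frame: FC, Duration, Addr1..3, Seq Ctrl[, QoS Ctrl], body."""
    fc = 0x88 if qos else 0x08  # type 2 (data); subtype 8 (QoS Data) or 0 (Data)
    header = bytes([fc, flags]) + b"\x00\x00"                                 # Frame Control, Duration
    header += bytes.fromhex("001122334455" "0a0b0c0d0e0f" "101112131415")   # constructed MAC addresses
    header += b"\x10\x00"                                                     # Sequence Control
    if qos:
        header += b"\x00\x00"                                                 # QoS Control
    return header + body


# Constructed sample capture. Flags 0x41 = Protected | ToDS; 0x01 = ToDS only.
CCMP_HDR = bytes.fromhex("0100002000000000")                                  # PN=1, ExtIV set, KeyID 0
IP_PAYLOAD = bytes.fromhex("0800" "4500003c1c4640004006b1e6c0a80064c0a80001")  # EtherType + IPv4 header
CAPTURE = [
    build_data_frame(0x41, CCMP_HDR + bytes.fromhex("5a0ce94f1b88d7a3e2c611903f7be2a4")),  # genuinely encrypted
    build_data_frame(0x41, LLC_SNAP + IP_PAYLOAD),                       # flagged protected, raw plaintext
    build_data_frame(0x41, CCMP_HDR + LLC_SNAP + IP_PAYLOAD, qos=True),  # flagged protected, plaintext after CCMP hdr
    build_data_frame(0x01, LLC_SNAP + IP_PAYLOAD),                       # open network: plaintext is expected
]

if __name__ == "__main__":
    for idx, reason in scan(CAPTURE):
        print(f"frame {idx}: {reason}")
```

Because CCMP ciphertext is indistinguishable from random bytes, a genuine match on the six LLC/SNAP bytes in a frame that claims to be protected is strong evidence that the chip transmitted plaintext.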

Pierluigi Paganini

(SecurityAffairs – hacking, Kr00k)

The post Qualcomm and MediaTek Wi-Fi chips impacted by Kr00k-Like attacks appeared first on Security Affairs.

Weekly Update 203


What. A. Week. I've been absolutely non-stop publishing data breaches to HIBP whilst simultaneously putting in place the framework to start advising NordVPN on their cybers and open sourcing the HIBP code base at the same time (and a bunch of other more boring stuff that didn't make the cut). That's all explained in this week's update so I won't drill further into it here; there are obviously a couple of big announcements, so if you have any questions, drop them in the comments below and I'll either answer them there or take them up in next week's update.


References

  1. Our state border to the south is now in a "hard" lockdown (that link is for the stats state by state)
  2. Breaches, breaches, breaches (have a look at just how much has gone into HIBP in the last couple of weeks)
  3. I'm genuinely excited about working with NordVPN as a strategic adviser (I'm still independent, I'll still be very candidly expressing my views, I just want to make a positive impact on the industry)
  4. Speaking of positive impacts, how about that HIBP open source stuff? 😎 (absolutely, emphatically, resoundingly positive feedback on this one!)
  5. Sponsored by Tines: Breaches are inevitable and early detection is crucial. Assure yourself what's next with security automation part 1.

Reddit massive hack: hackers defaced channels with pro-Trump messages

Reddit suffered a massive hack, threat actors compromised tens of Reddit channels and defaced them showing messages in support of Donald Trump’s campaign.

Reddit suffered a massive hack in which threat actors defaced tens of channels to display messages in support of Donald Trump’s reelection campaign.

At the time of writing, the massive hack is still ongoing and Reddit’s security team is working to restore the operations.

Below is a list of some of the impacted subreddits, some of which have tens of millions of members:

According to Reddit, the hacker compromised several subreddit moderator accounts.

Owners of channels facing security issues can report problems in the Reddit ModSupport thread; in the meantime, they are advised to enable two-factor authentication (2FA) on their accounts and to change their passwords.

Indicators of compromise for a Reddit moderator account are:

• an email notification that the password and/or email address on the account changed, when the moderator did not request the change
• authorized apps on the profile that the moderator does not recognize
• unusual IP history on the account activity page
• votes, posts, comments, or moderation actions the moderator does not remember making, or private messages they do not remember sending

One of the moderators whose account was compromised published the details of the actions the attackers performed from it.

“Help! I’ve been hacked by some bizarre pro-trump bot! It wrecked my subreddit’s style sheet, deleted all mods below me, updated the wiki… I’m in way over my head. What can I do? PSA: Change your passwords and enable 2-factor authentication!” reads the title of the discussion.

Once the attacker had taken control of the mod’s account, he changed the subreddit’s CSS stylesheet, deleted all mods with fewer permissions than him, and changed the community’s wiki.

Finally, the hacker published the message: “We Stand With Donal Trump #MIGA2020.”

The Twitter account https://twitter.com/advanceHCAjobs claimed responsibility for the massive Reddit hack, but the account has since been suspended. While the hackers were targeting subreddits, they were asking Twitter users to vote on them.

Source BleepingComputer

In June, Reddit banned a channel of President Trump supporters, r/The_Donald, after it received reports of harassment, bullying, and threats of violence.

Pierluigi Paganini

(SecurityAffairs – hacking, Trump)

The post Reddit massive hack: hackers defaced channels with pro-Trump messages appeared first on Security Affairs.

Qualcomm Bugs Open 40 Percent of Android Handsets to Attack

Researchers identified serious flaws in Qualcomm’s Snapdragon SoC and the Hexagon architecture that impact nearly half of Android handsets.

Threat Roundup for July 31 to August 7

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between July 31 and August 7. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.


The post Threat Roundup for July 31 to August 7 appeared first on Cisco Blogs.

Friday Squid Blogging: New SQUID

There's a new SQUID:

A new device that relies on flowing clouds of ultracold atoms promises potential tests of the intersection between the weirdness of the quantum world and the familiarity of the macroscopic world we experience every day. The atomtronic Superconducting QUantum Interference Device (SQUID) is also potentially useful for ultrasensitive rotation measurements and as a component in quantum computers.

"In a conventional SQUID, the quantum interference in electron currents can be used to make one of the most sensitive magnetic field detectors," said Changhyun Ryu, a physicist with the Material Physics and Applications Quantum group at Los Alamos National Laboratory. "We use neutral atoms rather than charged electrons. Instead of responding to magnetic fields, the atomtronic version of a SQUID is sensitive to mechanical rotation."

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

Persistent memory – reshaping advanced analytics to improve customer experiences

Written by Denis Gaudreault, country manager, Intel Canada   175 zettabytes…. That is IDC’s prediction for how much data will exist in the world by 2025. Millions of devices generate this data – everything from the cell phone in our pockets and PCs in our homes and offices, to computer systems and sensors integrated into…

Blackbaud Breach Impacts National Trust Volunteers


Britain's National Trust has warned volunteers of a data breach linked to a cyber-attack on US cloud computing and software provider Blackbaud in May.

The charity and membership organization for heritage conservation in England, Wales, and Northern Ireland has been contacting volunteers by email to notify them of the breach.

National Trust data exposed as a result of the ransomware attack on Blackbaud belongs to past and present volunteers and applicants for the trust's volunteer program. 

Compromised information includes name, date of birth, gender, address, and contact details. The Trust assured its volunteers that while some sensitive information pertaining to equality monitoring was affected, no financial data was exposed. 

In an August 7 email to users of its volunteer program, the National Trust's CIO, Jon Townsend, wrote: "Our membership systems and data were not affected."

Townsend said Blackbaud reached out to the Trust in July to inform them about the cyber-attack. The company said that all the data stolen in the attack related to Blackbaud's systems only and has since been destroyed. 

The National Trust has reported the incident to the Information Commissioner’s Office, the UK’s regulator for data protection. The organization has set up an email address that any concerned volunteers can contact for more information about the data breach.

In the August 7 breach notification email, Townsend wrote: "On 16 July 2020 we were contacted by Blackbaud, the company that holds some of our volunteering data, to tell us that they’d been the victim of a cyber-attack."

Townsend told Trust volunteers that no action was required from them and apologized for any concern that may have been caused by the breach.

"We take data protection extremely seriously at the National Trust," wrote Townsend. "We’re looking again at the security of how data is managed and working closely with Blackbaud to discover exactly what happened."

A quick primer on graph databases

Graph databases have moved from a topic of academic study into the mainstream of information technology in the last few years. Now business analysts are confronted with the need to better understand: What business problems do graph databases address well? What advantages do graph databases offer over widely-implemented relational databases? What issues emerge as graph…

Exploring the Forgotten Roots of ‘Cyber’

Cyber Always Points to the Future, But It Has a Past
One day, you may drive your Tesla Cybertruck on Cyber Monday to your cybersecurity job, backed by a cyber insurance policy as you safeguard cyberspace against the threat of cyberwar. Or cyber whatever, since we've obviously entered the era of "maximum cyber." But what does cyber even mean?

Cybrary Releases Free Cybersecurity Courses


The world’s largest online cybersecurity career development platform has released a second installment of free educational courses

Cybrary made a clutch of courses free in July in a bid to support people who are considering a career in cybersecurity and those impacted professionally by the ongoing COVID-19 pandemic. 

A Cybrary spokesperson said: "These free courses aim to encourage continued training and resumé building for current cyber professionals, recent graduates, and those looking to transition into the security and IT industry."

This month, a second wave of free online courses was released that will be available to users until September 1. Courses range in length from one to nine hours and cover topics ranging from cloud architecture foundations to DNSTwist fundamentals. 

Newcomers to cybersecurity are catered to with courses on command-line basics and the fundamentals of cybersecurity architecture, while the more advanced might choose to study physical penetration testing.

"As part of our mission to provide opportunity for personal and professional growth—something that has only become more important in the challenging employment landscape we are currently facing—we hope these free course offerings encourage and empower individuals to expand their cyber and IT skill set," said Cybrary co-founder and CEO Ryan Corey. 

"These additional free courses help address the current skills gap, while also providing the necessary knowledge and resources for those working toward building future careers in the cybersecurity or IT field."

The seven free courses released by Cybrary last month were Cyber Network Security, Intro to Cyber Threat Intel, Advanced Cyber Threat Intel, Web Defense Fundamentals, Kali Linux Fundamentals, CCSK, and Microsoft 365 Fundamentals.

Corey said that by making the courses free to everyone who can access the internet, Cybrary hoped "to help build a more secure digital world by providing learning opportunities available to everyone.”

Since being founded in 2015, Cybrary has attracted a community of nearly 3 million users, including multiple Fortune 100 companies. The American company is headquartered in College Park, Maryland. 

The monthly release of free courses follows the April launch of the Cybrary Scholars Program, which gives participants a free year of Cybrary’s Insider Pro membership, a CompTIA exam voucher, and a year of mentorship with an experienced Cybrary community mentor.

Pirate Subscription Services Now a Billion-Dollar Industry in US


Illegal TV subscription services in the United States have grown into a billion-dollar industry, according to new research jointly released yesterday by Digital Citizens Alliance and NAGRA.

The investigative report Money for Nothing reveals the existence of a sophisticated piracy ecosystem made up of thousands of retailers and wholesalers. This nefarious network steals from creators and circumvents legitimate TV operators to provide illegal subscription services to millions of US households. 

According to the report, the most virulent and fastest-growing illegal streaming enterprise is the pirate subscription Internet Protocol Television (PS IPTV) Service. This type of service typically costs just $10 to $15 a month and mimics the practices of legitimate streaming services.

The report found that an estimated 9 million fixed broadband subscribers in the US use a pirate subscription IPTV service. However, the ecosystem relies on legitimate businesses, including hosting services, payment processors, and social media, to market their stolen content.

Researchers noted that the illegal subscription providers sell their wares via "at least 3,500 US-facing storefront websites, social media pages, and stores within online marketplaces that sell services."

Selling illegal subscriptions is highly lucrative since the providers pay nothing for the programming that makes up their core products. Researchers estimated that providers operate with estimated profit margins that range from 56% for retailers to 85% for wholesalers. 

While piracy subscriptions alone are a billion-dollar industry, researchers found criminals also make money by selling screen time to advertisers and vending stolen streaming devices used to receive the snatched content.

On the surface, consumers of illegal subscription services might think they are getting a great deal. But the report found that pirates generate revenue by partnering with hackers to install malware within free apps, exposing consumers to theft of their personal and financial data, cryptocurrency mining, adware, ransomware, and botnets that use their computers to perform distributed denial-of-service (DDoS) attacks.

“When it comes to piracy, the scope of the risk to consumers, small businesses and others is in direct proportion to the size of the industry, which is why we need to stop the reach and depth of this ecosystem before it grows even bigger,” said Digital Citizens Alliance executive director Tom Galvin.

Did Maze ransomware operators steal 10 GB of data from Canon?

An internal memo confirms that the prolonged outage suffered by Canon last week was caused by a ransomware infection, Maze operators took credit for it.

According to an internal memo obtained by ZDNet, the recent outage of Canon was caused by a ransomware attack, while Maze ransomware operators are taking the credit for the incident.

The memo also reveals that the company has hired an external security firm to investigate the incident.

The problem was first reported by Bleepingcomputer, which tracked a suspicious outage on Canon’s image.canon cloud photo and video storage service. According to the media outlet, the alleged incident resulted in the loss of data for users of their free 10GB storage feature.

The image.canon site suffered an outage on July 30th, 2020, that lasted for six days, until August 4th.

At the time the company only confirmed an internal investigation on a problem related to “10GB of data storage.”

According to Canon, some of the photo and image files saved prior to June 16 were “lost,” but it pointed out that they were not exposed in a data leak.

“Currently, the still image thumbnails of these lost image files can be viewed but not downloaded or transferred,” reads the notice issued by Canon. “If a user tries to download or transfer a still image thumbnail file, an error may be received.”

At the same time, the company issued an internal memo that warned employees of “company-wide” IT issues, which also impacted email systems. 

Maze ransomware operators claimed to have stolen 10TB of data in a ransomware attack against the company but denied responsibility for the image.canon issues. If confirmed, this means that the outage was not caused by the ransomware infection, but that Maze operators nevertheless exfiltrated 10 GB of data from the company. Another memo sent to employees specifically refers to a “ransomware incident” and revealed that Canon has hired a cyber forensics firm to investigate the intrusion.

Maze ransomware operators recently published internal data from LG and Xerox after the companies did not pay the ransom.

As usual, the Maze ransomware operators threaten to leak the victims’ data online unless the ransom is paid.

Maze ransomware operators have also breached the systems of the Xerox Corporation and stolen files before encrypting them.

In the past months the Maze ransomware gang breached the US chipmaker MaxLinear and Threadstone Advisors LLP, a US corporate advisory firm specialising in mergers and acquisitions.

Maze operators were very active during the past months: they also stole data from US military contractor Westech and the ST Engineering group, and they released credit card data stolen from the Bank of Costa Rica (BCR), threatening to leak further lots every week.

Previous victims of the ransomware gang include IT services firms Cognizant and Conduent.

Pierluigi Paganini

(SecurityAffairs – hacking, Maze ransomware)

The post Did Maze ransomware operators steal 10 GB of data from Canon? appeared first on Security Affairs.

Preparing for the Unpredictable: Imagining a Data Security and Privacy Platform

With stricter privacy regulations, evolving customer expectations, and growing work-from-home demands, organizations need a simple way to know, see, and manage their data. Luckily, we’ve got a few ideas. 

Security is all about the data. Protecting data is the reason companies invest in security infrastructure and services like threat detection, data loss prevention, strong multi-factor authentication, etc. But where there should be a data visibility and management layer, instead there’s a gaping hole.

As a distinguished engineer working in the Security Business Group’s Office of the CTO, I’m part of a team responsible for planning the future of Cisco’s security offerings. One of our initiatives is imagining a data security and privacy platform to give organizations visibility and control of sensitive data like personally identifiable information (PII). After 32 years of working in the cybersecurity industry, this is very exciting for me.

Business and society demand trust and privacy

Privacy is very much front and center for decision makers. In the 2019 Cisco Data Privacy Benchmark Study, 87% of respondents (up from 65% in 2018) said that customer questions about data privacy delay sales. Companies face hefty fines if they don’t comply with regulations, like the EU’s General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA). Continuing work from home means more data lives on endpoints outside an organization’s control. And increased data variety (think virtual meeting information, contact tracing, smartphone videos, etc.), volume, and velocity make it harder for chief information security officers (CISOs) to be certain of what data is stored and where it is flowing.

Business aside, privacy and trust are essential for a functioning society. A digital economy can succeed only if it’s trusted. At Cisco we think of privacy as a fundamental human right. It’s part of our mission statement: “To inspire new possibilities by reimagining your applications, securing your data, transforming your infrastructure, and empowering your teams.”

Narrowing in on the problem

My team works with customers and our own IT organization to better understand data security and privacy challenges and imagine what a solution might look like. Our customers’ wish list can be distilled down to three requirements: awareness (know your data), visibility (see your data), and management (control your data). With that in mind, we’ve put some ideas together to help address the most critical requirements.

1. Comprehensive data map

Many CISOs say they struggle with two questions:  1. Where are the data stores? 2. What information needs to be protected? These are tough questions to answer when more than half of the data is unseen—the so-called “databerg.” If you don’t know what data you have, you don’t have a sense of the risk if data is leaked or compromised.

The data security platform we’re imagining might produce a real-time data map based on query n-tuples showing where data is stored, the sensitivities, where it’s shared, how long it’s retained, and how it’s used.  For example, a CISO might want a visual of the data centers and geographies where employee PII is stored.

2. The power of combined context

We are exploring the concept of creating multiple, rich contextual stores that include applications, users/identities, and services along with datastores and data files. Some of this rich context is already available through existing Cisco technologies such as Advanced Malware Protection, Tetration, Umbrella, and Identity Services Engine. We’re also considering plug-and-play integration with common business platforms, such as Salesforce, Microsoft Office 365, and Workday.

Going further, we are investigating the possibilities of combining rich infrastructure telemetry, applications telemetry, and file metadata to build a comprehensive visibility and control fabric. In addition to helping customers make the journey from databerg to data map, we want to give them the power to visualize risk, control access, and assure compliance. 

3. Simple user experience

The people who need to know, see, and manage data security and privacy include data stewards, data owners, and privacy ops specialists. Some are technical, some aren’t. To keep the user experience simple, we envision a single user interface, like Cisco SecureX, with different dashboards tailored to the user’s role. In our current thinking, if you’re a data steward you’d be able to see a data map of where all the sensitive data is stored by region. If you’re a data owner, you’d be able to create policies on who can see data and where they can move it. If you’re in privacy operations, you’d be able to fulfill data subject access requests (DSARs) as required by GDPR and CCPA.

Bringing all privacy activities onto one platform

As I write this, we’re working to provide more visibility into metrics from our own solutions, plan new initiatives, and explore partnerships with other companies. Our end goal is bringing everything you need to know, see, and manage sensitive data onto one platform. It’s good for business, good for individuals, and good for society.

That’s a glimpse into our thinking. We’re interested in yours. What would you like to see in a privacy platform? Please let us know in the comments below.

The post Preparing for the Unpredictable: Imagining a Data Security and Privacy Platform appeared first on Cisco Blogs.

Live from Black Hat: Breaking Brains, Solving Problems with Matt Wixey

Solving puzzles has been a very popular pastime for InfoSec professionals for decades. I couldn’t imagine a DefCon without the badge challenge. At Black Hat 2020 Matt Wixey, Research Lead at PwC UK, didn’t disappoint as he presented on parallels between puzzle-solving and addressing InfoSec problems.

Puzzle (and problem) solving can be taught

Solving a puzzle and a problem is very similar. They usually involve two primary functions, which may feed into each other in a circular fashion:

  • Understanding the problem
  • Searching for a solution

Problem-solving is always thought of as an innate ability that you cannot teach, but that’s not true. You can teach comfort level with ambiguity and feeling around the edges of the solution of a problem.

Problem-solving does not require expertise, but it can help in some circumstances. Experts tend to know more schema of problems and can more easily chunk problems into smaller, manageable parts, so they can recognize that a problem follows the same pattern as a problem they’ve solved before. However, assumptions can also lead you astray. Puzzle makers may even purposefully take you astray, playing with your assumptions.

In a test where experts and novices were pitted against each other, experts took about as much time to solve problems, but they made fewer mistakes than the novices.

The role of bias in problem-solving

Problem-solving is subject to the same kind of challenges as decision-making. Biases come in many forms, which can hinder a person from solving a problem. You should be aware of the following biases that may impact your thinking:

Problem-Solving Bias

Problem-solving in InfoSec

Problems in InfoSec are often knowledge-rich and ill-defined. Practitioners range from experts to, because of the chronic skills shortage, many novices. There are ample schemas for these problems.

Wixey asserts that even if you change the “cover story” of the problem, the problem space remains the same. Not telling your colleague the full story may actually be useful in solving the problem in some cases. He encourages diversity in background and expertise, and of course, applying your experience in solving puzzles to real-world problems.

Designing the perfect puzzle

Designing a puzzle can be difficult and time-consuming. The perfect puzzle has an interesting premise but very little explanation. Hidden “trap door” functions, red herrings, and easter eggs are optional but can add variety to a puzzle. Interesting puzzles may ask something completely unconnected to the premise, but the puzzle should have internal logic, where the answer can be obtained just from the question. It should not require specialist knowledge beyond what you can get from a quick search.

A personal lesson learned after generating my first puzzle was to have it field-tested by a few people. I thought that there was a direct, linear path to the solution for a puzzle I created, but there were actually several paths that led to dead ends, which was frustrating to some puzzle solvers.

Let’s solve some puzzles!

At Veracode, we have regular puzzle challenges as part of the Veracode Hackathons. We have people from around the company provide their puzzles based on themes, and then the whole project is curated by our puzzle masters. If you’d like to dip your brain into years of Veracode internal puzzle challenges, check out Vera.codes.

Major Retailer at Risk of Attack Due to VPN Vulnerabilities


Clothing retailer Monsoon Accessorize has been using VPN servers that have critical vulnerabilities, putting it at risk of hacking or ransomware attack, according to an analysis by VPNpro.

The researchers discovered that Monsoon has been utilizing unpatched Pulse Connect Secure VPN servers, known to contain vulnerabilities that enable cyber-criminals to see active users on the company’s VPN as well as their plaintext passwords.

This information can then be used to access the servers and attack the companies in various ways.

The biggest threat to organizations which have this vulnerability is having their servers locked down with ransomware, according to VPNpro. It is a similar vulnerability to the one that enabled the attack on global currency exchange business Travelex on New Year’s Eve, which forced the company to take its systems offline as a precautionary measure.

VPNpro said that “our researchers were able to gain access to Monsoon’s internal files, including customer information, sensitive business documents, sales and revenue numbers, and much more.”

Among the data accessed was a sample file containing 10,000 customer records, including names, email addresses, phone numbers, and mailing and billing addresses.

The cybersecurity firm added that it has contacted Monsoon “multiple times” to inform it of the vulnerability, but has received no response as of yet, and the vulnerability remains.

VPNpro recommends that Monsoon customers should monitor their data to make sure their personal information has not been leaked.

Hugo van der Toorn, manager offensive security at Outpost24, told Infosecurity: “This showcases the importance of truly understanding your network perimeter and your vulnerabilities therein. It is pivotal that organizations try to minimize their exposure to the internet and to understand and secure that what is exposed. As proven in this research, scanning the entire internet for specific vulnerabilities can be done with relative ease and happens every time a new critical vulnerability becomes known to the public. Scan everything and see where an attacker can get in; this works both defensively and offensively.

“The safest thing is to not expose anything directly to the internet, unless it is needed for performing daily business. A good example is a VPN; those are meant to allow employees to connect back to the office network and access internal resources. It is important for every device/service that is exposed to the internet to have clear visibility of this system: What software is in use, what components, which versions of those, what ports are open and on what hardware is it running.”

Javvad Malik, security awareness advocate at KnowBe4, added: "Attackers will try to leverage any way they can into organisations. In recent times, we've seen criminals try to compromise security software as part of their attack strategy. Because security tools are usually the first point of contact, they run higher privilege and have access to lots of data, they become a very rewarding target. It's why organisations should take care of their security tools, ensure they are patched, and follow the vendor's recommended guidance for any known issues, or settings that could be leveraged by criminals to gain access."

NCSC Offers Seven-Question Guidance on Cyber Insurance

New guidance has been produced on cyber insurance to help organizations considering investing in cover.

Published by the National Cyber Security Center (NCSC), the guidance highlights seven key cybersecurity questions for businesses to address to help them make more informed decisions around cyber insurance.

The NCSC said, after calls for expert technical advice on the growing cyber insurance market, it made the decision to offer the following questions for senior leaders within organizations:

  1. What existing cybersecurity defenses do you already have in place?
  2. How do you bring expertise together to assess a policy?
  3. Do you fully understand the potential impacts of a cyber-incident?
  4. What does the cyber insurance policy cover (or not cover)?
  5. What cybersecurity services are included in the policy, and do you need them?
  6. Does the policy include support during (or after) a cybersecurity incident?
  7. What must be in place to claim against (or renew) your cyber insurance policy?

Sarah Lyons, deputy director for economy and society engagement at the NCSC, said: “Businesses rightly want to be as informed as possible before they invest, but when it comes to cyber insurance, there simply hasn’t been enough information up to now. That’s why it’s so important for the NCSC, as the UK’s leading cyber-authority, to offer its support by providing some clarity on the key issues to consider to ensure cybersecurity.

“Cyber insurance may not be right for everyone and it can never replace basic good security practice, but I would urge businesses to consider our guidance to help make the decision that’s right for them.”

The guidance was welcomed by two UK insurance associations, the British Insurance Brokers’ Association (BIBA), and the Association of British Insurers (ABI), while Andrea García Beltrán, cyber-manager (underwriting) at the UK & International Division of RSA Commercial, said organizations are increasingly considering the purchase of cyber insurance as part of their cyber-risk management approach. 

“As a result, the NCSC is frequently asked about cyber insurance by customers, however, they cannot provide advice on insurance solutions or products, so they have decided to create guidance considering a wider approach to cyber-risk management by focusing on the cybersecurity elements of cyber insurance,” she said.

“From our perspective, we welcome the guidance specially because not all buyers are sophisticated and we cannot provide advice either.”

She said this will help organizations to have a better understanding of: 

  • Actions needed from the risk management point of view prior to transferring the risk to insurers
  • What to expect during the insurance purchase process
  • Who needs to be involved from the company side; ultimately cyber is an enterprise risk 
  • Role of the insurance broker or agent
  • Overall information needed by insurers to be able to assess the risk

“Last but not least, this guide helps to clarify that cyber insurance is part of a robust cybersecurity resilient strategy and not the only solution to the evolving risk and exposure,” she added.

Steve Durbin, managing director of the Information Security Forum, said: “Cyber-risk is a growing concern for organizations around the world, as data breaches make headlines with increasing frequency and the resulting financial and reputational costs mount. Risk management as an effective way of addressing these concerns is absolutely key for all organizations during these times of pandemic and recession – many of the secure architectures and structures previously adopted may have changed and ensuring that the way of working today has been risk assessed is a key task for security professionals.

“Increasingly we have seen companies turning to insurance as a means of mitigating costs associated with breaches and the rise in ransomware amongst other threats has pushed many boards into considering cyber insurance. However, insurance is no excuse for poor security and focus should first be on ensuring a robust security posture that reflects the needs of the organization before rushing headlong into taking out insurance as a means of mitigating risk.”

Durbin recommended organizations adopt a robust, scalable and repeatable process to address information risk – obtaining assurance proportionate to the risk faced, in which insurance may play a role. “Enterprise risk management must be extended to create risk resilience, built on a foundation of preparedness, that assesses the threat vectors from a position of business acceptability and risk profiling,” he said.

Global Payment Stats Every Business Should Be Aware of

It is important for businesses to be aware of what is happening in the industry, because industry-wide trends impact companies on a micro level. You cannot reach a wider market without knowing what is happening around you.

The best way to be aware is to pay attention to the facts and figures. In this article, we will highlight some payment stats to help you understand the market landscape.

We have concentrated on global stats to explain the global landscape. Since ecommerce is ‘beyond borders’, it is important for businesses to know what the international audience wants so they can continue to serve them well.

#1 Cash Is On the Decline

Many countries around the world have gone cashless.

Only 77 percent of all transactions involve cash today. The figure was 89 percent about five years ago and is expected to fall even more due to the current situation that has forced buyers to use alternative methods including no contact payment solutions.

According to this report, e-wallets will have a 28 percent market share by 2022. However, cash isn’t going away anytime soon. In fact, the value of the euro in circulation has increased in the last few years.

Some countries are taking steps to remove cash, while some are still heavily dependent on paper money.

Cash is the second most widely used form of payment in the US after debit cards. Considering that New York, San Francisco, and Philadelphia recently passed laws banning merchants from refusing cash payments, it’s safe to say that cash will continue to prevail in the US.

Still, businesses need to be proactive as users prefer merchants who offer a variety of payment options including digital coins.

#2 Electronic Payments Are Rising

The global use of debit and credit cards (combined) grew from 5 percent to 9 percent between 2012 and 2017.

In recent times, debit cards have declined in popularity but the demand for credit cards has only increased due to new entrants like Apple Pay entering the market.

Apple Pay was originally marketed as an e-payment solution but the company’s decision to issue physical cards changed the game.

Consumers have a lot of faith in credit cards as they are easy to use and come with some other benefits including rewards. However, their dominance is being challenged now thanks to electronic payment options.

The global digital payments market is growing at a rate of 12.8 percent and is expected to continue to grow at this rate for the next three years.

About 50 percent of all transactions in North America are conducted electronically making it a global leader. Europe isn’t far behind either. The use of electronic payments is very common in most European countries.

About 47 percent of all European card transactions involve NFC technology. Asian countries including China, India, and Pakistan are also making use of electronic payments.

The Chinese electronic payments market is among the fastest – it increased 10x between 2012 and 2017. The introduction of Alipay and WeChat payment options can be given credit for the huge growth in the Chinese market.

The scenario is similar in African countries as well, especially Nigeria, which is ahead in the technological race.

These figures show the importance of electronic payments. It can be hard for businesses to sustain themselves if they do not offer e-payments. Look for a payment partner that offers third-party integrations so that you do not have to use multiple providers.

#3 Mobile Payments For the Future

Before moving ahead, let’s be clear that there’s a difference between mobile payments and electronic payments.

Mobile payments involve the use of mobile apps, whereas electronic payments can be made via credit and debit cards without using digital wallets or apps.

The use of mobile devices is on the rise and mobile commerce accounts for about 48 percent of digital sales.

Since many people carry smartphones, they find it easier to use mobile devices to make payments.

The use of mobile devices for making payments at the point of sale is expected to increase to 28 percent by 2022.

This option is more popular among the newer generations (Gen-Z and millennials). About 28 percent of millennials have used a digital wallet at the point of sale, about 8 percent higher than the general population.

Younger people use digital wallets about five times a month, according to Billtrust. Due to an aging population, the gap is expected to increase in the future as the newer generation is used to mobile devices.

The scenario, however, is not the same all around the world as mobile payments are still not very popular in developing countries.

Only 37 percent of global merchants support mobile payments at the point of sale. On the positive side, about 31.4 percent intend to introduce this feature soon.

Businesses must provide consumers the facilities they need to prevent them from going to competitors.

Conclusion

These stats highlight the diversity in the global payments landscape. Retailers must take steps to know what their customers need so they can bring changes to the payment ecosystem.

A lack of payment options is one of the major reasons why the average cart abandonment rate is as high as 69.56 percent.

Remember that today’s customers are spoiled for choice. They will not think twice before moving to another seller if you do not have the payment option that they prefer.

Look for a payment partner who understands your requirements and can offer the services that you need.

Bio:

Lou Honick is the CEO of Host Merchant Services. Prior to founding Host Merchant Services in 2010, Lou was the founder of HostMySite.com and received numerous awards including SBA Young Entrepreneur of the Year, Inc Magazine 30 under 30, and multiple listings on the Inc 500. As a serial entrepreneur, all of his companies have operated on a singular devotion to outstanding customer service and support. Lou is a respected expert on the topics of customer service, payments and fintech, Internet technology, and entrepreneurship.

The post Global Payment Stats Every Business Should Be Aware of appeared first on Hacker Combat.

#BHUSA: Researchers Reveal Attacks Against Email Sender Authentication

The ‘from’ address field in an email is supposed to identify the person who sent the email, but unfortunately that’s not always the case. In a Black Hat USA 2020 virtual conference session, researchers outlined 18 different attacks against email sender authentication systems.

Jianjun Chen, postdoctoral researcher at the International Computer Science Institute (ICSI), explained that the original Simple Mail Transfer Protocol (SMTP) – which is used by the world’s email systems to send email – once had no built-in authentication mechanisms. As such, in the early days of the internet, it was trivially easy for anyone to spoof any identity for the ‘from’ address in an email.

That situation changed with the debut of a trio of sender authentication protocols that have been advanced over the past decade. Among those protocols is Sender Policy Framework (SPF) which verifies the IP address of the sending domain. DomainKeys Identified Mail (DKIM) is a standard that verifies that the email is signed by the sending domain. Finally, Domain Message Authentication, Reporting and Conformance (DMARC), brings SPF and DKIM together into a policy framework approach.

Bypassing Email Sender Authentication

However, in a series of slides revealing specific details, Chen, along with his co-presenters Jian Jiang, senior director of engineering at Shape Security, and Vern Paxson, professor at UC Berkeley, outlined how it is possible to get around the enforcement that DMARC is supposed to provide for email sender authentication.

Chen noted that the key idea behind attacks of this nature is to take advantage of inconsistencies between different components of DMARC as well as Mail User Agent (MUA) software, which is what end users use to access email. In one scenario detailed by Chen, an attacker could potentially exploit how SPF and DKIM send results to DMARC, in order to trigger a ‘pass’ for email authentication.

Another scenario can exploit an ambiguity in how a receiving email server shows addresses and how the same address is displayed in an email client. For example, the RFC 5322 specification that defines how email messages should be constructed specifies that messages with multiple ‘from’ headers should be rejected. In practice, the researchers found that 19 out of 29 MUAs in fact accepted multiple ‘from’ addresses.

In summing up the different attacks, Jiang noted that when there are multiple identifiers in the email protocol it is easy to have discrepancies and inconsistencies about which identifier to use. He added that email messages are processed by multiple components and all of the components need to have some kind of agreement on the recognized identifiers in order to accurately enforce email sender authorization policies.

How to Defend Against Email Authentication Bypass

Jiang noted that, generally speaking, when the email authentication protocols are parsing emails they should be set up for strict compliance and reject any kind of suspicious formats.

For end users, Jiang suggested never blindly trusting the email address displayed in an email client, even though it is typically difficult to verify trust. Jiang commented that the researchers overall found that the user interface of email clients is not sufficient to provide any kind of real security assurance about the authenticity of an email.

“So even for a security professional, it’s not easy for them to use any kind of security indicators to show if an email is trustable or not,” Jiang said. “So there is plenty of space to improve in that direction.”
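A strict-parsing check along the lines Jiang describes, as an added example that is not the researchers' code or any mail server's: it rejects a message carrying more than one ‘From’ header (or more than one mailbox in it) and reports the single From domain so a DMARC check has one unambiguous identifier to align against. The sample messages are constructed, and the `authenticated_domain` parameter stands in for whatever domain SPF or DKIM actually validated.

```python
"""Strict handling of the RFC 5322 'From' header on an inbound message.

Added example for the defence described in the talk summary above; it is
not code from the researchers or from any mail product. It implements:
  * reject a message carrying more than one From header (RFC 5322 permits
    exactly one), instead of letting the MUA pick whichever it likes;
  * extract the single From domain so a DMARC check has one unambiguous
    identifier to align against (strict alignment: exact domain match).
The sample messages at the bottom are constructed for this example.
"""
import email
from email import policy
from email.utils import getaddresses
from typing import Optional


def check_from_headers(raw_message: str,
                       authenticated_domain: Optional[str] = None) -> dict:
    """Return {'verdict', 'reason', 'from_domain'} for a raw RFC 5322 message.

    verdict is 'reject' when the From header is absent, duplicated or malformed,
    'aligned'/'misaligned' when authenticated_domain (the domain SPF or DKIM
    actually validated) is supplied, and 'ok' otherwise.
    """
    # compat32 keeps every header occurrence verbatim, so duplicates stay visible.
    msg = email.message_from_string(raw_message, policy=policy.compat32)
    from_headers = msg.get_all("From") or []

    # Check 1: exactly one From header. A second header is the ambiguity the
    # researchers found 19 of 29 MUAs tolerate; strict compliance means reject.
    if len(from_headers) != 1:
        return {"verdict": "reject",
                "reason": f"expected 1 From header, found {len(from_headers)}",
                "from_domain": None}

    # Check 2: exactly one mailbox in that header. RFC 5322 does allow a mailbox
    # list (with a Sender header); this example's own policy choice is to treat
    # more than one identifier as suspicious, per the talk's advice.
    mailboxes = [addr for _, addr in getaddresses(from_headers) if addr]
    if len(mailboxes) != 1 or "@" not in mailboxes[0]:
        return {"verdict": "reject",
                "reason": f"expected 1 mailbox in From, found {mailboxes}",
                "from_domain": None}
    from_domain = mailboxes[0].rpartition("@")[2].lower()

    if authenticated_domain is None:
        return {"verdict": "ok", "reason": "single From header",
                "from_domain": from_domain}

    # Check 3: strict DMARC-style alignment between the From domain and the
    # domain SPF/DKIM authenticated. (DMARC relaxed mode would compare
    # organisational domains instead; that is out of scope here.)
    if from_domain == authenticated_domain.lower():
        return {"verdict": "aligned", "reason": "From domain matches",
                "from_domain": from_domain}
    return {"verdict": "misaligned",
            "reason": f"From domain {from_domain} != {authenticated_domain}",
            "from_domain": from_domain}


# Constructed sample messages (not real traffic).
LEGIT_MESSAGE = (
    "From: Alice <alice@example.com>\r\n"
    "To: Bob <bob@example.net>\r\n"
    "Subject: Invoice\r\n\r\nPlease see attached.\r\n"
)
DUPLICATE_FROM_MESSAGE = (
    "From: Alice <alice@example.com>\r\n"
    "From: Accounts <billing@other.example>\r\n"
    "To: Bob <bob@example.net>\r\n"
    "Subject: Invoice\r\n\r\nPlease see attached.\r\n"
)
MAILBOX_LIST_MESSAGE = (
    "From: Alice <alice@example.com>, Accounts <billing@other.example>\r\n"
    "To: Bob <bob@example.net>\r\n"
    "Subject: Invoice\r\n\r\nPlease see attached.\r\n"
)

if __name__ == "__main__":
    for name, raw in [("legit", LEGIT_MESSAGE),
                      ("duplicate From", DUPLICATE_FROM_MESSAGE),
                      ("mailbox list", MAILBOX_LIST_MESSAGE)]:
        print(name, check_from_headers(raw, authenticated_domain="example.com"))
```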

Quick Heal Total Security certified as Top Product by AV-TEST

The AV-TEST Product Review and Certification Report for May-June 2020 has recognized Quick Heal Total Security as a Top Product for Windows with an outstanding rating of 17.5/18 in its latest evaluation. AV-TEST is an independent research institute for IT security from Germany that evaluates and rates antivirus…

Capital One Fined $80 Million for 2019 Data Breach Affecting 106 Million Users

A United States regulator has fined the credit card provider Capital One Financial Corp $80 million over last year's data breach, which exposed the personal information of more than 100 million American credit card applicants. The fine was imposed by the Office of the Comptroller of the Currency (OCC), an independent bureau within the United States Department of the Treasury that

This Week in Security News: Robots Running the Industrial World Are Open to Cyber Attacks and Industrial Protocol Translation Gone Wrong

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. Based on research that Trend Micro released during Black Hat USA this past week, read about how some industrial robots have flaws that could make them vulnerable to advanced hackers, as well as the risks related to protocol gateways and how to secure these devices.

Read on:

Unveiling the Hidden Risks of Industrial Automation Programming

The legacy programming environments of widely used industrial machines could harbor virtually undetectable vulnerabilities and malware. Trend Micro’s recent security analysis of these environments, presented at Black Hat USA 2020 this week, reveals critical flaws and their repercussions for smart factories.

Top 6 Cybersecurity Trends to Watch for at Black Hat USA 2020

At this year’s Black Hat USA 2020 conference, some of the top trends expected to surface include ransomware, election security and how to protect a remote workforce. Trend Micro’s vice president of cybersecurity, Greg Young, said, “Cybercrime increased rather than slowed down due to the pandemic, as we saw 1 billion more threats blocked in the first half of 2020 compared to 2019.”

Lost in Translation: When Industrial Protocol Translation Goes Wrong

Also presented this week at Black Hat USA, this recent research from Trend Micro examines the risks related to protocol gateways, the possible impact of an attack or wrong translation, and ways to secure these devices.

‘Alarming’ Rate of Cyberattacks Aimed at Major Corporations, Governments and Critical Infrastructure Amid COVID-19: Report

As COVID-19 cases around the U.S. continue to rise, the International Criminal Police Organization (INTERPOL) says that governments are seeing an “alarming” rate of cyberattacks aimed at major corporations, governments and critical infrastructure.

Water Nue Phishing Campaign Targets C-Suite’s Office 365 Accounts

A series of ongoing business email compromise (BEC) campaigns that uses spear-phishing schemes on Office 365 accounts has been seen targeting business executives of more than 1,000 companies globally since March. The campaigns target senior positions in the United States and Canada, and the fraudsters, dubbed “Water Nue” by Trend Micro, primarily target accounts of financial executives to obtain credentials for further financial fraud.

Robots Running the Industrial World Are Open to Cyber Attacks

Industrial robots are now being used to assemble everything from airplanes to smartphones, using human-like arms to mechanically repeat the same processes over and over, thousands of times a day with nanometric precision. But according to a new report from Trend Micro, some robots have flaws that could make them vulnerable to advanced hackers, who could steal data or alter a robot’s movements remotely.

Patch Fail Led to Password Leak of 900 VPN Enterprise Servers

Applying a security update for a CVE released more than a year ago could have prevented a hacker from publishing plaintext usernames and passwords, as well as IP addresses, for more than 900 Pulse Secure VPN enterprise servers. This vulnerability, CVE-2019-11510, was one of several vulnerabilities recently exploited by Russia’s Cozy Bear (APT29) in an attempt to steal COVID-19 vaccine research.

U.S. Offers Reward of $10M for Info Leading to Discovery of Election Meddling

The U.S. government is concerned about foreign interference in the 2020 election, so much so that it will offer a reward of up to $10 million for anyone providing information that could lead to tracking down potential cybercriminals aiming to sabotage the November vote.

TeamViewer Flaw Could be Exploited to Crack Users’ Password

A high-risk vulnerability in TeamViewer for Windows could be exploited by remote attackers to crack users’ password and, consequently, lead to further system exploitation. CVE-2020-13699 is a security weakness arising from an unquoted search path or element – more specifically, it’s due to the application not properly quoting its custom URI handlers – and could be exploited when the system with a vulnerable version of TeamViewer installed visits a maliciously crafted website.

Black Hat: How Your Pacemaker Could Become an Insider Threat to National Security

Implanted medical devices are an overlooked security challenge that is only going to increase over time. The emerging problem of vulnerabilities and avenues for attack in IMDs was first highlighted by the 2017 case of St. Jude (now under the Abbott umbrella), in which the US Food and Drug Administration (FDA) issued a voluntary recall of 465,000 pacemakers due to vulnerabilities that could be remotely exploited to tamper with the life-saving equipment.

What was your favorite session from Black Hat USA this week? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

Researchers flag two zero-days in Windows Print Spooler

In May 2020, Microsoft patched CVE-2020-1048, a privilege escalation vulnerability in the Windows Print Spooler service discovered by Peleg Hadar and Tomer Bar from SafeBreach Labs. A month later, the two researchers found a way to bypass the patch and re-exploit the vulnerability on the latest Windows version. Microsoft assigned this vulnerability a new identification number – CVE-2020-1337 – and will patch it on August 2020 Patch Tuesday. They’ve also discovered a DoS flaw affecting … More

The post Researchers flag two zero-days in Windows Print Spooler appeared first on Help Net Security.

Evasive Credit Card Skimmers Using Homograph Domains and Infected Favicon

Cybersecurity researchers today highlighted an evasive phishing technique that attackers are exploiting in the wild to target visitors of several sites with a quirk in domain names, and leverage modified favicons to inject e-skimmers and steal payment card information covertly. "The idea is simple and consists of using characters that look the same in order to dupe users," Malwarebytes

Cyber Security Roundup for August 2020

A roundup of UK focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, July 2020.

The standout hack of July 2020, and possibly of the year, was the takeover of 45 celebrity Twitter accounts, in a bid to scam their millions of followers by requesting Bitcoin in tweets. 
The high-profile Twitter accounts compromised included Barack Obama, Elon Musk, Kanye West, Bill Gates, Jeff Bezos, Warren Buffett, Kim Kardashian, and Joe Biden. Around £80,000 of Bitcoin was sent to the scammer's Bitcoin account before Twitter swiftly took action by deleting the scam tweets and blocking every 'blue tick' verified Twitter user from tweeting, including me.

While the Twitter hack and scam dominated media headlines around the world, the attack was not the 'highly sophisticated cyber-attack' reported by many media outlets, but it was certainly bold and clever. The attackers phoned Twitter administrative staff and blagged (socially engineered) their privileged Twitter account credentials out of them, which in turn gave the attackers access to Twitter's backend administrative system and to any Twitter account they desired. It is understood this Twitter account access was sold by a hacker on the dark web to a scammer in the days before the attack; that scammer (or scammers) then orchestrated near-simultaneous Bitcoin scam tweets posted from the high-profile accounts. On 31st July, law enforcement authorities charged three men for the attack, with one of the suspects disclosed as a 19-year-old British man from Bognor Regis.

There was a very serious critical Windows vulnerability disclosed as part of the July 2020 Microsoft 'Patch Tuesday' security update release. Dubbed "SIGRed", it is a 17-year-old Remote Code Execution (RCE) vulnerability in Windows Domain Name System (DNS), a component commonly present in Microsoft Windows Server 2008, 2012, 2012R2, 2016 and 2019. Disclosed as CVE-2020-1350, it was given the highest possible CVSS score of 10.0, which basically means the vulnerability is “easy to attack” and “likely to be exploited”, although Microsoft said they hadn't seen any evidence of its exploitation at the time of their patch release.

Given SIGRed is a wormable vulnerability, it is particularly dangerous, as wormable malware could exploit it to rapidly spread itself over flat networks without any user interaction, as per the WannaCry attack on the NHS and other large organisations. Secondly, it could be used to exploit privileged accounts (i.e. admin accounts found on servers). The Microsoft CVE-2020-1350 vulnerability can be mitigated on affected systems either by applying the Windows DNS Server patch Microsoft released (https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350) or by applying a registry workaround (https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability).

At least 10 universities in the UK had student data stolen after hackers attacked Blackbaud, an education-focused cloud service provider. UK universities impacted included York, Loughborough, Leeds, London, Reading, Exeter and Oxford. According to the BBC News website, Blackbaud said "In May of 2020, we discovered and stopped a ransomware attack. Prior to our locking the cyber-criminal out, the cyber-criminal removed a copy of a subset of data from our self-hosted environment."

As expected, the UK Government ordered UK mobile network operators to remove all Huawei 5G equipment by 2027, and banned the purchase of Huawei 5G network equipment after 31st December 2020. Digital Secretary Oliver Dowden said it follows sanctions imposed by the United States, which claims the Chinese firm poses a national security threat, which Huawei continues to resolutely deny. The ban is expected to delay the UK's 5G rollout by a year. "This has not been an easy decision, but it is the right one for the UK telecoms networks, for our national security and our economy, both now and indeed in the long run," he said.
In some media quarters, it was suggested the UK u-turn on Huawei could lead to cyberattack repercussions, after Reuters said its sources confirmed China was behind cyberattacks on Australia's critical national infrastructure and government institutions following Australia's trade dispute with China.

The Russian hacking group APT29 was jointly accused of targeting coronavirus vaccine research for theft by the UK NCSC, the Canadian Communications Security Establishment (CSE), the United States Department of Homeland Security (DHS), the Cybersecurity and Infrastructure Security Agency (CISA) and the US National Security Agency (NSA). The UK's National Cyber Security Centre (NCSC) said the hackers "almost certainly" operated as "part of Russian intelligence services". It did not specify which research organisations had been targeted, or whether any coronavirus vaccine research data was taken, but it did say vaccine research was not hindered by the hackers. Russia's ambassador to the UK rejected the allegations: "I don't believe in this story at all, there is no sense in it," Andrei Kelin told the BBC's Andrew Marr Show. Foreign Secretary Dominic Raab said it is "very clear Russia did this", adding that it is important to call out this "pariah-type behaviour".

UK sport said hackers tried to steal a £1 million club transfer fee and froze turnstiles at a football game. Cybercriminals hacked a Premier League club managing director's email account during a player transfer negotiation; the million-pound theft was only thwarted by a last-minute intervention by a bank. Another English football club was targeted by a ransomware attack which stopped its turnstiles and CCTV systems from working, which nearly resulted in a football match being postponed. Common tactics used by hackers to attack football clubs include compromising emails, cyber-enabled fraud and ransomware to shut down digital systems. For further information on this subject, see my extensive blog post on football club hacking, The Billion Pound Manchester City Hack.

Smartwatch maker Garmin had its website, mobile app and customer service call centres taken down by ransomware on 23rd July 2020. Reports suggest the fitness brand had been hit by the WastedLocker ransomware strain, which is said to have been developed by individuals linked to a Russia-based hacking group called 'Evil Corp'. According to Bleeping Computer, Garmin paid $10 million to cybercriminals to receive decryption keys for the malware on 24th or 25th July 2020.

Yet another big data exposure caused by a misconfigured AWS S3 bucket was found by security researchers: one million files belonging to fitness brand 'V Shred' were discovered exposed to the world, including the personal data of 99,000 V Shred customers. Interestingly, V Shred defended against the researchers' findings by claiming it was necessary for user files to be publicly available, and denied that any PII data had been exposed.

Emotet Botnet Named ‘Most Wanted Malware’ for July 2020

The Emotet botnet earned the title of “most wanted” malware family for the month of July 2020 following a period of inactivity. Check Point revealed that Emotet threat activity had affected 5% of organizations worldwide in July 2020, thereby earning the malware the top spot in the security firm’s Global Threat Index for that month. […]

The post Emotet Botnet Named ‘Most Wanted Malware’ for July 2020 appeared first on The State of Security.

#BHUSA: Lack of Electronic Medical Record Security Amplified Opioid Crisis

The opioid crisis in the US has had a devastating toll, impacting tens of thousands of families.

According to Mitchell Parker, CISO at Indiana University Health, a small part of the human suffering could have potentially been alleviated, if there was better control and security for Electronic Medical Record (EMR) systems. Parker presented his views during a session at the Black Hat USA 2020 virtual conference, where he outlined what has gone wrong with EMR systems and what can be done to make them more secure.

One of the drivers of the opioid crisis was the underhanded manipulation of an EMR system that is intended to assist physicians in prescribing medications. In January 2020, EMR vendor Practice Fusion was fined $145m by the US Department of Justice for receiving kickback cash payments from an opioid vendor to influence physician prescription activities. Practice Fusion provides a cloud-based EMR that is advertisement supported.

“People died and became addicted because of this manipulation and this subversive manipulation we’re talking about is a security issue,” Parker said.

How EMRs Work

Parker explained that an EMR is essentially a digital version of the paper charts found in a doctor’s office, including a patient’s medical treatment history. An EMR allows doctors to track data over time and the system can also be used to identify when preventive screenings and checkups are needed.

In the Practice Fusion case, opioid vendors were buying advertisements to influence physicians, but that’s not the limit of the security risk that exists with EMR systems. Parker noted that while EMR systems need to be certified for use to store patient record data, there are a variety of security holes that certification doesn’t consider.

One risk comes from pretexting attacks, where a criminal claims to be a government regulatory agency or a professional association and calls up medical offices asking staff for information.

“It's not difficult to get personal information using this method,” Parker said.

Parker noted that in his experience many vendors and service providers are doing a reasonably good job protecting against malware and ransomware, but are not protecting against identity theft and manipulation.

How to Improve EMR Security

Among the recommendations that Parker shared to help improve EMR systems is for vendors and users to deploy and enforce two-factor authentication methods for authentication, as well as for prescriptions.

Parker also suggested that medical offices limit access overall to a minimal number of users that can make changes of any type in the EMR. On top of that, he advised EMR vendors to make it easier to provide change reports when changes are made.

Parker noted that smaller medical groups are likely more susceptible to electronic subversion of their critical systems because of a lack of resources. He stated that he wanted to see those smaller groups partner with larger health systems to help manage EMR systems with the right governance and cybersecurity procedures.

“This [Practice Fusion] was a case of a company taking advantage of the fact they knew no one was looking and well, they did what they did with tragic consequences,” Parker said.

Capital One Fined $80m for 2019 Breach

Capital One has been fined $80m following its breach last year.

According to a statement from the Office of the Comptroller of the Currency (OCC), these actions were taken against Capital One “based on the bank’s failure to establish effective risk assessment processes prior to migrating significant information technology operations to the public cloud environment and the bank’s failure to correct the deficiencies in a timely manner”.

The breach occurred in March 2019, when a former employee of Capital One named Paige Thompson exfiltrated the data of 100 million people in the US and six million in Canada, exploiting a weakness in the configuration of perimeter security controls to gain access to sensitive files housed in its cloud storage.

Capital One blamed a “configuration vulnerability”, as the customer data was exfiltrated from an AWS S3 data storage service and moved to a GitHub site. At the time, Capital One said the breached information “included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth and self-reported income.”

In taking the financial action, the OCC said it considered the bank’s customer notification and remediation efforts, and while it “encourages responsible innovation” in all banks it supervises, “sound risk management and internal controls are critical to ensuring bank operations remain safe and sound and adequately protect their customers.”

Stuart Reed, UK director, Orange Cyberdefense, said: “The fine handed out to Capital One yesterday is another stark reminder of the financial implication of failing to fully assess cybersecurity risk. It is also a reminder of the potential challenges of migrating data from physical IT to the cloud, something that more and more organizations are seeking to do.”

Reed said the case against Capital One “underlines the expectation that organizations demonstrate best security practice at all times” and it is imperative that organizations recognize that the onus is on them to make sure they have done everything they can to protect customer data. “Otherwise, the consequences can be complex and extremely costly,” he said.

Mark Bower, senior vice-president at data security specialist comforte AG, said the fine “mirrors how we’ve seen industry regulators rip into ineffective controls over data protection.

“The signal is very clear: the often referenced shared responsibility cloud model means naught when it’s your data,” he added. “What’s very surprising about this breach is, per Capital One’s prior announcements, only a fraction of the regulated data was properly tokenized (credit card and SSN data), and the rest accessible under attack. Had tokenization been applied across the full regulated data set, this breach would have been a non-event.”

#BHUSA: How Nation States Hack Public Opinion

Nation state threat actors, including Russia and China, are using multiple techniques to effectively ‘hack’ public opinion around the world, according to Renée DiResta. DiResta expressed her views in a keynote session at the Black Hat USA 2020 virtual conference.

DiResta works at the Stanford Internet Observatory and has been actively researching how different nation states have attempted to influence policies and individuals. She explained how, over the last decade, state actors have recognized that they can advance their geopolitical goals with different types of misinformation, propaganda and influence campaigns that make use of social media platforms.

“As we move from just the idea of influence to the idea of information operations specifically, what you start to see is it goes from shaping public opinion to what we’re going to call hacking public opinion – using manipulative, misleading tactics,” DiResta said.

Distract, Persuade, Entrench and Divide

There are four primary approaches that nation state threat actors typically take in their efforts to hack public opinion: distraction, persuasion, entrenchment and division.

DiResta said a common goal is to have a distraction campaign, which is trying to make a target audience pay attention to something else. Another model is a persuasion campaign, which is trying to convince people to believe a certain fact, or feel a certain way. Entrenchment is another approach, and it is where the attackers create groups dedicated to particular types of identities in an attempt to advance a given position. Nation states are also often trying to highlight divisions between different groups of people, amplifying existing social fissures.

The process by which nation states achieve their public opinion influencing goals is relatively well understood. DiResta explained that the first step is often just the creation of personas, that is, fake social media profiles for different types of individuals. Those fake personas then create content designed to achieve a particular goal. The content is then posted to various social media platforms and promoted to a target audience via different means. The most successful efforts end up being shared organically by real users who unknowingly spread messages created by the fake personas.

China and COVID-19

DiResta specifically outlined how China has attempted to hack public opinion, on a number of issues, including the democracy protests in Hong Kong as well as the COVID-19 pandemic. In August 2019, Twitter and Facebook suspended nearly 1000 user accounts that were associated with nation state sponsored disinformation campaigns.

“The Hong Kong protests attracted worldwide attention, and what you began to see was as Western media and others began to talk about them, these Twitter accounts would kind of come out of the woodwork to respond to the journalists to tell them they had it wrong,” DiResta said.

She noted that the same type of activities have now been happening in 2020 with China attempting to influence global opinion on its role in the COVID-19 pandemic. DiResta said that it’s clear that China has a committed strategy to influencing opinion online and it will continue to evolve its tactics.

Russia and the Hack and Leak Model

Russia has also been particularly effective in its attempts to hack public opinion, according to DiResta. One of the approaches that has worked well for Russia is a hack and leak approach, which makes use of network intrusion techniques as well as social media influencing tactics.

“The hack and leak operations provide extraordinary collateral for driving the influence operations,” DiResta said.

Agents working on behalf of the Russian government hack into a site with confidential information and then transmit the collateral to one of their fake personas. The fake persona in turn pitches the leak to journalists, who then are used to help spread the information. That’s what happened in the Guccifer case back in 2016 that was tied to emails connected to the Democratic and Republican political parties in the US.

DiResta suggested that there are a variety of actions that can be taken to help mitigate the risk of nation state public opinion hacking. For one, she said that security professionals should be proactively thinking about the social media ecosystem to identify what types of manipulation are possible.

“We need to increase communication between infosec professionals and information operations researchers with the goal of developing better understanding of how social network manipulation intersects with network infiltration,” she concluded.

Substantial Rise in Attacks on Orgs’ Web Apps Last Year

More than half (55%) of all cyber-attacks targeted organizations’ applications in 2019, which is a substantial increase compared to the previous few years, when these types of attacks made up around 30% of the total number.

This is according to data outlined in NTT’s Monthly Threat Report for August, which found that the apps most attacked globally in 2019 primarily related to supporting organizations’ web presence. About a third (33%) of all attacks were aimed at Joomla! (17%) and Apache products (16%) while 19% targeted other content management systems and supporting technologies.

Speaking to Infosecurity, Matt Gyde, CEO of the Security Division at NTT, said: “Since late 2018, there have been a number of significant vulnerabilities exposed in popular web frameworks and applications commonly used to develop and support an organization’s web presence. There was not a significant increase of new vulnerabilities, but there were new, exploitable vulnerabilities (we are seeing the re-activation of vulnerabilities that we thought were no longer in use), in some popular content management systems and related supporting technology.”

The report also revealed that in June 2020, attacks against networking products, such as Zyxel, Netis, Netcore, Netgear, Linksys, D-link and Cisco, accounted for 32% of all attacks, many of which were brute force or authentication attacks.

Another finding was that the number of vulnerabilities being actively exploited is quite narrow, with the top 10 most attacked vulnerabilities in 2019 making up 84% of all attacks observed, while the top 20 most attacked vulnerabilities accounted for nearly 91% of all attacks. This indicates that threat actors are focusing on vulnerabilities that are known to give them success.

Additionally, just eight technologies accounted for 41% of all attacks in June 2020, according to the report. These findings suggest that by focusing on the patching of a fairly narrow range of vulnerabilities, organizations can significantly lower the risk of attack.

Gyde added: “Many organizations simply do not have the appropriate infrastructure to track and manage vulnerabilities in an efficient manner, and are struggling to identify what priorities have the largest return on investment for their efforts.

“While many organizations would like to have an active patch management program, operational concerns, staff skills and priorities end up meaning that not everything gets patched all the time. The transitioning of security away from hardware to as-a-service and cloud-enabled has the potential to modernize systems which will allow for more consistent patching.”

A report published yesterday by Synopsys found that nearly half (48%) of organizations regularly push vulnerable code into production in their application security programs due to time pressures.

How COVID-19 Has Changed Business Cybersecurity Priorities Forever

For much of this year, IT professionals all over the globe have had their hands full, finding ways to help businesses cope with the fallout of the coronavirus (COVID-19) pandemic. In many cases, it involved a rapid rollout of significant remote work infrastructure. That infrastructure was called into service with little to no warning and even less opportunity for testing. Needless to say, the

Intel investigates security breach after the leak of 20GB of internal documents

Intel is investigating reports of an alleged hack that resulted in the theft and leak of 20GB of data coming from the chip giant.

Intel is investigating reports that an alleged hacker has leaked 20GB of data exfiltrated from its systems. The stolen data includes source code and developer documents and tools; some documents are labeled as “confidential” or “restricted secret.”

The hackers shared the documents on the file-sharing site MEGA.

The leak was first published by Till Kottmann, a Swiss software engineer who manages a very popular Telegram channel on data leaks. In the past, he shared data on several leaks from major companies including Microsoft, Adobe, GE, Disney, AMD, Lenovo, Motorola, Qualcomm, Mediatek, and Nintendo.

The engineer received the files from an anonymous hacker who claimed to have hacked the company earlier this year; the experts believe that this leak is just the first lot of a larger collection.

Several media outlets independently analyzed the data leak and verified the authenticity of the data.

“Per our analysis, the leaked files contained Intel intellectual property respective to the internal design of various chipsets. The files contained technical specs, product guides, and manuals for CPUs dating back to 2016.” reported ZDNet.

A company spokesperson told SecurityWeek that the data appears to come from the Intel Resource and Design Center. The Center manages information for use by the company's customers, partners and other external parties.

Below is a list of the content included in the leak:

  • Intel ME Bringup guides + (flash) tooling + samples for various platforms
  • Kabylake (Purley Platform) BIOS Reference Code and Sample Code + Initialization code (some of it as exported git repos with full history)
  • Intel CEFDK (Consumer Electronics Firmware Development Kit (Bootloader stuff)) SOURCES
  • Silicon / FSP source code packages for various platforms
  • Various Development and Debugging Tools
  • Simics Simulation for Rocket Lake S and potentially other platforms
  • Various roadmaps and other documents
  • Binaries for Camera drivers Intel made for SpaceX
  • Schematics, Docs, Tools + Firmware for the unreleased Tiger Lake platform
  • Kabylake FDK training videos
  • Intel Trace Hub + decoder files for various Intel ME versions
  • Elkhart Lake Silicon Reference and Platform Sample Code
  • Debug BIOS/TXE builds for various Platforms
  • Bootguard SDK (encrypted zip)
  • Intel Snowridge / Snowfish Process Simulator ADK
  • Various schematics
  • Intel Marketing Material Templates (InDesign)

The good news is that the leaked files don’t contain sensitive data about customers or employees of the chip maker.

Pierluigi Paganini

(SecurityAffairs – hacking, data leak)

The post Intel investigates security breach after the leak of 20GB of internal documents appeared first on Security Affairs.

I’m Open Sourcing the Have I Been Pwned Code Base

Let me just cut straight to it: I'm going to open source the Have I Been Pwned code base. The decision has been a while coming and it took a failed M&A process to get here, but the code will be turned over to the public for the betterment of the project and frankly, for the betterment of everyone who uses it. Let me explain why and how.

HIBP is a Community Project

I've been giving a great deal of thought to how I want this project to evolve lately, especially in the wake of the M&A process that ended earlier this year right back where I'd started: with me being solely responsible for everything. The single most important objective of that process was to seek a more sustainable future for HIBP and that desire hasn't changed; the project cannot be solely dependent on me. Yet that's where we are today and if I disappear, HIBP quickly withers and dies.

As I've given further thought to the future since the M&A process, the significance of community contributions has really hit home. Every single byte of data that's been loaded into the system in recent years has come from someone who freely offered it in order to improve the security landscape for everyone. Many of the services that HIBP runs on are provided free by the likes of Cloudflare. Much of the code that's been written has drawn on community contributions either by virtue of content people have published publicly or support that's been provided to me directly.

I was reminded of this just yesterday when my friend from Cloudflare, Junade Ali, posted this:

This tweet isn't entirely accurate; it was all Junade's idea and he designed the k-anonymity implementation for HIBP's Pwned Passwords. For free, because he's a good bloke and Cloudflare supported him. LastPass has now employed that same model and they follow the other notable names Junade mentioned. I'm sure I speak for him as well when I say we couldn't be happier that other companies have taken the model we pioneered and applied it to their own services too because at the end of the day, that's in everyone's best interests.

The philosophy of HIBP has always been to support the community, now I want the community to help support HIBP.

Open sourcing the code base is the most obvious way to do this. It takes the nuts and bolts of HIBP and puts them in the hands of people who can help sustain the service regardless of what happens to me. But this isn't just a philosophical decision based on a desire to offload work, it's also common sense for a number of reasons. Let me explain:

HIBP Has Always Been Open in Spirit

I've already written extensively about the architecture of the system across many of the 128 previous blog posts tagged as Have I Been Pwned. The very second blog post on that tag was about how I used Azure Table Storage to make it so fast and so cheap. As soon as it got popular, I wrote about how I optimised it for performance. When I started using Azure Functions, I wrote about the joy of serverless computing and how I'd implemented it in HIBP. I levelled that up even further when I wrote about using Cloudflare Workers to further optimise performance and drive down cost.

The point is that it was always the intention to be completely open about the design of HIBP, it's not like there's any proprietary secret sauce I've been trying to protect here.

Open Source is Everywhere

A heap of really amazing projects are open source these days. Visual Studio Code, for example, is open source. The platform this very blog runs on, Ghost, is open source. Most of the libraries HIBP uses are open source. And I'm not just talking open source in the "source open" kind of way where other people are free to read it, but I'm talking open source in terms of taking contributions as well.

It actually got me thinking - how many of the products and services I use every day are open source? I asked on Twitter earlier today, and it's, well, extensive:

I love also that Microsoft remains one of the largest corporate contributors to open source, maybe even the largest depending on how you want to define the metric. Open source is in the DNA of everything that HIBP is built on.

Because Transparency

Putting the code out there in public goes a long way to addressing concerns people have about the way the service operates. For example, people have often questioned whether I'm logging searches in order to build up a new list of email addresses. No, I'm not, but at present that assertion effectively just boils down to "trust me". Showing the code - the actual code - and demonstrating that things aren't logged is a very different proposition.

Transparency of code mirrors the ethos I've applied time and time again to the way I run HIBP. I'm transparent about how I verify data. I'm transparent about government usage of the service. I'm transparent when I screw up and have system outages. Being transparent with the code feels like the most natural thing ever!

It's (Almost) All About the Contributions

Open sourcing the HIBP code base gives me the opportunity to address that original problem I set out to solve with the M&A process: finding other people that can help sustain the project. All that backlog, all those bugs, all the great new ideas people have but I simply can't implement myself can, if the community is willing, finally be contributed back into the project.

And that's something that I'm adamant about; the goal here isn't just to say "hey, look at the code, it's not logging your searches", it's fundamentally about making HIBP a more sustainable, more robustly featured community service. Frankly, I can't think of a single good reason why I wouldn't do this. But that said, it's also not as trivial as it sounds so let me talk about the practicalities of the whole thing.

Practically, There's Work to be Done

I started writing HIBP on a plane to the Philippines in 2013 and finished up a bunch of it in a hotel room once I landed. In the nearly 7 years since then, I've chipped away at it in little bits and pieces, frequently from a laptop while travelling, jet lagged and preoccupied. I've taken shortcuts. I've hacked together some pretty messy stuff. I've probably checked in secrets before and when you're the only person touching a project you can get away with all that stuff, but not once you start opening up source.

HIBP isn't in a state to simply flick the visibility of it in GitHub, but it needs to get to that point. Instead, I need to choose the right parts of the project to open up in the right way at the right time. That exercise alone requires help and for a while now, I've been talking to some of the smartest people I know in this space. People who live and breathe open source, people who understand .NET and Azure inside and out, people who know HIBP well and above all, people I trust to expose my own shortcomings so that they can help me make this thing more sustainable. With their support, the transition from completely closed to completely open will happen incrementally, bit by bit and in a fashion that's both manageable and responsible. Let me be clear: I don't have a timeline for each step along the way yet as HIBP remains something I do in my spare time and I've always got a bunch of other stuff on my plate, but the process has already begun and I'll be sharing more on that as soon as I can.

I want to get to a point where everything possible is open. I want the infrastructure configuration to be open too and I want the whole thing to be self-sustaining by the community such that I make myself redundant. That's not to say I'm planning an exit (far from it), but it's not good for HIBP that I can't exit right now and frankly, it's not good for me either.

The point is that the goals outlined in this blog post will take time to reach and they're not as trivial as they may sound at face value. HIBP remains a pet project run when I have the chance and somewhere within there I need to make the commitment to get it to the point I'm aiming for in this blog post.

What About the Data?

I need to really clearly break this part of the discussion out because whilst open sourcing the code base is one thing, how the data is handled is quite another. There's no way to sugar coat this so I'll just lay it out bluntly: HIBP only exists due to a whole bunch of criminal activity resulting in data that's ultimately ended up in my possession. Of course, the situation is a bit more nuanced than that with the vast bulk of data in HIBP already being in broad public circulation and passing through many hands. But be that as it may, even the legality of possessing it remains grey and whilst there are many internet armchair experts chiming in with their own opinions on the topic, here's what the legal guidance I've consistently been given boils down to:

We invite parties to form their own views on the legality of the data

Great, nice lawyer speak there guys. (And seriously, yes, that's what the KPMG lawyers from the M&A process I paid an eye-watering amount to advised.) Yet clearly, many of the world's largest companies do see value in it and conclude that holding the data is acceptable. Big tech companies, for example, pull down precisely the same breaches that go into HIBP and use them to identify credential reuse across their own platforms:

Then there's the privacy side of it all: my own personal data is in those breaches and your data almost certainly is too because there are literally billions of people that have been impacted by data breaches. Regardless of how broadly that information is circling, I still need to ensure the same privacy controls prevail across the breach data itself even as the code base becomes more transparent. That's non-trivial. Doable, but non-trivial.

Summary

This is something I've given a lot of thought to for a long time now. The concept of open sourcing HIBP has been floated over and over again and it's taken a failed M&A process to help me realise that this was the best path forward, but now here we are.

I've used the word "community" a lot throughout this post and I can't understate the importance of the role other people have played in the project's success. Just to really drive that point home, look at how many breaches have gone into HIBP in the last two weeks. At the time of writing, that's 16 breaches encompassing 95,850,490 records and every single one of those has been a community contribution; someone selflessly standing up and trusting me to handle the data in the best interest of others. I focus on that short time frame in particular here because it also demonstrates the constant flood of data and the need to scale myself more efficiently.

So that's where HIBP is heading. I know this blog post will be met with much enthusiasm because that's what many of you have been telling me to do for a long time. I've listened, now it's time to make it a reality 😊

Google Threat Analysis Group took down ten influence operations in Q2 2020

Google published its second Threat Analysis Group (TAG) report which reveals the company has taken down ten coordinated operations in Q2 2020.

Google has published its second Threat Analysis Group (TAG) report, a bulletin that includes coordinated influence operation campaigns tracked in Q2 of 2020.

Google revealed that it had taken down ten coordinated operations in Q2 2020 (between April and June 2020); the campaigns were traced back to China, Russia, Iran, and Tunisia.

The report is based on the investigations conducted by the Threat Analysis Group (TAG) and third-parties’ contributions (i.e. social media analysis firm Graphika, cyber-security firm FireEye, the Atlantic Council investigation unit).

The latest TAG Bulletin covers influence ops takedowns that have taken place in the second quarter of this year, between April and June 2020.

In April, as part of a campaign carried out by Iran-linked threat actors, Google closed 16 YouTube channels, 1 advertising account and 1 AdSense account. The accounts were linked to the Iranian state-sponsored International Union of Virtual Media (IUVM) network, which also shared content in Arabic related to the US’ response to COVID-19 and the relationship of the US with Saudi Arabia.

Google also terminated 15 YouTube channels and 3 blogs as part of a campaign carried out by Russia-linked threat actors, which posted content in English and Russian about the EU, Lithuania, Ukraine, and the US.

The Threat Analysis Group terminated another campaign from Russia; the IT giant closed 7 YouTube channels used to share content in Russian, German, and Farsi about Russian and Syrian politics and the U.S. response to COVID-19.

The TAG team also dismantled another campaign conducted by China-linked attackers. The experts terminated 186 YouTube channels, but only a subset was used to post political content primarily in Chinese, criticizing the response of the US government to the COVID-19 pandemic.

Another campaign blocked by Google leveraged 3 YouTube channels used by Iran-linked hackers to publish content in Bosnian and Arabic that was critical of the U.S. and the People’s Mujahedin Organization of Iran (PMOI), a militant organization fighting against the official Iranian government.

In May the TAG blocked 1,098 YouTube channels used by China-linked hackers to criticize the US’ response to the COVID-19 pandemic.

Google also terminated 47 YouTube channels and 1 AdSense account linked to Russia and used to spread content about domestic Russian and international policy issues.

In June, Google terminated 1,312 YouTube channels used by China-linked threat actors for the same purposes of campaigns reported in April and May.

In the same month, Google terminated 17 YouTube channels linked to Russia, as well as 3 Google Play developers and 1 advertising account linked to the Tunisian PR company Ureputation.

Pierluigi Paganini

(SecurityAffairs – hacking, Google Threat Analysis Group)

The post Google Threat Analysis Group took down ten influence operations in Q2 2020 appeared first on Security Affairs.

August 2020 Patch Tuesday forecast: Planning for the end?

There doesn’t seem to be an end in sight to the COVID-19 crisis, but there are some important end-of-life/end-of-support dates we should be aware of when it comes to software. Before we dig into this month’s forecast of updates, I want to spend a little time on the importance of planning ahead to avoid the high costs associated with extended support contracts, or sometimes worse, modifying your network environment to mitigate risks. Remember when Windows …

The post August 2020 Patch Tuesday forecast: Planning for the end? appeared first on Help Net Security.

New infosec products of the week: August 7, 2020

Radiflow launches CIARA, a ROI-driven risk assessment and management platform for industrial organizations CIARA is a fully automated tool for assets data collection, data-driven analysis and transparent risk metrics calculation including risk scoring per zone and business process based on business impact. The new platform is a response to the growing digitization of the production floor that has led to a rising tide of cyber threats. Fortinet unveiled the FortiGate 4400F, a firewall capable of securing … More

The post New infosec products of the week: August 7, 2020 appeared first on Help Net Security.

Digital Inheritance

What happens to our digital presence when we die or become incapacitated? Many of us have or know we should have a will and checklists of what loved ones need to know in the event of our passing. But what about all of our digital data and online accounts? Consider creating some type of digital will, often called a "Digital Inheritance" plan.

Open source tool Infection Monkey allows security pros to test their network like never before

Guardicore unveiled new capabilities for Infection Monkey, its free, open source breach and attack simulation (BAS) tool that maps to the MITRE ATT&CK knowledge base and tests network adherence to the Forrester Zero Trust framework. Infection Monkey is a self-propagating testing tool that hundreds of information technology teams from across the world use to test network adherence to the zero trust framework, and find weaknesses in their on-premises and cloud-based data centers. Over the past … More

The post Open source tool Infection Monkey allows security pros to test their network like never before appeared first on Help Net Security.

Intel, ARM, IBM, AMD Processors Vulnerable to New Side-Channel Attacks

It turns out that the root cause behind several previously disclosed speculative execution attacks against modern processors, such as Meltdown and Foreshadow, was misattributed to 'prefetching effect,' resulting in hardware vendors releasing incomplete mitigations and countermeasures. Sharing its findings with The Hacker News, a group of academics from the Graz University of Technology and

DDoS attacks in April, May and June 2020 double compared to Q2 2019

Findings from Link11’s H1 2020 DDoS Report reveal a resurgence in DDoS attacks during the global COVID-19 related lockdowns. In April, May and June 2020, the number of attacks registered by Link11’s Security Operations Center (LSOC) averaged 97% higher than during the same period in 2019, peaking at a 108% increase in May 2020. Key findings from the annual report include: Multivector attacks on the rise: 52% of attacks combined several methods of attack, … More

The post DDoS attacks in April, May and June 2020 double compared to Q2 2019 appeared first on Help Net Security.

‘Crypto’ Scammers Weren’t the First to Crack Twitter

Nation-States Pay Insiders Handsomely for Long-Term, Stealthy Access
Following Twitter's admission that cryptocurrency scammers socially engineered its employees to gain control of 45 high-profile accounts, one reaction has been: Why didn't anyone crack Twitter sooner? Unfortunately, the answer is that they have, especially if you count nation-states bribing insiders.

An Attacker’s IoT Paradise: Billions of Insecure Devices

Trend Micro Envisions Maturing IoT Attacker Business Models
The speed at which IoT is enabling innovation is far outpacing the ability of the security custodians to implement appropriate controls before these devices hit the market. That creates a classic target-rich environment for the bad guys - one that will require vigorous defense and oversight.

Blackbaud’s Bizarre Ransomware Attack Notification

Software Vendor 'Normalizes Hacking,' Fails to Account for Notification Delay
How many different shades of bizarre is the data breach notification issued by software vendor Blackbaud? Over the course of three paragraphs, Blackbaud normalizes hacking, congratulates its amazing cybersecurity team, and says it cares so much for its customers that it paid a ransom to attackers.

Twitter Rushes to Fix Flaw in Android Version

Vulnerability Could Enable Hackers to Access User Data, Including Direct Messages
Twitter rushed out a fix for a flaw in the Android version of its social media platform that could have allowed hackers to access user data, including within the direct message feature. The news comes as more details have emerged about a recent Twitter hacking incident.

Global Cybercrime Surging During Pandemic

Interpol: Fraudsters Shifting Focus to Governments, Health Infrastructure, Corporations
Cybercriminals have shifted their focus from individuals and smaller businesses to target governments, critical health infrastructure and major corporations to maximize their profits and disruption during the COVID-19 pandemic, a new Interpol report warns.

Election Security: A Harsh Assessment

Security Researcher, CISA Director Raise Serious Concerns
A security researcher says voting equipment in the U.S. is still riddled with security flaws that opportunistic foreign adversaries could use to pose a threat to the November election. Meanwhile, the director of CISA calls Russian ransomware attacks one of the biggest threats to the election.

Applied Category Theory Workshop (POSTPONED)

The focus of this workshop is on fostering the development of tooling and use-cases supporting the applied category theory community. We are particularly interested in bringing together practitioners who are engaged with susceptible domains as well as those involved in the implementation, support, and utilization of software and other tools. There will be a number of talks/demos showcasing existing approaches as well as ample time for discussion.

Confirmed Speakers

  • John C. Baez, University of California, Riverside
  • Arquimedes Canedo, Siemens
  • Daniel Cicala, New Haven University
  • James Fairbanks

What are the benefits of automated, cloud-native patch management?

Could organizations recoup their share of more than $1 billion per quarter by moving away from legacy solutions to cloud-native patch management and endpoint hardening? A new report from Sedulo Group says yes. The 2020 TCO Study of Microsoft WSUS & SCCM report shows organizations using Microsoft endpoint management for patching and hardening spend nearly 2x as much as organizations using SaaS-based patch management platforms. Microsoft System Center Configuration Manager (SCCM) and Microsoft Windows Server … More

The post What are the benefits of automated, cloud-native patch management? appeared first on Help Net Security.

The Center for Internet Security (CIS) Use Cases and Cost Justification

Vince Lombardi, the famous football coach, used to start his training camp each season with a talk about doing the basics. He’d tell the players that they start with the basics, then he’d take a football and hold it up and tell them, “This is a football.” In football, as in life and IT Security, […]… Read More

The post The Center for Internet Security (CIS) Use Cases and Cost Justification appeared first on The State of Security.

Consumers don’t entirely trust smart home tech

Smart home tech is marketed to enhance your home and make life easier. However, UK consumers are not convinced that they can trust the privacy and security of these technologies. To better understand consumers’ perceptions of the desirability of the smart home, researchers from WMG and Computer Science, University of Warwick have carried out a nationally representative survey of UK consumers designed to measure adoption and acceptability, focusing on awareness, ownership, experience, trust, satisfaction and … More

The post Consumers don’t entirely trust smart home tech appeared first on Help Net Security.

Fortinet unveiled the FortiGate 4400F, a firewall capable of securing 5G networks

Fortinet announced the FortiGate 4400F, a hyperscale firewall, setting new milestones for Security Compute Ratings to deliver performance, scalability and security in a single appliance to meet escalating business needs. FortiGate 4400F is powered by Fortinet’s latest seventh generation network processor (NP7) to offer hardware-acceleration, making it the only network firewall that is fast enough to secure hyperscale data centers and 5G networks. Today’s most digitally innovative organizations face escalating and often unpredictable capacity needs … More

The post Fortinet unveiled the FortiGate 4400F, a firewall capable of securing 5G networks appeared first on Help Net Security.

Windstream Enterprise fortifies SD-WAN with virtual NGFW

Windstream Enterprise released a new security feature to protect businesses from increasingly sophisticated threats to their network and their data. Offered as part of its managed SD-WAN service, Windstream Enterprise’s new Virtual Network Function (VNF) Next-Generation Firewall (NGFW) gives businesses peace of mind that their networks are safe from attacks, out to the network edge, while also reducing the complexity associated with implementing a large-scale network security solution. The VNF Firewall service expands upon Windstream … More

The post Windstream Enterprise fortifies SD-WAN with virtual NGFW appeared first on Help Net Security.

Push Technology releases Diffusion Kafka Adapter

Push Technology launched a new Kafka Adapter for their Diffusion Intelligent Data Mesh. With the Diffusion Kafka Adapter, organizations can now securely extend Kafka solutions over the Internet, streaming real-time data to millions of end-user applications. In addition, customers can easily manage the high volume of data across geographically dispersed regions. Kafka has proven capability for high-throughput data handling within the data center. When dealing with potentially hundreds of thousands of topics and concurrent connections in … More

The post Push Technology releases Diffusion Kafka Adapter appeared first on Help Net Security.

SimIQ: Efficient GNSS testing during product development

Spirent Communications released SimIQ. From software-in-the-loop through to final form testing, SimIQ enables developers to collaborate across the full design lifecycle through the creation, sharing and replay of I/Q data files. SimIQ has been developed to meet the growing need to test GNSS capabilities earlier to accelerate product development, while simultaneously reducing costs by identifying issues prior to the purchase of hardware components. For developers using Spirent’s market-leading GSS7000 and GSS9000 simulators, SimIQ extends multi-frequency, … More

The post SimIQ: Efficient GNSS testing during product development appeared first on Help Net Security.

HPE and SAP partner to deliver SAP HANA Enterprise Cloud with HPE GreenLake

HPE announced plans to partner with SAP to deliver the customer edition of SAP HANA Enterprise Cloud with HPE GreenLake, as a fully managed service at the edge, in the customer’s data center or colocation facility of their choice. Customers will be able to keep their SAP software landscape and data on-premises while gaining the benefits of a subscription-based, agile, elastic, and consistent cloud experience from SAP with HPE GreenLake. The new offering SAP HANA … More

The post HPE and SAP partner to deliver SAP HANA Enterprise Cloud with HPE GreenLake appeared first on Help Net Security.

Balbix BreachControl added to Ingram Micro Cloud Marketplace

Balbix announced a global cloud distribution agreement with Ingram Micro that brings its award-winning Balbix BreachControl solution to the Ingram Micro Cloud Marketplace, a marketplace of cloud solutions and services for the channel. This solution enables CISOs to gain real-time visibility into their breach risk and reduce cyber-risk by 95% or more, while making security teams 10x more efficient. “Pandemic-induced shifts in work patterns over the past few months have brought about an unprecedented expansion … More

The post Balbix BreachControl added to Ingram Micro Cloud Marketplace appeared first on Help Net Security.

Cyber News Rundown: Twitter Hack Arrests

Multiple Individuals Charged for Twitter Hack

Three people were charged with last month’s Twitter hack, which generated over $100,000 in bitcoin by hijacking high-profile accounts. Of the 130 accounts used to spread the Bitcoin scam, major names included Elon Musk and Bill Gates, who have been portrayed in similar past scams. The FBI was apparently able to identify the perpetrators through a known hacking forum offering Twitter account hacking services for a fee.

Kentucky Unemployment Faces Second Breach in 2020

Kentucky’s unemployment system suffered its second data breach of the year last week. The breach came to light after a user reported being able to view another’s sensitive information while attempting to review their own. Officials are still uncertain how the breach occurred or the exact contents of the information available to the person who reported the incident.

Canon Suffers Ransomware Attack

Several services related to Canon, including its cloud storage systems, fell victim to a ransomware attack that knocked them offline for nearly a week. In addition to the offline systems, more than 10TB of customer data were allegedly stolen and a ransom note pertaining to the Maze Ransomware variant was identified. A large number of Canon’s website domains were also taken offline, with an internal server error being displayed to site visitors.

Havenly Interior Design Breach

A data trove containing roughly 1.4 million Havenly user accounts was posted for sale on a Dark Web marketplace last week. It included personally identifiable information of customers including names, physical addresses and emails. The company’s official statement said no financial information was lost in the breach. While Havenly has recommended all customers update their login credentials, the breach occurred well over a month ago, enough time for affected customers to be subjected to identity theft or attacks aimed at compromising further accounts.

Massive VPN Server Password Leak

The credentials for over 900 enterprise-level VPN servers from Pulse Secure recently appeared on a hacker forum known to be frequented by ransomware groups. The plain-text dump contains enough information to take full control of the servers, which are currently running firmware with known critical vulnerabilities identified within the past two months. The vulnerability that allowed this breach, CVE-2019-11510, was identified and a patch was released late last year. Many of the attack’s victims had neglected to implement the patch.

The post Cyber News Rundown: Twitter Hack Arrests appeared first on Webroot Blog.

Where Dark Reading Goes Next

Dark Reading Editor-in-Chief gives a complete rundown of all the Dark Reading projects you might not even know about, his insight into the future of the security industry, and how we plan to cover it.

I’m Partnering with NordVPN as a Strategic Advisor

I love security. I love privacy. Consequently, it will come as no surprise that I love tools that help people achieve those objectives. Equally, I have no patience for false promises, and I've been very vocal about my feelings there:

VPNs are a great example of where a tool can be used to enhance security and privacy but often, they fall short of delivering on the promise. When you use a VPN, you're trusting a third party with your traffic and even in an increasingly "encrypted by default" web, you're taking a leap of faith with who you choose to route your bytes.

A few months ago, NordVPN sponsored this blog and we got to chatting. I had a long call with Tom Okman (that link is a good read on their background) who co-founded the company in 2012 and I expressed my dismay at the trustworthiness (or lack thereof) of so many VPNs in the market. This was before the embedded tweet above but well after I'd written about dodgy VPNs:

Whoever can see your traffic - be that your local ISP or the VPN provider you decide to use - has an enormous responsibility and you're placing a huge amount of trust in them

I really pressed Tom on the trust piece - why should people trust NordVPN? The promise of "no logs" in particular is a favourite of VPN providers yet evidently, the reality doesn't always meet the promise. Turns out they'd just had their second PWC audit to verify their claims and came out clean which is a pretty solid way of demonstrating their commitment to privacy. Having a Big Four do any sort of formal audit wouldn't have been a cheap experience and the fact Tom and co recognised the value, not just in making claims but proving them too, carries a lot of weight.

But there were also aspects of NordVPN I told Tom needed work, especially around their messaging in marketing material. Look, I get it, marketing people like to embellish but, in my view, there were occasions where that went beyond what you could reasonably expect a VPN to do. You can't on the one hand put all this work into trust and transparency and then on the other hand convey messaging that impacts trust and transparency! And yes, I have strong views on these things 😊

So Tom asked me if I'd like to become an adviser to NordVPN and invest a bit more time than just a telephone call sharing these ideas. I thought about it for a while, kept using the product, liked it, realised it's not like I'm travelling anywhere anytime soon so I've got the time and gave him a thumbs up. So here we are. I'll be devoting some cycles each month to work with NordVPN on their tools and messaging with a view to helping them make a great product even better. Yes, it's a commercial relationship but no, I won't be employed by them, will remain independent and will continue to do all the things I usually do anyway (except travel, of course).

NordVPN has done a great job getting their product out to 14 million people worldwide and frankly, that's a pretty impressive number for a tool your average consumer has no idea about. I'm looking forward to working with them on the product, reaching more people and having a greater positive impact on digital privacy.

Live from Black Hat: Hacking Public Opinion with Renée DiResta 

Psychological operations, or PsyOps, is a topic I’ve been interested in for a while. It’s a blend of social engineering and marketing, both passions of mine. That's why I found the keynote by Renée DiResta, Research Manager at the Stanford Internet Observatory, particularly interesting.

The Internet Makes Spreading Information Cheap & Easy

Disinformation and propaganda are old phenomena that can be traced back to the invention of the printing press, and arguably before then. With the advent of the Internet, the cost of publishing dropped to zero. There are no hosting costs on certain platforms, but especially in the beginning, the blogosphere was very decentralized, and it was hard to get people to read your content. With the rise of social media, you can share your content and it can become viral. At the same time, content creation becomes easier. All of this eliminates cost barriers and gatekeepers.

State Actors “Hack” Our Opinions

As social media platforms matured, the algorithms that curate content became more and more sophisticated. They are trying to group people and deliver personalized targeting of content, which allows adversaries to analyze and game the algorithms.

State actors don’t just influence, they start hacking public opinion, which involves fake content producers and fake accounts. They can do this more effectively because they understand the ecosystem extremely well, typically applying one of four tactics, sometimes in combination:

  • Distract: Taking attention away from news stories that are detrimental to the state actor
  • Persuade: Providing convincing content to sway a target’s opinion
  • Entrench: Getting individuals to identify with their peer groups and dig their heels in
  • Divide: Pitting groups against each other to spread dissent

Architecture of a Modern Information Operation

Information operations often create fake public personas, such as journalists, to create content. They then seed it to social media and amplify it through bot accounts to get organic shares among the population. The ultimate goal is to have mass media pick up the stories and amplify even further.

Many of these campaigns use algorithmic manipulation. The Russian disinformation campaign around the 2016 election only spent $100,000 in advertising, but their real lift came from creating compelling content that people shared organically.

From a defensive perspective, you can look at these operations as a kill chain. You should ask yourself: Which part of the chain can I disrupt to slow or stop the campaign? The last hop to mass media is particularly important.

Telling a Positive Story About China

China is a powerful player in information operations, but we’ll see in a moment that their operations have less impact than Russia’s. However, their network infiltration operations, which can be related to information operations, are already very advanced.

In a nutshell, the goal of China’s information operations is to “Tell China’s Story Well”. They are primarily concerned with persuasion, sometimes distraction. For example, during the COVID-19 crisis, China first controlled domestic perception, then put out English language posts about WHO praising the Chinese response. They pushed this out on Facebook to ensure they reached large global audiences. They flip back and forth between funny things that people retweet and more aggressive messages.

A Look Into Chinese Information Operations

China has decades of experience in both covert and overt domestic information management. They're now taking these inward-facing capabilities and employing them outside of their borders.

We can classify their content sources into three categories:

  • Light: Official state news outlets
  • Grey: Content farms that are not easily attributable to the state and push out fake political stories
  • Dark: Purely online properties that spread disinformation

Even though Facebook is banned in China, its content platforms have more than 220 million followers. They have also expanded to troll accounts and covert strategies, which have been taken down from Facebook and Twitter on some occasions.

As Western media began to talk about Hong Kong protests, Chinese troll accounts surfaced, pretending to be Hong Kong citizens, and told the journalists that they got the story completely wrong. However, China lost its Hong Kong bots early in the protests because they were shut down. Research showed that most accounts were not created pre-emptively but as a reaction to a crisis.

China is Struggling to Have Real Impact, But They’ll Get Better

The surprising thing was that 92 percent of accounts had less than 10 followers. Most tweets didn’t even have a “like,” and maximum tweet engagement was 3,700. In other words, China did a very poor job of getting real people to pick up their content.

While China is good at creating content, they are sloppy at their social media game. China is well resourced, and they’re committed to improving. At the same time, we shouldn’t overemphasize the impact of the efforts.

Russia’s Game: Entrench and Divide

By comparison, Russia is best in class when it comes to information operations. They excel at creating agents of influence and manipulating media. They are using network infiltration as one of their tactics, both to hack public influencers and by leaking data to the media.

Russia has the same set of overt and covert media, ranging from light to dark, but it spends a fraction of China’s budget. One example of a covert content source is BlackMattersUS, which is officially operated by an American activist but is actually run by a Russian contractor in St. Petersburg.

Its media outlets have fewer Facebook followers, only in the range of 39 million, but they have a lot more engagement. Russia is much better at segmenting their audience and creating custom content that plays into their narratives, entrenching and dividing their audiences. They are also better at picking the right types of media for the audience and social network, e.g. videos for young millennials.

Russian Memes vs. Chinese Narratives

While China is focusing mainly on creating a certain narrative, Russia focuses much more on memes that convey feelings or a point of view. Much of this content is generated by the Internet Research Agency, a Russian content farm that is not officially associated with the government to create plausible deniability. They focus on social content first, which lends itself to certain types of media.

Memes look at how people feel. They are identity-focused and entrench people in their groups. Content is created to reinforce their beliefs. By sharing the content, individuals are signaling membership in their group. Interestingly, the IRA does this both on the political left and on the right, splitting the country in two.

Creating Agents of Influence

Russia doesn’t stop with online engagement and shaping opinions. It wants to create agents of influence that go out on the street and conduct activism. When you follow the Internet Research Agency page or like a piece of content, you give the IRA a signal that you’re sympathetic to a particular point of view.

What DiResta has observed is attempts to recruit these people through constant outreach, more than you’d typically see from a media outlet. They offer financial resources and logistical support to turn people into agents of influence, mobilizing them, getting them out into the streets as activists. This happens behind the scenes, in direct messages, not visible if you’re simply looking at the memes on social media.

Throwing Hacked Data into the Mix

Russia goes one step further, engaging GRU hacking operations in its information campaigns. APT28, also known as Fancy Bear, began creating fake Facebook pages years ago when the GRU was experimenting with these tactics.

Hacked data

The green circles represent fake public personas, often journalists, that put out geopolitical content on their own fake media sites. They share the content with Western and regional blogs to gain wider distribution. However, the GRU did not have a lot of success with this tactic.

They have since modified their tactics. Public officials or agencies are hacked, then the material is offered to journalists through fake personas, such as Guccifer 2.0. The Internet Research Agency then creates memes based on the content to amplify on social media. Finally, RT and Sputnik, Russia’s state news outlets, talk about the substance of the hack while denying their state’s involvement.

While China is focused on telling a positive story about their country, Russia is more interested in exploiting divisions in our society and using vulnerabilities in our information ecosystem.

Russia Will Use the Same Methods in the 2020 Elections

We should expect Russia to employ similar tactics in the 2020 U.S. presidential elections:

  • Hacking & leaking operations
  • Hacking voting machines
  • Infiltrating groups
  • Amplifying narratives

Even if Russia doesn't hack the voting machines, just claiming they've been successful will cause mistrust in the elections. And that is their goal: undermining confidence in our political system.

The Effects Will Outlast Active Operations

You can’t hack a social system if the system is resistant to the attack, but our country is divided and very vulnerable. DiResta found an activist’s page on Facebook that contained 40 percent IRA content. However, the person behind the page was real, not a bot. They were sharing the content because the IRA had created messages that resonated extremely well.

People internalize opinions based on repetition. False stories are memorized by real people and spread long after active operations have ceased. We’re all more instrumented than ever before.

The challenge for scientific research is: We can easily quantify likes and retweets and see how they are reacting, but it’s hard to see if it changed hearts and minds.

What Does This Mean for Corporate Information Security?

If you’re a CISO in a company with international competitors, you're just as much at risk. Companies with geopolitical aspects such as fracking for oil and agricultural firms like Monsanto have already been targets. Companies taking part in social issues have seen content against them amplified on social media.

However, most companies don’t have a position on the org chart to deal with adversarial information operations. As a CISO, you probably need to start thinking about how you would respond. But the question isn’t purely technical. It's not a social media analysis problem. You need to conduct red teaming exercises that involve people from both technical teams and corporate communications.

If you found this post interesting and would like an overview of additional Black Hat sessions, visit the Veracode blog.

Return of the sovereign cloud

There is increasing interest in national cybersecurity as the line between military, economic, and diplomatic conflict blurs. The role that cloud computing plays as part of every nation’s critical infrastructure is once again under scrutiny.

Hacked Data Broker Accounts Fueled Phony COVID Loans, Unemployment Claims

A group of thieves thought to be responsible for collecting millions in fraudulent small business loans and unemployment insurance benefits from COVID-19 economic relief efforts gathered personal data on people and businesses they were impersonating by leveraging several compromised accounts at a little-known U.S. consumer data broker, KrebsOnSecurity has learned.

In June, KrebsOnSecurity was contacted by a cybersecurity researcher who discovered that a group of scammers was sharing highly detailed personal and financial records on Americans via a free web-based email service that allows anyone who knows an account’s username to view all email sent to that account — without the need of a password.

The source, who asked not to be identified in this story, said he’s been monitoring the group’s communications for several weeks and sharing the information with state and federal authorities in a bid to disrupt their fraudulent activity.

The source said the group appears to consist of several hundred individuals who collectively have stolen tens of millions of dollars from U.S. state and federal treasuries via phony loan applications with the U.S. Small Business Administration (SBA) and through fraudulent unemployment insurance claims made against several states.

KrebsOnSecurity reviewed dozens of emails the fraud group exchanged, and noticed that a great many consumer records they shared carried a notation indicating they were cut and pasted from the output of queries made at Interactive Data LLC, a Florida-based data analytics company.

Interactive Data, also known as IDIdata.com, markets access to a “massive data repository” on U.S. consumers to a range of clients, including law enforcement officials, debt recovery professionals, and anti-fraud and compliance personnel at a variety of organizations.

The consumer dossiers obtained from IDI and shared by the fraudsters include a staggering amount of sensitive data, including:

-full Social Security number and date of birth;
-current and all known previous physical addresses;
-all known current and past mobile and home phone numbers;
-the names of any relatives and known associates;
-all known associated email addresses;
-IP addresses and dates tied to the consumer’s online activities;
-vehicle registration and property ownership information;
-available lines of credit and amounts, and dates they were opened;
-bankruptcies, liens, judgments, foreclosures and business affiliations.

Reached via phone, IDI Holdings CEO Derek Dubner acknowledged that a review of the consumer records sampled from the fraud group’s shared communications indicates “a handful” of authorized IDI customer accounts had been compromised.

“We identified a handful of legitimate businesses who are customers that may have experienced a breach,” Dubner said.

Dubner said all customers are required to use multi-factor authentication, and that everyone applying for access to its services undergoes a rigorous vetting process.

“We absolutely credential businesses and have several ways to do that and exceed the gold standard, which is following some of the credit bureau guidelines,” he said. “We validate the identity of those applying [for access], check with the applicant’s state licensor and individual licenses.”

Citing an ongoing law enforcement investigation into the matter, Dubner declined to say if the company knew for how long the handful of customer accounts were compromised, or how many consumer records were looked up via those stolen accounts.

“We are communicating with law enforcement about it,” he said. “There isn’t much more I can share because we don’t want to impede the investigation.”

The source told KrebsOnSecurity he’s identified more than 2,000 people whose SSNs, DoBs and other data were used by the fraud gang to file for unemployment insurance benefits and SBA loans, and that a single payday can land the thieves $20,000 or more. In addition, he said, it seems clear that the fraudsters are recycling stolen identities to file phony unemployment insurance claims in multiple states.

ANALYSIS

Hacked or ill-gotten accounts at consumer data brokers have fueled identity theft, and identity theft services of various sorts, for years. In 2013, KrebsOnSecurity broke the news that the U.S. Secret Service had arrested a 24-year-old man named Hieu Minh Ngo for running an identity theft service out of his home in Vietnam.

Ngo’s service, variously named superget[.]info and findget[.]me, gave customers access to personal and financial data on more than 200 million Americans. He gained that access by posing as a private investigator to a data broker subsidiary acquired by Experian, one of the three major credit bureaus in the United States.

Ngo’s ID theft service superget.info

Experian was hauled before Congress to account for the lapse, and assured lawmakers there was no evidence that consumers had been harmed by Ngo’s access. But as follow-up reporting showed, Ngo’s service was frequented by ID thieves who specialized in filing fraudulent tax refund requests with the Internal Revenue Service, and was relied upon heavily by an identity theft ring operating in the New York-New Jersey region.

Also in 2013, KrebsOnSecurity broke the news that ssndob[.]ms, then a major identity theft service in the cybercrime underground, had infiltrated computers at some of America’s large consumer and business data aggregators, including LexisNexis Inc., Dun & Bradstreet, and Kroll Background America Inc.

The now defunct SSNDOB identity theft service.

In 2006, The Washington Post reported that a group of five men used stolen or illegally created accounts at LexisNexis subsidiaries to look up SSNs and other personal information on more than 310,000 individuals. And in 2004, it emerged that identity thieves masquerading as customers of data broker Choicepoint had stolen the personal and financial records of more than 145,000 Americans.

Those compromises were noteworthy because the consumer information warehoused by these data brokers can be used to find the answers to so-called knowledge-based authentication (KBA) questions used by companies seeking to validate the financial history of people applying for new lines of credit.

In that sense, thieves involved in ID theft may be better off targeting data brokers like IDI and their customers than the major credit bureaus, said Nicholas Weaver, a researcher at the International Computer Science Institute and lecturer at UC Berkeley.

“This means you have access not only to the consumer’s SSN and other static information, but everything you need for knowledge-based authentication because these are the types of companies that are providing KBA data.”

The fraud group communications reviewed by this author suggest they are cashing out primarily through financial instruments like prepaid cards and a small number of online-only banks that allow consumers to establish accounts and move money just by providing a name and associated date of birth and SSN.

While most of these instruments place daily or monthly limits on the amount of money users can deposit into and withdraw from the accounts, some of the more popular instruments for ID thieves appear to be those that allow spending, sending or withdrawal of between $5,000 and $7,000 per transaction, with high limits on the overall number or dollar value of transactions allowed in a given time period.

KrebsOnSecurity is investigating the extent to which a small number of these financial instruments may be massively over-represented in the incidence of unemployment insurance benefit fraud at the state level, and in SBA loan fraud at the federal level. Anyone in the financial sector or state agencies with information about these apparent trends may confidentially contact this author at krebsonsecurity @ gmail dot com, or via the encrypted message service Wickr at “krebswickr”.

The looting of state unemployment insurance programs by identity thieves has been well documented of late, but far less public attention has centered on fraud targeting Economic Injury Disaster Loan (EIDL) and advance grant programs run by the U.S. Small Business Administration in response to the COVID-19 crisis.

Late last month, the SBA Office of Inspector General (OIG) released a scathing report (PDF) saying it has been inundated with complaints from financial institutions reporting suspected fraudulent EIDL transactions, and that it has so far identified $250 million in loans given to “potentially ineligible recipients.” The OIG said many of the complaints were about credit inquiries for individuals who had never applied for an economic injury loan or grant.

The figures released by the SBA OIG suggest the financial impact of the fraud may be severely under-reported at the moment. For example, the OIG said nearly 3,800 of the 5,000 complaints it received came from just six financial institutions (out of several thousand across the United States). One credit union reportedly told the U.S. Justice Department that 59 out of 60 SBA deposits it received appeared to be fraudulent.

Black Hat 2020: Satellite Comms Globally Open to $300 Eavesdropping Hack

Attackers can listen in on internet traffic for high-value targets a continent away, like shipping fleets and oil installations, using some basic home-television gear.

Broadcom: Staying Safe with WastedLocker Ransomware Variant on the Prowl

SPONSORED CONTENT: Stealthier and more patient than some predecessors, WastedLocker lingers surreptitiously for as long as it needs to for maximum payoff, says Jon DiMaggio with Broadcom's Symantec division. He explains how Windows servers are at a different risk level than their open-source counterparts, and how WastedLocker identifies "valuable" targets.

Bypassing MassLogger Anti-Analysis — a Man-in-the-Middle Approach

The FireEye Front Line Applied Research & Expertise (FLARE) Team attempts to always stay on top of the most current and emerging threats. As a member of the FLARE Reverse Engineer team, I recently received a request to analyze a fairly new credential stealer identified as MassLogger. Despite the lack of novel functionalities and features, this sample employs a sophisticated technique that replaces the Microsoft Intermediate Language (MSIL) at run time to hinder static analysis. At the time of this writing, there is only one publication discussing the MassLogger obfuscation technique in some detail. Therefore, I decided to share my research and tools to help analyze MassLogger and other malware using a similar technique. Let us take a deep technical dive into the MassLogger credential stealer and the .NET runtime.

Triage

MassLogger is a .NET credential stealer. It starts with a launcher (6b975fd7e3eb0d30b6dbe71b8004b06de6bba4d0870e165de4bde7ab82154871) that uses simple anti-debugging techniques which can be easily bypassed when identified. This first stage loader eventually XOR-decrypts the second stage assembly which then decrypts, loads and executes the final MassLogger payload (bc07c3090befb5e94624ca4a49ee88b3265a3d1d288f79588be7bb356a0f9fae) named Bin-123.exe. The final payload can be easily extracted and executed independently. Therefore, we will focus exclusively on this final payload where the main anti analysis technique is used.

Basic static analysis doesn’t reveal anything too exciting. We notice some interesting strings, but they are not enough to give us any hints about the malware’s capabilities. Executing the payload in a controlled environment shows that the sample drops a log file that identifies the malware family, its version, and most importantly some configuration options. A sample log file is shown in Figure 1. We can also extract some interesting strings from memory as the sample runs. However, basic dynamic analysis is not sufficient to extract all host-based indicators (HBIs), network-based indicators (NBIs) and complete malware functionality. We must perform a deeper analysis to better understand the sample and its capabilities.

User Name: user
IP: 127.0.0.1
Location: United States
OS: Microsoft Windows 7 Ultimate 32bit
CPU: Intel(R) Core(TM) i7-6820HQ CPU @ 2.70GHz
GPU: VMware SVGA 3D
AV: NA
Screen Resolution: 1438x2460
Current Time: 6/17/2020 1:23:30 PM
MassLogger Started: 6/17/2020 1:23:21 PM
Interval: 2 hour
MassLogger Process: C:\Users\user\Desktop\Bin-123.exe
MassLogger Melt: false
MassLogger Exit after delivery: false
As Administrator: False
Processes:
Name:cmd, Title:Administrator: FakeNet-NG - fakenet
Name:iexplore, Title:FakeNet-NG - Internet Explorer
Name:dnSpy-x86, Title:dnSpy v6.0.5 (32-bit)
Name:cmd, Title:Administrator: C:\Windows\System32\cmd.exe
Name:ProcessHacker, Title:Process Hacker [WIN-R23GG4KO4SD\user]+ (Administrator)

### WD Exclusion ###
Disabled

### USB Spread ###
Disabled

### Binder ###
Disabled

### Window Searcher ###
Disabled

### Downloader ###
Disabled

### Bot Killer ###
Disabled

### Search And Upload ###
Disabled

### Telegram Desktop ###
Not Installed

### Pidgin ###
Not Installed

### FileZilla ###
Not Installed

### Discord Tokken ###
Not Installed

### NordVPN ###
Not Installed

### Outlook ###
Not Installed

### FoxMail ###
Not Installed

### Thunderbird ###
Not Installed

### QQ Browser ###
Not Installed

### FireFox ###
Not Installed

### Chromium Recovery ###
Not Installed

### Keylogger And Clipboard ###

 

[20/06/17]  [Welcome to Chrome - Google Chrome]
[ESC]

[20/06/17]  [Clipboard]
Vewgbprxvhvjktmyxofjvpzgazqszaoo

Figure 1: Sample MassLogger log

Just Decompile It

Like much other .NET malware, MassLogger obfuscates all of its method names and even the method control flow. We can use de4dot to automatically deobfuscate the MassLogger payload. However, looking at the deobfuscated payload, we quickly identify a major issue: most of the methods contain almost no logic, as shown in Figure 2.


Figure 2: dnSpy showing empty methods

Looking at the original MassLogger payload in dnSpy’s Intermediate Language (IL) view confirms that most methods do not contain any logic and simply return. This is obviously not the real malware, since we already observed with dynamic analysis that the sample indeed performs malicious activities and writes to a log file. We are left with a few methods, most notably the method with the token 0x0600049D, which is called first in the main module constructor.


Figure 3: dnSpy IL view showing the method's details

The control flow of method 0x0600049D has been obfuscated into a series of switch statements. We can still somewhat follow the method’s high-level logic with the help of dnSpy as a debugger, but fully analyzing the method would be very time consuming. Instead, when first analyzing this payload, I chose to quickly scan over the entire module to look for hints. Luckily, I spotted a few interesting strings I had missed during basic static analysis: clrjit.dll, VirtualAlloc, VirtualProtect and WriteProcessMemory, as seen in Figure 4.


Figure 4: Interesting strings scattered throughout the module

A quick internet search for “clrjit.dll” and “VirtualProtect” takes us to a few publications describing a technique commonly referred to as Just-In-Time (JIT) hooking. In essence, JIT hooking installs a hook on the compileMethod() function, the point at which the JIT compiler is about to compile a method’s MSIL into native code (x86, x64, etc.). With the hook in place, the malware can replace each method body with the real MSIL that contains the original malware logic, so the bytes on disk never need to hold it. To fully understand this process, let’s explore the .NET executable, the .NET methods, and how MSIL turns into x86 or x64 assembly.

.NET Executable Methods

A .NET executable is just another binary following the Portable Executable (PE) format. There are plenty of resources describing the PE file format, the .NET metadata and the .NET token tables in detail. I recommend that readers take a quick detour and refresh their memory on those topics before continuing. This post won’t go into further detail on them but will focus on the .NET methods instead.

Each .NET method in a .NET assembly is identified by a token. In fact, everything in a .NET assembly, whether it’s a module, a class, a method prototype, or a string, is identified by a token. Let’s look at the method identified by the token 0x0600049D, as shown in Figure 5. The most-significant byte (0x06) tells us that this token is a method token (type 0x06) instead of a module token (type 0x00), a TypeDef token (type 0x02), or a LocalVarSig token (type 0x11), for example. The three least-significant bytes tell us the ID of the method, in this case 0x49D (1181 in decimal). This ID is also referred to as the Method ID (MID) or the Row ID of the method.


Figure 5: Method details for method 0x0600049D

To find out more information about this method, we look within the tables of the “#~” stream of the .NET metadata streams in the .NET metadata directory, as shown in Figure 6. We traverse to entry number 1181 (0x49D) of the Method table to find the method metadata, which includes the Relative Virtual Address (RVA) of the method body, various flags, a pointer to the name of the method, a pointer to the method signature, and finally a pointer to the parameter specification for this method. Please note that the MID starts at 1 instead of 0.


Figure 6: Method details from the PE file header

For method 0x0600049D, the RVA of the method body is 0xB690. This RVA belongs to the .text section, whose RVA is 0x2000. Therefore, this method body begins 0x9690 (0xB690 - 0x2000) bytes into the .text section. The .text section starts 0x200 bytes into the file according to the section header. As a result, we can find the method body at offset 0x9890 (0x9690 + 0x200) into the file. We can see the method body in Figure 7.


Figure 7: Method 0x0600049D body in a hex editor

.NET Method Body

The .NET method body starts with a method body header, followed by the MSIL bytes. There are two types of .NET methods: a tiny method and a fat method. Looking at the first byte of the method body header, the two least-significant bits tell us if the method is tiny (where the last two bits are 10) or fat (where the last two bits are 11).

.NET Tiny Method

Let’s look at method 0x06000495. Following the same steps described earlier, we check the row number 0x495 (1173 in decimal) of the Method table to find the method body RVA is 0x7A7C which translates to 0x5C7C as the offset into the file. At this offset, the first byte of the method body is 0x0A (0000 1010 in binary).


Figure 8: Method 0x06000495 metadata and body

Since the two least-significant bits are 10, we know that 0x06000495 is a tiny method. For a tiny method, the method body header is one byte long: the two least-significant bits are 10 to indicate the tiny format, and the six most-significant bits tell us the size of the MSIL that follows. In this case, the six most-significant bits are 000010, so the MSIL is two bytes long. The entire method body for 0x06000495 is 0A 16 2A (the header, then ldc.i4.0 and ret), followed by a NULL padding byte, which has been disassembled by dnSpy as shown in Figure 9.


Figure 9: Method 0x06000495 in dnSpy IL view

.NET Fat Method

Coming back to method 0x0600049D (entry number 1181) at offset 0x9890 into the file (RVA 0xB690), the first byte of the method body is 0x1B (0001 1011 in binary). The two least-significant bits are 11, indicating that 0x0600049D is a fat method. The fat method body header is 12 bytes long; its full structure is beyond the scope of this blog post. The field we really care about is the four-byte field at offset 0x04 into this fat header, which specifies the length of the MSIL that follows the method body header. For method 0x0600049D, the entire method body header is “1B 30 08 00 A8 61 00 00 75 00 00 11” and the length of the MSIL to follow is “A8 61 00 00”, or 0x61A8 (25000 in decimal) bytes.


Figure 10: Method 0x0600049D body in a hex editor
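The three steps walked by hand above (splitting a token into table and row id, translating a method body RVA to a file offset, and decoding a tiny or fat method body header) as one added, runnable example; this is not code from the post or from JITM. It reuses the values the post reads out of Bin-123.exe: the .text section at RVA 0x2000 and file offset 0x200, and the bodies 0A 16 2A and 1B 30 08 00 A8 61 00 00 75 00 00 11. The .text section size of 0x10000 is an assumption, since the post does not give it; the CorILMethod flag values are the ones defined in ECMA-335, so the parser also reports the InitLocals and MoreSects bits that the fat header’s 0x01B flags carry.

```python
import struct

# Section table constructed from the post: .text is at RVA 0x2000 and file
# offset 0x200.  Its size is not given in the post; 0x10000 is an assumption
# large enough to cover the RVAs discussed there.
SECTIONS = [
    # (name, virtual_address, virtual_size, pointer_to_raw_data)
    (".text", 0x2000, 0x10000, 0x200),
]

# Metadata table ids (ECMA-335 II.22) for the token types named in the post.
TABLE_NAMES = {0x00: "Module", 0x02: "TypeDef", 0x06: "MethodDef", 0x11: "StandAloneSig"}

# CorILMethod flags (ECMA-335 II.25.4.4).
TINY_FORMAT = 0x2
FAT_FORMAT = 0x3
MORE_SECTS = 0x8     # an extra section (exception handlers) follows the IL
INIT_LOCALS = 0x10   # locals are zero-initialised on entry


def decode_token(token):
    """Split a metadata token into (table id, row id). Row ids start at 1."""
    return token >> 24, token & 0x00FFFFFF


def rva_to_file_offset(rva, sections=SECTIONS):
    """Map an RVA to a file offset through the section table."""
    for _name, va, vsize, raw_ptr in sections:
        if va <= rva < va + vsize:
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%X is not inside any section" % rva)


def parse_method_body(data):
    """Decode the method body header at data[0] and return its fields and IL.

    Only the two low bits of the first byte decide the format.  Those are the
    bits MassLogger leaves alone when it rewrites headers in memory, so a
    parser should derive everything else from the format, not trust it.
    """
    kind = data[0] & 0x3
    if kind == TINY_FORMAT:
        header_size = 1
        code_size = data[0] >> 2            # the remaining six bits
        info = {"format": "tiny", "flags": TINY_FORMAT, "max_stack": 8,
                "code_size": code_size, "local_var_sig": 0,
                "more_sects": False, "init_locals": False}
    elif kind == FAT_FORMAT:
        # 12-bit flags + 4-bit header size in dwords, MaxStack, CodeSize, LocalVarSigTok
        flags_and_size, max_stack, code_size, local_var_sig = struct.unpack_from("<HHII", data, 0)
        flags = flags_and_size & 0x0FFF
        header_size = (flags_and_size >> 12) * 4
        info = {"format": "fat", "flags": flags, "max_stack": max_stack,
                "code_size": code_size, "local_var_sig": local_var_sig,
                "more_sects": bool(flags & MORE_SECTS),
                "init_locals": bool(flags & INIT_LOCALS)}
    else:
        raise ValueError("byte 0x%02X does not start a method body header" % data[0])
    info["header_size"] = header_size
    info["il"] = bytes(data[header_size:header_size + code_size])
    # True when fewer bytes were supplied than CodeSize claims.
    info["truncated"] = len(info["il"]) < code_size
    return info


def describe_method(token, rva, body):
    """Tie the three steps together the way the post walks them by hand."""
    table, rid = decode_token(token)
    info = parse_method_body(body)
    return {"table": TABLE_NAMES.get(table, "0x%02X" % table), "rid": rid,
            "file_offset": rva_to_file_offset(rva), **info}


if __name__ == "__main__":
    # The two bodies quoted in the post; only the 12-byte header of the fat
    # one is quoted, so its IL comes back flagged as truncated.
    print(describe_method(0x06000495, 0x7A7C, bytes.fromhex("0A162A00")))
    print(describe_method(0x0600049D, 0xB690, bytes.fromhex("1B300800A861000075000011")))
```

The LocalVarSigTok the fat header carries, 0x11000075, decodes with the same decode_token() to table 0x11, which is exactly the LocalVarSig token type named earlier.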

JIT Compilation

Whether a method is tiny or fat, it does not execute as is. When the .NET runtime needs to execute a method, it follows exactly the process described earlier to find the method body which includes the method body header and the MSIL bytes. If this is the first time the method needs to run, the .NET runtime invokes the Just-In-Time compiler which takes the MSIL bytes and compiles them into x86 or x64 assembly depending on whether the current process is 32- or 64-bit. After some preparation, the JIT compiler eventually calls the compileMethod() function. The entire .NET runtime project is open-sourced and available on GitHub. We can easily find out that the compileMethod() function has the following prototype (Figure 11):

CorJitResult __stdcall compileMethod (
    ICorJitInfo                       *comp,               /* IN */
    CORINFO_METHOD_INFO               *info,               /* IN */
    unsigned /* code:CorJitFlag */    flags,               /* IN */
    BYTE                              **nativeEntry,       /* OUT */
    ULONG                             *nativeSizeOfCode    /* OUT */
);

Figure 11: compileMethod() function prototype

Figure 12 shows the CORINFO_METHOD_INFO structure.

struct CORINFO_METHOD_INFO
{
      CORINFO_METHOD_HANDLE       ftn;
      CORINFO_MODULE_HANDLE       scope;
      BYTE *                      ILCode;
      unsigned                    ILCodeSize;
      unsigned                    maxStack;
      unsigned                    EHcount;
      CorInfoOptions              options;
      CorInfoRegionKind           regionKind;
      CORINFO_SIG_INFO            args;
      CORINFO_SIG_INFO            locals;
};

Figure 12: CORINFO_METHOD_INFO structure

The ILCode is a pointer to the MSIL of the method to compile, and the ILCodeSize tells us how long the MSIL is. The return value of compileMethod() is an error code indicating success or failure. In case of success, the nativeEntry pointer is populated with the address of the executable memory region containing the x86 or the x64 instruction that is compiled from the MSIL.

MassLogger JIT Hooking

Let’s come back to MassLogger. As soon as the main module initialization runs, it first decrypts the MSIL of the other methods. It then installs a hook to execute its own version of compileMethod() (method 0x06000499). This method replaces the ILCode and ILCodeSize fields of the info argument to the original compileMethod() with the real malware’s MSIL bytes.

In addition to replacing the MSIL bytes, MassLogger also patches the method body header at module initialization time. As seen in Figure 13, the method body header of method 0x060003DD on disk (at file offset 0x3CE0) is different from the header in memory (at RVA 0x5AE0). The only thing that stays consistent is the two least-significant bits indicating whether the method is tiny or fat. To successfully defeat this anti-analysis technique, we must recover the real MSIL bytes as well as the correct method body header.


Figure 13: Same method body with different headers when resting on disk vs. loaded in memory

Defeating JIT Method Body Replacement With JITM

To automatically recover the MSIL and the method body header, one possible approach suggested by another FLARE team member is to install our own hook on the compileMethod() function before loading the MassLogger module and allowing its constructor to run. There are multiple tutorials and open-sourced projects on hooking compileMethod() using both managed hooks (the new compileMethod() is a managed method written in C#) and native hooks (the new compileMethod() is native and written in C or C++). However, due to the unique way MassLogger hooks compileMethod(), we cannot use the vtable hooking technique implemented by many of the aforementioned projects. Therefore, I’d like to share the following project: JITM, which is designed to use inline hooking implemented by the PolyHook library. JITM comes with a wrapper for compileMethod() which logs all the method body headers and MSIL bytes to a JSON file before calling the original compileMethod().

In addition to the hook, JITM also includes a .NET loader. This loader first loads the native hook DLL (jitmhook.dll) and installs the hook. The loader then loads the MassLogger payload and executes its entry point. This causes MassLogger’s module initialization code to execute and install its own hook, but hooking jitmhook.dll code instead of the original compileMethod(). An alternative approach to executing MassLogger’s entry point is to call the RuntimeHelpers.PrepareMethod() API to force the JIT compiler to run on all methods. This approach is better because it avoids running the malware, and it potentially can recover methods not called in the sample’s natural code path. However, it requires additional work to force all methods to be compiled properly.

To load and recover MassLogger methods, run the following command (Figure 14):

jitm.exe Bin-123.exe [optional_timeout]

Figure 14: Command to run jitm

Once the timeout expires, you should see the files jitm.log and jitm.json created in the current directory. jitm.json contains the method token, method body header and MSIL of all methods recovered from Bin-123.exe. The only thing left to do is to rebuild the .NET metadata so we can perform static analysis.


Figure 15: Sample jitm.json

Rebuilding the Assembly

Since the decrypted method body header and MSIL may not fit in the original .NET assembly properly, the easiest thing to do is to add a new section and a section header to MassLogger. There are plenty of resources on how to add a PE section header and data, none of which is trivial or easy to automate. Therefore, JITM also includes the following Python 2.7 helper script to automate this process: Scripts\addsection.py.

With the method body header and MSIL of each method added to a new PE section as shown in Figure 16, we can easily parse the .NET metadata and fix each method’s RVA to point to the correct method body within the new section. Unfortunately, I did not find any Python library to easily parse the .NET metadata and the MethodDef table. Therefore, JITM also includes a partially implemented .NET metadata parser: Script\pydnet.py. This script uses the pefile and vivisect modules and parses the PE file up to the Method table to extract all methods and their associated RVAs.


Figure 16: Bin-123.exe before and after adding an additional section named FLARE

Finally, to tie everything together, JITM provides Script\fix_assembly.py to perform the following tasks:

  1. Write the method body header and MSIL of each method recovered in jitm.json into a temporary binary file named “section.bin”, while remembering the associated method token and the offset into section.bin.
  2. Use addsection.py to add section.bin into Bin-123.exe and save the data into a new file, e.g. Bin-123.fixed.exe.
  3. Use pydnet.py to parse Bin-123.fixed.exe and update the RVA field of each method entry in the MethodDef table to point to the correct RVA in the new section.

The final result is a partially reconstructed .NET assembly. Although additional work is necessary to get this assembly to run correctly, it is good enough to perform static analysis to understand the malware’s high-level functionalities.
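Steps 1 and 3 of that procedure as an added example; this is not JITM’s own fix_assembly.py, and it runs without pefile or vivisect. It lays the recovered bodies out into one section blob, keeping each fat body on the 4-byte boundary ECMA-335 requires, and then rewrites the RVA column of the MethodDef table so each patched row points into the new section. The shape of the jitm.json entries (token, header and MSIL as hex strings), the RVA 0xE000 of the added section, and a 14-byte MethodDef row (2-byte indexes into the #Strings, #Blob and Param heaps) are all assumptions. The tiny body is the real one from the post; the fat body is a constructed 4-byte stand-in for method 0x0600049D, not its real 25000 bytes. Step 2, writing the blob into a new PE section with addsection.py, is taken as already done.

```python
import struct

# Constructed sample of recovered methods in the jitm.json shape this example
# assumes.  The tiny body is the real one from the post.  The fat body is a
# constructed stand-in: header flags 0x013 (fat, InitLocals), MaxStack 8,
# CodeSize 4, LocalVarSigTok 0x11000075, IL = ldc.i4.s 10; pop; ret.
RECOVERED = [
    {"token": 0x06000495, "header": "0A", "msil": "162A"},
    {"token": 0x0600049D, "header": "13300800" "04000000" "75000011", "msil": "1F0A262A"},
]

METHODDEF_TABLE = 0x06
# RVA(4) ImplFlags(2) Flags(2) Name(2) Signature(2) ParamList(2); 2-byte heap indexes assumed
METHODDEF_ROW_SIZE = 14
NEW_SECTION_RVA = 0xE000  # assumed RVA of the section addsection.py appended


def declared_code_size(header):
    """CodeSize as the header states it, for either body format."""
    if header[0] & 0x3 == 0x3:
        return struct.unpack_from("<I", header, 4)[0]
    return header[0] >> 2


def build_section(recovered):
    """Step 1: concatenate header + MSIL of every recovered method into one blob.

    Returns (blob, {token: offset}).  A body whose MSIL length disagrees with
    its header's CodeSize is rejected instead of being written out broken.
    """
    blob = bytearray()
    offsets = {}
    for entry in recovered:
        header = bytes.fromhex(entry["header"])
        msil = bytes.fromhex(entry["msil"])
        if declared_code_size(header) != len(msil):
            raise ValueError("token 0x%08X: header CodeSize does not match MSIL length" % entry["token"])
        if header[0] & 0x3 == 0x3:
            blob += b"\x00" * (-len(blob) % 4)   # fat bodies must be 4-byte aligned
        offsets[entry["token"]] = len(blob)
        blob += header + msil
    return bytes(blob), offsets


def patch_methoddef_rvas(table, row_size, section_rva, offsets):
    """Step 3: point each recovered method's MethodDef.RVA into the new section.

    table is the raw MethodDef table.  Row ids are 1-based, so row RID starts
    at (RID - 1) * row_size, and the RVA is the row's first 4-byte column.
    """
    table = bytearray(table)
    for token, offset in offsets.items():
        table_id, rid = token >> 24, token & 0x00FFFFFF
        if table_id != METHODDEF_TABLE:
            raise ValueError("0x%08X is not a MethodDef token" % token)
        struct.pack_into("<I", table, (rid - 1) * row_size, section_rva + offset)
    return bytes(table)


def methoddef_rva(table, row_size, rid):
    """Read back the RVA column of one MethodDef row."""
    return struct.unpack_from("<I", table, (rid - 1) * row_size)[0]


if __name__ == "__main__":
    blob, offsets = build_section(RECOVERED)
    # A zero-filled table with enough rows for the highest RID stands in for
    # the real MethodDef table pydnet.py would locate inside the PE.
    table = bytes(METHODDEF_ROW_SIZE * 0x49D)
    table = patch_methoddef_rvas(table, METHODDEF_ROW_SIZE, NEW_SECTION_RVA, offsets)
    for token in offsets:
        print("0x%08X -> RVA 0x%X" % (token, methoddef_rva(table, METHODDEF_ROW_SIZE, token & 0x00FFFFFF)))
```

The CodeSize check matters because the header and the MSIL are logged separately by the hook: a header that claims more bytes than were captured would make dnSpy read past the body into whatever follows it in the new section.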

Let’s look at the reconstructed method 0x0600043E that implements the decryption logic for the malware configuration. Compared to the original MSIL, the reconstructed MSIL now shows that the malware uses AES-256 in CBC mode with PKCS7 padding. With a combination of dynamic analysis and static analysis, we can also easily identify the key to be “Vewgbprxvhvjktmyxofjvpzgazqszaoo” and the IV to be part of the Base64-encoded buffer passed in as its argument.


Figure 17: Method 0x0600043E before and after fixing the assembly

Armed with that knowledge, we can write a simple tool to decrypt the malware configuration and recover all HBIs and NBIs (Figure 18).

               BinderBytes: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                BinderName: Mzvmy_Nyrrd
                BinderOnce: false
        DownloaderFilename: Hrebxs
            DownloaderOnce: false
             DownloaderUrl: Vrwus
              EmailAddress: appfoil@outlook.com
               EmailClient: smtp.outlook.com
               EmailEnable: true
                 EmailPass: services000
                 EmailPort: 587
               EmailSendTo: appfoil@outlook.com
                  EmailSsl: True
        EnableAntiDebugger: false
        EnableAntiHoneypot: false
       EnableAntiSandboxie: false
          EnableAntiVMware: false
              EnableBinder: false
           EnableBotKiller: false
     EnableBrowserRecovery: true
EnableDeleteZoneIdentifier: false
          EnableDownloader: false
            EnableForceUac: false
             EnableInstall: false
           EnableKeylogger: true
          EnableMemoryScan: false
               EnableMutex: false
          EnableScreenshot: false
     EnableSearchAndUpload: false
           EnableSpreadUsb: false
         EnableWDExclusion: false
      EnableWindowSearcher: false
             ExectionDelay: 6
         ExitAfterDelivery: false
                 FtpEnable: false
                   FtpHost: ftp://127.0.0.1
                   FtpPass:
                   FtpPort: 21
                   FtpUser: Foo
               InstallFile: Pkkbdphw
             InstallFolder: %AppData%
       InstallSecondFolder: Eqrzwmf
                       Key:
                     Mutex: Ysjqh
               PanelEnable: false
                 PanelHost: http://example.com/panel/upload.php
 SearchAndUploadExtensions: .jpeg, .txt, .docx, .doc,
  SearchAndUploadSizeLimit: 500000
    SearchAndUploadZipSize: 5000000
              SelfDestruct: false
           SendingInterval: 2
                   Version: MassLogger v1.3.4.0
    WindowSearcherKeywords: youtube, facebook, amazon,

Figure 18: Decrypted configuration

Conclusion

Using a JIT compiler hook to replace the MSIL is a powerful technique that makes static analysis almost impossible. Although this technique is not new, I haven’t seen much .NET malware making use of it, let alone trying to implement its own adaptation instead of using widely available protectors like ConfuserEx. Hopefully, with this blog post and JITM, analysts will now have the tools and knowledge to defeat MassLogger or any future variants that use a similar technique.

If this is the type of work that excites you, and if you strive to push the state of the art when it comes to malware analysis and reverse engineering, the Front Line Applied Research and Expertise (FLARE) team may be a good place for you. The FLARE team faces fun and exciting challenges on a daily basis, and we are constantly looking for more team members to tackle these challenges head on. Check out FireEye’s career page to see if any of our opportunities would be a good fit for you.

Contributors (Listed Alphabetically)

  • Tyler Dean (@spresec): Technical review of the post
  • Michael Durakovich: Technical review of the post
  • Stephen Eckels (@stevemk14ebr): Help with porting JITM to use PolyHook
  • Jon Erickson (@evil-e): Technical review of the post
  • Moritz Raabe (@m_r_tz): Technical review of the post

Platform Security: Intel Pushes to Reduce Supply Chain Attacks

SPONSORED CONTENT: Attacks on supply chains involve lots of players and companies, not to mention an exponential amount of data for the stealing, notes Intel's Tom Garrison. Notoriously difficult to detect and mitigate, Garrison discusses new approaches to securing an individual company's computing platforms, including Compute Lifecycle Assurance.

Louisiana Judicial Candidate Charged with Hacking

A judicial candidate in Louisiana has been charged with hacking into state computers and sharing confidential court documents with a friend.

Attorney Trina Chu allegedly committed the offenses while working as a law clerk to now retired Chief Judge Henry Brown in 2018. 

According to a statement released by Caddo Parish sheriff Steve Prator, Chu copied sensitive court documents from the Louisiana 2nd Circuit Court of Appeals onto a USB flash drive. 

Chu allegedly sent three confidential documents relating to a judgement made against her friend Hanh Williams from the drive to her own personal email account in July 2018. These documents were then forwarded directly to Williams. 

At the time of the alleged crimes, three judges were considering Williams' appeal from a district court's ruling against her.

"The documents concerned a case under consideration by the 2nd Circuit involving a judgement against her close friend Hanh Williams for over $460,000," said Prator. 

The court had ruled that financial adviser Williams owed $460,605 to the estate of a Caddo Parish man to whom she had been a financial adviser. 

In his will, Williams' client, Fred Houston, had named her as his executor. Williams' administration of the Fred L. Houston Inter Vivos Trust was then challenged by the will's chief beneficiary, Louisiana State University's veterinary school.

“The jury charged Ms. Williams with $1.1 million in damages for breach of duty to the Trust and determined she was liable to the Estate for $460,605,” according to the 2nd Circuit opinion handed down August 15, 2018.

The sheriff said that Chu's alleged criminal activity was exposed "after a thorough investigation involving search warrants served to email providers, digital forensic examinations, and in person interviews."

Forty-six-year-old Chu was arrested on Tuesday by members of the CPSO Warrants Unit on two felony charges—offense against intellectual property and trespass against state computers. She was released the same day after paying bonds of $10,000 issued for each count.

According to online records for Louisiana's secretary of state, Chu is currently challenging 2nd Circuit Court of Appeal Judge Jeanette Garrett in an election scheduled to take place on November 3.

On election campaign website chuforjudge.com, Chu is touted as a “hardworking” person who stands for “fairness, equality and justice for all.” Chu had pledged to donate 75% of her judicial salary to four Louisiana nonprofit groups if elected.  

All those Zoom meetings and hangouts are impacting your brain, experts say – Yahoo

Mental health experts say constant video chat and Zoom meetings are draining users more than in-person conversations, and Zoom fatigue is setting in.  “Zoom fatigue is a unique kind of exhaustion that occurs when people participate in teleconferencing calls for an extended time period,” says Savitri Dixon-Saxon, Ph.D., the vice provost for Walden University’s College…

Online Exam Tool Suffers Data Breach

An investigation is under way into a data breach that impacted an online examination tool used by educational establishments around the world.

The breach affected users of software made by American company ProctorU to provide live and automated online proctoring services for academic institutions and professional organizations. 

According to Honi Soit, a database of 440,000 ProctorU user records was published by hacker group ShinyHunters over the past week along with hundreds of millions of other user records. ProctorU user data exposed includes usernames, unencrypted passwords, legal names, and full residential addresses. 

Among the records are email addresses belonging to the University of Sydney, the University of New South Wales, the University of Melbourne, the University of Queensland, the University of Tasmania, James Cook University, Swinburne University of Technology, the University of Western Australia, Curtin University, and Adelaide University.

A spokesperson for the University of Sydney said that ProctorU had confirmed on Thursday that an investigation into the confidential data breach had been launched.

According to the spokesperson, the data exposed relates to ProctorU users who registered on or before 2014. 

"We met with ProctorU’s CEO and compliance officer today, who confirmed they are investigating a breach of confidential data relating to users of their service," said the spokesperson. 

"Any breach of security and privacy of this type is of course deeply concerning, and we will continue to work with ProctorU to understand the circumstances of the breach and determine whether any follow-up actions are required on our part."

The University of Sydney doesn't believe any current students are affected by the data breach, as the university only began using ProctorU's services in 2020 in response to the COVID-19 pandemic. However, after learning about the breach, the establishment will be "reviewing our experience of online exams and proctoring this year to inform our approach to assessments in 2021."

A spokesperson for Swinburne University of Technology in Victoria said that it has launched its own investigation into the breach, which has impacted a small number of its students.

The NSA on the Risks of Exposing Location Data

The NSA has issued an advisory on the risks of location data.

Mitigations reduce, but do not eliminate, location tracking risks in mobile devices. Most users rely on features disabled by such mitigations, making such safeguards impractical. Users should be aware of these risks and take action based on their specific situation and risk tolerance. When location exposure could be detrimental to a mission, users should prioritize mission risk and apply location tracking mitigations to the greatest extent possible. While the guidance in this document may be useful to a wide range of users, it is intended primarily for NSS/DoD system users.

The document provides a list of mitigation strategies, including turning things off:

If it is critical that location is not revealed for a particular mission, consider the following recommendations:

  • Determine a non-sensitive location where devices with wireless capabilities can be secured prior to the start of any activities. Ensure that the mission site cannot be predicted from this location.
  • Leave all devices with any wireless capabilities (including personal devices) at this non-sensitive location. Turning off the device may not be sufficient if a device has been compromised.
  • For mission transportation, use vehicles without built-in wireless communication capabilities, or turn off the capabilities, if possible.

Of course, turning off your wireless devices is itself a signal that something is going on. It's hard to be clandestine in our always connected world.

US Cybersecurity Firms Partner to Protect Healthcare

Two California cybersecurity companies have joined forces to help protect healthcare networks from cyber-threats. 

CynergisTek and Awake Security announced yesterday that they are pooling resources to develop an online threat assessment program that healthcare organizations can use to identify attacker activity. 

Ben Denkers, CynergisTek SVP of security and privacy services, said the partnership was conceived after the outbreak of COVID-19 changed the medical world's working practices.

“As America’s hospitals scrambled to respond to the pandemic, the entire threat landscape and the associated attack surface completely changed, placing America’s hospitals squarely in the cross hairs for adversarial activity," said Denkers. 

"New vulnerabilities from telemedicine combined with an increased network footprint due to work-from-home employees means we have a perfect storm for increased cyber-attacks."

As part of the partnership, both companies are "assembling the best minds in networking, machine learning, data science, cybersecurity, privacy, and compliance to help healthcare organizations get a more complete view and understanding of their potential attack surface, including every user, medical device, and application on the network." 

The aim is to enable hospitals to track every asset in their network, whether it's moved on-premises or by remote users working in the cloud. Assistance will be given to help healthcare organizations identify high-risk incidents and compromised entities without the need for agents, manual configuration, or complex integrations.

"This partnership allows us to identify adversarial activity including reconnaissance in its early stages, allowing organizations to re-baseline their security posture as they return to normal operations,” said Denkers.

The new compromise assessment will be powered by Awake Security's network detection and response technology and offered to CynergisTek's customer base of more than 1,000 healthcare organizations. 

“Sensitive healthcare data is extremely valuable to hackers, and we know they aren’t sitting on the sidelines during the pandemic but are in fact attacking both hospitals and pharmaceutical companies during this volatile time,” said Rahul Kashyap, CEO of Awake Security. 

"In times like this, we’re excited to help healthcare entities for this ‘all-hands-on-deck’ moment to bolster their defenses and prevent crises from emerging and impacting patients.”

Zoom Bug Allowed Snoopers Crack Private Meeting Passwords in Minutes

Popular video conferencing app Zoom recently fixed a new security flaw that could have allowed potential attackers to crack the numeric passcode used to secure private meetings on the platform and snoop on participants. Zoom meetings are by default protected by a six-digit numeric password, but according to Tom Anthony, VP Product at SearchPilot who identified the issue, the lack of rate
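The article describes a six-digit numeric passcode with no rate limiting, which is a search space of only one million candidates. The following is an added example written for this page (it is not Zoom's code and does not reproduce the endpoint Tom Anthony tested): a toy join endpoint with an optional per-meeting lockout, an attacker loop that enumerates the whole space, and a throughput estimate. The endpoint class, the lockout threshold and the request rates are assumptions for illustration.

```python
import hmac

PASSCODE_DIGITS = 6
PASSCODE_SPACE = 10 ** PASSCODE_DIGITS  # 000000..999999: 1,000,000 candidates


class MeetingJoinEndpoint:
    """Hypothetical join endpoint that checks a numeric meeting passcode.

    max_failures=None models an endpoint with no rate limit or lockout at all;
    an integer models a per-meeting lockout after that many wrong guesses.
    """

    def __init__(self, passcode, max_failures=None):
        self._passcode = passcode
        self._max_failures = max_failures
        self.failures = 0
        self.locked = False

    def try_join(self, candidate):
        if self.locked:
            return "locked"
        # Constant-time comparison: a plain == leaks, via timing, how many
        # leading digits were right, which would shrink the search further.
        if hmac.compare_digest(candidate, self._passcode):
            return "joined"
        self.failures += 1
        if self._max_failures is not None and self.failures >= self._max_failures:
            self.locked = True
            return "locked"
        return "denied"


def brute_force(endpoint, budget=PASSCODE_SPACE):
    """Attacker loop: try every six-digit string in order until joined or locked.

    Returns (passcode, attempts_used) on success, (None, attempts_used) otherwise.
    """
    for n in range(budget):
        candidate = f"{n:0{PASSCODE_DIGITS}d}"
        result = endpoint.try_join(candidate)
        if result == "joined":
            return candidate, n + 1
        if result == "locked":
            return None, n + 1
    return None, budget


def worst_case_seconds(requests_per_second, parallel_clients=1):
    """Seconds to exhaust the whole space at an assumed request rate."""
    return PASSCODE_SPACE / (requests_per_second * parallel_clients)


if __name__ == "__main__":
    # Constructed sample passcode for the demo.
    open_endpoint = MeetingJoinEndpoint("482913")
    print("no lockout:", brute_force(open_endpoint))
    limited = MeetingJoinEndpoint("482913", max_failures=10)
    print("lockout after 10:", brute_force(limited))
    # 10 clients at 100 req/s each exhaust the space in about 17 minutes.
    print("worst case (s):", worst_case_seconds(100, parallel_clients=10))
```

The lockout counter is the simplest fix but is itself a denial-of-service lever (a stranger can lock real participants out of a meeting), so production designs usually pair a per-source rate limit with a passcode long enough that enumeration is infeasible within the meeting's lifetime.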

Live from Black Hat: Practical Defenses Against Adversarial Machine Learning with Ariel Herbert-Voss

Adversarial machine learning (ML) is a hot new topic that I now understand much better thanks to this talk at Black Hat USA 2020. Ariel Herbert-Voss, Senior Research Scientist at OpenAI, walked us through the current attack landscape. Her talk clearly outlined how current attacks work and how you can mitigate against them. She skipped right over some of the more theoretical approaches that don't really work in real life and went straight to real-life examples.

Ariel Herbert-Voss

Bad inputs vs. model leakage

Herbert-Voss broke down attacks into two main categories:

  • Bad Inputs: In this category, the attacker feeds the ML algorithm bad data so that it makes its decisions based on that data. The form of the input can be varied; for example, using stickers on the road to confuse a Tesla's autopilot, deploying Twitter bots to send messages that influence cryptocurrency trading systems, or using click farms to boost product ratings.
  • Model Leakage: This attack interacts with the algorithm to reverse-engineer it, which in turn provides a blueprint on how to attack the system. One example I loved involved a team of attackers who published fake apps on an Android store to observe user behavior so that they could train their own model to mimic user behavior for monetized applications, avoiding fraud detection.

Defending against adversarial machine learning

The defenses against these attacks turned out to be easier than I had thought:

  1. Use blocklists: Either explicitly allow input or block bad input. In the case of the Twitter bot influencing cryptocurrency trading, the company switched to an allow list.
  2. Verify data accuracy with multiple signals: Two data sources are better than one. For example, Herbert-Voss saw a ~75% reduction in face recognition false positives when using two cameras. The percentage increased as cameras were placed further apart.
  3. Resist the urge to expose raw statistics to users: The more precise the data you expose to users, the simpler it is for them to analyze the model. Rounding your outputs is an easy and effective way to obfuscate your model. In one example, this helped reduce the ability to reverse-engineer the model by 60%.

Based on her research, Herbert-Voss sees an ~85% reduction in attacks by following these three simple recommendations.
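To show why recommendation 3 works, here is an added example of my own (not code from the talk or from OpenAI) of the model-leakage attack and the rounding defense. A hypothetical scoring API exposes the probability from a logistic model; an attacker who can read the raw probability can invert the sigmoid and recover the exact weights with only n+1 queries. The same attack against an API that rounds its output recovers noticeably wrong weights, and against label-only output it recovers nothing useful. The model weights, the API class and the query strategy are assumptions for the demo.

```python
import math


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def logit(p, eps=1e-6):
    # Clamp so a rounded score of exactly 0.0 or 1.0 does not produce +/-inf.
    p = min(max(p, eps), 1.0 - eps)
    return math.log(p / (1.0 - p))


class ScoringService:
    """Hypothetical scoring API backed by a logistic model: score = sigmoid(w.x + b).

    decimals=None exposes the raw probability; an integer rounds the output
    to that many decimal places before returning it to the caller.
    """

    def __init__(self, weights, bias, decimals=None):
        self.weights = weights
        self.bias = bias
        self.decimals = decimals

    def score(self, features):
        z = sum(w * x for w, x in zip(self.weights, features)) + self.bias
        p = sigmoid(z)
        return p if self.decimals is None else round(p, self.decimals)


def extract_model(service, n_features):
    """Attacker side: query the origin and each unit vector, then difference the logits.

    logit(score(0)) = b and logit(score(e_i)) = w_i + b, so n+1 queries recover (w, b)
    exactly when the service leaks raw probabilities.
    """
    origin = [0.0] * n_features
    b_est = logit(service.score(origin))
    w_est = []
    for i in range(n_features):
        probe = origin.copy()
        probe[i] = 1.0
        w_est.append(logit(service.score(probe)) - b_est)
    return w_est, b_est


def max_abs_error(w_est, b_est, w_true, b_true):
    return max(abs(a - b) for a, b in zip(w_est + [b_est], w_true + [b_true]))


# Made-up model parameters for the demo (an attacker does not know these).
TRUE_W, TRUE_B = [2.0, -1.5], 0.3


def extraction_error(decimals):
    """Largest parameter error the attacker ends up with for a given output precision."""
    service = ScoringService(TRUE_W, TRUE_B, decimals)
    w_est, b_est = extract_model(service, len(TRUE_W))
    return max_abs_error(w_est, b_est, TRUE_W, TRUE_B)


if __name__ == "__main__":
    for decimals in (None, 2, 1, 0):
        label = "raw" if decimals is None else f"{decimals} decimals"
        print(f"{label:>10}: max parameter error = {extraction_error(decimals):.4f}")
```

Rounding raises the attacker's cost rather than removing the leak: with enough queries spread over the input space the rounding noise can be averaged out, which is why the talk pairs it with allow-listing of inputs and with monitoring for query patterns that look like probing.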

If you'd like to stay up to date on the latest trends in security, subscribe to our blog and follow us on Twitter, Facebook, and LinkedIn.

How to organize your security team: The evolution of cybersecurity roles and responsibilities

Digital transformation, cloud computing, and a sophisticated threat landscape are forcing everyone to rethink the functions of each role on their security teams, from Chief Information Security Officers (CISOs) to practitioners.

With billions of people around the globe working from home, changes to the daily practice of cybersecurity are accelerating. Organizations are shifting from defending a traditional network perimeter (keeping business assets in a safe place) to more effective zero trust strategies (protect users, data, and business assets where they are). This transformation brings technology changes and also opens up questions of what people’s roles and responsibilities will look like in this new world.

At the same time, continuous delivery models are requiring security teams to engage more closely during business planning and application development to effectively manage cyber risks (vs. the traditional ‘arms-length’ security approaches). This requires security professionals to better understand the business context and to collaborate more closely with stakeholders outside of security.

In this new world, traditional job descriptions and security tools won’t set your team up for success. Leaders must create role clarity in this transformation to help their teams navigate uncertainty. This will reduce distractions and stress, as well as help people focus on the important tasks that make the whole team shine.

While each organization and each person will have a unique journey, we have seen common patterns for successfully transforming roles and responsibilities. To help security leaders and practitioners plan for this transformation, Microsoft has defined common security functions, how they are evolving, and key relationships. In this blog, we’ll provide a summary of our recommendations to help you get started.

Security roles must evolve to confront today’s challenges

Security functions represent the human portion of a cybersecurity system. They are the tasks and duties that members of your team perform to help secure the organization. Depending on your company size and culture, individuals may be responsible for a single function or multiple functions; in some cases, multiple people might be assigned to a single function as a team.

High performing security teams understand their individual roles, but also see themselves as a larger team working together to defend against adversaries (see Figure 1). The following functions represent a fully populated enterprise security team, which may be aspirational for some organizations. Organizations often need to prioritize where to invest first based on their risk profile, available resources, and needs.

Figure 1: Each function works as part of a whole security team within the organization, which is part of a larger security community defending against the same adversaries.

Policy and standards

This team develops, approves, and publishes security policy and standards to guide security decisions within the organization and inspire change. This team must take into account cloud platforms, DevOps processes and tools, and relevant regulations, among other factors. Read more about the security policy and standards function.

Security operations center (SOC)

A security operations center (SOC) detects, responds to, and remediates active attacks on enterprise assets. SOCs are currently undergoing significant change, including an elevation of the function to business risk management, changes in the types of metrics tracked, new technologies, and a greater emphasis on threat hunting. Read more about the SOC function.

Security architecture

Security architecture translates the organization’s business and assurance goals into a security vision, providing documentation and diagrams to guide technical security decisions. A modern architecture function needs to consider continuous delivery, identity-centric security solutions for cloud assets, cloud-based security solutions, and more. Read more about the security architecture function.

Security compliance management

The objective of cloud security compliance management is to ensure that the organization is compliant with regulatory requirements and internal policies. As you modernize this function, consider the role that cloud providers play in compliance status, how you link compliance to risk management, and cloud-based compliance tools. Read more about the security compliance management function.

People security

People security protects the organization from inadvertent human mistakes and malicious insider actions. The cloud and changing threat landscape require this function to consider how to effectively engage employees in security, organizational culture change, and identification of insider threats. Read more about the people security function.

Application security and DevSecOps

The objective of application security and DevSecOps is to integrate security assurances into development processes and custom line of business applications.

Cloud services and APIs have enabled a faster delivery cadence and influenced the creation of the DevOps team model, driving a number of changes. The biggest change we see is the integration of security into the development process, which requires culture and process adjustments as each specialty adopts the best of the other's culture. This function must also adopt an agile mindset and stay up to date on new tools and technologies. Read more about the application security and DevSecOps function.

Data security

The main objective for a data security team is to provide security protections and monitoring for sensitive enterprise data in any format or location. New regulations and data loss prevention models are influencing the evolution of this function, and the sheer volume of data being stored on numerous devices and cloud services has also had a significant impact. Read more about the data security function.

Infrastructure and endpoint security

The infrastructure and endpoint security function is responsible for security protection to the data center infrastructure, network components, and user endpoint devices. Software-defined datacenters and other cloud technologies are helping solve longstanding data center security challenges, and cloud services are transforming the security of user endpoint devices. Read more about the infrastructure and endpoint security function.

Identity and keys

The main objective of a security team working on identity management is to provide authentication and authorization of humans, services, devices, and applications. Key and certificate management provides secure distribution of, and access to, key material for cryptographic operations (which often support similar outcomes as identity management).

One of the big changes is that the identity and key/certificate management disciplines are coming closer together, as both provide assurances about the identity of entities and enable secure communications. This function also plays a significant role in modernizing security by establishing an identity-based perimeter that is a keystone of a zero-trust access control strategy. Read more about the identity and keys function.

Threat intelligence

Security threat intelligence provides context and actionable insights on active attacks and potential threats to empower organizational leaders and security teams to make better (data-driven) decisions. Threat intelligence usually grows from a technical scope into servicing the larger organization with strategic, tactical, and operational (technical) threat intelligence. Read more about the threat intelligence function.

Posture management

Posture management builds on existing functions like vulnerability management and focuses on continuously monitoring and improving the security posture of the organization. Posture management is typically one of the largest changes because it supports decisions in many other functions using information that only recently became available because of the heavy instrumentation of cloud technology. This function includes zero-trust based access controls, real-time risk scoring, threat and vulnerability management, and threat modeling, among others. Read more about the posture management function.

Incident preparation

The primary objective for the incident preparation function is to build process maturity and muscle memory for responding to major incidents throughout the organization, including security teams, executive leadership, and many others outside of security. These practice exercises have become powerful tools to ensure stakeholders are informed and familiar with their role in a major security incident. Read more about the incident preparation function.

Looking forward

In the beginning of the journey, clarity is critical to shine a light on the path forward and the journey ahead. As you walk the path, healthy doses of empathy and continuous learning are key to maintaining forward momentum. Organizations should invest in both formal training and supporting self-directed exploration to ensure people get the knowledge they need and have the confidence to take the risks required to transform.

In addition to the cloud security functions guidance, Microsoft has also invested in training and documentation to help with your journey: see the CISO Workshop, Microsoft Security Best Practices, recommendations for defining a security strategy, and the security documentation site.

To learn more about Microsoft Security solutions visit our website.  Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post How to organize your security team: The evolution of cybersecurity roles and responsibilities appeared first on Microsoft Security.

Zero Trust: From security option to business imperative overnight

Not long ago when I spoke with customers about Zero Trust, our conversations focused on discussing the principles, defining scope, or sharing our own IT organization’s journey. Zero Trust was something interesting to learn about, and most organizations were very much in the exploratory phase. As COVID-19 forced organizations across the world to send their workforce home, organizations rapidly focused on Zero Trust approaches to alleviate challenges of enabling and securing remote work. Using Zero Trust to secure users, data, and devices (wherever they may be) has changed from optional to a business imperative overnight.

Companies found that traditional security models required bringing users and data to ‘safe’ network places, which doesn’t scale and doesn’t provide the needed visibility. Employees are getting their work done any way they can– using personal devices, sharing data through new services, and collaborating outside the confines of traditional protections of the corporate network. Earlier adopters of Zero Trust approaches were able to adapt quickly, but many others instantly faced an expanded attack surface area and new security challenges they were not fully prepared for.

At Microsoft, we have been helping customers navigate these challenges by sharing our learnings and building controls, tools, and practices to enable daily application of Zero Trust principles. We have been focusing on providing organizations with quick wins that close critical gaps today, while laying a strong foundation of Zero Trust expertise and technology to build on in the future.

Today, and in my presentation at Black Hat 2020, I'd like to share some insights we've learned through this journey to help you with yours:

1. Start with strong authentication

Many customers I meet with share that trying to figure out where to start their Zero Trust journey is a major challenge. I always recommend starting with multi-factor authentication (MFA). Verifying a user's identity with strong authentication before granting them access to corporate resources is the most effective step to quickly improve security. Our studies have shown that accounts secured with MFA are 99.9% less likely to be compromised. Strong authentication not only strengthens your overall security posture and minimizes risk, it lays a strong foundation to build on, such as securely connecting employees to apps with single sign-on (SSO) experiences, controlling access to resources with adaptive access policies, and more.

2. Endpoint visibility is critical and getting more challenging

In a Zero Trust security model, we want to have visibility into any and all endpoints accessing the corporate network so we can only allow healthy and compliant devices to access corporate resources. Device security posture and compliance should be used in your access policies to restrict access from vulnerable and compromised devices. This not only helps strengthen security and minimize risk, but also enables you to improve your employees’ productivity by supporting more device types and experiences. In a recent Microsoft study, more than 50% of organizations reported seeing a greater variety of endpoint platforms because of supporting remote work.

3. Apps and data are primary attack surfaces

With employees increasingly accessing corporate data on new devices and collaborating in new ways, most security teams are seeing that their application and data security tools aren’t giving them the visibility and control they need. This de facto expansion of the enterprise attack surface makes it critical to discover the cloud apps in use, assess them for risk, and apply policy controls to ensure that data isn’t leaking through these applications. Finally, make sure the sensitive data in these apps is protected wherever it travels or lives by automatically classifying, labeling, and applying protection to files.

4. Integrated solutions are more critical than ever

CISOs reported in a recent Microsoft study that Threat Protection is now a higher priority for them. With an increasing attack surface area and velocity, integrated threat protection solutions can now share signals across detection, prevention, investigation, and response. While most organizations already use threat protection tools, most of those tools don't share signals or support end-to-end workflows. Because most attacks involve multiple users, endpoints, apps, data, and networks, it's imperative for tools to work together to deliver a streamlined experience and end-to-end automation. Look for opportunities to integrate your threat protection solutions to remove manual tasks, process friction, and the morale issues they generate.

5. Zero Trust improves end-user experience

Security leaders are often challenged to balance security and a more streamlined end-user experience. Fortunately, Zero Trust enables both at the same time because security is built around the users and business assets, rather than the other way around. Instead of users signing in multiple times, dealing with VPN bandwidth constraints, and working only from corporate devices, Zero Trust enables users to access their content and apps from virtually any device and location securely.
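To make points 1 to 3 concrete, here is an added example of my own (not Microsoft product code and not the logic of any particular conditional access product) of an access-policy decision that evaluates identity first, then device posture, then the sensitivity of the app being reached. The request fields, the risk levels, the ordering of the rules and the sample requests are assumptions chosen to illustrate the approach; unrecognised signal values fail closed.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    ALLOW_RESTRICTED = "allow, browser-only session with downloads blocked"
    REQUIRE_MFA = "step up: require multi-factor authentication"
    DENY = "deny"


RISK_LEVELS = {"low", "medium", "high"}
SENSITIVITY_LEVELS = {"low", "high"}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    mfa_satisfied: bool      # strong authentication completed for this session
    device_managed: bool     # device is enrolled in management
    device_compliant: bool   # posture check passed (patched, encrypted, protection on)
    device_risk: str         # signal from endpoint protection: low, medium or high
    app_sensitivity: str     # classification of the target app: low or high


def evaluate(req):
    """Return (Decision, reason). Rules are evaluated in order: identity, device, app."""
    # Unknown signal values are treated as deny rather than as 'probably fine'.
    if req.device_risk not in RISK_LEVELS or req.app_sensitivity not in SENSITIVITY_LEVELS:
        return Decision.DENY, "unrecognised signal value, failing closed"

    # 1. Strong authentication comes first; nothing else is evaluated without it.
    if not req.mfa_satisfied:
        return Decision.REQUIRE_MFA, "identity not yet verified with strong authentication"

    # 2. Device posture: a device flagged as compromised gets nothing, whatever the app.
    if req.device_risk == "high":
        return Decision.DENY, "endpoint reported as compromised"

    healthy = req.device_managed and req.device_compliant and req.device_risk == "low"

    # 3. App and data sensitivity decides how much an unhealthy device is allowed.
    if req.app_sensitivity == "high":
        if healthy:
            return Decision.ALLOW, "healthy managed device reaching a sensitive app"
        return Decision.DENY, "sensitive app requires a compliant managed device"

    if healthy:
        return Decision.ALLOW, "healthy managed device reaching a low-sensitivity app"
    return Decision.ALLOW_RESTRICTED, "unmanaged, non-compliant or medium-risk device: limited session"


# Constructed sample requests covering each branch of the policy.
SAMPLE_REQUESTS = [
    AccessRequest("alice", False, True, True, "low", "low"),
    AccessRequest("bob", True, True, True, "low", "high"),
    AccessRequest("carol", True, False, False, "low", "low"),
    AccessRequest("dave", True, False, False, "low", "high"),
    AccessRequest("erin", True, True, True, "high", "low"),
    AccessRequest("frank", True, True, False, "medium", "low"),
]


def decide_all(requests):
    return [(r.user, evaluate(r)[0]) for r in requests]


if __name__ == "__main__":
    for user, decision in decide_all(SAMPLE_REQUESTS):
        print(f"{user:>6}: {decision.value}")
```

The ALLOW_RESTRICTED branch is what lets the policy support personal devices without widening the blast radius: a low-sensitivity app can be reached from an unmanaged laptop, but only in a session that keeps the data in the browser.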

To listen to my presentation on Zero Trust at Black Hat, register here. Check out the Microsoft Zero Trust Maturity Model vision paper (click to download) detailing the core principles of Zero Trust and our maturity model, which breaks down the top-level requirements across each of the six foundational elements.

We're also publishing deployment guides for each of the foundational elements. Read the latest guides for Identities, Devices, and Networking. Look out for additional guides in the Microsoft Security blog.

Learn more about Zero Trust and Microsoft Security.

Also, bookmark the Security blog to keep up with our expert coverage on security matters. And follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

 

The post Zero Trust: From security option to business imperative overnight appeared first on Microsoft Security.