Monthly Archives: October 2020

Amazon Discloses Security Incident Involving Customers’ Email Addresses

Amazon informed some of its customers about a security incident that involved the unauthorized disclosure of their email addresses. News of the security incident emerged over the weekend of October 23 when multiple users took to Twitter to voice their confusion over an email they had received from Amazon. In an email notification obtained by […]

The post Amazon Discloses Security Incident Involving Customers’ Email Addresses appeared first on The State of Security.

Remote Workers Ignore Training to Open Suspicious Emails

Remote workers are increasingly putting corporate data and systems at risk by failing to follow best practice security, according to new research from Mimecast.

The email security vendor polled over 1000 global respondents working from corporate machines to compile its latest report, Company-issued computers: What are employees really doing with them?

It found a litany of risky behavior: for example, 73% of respondents frequently use their company-issued device for personal matters such as checking webmail (47%), carrying out financial transactions (38%) and online shopping (35%).

It also revealed that, although most (96%) of the respondents said they were aware of the repercussions of clicking through on malicious phishing links, nearly half (45%) open emails they consider to be suspicious.

This is despite the fact that 64% claimed to have received special security training to equip them better for the new normal of working from home.

Nearly half (45%) also admitted to not reporting such emails to their IT security teams.

Michael Madon, senior vice president of awareness training and threat intelligence at Mimecast, argued that corporate efforts to change behaviors are failing.

“With everyone’s home becoming their new office, classroom and place of residence, it’s not really a surprise that employees are using their company-issued devices for personal use. However, better training is crucial to avoid putting the company at risk,” he added.

“Employees need to be engaged, and training needs to be short, visual, relevant and include humor to make the message resonate. Awareness training can’t be just another check-the-box activity if you want a security conscious organization.”

The report’s findings chime with one from Trend Micro earlier this year which found that 39% of remote workers access corporate data on personal devices, and 36% of these devices do not even have basic password protection. It also revealed that half (52%) have IoT devices connected to their home network, which could expose it to additional security risks.

Government Threatened with Legal Action Over Track and Trace

UK privacy campaigners have urged the government to take responsibility for ensuring its Test and Trace program is not abused or face legal action under data protection laws.

Big Brother Watch and the Open Rights Group (ORG) have told data rights agency AWO to send a pre-action letter to the government following multiple reports that data collected by hospitality venues is being misused.

ORG executive director, Jim Killock, clarified on Twitter that he wants the government to take ownership of the problem, as required by the GDPR.

“Government needs to take responsibility for the way that pubs and restaurants collect and use data. They need to make it safe for us and simple and easy for venues,” he argued.

“We believe that GDPR requires government to take responsibility, assess the risks and mitigate the risks. They are, we believe, a ‘Joint Controller.’ This means they are legally obliged to take joint responsibility for the data they compelled businesses to collect.”

Over the past few months several stories have circulated in the media about women suffering harassment by individuals who have obtained their contact details from lists maintained by pubs and bars as part of their Track and Trace obligations.

Other reports suggest that data gathered by venues for the scheme is being subsequently sold on to third parties for marketing purposes, without the data subject’s knowledge or informed consent—a key pillar of the GDPR.

Tom Chivers, digital privacy expert at ProPrivacy, welcomed the rights groups’ efforts to hold the government to account on this.

“We're delighted to see the government finally being held to account for the short-sighted decision to pass the burden of track and trace data collection onto pubs, bars, and restaurants - an industry that effectively had to learn the ins and outs of GDPR overnight,” he argued.

“While some of the blame for these issues does indeed rest with the businesses, we have to ask who is ultimately accountable for this? The government has failed to provide proper help… for these businesses.”

Experts Slam Perp and Clinic at Center of Extortion Scandal

Security experts and politicians have reacted with anger and dismay at news that tens of thousands of patients at a Finnish psychotherapy clinic may be at risk of online extortion, after a cyber-criminal started leaking their records on the dark web.

As Infosecurity reported yesterday, the data was stolen from the public health sub-contractor in two raids between November 2018 and March 2019.

At least 300 records containing names and contact information have been published on a dark web site, presumably to show the hackers mean business.

Individuals are also being sent extortion messages demanding €200 in Bitcoin to keep the data private, with the amount increasing to €500 unless paid within 24 hours. The clinic itself has apparently also been on the receiving end of a ransom demand of €450,000.

“The attacker calls himself ’ransom_man’, and is running a Tor site on which he has already leaked the therapist session notes of 300 patients. This is a very sad case for the victims, some of which are underage. The attacker has no shame,” said F-Secure chief research officer (CRO), Mikko Hyppönen on Twitter.

“I’m aware of only one other patient blackmail case that would be even remotely similar: the Center for Facial Restoration incident in Florida in 2019. This was a different medical area and had a smaller number of victims, but the basic idea was the same.”

The Finnish security expert added in a statement sent to Infosecurity that he’d like to see not only the culprit arrested but also the clinic investigated.

“I’d also like to see the Vastaamo clinic to be held responsible for failing to protect critical patient data,” he said. “The patients and the therapists did nothing wrong. They are innocent but they pay the highest price.”

Politicians queued up to slam the attacks. Interior minister Maria Ohisalo described the incident as “shocking and very serious” and said government support would be expedited to help those affected, while President Sauli Niinisto labelled it “cruel” and “repulsive.”

Warren Poschman, senior solutions architect with comforte AG, argued that the incident highlights the need for data-centric security policies backed by use of tokenization and format-preserving encryption.

“The reliance on firewalls, strong authentication, and passive database encryption to protect data is simply not enough — the data itself must be protected to ensure that when attackers gain access, customer and patient data will remain secure and privacy upheld,” he said.

Comparitech security specialist, Brian Higgins, described the perpetrator as “morally bankrupt.”

“This incident offers a sober lesson indeed that it is so very important to understand how your personal information will be used, stored and retained by any and all organizations you choose to share it with,” he added.

“The Finnish authorities are right to call this situation ‘exceptional’ and one can only hope Vastaamo will be suitably called to account once the full circumstances are established.”

Google Removes 21 Malicious Android Apps from Play Store

Google has stepped in to remove several Android applications from the official Play Store following the disclosure that the apps in question were found to serve intrusive ads. The findings were reported by the Czech cybersecurity firm Avast on Monday, which said the 21 malicious apps (list here) were downloaded nearly eight million times from Google's app marketplace. The apps masqueraded as

Hashtag Trending – Samsung chairman dies; Screen time statistics; Canadians calling it quits

Samsung Chairman Lee Kun-Hee has died at the age of 78, the average American will spend three months on their phone, and nearly half of Canadian workers are strongly considering leaving their jobs.

The post Hashtag Trending - Samsung chairman dies; Screen time statistics; Canadians calling it quits first appeared on IT World Canada.

Over 100 irrigation systems left exposed online without protection

Researchers found more than 100 smart irrigation systems running ICC PRO that were left exposed online without a password last month.

Security experts from the Israeli security firm Security Joes discovered more than 100 irrigation systems running ICC PRO that were left exposed online without protection. ICC PRO is a top-shelf smart irrigation system designed by Motorola.

The ICC PRO systems were deployed with default factory settings, which don’t have a password for the default user’s account.

To worsen the situation, experts pointed out that it is quite simple to search for these devices exposed on the Internet by using IoT search engines like Shodan.

Once an attacker has gained access to the device, they can perform multiple actions from the control panel, including controlling the quantity and pressure of the water delivered to the pumps, deleting users, or changing settings.

The experts revealed that the majority of the devices were located in Israel.

Security Joes co-founder Ido Naor reported his findings to CERT Israel last month, which notified Motorola and CERT teams in other countries. CERT Israel also contacted the companies that exposed the irrigation systems online without protection. Motorola also sent a letter to its customers about the risks of exposing irrigation systems online without protection.

The good news is that several organizations have started securing their devices; the number of unsecured ICC PRO instances has since dropped to 78.

In April, an attack hit an Israeli water facility attempting to modify water chlorine levels. In June, officials from the Water Authority revealed two more cyber attacks on other facilities in the country.

Two cyber-attacks took place in June and according to the officials, they did not cause any damage to the targeted infrastructure.

One of the attacks hit agricultural water pumps in upper Galilee, while the other one hit water pumps in the central province of Mateh Yehuda.

Israel’s National Cyber Directorate announced that it had received reports of cyber attacks aimed at supervisory control and data acquisition (SCADA) systems at wastewater treatment plants, pumping stations and sewage facilities.

Pierluigi Paganini

(SecurityAffairs – hacking, irrigation systems)

The post Over 100 irrigation systems left exposed online without protection appeared first on Security Affairs.

A new threat matrix outlines attacks against machine learning systems

A report published last year has noted that most attacks against artificial intelligence (AI) systems are focused on manipulating them (e.g., influencing recommendation systems to favor specific content), but that new attacks using machine learning (ML) are within attackers’ capabilities. Microsoft now says that attacks on machine learning (ML) systems are on the uptick and MITRE notes that, in the last three years, “major companies such as Google, Amazon, Microsoft, and Tesla, have had their …

The post A new threat matrix outlines attacks against machine learning systems appeared first on Help Net Security.

Work from home strategies leave many companies in regulatory limbo

Like most American businesses, middle market companies have been forced to rapidly implement a variety of work-from-home strategies to sustain productivity and keep employees safe during the COVID-19 pandemic. This shift, in most cases, was conducted with little chance for appropriate planning and due diligence. This is especially true in regard to the security and compliance of remote work solutions, such as new cloud platforms, remote access products and outsourced third parties. Many middle market …

The post Work from home strategies leave many companies in regulatory limbo appeared first on Help Net Security.

MDR service essentials: Market trends and what to look for

Mark Sangster, VP and Industry Security Strategist at eSentire, is a cybersecurity evangelist who has spent significant time researching and speaking to peripheral factors influencing the way that legal firms integrate cybersecurity into their day-to-day operations. In this interview, he discusses MDR services and the MDR market.

What are the essential building blocks of a robust MDR service?

Managed Detection and Response (MDR) must combine two elements. The first is an aperture that can collect …

The post MDR service essentials: Market trends and what to look for appeared first on Help Net Security.

Organizations struggle to obtain quality threat data to guide key security decisions

Organizations are often forced to make critical security decisions based on threat data that is not accurate, relevant and fresh, a Neustar report reveals. Just 60% of cybersecurity professionals surveyed indicate that the threat data they receive is both timely and actionable, and only 29% say the data they receive is both extremely accurate and relevant to the threats their organization is facing at that moment.

Few orgs basing decisions on near real-time data

With …

The post Organizations struggle to obtain quality threat data to guide key security decisions appeared first on Help Net Security.

78% of Microsoft 365 admins don’t activate MFA

On average, 50% of users at enterprises running Microsoft 365 are not managed by default security policies within the platform, according to CoreView.

Microsoft 365 administrators fail to implement basic security like MFA

The survey research shows that approximately 78% of Microsoft 365 administrators do not have multi-factor authentication (MFA) activated. According to SANS, 99% of data breaches can be prevented using MFA. This is a huge security risk, particularly during a time when so …

The post 78% of Microsoft 365 admins don’t activate MFA appeared first on Help Net Security.

Cyber risk literacy should be part of every defensive strategy

While almost 95 percent of cybersecurity issues can be traced back to human error, such as accidentally clicking on a malicious link, most governments have not invested enough to educate their citizens about the risks, according to a report from the Oliver Wyman Forum.

Cyber risk literacy of the population

Cyber literacy, along with financial literacy, is a new 21st century priority for governments, educational institutions, and businesses. “Cyberattacks are now one of the fastest …

The post Cyber risk literacy should be part of every defensive strategy appeared first on Help Net Security.

How to Best Secure the Industrial Network for EMEA Organizations

You don’t have to search very far in the news to see stories of websites being hacked and customer details being stolen. Stories about incidents involving industrial control systems (ICSes) and operational technology (OT) environments aren’t so common. But they are prevalent. Just the other week, for example, an airline company sent out an email […]

The post How to Best Secure the Industrial Network for EMEA Organizations appeared first on The State of Security.

Imperium RelevantID helps market research and panel orgs combat synthetic identity frauds

Imperium announced the release of a significantly upgraded version of its flagship ID-validation tool RelevantID. This major release is designed to help market research and panel organizations combat the rise of highly sophisticated synthetic identity frauds that are becoming increasingly difficult to catch using conventional fraud-detection models. From today, the company’s powerful fraud-blocking tool Fraudience will be integrated into RelevantID as standard. New and existing clients will now automatically enjoy access to Fraudience, which monitors …

The post Imperium RelevantID helps market research and panel orgs combat synthetic identity frauds appeared first on Help Net Security.

Confluera 2.0: Enhanced autonomous detection and response capabilities to protect cloud infrastructure

Confluera announced Confluera 2.0 which includes new features and capabilities that will address evolving customer needs as they battle cyberattack amid the current volatile security environment. Confluera XDR delivers a purpose-built cloud workload detection and response solution with the unique ability to deterministically track threats progressing through the environment. Confluera holistically integrates security signals from the environment to provide a complete attack narrative of a cyberattack in real-time, as opposed to showing isolated alerts. With …

The post Confluera 2.0: Enhanced autonomous detection and response capabilities to protect cloud infrastructure appeared first on Help Net Security.

What is Wi-Fi sense and what can it do?

Wireless networks are typically associated with internet access in corporate networks or entertainment services like Netflix. Yet WiFi’s application extends far beyond streaming data to electronics. Now that a common household owns about 10 smart devices on average, the stage is set for WiFi sense.

WiFi sense is a type of short-range passive radar technology, and it’s surprisingly accurate. It can easily pick up an object’s movement from room to room and zero in on gestures for activity classification. For large events, a sensor could be placed at the entrance to count visitors. Hospitals and elderly care facilities can use WiFi sensors to monitor patient movement and biometric data like heartbeats, breathing, and limb movements.

Simply put, WiFi sense measures how WiFi signals interact with movement. By pinging the environment, WiFi sense systems can easily track locations and movement based on how the signals are reflected and deflected.

WiFi sense systems communicate in either infrastructure mode or ad-hoc mode. In ad-hoc mode, each node in the sensing system communicates with a central access point (AP). In infrastructure mode, each of the nodes communicates with one another directly.

Two examples of WiFI sense configuration in a common household. Image source: Wireless Broadband Alliance

Topologies aside, WiFi sense can be active or passive. An active system sends a WiFi packet dedicated to sensing purposes. Conversely, a passive WiFi sense system appends WiFi sense data to existing WiFi traffic.

Since a passive system doesn’t send extra packets, it requires minimal processing overhead. Although active systems need higher computational power, they also have greater control over the transmission rate, bandwidth, beamforming and other environmental measurements.

Preliminary testing shows that WiFi sense performance is correlated to channel bandwidth. The larger the bandwidth, the higher the resolution. Channel bandwidth in the 2.4GHz spectrum is 20MHz, 5GHz is 160MHz, and 60GHz is 2GHz.

Benefits

Motion sensing can be achieved using infrared and radar sensors. Patient monitoring can be driven by cameras plus AI, and smartphones can already detect gestures by amalgamating a time of flight sensor (ToF) with a standard camera. These existing solutions naturally beg the question: where does WiFi sense fit in all this?

The answer is clear cut; WiFi sense has an advantage over existing solutions in that, for most applications, it does not need any extra hardware. Active radar systems require dedicated antennas and transceivers that are complex and costly. WiFi sense, on the other hand, uses existing devices like cell phones, PCs, and mesh WiFi systems. The user would only need to install the required software to transform their setup into a WiFi sense system.

“There are about 15 billion WiFi clients devices out there,” said Taj Manku, CEO of Cognitive Systems. “With this [WiFi sense], you can now enable all these devices, which are never meant to be motion sensors, to now be motion sensors. And that can then provide the user with other capabilities going forward, whether that’s home monitoring…or IoT integration for smart homes. You are doing this simply by software.”

WiFi also penetrates through walls, enabling out of line-of-sight (LOS) operations, an important consideration for security monitoring applications. And because it doesn’t rely on image data, it retains a degree of privacy.

WiFi sense is not only useful in detecting home intrusion but can also alert the operator when someone has returned from work or has woken up. Image source: Wireless Broadband Alliance

For home applications, WiFi sense can be installed on virtually any WiFi device. Manku noted that, in terms of motion sensing, service quality doesn’t degrade much with the quality of the device.

“A lot of the very cheap devices, like the smart plugs, for example, they are just as good as a complicated device like an Alexa or Google Home,” said Manku.

Still, Manku noted that the software solution would evaluate every device to see if it has the necessary performance, but the baseline requirement is very low.

Challenges

While the idea is promising, WiFi sense isn’t without challenges. WiFi signals, like any wireless transmission, are vulnerable to interference that decreases their accuracy. And if the WiFi equipment acting as sensors comes under heavy traffic, the depleted resources could reduce service quality.

Coverage and signal strength are another consideration for out-of-LOS applications. As previously mentioned, WiFi sense works best with high-frequency, high-bandwidth transmission. But high frequencies have trouble penetrating walls. Thus, solution designers need to balance bandwidth and accuracy, rely on more sense nodes, or consider the sensor’s proximity to the target.

In enterprise scenarios like healthcare, the high resolution demands set more stringent hardware requirements. In addition to frequency and bandwidth criteria, the devices need higher processing power for active systems with large performance overheads.

Because the WiFi standard was developed with interoperability and backwards compatibility in mind, it is easier to layer extra functionality on top of it. With that said, WiFi equipment manufacturers need to enable lower-level access and chipset firmware access to control data flow. Similarly, the operating system may also need lower-level access to network gear to allow a standardized application interaction.

“The first hurdle is that you have to be able to work with the WiFi chipset vendors,” Manku weighed in. “And there are many different chipset vendors: there’s Qualcomm, there’s Broadcom, there’s a bunch of them. When you start, you may start working with one, but then eventually, you have to start working with all of them.”

Manku said that Cognitive Systems is working with 17 chipset vendors today.

Equally important is how these solutions are tested and verified. Manku commented that while Cognitive Systems has its own testing facilities, other manufacturers may not have the same luxury. Thus, independent third-parties need to have a standardized testing method, and the industry needs a strong push to establish them.

When will it arrive?

Although WiFi sense is just beginning to gain traction, solutions built around it are already here. Cognitive Systems already has both software and hardware products that perform motion sensing. It hopes to work with major internet service providers in Canada to help them differentiate their service packages.

Another example comes from the School of Electrical Engineering & Computer Science (SEECS) at the National University of Sciences & Technology in Islamabad, Pakistan. The study, titled Wireless Health Monitoring using Passive WiFi Sensing published in 2017, explored the potential of using WiFi sense to track tremors, falls, and breathing rates of the elderly. The study concluded that the system, developed by the university, had an 87 per cent accuracy in measuring breathing rate, 98 per cent accuracy in detecting falls, and 93 per cent accuracy in classifying tremor. Moreover, the study argued that the WiFi sense solution is low cost and is far less “cumbersome or even demeaning” than wearing monitoring bracelets, which is even more challenging for dementia patients.

The post What is Wi-Fi sense and what can it do? first appeared on IT World Canada.

HackerOne introduces integrations and partnerships to connect and defend customers

HackerOne introduced a set of strategic integrations and partnerships that make it easy to integrate HackerOne data with existing security and development workflows. Announced at the fourth annual Security conference, the integrations seek to ensure the HackerOne platform fits into customers’ existing security workflow with minimal friction, enabling them to identify, prioritize, and respond to threats in real time. “Our mission is to empower the world to build a safer internet,” Co-founder Michiel Prins explained. …

The post HackerOne introduces integrations and partnerships to connect and defend customers appeared first on Help Net Security.

Dropbox qualifies Western Digital Ultrastar 20TB SMR HDD to meet growing cloud storage demands

Empowering the world’s most essential data infrastructures, Western Digital announced that Dropbox is one of the first to qualify the Ultrastar DC HC650 20TB, host-managed, shingled magnetic recording (SMR) hard disk drives (HDD). With Western Digital SMR HDDs serving as the storage foundation for its custom-built, multi-exabyte storage platforms, Dropbox continues its strategic path, taking advantage of the highest storage densities with the lowest TCO without sacrificing data durability and availability for its 600 million+ …

The post Dropbox qualifies Western Digital Ultrastar 20TB SMR HDD to meet growing cloud storage demands appeared first on Help Net Security.

Deeptree selects Stellar Cyber to deliver intelligent next generation SOC

Stellar Cyber announced that Deeptree has selected the Stellar Cyber platform as the basis of its intelligent next generation SOC. Through this partnership, Deeptree can bring tailored, enterprise-class cybersecurity services to customers of all sizes. The Stellar Cyber platform goes beyond other SOC solutions in that it tightly integrates native capabilities, such as network detection response (NDR), cloud detection response (CDR) and SIEM, while also analyzing data from existing third-party solutions to provide the most …

The post Deeptree selects Stellar Cyber to deliver intelligent next generation SOC appeared first on Help Net Security.

Protegrity supports Amazon Redshift to provide advanced data protection

Protegrity announced support for Amazon Redshift, a fully-managed petabyte scale cloud data warehouse. Organizations with high data-security and IT requirements can now deploy Protegrity’s data de-identification technology in the Amazon Redshift environment. With its format-preserving vaultless tokenization capabilities, Protegrity goes beyond encryption to ensure data is protected at every step of the data lifecycle—from storing and moving to analyzing—no matter where it lives. By allowing protected data to be fully utilized without risk, Protegrity for …

The post Protegrity supports Amazon Redshift to provide advanced data protection appeared first on Help Net Security.

Google Mending Another Crack in Widevine

For the second time in as many years, Google is working to fix a weakness in its Widevine digital rights management (DRM) technology used by online streaming sites like Disney, Hulu and Netflix to prevent their content from being pirated.

The latest cracks in Widevine concern the encryption technology’s protection for L3 streams, which is used for low-quality video and audio streams only. Google says the weakness does not affect L1 and L2 streams, which encompass more high-definition video and audio content.

“As code protection is always evolving to address new threats, we are currently working to update our Widevine software DRM with the latest advancements in code protection to address this issue,” Google said in a written statement provided to KrebsOnSecurity.

In January 2019, researcher David Buchanan tweeted about the L3 weakness he found, but didn’t release any proof-of-concept code that others could use to exploit it before Google fixed the problem.

This latest Widevine hack, however, has been made into an extension for Microsoft Windows users of the Google Chrome web browser and posted for download on the software development platform Github.

Tomer Hadad, the researcher who developed the browser extension, said his proof-of-concept code “was done to further show that code obfuscation, anti-debugging tricks, whitebox cryptography algorithms and other methods of security-by-obscurity will eventually be defeated anyway, and are, in a way, pointless.”

Google called the weakness a circumvention that would be fixed. But Hadad took issue with that characterization.

“It’s not a bug but an inevitable flaw because of the use of software, which is also why L3 does not offer the best quality,” Hadad wrote in an email. “L3 is usually used on desktops because of the lack of hardware trusted zones.”

Media companies that stream video online using Widevine can select different levels of protection for delivering their content, depending on the capabilities of the device requesting access. Most modern smartphones and mobile devices support much more robust L1 and L2 Widevine protections that do not rely on L3.

Further reading: Breaking Content Protection on Streaming Websites

Ontario open data portal tracking COVID sees traffic spike in October as second wave looms

A website built by volunteers monitoring Ontario’s response to COVID-19 has been the go-to source for thousands of healthcare professionals keeping a vigilant eye on the pandemic’s spread for the past six months, and according to one of its creators, it’s seen a significant spike in traffic this month as a second wave pushes through the province.

During the week of Oct. 6, more than 1,000 users were accessing the website, says Dr. Ben Fine, a physician-scientist with Trillium Health Partners, lining up with the disturbingly steady rise in daily cases since the start of October. More than 150 people have volunteered since April to work on howsmyflattening.ca, a site that visualizes the many sources of data feeding us information about the pandemic in Ontario and beyond. These volunteers come from Trillium Health Partners, the University of Toronto, and beyond. The problem hasn’t been a lack of information for healthcare professionals to monitor and learn from over the past six months, says Dr. Fine – it was the opposite.

“We saw places like Italy, with a more robust healthcare system, become overwhelmed,” he told IT World Canada. “In Canada, the province is putting out its own data, and so is everyone else. But these are all disparate data sources, so what we’re doing is compiling all of that disparate data and putting all of it in one place with Red Hat’s help.”

Bringing in a technology partner was necessary with a project as complicated as this, Dr. Fine stated. There’s too much to sort through and not enough time for people to do it manually, especially as the pandemic enters a second wave. Howsmyflattening.ca relies on more than a dozen data sets.

The software giant and its cherished OpenShift platform came in early thanks to a tip from IBM, explains Claude Reeves, country manager for Canada at Red Hat. He and his team jumped in to help Dr. Fine and U of T’s Dr. Laura Rosella, director of the Population Health Analytics Lab, lay the foundation for the open data portal. The project would continue to flourish thanks to members of the university’s computer science department and a host of other volunteers teaming up on howsmyflattening.ca’s GitLab repository.

The website itself is described as a ‘virtual war room’ gathering information about COVID-19 for Ontario decision-makers, healthcare professionals, researchers, and residents. It hit the “sweet spot” for Red Hat, says Reeves, who quickly fell in love with the project itself and Dr. Fine’s desire to build howsmyflattening.ca through a community-driven approach.

“We got some folks at Red Hat who know how to build a community,” he added.

Within days, Red Hat made OpenShift available to project volunteers, and within two to three weeks, everyone was combing through data and posting it to the website. A month later, Reeves says, members began performing deeper analytics on the collected data and building visuals for the website to help present them. More recently, the data has helped visualize how high the risk of COVID transmission from younger age groups into older age groups is.

Getting involved was a “no-brainer,” concluded Reeves.

Dr. Fine says once he and his team had the right tools, it became an “all-consuming” task to maintain the website’s back-end and automate the process of scraping the web for the latest data. Even with the project ultimately inspiring the province to stop deleting the previous day’s information on the number of new cases from its website – a practice the province was performing back in March and April – there’s been little movement to try and combine forces and help inform the province’s response to the pandemic.

“We’d be happy to engage,” he said.

The project is also intended to convey the importance of flattening the epidemiological curve. Ontario is currently experiencing a second wave of COVID-19 infections. On Oct. 26, the province reported 851 new cases. It experienced a disturbingly rapid increase of daily infections during October, exceeding even the highest number of daily infections recorded back in March. This coincided with a massive spike in traffic on the website early in October, says Dr. Fine.

“A lot of amazing people came together, students and professionals, all of whom had better things to do, and dedicated their time and effort to make this happen,” he said.

The post Ontario open data portal tracking COVID sees traffic spike in October as second wave looms first appeared on IT World Canada.

Nitro PDF data breach might impact major companies, including Microsoft, Google, and Apple

Nitro PDF suffered a massive data breach that impacts many major organizations, including Apple, Chase, Citibank, Google, and Microsoft.

A massive data breach suffered by the Nitro PDF might have a severe impact on well-known organizations, including Google, Apple, Microsoft, Chase, and Citibank.

Nitro Software, Inc. develops commercial software used to create, edit, sign, and secure Portable Document Format (PDF) files and digital documents. The company has over 650,000 business customers worldwide, and claims millions of users across the globe.

According to the security advisory issued by the software maker, an unauthorized third party gained limited access to a company database.

"NITRO ADVISES OF LOW IMPACT SECURITY INCIDENT
* AN ISOLATED SECURITY INCIDENT INVOLVING LIMITED ACCESS TO NITRO DATABASE BY AN UNAUTHORISED THIRD PARTY
* DATABASE DOES NOT CONTAIN USER OR CUSTOMER DOCUMENTS.
* INCIDENT HAS HAD NO MATERIAL IMPACT ON NITRO'S ONGOING OPERATIONS.
* INVESTIGATION INTO INCIDENT REMAINS ONGOING
* NO EVIDENCE CURRENTLY THAT ANY SENSITIVE OR FINANCIAL DATA RELATING TO CUSTOMERS IMPACTED OR IF INFO MISUSED
* DOES NOT ANTICIPATE A MATERIAL FINANCIAL IMPACT TO ARISE FROM INCIDENT
* INCIDENT IS NOT EXPECTED TO IMPACT CO'S PROSPECTUS FORECAST FOR FY2020"

Cybersecurity intelligence firm Cyble came across a threat actor that was selling a database, allegedly stolen from Nitro Software’s cloud service, that includes users’ data and documents. The huge archive contains 1TB of documents, and the threat actor is attempting to sell it in a private auction with a starting price of $80,000.

The database contains a table named ‘user_credential’ that contains 70 million user records, including email addresses, full names, bcrypt hashed passwords, titles, company names, IP addresses, and other system-related data.

Cyble shared the database with BleepingComputer, which was able to verify the authenticity of the database.

“From the samples of the database shared with BleepingComputer, the document titles alone disclose a great deal of information about financial reports, M&A activities, NDAs, or product releases.” states BleepingComputer.

The records in the document database contain a file’s title, whether it was created, signed, what account owns the document, and whether it’s public.

I have reached out to Cyble for a comment; their statement is below:

“Considering the scale and extent of the breach, this is one of the worst breaches Cyble has seen in the last few years. The cybercriminals were not only able to access sensitive account details, but also the information related to shared documents as well. Majority of the Fortune 500 organizations are affected by this breach.”

The databases contain a large number of records belonging to well-known companies:

Company     # of accounts   # of documents
Amazon      5,442           17,137
Apple       584             6,405
Citi        653             137,285
Chase       85              177
Google      3,678           32,153
Microsoft   3,330           2,390

Cyble has added the data related to the NITRO PDF data breach to its AmIBreached.com data breach notification service.

Pierluigi Paganini

(SecurityAffairs – hacking, Nitro PDF)

The post Nitro PDF data breach might impact major companies, including Microsoft, Google, and Apple appeared first on Security Affairs.

Insider Sentenced for Sabotaging PPE Shipments

Prosecutors: Actions Disrupted Deliveries of Critical Supplies During Pandemic
A former vice president of a personal protective equipment packaging firm has been sentenced to prison and ordered to pay restitution for sabotaging the company's electronic shipping records during the COVID-19 pandemic - causing delays in deliveries - after he was terminated from his job.

Why storing data in the cloud could be your strongest security measure yet

By Frank Attaie, VP Cloud, IBM Canada Over the course of our 100+ year history IBM has put the business needs of clients first. In an era of disinformation and data breaches, this means making smart decisions to store data securely – mitigating risks, satisfying compliance requirements and most importantly – protecting our client’s personal…

The post Why storing data in the cloud could be your strongest security measure yet first appeared on IT World Canada.

Spotlighting McAfee’s Women in Technology Scholarship Recipients

Working at McAfee is so much more than fighting off cyber-attacks; it’s also about learning valuable life lessons and fostering meaningful relationships. Recipients of our Women in Technology (WIT) Scholarship learned firsthand the immeasurable growth and invaluable experience gained at McAfee through their participation in the summer internship program in Cork, Ireland.

As we accept applications for prospective scholars from now until November 20, we are reminded of the positive impact this program has had on previous participants. The program offers the chosen student 3000 Euro per annum for each year of the course, a summer internship at McAfee Cork, and a mentor who offers guidance to the scholar on managing their academic career.

From building professional relationships to developing the skills needed for a successful career in STEM-related fields through mentorships and training, four Women in Technology (WIT) Scholarship winners share their unique experiences in the program:

Alison, Mathematical Sciences

The WIT Scholarship has been incredible for me in so many ways—from the practical experience of working at McAfee to the inspiration and support that I have received from my mentors and other brilliant people during my time here. I was able to put the monetary support I received towards studying at UC San Diego in 2019. The scholarship has opened so many doors for me.

The skills I have learned at McAfee have helped me with my University projects. I had the chance to improve my coding abilities, learn new languages, and use statistical tools. In an educational environment, you sometimes miss the “Why are we doing this?” aspect of learning a new skill. Through my projects at McAfee, I understood the practical implementation of coding and statistics, which gave me a greater appreciation for what I was learning in school and motivated me to further improve my skills.

Clodagh, Financial Maths and Actuarial Science

During my internship, I had the chance to work with the Database Security team. I really felt like a member of the team and was made to feel valued. Everyone in McAfee was extremely friendly and approachable.

In addition to receiving the scholarship, I was lucky enough to receive two mentors. My initial mentor Ciara was incredibly thoughtful, motivational, and truly inspiring. She encouraged me to take part in extracurricular activities, so I became a committee member of the Math society in UCC. She provided me with numerous inspirational books and was always readily available to answer any questions. At the end of my second-year scholarship, I received a new mentor: Jill. She was incredibly helpful, kind, and a valuable resource in my career progression.

My plan for the future is to learn more coding languages and hopefully complete another internship with McAfee! It is truly an amazing experience.

Jade, Mathematical Sciences

I had the opportunity to work alongside the Applied Data Science team. They gave me lots of advice and enlightened me on their own career journeys. Their experiences gave me confidence and reassurance in my course choice and I realized that there are so many career opportunities in programming. I’ve learned so many new skills, some of which were not covered in school, and I feel like I have a true advantage in the industry.

I have learned so much about working in a multinational company. I participated in the daily stand-ups with the team. I learned about sprint demos as well as the Agile and Waterfall methods. I attended all-hands meetings, which was a brand-new experience for me. I learned how to research effectively and swiftly pass that information on to my team. I also participated in an internal dataset competition, first learning about Machine Learning and then building my own. I managed to host my own meeting for others who wanted to get involved, which was nerve-wracking, but I’m glad I did it.

Aine, Data Science & Analytics

I’m incredibly grateful for the vast support and opportunities that I have received through my learning path in STEM to date, particularly my involvement in the McAfee WIT Scholarship Program. My experience with McAfee has further enriched my educational experience and cultivated my passion for science and technology. As a result of receiving this scholarship, I’ve developed a particular interest in the application of data science in cyber-security. Cyber crime and cyber threats have an ever-increasing potential to cause serious harm to our society, so I’m fascinated by the application of data science, machine learning and artificial intelligence in saving lives.

Want to become a 2020 WIT Scholar? Apply now!

Know any future scientists? The closing date to apply for the WIT Scholarship is Friday, November 20, 2020. For more details on applying, click here.

Search Career Opportunities with McAfee

Interested in joining our team? We’re hiring! Apply now.

Stay Connected

For more stories like this, follow @LifeAtMcAfee on Instagram and on Twitter @McAfee to see what working at McAfee is all about.

The post Spotlighting McAfee’s Women in Technology Scholarship Recipients appeared first on McAfee Blogs.

FBI Supports US Cyber Camp

The US Space and Rocket Center and the Federal Bureau of Investigation have entered into a joint agreement in support of US Cyber Camp.

The camp is the newest of four STEM (science, technology, engineering, and mathematics) camp programs to be launched by the Rocket Center, a museum in Alabama that showcases the rockets, achievements, and artifacts of the United States space program.

A memorandum of understanding (MOU) in support of the camp was jointly signed on October 21 by FBI Associate Deputy Director Paul Abbate and USSRC Executive Director and CEO Louie Ramirez.

The Rocket Center laid on its first US Cyber Camp session in July 2017 with assistance from Cyber Huntsville and the University of Alabama in Huntsville. Engaging American students in the fields of computer science and cybersecurity is the camp's mission.

Under the terms of the MOU, the FBI has agreed to assist the Rocket Center to develop a new curriculum that will feature realistic cyber-attack scenarios and real-life responses. 

Students of the US Cyber Camp will also be given the opportunity to tour the FBI facilities at Redstone Arsenal and learn directly from subject matter experts.

As part of the MOU, the FBI will share information about its cyber programs with Cyber Camp students and let them know about cyber-focused career opportunities at the bureau. The Rocket Center has agreed to support the FBI in its public outreach project and youth cyber-educational initiatives. 

"This memorandum of understanding is formalizing the FBI’s interest in Cyber Camp,” said Ramirez. “Just as our Space Camp students learn about space exploration and the careers that support it, with the FBI’s help, our cyber program will educate students about the exciting and important field of cyber security and what it takes to be part of our nation’s top cyber-crime fighting agency.”

“In today’s complex cyber environment, partnerships at every level are absolutely essential,” said Abbate. “We’re in the fight against cyber threats together and we won’t succeed without each other. We’re very pleased at this opportunity to partner with the USSRC to cultivate a new generation of cyber talent.”

KashmirBlack, a new botnet in the threat landscape that rapidly grows

Security experts spotted a new botnet, tracked as KashmirBlack botnet, that likely infected hundreds of thousands of websites since November 2019.

Security experts from Imperva have spotted a new sophisticated botnet, tracked as KashmirBlack, that is believed to have already infected hundreds of thousands of websites by exploiting vulnerabilities in their content management system (CMS) platforms.

The KashmirBlack botnet has been active since at least November 2019; its operators leverage dozens of known vulnerabilities in the target servers.

Experts believe that the botmaster of the KashmirBlack botnet is a hacker who goes by the moniker “Exect1337,” a member of the Indonesian hacker crew ‘PhantomGhost’.

The experts observed millions of attacks per day on average, on thousands of victims in more than 30 different countries around the world.

“It has a complex operation managed by one C&C (Command and Control) server and uses more than 60 – mostly innocent surrogate – servers as part of its infrastructure. It handles hundreds of bots, each communicating with the C&C to receive new targets, perform brute force attacks, install backdoors, and expand the size of the botnet.” reads the first part of two reports published by the experts detailing the DevOps implementation behind the botnet.

The primary purpose of the KashmirBlack botnet is to abuse resources of compromised systems for cryptocurrency mining and redirecting a site’s legitimate traffic to spam pages.

Experts observed a continuous growth of the botnet since its discovery along with an increasing level of complexity.

In May experts observed an increase in the command-and-control (C&C) infrastructure and the exploits used by botnet operators.

KashmirBlack scans the internet for sites running vulnerable CMS versions, then attempts to exploit known vulnerabilities in them and take over the underlying server.

Below is a list of vulnerabilities exploited by the botnet operators to compromise websites running multiple CMS platforms, including WordPress, Joomla!, PrestaShop, Magento, Drupal, vBulletin, osCommerce, OpenCart, and Yeager:

“During our research we witnessed its evolution from a medium-volume botnet with basic abilities to a massive infrastructure that is here to stay,” Imperva concludes.

The second part of the report also includes Indicators of Compromise (IoCs) for this botnet.

Pierluigi Paganini

(SecurityAffairs – hacking, KashmirBlack botnet)

The post KashmirBlack, a new botnet in the threat landscape that rapidly grows appeared first on Security Affairs.

Finnish Patients Blackmailed After Clinic Data Breach

Patients whose data was stolen in a cyber-attack on a Finnish psychotherapy clinic are being individually blackmailed.

An attack on the Vastaamo practice in November 2018 resulted in the theft of a customer database, with a second potential breach occurring in March 2019. Vastaamo serves thousands of patients from around 20 branches at locations across Finland.

The data breach came to light in September 2020 when a blackmailer approached three Vastaamo employees. 

Patient data that was compromised appears to have included therapy session notes detailing what was discussed along with personal identification records. 

According to the Associated Press news agency, the records of around 300 Vastaamo patients have been published on the dark web. 

Vastaamo has stated that it is cooperating fully with law enforcement and has advised any patients who have been contacted individually by a blackmailer to go to the police. The clinic described the incident as "a great crisis."

A helpline has been set up by the clinic for victims, who are also being offered a free unrecorded therapy session.  

News site Yle reported that the Finnish government held an emergency meeting about the situation on Sunday night in which Interior Minister Maria Ohisalo dubbed the security incident and subsequent blackmailing as "exceptional."

A Vastaamo patient who was contacted by the blackmailer told the BBC that he didn't think handing over a ransom would guarantee the safety of his data. 

The victim, who asked to be referred to only by his first name, Jere, said that someone describing themselves as "the ransom guy" had contacted him to demand a payment of €200 ($236) in Bitcoin. Jere was told that he was being contacted after Vastaamo had refused to pay a ransom of 40 Bitcoin ($515,632).

The blackmailer told Jere that if he didn't pay within 24 hours, the ransom would increase to €500 ($590). If no payment had been received within 72 hours, notes from psychotherapy sessions Jere completed as a teenager would be published. 

"Those notes contain things I'm not ready to share with the world," said Jere. "And having someone threaten me with said notes certainly makes me extremely uncomfortable."

Jere, who said he could not afford to pay the ransom, added: "I feel like paying won't guarantee that my data will remain safe."

Cruel Ghouls: New Digital Scams Target Every Age Group

There are few situations more personal than a distressed family member calling to ask for financial help. But personal is precisely the angle bad actors are taking these days in scams that target both the young and old.

Grandparents Fall for ‘Help!’ Scams

Called “The Grandparent Scam,” this con usually begins with a simple, “Hi, Grandma!” from a criminal posing as the victim’s grandchild who claims to be in trouble. Then comes the ask — that the loving (and worried) Grandparent wire money for bail, airfare, a collision, or some other emergency. Some scammers have even managed to spoof the incoming caller ID to read “U.S. District Court.”

Safe Family Tips: 1) Ask the caller to prove who they are and call the child’s parent or another relative to verify the situation. 2) Never wire money, gift cards, or send cash by courier. 3) Be skeptical of “urgent” requests and tearful pleas for cash or personal information.

Tricksters Target Millennials

While it’s hard to imagine being duped by this kind of phone call, you might be surprised to learn that it’s younger people falling hardest for scams. The Federal Trade Commission reports that Millennials (20-30-year-olds) are most likely to lose money to online fraud. The top 5 scams targeting Millennials include online shopping, business imposters, government imposters, fake check scams, and romance scams.

Safe Family Tips: Be skeptical when shopping online. Cybercriminals have created countless look-a-like merchant sites to gain access to your credit card and other personal information. Confirm the seller’s physical address and phone number before you make a purchase. Consider putting security software on your family’s devices that protect against malware, viruses, and provide families with Virtual Private Network (VPN) encryption for safe shopping.

Hackers Exploit Schools, Students

With many school districts operating on a hybrid virtual and in-class education model, the digital gap between teachers and remote students has given bad actors a new channel to launch ransomware, phishing, and social engineering scams against exposed IT infrastructures. According to the FBI, “cyber actors are likely to increase targeting of K-12 schools during the COVID-19 pandemic.”

In addition, a recent Microsoft Security Intelligence study found that 61 percent of the 7.7 million malware encounters over the previous month targeted education, a number far higher than for other sectors. Scams include malware attacks on e-learning platforms and ransomware attacks on larger districts.

Safe Family Tips: Inquire about on-site security measures in place at your child’s school. Look into software to protect your home network and personal devices against cyberattacks launched through email, school networks, or social media sites.

How’s Your Cyber Hygiene?

Your best defense against a scam — should it come via phone, email, or a website — is a solid offense. Consider boosting your cyber hygiene routine by using strong passwords, a VPN, and staying informed about the latest scams. By now, we know the bad actors online don’t discriminate based on age; they are out to steal data and dollars from anyone who lets down their guard.

The post Cruel Ghouls: New Digital Scams Target Every Age Group appeared first on McAfee Blogs.

Harvest Finance Places Bounty on Hacker

A decentralized finance (DeFi) protocol is offering a $100k reward for help in contacting its alleged cyber-attacker.

Reports emerged a week ago that Harvest Finance had allegedly been targeted by an unknown cyber-criminal who drained $24m in value from its pools in seven minutes. The malicious hacker allegedly cashed out the cryptocurrency into a virtual wallet via renBTC and Tornado. 

The anonymous team behind Harvest Finance said that the attacker had drained the pools by manipulating Stablecoin prices on Curve Finance, a DeFi protocol that interacts with Harvest Finance contracts.

Following the alleged attack, Harvest Finance tweeted: “We are working actively on the issue of mitigating the economic attack on the Stablecoin and BTC pools, and will update in this thread in realtime (sic) as soon as additional details are available.”

Bizarrely, the attacker returned about $2.5m to the deployer in the form of Tether (USDT) and USD Coin (USDC). 

Harvest Finance tweeted that the money that had been sent back "will be distributed to the affected depositors pro-rata using a snapshot."

Earlier today, Harvest Finance tweeted 10 BTC addresses used by the alleged hacker and asked major cryptocurrency exchanges, including Binance and Coinbase, to blacklist them.

After claiming to have discovered some clues as to the alleged hacker's identity, the DeFi protocol then put a bounty out on them via Twitter.

The message posted earlier today via @harvest_finance read: "In addition to the BTC addresses which hold the funds, there is now a significant amount of personally identifiable information on the attacker, who is well-known in the crypto community.

"We are putting out a 100k bounty for the first person or team to reach out to the attacker and help the attacker return the funds to the deployer address."

The protocol said it was not interested in taking any kind of revenge against the alleged hacker.

In an October 26 tweet apparently directed at their digital assailant, Harvest Finance wrote: "We are not interested in doxxing the attacker, your skill and ingenuity is respected, just return the funds to the users."

Canadian steelmaker Stelco hit by cyberattack

One of Canada’s oldest steel manufacturing firms says it has been hit with an undefined cyberattack.

In a statement released Sunday afternoon, Stelco said it was “subject to a criminal attack on its information systems.”

“In response, Stelco immediately implemented countermeasures in accordance with established cybersecurity procedures and policies that have been developed in collaboration with expert external advisors,” the statement reads. “The countermeasures taken were effective and limited the scope of the attack. Certain operations, including steel production, were temporarily suspended as a precautionary measure but have since resumed operations.”

The release also said Stelco is working with police to investigate the attack.

Stelco has facilities located in Hamilton and Nanticoke, Ont. that produce high-quality value-added hot rolled, cold rolled and coated sheet steel products used in the construction, automotive and energy industries across North America. Its parent company, Stelco Holdings Inc. is listed on the Toronto Stock Exchange.

Asked for comment, vice-president of corporate affairs Trevor Harris said the company had nothing more to say beyond what was in the release.

The statement said that Stelco continues to investigate the incident and the extent of the impact on its systems. Its backup and recovery plans were being implemented Sunday to fully re-establish its systems as quickly as possible. However, it added, some business functions may be adversely affected during this recovery process.

In its annual results released Feb. 18, the parent company Stelco Holdings Inc. said for the calendar year 2019 net earnings were $10 million on $1.8 billion of revenue, compared to net earnings of $253 million for 2018. During the year it shipped 2.4 million tons of steel products compared to 2.6 million tons for 2018.

The company suffered a net loss of $24 million on revenue of $435 million in the fourth quarter of 2019, in part due to what it called “an unprecedented drop” in average steel prices. In the first quarter of this year it lost another $24 million, while net income was zero in the second quarter.

The post Canadian steelmaker Stelco hit by cyberattack first appeared on IT World Canada.

Heimdal™ Security Is a Finalist for Computing Security Awards 2020 in Eight Categories!

Thanks to you and your continuous support, our cybersecurity solutions were nominated and chosen as finalists for the Computing Security Awards 2020 edition! We are proud and excited to be chosen among the brands that enable online security to be closer to what it should be: easily achievable, easily managed, all-encompassing. We have been deemed […]

The post Heimdal™ Security Is a Finalist for Computing Security Awards 2020 in Eight Categories! appeared first on Heimdal Security Blog.

HackerOne Integrates Platform Through New Agreements

Security firm HackerOne has announced a range of new partnerships and integrations to enable its platform to fit better with existing security and development workflows.

These include agreements with ServiceNow and PagerDuty to provide real-time updates of critical vulnerabilities, enabling their customers to respond rapidly to threats.

A new class of data and log aggregation tooling is provided through integrations with Splunk and Sumo Logic, while customers that leverage Kenna Security and Brinqa can import their data from HackerOne into these applications.

In addition, a collaboration with interactive cybersecurity training organization HackEDU enables their developer training to be automatically adapted to the vulnerabilities found by hackers in customer programs.

HackerOne also outlined a number of further integrations in the pipeline. These include a new GitHub addition and Microsoft products such as Azure DevOps and Microsoft Teams.

Co-founder of HackerOne, Michiel Prins, said: “Our mission is to empower the world to build a safer internet. While this may start with knowing where you’re vulnerable, what happens next is vital. With best-in-class integrations, HackerOne empowers customers to increase efficiency, collaboration and scalability by bringing industry-leading tools into the HackerOne ecosystem and creating seamless workflows within those tools.”

Discussing its integration with HackerOne’s platform, Steve Gross, senior director of strategic business development at PagerDuty, commented: “Notification and communication of a vulnerability is one of the most important aspects of security teams’ workflows. The sooner the right team members are notified that a high or critical bug has been reported, the sooner they will be able to start the remediation process.

“With the potential of a delayed or missed notification being a data breach, the stakes are high. To meet these challenges, PagerDuty is excited to work with HackerOne to provide real-time updates of critical vulnerabilities being reported so customers can optimize response times and begin remediation as soon as possible.”

Automation becomes a business imperative

According to Forrester, remote work, support of remote business, recessionary pressures, new digital muscles for employees and customers, and pandemic constraints will force millions of pragmatic automations to production levels in 2021.

Best Security Practices to Protect your Web Application from Future Threats

Almost all businesses nowadays use web applications for their targeted growth, but these apps’ security is often compromised if proper steps are not taken. During web application development, all other features are given time and preference, but very few teams give web application security the attention it deserves. The vulnerabilities in your web application can be easily exploited by cybercriminals, who are always searching for sites with weaker security protection.

Here are some of the most important security practices that you should implement to secure your web application from the most common threats:

Install SSL Certificates

One of the most effective measures to secure your web applications from cyberattacks is to encrypt all the information shared on them. SSL certificates are used with the SSL (Secure Sockets Layer) or TLS (Transport Layer Security) security protocols to protect data from cybercriminals through encryption.

If you do not activate SSL certificates on your web applications, hackers can easily read the shared information if they somehow get access to it. SSL certificates use cryptographic keys to make it impossible for attackers to read the data.

https://lwstatic-a.akamaihd.net/kb/wp-content/uploads/2019/07/ssl-security-plan.png

The certificate authorities ensure that data transfer is encrypted throughout the communication process. Before buying an SSL certificate for your web app make sure you are purchasing it from a trustworthy SSL Authority like a ClickSSL that provides some of the most popular SSL certificates in very reasonable price.

 

Manage User Permissions

Managing user permissions carefully makes a web application markedly harder to abuse. Your company may have many employees, and not every one of them needs full access to the system to do their job. Apply the principle of least privilege: give every user, and every service account, only the access their role requires.

If everyone in the organization holds full access, a single compromised account hands the attacker the whole system. Enforcing least privilege limits the damage from any one breach, and from a malicious insider. Doing it properly takes time, since each role must be mapped to the actions and data it actually needs, and the mapping must be revisited when people change roles, but it spares the web app many potential threats.

 

Train your Employees

If you run an organization, never assume that most of your employees have sound knowledge of current cyber-security threats. Most staff will not have that knowledge, and that can land you and your company in hot water, because employees who cannot recognize an attack are the ones who fall for it.

So, to protect your web application, run proper cyber-security training sessions for your employees. Bring in someone with real web-application security expertise to teach your staff about the threats specific to your web app and its operating environment.

This cyber security training will help your employees independently identify and save themselves and your business from all security threats.

Hire Professional Hackers

Ethical hackers use the same tricks and techniques as cybercriminals to find and exploit the vulnerabilities in your web application, but they do it on your behalf, so that you understand the risks before a real attacker does. Professional white-hat testers typically probe for the following classes of weakness:

Cross-site scripting (XSS)

Man-in-the-middle (MITM) exposure, for example weak or missing TLS

Broken authentication and session management

Susceptibility to distributed denial-of-service (DDoS) attacks

Sensitive data exposure

SQL injection

Phishing, through simulated campaigns against your staff

After the penetration test (pen test) you receive a report of the weaknesses found, ranked by severity, which you can then use to improve the web application's security.

Secure Web App during Development

This is one of the essential steps in keeping your web app out of attackers' reach. It means preventing security flaws from being introduced during the development lifecycle rather than bolting protection on afterwards. For that you need developers who know the prevalent classes of web vulnerability (such as the injection and authentication flaws listed above) and who review code, including third-party dependencies, for insecure or malicious code before it ships.

When they find a security defect during development, they should fix it at the source and add a test so that it does not come back.

Regular Updates

With so many network security threats, it is essential to apply security updates to your web app and its stack regularly. Outdated software lacks recent security fixes and is easily exploited by attackers using publicly known vulnerabilities. Depending on your web app's infrastructure, this covers the framework, the libraries and packages the app depends on, the web server, the runtime and the operating system. Keeping the application and its dependencies up to date protects it from known attacks; it does nothing against flaws that have not yet been patched, which is why the other practices here still matter.

 

Keep Monitoring your App Regularly

To stay on the safe side, keep looking for security vulnerabilities in your web app on a regular basis, using more than one testing technique. Static application security testing (SAST) tools examine the source code, and dynamic application security testing (DAST) tools probe the running application; together they cover weaknesses that either one alone would miss. Regular testing tells you which vulnerabilities are present so that you can fix them and adjust your protections accordingly.

Backup all Data

With the number of cyberattacks rising, your web app's data is under threat all the time. Attackers who gain full access may delete or encrypt it, which puts you in serious trouble. To avoid that, keep copies of all your web app data at another location. A good rule of thumb is the 3-2-1 rule: three copies of the data, on two different types of media, with one copy off-site, so that you are protected against heavy losses even if your primary backup location is damaged or compromised. Test restoring from the backups periodically; a backup that has never been restored is only a hope.

Employ Security Experts

You need to invest more in security services to protect your web application from cybercriminals. Hiring security experts is a wise step towards improving your web app security. A security specialist or security service company uses specialized tools to monitor the security level of your website. The scanning results show the vulnerabilities present in your site. They then help you implement new security techniques to protect your web applications.

Before hiring anyone for security work, research the individual or firm thoroughly and check their reputation and references to validate their competence and legitimacy.

Conclusion

Cybercriminals keep finding new ways to take advantage of weaknesses in web applications, and they continually search for sites with poor security to attack. To protect your web applications, you need to stay informed about known security threats. For organizations, withstanding malicious attacks depends on every employee: one worker mishandling a potential attack can put all of the firm's data at risk.

Cyber-security protection starts with training your employees and implementing the right security techniques for your web applications. The practices listed above will not make an application immune, but applied together they close off the most common attacks and limit the damage from the rest.

The post Best Security Practices to Protect your Web Application from Future Threats appeared first on CyberDB.

Everything You Need to Know About JavaScript Security

These days, JavaScript is one of the more well-known and established programming languages around. JavaScript is mostly found in the code of dynamic web pages that allow for extended JavaScript functionalities. These functionalities include useful operations such as interactivity, tracking user activities, and form submission or validation. Although JavaScript is generally regarded as a reasonably safe coding language, many users are growing skeptical about certain aspects of JavaScript security.

Many well-known JavaScript vulnerabilities can affect both the server-side and client-side. Malicious hackers can utilize these vulnerabilities by traversing a number of open paths through your application. When utilizing JavaScript in your application, it is critical to evaluate all JavaScript Security threats seriously and  implement an open source vulnerability scanner to find these threats. 

This article will detail two of the most severe potential JavaScript security vulnerabilities and how to deal with them appropriately. 

Cross-Site Scripting (XSS) Attacks: What Are They?

One of the most common client-side vulnerabilities is cross-site scripting, or XSS. It arises when a web application inserts untrusted data into an HTML page without encoding it, so that the data is parsed as markup and, in particular, as JavaScript. The attacker's script then runs in the victim's browser within the legitimate site's origin, with every privilege that site has.

XSS attacks are, unfortunately, all too common and can result in the theft of a user's data or identity. Because the injected script runs as the site, it can also propagate, for instance by posting itself into content that other users will view, turning a single flaw into a self-spreading worm.

The attack is performed by injecting JavaScript through a parameter the site reflects (a search field, a URL query string, a stored comment) and using it to act on the user's data. A typical payload reads the victim's session cookie or session ID and sends it to the attacker, who then uses it to impersonate the victim.

How can it be prevented? 

There are several ways to ensure that your JavaScript is safe and secure:

  • First, validate all input as it arrives. Whenever a user supplies input, check it against a strict definition of what is valid (type, length, allowed characters) and reject what does not fit, rather than trying to strip out the bad parts.
  • Use the right response headers. For HTTP responses that are not supposed to contain HTML, send an accurate Content-Type (for example application/json) together with X-Content-Type-Options: nosniff, so the browser does not second-guess the type and interpret the body as HTML.
  • Encode data when it is output. Whenever user-supplied data is written into an HTTP response, encode it for the context it lands in (HTML body, attribute, JavaScript, URL) so the browser treats it as text rather than active content.
  • Lastly, use a Content Security Policy. A CSP with the right set of rules stops the browser from executing inline script or script loaded from origins you did not list, which blunts an injection even if one slips through.

Cross-Site Request Forgery (CSRF) Attacks: What Are They?

A CSRF (also written XSRF) attack makes a victim's browser send a request the victim did not intend, using the victim's own authenticated session. It works because browsers automatically attach cookies to requests to a site, including requests triggered from some other site. When the target site relies on the session cookie alone to authenticate a request, it cannot tell the forged request from a legitimate one; the attacker never sees the cookie, but still acts as the user.

This attack can be very harmful to the victim and can lead to fraud, account tampering, or data theft. The most common targets are popular web applications such as social media, web interfaces, online banking, and in-browser email clients. 

Let us use the online banking situation as an example. 

Most banking websites use a session cookie to authenticate user requests. The user logs in, enters the details of a transfer and clicks the transfer button, and the browser attaches the cookie to each of those requests.

Once a user is logged in, the banking website stores a session cookie in the browser and refers back to it to authorize transactions.

The Hack

To carry out the attack, the attacker builds a website that looks legitimate but has a hidden agenda; for this example, a blogging site. When the user opens the page to write a new post, hidden markup on it (an image tag or an auto-submitted form) makes the browser send a request to the banking website, in this example a GET request carrying the transfer parameters. The attack only works while the user is also logged into the bank, because only then does the browser have a valid session cookie to attach.

The attacker crafts that request so that it looks like a transfer the user made. When the user clicks the button to add a blog post, they also, unknowingly, transfer money to the attacker's account.

How can it be prevented?

  • Always set the SameSite attribute on session cookies, so the browser does not attach them to cross-site requests.
  • The site must also verify the Origin header, or the Referer header when Origin is absent, against its own origin on every state-changing request.
  • Add user-interaction-based protection for highly sensitive operations such as bank transfers: re-authentication (usually the password), a CAPTCHA, or a one-time token embedded in the site's own form that a cross-site page cannot read. Used correctly, these are strong defenses against CSRF. State-changing operations should also never be performed in response to GET requests.

JavaScript security is a topic that is not often talked about; however, it is highly essential to many professions. Learning to execute JavaScript safely and correctly is not something that most people are able to learn overnight. 

When you are looking to test or upgrade your JavaScript security, it is highly recommended to seek the help of a certified professional or cyber security specialist. These professionals will give you a better and more detailed understanding of your security risks and what actions you can take to correct them. Taking the security of your website seriously is no easy task and requires constant maintenance. However, if you take precautions, your users will be able to browse knowing they are using a safe and secure site. 

The post Everything You Need to Know About JavaScript Security appeared first on CyberDB.

Experts Warn of Privacy Risks Caused by Link Previews in Messaging Apps

Cybersecurity researchers over the weekend disclosed new security risks associated with link previews in popular messaging apps that cause the services to leak IP addresses, expose links sent via end-to-end encrypted chats, and even unnecessarily download gigabytes of data stealthily in the background. "Links shared in chats may contain private information intended only for the recipients,"

Webcast: The SOC Age Or, A Young SOC Analyst’s Illustrated Primer

Many people get started in security as a Security Operations Center (SOC) analyst. In this Black Hills Information Security (BHIS) webcast we discuss the core skills that a SOC analyst needs in order to be successful. Trust us, these skills are more than just watching the SIEM and letting the SOAR platform handle everything through […]

The post Webcast: The SOC Age Or, A Young SOC Analyst’s Illustrated Primer appeared first on Black Hills Information Security.

Attacks Exploiting Digital Certs Soar by 700% in Five Years


The number of cyber-attacks exploiting “machine identities” has soared by more than 700% over the past five years, according to new data from Venafi.

The security vendor made the claims in its latest report, Machine Identities Drive Rapid Expansion of Enterprise Attack Surface.

It also revealed that this type of attack has surged by 433% from 2018 to 2019 alone, whilst the use of commodity malware that abuses machine identities doubled.

Machine identity refers to the use of digital certificates and cryptographic keys (ie SSL/TLS, SSH) to authenticate and secure computers and devices that connect with each other.

While IoT and digital transformation have led to an explosion in the use of such machines in the enterprise over recent years, security has failed to catch up.

As many CISOs are unaware how many machines they have to manage, they’re unclear about the size of the attack surface, which could lead to unplanned outages as certificates expire. Attackers are increasingly also adding machine identity components to commodity malware so that attackers can hide in encrypted traffic, Venafi has warned in the past.

From 2015 to 2019, the number of vulnerabilities involving machine identities grew by 260%, while the number of reported advanced persistent threats (APTs) using these techniques grew by 400%, Venafi claimed.

“As our use of cloud, hybrid, open source and microservices use increases, there are many more machine identities on enterprise networks—and this rising number correlates with the accelerated number of threats,” said Yana Blachman, threat intelligence researcher at Venafi.

“As a result, every organization’s machine identity attack surface is getting much bigger. Although many threats or security incidents frequently involve a machine identity component, too often these details do not receive enough attention and aren’t highlighted in public reports.”

Finnish psychotherapy center Vastaamo suffered a shocking security breach

Private Finnish psychotherapy center Vastaamo suffered a security breach, hackers are now demanding ransom to avoid the leak of sensitive data they have stolen.

Finland’s interior minister summoned an emergency meeting on Sunday after the private Finnish psychotherapy center Vastaamo suffered a security breach that exposed patient records. To make matters worse, the hackers are now demanding ransoms and threatening to leak the stolen data.

Vastaamo operates as a sub-contractor for Finland’s public health system, according to the authorities, the hackers have stolen patient sensitive data during two attacks that started almost two years ago.

Finnish Interior Minister Maria Ohisalo tweeted that authorities would “provide speedy crisis help to victims” of the security breach at the Vastaamo psychotherapy center, an incident she called “shocking and very serious.”


President Sauli Niinisto called the blackmailing “cruel” and “repulsive,” while Prime Minister Sanna Marin added that such attacks are “shocking in many ways.”

The attacker that goes online with the moniker ’ransom_man’ has already leaked 300 patient records containing names and contact information and is blackmailing the victims that received emails from the hackers.

“It was not immediately clear if the stolen information included diagnoses, notes from therapy sessions or other potentially damaging information. Also, it wasn’t clear why the information was surfacing only now.” reported the Associated Press.

According to a statement published by Vastaamo on Saturday, the first attack likely took place between the end of November 2018 and March 2019.

The National Bureau of Investigation is investigating the incident and revealed that the data breach may have impacted up to “tens of thousands” of the Vastaamo clients.

“What makes this case exceptional is the contents of the stolen material,” Marko Leponen, the National Bureau of Investigation’s chief investigator assigned to the case, told reporters.

Vastaamo urged clients who were contacted by the intruders to immediately contact Finnish police.

Finnish media reported that the crooks are demanding ransoms of 200 euros’ worth of Bitcoin, rising to 500 euros if the victim does not pay within 24 hours. The crooks also tried to blackmail Vastaamo directly, demanding a ransom of 450,000 euros.

Pierluigi Paganini

(SecurityAffairs – hacking, Vastaamo)

The post Finnish psychotherapy center Vastaamo suffered a shocking security breach appeared first on Security Affairs.

IMSI-Catchers from Canada

Gizmodo is reporting that Harris Corp. is no longer selling Stingray IMSI-catchers (and, presumably, its follow-on models Hailstorm and Crossbow) to local governments:

L3Harris Technologies, formerly known as the Harris Corporation, notified police agencies last year that it planned to discontinue sales of its surveillance boxes at the local level, according to government records. Additionally, the company would no longer offer access to software upgrades or replacement parts, effectively slapping an expiration date on boxes currently in use. Any advancements in cellular technology, such as the rollout of 5G networks in most major U.S. cities, would render them obsolete.

The article goes on to talk about replacement surveillance systems from the Canadian company Octasic.

Octasic’s Nyxcell V800 can target most modern phones while maintaining the ability to capture older GSM devices. Florida’s state police agency described the device, made for in-vehicle use, as capable of targeting eight frequency bands including GSM (2G), CDMA2000 (3G), and LTE (4G).

[…]

A 2018 patent assigned to Octasic claims that Nyxcell forces a connection with nearby mobile devices when its signal is stronger than the nearest legitimate cellular tower. Once connected, Nyxcell prompts devices to divulge information about their signal strength relative to nearby cell towers. These reported signal strengths (intra-frequency measurement reports) are then used to triangulate the position of a phone.

Octasic appears to lean heavily on the work of Indian engineers and scientists overseas. A self-published biography of the company notes that while the company is headquartered in Montreal, it has “R&D facilities in India,” as well as a “worldwide sales support network.” Nyxcell’s website, which is only a single page requesting contact information, does not mention Octasic by name. Gizmodo was, however, able to recover domain records identifying Octasic as the owner.

Hackers breach psychotherapy center, use stolen health data to blackmail patients

News of an unusual data breach at a psychotherapy center in Finland broke over the weekend, after affected patients began receiving emails telling them to pay up or risk their personal and health data being publicly released. Therapist session notes of some 300 patients have already been published on a Tor-accessible site on the dark web. Among the victims are Finnish politicians (e.g., Member of Parliament Eeva-Johanna Eloranta) and minors. What is known about the … More

The post Hackers breach psychotherapy center, use stolen health data to blackmail patients appeared first on Help Net Security.

Hashtag Trending – Right to repair movement swells; #CoronaVirusHiring; Cleaning up your digital history

The right to repair movement gains momentum in the U.S. and beyond, LinkedIn has a long-list of companies that are hiring right now and they include several tech companies, and a story about maintaining your digital history catches fire.

The post Hashtag Trending - Right to repair movement swells; #CoronaVirusHiring; Cleaning up your digital history first appeared on IT World Canada.

Sopra Steria Hit by New Ryuk Variant


French IT services giant Sopra Steria has said it will take weeks to return to normal after a serious ransomware attack forced key systems offline.

The group posted a very brief message on its website last week claiming to have discovered the attack on Tuesday evening.

However, its fintech business Sopra Banking Software confirmed in an update today that the incident was a ransomware attack.

“The virus has been identified: it is a new version of the Ryuk ransomware, previously unknown to anti-virus software providers and security agencies,” it claimed.

“Sopra Steria’s investigation teams immediately provided the competent authorities with all information required. The group was able to quickly make this new version’s virus signature available to all anti-virus software providers, in order for them to update their anti-virus software.”

The statement claimed that Sopra Steria had managed to catch the attack after a “few days” and confine it to “a limited part” of its IT infrastructure.

“At this stage, and following in-depth investigation, Sopra Steria has not identified any leaked data or damage caused to its customers’ information systems,” it added.

“Having analyzed the attack and established a remediation plan, the group is starting to reboot its information system and operations progressively and securely, as of today.”

However, it will take “a few weeks for a return to normal” across the business, it warned.

Ryuk is one of the most prolific ransomware strains out there, having targeted organizations as diverse as US defense contractor EWA and Spanish logistics firm Prosegur.

Sopra Steria, which operates the NHS Shared Business Service joint venture, is certainly not the first IT services company to be caught out by ransomware. After being hit by the Maze group earlier this year, Cognizant admitted that the incident may end up costing it as much as $70m in Q2 alone.

Nando’s Customers Hit by Credential Stuffing Attacks


Some customers of popular high street eatery Nando’s have been left hundreds of pounds poorer after cyber-attackers hijacked their online accounts to place large orders.

Reports in UK media revealed that multiple customers of the peri-peri chicken chain have had their accounts compromised. Due to COVID-19 restrictions, customers must now scan a QR code in store and order online to get their food.

However, that leaves the door open to attackers who try log-ins previously breached from other sites and hijack the accounts of customers who reused those credentials.

According to one report, a group of young people fraudulently placed two large orders in-store, after trying and failing several times to use hijacked accounts.

Nando’s said it would reimburse any customers scammed in this way, and promised to get better at spotting fraudulent account activity.

“We can confirm that while our systems have not been hacked, unfortunately some individual Nando customer accounts have been accessed by a party or parties using a technique called ‘credential-stuffing,’ whereby the customer's email address and password have been stolen from somewhere else and, if they use the same details with us, used to access their Nando’s accounts,” it added in a statement.

There were 64 billion such credential stuffing attempts between July 2018 and June 2020, in the retail, hospitality and travel sectors, according to Akamai data released last week.

Brian Higgins, security specialist at Comparitech, argued that this kind of fraud has become more common during the pandemic as hospitality venues implement online ordering platforms to help protect staff and customers.

“The security of these platforms is always going to be questionable and it is absolutely vital that customers take their own security measures seriously. Never use the same password for more than one application, whether it’s your bank account, your Facebook page, your Deliveroo account or anything else,” he continued.

“If attackers, as in this case, can steal the password to one app, they will have access to them all. Password management is a pain but feeding someone else’s friends at Nando’s is worse."

Ransomware attack disabled Georgia County Election database

A ransomware attack recently hit Georgia county government and reportedly disabled a database used to verify voter signatures.

A ransomware attack hit a Georgia county government early this month and disabled a database used to verify voter signatures in the authentication of absentee ballots. It is a common process to validate absentee ballots sent by mail by analyzing signatures.

The media pointed out that this is the first reported ransomware attack against a system used in the upcoming 2020 presidential election.

Ransomware attacks could have a dramatic impact on the elections, they could disrupt voting systems and raise doubts about the validity of the vote.

The attack took place on October 7, it hit Hall County, in the northern part of the state and it disabled the county’s voter signature database.

“One of the databases the county uses to verify voter signatures on absentee ballots is not working after some county network outages due to a ransomware attack on Oct. 7.” reported the Gainesville Times. “Registration Coordinator Kay Wimpye with the county elections office said employees can still verify voter signatures by manually pulling hard copies of voter registration cards, which is more time-consuming. Most voter signatures can be verified using a state database that has been unaffected by the outages, she said.”

The media reported that the Hall County attack was carried out by Doppelpaymer ransomware operators that also leaked stolen data on their dark web leak site to force the organization to pay the ransom.

The county website published an update stating that the attack did not affect the voting process for citizens, which differs from the scenario reported by the Times.

Pierluigi Paganini

(SecurityAffairs – hacking, Georgia county)

The post Ransomware attack disabled Georgia County Election database appeared first on Security Affairs.

COVID-19 vaccine manufacturer suffers a data breach

Dr. Reddy’s, the Indian contractor for Russia’s “Sputnik V” COVID-19 vaccine, was hit by a cyber-attack that forced the company to shut down its plants.

Indian COVID-19 vaccine manufacturer Dr. Reddy’s Laboratories was hit with a cyber attack that forced it to shut down its plants in Brazil, India, Russia, the U.K., and the U.S..

According to The Economic Times the company suffered a data breach.

The Indian company is the contractor for Russia’s “Sputnik V” COVID-19 vaccine; the Drugs Controller General of India (DCGI) recently authorized it to begin Phase 2 human trials.

According to the BBC, the phone lines at the company’s UK sites in Cambridgeshire and Yorkshire were down.

In response to the security breach, the COVID-19 vaccine manufacturer has isolated all data center services.

“In the wake of a detected cyber-attack, we have isolated all data center services to take required preventive actions,” CIO Mukesh Rathi said in a media statement. “We are anticipating all services to be up within 24 hours, and we do not foresee any major impact on our operations due to this incident.”

According to the media, the attack is likely the result of a cyber espionage operation aimed at stealing info on the COVID-19 vaccine development.

At the time it is not clear whether the attack was carried out by a nation-state actor or a cyber crime gang.

In July, the British National Cyber Security Centre revealed that the Russia-linked group APT29 was conducting cyber-espionage campaigns targeting UK, US and Canadian organizations working on the development of a COVID-19 vaccine.

In the same period, the US Justice Department accused two Chinese hackers of stealing trade secrets from companies worldwide and recently involved in attacks against firms developing a vaccine for the COVID-19.

In September, the El Pais newspaper reported that Chinese hackers have stolen information from Spanish laboratories working on a vaccine for COVID19.

Pierluigi Paganini

(SecurityAffairs – hacking, COVID-19)

The post COVID-19 vaccine manufacturer suffers a data breach appeared first on Security Affairs.

Attackers finding new ways to exploit and bypass Office 365 defenses

Over the six-month period from March to August 2020, over 925,000 malicious emails managed to bypass Office 365 defenses and well-known secure email gateways (SEGs), an Area 1 Security study reveals. How criminals bypass Office 365 defenses Attackers increasingly use highly sophisticated, targeted campaigns like business email compromise to evade traditional email defenses, which are based on already-known threats. Attackers also often use Microsoft’s own tools and branding to bypass legacy defenses and email authentication … More

The post Attackers finding new ways to exploit and bypass Office 365 defenses appeared first on Help Net Security.

DNS attacks increasingly target service providers

The telecommunications and media sector is the most frequent victim of DNS attacks, according to EfficientIP. DNS attacks on service providers According to the IDC 2020 Global DNS Threat Report, organizations in the sector experienced an average of 11.4 attacks last year, compared to 9.5 attacks across industries. Overall, 83% of service provider organizations experienced a DNS attack. In addition to being well above the overall average of 79%, a successful attack on telecommunications providers … More

The post DNS attacks increasingly target service providers appeared first on Help Net Security.

Adapt cybersecurity programs to protect remote work environments

Earlier this year, businesses across the globe transitioned to a remote work environment almost overnight at unprecedented scale and speed. Security teams worked around the clock to empower and protect their newly distributed teams. Protect and support a remote workforce Cisco’s report found the majority of organizations around the world were at best only somewhat prepared in supporting their remote workforce. But, it has accelerated the adoption of technologies that enable employees to work securely … More

The post Adapt cybersecurity programs to protect remote work environments appeared first on Help Net Security.

Organizations need to understand risks and ethics related to AI

Despite highly publicized risks of data-sharing and AI, from facial recognition to political deepfakes, leadership at many organizations seems to be vastly underestimating the ethical challenges of the technology, NTT DATA Services reveals. Just 12% of executives and 15% of employees say they believe AI will collect consumer data in unethical ways, and only 13% of executives and 19% of employees say AI will discriminate against minority groups. Surveying 1,000 executive-level and non-executive employees across … More

The post Organizations need to understand risks and ethics related to AI appeared first on Help Net Security.

Enterprises should strive for composability to be resilient during uncertainty

CIOs and IT leaders who use composability to deal with continuing business disruption due to the COVID-19 pandemic and other factors will make their enterprises more resilient, more sustainable and make more meaningful contributions, according to Gartner. Analysts said that composable business means architecting for resilience and accepting that disruptive change is the norm. It supports a business that exploits the disruptions digital technology brings by making things modular – mixing and matching business functions … More

The post Enterprises should strive for composability to be resilient during uncertainty appeared first on Help Net Security.

HITBSecTrain: Cutting-edge virtual cyber security trainings on a monthly basis

For better or for worse, the global COVID-19 pandemic has confined most of us to our own countries (our houses and apartments, even), has changed how and from where we do our work, and has restricted our social lives. The distractions and tools still available to help us battle our growing anxiety and sadness are few, but some of them, such as learning new things, are very powerful. Happily for all of us, many courses … More

The post HITBSecTrain: Cutting-edge virtual cyber security trainings on a monthly basis appeared first on Help Net Security.

HIPAA Breach Notification – What you need to know

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that was established to transform the security landscape of the healthcare industry. Businesses that are found guilty of a breach or violation of HIPAA rules will have to face repercussions. Part of the HIPAA law includes the HIPAA Breach Notification Rule, which […]… Read More

The post HIPAA Breach Notification – What you need to know appeared first on The State of Security.

Australia Proposes Security Law to Protect Critical Infrastructure Against Cyber Attacks

The Australian Government is committed to protecting the essential services all Australians rely on by uplifting the security and resilience of critical infrastructure. Increasingly interconnected and interdependent critical infrastructure is delivering efficiencies and economic benefits to operations. However, connectivity without proper safeguards creates vulnerabilities that can deliberately or inadvertently cause disruption resulting in cascading consequences […]… Read More

The post Australia Proposes Security Law to Protect Critical Infrastructure Against Cyber Attacks appeared first on The State of Security.

CrowdStrike Falcon X Recon: Enabling orgs to get ahead of nation-state, eCrime, hacktivist attacks

CrowdStrike announced the new CrowdStrike Falcon X Recon module that will provide customers an increased level of situational awareness through the deep, broad collection of data from digital sources. Falcon X Recon will help uncover potential malicious activity so security teams can better protect their brand, employees and sensitive data. CrowdStrike Falcon X Recon is designed to go beyond the dark web to include forums with restricted access on the deep web, breach data, source … More

The post CrowdStrike Falcon X Recon: Enabling orgs to get ahead of nation-state, eCrime, hacktivist attacks appeared first on Help Net Security.

Protegrity Data Protection Platform enhancements help secure sensitive data across cloud environments

Protegrity announced a significantly transformed Protegrity Data Protection Platform, offering enterprises the flexibility to easily secure sensitive data across cloud environments from a single platform. Built for hybrid-cloud and multi-cloud serverless computing, Protegrity’s latest platform enhancements allow companies to deploy and update customized policies across geographies, departments, and digital transformation programs. Protegrity enables businesses to quickly and safely turn sensitive data – wherever it resides – into intelligence-driven insights to deliver better customer experiences, monetize … More

The post Protegrity Data Protection Platform enhancements help secure sensitive data across cloud environments appeared first on Help Net Security.

Alcide integrates with AWS Security Hub to send alerts on risks to Kubernetes deployments

Alcide announced the company’s security solutions are now integrated with AWS Security Hub, sending real-time threat intelligence and compliance information to Amazon Web Services (AWS) for easy consumption by Security and DevSecOps teams. Alcide’s SaaS and container-based solutions for Kubernetes security are available in AWS Marketplace. AWS Security Hub gives AWS customers a comprehensive view of security posture across all their AWS accounts. As a single place that aggregates, organizes, and prioritizes security information from … More

The post Alcide integrates with AWS Security Hub to send alerts on risks to Kubernetes deployments appeared first on Help Net Security.

Reciprocity ZenGRC Risk Management helps manage risk posture and increase overall security

Reciprocity announced new capabilities within ZenGRC Risk Management. When it comes to risk management, remediating and controlling vulnerabilities proactively is a great way to reduce the likelihood that risks will occur in the first place. ZenGRC combines risk and compliance management to allow customers to identify, monitor, and mitigate risks. Expanding on the ZenGRC core risk functionality, customers now gain a powerful new set of tools in their efforts to manage risks and mitigate business … More

The post Reciprocity ZenGRC Risk Management helps manage risk posture and increase overall security appeared first on Help Net Security.

Dynatrace and ServiceNow allow customers to increase efficiency, reduce risk, and digitally transform faster

Dynatrace announced an enhanced, bi-directional, and automatic integration between the Dynatrace Software Intelligence Platform and the ServiceNow Platform. With precise topology and service mapping for dynamic multicloud environments, joint customers can increase efficiency through intelligent automation and reduce the risk of disruptions with predictive problem identification and automatic remediation, giving BizDevOps teams more time to innovate and accelerate digital transformation. By combining automatic and intelligent observability from Dynatrace with the intelligent automation capabilities of the … More

The post Dynatrace and ServiceNow allow customers to increase efficiency, reduce risk, and digitally transform faster appeared first on Help Net Security.

Securonix and Opora deliver automated action to prevent adversary attacks and contain threats

Securonix announced it signed an OEM agreement with Opora, a next-generation cybersecurity provider that uses pre-attack adversary behavior analytics to protect organizations from emerging threats. The partnership provides customers Securonix Adversary Behavior Analytics (ABA), an advanced capability that helps organizations protect mission critical assets by monitoring adversary behavior and delivering automated, preemptive actions that prevent attacks and help contain adversary threats. Securonix’s Next-Gen SIEM combines log management, user and entity behavior analytics (UEBA) and security … More

The post Securonix and Opora deliver automated action to prevent adversary attacks and contain threats appeared first on Help Net Security.

Is the Abaddon RAT the first malware using Discord as C&C?

Abaddon is the first RAT that uses the freeware instant messaging and VoIP app and digital distribution platform Discord as a command & control server.

Researchers from MalwareHunterTeam have spotted a new piece of remote access trojan (RAT) dubbed ‘Abaddon’ that is likely the first malware using the Discord platform as command and control. The Abaddon malware connects to the Discord command and control server to check for new commands to execute.

Experts also warn that the author of the malware is also developing a ransomware feature.

In the past, other threat actors already abused the Discord platform for different purposes, such as using it as a stolen data drop.

“In the past, we have reported on how threat actors use Discord as a stolen data drop or have created malware that modifies the Discord client to have it steal credentials and other information,” reported Bleeping Computer, which first reported the news.

Abaddon implements a data-stealing feature: it was designed to steal multiple types of data from the infected host, including Chrome cookies, saved credit cards and credentials, Steam credentials, Discord tokens and MFA information.

The malware also collects system information such as country, IP address, and hardware information.

According to Bleeping Computer, the malware supports the following commands:

  • Steal a file or entire directories from the computer
  • Get a list of drives
  • Open a reverse shell that allows the attacker to execute commands on the infected PC.
  • Launch in-development ransomware (more later on this).
  • Send back any collected information and clear the existing collection of data.

The malicious code connects to the Command & Control every ten seconds for new tasks to execute.

Experts pointed out that the malware also implements commands to encrypt files on the infected system and to decrypt them.

The ransomware feature appears to be under development.

Pierluigi Paganini

(SecurityAffairs – hacking, Abaddon)

The post Is the Abaddon RAT the first malware using Discord as C&C? appeared first on Security Affairs.

HPE addresses critical auth bypass issue in SSMC console

HPE fixed a remote authentication bypass vulnerability in HPE StoreServ Management Console (SSMC) data center storage management solution.

Hewlett Packard Enterprise (HPE) has addressed a maximum severity (rated 10/10) remote authentication bypass vulnerability, tracked as CVE-2020-7197, affecting the HPE StoreServ Management Console (SSMC) data center storage management solution.

HPE SSMC is a management and reporting console for HPE Primera (data storage for mission-critical apps) and HPE 3PAR StoreServ (AI-powered storage for cloud service providers) data center arrays.

The CVE-2020-7197 flaw is a remote authentication bypass vulnerability that affects HPE 3PAR StoreServ Management and Core Software Media prior to 3.7.0.0.

“HPE StoreServ Management Console 3.7.0.0 is an off node multiarray manager web application and remains isolated from data on the managed arrays. SSMC is vulnerable to remote authentication bypass.” reads the advisory.

The flaw can be exploited by threat actors with no privileges and doesn’t require user interaction.

HPE has addressed the issue with the release of the HPE 3PAR StoreServ Management Console 3.7.1.1.

“This SSMC release includes important security and quality improvement defect fixes that strengthen the security posture of SSMC appliances,” reads the changelog.

Hewlett Packard Enterprise acknowledged researcher Elwood Buck of MindPoint Group for reporting the flaw.

Pierluigi Paganini

(SecurityAffairs – hacking, StoreServ Management Console)

The post HPE addresses critical auth bypass issue in SSMC console appeared first on Security Affairs.

Trick or Treat: Avoid These Spooky Threats This Halloween

Spooky season is among us, and ghosts and goblins aren’t the only things hiding in the shadows. Online threats are also lurking in the darkness, preparing to haunt devices and cause some hocus pocus for unsuspecting users. This Halloween season, researchers have found virtual zombies and witches among us – a new trojan that rises from the dead no matter how many times it’s deleted and malicious code that casts an evil spell to steal users’ credit card data.

Let’s unlock the mystery of these threats so you can avoid cyber-scares and continue to live your online life free from worry.

Zombie Malware Hides in the Shadows

Just like zombies, malware can be a challenge to destroy. Oftentimes, it requires a user to completely wipe their device by backing up files, reinstalling the operating system, and starting from scratch. But what if this isn’t enough to stop the digital walking dead from wreaking havoc on your device?

Recently, a new type of Trojan has risen from the dead to haunt users no matter how many times it’s deleted. This zombie-like malware attaches itself to a user’s Windows 10 startup system, making it immune to system wipes since the malware can’t be found on the device’s hard drive. This stealthy malware hides on the device’s motherboard and creates a Trojan file that reinstalls the malware if the user tries to remove it. Once it sets itself up in the darkness, the malware scans for users’ private documents and sends them to an unknown host, leaving the user’s device in a ghoulish state.

Cybercriminals Leave Credit Card Users Spellbound

A malware misfortune isn’t the only thing that users should beware of this Halloween. Cybercriminals have also managed to inject malicious code into a wireless provider’s web platform, casting an evil spell to steal users’ credit card data. The witches and warlocks allegedly responsible for casting this evil spell are part of a Magecart spin-off group that’s known for its phishing prowess. To pull off this attack, they planted a credit card skimmer onto the wireless provider’s checkout page. This allowed the hackers to exfiltrate users’ credit card data whenever they made a purchase – a spell that’s difficult to break.

Why These Cyberspooks Are Emerging

While these threats might seem like just another Halloween trick, there are other forces at play. According to McAfee’s Quarterly Threats Report from July 2020, threats like malware, phishing and trojans have proven opportunistic for cybercriminals as users spend more and more time online – whether it be working from home, distance learning, or connecting with friends and loved ones. In fact, McAfee Labs observed 375 threats per minute in Q1 2020 alone.

So, as hackers continue to adapt their techniques to take advantage of users spending more time online, it’s important that people educate themselves on emerging threats so they can take necessary precautions and live their digital lives free from worry.

How to Stay Protected

Fortunately, there are a number of steps you can take to prevent these threats from haunting your digital life. Follow these tips to keep cybersecurity tricks at bay this spooky season:

Beware of emails from unknown senders

Zombie malware is easily spread by phishing, which is when scammers try to trick you out of your private information or money. If you receive an email from an unknown user, it’s best to proceed with caution. Don’t click on any links or open any attachments in the email and delete the message altogether.

Review your accounts

Look over your credit card accounts and bank statements often to check whether someone is fraudulently using your financial data – you can even sign up for transaction alerts that your bank or credit card company may provide. If you see any charges that you did not make, report them to the authorities immediately.

Use a comprehensive security solution

Add an extra layer of protection with a security solution like McAfee® Total Protection to help safeguard your digital life from malware and other threats. McAfee Total Protection also includes McAfee® WebAdvisor – web protection that enables users to sidestep attacks before they happen with clear warnings of risky websites, links, and files.

Stay updated

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Trick or Treat: Avoid These Spooky Threats This Halloween appeared first on McAfee Blogs.

Security Affairs newsletter Round 286

A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs free for you in your email box.

FIN11 gang started deploying ransomware to monetize its operations
Iran-linked Silent Librarian APT targets universities again
Microsoft released out-of-band Windows fixes for 2 RCE issues
QQAAZZ crime gang charged for laundering money stolen by malware gangs
Alexander Vinnik, the popular cyber criminal goes on trial in Paris
Fooling self-driving cars by displaying virtual objects
GravityRAT malware also targets Android and macOS
Hackers claim to have compromised 50,000 home cameras and posted footage online
New Emotet campaign uses a new ‘Windows Update’ attachment
The forum of the popular Albion Online game was hacked
How Automation can help you in Managing Data Privacy
MMO game Street Mobster leaking data of 1.9 million users due to critical vulnerability
Nefilim ransomware gang published Luxottica data on its leak site
NSA details top 25 flaws exploited by China-linked hackers
Pay it safe: Group-IB aids Paxful in repelling a series of web-bot attacks
U.S. Charges Russia GRU Intelligence Officers for notorious attacks, including NotPetya
Adobe releases a new set of out-of-band patches for its products
Chrome 86.0.4240.111 fixes actively exploited CVE-2020-15999 zero-day
Hackers are targeting CVE-2020-3118 flaw in Cisco devices
Microsoft took down 120 of 128 Trickbot servers in recent takedown
Sweden bans Huawei and ZTE from building its 5G infrastructure
Cisco addresses 17 high-severity flaws in security appliances
ENISA Threat Landscape Report 2020
EU Council sanctions two Russian military intelligence officers over 2015 Bundestag hack
Taiwanese vendor QNAP issues advisory on Zerologon flaw
VMware fixes several flaws in its ESXi, Workstation, Fusion and NSX-T
FBI and CISA joint alert blames Russia’s Energetic Bear APT for US government networks hack
Iran-Linked Seedworm APT targets orgs in the Middle East
Sopra Steria hit by the Ryuk ransomware gang
US whistleblower Edward Snowden received permanent residency from Russian authorities
US Treasury imposes sanctions on a Russian research institute behind Triton malware

Pierluigi Paganini

(SecurityAffairs – hacking, newsletter)

The post Security Affairs newsletter Round 286 appeared first on Security Affairs.

New Emotet attacks use a new template urging recipients to upgrade Microsoft Word

Emotet operators have started using a new template this week that pretends to be a Microsoft Office message urging a Microsoft Word update.

Researchers this week observed Emotet attacks employing a new template that pretends to be a Microsoft Office message urging the recipient to update their Microsoft Word to add a new feature.

Source Bleeping Computer

Emotet spam messages leverage templates to trick the victims into enabling macros to start the infection.

Once installed, Emotet downloads additional payloads onto the machine, including ransomware, and uses the infected host to send spam emails.

The Emotet banking trojan has been active since at least 2014; the botnet is operated by a threat actor tracked as TA542. In mid-August, the malware was employed in a fresh COVID-19-themed spam campaign.

Recent spam campaigns used messages with malicious Word documents, or links to them, pretending to be an invoice, shipping information, COVID-19 information, resumes, financial documents, or scanned documents.

The infamous banking trojan is also used to deliver other malicious code, such as Trickbot and QBot trojan or ransomware such as Conti (TrickBot) or ProLock (QBot).

Emotet is modular malware; its operators can develop new Dynamic Link Libraries (DLLs) to update its capabilities.

Recently, the Cybersecurity and Infrastructure Security Agency (CISA) issued an alert to warn of a surge of Emotet attacks that have targeted multiple state and local governments in the U.S. since August.

During that time, the agency’s EINSTEIN Intrusion Detection System has detected roughly 16,000 alerts related to Emotet activity.

In a recent campaign observed on October 14th, the attackers are using multiple lures, including invoices, purchase orders, shipping information, COVID-19 information, and information about President Trump’s health.

The spam messages come with malicious Word (.doc) attachments or include links to download the bait document.

“Emotet switched to a new template this week that pretends to be a Microsoft Office message stating that Microsoft Word needs to be updated to add a new feature.” reported BleepingComputer.

Below is the message displayed to the recipient to trick them into enabling the macros.

Upgrade your edition of Microsoft Word
Upgrading your edition will add new feature to Microsoft Word.
Please click Enable Editing and then click
Enable Content.

Upon enabling the macros, the Emotet malware is downloaded and installed into the victim’s %LocalAppData% folder, as shown below.

“Due to this, it is important that all email users recognize malicious document templates used by Emotet so that you do not accidentally become infected,” concludes Bleeping Computer.

Pierluigi Paganini

(SecurityAffairs – hacking, malware)

The post New Emotet attacks use a new template urging recipients to upgrade Microsoft Word appeared first on Security Affairs.

Week in review: Confidential computing, data protection predictions, Sandworm hackers charged

Here’s an overview of some of last week’s most interesting news, reviews and articles: What is confidential computing? How can you use it? What is confidential computing? Can it strengthen enterprise security? Nelly Porter, Senior Product Manager, Google Cloud and Sam Lugani, Lead Security PMM, Google Workspace & GCP, answer these and other questions in this Help Net Security interview. Cybersecurity is failing due to ineffective technology Based on over 100 comprehensive interviews with business … More

The post Week in review: Confidential computing, data protection predictions, Sandworm hackers charged appeared first on Help Net Security.

Microsoft Teams phishing campaign targeted up to 50,000 Office 365 users

Experts warn of a phishing campaign that already targeted up to 50,000 Office 365 users with a fake automated message from Microsoft Teams.

Security researchers reported that up to 50,000 Office 365 users have been targeted by a phishing campaign that pretends to be an automated message from Microsoft Teams. The bait message uses fake notifications of a “missed chat” from Microsoft Teams; the campaign aims to steal Office 365 recipients’ login credentials.

Like other collaboration and communications platforms, the popularity of Microsoft Teams has risen since the beginning of the Covid-19 pandemic because a growing number of organizations started using the remote working model. Threat actors are adapting their attack techniques to exploit the ongoing situation: researchers from Abnormal Security observed a campaign that hit between 15,000 and 50,000 Office 365 users.

“This attack impersonates an automated message from Microsoft Teams in order to steal recipient’s login credentials.” reads the report published by Abnormal Security. “The email is sent from the display name, ‘There’s new activity in Teams’, making it appear like an automated notification from Microsoft Teams. It appears to notify the recipient that their teammates are trying to reach them and urges the recipient to click on ‘Reply in Teams’. However, this leads to a phishing page.”

The bait email displays the name “There’s new activity in Teams” to trick the victims into believing that it is an automated notification from Microsoft Teams.

The email tells the recipient that they have missed Microsoft Teams chats and shows an example of a teammate chat that asks them to submit something by Wednesday of next week.

The researchers noted that the campaign is not targeted in nature, as the employee referenced in the chats does not appear to be an employee of the company that was targeted by the attackers.

The recipient can respond to the email by clicking the “Reply in Teams” button in the body of the message, but as a consequence of this action the victim is redirected to a phishing page.

“Within the body of the email, there are three links appearing as ‘Microsoft Teams’, ‘(contact) sent a message in instant messenger’, and ‘Reply in Teams’,” continues the analysis. “Clicking on any of these leads to a fake website that impersonates the Microsoft login page. The phishing page asks the recipient to enter their email and password.”

The phishing landing page looks like a Microsoft login page; its URL begins with “microsftteams” to appear legitimate.

“The attacker spoofed employee emails and also impersonated Microsoft Teams. The recipient is more likely to fall prey to an attack when it is believed to originate from within the company and also from a trusted brand.” concludes the report.
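
The “microsftteams” URL trick above can be caught on the defender side by looking for brand tokens that almost match inside a hostname. The following is an added example written for this page, not code from the article or from Abnormal Security; the allowlisted domains, brand tokens and sample URLs are assumptions or constructed values.

```python
"""Brand-lookalike hostname check for phishing links (constructed example).

Flags URLs whose hostname contains a near-miss of a protected brand token
(one edit away, e.g. "microsft" for "microsoft") while not belonging to one
of the brand's real domains. Allowlist, tokens and URLs are assumptions.
"""
from urllib.parse import urlsplit

# Brand tokens worth protecting (assumed; longest wins when distances tie).
BRAND_TOKENS = ("microsoft", "microsoftteams", "office365")

# Assumed allowlist of legitimate apex domains; extend for your tenant.
ALLOWED_APEX = {"microsoft.com", "microsoftonline.com", "office.com", "live.com"}


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def apex_domain(host):
    """Naive 'last two labels' apex; a production check should consult the
    Public Suffix List so that e.g. example.co.uk is handled correctly."""
    return ".".join(host.split(".")[-2:])


def brand_lookalike(url, tokens=BRAND_TOKENS, max_distance=1):
    """Return details of the closest brand near-miss in the URL's hostname,
    or None if the host is allowlisted or carries no lookalike token.

    Dots and hyphens are stripped before matching so that spellings such as
    "micro-soft" or "microsoft.teams" are still compared against the token.
    """
    host = (urlsplit(url).hostname or "").lower()
    if not host or apex_domain(host) in ALLOWED_APEX:
        return None
    flat = host.replace(".", "").replace("-", "")
    best = None  # (distance, token, window)
    for token in tokens:
        for size in range(len(token) - max_distance, len(token) + max_distance + 1):
            for i in range(len(flat) - size + 1):
                window = flat[i:i + size]
                d = levenshtein(window, token)
                if d > max_distance:
                    continue
                # Prefer the smaller distance, then the longer (more specific) token.
                if best is None or (d, -len(token)) < (best[0], -len(best[1])):
                    best = (d, token, window)
    if best is None:
        return None
    return {"host": host, "token": best[1], "seen": best[2], "distance": best[0]}


if __name__ == "__main__":
    # Constructed URLs: one lure in the style described above, two legitimate ones.
    for u in ("https://microsftteams-login.example.net/auth",
              "https://login.microsoftonline.com/",
              "https://teams.microsoft.com/l/chat"):
        print(u, "->", brand_lookalike(u))
```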

Pierluigi Paganini

(SecurityAffairs – hacking, Microsoft Team)

The post Microsoft Teams phishing campaign targeted up to 50,000 Office 365 users appeared first on Security Affairs.

US Treasury Sanctions Russian Entity Over Triton Malware

Officials Have Also Slapped Sanctions on Iran Over Disinformation
The Treasury Department has issued sanctions against a Russian research institute that U.S. officials now claim helped deploy Triton, a destructive malware designed to damage industrial control systems. The announcement follows other economic penalties levied against Iran in the same week.

Boyne Resorts ski and golf resort operator hit with WastedLocker ransomware

The systems of the US-based ski and golf resort operator were infected with the WastedLocker ransomware; the incident impacted reservation systems.

Boyne Resorts is a collection of mountain and lakeside resorts, ski areas, and attractions spanning from British Columbia to Maine. The company owns and operates eleven properties and an outdoor lifestyle equipment/apparel retail division with stores in cities throughout Michigan. An industry leader in multiple U.S. regions, operations include snowsports and year-round mountain recreation, golf, an indoor waterpark, spas, food and beverage, lodging and real estate development.

Boyne Resorts was the victim of a WastedLocker ransomware attack that impacted its reservation systems.

According to BleepingComputer, the ransomware initially breached the corporate offices and then moved laterally, targeting the IT systems of the resorts the company operates. As a result of the attack, the company was forced to shut down portions of its network to prevent the ransomware from spreading.

Customers were not able to make reservations at the resorts operated by the company.

The ransomware encrypted files and appended the “.easy2lock” extension to their names; this extension was previously associated with recent WastedLocker ransomware infections.

In July, smartwatch and wearable device maker Garmin had to shut down some of its connected services and call centers following a WastedLocker ransomware attack.

In June, security experts from Symantec reported that at least 31 organizations in the United States have been targeted with the recently discovered WastedLocker ransomware.

Researchers from NCC Group, and later Symantec, confirmed that the malware was developed by the Russian cybercrime crew known as Evil Corp, which was behind the Dridex Trojan and multiple ransomware families such as Locky, Bart, Jaff, and BitPaymer.

Most of the victims belong to the manufacturing industry, followed by IT and media and telecommunications sectors.

The group has been active since at least 2007; in December 2019, the U.S. Treasury Department imposed sanctions on Evil Corp for causing more than $100 million in financial damages.

The U.S. Department of Justice (DoJ) has charged Russian citizens Maksim V. (32) and Igor Turashev (38) for distributing the infamous Dridex banking Trojan, and for their involvement in international bank fraud and computer hacking schemes.

Ransom payments to WastedLocker are not allowed by US authorities, which means that Boyne Resorts could face severe sanctions if it pays the ransom.

Pierluigi Paganini

(SecurityAffairs – hacking, WastedLocker)

The post Boyne Resorts ski and golf resort operator hit with WastedLocker ransomware appeared first on Security Affairs.

US Treasury imposes sanctions on a Russian research institute behind Triton malware

The US Treasury Department announced sanctions against Russia’s Central Scientific Research Institute of Chemistry and Mechanics over the Triton malware.

The US Treasury Department announced sanctions against a Russian research institute for its alleged role in the development of the Triton malware.

“Today, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) designated, pursuant to Section 224 of the Countering America’s Adversaries Through Sanctions Act (CAATSA), a Russian government research institution that is connected to the destructive Triton malware.” reads a press release published by the Department of the Treasury.

Triton is a strain of malware specifically designed to target industrial control systems (ICS); it was spotted by researchers at FireEye in December 2017.

The malware was first spotted after it was employed in 2017 in an attack against a Saudi petrochemical plant owned by the privately-owned Saudi company Tasnee. According to the experts, the infection caused an explosion.

“In August 2017, a petrochemical facility in the Middle East was the target of a cyber-attack involving the Triton malware. This cyber-attack was supported by the State Research Center of the Russian Federation FGUP Central Scientific Research Institute of Chemistry and Mechanics (TsNIIKhM), a Russian government-controlled research institution that is responsible for building customized tools that enabled the attack.” continues the press release.

The Triton malware is designed to target Schneider Electric’s Triconex Safety Instrumented System (SIS) controllers that are used in industrial environments to monitor the state of a process and restore it to a safe state or safely shut it down if parameters indicate a potentially hazardous situation.

“Mandiant recently responded to an incident at a critical infrastructure organization where an attacker deployed malware designed to manipulate industrial safety systems. The targeted systems provided emergency shutdown capability for industrial processes.” reads the analysis published by FireEye in 2017.

“We assess with moderate confidence that the attacker was developing the capability to cause physical damage and inadvertently shutdown operations. This malware, which we call TRITON, is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers.”

Once they gained access to the SIS system, the threat actors deployed the TRITON malware, a circumstance that indicates they had knowledge of such systems. According to FireEye, the attackers pre-built and tested the tool, which would require access to hardware and software that is not widely available. TRITON is also designed to communicate using the proprietary TriStation protocol, which is not publicly documented; this implies that the attackers reverse engineered the protocol to carry out the attack.

The Triton malware interacts with Triconex SIS controllers; it is able to read and write programs and functions to and from the controller.


The hackers deployed the Triton malware on a Windows-based engineering workstation, and the malicious code added its own programs to the controller's execution table. In case of a failure, the malware attempts to return the controller to a running state; if that attempt fails, it also overwrites the malicious program with junk data, likely to remove any trace of the attack.

The US Treasury Department imposed sanctions on the State Research Center of the Russian Federation FGUP Central Scientific Research Institute of Chemistry and Mechanics (also known as CNIIHM or TsNIIKhM).

In October 2018, FireEye experts discovered a link between the Triton malware, tracked by the company as TEMP.Veles, and the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM), a Russian government research institute in Moscow.

FireEye collected strong evidence suggesting that the Russian CNIIHM institute has been involved in the development of some of the tools used in the Triton attack.

“FireEye Intelligence assesses with high confidence that intrusion activity that led to deployment of TRITON was supported by the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM; a.k.a. ЦНИИХМ), a Russian government-owned technical research institution located in Moscow. The following factors supporting this assessment are further detailed in this post.” reads the analysis published by FireEye.

  1. FireEye uncovered malware development activity that is very likely supporting TEMP.Veles activity. This includes testing multiple versions of malicious software, some of which were used by TEMP.Veles during the TRITON intrusion.
  2. Investigation of this testing activity reveals multiple independent ties to Russia, CNIIHM, and a specific person in Moscow. This person’s online activity shows significant links to CNIIHM.
  3. An IP address registered to CNIIHM has been employed by TEMP.Veles for multiple purposes, including monitoring open-source coverage of TRITON, network reconnaissance, and malicious activity in support of the TRITON intrusion.
  4. Behavior patterns observed in TEMP.Veles activity are consistent with the Moscow time zone, where CNIIHM is located.
  5. We judge that CNIIHM likely possesses the necessary institutional knowledge and personnel to assist in the orchestration and development of TRITON and TEMP.Veles operations.” 

Experts pointed out that Triton is linked to Russia, the CNIIHM, and an individual located in Moscow. Some of the TEMP.Veles hacking tools were tested using an unnamed online scan service. A specific user of the service, active since 2013, has tested various tools over time.

The user also tested several customized versions of widely available tools, including Metasploit, Cobalt Strike, PowerSploit, the PowerShell-based WMImplant, and cryptcat.

In many cases, the custom versions of the tools were used in TEMP.Veles attacks just days after being submitted to the testing environment.

The experts discovered that a PDB path contained in a tested file included a string that appears to be an online moniker associated with a Russia-based individual active in Russian information security communities since at least 2011.

According to a now-defunct social media profile, the individual was a professor at CNIIHM.

FireEye also discovered that one IP address registered to the Russian research institute was involved in the Triton attacks.

The sanctions prohibit US entities from engaging with CNIIHM and also seize any assets on US soil belonging to the research institute.

“The Russian Government continues to engage in dangerous cyber activities aimed at the United States and our allies,” said Secretary Steven T. Mnuchin. “This Administration will continue to aggressively defend the critical infrastructure of the United States from anyone attempting to disrupt it.”

“TsNIIKhM is being designated pursuant to Section 224 of CAATSA for knowingly engaging in significant activities undermining cybersecurity against any person, including a democratic institution, or government on behalf of the Government of the Russian Federation.” concludes the press release.

“As a result of today’s designation, all property and interests in property of TsNIIKhM that are in or come within the possession of U.S. persons are blocked, and U.S. persons are generally prohibited from engaging in transactions with them. Additionally, any entities 50 percent or more owned by one or more designated persons are also blocked. Moreover, non-U.S. persons who engage in certain transactions with TsNIIKhM may themselves be exposed to sanctions.”

On Thursday, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued a joint report that provides details about a hacking campaign of a Russian hacking group known as Energetic Bear.

The EU Council also imposed sanctions on two Russian intelligence officers for their role in the 2015 Bundestag hack.

Pierluigi Paganini

(SecurityAffairs – hacking, Triton)

The post US Treasury imposes sanctions on a Russian research institute behind Triton malware appeared first on Security Affairs.

Flare-On 7 Challenge Solutions

We are thrilled to announce the conclusion of the seventh annual Flare-On challenge. This year proved to be the most difficult challenge we’ve produced, with the lowest rate of finishers. This year’s winners are truly the elite of the elite! Lucky for them, all 260 winners will receive this cyberpunk metal key.

We would like to thank the challenge authors individually for their great puzzles and solutions:

  1. fidler – Nick Harbour (@nickharbour)
  2. garbage – Jon Erickson
  3. Wednesday – Blaine Stancill (@MalwareMechanic)
  4. report – Moritz Raabe (@m_r_tz)
  5. TKApp – Moritz Raabe (@m_r_tz)
  6. CodeIt – Mike Hunhoff (@mehunhoff)
  7. re_crowd – Chris Gardner, Moritz Raabe, Blaine Stancill
  8. Aardvark – Jacob Thompson
  9. crackinstaller – Paul Tarter (@Hefrpidge)
  10. break – Chris Gardner
  11. Rabbit Hole – Sandor Nemes (@sandornemes)

This year’s Flare-On challenge was the first to feature a live public scoreboard, so players could track their progress and the progress of previous Flare-On challenge champions. Despite this increased data at your fingertips, we are still going to bring you even more stats. As of 11:00am ET, participation was near record setting levels at 5,648 players registered. 3,574 of those players finished at least one challenge.

The U.S. reclaimed the top spot for total finishers with 22. Singapore was once again in second place, but in uncontested first place per capita, with one Flare-On finisher for every 296,000 living persons in Singapore. This is the first year we have included a per capita finishers by country chart, and we did it to highlight just what a remarkable concentration of talent exists in some corners of the world. Consistent top finisher Russia took third place, and a growing player base in Germany and Israel came into full bloom this year, with those countries edging out other frequent top five countries such as China, India and Vietnam.

All the binaries from this year’s challenge are now posted on the Flare-On website. Here are the solutions written by each challenge author:

  1. SOLUTION #1
  2. SOLUTION #2
  3. SOLUTION #3
  4. SOLUTION #4
  5. SOLUTION #5
  6. SOLUTION #6
  7. SOLUTION #7
  8. SOLUTION #8
  9. SOLUTION #9
  10. SOLUTION #10
  11. SOLUTION #11

Threat Roundup for October 16 to October 23

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between October 16 and October 23. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Read More

Reference

20201023-tru.json – this is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.

The post Threat Roundup for October 16 to October 23 appeared first on Cisco Blogs.

IoT Device Takeovers Surge 100 Percent in 2020

The COVID-19 pandemic, coupled with an explosion in the number of connected devices, has led to a surge in IoT infections observed on wireless networks.