Monthly Archives: November 2020

Why microlearning is the key to cybersecurity education

Cyber attacks are on the rise during this year of uncertainty and chaos. Increased working from home, online shopping, and use of social platforms to stay connected and sane during this year have provided criminals with many attack avenues to exploit. To mitigate the threat to their networks, systems and assets, many organizations perform some type of annual cybersecurity awareness education, as well as phishing simulations. Unfortunately, attackers are quick to adapt to changes while … More

The post Why microlearning is the key to cybersecurity education appeared first on Help Net Security.

Foiling RaaS attacks via active threat hunting

In this Help Net Security podcast, Jon DiMaggio, Chief Security Strategist at Analyst1, talks about the characteristic of attacks launched by Ransomware-as-a-Service (RaaS) gangs and how organizations can prevent them from succeeding. To make things interesting, Jon’s nine-year-old son is hosting the interview. Below is a transcript for your convenience. Damien: Hi, I’m Damien DiMaggio, and today I am interviewing Jon DiMaggio, Chief Security Strategist at Analyst1. Jon: Hi Damien. Thanks for talking with me … More

The post Foiling RaaS attacks via active threat hunting appeared first on Help Net Security.

Retail CISOs and the areas they must focus on

In this interview, Matt Cooke, cybersecurity strategist, EMEA at Proofpoint, discusses the cybersecurity challenges for retail organizations and the main areas CISOs need to focus on. Generally, are retailers paying enough attention to security hygiene? Our research has shown that the vast majority of retailers in the UK and Europe-wide simply aren’t doing enough to protect their customers from fraudulent and malicious emails – only 11% of UK retailers have implemented the recommended and strictest … More

The post Retail CISOs and the areas they must focus on appeared first on Help Net Security.

CEO Fraud

CEO Fraud / BEC is a type of targeted attack. It commonly involves a cyber criminal pretending to be your boss, then tricking you into sending the criminal highly sensitive information or initiating a wire transfer. Be highly suspicious of any email demanding immediate action and/or asking you to bypass security procedures.

Malware may trick biologists into generating dangerous toxins in their labs

An end-to-end cyber-biological attack, in which unwitting biologists may be tricked into generating dangerous toxins in their labs, has been discovered by Ben-Gurion University of the Negev researchers. Malware could replace physical contact: according to the paper, it is currently believed that a criminal needs physical contact with a dangerous substance to produce and deliver it. However, malware could easily replace a short sub-string of the DNA on a bioengineer’s computer so that … More

The post Malware may trick biologists into generating dangerous toxins in their labs appeared first on Help Net Security.

Insider Threats: Risk Assessment Considerations for Remote Work

The outbreak of COVID-19 has led many businesses to transition a large number of employees to remote work. The shift could end up becoming a long-term trend; it’s expected to continue after the pandemic ends. Therefore, it is more important than ever to develop strategies for managing and responding to risks within your organization. Internal […]… Read More

The post Insider Threats: Risk Assessment Considerations for Remote Work appeared first on The State of Security.

Worldwide SD-WAN market to reach $43 billion by 2030

Due to the rising adoption of IoT and the growing utilization of big data, the valuation of the global SD-WAN market is predicted to increase from $1.4 billion to $43 billion from 2019 to 2030. Further, the market will demonstrate a CAGR of 38.6% between 2020 and 2030, according to ResearchAndMarkets. Big data and IoT help businesses in monitoring the utilization of their products by consumers and gaining valuable insights from the analysis of this … More

The post Worldwide SD-WAN market to reach $43 billion by 2030 appeared first on Help Net Security.

The CISO’s guide to rapid vendor due diligence

Vendors are at the heart of many companies’ processes and activities, and their numbers are increasing. But the process of onboarding vendors has become complicated because of concerns about cybersecurity. In 2019, nearly half of companies experienced a significant data breach through a third party. To prevent such incidents, security professionals demand that vendors demonstrate and maintain a strong cyber posture. Rapid vendor due diligence can be challenging. This guide explains how it can be … More

The post The CISO’s guide to rapid vendor due diligence appeared first on Help Net Security.

Computer Services and Featurespace partner to launch anti-money laundering solution

To empower its customers in the fight against financial crime, Computer Services has partnered with Featurespace to launch a holistic anti-money laundering (AML) solution: WatchDOG AML. WatchDOG AML protects against financial crime by identifying suspicious activity in real-time with an enterprise transaction monitoring system. Using customizable machine learning models that utilize Featurespace’s award-winning Adaptive Behavioral Analytics, WatchDOG AML reduces false positives while predicting and adapting to new threats through anomaly detection. This allows banks and … More

The post Computer Services and Featurespace partner to launch anti-money laundering solution appeared first on Help Net Security.

Dynatrace and SAP expand partnership to help retailers drive better business outcomes

Dynatrace announced its expanded partnership with SAP will help prepare the world’s leading retailers for a successful Cyber Monday and beyond. This multi-year agreement positions Dynatrace as a strategic observability partner for SAP Commerce Cloud. This means Dynatrace’s digital experience monitoring capabilities, including real user monitoring and synthetic monitoring, and precise answers from its AI-engine, Davis, are now available for SAP Commerce Cloud, digital experience monitoring, which customers can subscribe to via the online SAP … More

The post Dynatrace and SAP expand partnership to help retailers drive better business outcomes appeared first on Help Net Security.

Internet Society and IETF agreement ensures the continuity of critical work in creating open standards

The Internet Society and the Internet Engineering Task Force (IETF) announced a new long-term strategic agreement that will ensure the continuity of the IETF’s critical work in creating open standards that make the Internet work better. The IETF has been at the center of technical innovation for the global Internet for nearly 35 years. Open standards allow devices, services, and applications to work together across the tens of thousands of interconnected networks that make up … More

The post Internet Society and IETF agreement ensures the continuity of critical work in creating open standards appeared first on Help Net Security.

Fuze awarded new patent for processing heterogeneous data streams in real time

Fuze announced that it has been awarded a new patent for processing and analyzing heterogeneous streams of communications data across multiple users and mediums, in real time. The U.S. Patent and Trademark Office (USPTO) issued Fuze U.S. Patent No. 10798191B1 on October 6, 2020. The invention enables the Fuze platform to quickly and effectively analyze all voice, meeting, messaging, and email communication data and produce a single, complete view of user activity across organizations, departments, … More

The post Fuze awarded new patent for processing heterogeneous data streams in real time appeared first on Help Net Security.

SS8 awarded two multi-million dollar Lawful Intelligence contracts

SS8 Networks has been awarded two multi-million dollar Lawful Intelligence contracts using its Intellego XT and Xcipio family of products. SS8 was awarded these contracts due to its continued effort to provide leading-edge and cost-effective solutions. Intellego XT and Xcipio comprise scalable intercept, monitoring, and data analytics solutions specifically designed for large-scale national deployments. Together these platforms provide law enforcement agencies with real-time intelligence regarding criminal and terrorist activities. SS8 is constantly … More

The post SS8 awarded two multi-million dollar Lawful Intelligence contracts appeared first on Help Net Security.

Totum Labs raises $13M to drive commercialization of its DMSS technology

Satellite IoT connectivity company Totum Labs announced it has completed a $13 million Series A financing. Heroic Ventures and Space Capital co-led the investment round with participation from existing investors, including Qualcomm Co-founder Dr. Andrew Viterbi and new strategic investor Qamcom. The investment brings Totum’s total funding since launch to $15.5 million and will enable the company to accelerate the deployment and commercialization of its low power sensor to satellite network and connectivity. Totum is … More

The post Totum Labs raises $13M to drive commercialization of its DMSS technology appeared first on Help Net Security.

Exclusive: Experts from TIM’s Red Team Research (RTR) found 6 zero-days

TIM’s Red Team Research led by Massimiliano Brolli discovered 6 new zero-day vulnerabilities in Schneider Electric StruxureWare.

Today, TIM’s Red Team Research, led by Massimiliano Brolli, disclosed 6 new vulnerabilities in the StruxureWare product. The flaws were addressed by the manufacturer, Schneider Electric, between April and November 2020.

Schneider Electric zero-days

Schneider Electric is a vendor specialized in energy and automation products, like ICS, SCADA and IoT products. StruxureWare Building Operation is a software integrated with physical devices for integrated monitoring, control, and management of energy, lighting, fire safety, and HVAC.

Below is the list of vulnerabilities discovered by TIM’s Red Team Research team (CVE ID, weakness, CVSS score):

CVE-2020-7569    Upload of File with Dangerous Type                      8.8
CVE-2020-7572    Improper Restriction of XML External Entity Reference  8.8
CVE-2020-28209   Windows Unquoted Search Path                           7.0
CVE-2020-7570    Cross-Site Scripting (Stored)                          5.4
CVE-2020-7571    Cross-Site Scripting (Reflected)                       5.4
CVE-2020-7573    Improper Access Control                                6.5

The issues were discovered during laboratory tests, promptly managed in a CVD (Coordinated Vulnerability Disclosure) process with the vendor.

The laboratory has been active for less than a year (based on the CVEs recorded in the National Vulnerability Database); in that time the experts have also discovered previously unknown vulnerabilities in products from NOKIA, Wowza, Selesta, Flexera, Oracle and Siemens.

The research team has identified a total of 31 published CVEs, an average of one CVE every 11 days. This is the result of the great work TIM is doing, especially in bug hunting, an area where the Italian cybersecurity community should do much more.

The full list of CVEs discovered by the researchers is available at the TIM Corporate websites:

TIM is a leading Italian telecom carrier and one of the few Italian industrial companies that dedicates significant effort to researching undocumented vulnerabilities; for this reason, I suggest you follow them.

Pierluigi Paganini

(SecurityAffairs – hacking, Schneider Electric)

The post Exclusive: Experts from TIM’s Red Team Research (RTR) found 6 zero-days appeared first on Security Affairs.

Threat actor leverages coin miner techniques to stay under the radar – here’s how to spot them

Cryptocurrency miners are typically associated with cybercriminal operations, not sophisticated nation state actor activity. They are not the most sophisticated type of threats, which also means that they are not among the most critical security issues that defenders address with urgency. Recent campaigns from the nation-state actor BISMUTH take advantage of the low-priority alerts coin miners cause to try and fly under the radar and establish persistence.

BISMUTH, which shares similarities with OceanLotus or APT32, has been running increasingly complex cyberespionage attacks as early as 2012, using both custom and open-source tooling to target large multinational corporations, governments, financial services, educational institutions, and human and civil rights organizations. But in campaigns from July to August 2020, the group deployed Monero coin miners in attacks that targeted both the private sector and government institutions in France and Vietnam.

Because BISMUTH’s attacks involved techniques that ranged from typical to more advanced, alerts for common threat activity like phishing and coin mining should be elevated and the affected devices inspected for advanced threats. More importantly, organizations should prioritize reducing attack surface and hardening networks against the full range of attacks. In this blog, we’ll provide in-depth technical details about the BISMUTH attacks in July and August 2020 and mitigation recommendations for building organizational resilience.

While this actor’s operational goals remained the same (establish continuous monitoring and espionage, exfiltrating useful information as it surfaced), their deployment of coin miners in their recent campaigns provided another way for the attackers to monetize compromised networks. Considering some of the group’s traditional targets are human and civil rights organizations, BISMUTH attacks demonstrate how attackers give little regard to the services they impact.

The use of coin miners by BISMUTH was unexpected, but it was consistent with the group’s longtime methods of blending in. This pattern of blending in is particularly evident in these recent attacks, starting from the initial access stage: spear-phishing emails that were specially crafted for one specific recipient per target organization and showed signs of prior reconnaissance. In some instances, the group even corresponded with the targets, building even more believability to convince targets to open the malicious attachment and start the infection chain.

The other way that BISMUTH attempted to blend in and hide in plain sight was the heavy use of DLL side-loading, a technique in which a malicious DLL carrying the name of one the application expects is placed where the application will find it first, so the malicious code runs inside the legitimate, often signed, process when that application is launched. In their recent attacks, BISMUTH utilized copies of various legitimate software to load malicious DLL files and perform tasks in the context of these legitimate applications. To perform DLL sideloading, BISMUTH introduced outdated versions of various applications, including Microsoft Defender Antivirus. They also leveraged the Sysinternals DebugView tool, the McAfee on-demand scanner, and Microsoft Word 2007.

Blending in was important for BISMUTH because the group spent long periods of time performing discovery on compromised networks until they could access and move laterally to high-value targets like servers, where they installed various tools to further propagate or perform more actions. At this point in the attack, the group relied heavily on evasive PowerShell scripts, making their activities even more covert.

The coin miners also allowed BISMUTH to hide its more nefarious activities behind threats that may be perceived to be less alarming because they’re “commodity” malware. If we learned anything from “commodity” banking trojans that bring in human-operated ransomware, we know that common malware infections can be indicators of more sophisticated cyberattacks and should be treated with urgency and investigated and resolved comprehensively.

Diagram showing BISMUTH attacker techniques across attack stages

Initial access

BISMUTH attempted to gain initial access by sending specially crafted malicious emails from a Gmail account that appears to have been made specifically for this campaign. It’s likely the group conducted reconnaissance using publicly available sources and chose individual targets based on their job function. Each email was sent to only one recipient at each target organization and used tailored subject lines and lure themes, for example:

  • Dự thảo hợp đồng (translates from Vietnamese to “Draft Contract”)
  • Ứng tuyển – Trưởng ban nghiên cứu thị trường (translates from Vietnamese to “Application form – Head of Market Research”)

Of note, the group sent several replies to one of these emails, which indicated that they corresponded with some targets before convincing them to open the malicious document attachment and inadvertently launch the payload. When opened, the malicious .doc file dropped several files in the hidden ProgramData folder: (1) MpSvc.dll, a malicious DLL with the same name as a legitimate Microsoft Defender Antivirus DLL, and (2) a copy of MsMpEng.exe, the legitimate Microsoft Defender Antivirus executable.

The malicious document then added a scheduled task that launched the MsMpEng.exe copy and sideloaded the malicious MpSvc.dll. Because the latest versions of Microsoft Defender Antivirus are no longer susceptible to DLL sideloading, BISMUTH used an older copy to load the malicious DLL and establish a persistent command-and-control (C2) channel to the compromised device and consequently the network.

Using the newly established channel, the group dropped several files for the next stages of the attack, including a .7z archive, a copy of Word 2007, and another DLL, wwlib.dll. While it used the same name as a legitimate Microsoft Word DLL, wwlib.dll was a copy of KerrDown, a family of custom malware exclusive to BISMUTH. This file was subsequently sideloaded by the dropped copy of Word 2007—a technique used by BISMUTH extensively to load malicious code from a DLL file in the context of a legitimate process like winword.exe.

BISMUTH established another persistence method by dropping another copy of Word 2007 in a subfolder in ProgramData. The group then created a scheduled task that launched that copy in the same malicious manner every 60 minutes – further increasing their chances of going undetected and maintaining their presence.
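The chain described above (a dropped, outdated copy of a signed executable, a look-alike DLL next to it, and a scheduled task that relaunches the copy) can be hunted for with fairly simple telemetry rules. The following Python script is an added example, not tooling from the Microsoft write-up: it runs over constructed, Sysmon-style process-creation, image-load and scheduled-task records and flags each stage of the pattern. The host-to-DLL map, the trusted install roots, the Defender platform version folder and every event record are assumptions made for the example.

```python
"""Hunt for DLL sideloading via dropped copies of legitimate executables.

Added example, not the Microsoft write-up's own tooling.  The event records
below are constructed in a Sysmon-like shape (process creation, image load,
scheduled-task registration); the host/DLL map and trusted roots are
assumptions you would replace with your own inventory.
"""
import ntpath

# Executables the write-up names as sideloading hosts, mapped to the DLL each
# one is known to load from its own directory.  An empty set means "any DLL
# loaded from the executable's own directory is suspect" (assumption).
SIDELOAD_HOSTS = {
    "msmpeng.exe": {"mpsvc.dll"},   # Microsoft Defender Antivirus engine
    "winword.exe": {"wwlib.dll"},   # Word 2007
    "dbgview.exe": {"mpr.dll"},     # Sysinternals DebugView
    "mcods.exe":   set(),           # McAfee on-demand scanner
}

# Directories in which these binaries are legitimately installed (assumption).
# ProgramData by itself is not suspicious: the Defender platform folder lives
# there, so that prefix is trusted while the rest of ProgramData is not.
TRUSTED_ROOTS = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\programdata\\microsoft\\windows defender\\platform\\",
    "c:\\windows\\system32\\",
)


def _norm(path):
    """Lower-case and backslash-normalise a Windows path for comparison."""
    return path.replace("/", "\\").lower()


def is_trusted_location(path):
    """True if the path sits under one of the known install roots."""
    p = _norm(path)
    return any(p.startswith(root) for root in TRUSTED_ROOTS)


def analyze(events):
    """Return one finding per event that matches the sideloading pattern."""
    findings = []
    for ev in events:
        if ev["event"] == "ProcessCreate":
            exe = ntpath.basename(_norm(ev["image"]))
            if exe in SIDELOAD_HOSTS and not is_trusted_location(ev["image"]):
                findings.append({"kind": "dropped_host", "pid": ev["pid"],
                                 "detail": ev["image"]})
        elif ev["event"] == "ImageLoad":
            exe = ntpath.basename(_norm(ev["image"]))
            if exe not in SIDELOAD_HOSTS:
                continue
            dll = ntpath.basename(_norm(ev["loaded"]))
            same_dir = (ntpath.dirname(_norm(ev["loaded"]))
                        == ntpath.dirname(_norm(ev["image"])))
            expected = SIDELOAD_HOSTS[exe]
            if (same_dir and (not expected or dll in expected)
                    and not is_trusted_location(ev["loaded"])):
                findings.append({"kind": "sideload", "pid": ev["pid"],
                                 "detail": f"{exe} loaded {ev['loaded']}"})
        elif ev["event"] == "TaskCreate":
            # Assumes the task action is a bare executable path (no arguments).
            exe = ntpath.basename(_norm(ev["command"]))
            if exe in SIDELOAD_HOSTS and not is_trusted_location(ev["command"]):
                findings.append({"kind": "persistence", "task": ev["task"],
                                 "detail": f"{ev['trigger']} -> {ev['command']}"})
    return findings


# Constructed sample telemetry (not real campaign data).
DEFENDER_DIR = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2010.7-0"
SAMPLE_EVENTS = [
    {"event": "ProcessCreate", "pid": 4120, "image": DEFENDER_DIR + "\\MsMpEng.exe"},
    {"event": "ProcessCreate", "pid": 5008, "image": "C:\\ProgramData\\Sync\\MsMpEng.exe"},
    {"event": "ImageLoad", "pid": 5008, "image": "C:\\ProgramData\\Sync\\MsMpEng.exe",
     "loaded": "C:\\ProgramData\\Sync\\MpSvc.dll"},
    {"event": "ImageLoad", "pid": 4120, "image": DEFENDER_DIR + "\\MsMpEng.exe",
     "loaded": DEFENDER_DIR + "\\MpSvc.dll"},
    {"event": "ImageLoad", "pid": 6112, "image": "C:\\ProgramData\\Office\\winword.exe",
     "loaded": "C:\\ProgramData\\Office\\wwlib.dll"},
    {"event": "TaskCreate", "task": "\\Microsoft\\Windows\\Sync", "trigger": "every 60 min",
     "command": "C:\\ProgramData\\Office\\winword.exe"},
    {"event": "TaskCreate", "task": "\\Microsoft\\Office\\Updates", "trigger": "daily",
     "command": "C:\\Program Files\\Microsoft Office\\root\\Office16\\winword.exe"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f)
```

The legitimate Defender process, its DLL load from the platform folder and the Office scheduled task produce no findings; the dropped MsMpEng.exe copy, both sideloaded DLLs and the hourly Word task do. DebugView is a portable tool, so any copy of it will match the first rule; treat that finding as a lead to triage rather than a verdict.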


Once established as a scheduled task, the co-opted Word 2007 process dropped and loaded a scanning tool popular among attackers, NbtScan.exe. BISMUTH then immediately used the scanning tool to scan an IP address range within the organization. Following this network scan, the Word 2007 process launched a malicious script using a living-off-the-land-binary, rundll32.exe, resulting in a scan on a myriad of common ports, including 21, 22, 389, 139, and 1433. BISMUTH listed devices with open ports in a .csv file.

While network scanning was underway, the group performed other reconnaissance activities. They gathered information about domain and local administrators, checked whether users had local administrative privileges, and collected device information—aggregating results in a .csv for exfiltration. In addition, the group once again used MsMpEng.exe with the malicious sideloaded DLL to connect to another device that appears to have been designated by BISMUTH at some point during the attack as an internal C2 foothold and exfiltration staging device.

Continued lateral movement, discovery, and intel gathering

After a month of continual discovery on compromised devices, the group moved laterally to a server and copied over a malicious DLL that masqueraded as the system file mpr.dll and a copy of the Sysinternals DebugView tool. They dropped the tool onto different devices using SMB remote file copy, using file names related to popular Japanese video game characters and a seemingly random word. The actors then registered and launched malicious services multiple times, launching the DebugView tool to connect to multiple Yahoo websites and confirm Internet connectivity, followed by a connection to their C2 infrastructure.

At this point, BISMUTH switched to running their attacks using PowerShell, quickly launching multiple script cmdlets. First, they dumped credentials from the Security Account Manager (SAM) database using the Empire PowerDump command and then quickly deleted PowerShell event logs to erase records generated by Script Block Logging. They then continued their discovery efforts using a PowerShell script that gathered user and group information and sent the gathered data to .csv files.

The script collected the following information about each user:

description, distinguishedname, lastlogontimestamp, logoncount, mail, name, primarygroupid, pwdlastset, samaccountname, userprincipalname, whenchanged, whencreated

And the following information about each domain group:

adspath, description, distinguishedname, groupType, instancetype, mail, member, memberof, name, objectsid, samaccountname, whenchanged, whencreated

Next, the group exported directory forest and domain organizational unit (OU) information. They then started connecting to dozens of devices using WMI. Following that, they collected credentials by dumping security logs under Event ID 680 (the pre-Windows Vista equivalent of event ID 4776, NTLM credential validation), possibly targeting logs related to NTLM fallbacks. Lastly, the group used the system tool Nltest.exe to gather domain trust info and pinged multiple servers they had identified by name during reconnaissance. Some of these servers appear to be database and file servers that could have contained high-value information for espionage objectives typically pursued by BISMUTH.

BISMUTH then installed a Cobalt Strike beacon. The group dropped a .rar file and extracted its contents—McOds.exe, which is a copy of the McAfee on-demand scanner, and a malicious DLL—into the SysWOW64 folder. The group then created a scheduled task that launched the copy of the McAfee on-demand scanner with SYSTEM privileges and sideloaded the malicious DLL. This persistence mechanism established a connection to their Cobalt Strike server infrastructure. To clean up evidence, they deleted the dropped McAfee binary.

In terms of targets for this campaign, there were some commonalities among targets located in Vietnam that Microsoft has assessed to be tied to their previous designation as state-owned enterprises (SOEs). The observed BISMUTH activity in Vietnam targeted organizations that included former SOEs previously operated by the government of Vietnam, entities that have acquired a significant portion of a former SOE, and entities that conduct transactions with a Vietnamese government agency. Although the group’s specific objectives for these recent attacks cannot be defined with high confidence, BISMUTH’s past activities have included operations in support of broader espionage goals.

Coin miner deployment and credential theft

As mentioned, BISMUTH deployed coin miners during these attacks. To do this, they first dropped a .dat file and loaded the file using rundll32.exe, which in turn downloaded a copy of the 7-zip tool named 7za.exe and a ZIP file. They then used 7-Zip to extract a Monero coin miner from the ZIP file and registered the miner as a service named after a common Virtual Machine process. Each coin miner they deployed had a unique wallet address that earned over a thousand U.S. dollars combined during the attacks.

After deploying coin miners as their distraction technique, BISMUTH then focused much of its efforts on credential theft. They registered multiple malicious services whose image path started with %comspec%, the environment variable that expands to the path of cmd.exe and is commonly used by attackers, to run the renamed DebugView tool while loading a malicious DLL. The group used DebugView and the malicious DLL in a fairly unexpected fashion to launch Base64-encoded Mimikatz commands through one of several Windows binaries: makecab.exe, systray.exe, w32tm.exe, bootcfg.exe, diskperf.exe, esentutl.exe, and typeperf.exe.

They ran the following Mimikatz commands that require SYSTEM or Debug privileges:

  • sekurlsa::logonpasswords full: lists all account and user password hashes, typically user and computer credentials for recently logged on users
  • lsadump::lsa /inject: injects LSASS to retrieve credentials and request the LSA Server to grab credentials from the Security Account Manager (SAM) database and Active Directory (AD)

After running these commands, the co-opted DebugView tool connected to multiple attacker-controlled domains, likely to exfiltrate stolen credentials.
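Two traits of the credential-theft stage above are cheap to check in telemetry: a service whose image path starts with %comspec% rather than a service binary, and a Base64 blob handed to a binary such as w32tm.exe or makecab.exe that decodes to Mimikatz module::command syntax. The Python below is an added example, not Microsoft's detection content; it runs over constructed records shaped like System event 7045 (service installed) and process-creation events. The list of launcher binaries is the one in the write-up; the assumption that none of them takes a Base64 argument in normal use is the analyst's, and both UTF-16LE and UTF-8 are tried because the write-up does not say which encoding the actor used.

```python
"""Spot Mimikatz launched through encoded arguments to unexpected binaries.

Added example, not tooling from the Microsoft write-up.  Service records are
shaped like System event 7045 (service installed) and process records like a
process-creation event; all of them are constructed below.  The list of
"odd host" binaries comes from the write-up; the assumption that none of them
takes a base64 argument in normal use is the analyst's, not Microsoft's.
"""
import base64
import binascii
import ntpath
import re

# Binaries the write-up lists as launchers for encoded Mimikatz commands.
ODD_HOSTS = {"makecab.exe", "systray.exe", "w32tm.exe", "bootcfg.exe",
             "diskperf.exe", "esentutl.exe", "typeperf.exe"}

# module::command syntax used by Mimikatz.
MIMIKATZ_RE = re.compile(
    r"\b(sekurlsa|lsadump|privilege|kerberos|token|crypto|vault|misc)::[a-z_]+", re.I)

# A standalone run of base64 alphabet characters, 16 or longer, with padding.
B64_RE = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])")


def decode_candidates(text):
    """Return printable strings hidden as base64 in text.

    UTF-16LE (what PowerShell's -EncodedCommand expects) and UTF-8 are both
    tried; a decode that yields non-printable characters is discarded.
    """
    out = []
    for m in B64_RE.finditer(text):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue
        for enc in ("utf-16-le", "utf-8"):
            try:
                s = raw.decode(enc)
            except UnicodeDecodeError:
                continue
            if s.isprintable():
                out.append(s)
    return out


def _reasons(text, exe=None):
    reasons = []
    decoded = decode_candidates(text)
    for s in decoded:
        hits = sorted({m.group(0) for m in MIMIKATZ_RE.finditer(s)})
        if hits:
            reasons.append("encoded argument decodes to Mimikatz call(s): " + ", ".join(hits))
    if exe in ODD_HOSTS and decoded:
        reasons.append(f"{exe} given a base64 argument it does not normally take")
    return reasons


def suspicious_service(rec):
    """Reasons a 7045 record looks like the BISMUTH %comspec% service."""
    path = rec["image_path"].strip()
    reasons = []
    if path.lower().startswith("%comspec%"):
        reasons.append("ImagePath launches through %COMSPEC% (cmd.exe) rather than a service binary")
    reasons += _reasons(path)
    return reasons


def suspicious_process(rec):
    """Reasons a process-creation record looks like an encoded Mimikatz launch."""
    exe = ntpath.basename(rec["image"]).lower()
    return _reasons(rec["command_line"], exe)


def triage(services, processes):
    findings = []
    for rec in services:
        r = suspicious_service(rec)
        if r:
            findings.append({"source": "7045", "name": rec["service"], "reasons": r})
    for rec in processes:
        r = suspicious_process(rec)
        if r:
            findings.append({"source": "process", "name": rec["command_line"], "reasons": r})
    return findings


def _b64(s, utf16=False):
    """Build the constructed samples' encoded arguments."""
    return base64.b64encode(s.encode("utf-16-le" if utf16 else "utf-8")).decode()


# Constructed samples (not real campaign data).
SAMPLE_SERVICES = [
    {"service": "WinSync", "image_path": "%COMSPEC% /c C:\\Windows\\Temp\\yoshi.exe -l"},
    {"service": "Spooler", "image_path": "C:\\Windows\\System32\\spoolsv.exe"},
]
SAMPLE_PROCESSES = [
    {"image": "C:\\Windows\\System32\\w32tm.exe",
     "command_line": "w32tm.exe " + _b64("privilege::debug sekurlsa::logonpasswords full exit")},
    {"image": "C:\\Windows\\System32\\makecab.exe",
     "command_line": "makecab.exe " + _b64("lsadump::lsa /inject", utf16=True)},
    {"image": "C:\\Windows\\System32\\w32tm.exe", "command_line": "w32tm.exe /query /status"},
    {"image": "C:\\Windows\\System32\\typeperf.exe",
     "command_line": 'typeperf.exe "\\Processor(_Total)\\% Processor Time" -sc 1'},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_SERVICES, SAMPLE_PROCESSES):
        print(f)
```

The benign Spooler service, the ordinary w32tm.exe query and the typeperf.exe counter collection produce nothing; the %comspec% service and the two encoded launches are each reported with the decoded Mimikatz calls. Any 7045 whose ImagePath starts with %comspec% deserves a look even without an encoded payload, which is why that rule fires on its own.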

As the affected organizations worked to evict BISMUTH from their networks, Microsoft security researchers saw continued activity involving lateral movement to other devices, credential dumping, and planting of multiple persistence methods. This highlights the complexity of responding to a full-blown intrusion and the significance of taking quick action to resolve alerts that flag initial stages of an attack.

Building organizational resilience against attacks that blend in

BISMUTH attacks put strong emphasis on hiding in plain sight by blending in with normal network activity or with common threats that attackers anticipate will get low-priority attention. The combination of social engineering and the use of legitimate applications to sideload malicious DLLs calls for multiple layers of protection focused on stopping threats at the earliest possible stage and mitigating the progression of attacks if they manage to slip through. Here are mitigation recommendations that organizations can implement to limit exposure:

Limit the attack surface that attackers can leverage for initial access:

  • Educate end users about protecting personal and business information in social media, filtering unsolicited communication, identifying lures in spear-phishing email, and reporting of reconnaissance attempts and other suspicious activity.
  • Configure Office 365 email filtering settings to ensure blocking of phishing & spoofed emails, spam, and emails with malware. Set Office 365 to recheck links on click and delete sent mail to benefit from newly acquired threat intelligence.
  • Turn on attack surface reduction rules, including rules that can block advanced macro activity, executable content, process creation, and process injection initiated by Office applications.
  • Disallow macros or allow only macros from trusted locations. See the latest security baselines for Office and Office 365.
  • Check perimeter firewall and proxy to restrict servers from making arbitrary connections to the internet to browse or download files. Such restrictions help inhibit malware downloads and command-and-control activity.

Build credential hygiene to reduce risk during discovery stage:

  • Enforce strong, randomized local administrator passwords. Use tools like LAPS.
  • Practice the principle of least-privilege and maintain credential hygiene. Avoid the use of domain-wide, admin-level service accounts.
  • Require multi-factor authentication through Windows Hello.

Stop attack sprawl and contain attacker movement:

  • Turn on cloud-delivered protection and automatic sample submission on Microsoft Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.
  • Turn on tamper protection features to prevent attackers from stopping security services.
  • Monitor for clearing of event logs. Windows generates security event ID 1102 when the Security log is cleared; clearing any other log, such as the PowerShell operational log BISMUTH emptied, is recorded as event ID 104 in the System log.
  • Determine where highly privileged accounts are logging on and exposing credentials. Monitor and investigate logon events (event ID 4624) for logon type attributes: interactive, remote interactive, batch and service logons leave reusable credentials on the host, while network logons (type 3) do not. Highly privileged accounts should not be present on workstations.
  • Utilize the Microsoft Defender Firewall, intrusion prevention devices, and your network firewall to prevent RPC and SMB communication among endpoints whenever possible. This limits lateral movement as well as other attack activities.
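The two monitoring items in the list above are simple enough to express as a rule over event records. The Python below is an added example, not Microsoft's detection content: it runs over constructed Security 4624, Security 1102 and System 104 records and reports every log clearance plus every logon by a privileged account on a workstation using a logon type that caches credentials. The privileged-account list and the "WS-" hostname convention are assumptions to be replaced with your own inventory.

```python
"""Two of the monitoring recommendations above, run over constructed events.

Added example, not Microsoft's detection content.  Records mimic Security
event 4624 (logon), Security event 1102 (Security log cleared) and System
event 104 (any other log cleared).  The privileged-account list and the
host naming convention are assumptions to be replaced with your own.
"""
import re

# Accounts whose credentials must never land on a workstation (assumption:
# populated from your tier-0 / Domain Admins inventory).
PRIVILEGED_ACCOUNTS = {"corp\\administrator", "corp\\da-jsmith"}

# Assumption: workstation hostnames start with "WS-".
WORKSTATION_RE = re.compile(r"^ws-", re.I)

# Logon types that leave reusable credentials in LSASS on the target host.
# Type 3 (network) does not, so a DA reaching a file share is not flagged.
CREDENTIAL_CACHING_LOGON_TYPES = {
    2: "Interactive", 4: "Batch", 5: "Service",
    10: "RemoteInteractive", 11: "CachedInteractive",
}


def triage(events):
    """Return findings for log clearing and credential-exposing privileged logons."""
    findings = []
    for ev in events:
        eid = ev["event_id"]
        if eid == 1102:
            findings.append({"kind": "log_cleared", "host": ev["host"],
                             "detail": f"Security log cleared by {ev['account']}"})
        elif eid == 104:
            # 1102 only covers the Security log; PowerShell/Operational and
            # other channels report clearing here, in the System log.
            findings.append({"kind": "log_cleared", "host": ev["host"],
                             "detail": f"{ev['channel']} log cleared by {ev['account']}"})
        elif eid == 4624:
            acct = ev["account"].lower()
            ltype = ev["logon_type"]
            if (acct in PRIVILEGED_ACCOUNTS
                    and ltype in CREDENTIAL_CACHING_LOGON_TYPES
                    and WORKSTATION_RE.match(ev["host"])):
                findings.append({"kind": "privileged_logon", "host": ev["host"],
                                 "detail": f"{ev['account']} {CREDENTIAL_CACHING_LOGON_TYPES[ltype]} "
                                           f"(type {ltype}) logon exposes credentials on a workstation"})
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"event_id": 4624, "host": "WS-FIN-017", "account": "CORP\\jdoe", "logon_type": 2},
    {"event_id": 4624, "host": "WS-FIN-017", "account": "CORP\\da-jsmith", "logon_type": 10},
    {"event_id": 4624, "host": "WS-FIN-017", "account": "CORP\\da-jsmith", "logon_type": 3},
    {"event_id": 4624, "host": "SRV-DC01", "account": "CORP\\da-jsmith", "logon_type": 2},
    {"event_id": 1102, "host": "SRV-FILE02", "account": "CORP\\da-jsmith"},
    {"event_id": 104, "host": "WS-FIN-017", "account": "CORP\\jdoe",
     "channel": "Microsoft-Windows-PowerShell/Operational"},
    {"event_id": 4624, "host": "WS-FIN-017", "account": "CORP\\svc-backup", "logon_type": 5},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f)
```

Only the domain admin's RDP session to the workstation, the Security log clearance and the PowerShell log clearance are reported; the same admin's network logon to the workstation and interactive logon to the domain controller, the ordinary user's logons and the non-privileged service logon are not.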

To better defend organizations against attacks that do everything to blend in once they gain access to a network, organizations can build defenses for preventing and blocking attacks at the initial access stage. Microsoft Defender for Office 365 provides defense capabilities that protect organizations from threats like credential phishing, business email compromise, and cyberattacks that begin with spear-phishing emails. Safe attachments and Safe links provide real-time protection using a combination of detonation, automated analysis, and machine learning, which are especially useful for highly targeted, specially crafted emails. Campaign views show the complete picture of email campaigns, including timelines, sending patterns, impact to the organization, and details like IP addresses, senders, URLs.

The broader Microsoft 365 Defender presents cross-domain threat intelligence and actionable information in consolidated incidents view, empowering security operations teams to comprehensively respond to attacks. For critical threats like BISMUTH campaigns, Microsoft researchers publish threat analytics reports that contain technical details, detection info, and mitigation status. Investigation tools like advanced hunting allow security teams to perform additional inspection of the environment for related or similar threats. Threat and vulnerability management data show mitigation recommendations, including enabling relevant attack surface reduction rules, that organizations can take to reduce risks.

These industry-leading capabilities in Microsoft 365 Defender are backed by Microsoft’s network of researchers and security experts who monitor the threat landscape and track threat actors like BISMUTH. Through Microsoft 365 Defender, we transform threat intelligence into protections and rich investigation tools that organizations can use to build organizational resilience. Learn how you can stop attacks through automated, cross-domain security and built-in AI with Microsoft 365 Defender.


Justin Carroll and Emily Hacker, Microsoft 365 Defender Threat Intelligence Team

with Microsoft Threat Intelligence Center (MSTIC)


MITRE ATT&CK techniques observed

Initial access



Privilege escalation

Defense evasion

Credential access



Data exfiltration

The post Threat actor leverages coin miner techniques to stay under the radar – here’s how to spot them appeared first on Microsoft Security.

Sizing Up Synthetic DNA Hacking Risks

Study Describes How a Supply Chain Attack Might Work
Could hackers inject malicious code that compromises the synthetic DNA supply chain and ultimately tricks bioengineers into inadvertently developing dangerous viruses or toxins? A new research report says that's a growing concern and calls for robust security measures.

Exploring malware to bypass DNA screening and lead to ‘biohacking’ attacks

Boffins from the Ben-Gurion University of the Negev described a new cyberattack on DNA scientists that could open to biological warfare.

A team of researchers from the Ben-Gurion University of the Negev described a new cyberattack on DNA scientists that could open to biological warfare.

Scientists play a crucial role in modern society, especially during the COVID-19 pandemic.

A research paper titled “Cyberbiosecurity: Remote DNA Injection Threat in Synthetic Biology”, published in the academic journal Nature Biotechnology, documents how malware on a biologist’s computer could replace sub-strings in the DNA sequences the biologist orders from a synthesis provider.

Threat actors could exploit weaknesses in the Screening Framework Guidance for Providers of Synthetic Double-Stranded DNA and in the Harmonized Screening Protocol v2.0 to circumvent the screening these documents prescribe.

The experts explained that every time biologists place a DNA order with a synthetic gene provider, the US Department of Health and Human Services (HHS) guidance recommends screening protocols that scan the order for potentially harmful DNA.

The researchers used DNA obfuscation, modeled on the code obfuscation used by malware, to circumvent these protocols: in their tests, 16 out of 50 obfuscated DNA samples were not detected by the screening.

“Eve is a cyber-criminal targeting Alice. Eve can easily infect Alice’s vulnerable computers with malware. Eve replaces all or part of Alice’s order with a malicious sequence (Fig. 1). Eve employs DNA obfuscation — inspired by cyber-hacking malicious code obfuscation — to camouflage fragments of the pathogenic DNA in the hijacked order.” reads the research paper. “Bob will not detect the malicious DNA; with obfuscation, best-match-based screening procedures will return legitimate matches for any 200 bp subsequence. Eve’s sequences can contain all of the necessary constituents to subsequently deobfuscate themselves in vivo via CRISPR–Cas9-mediated deletion and homology-directed repair.”

The researchers also explained that threat actors could carry out man-in-the-browser attacks against software used to design and manage synthetic DNA projects to inject arbitrary DNA strings into genetic orders.

Malicious DNA injection performed by a remote cyber-criminal

The researchers explained that the obfuscated sequence is restored by the Cas9 protein once inside the cell, turning it back into a pathogenic sequence.

“If Alice or her clients insert the plasmid containing the obfuscated agent into Cas9-expressing cells, the DNA, deobfuscated by CRISPR–Cas9, will allow the expression of the gene encoding a noxious agent. This threat is real” continues the paper.

“To regulate both intentional and unintentional generation of dangerous substances, most synthetic gene providers screen DNA orders which is currently the most effective line of defense against such attacks,” states Rami Puzis, head of the BGU Complex Networks Analysis Lab. “Unfortunately, the screening guidelines have not been adapted to reflect recent developments in synthetic biology and cyberwarfare.”

Pierluigi Paganini


The post Exploring malware to bypass DNA screening and lead to ‘biohacking’ attacks appeared first on Security Affairs.

The Multi-Million Pound Manchester United Hack

Earlier this year I wrote a blog post about the Manchester City Billion Pound Hack, which explored cyberattacks within elite football. Now it is the turn of City's big rivals Manchester United, who reported that their IT systems had been impacted by a cyber-attack, widely reported in the UK media as a cyber-extortion attack.

In the last couple of years, cybercriminals have significantly ramped up their targeting of UK businesses with cyber-extortion attacks, using ransomware and confidential data theft to pressure victims into paying large ransoms anonymously in Bitcoin. Many businesses have been quick to pay ransoms after their operations ground to a halt because ransomware rendered their IT systems unusable, and also to stop the cybercriminals from dumping their confidential data on the internet.

In July 2020 the UK National Cyber Security Centre (NCSC) specifically warned in a report that cybercriminals were targeting UK sports teams with ransomware attacks. The NCSC report cited a ransomware attack against an unnamed English Football League club which crippled its IT systems to the extent that the turnstiles stopped working, almost leading to the cancellation of a league fixture that would have cost the club hundreds of thousands of pounds in lost income. The NCSC reported that it suspected the attackers gained access to the football club's network either through a phishing email or through a remote access system connected to the club's CCTV, and then used that access to spread ransomware across the club's entire IT network. It is understood the cybercriminals behind the attack demanded 400 bitcoin (over £300,000), which was not paid. It seems Manchester United have been targeted similarly.

In a statement on 20th November 2020, Manchester United stated, 

'Manchester United can confirm that the club has experienced a cyber attack on its systems. The club has taken swift actions to contain the attack and is currently working with expert advisers to investigate the incident and minimize the ongoing IT disruption.

Although this is a sophisticated operation by organized cyber criminals, the club has extensive protocols and procedures in place for such an event and had rehearsed for this risk. Our cyber defenses identified the attack and shut down affected systems to contain the damage and protect data.'

Despite the assurances in the statement, the cyber-attack does not appear to have been fully contained and recovered from yet: both the Daily Mirror and the Daily Mail reported, on 28th and 29th November 2020 respectively, that hackers had accessed the club's scouting system's 'confidential information on targets and scouting missions'. Several UK newspapers also reported that the club's email system remains disabled.

As yet, no details have been released about the cyberattack's ingress method, the malware used or the suspected perpetrators. When asked for details, Man Utd stated: 'The club will not be commenting on speculation regarding who may have been responsible for this attack or the motives behind it.' Without any details of the cyberattack being released by the club or leaked, it is difficult to draw conclusions at this stage, but we can speculate.

The likely suspect is a variant of the Ryuk ransomware, possibly orchestrated by the Ryuk criminal group, particularly given the reported resurgence of the Emotet trojan last month; Emotet is a common dropper of ransomware. It was a new variant of the Ryuk ransomware that was behind the cyberattack on digital services firm Sopra Steria in October 2020. Another common culprit in ransomware attacks is Trickbot; however, Microsoft and its partners took action last month to disrupt the Trickbot botnet.

No details have been released on how much this incident is costing Manchester United, nor on the ransom being demanded. The media have speculated that the ransom is in the millions, likely based on the recent NCSC report, which stated that an EFL club faced a £5 million ransom from cyber attackers.

If this attack is found to have breached Manchester United fans' data protection rights under the UK Data Protection Act (GDPR), the club could face a fine of up to £18m or 2% of its total annual worldwide turnover from the UK Information Commissioner's Office. Further, given Manchester United is listed on the New York Stock Exchange, the club could face additional penalties under US legislation if it decides to pay the ransom; that fine could be up to £15m ($20m).

The US Office of Foreign Assets Control (OFAC) warned that paying the ransom demand would only boost the criminals’ finances and encourage them to strike again elsewhere, stating, 

‘Facilitating a ransomware payment that is demanded as a result of malicious cyber activities may enable criminals and adversaries with a sanctions nexus to profit and advance their illicit aims.

Ransomware payments may also embolden cyber actors to engage in future attacks'

The last sentence of the OFAC statement is the essential point: with many organisations giving in to cyber-extortion demands and paying up, those payments are fuelling further attacks.

If it were made illegal in the UK to make a cyber-extortion payment, that law would remove the temptation to give up on recovery and pay the ransom, and it would also push UK organisations into investing in and deploying the appropriate level of cybersecurity controls to counter the risk, as there are simple security controls which can adequately thwart the risk of successful ransomware and data theft attacks. The simple truth is that most ransomware and data theft attacks aren't really 'sophisticated'; successful attacks can be prevented by applying security control basics, such as continually patching IT systems (especially internet-facing remote access VPN appliances), deploying and keeping anti-virus up to date, blocking suspicious external emails, and ensuring staff have a good level of security awareness, particularly in their ability to spot phishing emails.

Without changing global criminal threat actors' 'reward vs effort' reasoning, we can expect to see further high-profile businesses like Manchester United targeted with cyber-extortion attacks, which ultimately cause significant reputational and financial damage to those organisations.

Denmark News Agency Refuses to Pay Hacker’s Ransom


Denmark’s largest news agency has refused to pay a ransom to cyber-criminals who attacked its computer system with ransomware. 

Wire service Ritzau was knocked offline following an attack that occurred early last week. The incident infected roughly a quarter of the agency's 100 servers with malware, causing editorial systems to be shut down.

Copenhagen-based Ritzau, which has been providing the Danish media, organizations, and companies with text and images since 1866, said it had been forced to transfer its emergency distribution to clients to six live blogs “which provide a better overview.”

CEO of Ritzau, Lars Vesterloekke, revealed that the agency had no clear idea of how much the attackers were demanding in return for the restoration of Ritzau's encrypted files. Vesterloekke said that the agency had been instructed by its advisers not to open "a file with a message" left behind by whoever was responsible for the "professional attack."

The news agency said that it was "hit by a serious hacker attack on Tuesday." The attack's instigators are yet to be identified.

An external computer forensics company has been hired by Ritzau to assist the company's own IT department with recovering from the disruption caused by the attack. 

"Ritzau's web service with distribution of news to media customers is now up and online again," the news agency said in a statement published on its restored website. "The web service is in its first version without images and other associated formats.”

The news service said that it is still working toward a full technical recovery and added that its news app is not yet back up and running. 

“As soon as there is a known time horizon for when the news app will be up again, we will announce it,” said Ritzau.

"All resources are still being put into getting the systems back in operation, and we very much regret the inconvenience that the hacker attack has caused our customers due to lack of distribution and deliveries.”

Throughout its long history, the Danish news service has been quick to embrace new technology, including the telephone that came to Copenhagen in 1881, the cable remote printer that came to Denmark in the 1930s, and the internet, which took the country by storm in the late 1990s. 

Ransomware Attack on Baltimore County Schools


A ransomware attack orchestrated two days before Thanksgiving has forced the Baltimore County Public School System to be shut down.

Online classes for 115,000 students were disrupted as a result of what school officials are calling a “catastrophic attack on our technology system.”

While specific details of the attack have not yet been shared, The Baltimore Sun reports that the school board meeting video stream dropped out suddenly toward the end of Tuesday night. 

Teachers entering grades into the school system's computer system said on social media that they began experiencing technical difficulties at around 11:30 pm Tuesday.

The district's website, email system, and grading system have all been impacted by the incident. It is not yet clear whether any student data was exposed to unauthorized third parties.

School officials said on social media that files that were encrypted in the incident have a .ryuk extension, suggesting that Ryuk ransomware has been used by the attackers. This suggestion has not been confirmed by authorities or local officials. 

Officials kept their comments on the incident to a minimum, confirming that an attack took place, that an investigation has been launched into it, and that the school system is working with state and federal law enforcement and the Maryland Emergency Management Agency.

Baltimore County Police Chief Melissa Hyatt told the Baltimore Sun simply that "we are in the preliminary steps of that investigation."

Schools in the county were closed for students today and will remain so tomorrow. However, school offices are being kept open to help staff find a way to keep teaching students whose education has already been fundamentally altered by the outbreak of COVID-19.

In a tweet, the school system said that keeping offices open will provide "much-needed time for our staff to continue working to set up the instructional platform and to communicate next steps regarding devices."

Superintendent Darryl L. Williams was unable to confirm when online classes will be able to resume.

The incident follows a number of ransomware attacks on school systems in the United States, including a September attack on the Fairfax County Public School System in Virginia. 

Data Stolen from America’s Largest Fertility Clinic Operator


Data including Social Security numbers has been stolen from the largest fertility clinic operator in the United States in a cyber-attack. 

US Fertility runs 55 clinics at various locations in 10 of America's 50 states. The company, established in May 2020, is the result of a partnership between private equity firm Amulet Capital Partners and Shady Grove Fertility.

Cyber-criminals attacked US Fertility's network with ransomware in September, impacting almost half of its locations. The company responded by taking a number of its servers and workstations offline, launching an investigation into the incident, and notifying federal law enforcement.

The company provided notice of the incident on November 25, stating: "On September 14, 2020, USF experienced an IT security event (the "Incident") that involved the inaccessibility of certain computer systems on our network as a result of a malware infection. We responded to the Incident immediately and retained third-party computer forensic specialists to assist in our investigation.

"Through our immediate investigation and response, we determined that data on a number of servers and workstations connected to our domain had been encrypted by ransomware."

Digital forensic specialists found that although the ransomware had been triggered on September 14, the attackers had first gained access to US Fertility's network a month earlier, on August 12. 

During the weeks they spent inside the network, the attackers had access to files that contained patient data. Sensitive information accessed included names, addresses, dates of birth, MPI numbers, and Social Security numbers. 

US Fertility confirmed that the attackers acquired "a limited number of files" during the period of unauthorized access. 

"Please also note that we have no evidence of actual misuse of any individual's information as a result of the Incident," said the company. 

Following the attack, US Fertility fortified the security of its firewall and engaged digital forensic specialists to monitor network activity and remediate any suspicious activity.

"We take this incident very seriously and are committed to protecting the security and confidentiality of health information we gather in providing services to individuals," said Mark Segal, chief executive officer of USF.

Zerologon is now detected by Microsoft Defender for Identity

There has been a huge focus on the recently patched CVE-2020-1472 Netlogon Elevation of Privilege vulnerability, widely known as ZeroLogon. While Microsoft strongly recommends that you deploy the latest security updates to your servers and devices, we also want to provide you with the best detection coverage possible for your domain controllers. Microsoft Defender for Identity along with other Microsoft 365 Defender solutions detect adversaries as they try to exploit this vulnerability against your domain controllers.

Here is a sneak peek into our detection lifecycle

Whenever a vulnerability or attack surface is disclosed, our research teams immediately investigate exploits and produce various methods for detecting attacks. This is highlighted in our response to suspected WannaCry attacks and with the alert for Suspected SMB packet manipulation (CVE-2020-0796 exploitation). These detection methods are tested in our lab environment, and experimental detectors are deployed to Microsoft Defender for Identity to assess performance and accuracy and find possible attacker activity.

Over the two months since CVE-2020-1472 was first disclosed, interest in this detection increased rapidly, even though we did not observe any activity matching exploitation of this vulnerability in the initial weeks after the August security updates. It generally takes a while before disclosed vulnerabilities are successfully reverse-engineered and working exploits are built.

This lack of activity changed on September 13, when we observed a surge in alerts. This increase in activity coincided with the publication of several proof-of-concept tools and demo exploits that leverage the vulnerability.


Figure 1: Orgs with ZeroLogon exploitation attempts by red teams and real attackers starting September 13, 2020

Microsoft Defender for Identity can detect this vulnerability early on, covering both exploitation attempts and inspection of traffic on the Netlogon channel.


Figure 2: Alert page experience

With this Microsoft Defender for Identity alert, you will be able to identify:

  • The device that attempted the impersonation.
  • The domain controller.
  • The targeted asset.
  • Whether the impersonation attempts were successful.

Finally, customers using Microsoft 365 Defender can take full advantage of the power of the signals and alerts from Microsoft Defender for Identity, combined with behavioral events and detections from Microsoft Defender for Endpoint. This coordinated protection enables you not just to observe Netlogon exploitation attempts over network protocols, but also to see device process and file activity associated with the exploitation.

A close look at some of the earliest ZeroLogon attacks

ZeroLogon is a powerful vulnerability for attackers to leverage, but in a normal attack scenario it requires an initial entry vector inside an organization to facilitate exploitation against domain controllers. During initial monitoring of security signals, Microsoft Threat Experts observed ZeroLogon exploitation activity in multiple organizations. In many cases, it was clear that the activity originated from red teams or pen testers using automated vulnerability scanners to locate vulnerable servers. However, Microsoft researchers were also able to identify a few limited cases of real attackers jumping on the ZeroLogon train to expand their foothold in organizations that, a month after a patch became available, were still running unpatched domain controllers.


Figure 3: Typical Zerologon exploitation activity generated by a vulnerability scanner or a red team testing domain controller at scale

One of the adversaries noticed by our analysts was interesting because the attacker leveraged an older SharePoint vulnerability (CVE-2019-0604) to remotely exploit unpatched servers (typically Windows Server 2008 and Windows Server 2012) and then implant a web shell to gain persistent access and code execution. Following the web shell installation, this attacker quickly deployed a Cobalt Strike based payload and immediately started exploring the network perimeter, targeting the domain controllers it found with the ZeroLogon exploit.

Using the @MsftSecIntel Twitter handle, we publicly shared some file indicators used during the attack. We also shared the variations of the ZeroLogon exploits we detected, many of which were recompiled versions of well-known, publicly available proof-of-concept code. Microsoft Defender for Endpoint can also detect certain file-based versions of the CVE-2020-1472 exploit when executed on devices protected by Microsoft Defender for Endpoint.


Hunting for ZeroLogon in Microsoft 365 Defender

Combining signals from Microsoft Defender for Endpoint with the ZeroLogon alerts from Microsoft Defender for Identity can help assess the nature of the alert quickly. Microsoft 365 Defender automatically leverages signals from both products. It has logic that constantly attempts to combine alerts and events using a variety of correlation logic based on knowledge of cause-effect attack flows, the MITRE ATT&CK framework, and machine learning models.

In this section, we provide an example (in the simplified form of an advanced hunting query) of how Microsoft 365 Defender correlation logic operates behind the scenes to combine alerts, reducing Security Operations Center (SOC) fatigue and facilitating investigation.

The following Microsoft 365 Defender advanced hunting queries identify process and network connection details from the source device suspected to have launched the NetLogon exploit.


First, we gather the relevant details on recent Netlogon exploit attempts from Microsoft Defender for Identity alerts. This will help populate the AlertId for the second query.

// Find all Netlogon exploit attempt alerts containing source devices
let queryWindow = 3d;
// Alerts raised by Defender for Identity (ServiceSource "Azure ATP") for the Netlogon detection
AlertInfo
| where Timestamp > ago(queryWindow)
| where ServiceSource == "Azure ATP"
| where Title == "Suspected Netlogon privilege elevation attempt (CVE-2020-1472 exploitation)"
// Join the evidence rows that name the source device of each alert
| join (AlertEvidence
| where Timestamp > ago(queryWindow)
| where EntityType == "Machine"
| where EvidenceDirection == "Source"
| where isnotempty(DeviceId)
) on AlertId
| summarize by AlertId, DeviceId, Timestamp

Next, populate one AlertId from the prior query into NLAlertId in the next query to hunt for the likely process that launched the exploit and its network connection to the domain controller:

// Find potential endpoint Netlogon exploit evidence from AlertId
let NLAlertId = "insert alert ID here";
let lookAhead = 1m;
let lookBehind = 6m;
// Source device and earliest timestamp recorded for the chosen alert
let NLEvidence = AlertEvidence
| where AlertId == NLAlertId
| where EntityType == "Machine"
| where EvidenceDirection == "Source"
| where isnotempty(DeviceId)
| summarize Timestamp=arg_min(Timestamp, *) by DeviceId;
let sourceMachine = NLEvidence | distinct DeviceId;
let alertTime = todatetime(toscalar(NLEvidence | distinct Timestamp));
// Network connections from that device to RPC ports (endpoint mapper and dynamic range) around the alert time
DeviceNetworkEvents
| where Timestamp between ((alertTime - lookBehind) .. (alertTime + lookAhead))
| where DeviceId in (sourceMachine)
| where RemotePort == 135 or RemotePort between (49670 .. 49680)
| summarize (Timestamp, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountSid)=arg_min(ReportId, Timestamp, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountSid), TargetDevicePorts=make_set(RemotePort) by DeviceId, DeviceName, RemoteIP, RemoteUrl
| project-rename SourceComputerName=DeviceName, SourceDeviceId=DeviceId, TargetDeviceIP=RemoteIP, TargetComputerName=RemoteUrl

This query can return a result that looks like this:

Tying Microsoft Defender for Endpoint data together with the original Microsoft Defender for Identity alert can give a clearer picture as to what happened on the device suspected of launching the exploit. This could save SOC analysts time when investigating alerts, because the relevant details are there to determine if it was caused by a curious researcher or from an actual attack.
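The correlation the two queries perform, re-implemented offline as an added example (not code from the Microsoft post) over constructed rows standing in for the AlertInfo, AlertEvidence and DeviceNetworkEvents tables; the device names, IPs, SIDs and command lines are constructed:

```python
# Added example, not code from the Microsoft post: the AlertInfo, AlertEvidence and
# DeviceNetworkEvents tables are replaced by constructed rows so the correlation logic
# of the two queries above (3d alert window, 6m/1m event window, RPC port filter,
# arg_min/make_set per source-target pair) can be run and checked offline.
from datetime import datetime, timedelta

NETLOGON_TITLE = ("Suspected Netlogon privilege elevation attempt "
                  "(CVE-2020-1472 exploitation)")
RPC_PORTS = {135} | set(range(49670, 49681))  # endpoint mapper + dynamic RPC range from the query
LOOK_BEHIND = timedelta(minutes=6)   # lookBehind = 6m
LOOK_AHEAD = timedelta(minutes=1)    # lookAhead = 1m
NOW = datetime(2020, 9, 14, 12, 0)   # constructed "now" for the 3d alert window


def _t(s):
    return datetime.fromisoformat(s)


def _net(ts, report_id, port, proc, cmd, device="dev-ws17", name="ws17",
         rip="10.0.0.5", rurl="dc01.corp.example"):
    """One constructed DeviceNetworkEvents row (only the columns the query uses)."""
    return {"Timestamp": _t(ts), "ReportId": report_id, "DeviceId": device,
            "DeviceName": name, "RemoteIP": rip, "RemoteUrl": rurl, "RemotePort": port,
            "InitiatingProcessFileName": proc, "InitiatingProcessCommandLine": cmd,
            "InitiatingProcessAccountSid": "S-1-5-21-1-2-3-1001"}


# Constructed sample data: one Defender for Identity Netlogon alert and one unrelated alert.
ALERT_INFO = [
    {"AlertId": "da-001", "Timestamp": _t("2020-09-14T10:05:00"),
     "ServiceSource": "Azure ATP", "Title": NETLOGON_TITLE},
    {"AlertId": "da-002", "Timestamp": _t("2020-09-14T11:00:00"),
     "ServiceSource": "Microsoft Defender for Endpoint", "Title": "Suspicious PowerShell"},
]
ALERT_EVIDENCE = [
    {"AlertId": "da-001", "Timestamp": _t("2020-09-14T10:05:00"), "EntityType": "Machine",
     "EvidenceDirection": "Source", "DeviceId": "dev-ws17"},
    {"AlertId": "da-001", "Timestamp": _t("2020-09-14T10:05:00"), "EntityType": "Machine",
     "EvidenceDirection": "Destination", "DeviceId": "dev-dc01"},
]
DEVICE_NETWORK_EVENTS = [
    # RPC traffic from the alert's source device inside the window: the likely exploit process
    _net("2020-09-14T10:01:30", 41, 135, "python.exe", "python.exe scan_netlogon.py 10.0.0.5"),
    _net("2020-09-14T10:01:31", 42, 49670, "python.exe", "python.exe scan_netlogon.py 10.0.0.5"),
    # same device and an RPC port, but 20 minutes before the alert: outside the window
    _net("2020-09-14T09:45:00", 7, 135, "svchost.exe", "svchost.exe -k netsvcs"),
    # same device, inside the window, but HTTPS: not an RPC port
    _net("2020-09-14T10:03:00", 43, 443, "msedge.exe", "msedge.exe", rurl="www.example.com"),
    # a different device that is not the alert's source
    _net("2020-09-14T10:04:00", 44, 135, "lsass.exe", "lsass.exe", device="dev-ws22", name="ws22"),
]


def netlogon_alert_sources(alert_info, alert_evidence, now=NOW, window=timedelta(days=3)):
    """First query: Netlogon alerts joined to their source device, as (AlertId, DeviceId, Timestamp)."""
    since = now - window
    out = set()
    for a in alert_info:
        if not (a["Timestamp"] > since and a["ServiceSource"] == "Azure ATP"
                and a["Title"] == NETLOGON_TITLE):
            continue
        for e in alert_evidence:
            if (e["AlertId"] == a["AlertId"] and e["Timestamp"] > since
                    and e["EntityType"] == "Machine" and e["EvidenceDirection"] == "Source"
                    and e.get("DeviceId")):
                out.add((a["AlertId"], e["DeviceId"], a["Timestamp"]))
    return sorted(out)


def endpoint_evidence(alert_id, alert_evidence, network_events):
    """Second query: earliest RPC connection from the alert's source device around the alert time.
    arg_min over ReportId picks the first event per (source, target) group; make_set collects ports."""
    sources = [e for e in alert_evidence
               if e["AlertId"] == alert_id and e["EntityType"] == "Machine"
               and e["EvidenceDirection"] == "Source" and e.get("DeviceId")]
    if not sources:
        return []
    alert_time = min(e["Timestamp"] for e in sources)
    source_ids = {e["DeviceId"] for e in sources}
    lo, hi = alert_time - LOOK_BEHIND, alert_time + LOOK_AHEAD
    groups = {}
    for ev in network_events:
        if ev["DeviceId"] not in source_ids or not (lo <= ev["Timestamp"] <= hi):
            continue
        if ev["RemotePort"] not in RPC_PORTS:
            continue
        key = (ev["DeviceId"], ev["DeviceName"], ev["RemoteIP"], ev["RemoteUrl"])
        g = groups.setdefault(key, {"first": ev, "ports": set()})
        g["ports"].add(ev["RemotePort"])
        if ev["ReportId"] < g["first"]["ReportId"]:
            g["first"] = ev
    rows = []
    for (dev_id, dev_name, rip, rurl), g in groups.items():
        f = g["first"]
        rows.append({"SourceDeviceId": dev_id, "SourceComputerName": dev_name,
                     "TargetDeviceIP": rip, "TargetComputerName": rurl,
                     "Timestamp": f["Timestamp"],
                     "InitiatingProcessFileName": f["InitiatingProcessFileName"],
                     "InitiatingProcessCommandLine": f["InitiatingProcessCommandLine"],
                     "InitiatingProcessAccountSid": f["InitiatingProcessAccountSid"],
                     "TargetDevicePorts": sorted(g["ports"])})
    return rows
```

Running `netlogon_alert_sources` and then `endpoint_evidence` on the returned AlertId reproduces the two-step workflow: the 20-minute-old svchost.exe connection, the HTTPS traffic and the other device are all filtered out, leaving the single process that spoke RPC to the domain controller just before the alert.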

Defend against ZeroLogon

Learn more about the alert here, along with information on all the alerts Defender for Identity uses to help you stay protected from identity-based attacks.

Also, feel free to review our guidance on managing changes in Netlogon secure channel connections and how you can protect against this vulnerability.

Customers with Microsoft Defender for Endpoint can get additional guidance from the threat analytics article available in Microsoft Defender Security Center.

Get started today

Are you just starting your Microsoft Defender for Identity journey? Begin a trial of Microsoft 365 Defender to experience the benefits of the most comprehensive, integrated, and secure threat protection solution for your organization.

Join the Microsoft Defender for Identity Tech Community for the latest updates and news about Identity Security Posture Management assessments, detections, and other updates.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Zerologon is now detected by Microsoft Defender for Identity appeared first on Microsoft Security.

AppDynamics offers visibility plus at a time of rising complexity

Business leaders in 2020 forced to adopt a more digitally-driven model to compete in the changing marketplace have had a bumpy ride. While some companies have deftly transitioned, findings presented in AppDynamics’ Agents of Transformation Report 2020 indicate the road has been rocky for others: Over 80 per cent of technologists say they’re facing technology…

The post AppDynamics offers visibility plus at a time of rising complexity first appeared on IT World Canada.

Embedding Trust at the Core of Critical Infrastructure

November marks National Critical Infrastructure Security and Resilience Month and is a timely reminder to keep this conversation at the forefront. Global critical infrastructure speaks to a common theme: sectors that are vital to security, economic security, public health, or safety. The pandemic has reshaped the landscape of critical infrastructure with a new generation of organizations now deemed as ‘critical.’ Most would consider hospital emergency rooms as traditional critical infrastructure, but what about medical research labs? Now that the world anxiously awaits a vaccine to end this pandemic, it’s clear these services are now even more critical than ever to our collective health, society, and economy. Adversaries know this too and continue to target the supply chains and assets of these critical systems, taking advantage of our heightened technology dependence.

Embedding trust and resilience into critical infrastructure continues to be a moving target. We used to focus purely within enterprises and businesses, but today the interconnectivity of cloud and third-party delivered services has completely upended how we assess risk. Regardless of the challenges – new or old – the focus must be on the trustworthiness and integrity of the technology and processes, ensuring we embed trust and resilience into the core of critical infrastructure.

Building in Trust at the Network

Technology is no longer an extension of critical infrastructure, but rather at the core of it. The network sits between critical data, assets, and systems, and the users and services that leverage or operate them. It is uniquely positioned not only to add essential visibility and controls for resiliency, but it is also a well-placed and high-value target for attackers. Resiliency of the network infrastructure itself is crucial.

Resilience is only achieved by building in steps to verify integrity with technical features embedded in hardware and software. Secure boot ensures a network device boots using only software that is trusted by the Original Equipment Manufacturer. Image signing allows a user to add a digital fingerprint to an image to verify that the software running on the network has not been modified. Runtime defenses protect against the injection of malicious code into running network software, making it very difficult for attackers to exploit known vulnerabilities in software and hardware configurations. Equally important, vendors must use a Secure Development Lifecycle to enhance security, reduce vulnerabilities, and promote consistent security policy across solutions.

All of this might sound like geek mumbo-jumbo, but these are non-negotiables in today’s world. Whether it is a critical robot on a manufacturing line, a connected valve at a water treatment plant, or the network infrastructure that keeps them all connected and running – without verification check points along the way, you have no idea if your underlying technology is authentic, unmodified, and ultimately up to your standards.

Securing the Supply Chain

Suppliers are being targeted as a route into our critical systems. The premise behind Zero Trust applies here too and dictates that we must verify the security of everyone who connects into those critical systems. That includes the complex web of vendors that make the technology we ultimately sell or consume. How does the vendor secure their own network, and the data of many? As we dive deeper into it, we can see that the security of our suppliers and their own supply chain becomes increasingly complicated, especially when intellectual property (IP) is involved and implemented across a massive network of global suppliers of hardware, software, and cloud-based services. Geopolitical, cyber, and continuity risks can translate into the misuse, tampering, and even counterfeiting of IP and solutions.

We must take a layered approach, using a combination of security technology (e.g. technical innovation to enhance counterfeit detection or to identify non-authorized components or users), physical security (e.g. camera monitoring, security checkpoints), logical security (e.g. multi-factor authentication for workers), and information security (e.g. network segmentation). These foundational security and privacy requirements must be applied to the end-to-end lifecycle of solutions in the supply chain, from design to decommission, across collaborative partnerships. It goes beyond geography-based security and privacy; it must be steeped in the supply chain process and in the technology itself. Everyone has a stake in the game, and all suppliers must be held accountable and to the same high standard.

Operations that Move at a Digital Pace

The increase in remote working, and therefore remote access, has heightened the importance of monitoring regular versus abnormal activity across both the traditional enterprise and the vastly distributed cloud services. Migration to digital capabilities requires critical infrastructure providers to keep pace with the latest threat monitoring and detection technologies. It requires machine-speed visibility and control. It takes an integrated, holistic architecture of solutions that work together, communicate, and automate actions, making incident response faster and less complex and relying less on human actions. To achieve this, we must look end-to-end across our systems, avoiding piecemeal projects and solutions, to ensure consistent security capabilities that are scalable, agile, and fast.

Security capabilities are ever-evolving. Machine learning algorithms can help detect anomalies from normal network and user behavior. That data can then be used for informing control-based policies to mitigate attacks. Application, network, and endpoint security must work together, and as we look to deploying solutions, we need to look at the integration and consistency of those capabilities.

Traditional or new, critical infrastructure is made up of complex networks and systems that sustain our global society and economy; a disruption to one can cause a ripple effect of consequences beyond borders. Whether during a global pandemic, a natural disaster, social unrest, or even when everything operates like clockwork, trust and resilience must be built in at every step.

To learn more about how Cisco embeds trust into everything we do, visit our Trust Center.

Check Washing

I can’t believe that check washing is still a thing:

“Check washing” is a practice where thieves break into mailboxes (or otherwise steal mail), find envelopes with checks, then use special solvents to remove the information on that check (except for the signature) and then change the payee and the amount to a bank account under their control so that it can be deposited at out-of-state banks, oftentimes by mobile phone.

The article suggests a solution: stop using paper checks.

IBM offers quantum-safe cryptography support for key management and app transactions in the cloud

IBM announced a series of cloud services and technologies designed to help clients maintain the highest available level of cryptographic key encryption protection to help protect existing data in the cloud and prepare for future threats that could evolve with advances in quantum computing. Pioneered by IBM Research scientists, the company is now offering quantum-safe cryptography support for key management and application transactions in IBM Cloud, making it the industry’s most holistic quantum-safe cryptography approach … More

The post IBM offers quantum-safe cryptography support for key management and app transactions in the cloud appeared first on Help Net Security.

ServiceNow is acquiring Canadian AI services startup Element AI

After launching in 2016, raising US$102 million in Series A funding and opening offices across five cities in North America, Europe, and Asia, one of Canada’s superstar startups has been scooped up by American software giant ServiceNow.

The post ServiceNow is acquiring Canadian AI services startup Element AI first appeared on IT World Canada.

Conti ransomware attack demands $14 million from industrial IoT firm Advantech

The world's largest maker of industrial computers, Taiwan's Advantech, has reportedly been hit by a ransomware attack - with cybercriminals demanding a ransom worth approximately US $14 million for a decryption key, and to prevent the public leaking of stolen data. Read more in my article on the Hot for Security blog.

Digital ID needs to be ‘as easy as Uber’ says Ontario Digital Service deputy minister

Ontario is the latest province to signal its intent to allow citizens to prove their identity with the help of a digital wallet, but experts say a lot of work remains before the service can be widely used.

The post Digital ID needs to be 'as easy as Uber' says Ontario Digital Service deputy minister first appeared on IT World Canada.

Quick Guide — How to Troubleshoot Active Directory Account Lockouts

Active Directory account lockouts can be hugely problematic for organizations. There have been documented instances of attackers leveraging the account lockout feature in a type of denial of service attack. By intentionally entering numerous bad passwords, attackers can theoretically lock all of the users out of their accounts. But what do you do if you are experiencing problems with account

Cyber Security Today – Executives email passwords for sale, a ransomware attack on industrial systems manufacturer and online shopping tips

Today's podcast warns that the passwords of hundreds of executives are being sold to hackers, and reports on a ransomware attack on Advantech

The post Cyber Security Today - Executives email passwords for sale, a ransomware attack on industrial systems manufacturer and online shopping tips first appeared on IT World Canada.

Back-to-Work Phishing Campaign Targeting Corporate Email Accounts

A phishing campaign used what appeared to be back-to-work notifications in order to compromise recipients’ corporate email accounts. Near the end of November, Abnormal Security detected one of the campaign’s attack emails. That message masqueraded as an internal notification from the recipient’s company. It did so by using spoofing techniques to disguise the sender address. … Read More

The post Back-to-Work Phishing Campaign Targeting Corporate Email Accounts appeared first on The State of Security.

Delaware County Pays $500,000 Ransom After Outages

A US county is in the process of paying half-a-million dollars to ransomware extorters who locked its local government network, according to reports.

Pennsylvania’s Delaware County revealed the attack last week, claiming in a notice that it had disrupted “portions of its computer network.”

“We commenced an immediate investigation that included taking certain systems offline and working with computer forensic specialists to determine the nature and scope of the event. We are working diligently to restore the functionality of our systems,” it said.

“The investigation is ongoing and we are working with computer forensic specialists to understand the full nature and scope of the event and confirm accurate information before sharing the details. County employees have been notified and provided with information and instructions.”

The county said its Bureau of Elections and Emergency Services Department were not affected, as they are served by separate networks.

However, the news comes as the authority, like much of the US, battles a surge in COVID-19 cases. Over the past four weeks it has seen a 131% increase in positive tests for the virus and a 156% increase in hospitalizations.

That will give attackers an extra incentive to attack public sector and healthcare organizations in the country over the coming months. However, it appears as if Delaware County’s decision to pay up was influenced by its insurance policy, which reportedly covers ransomware outages.

The largest cause of cyber insurance claims in North America in the first half of 2020 was ransomware, accounting for over two-fifths (41%), according to provider Coalition.

However, there are concerns that the growing take-up of such policies also emboldens cyber-criminals, as it makes it more likely that victims will pay up to regain access to networks quickly.

As long as victims keep paying, ransomware groups will keep launching attacks.

Cyber security statistics for small organisations

No matter what size your organisation is, it will suffer a cyber attack sooner or later. There are simply too many malicious actors and too many vulnerabilities for you to identify.

Unfortunately, SMEs often fall into the trap of believing that they are too small to be on cyber criminals’ radars. Why would they even think to target you?

But criminal hackers target vulnerabilities rather than specific organisations. They look for weaknesses – whether it’s a flaw in a piece of software or an unprotected database containing sensitive information – and leverage it in whatever way they can.

That’s why small organisations need to be as concerned about cyber security as huge corporations. As we explain in our new infographic, 14 Cyber Security Statistics for SMEs, 43% of all cyber attacks occur at small organisations.

Here are some other stats from the infographic:

  • A small business is hacked every 19 seconds
  • 19% of businesses said the attack prevented staff from working
  • The average cost of a cyber attack increased by 61% last year, from £184,000 to £296,500
  • 70% of organisations said that remote working increases the risk of a data breach
  • Phishing attacks are the most common cause of a data breach

You can download the full infographic for free to remind you and your team of the cyber security risks that small organisations face.

The help you need with IT Governance

Most small organisations know that they should be doing more to protect themselves, but it can be difficult knowing where to begin.

That’s why, according to a Skurio report, 50% of organisations in the UK are considering outsourcing their cyber security.

This approach ensures that you get expert guidance when you need it and without the hassle of finding and appointing someone with the versatility to address whatever security issues you face.

Those considering this as a solution should take a look at our Cyber Security as a Service. With this annual subscription, you’ll receive the support you need whenever it’s necessary.

Our team will advise you on the best way to protect your organisation and guide you through essential processes such as vulnerability scans, staff training and the creation of data protection policies.

This service contains everything you need in one place, giving you the peace of mind that you’re doing everything possible to stay secure.

The post Cyber security statistics for small organisations appeared first on IT Governance UK Blog.

Company Director Disqualified After Nuisance Calls

The director of a marketing company that made tens of thousands of nuisance calls has been banned from running a business for six years.

Elia Bols was director of AMS Marketing Limited, a firm founded in 2016 which was the subject of scores of complaints between October that year and October 2017.

UK regulator the Information Commissioner’s Office handed Bols a fine of £100,000 after judging that, under his direction, the firm had made over 75,000 nuisance calls. It should first have used the Telephone Preference Service (TPS) list of individuals who choose not to receive unsolicited contact, the ICO said.

AMS Marketing was wound up in 2019, with the fine still outstanding, and Bols now lives in Australia. However, in his absence, the government has ruled that AMS Marketing broke Regulation 21 of the Privacy and Electronic Communications Regulations (PECR).

As a result, he is now disqualified from acting as director or becoming directly or indirectly involved with running or promoting a company.

“Our work with the Insolvency Service has seen the successful disqualification of 17 directors who have shut their business down to try and avoid paying a fine for illegal marketing activity,” explained Andy Curry, head of investigations at the ICO.

“Nuisance calls, emails and texts can be a huge problem and often cause people real distress. By taking unscrupulous directors out of action, we can help protect the public and their privacy.”

However, despite these successes, the ICO has been found wanting in terms of its collection of outstanding fines from such offenders.

An FOI request last month revealed that £6.6m, or over 39% of total fines, are still outstanding. Just 13% of nuisance calls fines were collected, versus 54% of data breach penalties.

University of Vermont Medical Center has yet to fully recover from October cyber attack

The University of Vermont Medical Center has yet to fully recover from a cyber attack that crippled systems at the Burlington hospital.

In October, ransomware operators hit the Wyckoff Heights Medical Center in Brooklyn and the University of Vermont Health Network. The ransomware attack took place on October 28 and disrupted services at the UVM Medical Center and affiliated facilities.

The ransomware attack has had varying impacts at each of the network’s affiliates.

A month later, the University of Vermont Medical Center is continuing to recover from the cyber attack that paralyzed the systems at the Burlington hospital.

The hospital announced that it had restored access to its main electronic records system only on Tuesday.

“The restoration includes inpatient and ambulatory sites at the UVM Medical Center and ambulatory clinics at Central Vermont Medical Center in Berlin, Porter Medical Center in Middlebury and Champlain Valley Physicians Hospital in Plattsburgh, New York.” reported the Associated Press.

Unfortunately, the hospital’s IT staff is still working to restore access to other systems, and the restoration could take additional time to complete.

At the time of this writing, hospital officials have ruled out that threat actors compromised any personal information about patients.

In October, the news of the attack came a few hours after the FBI, the DHS’s Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) issued a joint alert to warn hospitals and healthcare providers of imminent ransomware attacks from Russia.

This security advisory describes the tactics, techniques, and procedures (TTPs) associated with cyber criminals that could target organizations in the Healthcare and Public Health Sector (HPH) to infect systems with Ryuk ransomware.

At the time of the alert, the government agencies had received information about imminent attacks in which threat actors were using the TrickBot botnet to deliver the infamous ransomware to infected systems.

Pierluigi Paganini

(SecurityAffairs – hacking, Vermont Medical Center)

The post University of Vermont Medical Center has yet to fully recover from October cyber attack appeared first on Security Affairs.

Fired CISA Director Refutes Election Fraud Allegations

In 60 Minutes Interview, Christopher Krebs Says Paper Ballots Secured Election
Ex-CISA director Christopher Krebs revealed in a 60 Minutes interview exactly what made officials confident that the election results were accurate: paper ballots. Krebs didn't mention President Trump by name, but refuted claims by his administration and personal lawyer, Rudy Giuliani, that the election was corrupt.

MasterChef Producer Hit by Double Extortion Ransomware

A multibillion-dollar TV production company has become the latest big corporate name caught out by ransomware, it emerged late last week.

French multinational firm Banijay SAS owns over 120 production firms around the world, delivering TV shows ranging from MasterChef and Big Brother to Black Mirror and The Island with Bear Grylls.

In a short update last Thursday, it claimed to be managing a “cyber-incident” affecting the networks of Endemol Shine Group and Endemol Shine International, Dutch firms it acquired in a $2.2bn deal in July.

Although ransomware isn’t named in the notice, previous reports suggest the firm is being extorted.

It admitted that data may have been taken, in what would be a classic “double extortion” attack.

“The business has reason to believe certain personal data of current and ex-employees may have been compromised, as well as commercially sensitive information,” it said.

“We are continuing to take the appropriate steps and remain committed to protecting our employees, past and present, so if we do identify any cases of data being taken or misused, we will contact the affected individuals directly.”

In the meantime, the firm said it is investigating the attack with “independent specialists” and has notified the relevant authorities in the Netherlands and the UK: the two countries affected by the incident.

Banijay would do well not to engage with the extortionists. A recent Coveware report warned that “paying a threat actor not to leak stolen data provides almost no benefit to the victim.”

The vendor claimed that several ransomware groups still publicly dox companies even after payment, while others may demand a second payment to remove any data they may have stolen.

Victim organizations should in any case assume that stolen data has been or will be either sold to other threat actors or used in a future extortion attempt, Coveware claimed.

Delaware County, Pennsylvania, opted to pay 500K ransom to DoppelPaymer gang

Delaware County, Pennsylvania opted to pay a $500,000 ransom after it was the victim of a DoppelPaymer ransomware attack last weekend.

Last weekend, Delaware County, Pennsylvania, was the victim of a DoppelPaymer ransomware attack that brought down part of its network.

According to local media, the ransomware operators have compromised systems containing sensitive information, including police reports and payroll.

“Sources told Action News, the cybercriminals gained control of the network on Saturday encrypting files, including police reports, payroll, purchasing, and other databases. Prosecution evidence, however, has not been affected.” reads the post published by Philadelphia’s 6abc’s Action News.

“Sources said the county is in the process of paying the $500,000 ransom as it’s insured for such attacks.”

The infection did not impact the Bureau of Elections and the County’s Emergency Services Department.

The incident was disclosed on Monday and now Delaware County has paid a $500,000 ransom.

“The County of Delaware recently discovered a disruption to portions of its computer network. We commenced an immediate investigation that included taking certain systems offline and working with computer forensic specialists to determine the nature and scope of the event. We are working diligently to restore the functionality of our systems,” states the incident notice published by Delaware County. “The investigation is ongoing and we are working with computer forensic specialists to understand the full nature and scope of the event and confirm accurate information before sharing the details.”

The notice also confirmed that County employees have already been notified and that the FBI is also investigating the attack.

BleepingComputer was informed that the Delaware County was hit by the DoppelPaymer ransomware gang.

“BleepingComputer was also told that the ransomware gang advised Delaware County to change all of their passwords and modify their Windows domain configuration to include safeguards from the Mimikatz program.” reported BleepingComputer.

A few days ago, the Microsoft Security Response Center (MSRC) warned customers of the DoppelPaymer ransomware; the tech giant provided useful information on the threat and how it spreads.

In November, the Mexican state-owned oil company Petróleos Mexicanos (Pemex) was infected with the DoppelPaymer ransomware.

In early November, the DoppelPaymer ransomware disrupted IT operations in the territory of Nunavut (Canada); all government services requiring access to electronic data were impacted.

The TA505 cybercrime group, known for distributing the Dridex Trojan and the Locky ransomware, released the BitPaymer ransomware (aka FriedEx) in mid-2017; it was used in attacks against high-profile targets and organizations. The ransomware was distributed through Remote Desktop Protocol (RDP) brute force attacks.

In July, CrowdStrike experts found a new variant of the ransomware, tracked as DoppelPaymer. The discovery suggests that some members of the TA505 gang left the group and forked the source code of both Dridex and BitPaymer to develop new malware: some of the crooks behind the Dridex Trojan split from the gang and released a forked version of the BitPaymer ransomware dubbed DoppelPaymer.

Both BitPaymer and DoppelPaymer have continued to operate in parallel since then.

Other DoppelPaymer victims include the City of Torrance in California, Hall County in Georgia, Newcastle University, Banijay Group SAS, Bretagne Télécom, Compal, and Visser Precision.

Pierluigi Paganini

(SecurityAffairs – hacking, DoppelPaymer)

The post Delaware County, Pennsylvania, opted to pay 500K ransom to DoppelPaymer gang appeared first on Security Affairs.

How do I select a pentesting solution for my business?

Given the number of vulnerabilities that have gone global in the past few years, enterprises can’t afford to keep relying on reactive security. Just hoping that an alert doesn’t go off isn’t a strategy. Instead, groups should embrace penetration testing. For those unfamiliar with the concept, a typical pentest project consists of a pentester putting on their “evil person” hat and attacking a target, looking to infiltrate the organization in the way that a malicious … More

The post How do I select a pentesting solution for my business? appeared first on Help Net Security.

Review: The Perfect Weapon

John Maggio, an award-winning producer, director, and writer, known for The Newspaperman: The Life and Times of Ben Bradlee (2017), Panic (2018), The Italian Americans (2015) and others, based this documentary on the homonymous best-selling book by David E. Sanger. Released at the peak of the US 2020 election campaign and just before the election itself, the documentary examines the harsh reality of today’s conflicts between nations, relying not so much on … More

The post Review: The Perfect Weapon appeared first on Help Net Security.

Pandemic thinking: What if there were a vaccine for OT ransomware?

The year 2020 has been defined globally by the COVID-19 pandemic. One of few silver linings for this difficult set of circumstances is innovation – redesigning normal processes so that life can carry on with some degree of regularity and reliability. Pre-COVID, we all took certain risks routinely, and the consequences were minor. Now the consequences are much more serious and we respond to these risks by very carefully deciding how we expose ourselves to … More

The post Pandemic thinking: What if there were a vaccine for OT ransomware? appeared first on Help Net Security.

New wave of affordable silicon leading to greater IoT project success

With up to 75 percent of remote device management projects deemed “not successful” in 2020, IoT deployment has been limited in realizing its full potential. However, a new wave of affordable silicon that provides a wide array of features and functionality, in conjunction with the maturation of pre-packed software, will lead to a substantial increase in IoT project success in the upcoming year, predict experts at Sequitur Labs. According to … More

The post New wave of affordable silicon leading to greater IoT project success appeared first on Help Net Security.

Hacking Christmas Gifts: Putting IoT Under the Microscope

If high-tech gadgets are on your holiday shopping list, it is worth taking a moment to think about the particular risks they may bring. Under the wrong circumstances, even an innocuous gift may introduce unexpected vulnerabilities. In this blog series, VERT will be looking at some of the Internet’s best-selling holiday gifts with an eye … Read More

The post Hacking Christmas Gifts: Putting IoT Under the Microscope appeared first on The State of Security.

84% of global decision makers accelerating digital transformation plans

Unit4 surveyed business and IT decision makers and users working in service industries in August and September 2020, to understand how well organizations are embracing innovation and adapting to the challenges of the pandemic. The study shows that 84% of global decision makers are accelerating their digital transformation plans, in response to growing demands from users, who want more flexibility to work remotely in the future. During COVID-19, global decision makers cited … More

The post 84% of global decision makers accelerating digital transformation plans appeared first on Help Net Security.

Secure configuration in the cloud – IaaS, PaaS and SaaS explained

If I asked you what security products you had to manage risk within your IT organization 10 years ago, you would probably list half a dozen different tools and confidently mention that most of your infrastructure was covered by a set of key products such as antivirus, DLP, firewalls, etc. But in a world … Read More

The post Secure configuration in the cloud – IaaS, PaaS and SaaS explained appeared first on The State of Security.

HD-PLC Alliance to create the IEEE P1901b standard for using HD-PLC in smart grids and factories

HD-PLC Alliance has started standardization work that will allow the use of enhanced network security functions, with the aim of using High-Definition Power Line Communication technology in the fields of smart grids and distributed power management. High-Definition Power Line Communication (hereinafter referred to as HD-PLC) technology has already been standardized as IEEE 1901 (Broadband over Power Line Networks for MAC and PHY) by the IEEE Standards Association. This technology is particularly attracting attention in Europe as a communication … More

The post HD-PLC Alliance to create the IEEE P1901b standard for using HD-PLC in smart grids and factories appeared first on Help Net Security.

Microsoft Azure Databricks receives FedRAMP ATO

Databricks announced that Microsoft Azure Databricks has received a Federal Risk and Authorization Management Program (FedRAMP) High Authority to Operate (ATO). This authorization validates Azure Databricks security and compliance for high-impact data analytics and AI across a wide range of public sector, industry, and enterprise use cases. FedRAMP is a standardized approach to security assessment, authorization, and continuous monitoring for cloud services as defined by the National Institute of Standards and Technology (NIST). The ATO … More

The post Microsoft Azure Databricks receives FedRAMP ATO appeared first on Help Net Security.

Crooks stole 800,000€ from ATMs in Italy with Black Box attack

A cyber criminal organization has stolen money from at least 35 Italian ATMs with a black box attack technique.

A criminal organization has stolen money from at least 35 ATMs and Post Office cash dispensers operated by Italian banks with a new black box attack technique.

The Carabinieri of Monza dismantled the gang; the Italian law enforcement agency confirmed that the cybercrime organization stole about 800,000€ in just 7 months using ATM black box attacks.

The Italian Carabinieri identified 12 people: 6 have already been arrested, 3 are currently in custody in Poland, one returned to Moldova before being stopped, and 2 may no longer be on Italian territory.

According to local media, the gang had numerous logistical bases in the provinces of Milan, Monza, Bologna, Modena, Rome, Viterbo, Mantua, Vicenza and Parma.

Black box attacks are a type of jackpotting attack aimed at forcing an ATM to dispense the cash by sending a command through a “black box” device.

In this attack, a black box device, such as a mobile device or a Raspberry, is physically connected to the ATM and is used by the attackers to send commands to the machine.

The ATM black box attacks are quite popular in the cybercrime underground and several threat actors offer the hardware equipment and malware that could be used to compromise the ATMs.

Below is the list of the compromised ATMs:

  • UFF PP TT 12/07/2020 BELLUSCO
  • BPM 07/18/2020 WEEKLY
  • BPM 07/20/2020 MORAZZONE
  • UFF PP TT 08/05/2020 CARUGATE
  • UFF PP TT 08/18/2020 SEVESO
  • UFF PP TT 08/19/2020 FAGNANO OLONA
  • BBPM 08/21/2020 COMO
  • UFF PP TT 01/09/2020 SIZIANO
  • UFF PP TT 02/09/2020 MELZO
  • UFF PP TT 07/09/2020 SENAGO
  • UFF PP TT 11/09/2020 BRESCIA
  • BPM 11/09/2020 PARMA
  • UFF PP TT 09/14/2020 BUSNAGO
  • BBPM 09/18/2020 ROZZANO
  • UFF PP TT 21/09/2020 GHEDI
  • BBPM 09/22/2020 CASARILE
  • BBPM 09/24/2020 MACHERIO
  • BBPM 09/30/2020 RESCALDINA
  • BBPM 09/30/2020 LIMENA
  • VOLKS 21/10/2020 VILLAVERLA
  • BANCO S. MARCO 10/28/2020 SPINEA
  • BBPM 11/06/2020 BIASSONO
  • BBPM 11/8/2020 Santo Stefano Ticino
  • BCC 10/11/2020 Junction of Capannelle (RM)
  • OFFICE PP. TT. 11/11/2020 Vermicino- Frascati

Poorly protected ATMs are more exposed to this type of attack because crooks can easily tamper with their case in order to connect the mobile device.

In July, Diebold Nixdorf, a leading manufacturer of ATM machines, issued an alert to customers warning all banks of a new variant of ATM black box or jackpotting attacks. The alert was issued after Argenta Bank in Belgium was forced to shut down 143 ATMs after a jackpotting attack.

All the compromised machines were Diebold Nixdorf ProCash 2050xe devices. This was the first time that Belgian authorities had observed this criminal practice in the country.

According to the security alert issued by Diebold Nixdorf, and obtained by ZDNet, the new variation of black box attacks has been used in certain countries across Europe.

Pierluigi Paganini

(SecurityAffairs – hacking, black box attack)

The post Crooks stole 800,000€ from ATMs in Italy with Black Box attack appeared first on Security Affairs.

A critical flaw in industrial automation systems opens to remote hack

Experts found a critical flaw in Real-Time Automation’s (RTA) 499ES EtherNet/IP stack that could allow hacking industrial control systems.

Tracked as CVE-2020-25159, the flaw is rated 9.8 out of 10 in severity by the industry-standard Common Vulnerability Scoring System (CVSS) and impacts all versions of EtherNet/IP Adapter Source Code Stack prior to 2.28, which was released on November 21, 2012.

Security researchers from security company Claroty have discovered a critical flaw in Real-Time Automation’s (RTA) 499ES EtherNet/IP (ENIP) stack that could be exploited by a remote attacker to hack the industrial control systems.

“Claroty has privately disclosed details to Real Time Automation (RTA), informing the vendor of a critical vulnerability in its proprietary 499ES EtherNet/IP (ENIP) stack. The vulnerability could cause a denial-of-service situation, and depending on other conditions, could expose a device running older versions of the protocol to remote code execution.” reads the security advisory published by Claroty.

RTA’s ENIP stack is widely implemented in industrial automation systems.

The flaw, tracked as CVE-2020-25159, has received a CVSS score of 9.8 out of 10, it impacts all versions of EtherNet/IP Adapter Source Code Stack prior to 2.28.

Claroty researcher Brizinov reported the stack overflow issue to the US agency CISA, which published a security advisory.

“Successful exploitation of this vulnerability could cause a denial-of-service condition, and a buffer overflow may allow remote code execution,” reads the advisory published by the US cybersecurity and infrastructure agency (CISA). “The affected product is vulnerable to a stack-based buffer overflow, which may allow an attacker to send a specially crafted packet that may result in a denial-of-service condition or code execution.”

Experts used search engines for Internet-connected devices to search for ENIP-compatible internet-facing devices and discovered more than 8,000 systems exposed online.


Experts warned that vendors may have bought vulnerable versions of this stack before the 2012 update and may still be using them in their firmware.

“However, many vendors may have bought vulnerable versions of this stack prior to the 2012 update, starting in the early 2000s when it was first issued, and integrated it into their own firmware. This would leave many running in the wild still today.” continues the report.

“Claroty researchers were able to scan 290 unique ENIP-compatible devices, which identified 32 unique ENIP stacks. Eleven devices were found to be running RTA’s ENIP stack in products from six unique vendors.”

Operators have to update to current versions of the ENIP stack to address the vulnerability. CISA provided the following recommendations to minimize the risk of exploitation of this vulnerability:

  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

Pierluigi Paganini

(SecurityAffairs – hacking, industrial automation systems)

The post A critical flaw in industrial automation systems opens to remote hack appeared first on Security Affairs.

Security Affairs newsletter Round 291

A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs free for you in your email box.

A cyberattack crippled the IT infrastructure of the City of Saint John
Hundreds of female sports stars and celebrities have their naked photos and videos leaked online
Romanians arrested for running underground malware services
Threat actor shared a list of 49,577 IPs of vulnerable Fortinet VPNs
Computer Security and Data Privacy, the perfect alliance
FBI issued an alert on Ragnar Locker ransomware activity
Massive threat campaign strikes open-source repos, Sonatype spots new CursedGrabber malware
TikTok fixed security issues that could have led to one-click account takeover
VMware discloses critical zero-day CVE-2020-4006 in Workspace One
VMware fixed SD-WAN flaws that could allow hackers to target enterprise networks
2FA bypass in cPanel potentially exposes tens of millions of websites to hack
A new Stantinko Bot masqueraded as httpd targeting Linux servers
Baidu Android apps removed from Play Store after being caught collecting user details
Credential stuffing attack targeted 300K+ Spotify users
Crooks social-engineered GoDaddy staff to take over crypto-biz domains
Microsoft fixes Kerberos Authentication issues with an out-of-band Update
TrickBot operators continue to update their malware to increase resilience to takedown
Belden discloses data breach as a result of a cyber attack
Group-IB Hi-Tech Crime Trends 2020/2021 report
Operation Falcon: Group-IB helps INTERPOL identify Nigerian BEC ring members
Retail giant Home Depot agrees to a $17.5 million settlement over 2014 data breach
UK NCSC’s alert urges orgs to fix MobileIron CVE-2020-15505 RCE
Watch out, WAPDropper malware could subscribe you to premium services
A zero-day in Windows 7 and Windows Server 2008 has yet to be fixed
Carding Action 2020: Group-IB supports Europol-backed operation saving €40 million
Danish news agency Ritzau hit by ransomware, but did not pay the ransom
Ransomware hits US Fertility, the largest US fertility network
Sophos notifies data leak after a misconfiguration
SSH-backdoor Botnet With ‘Research’ Infection Technique
A week later, Manchester United has yet to recover after a cyberattack
Canon publicly confirms August ransomware attack and data breach
Details of 16 million Brazilian COVID-19 patients exposed online
Drupal emergency updates fix critical arbitrary PHP code execution
North Korean hackers allegedly behind cyberattacks on AstraZeneca
The global impact of the Fortinet 50,000 VPN leak posted online
Chip maker Advantech hit by Conti ransomware gang
Hundreds of C-level executives credentials available for $100 to $1500 per account
Office 365 phishing campaign leverages Oracle and Amazon cloud services

Pierluigi Paganini

(SecurityAffairs – hacking, newsletter)

The post Security Affairs newsletter Round 291 appeared first on Security Affairs.

Sopra Steria estimates financial Impact of ransomware attack could reach €50 Million

IT services provider Sopra Steria estimates that a recent ransomware attack will have a financial impact ranging between €40M and €50M.

At the end of October, French IT outsourcer Sopra Steria was hit by a ransomware attack. While the company did not initially reveal the family of malware that infected its systems, local media speculated about the involvement of the Ryuk ransomware. The European IT firm has 46,000 employees operating in 25 countries worldwide. It provides a wide range of IT services, including software development and consulting.

Now the company estimates that a recent ransomware attack will have a financial impact ranging between €40 million ($48 million) and €50 million ($60 million).

In a new statement, Sopra Steria confirmed that it had detected an attack involving the Ryuk ransomware on 21 October.

The internal cybersecurity staff rapidly blocked the threat, and the measures implemented allowed the company to contain the malware to a limited part of the Group’s infrastructure.

“At this stage, Sopra Steria has not identified any leaked data or damage caused to its customers’ information systems.” states the company.

“The secure remediation plan launched on 26 October is nearly complete. Access has progressively been restored to workstations, R&D and production servers, and in-house tools and applications. Customer connections have also been gradually restored.”

“The remediation and differing levels of unavailability of the various systems since 21 October is expected to have a gross negative impact on the operating margin of between €40 million and €50 million. The Group’s insurance coverage for cyber risks totals €30 million.” the company added.

The IT services provider said that sales activity for the fourth quarter should not be significantly affected by this event.

Sopra Steria now expects negative organic revenue growth of between 4.5% and 5.0% (previously ‘between -2% and -4%’) for the financial year 2020. The company also estimates an operating margin on business activity of around 6.5% (previously ‘between 6% and 7%’), and free cash flow of between €50 million and €100 million (previously ‘between €80m and €120m’).

Pierluigi Paganini

(SecurityAffairs – hacking, Ryuk ransomware)

The post Sopra Steria estimates financial Impact of ransomware attack could reach €50 Million appeared first on Security Affairs.

Operators behind Dark Caracal are still alive and operational

The Dark Caracal APT group has carried out a series of attacks against multiple sectors using a new variant of a 13-year-old backdoor Trojan.

The Dark Caracal cyberespionage group is back: researchers from Check Point uncovered a new series of attacks against multiple industries.

Dark Caracal is an APT group associated with the Lebanese General Directorate of General Security; in the recent attacks it employed a new version of Bandook, a 13-year-old backdoor Trojan.

Bandook was last seen in the 2015 and 2017 campaigns dubbed “Operation Manul” and “Dark Caracal”, attributed to the Kazakh and Lebanese governments respectively. This suggests that the implant was developed by a third party and used by multiple APT groups.

“During this past year, dozens of digitally signed variants of this once commodity malware started to reappear in the threat landscape, reigniting interest in this old malware family.” reads the report published by Check Point.

“In the latest wave of attacks, we once again identified an unusually large variety of targeted sectors and locations. This further reinforces a previous hypothesis that the malware is not developed in-house and used by a single entity, but is part of an offensive infrastructure sold by a third party to governments and threat actors worldwide, to facilitate offensive cyber operations.”

During the latest campaign, the attackers targeted multiple sectors, including government, financial, energy, food industry, healthcare, education, IT, and legal institutions.

The APT group targeted entities in Singapore, Cyprus, Chile, Italy, the USA, Turkey, Switzerland, Indonesia, and Germany.

The infection chain used in the attacks is constantly evolving; the image below shows its three main stages.

Dark Caracal malware attack flow

The first stage leverages a lure Microsoft Word document (e.g. “Certified documents.docx”) delivered inside a ZIP file. When the document is opened, malicious macros are downloaded; they then drop and execute a second-stage PowerShell script that was stored encrypted inside the original Word document.

In the last phase of the attack, the PowerShell script downloads encoded executable parts from legitimate cloud storage services such as Dropbox or Bitbucket, assembles the Bandook loader, and the loader injects the RAT into a new Internet Explorer process.

The Bandook RAT has been available on the underground market since 2007; it supports common backdoor commands, including capturing screenshots and carrying out various file-related operations.

Experts noticed that the new release of Bandook is a slimmed-down version of the original malware, supporting only 11 of the 120 commands. Shipping a subset of commands suggests the threat actors are trying to keep a low profile.

Experts observed several samples of the malware that were digitally signed with valid certificates issued by Certum. Check Point researchers also spotted both digitally signed and unsigned variants, which they believe are operated by a single entity.

“Some of this campaign’s characteristics and similarities to previous campaigns leads us to believe that the activity we describe in this report is indeed the continuation and evolution of the infrastructure used during the Dark Caracal operation:

  • The use of the same certificate provider (Certum) throughout the various campaigns.
  • The use of the Bandook Trojan, in what appears to be a unique evolving fork from the same source code (which is not known to be publicly available). Samples from the Dark Caracal campaign (2017) utilized around 100 commands, compared to the current 120 command version we analyzed.
  • This wave of attacks shares the same anomalous characteristics for targeted attacks –  an extreme variance in the selected targets, both in their industry and their geographic spread.” concluded the experts.

“All evidence points to our belief that the mysterious operators behind the malicious infrastructure of “Operation Manul” and “Dark Caracal” are still alive and operational, willing to assist in the offensive cyber operations to anyone who is willing to pay.”

Pierluigi Paganini

(SecurityAffairs – hacking, malware)

The post Operators behind Dark Caracal are still alive and operational appeared first on Security Affairs.

Week in review: Drupal-based sites open to attack, cPanel 2FA bypass vulnerability

Here’s an overview of some of last week’s most interesting news and articles: Challenges organizations face in combating third-party cyber risk A CyberGRX report reveals trends and challenges organizations of all sizes face in combating third-party cyber risk today. Each insight was gleaned from proprietary assessment data gathered from a sample of 4,000 third parties. cPanel 2FA bypass vulnerability can be exploited through brute force A two-factor authentication (2FA) bypass vulnerability affecting the popular cPanel … More

The post Week in review: Drupal-based sites open to attack, cPanel 2FA bypass vulnerability appeared first on Help Net Security.

Weekly Update 219: IoT Unravelled with Scott Helme


What. A. Week. Blog post every day, massive uptick in comments, DMs, newsletter subscribers, followers and especially, blog traffic. More than 200,000 unique visitors dropped by this week, mostly to read about IoT things. This has been a fascinating experience for me and I've enjoyed sharing the journey, complete with all my mistakes 🙂 I topped the week off by spending a couple of hours talking to Scott Helme about our respective IoT experiences so that's the entirety of this week's update - Scott and I talking IoT. I hope you enjoy this temporary change in programming so here it is, the IoT unravelled livestream with Scott:



  1. IoT Unravelled Part 1: It's a Mess... But Then There's Home Assistant
  2. IoT Unravelled Part 2: IP Addresses, Network, Zigbee, Custom Firmware and Soldering
  3. IoT Unravelled Part 3: Security
  4. IoT Unravelled Part 4: Making it All Work for Humans
  5. IoT Unravelled Part 5: Practical Use Case Videos
  6. Sponsored by: 1Password is a secure password manager and digital wallet that keeps you safe online

Chip maker Advantech hit by Conti ransomware gang

The IIoT chip maker Advantech was hit by the Conti ransomware, the gang is now demanding over $13 million ransom from the company.

The Conti ransomware gang infected the systems of industrial automation and Industrial IoT (IIoT) chip maker Advantech and is demanding over $13 million in ransom (roughly 750 BTC) to avoid leaking stolen files and to provide a key to restore the encrypted files.

Advantech has 8,000 employees worldwide and has reported a yearly sales revenue of over $1.7 billion in 2019.

On November 21, 2020, the ransomware gang announced that it would leak the stolen data if the chipmaker did not pay the ransom within the following day.

As proof of the capability to restore the data, Conti ransomware operators are willing to decrypt two of the encrypted files.

On November 26, the ransomware operators began leaking the data stolen from Advantech, an archive of 3.03GB that accounts for 2% of the total amount of stolen data.

According to Bleeping Computer, the Conti ransomware gang also promised to remove any backdoors from the company’s network after payment of the ransom. The operators also announced that the stolen data would be permanently removed from their servers and that they would provide security tips on how to secure the network against future infections.

Conti ransomware operators run a private Ransomware-as-a-Service (RaaS). The malware appeared in the threat landscape at the end of December 2019 and was distributed through TrickBot infections.

Since August 2020, the group has run a leak site used to threaten victims with the release of stolen data.

Pierluigi Paganini

(SecurityAffairs – hacking, Advantech)

The post Chip maker Advantech hit by Conti ransomware gang appeared first on Security Affairs.

Office 365 phishing campaign leverages Oracle and Amazon cloud services

Experts warn of a new sophisticated phishing scheme for stealing Office 365 credentials from small and medium-sized businesses in the U.S.

The new phishing scheme was set up by threat actors to steal Office 365 credentials and leverages cloud services from both Oracle and Amazon for its infrastructure.

The campaign has been active for more than half a year and targeted small and medium-sized businesses in the U.S. and Australia.

The attackers compromised legitimate websites and used them as a proxy chain. The campaign also stands out for its abuse of legitimate services and websites for data exfiltration.

The phishing messages are fake notifications for voice messages and Zoom invitations, crafted to trick victims into clicking an embedded link that ultimately leads to a phishing page designed to steal login credentials.

Office 365 phishing page (image source: Bleeping Computer)

According to cybersecurity firm Mitiga, the threat actors used compromised accounts to send out phishing messages and used Amazon Web Services (AWS) and Oracle Cloud in the redirect chain.

“Once the link was clicked, the user is redirected through several proxies, including AWS load balancers, all the way to a legitimate but compromised website,” Ofir Rozmann, threat intelligence at Mitiga, told Bleeping Computer.

Before reaching the final landing page, victims pass through several proxies, including AWS load balancers.

Most of the fake Office 365 login pages were hosted on Oracle Cloud computing service, but experts also observed the use of Amazon Simple Storage Service (Amazon S3).

Mitiga researchers discovered more than 40 compromised websites that were employed in this Office 365 phishing campaign.

Analysis of the HTML code of the fake Office 365 pages suggests that the attackers opted for a phishing-as-a-service kit.

Based on the email addresses employed in this campaign, Mitiga researchers determined that the campaign mainly aimed at C-level executives at small and medium-sized businesses as well as major financial institutions.

Additional technical details about this campaign, along with Mitiga’s recommendations to avoid falling victim to these attacks, are reported in Mitiga’s analysis.

Pierluigi Paganini

(SecurityAffairs – hacking, Office 365)

The post Office 365 phishing campaign leverages Oracle and Amazon cloud services appeared first on Security Affairs.

CISA Warns of Password Leak on Vulnerable Fortinet VPNs

Agency Says Hackers Can Use a Known Bug for Further Exploitation
CISA is warning about a possible password leak that could affect vulnerable Fortinet VPNs and lead to further exploitation. The latest agency notice comes just days after hackers began publishing what they claim are leaked passwords on underground forums, according to researchers.

Is AliExpress Safe? The Answer Might Surprise You

Is AliExpress Safe? A Brief History of Online Shopping  According to ODM World, online shopping refers to a “unique form of electronic commerce (known as eCommerce) which connects customers and sellers on all corners of the internet with the use of a web browser. […] there are two forms an online shop could take. First […]

The post Is AliExpress Safe? The Answer Might Surprise You appeared first on Heimdal Security Blog.

Hundreds of C-level executives credentials available for $100 to $1500 per account

A credible threat actor is offering access to the email accounts of hundreds of C-level executives for $100 to $1500 per account.

Access to the email accounts of hundreds of C-level executives is being sold on a popular closed-access underground forum for Russian-speaking hackers for $100 to $1500 per account. It isn’t the only such forum; other prominent ones are Blackhacker, Omerta, and L33t.

The news reported by ZDNet is not surprising; I have come across this kind of offer several times, but it is important to raise awareness of the cybercrime-as-a-service model that can rapidly enable threat actors to carry out malicious activities.

The availability of access to the email accounts of C-level executives could allow threat actors to carry out multiple malicious activities, from cyber espionage to BEC scams.

The threat actor is selling login credentials for Office 365 and Microsoft accounts and the price depends on the size of the C-level executives’ companies and the internal role of the executive.

The threat actor claims its database includes login credentials of high-level executives such as:

  • CEO – chief executive officer
  • COO – chief operating officer
  • CFO – chief financial officer or chief financial controller
  • CMO – chief marketing officer
  • CTO – chief technology officer
  • President
  • Vice president
  • Executive Assistant
  • Finance Manager
  • Accountant
  • Director
  • Finance Director
  • Financial Controller
  • Accounts Payables

ZDNet confirmed the authenticity of some of the data available for sale.

“A source in the cyber-security community who agreed to contact the seller to obtain samples has confirmed the validity of the data and obtained valid credentials for two accounts, the CEO of a US medium-sized software company and the CFO of an EU-based retail store chain.” reported ZDNet.

At the time of writing, it is unclear how the threat actor has obtained the login credentials.

Experts from threat intelligence firm KELA speculate that the threat actor could have obtained the credentials by buying “Azor logs,” lots of data stolen from computers infected with the AZORult info-stealer trojan.

Data collected by info-stealers is sold in the underground; threat actors buy and parse it in search of sensitive data such as account credentials.

In July, the US Department of Justice indicted a hacker who goes by the moniker Fxmsp for hacking over three hundred organizations worldwide and selling access to their networks.

Once the hacker gained access to the network, they deployed password-stealing malware and remote access trojans (RATs) to harvest credentials and establish persistence in the system.

The name Fxmsp refers to a high-profile Russian- and English-speaking hacking group focused on breaching high-profile private corporate and government networks.

Since March 2019, Fxmsp announced in cybercrime forums the availability of information stolen from major antivirus companies located in the U.S.

Between 2017 and 2018, Fxmsp created a network of trusted proxy resellers to promote their breaches on the criminal underground.

Fxmsp typically compromised the Active Directory of target organizations and ensured external access through remote desktop protocol (RDP) connections.

Turchin, the individual named in the indictment as Fxmsp, attempted to sell access to these networks on hacker forums (i.e., Club2Card, Altenen, Blackhacker, Omerta, Sniff3r, and L33t) and dark web marketplaces for prices ranging from a few thousand dollars to over $100,000.

The group also claimed to have developed a credential-stealing botnet capable of infecting high-profile targets and exfiltrate sensitive data, including access credentials.


In 2019, Fxmsp confirmed to have breached the networks of some security companies and to have obtained long-term access.

The group offered access to single companies for $250,000 and asked $150,000 for the source code of the software. Buyers could also pay at least $300,000 to acquire both; the price depended on the compromised company.

Pierluigi Paganini

(SecurityAffairs – hacking, executive)

The post Hundreds of C-level executives credentials available for $100 to $1500 per account appeared first on Security Affairs.

Drupal emergency updates fix critical arbitrary PHP code execution

Drupal has released emergency security updates to fix a critical flaw with known exploits that could allow for arbitrary PHP code execution.

Drupal has released emergency security updates to address a critical vulnerability with known exploits that could be exploited to achieve arbitrary PHP code execution on some CMS versions.

The Drupal project uses the PEAR Archive_Tar library, which was recently updated to address CVE-2020-28948 and CVE-2020-28949.

As a consequence, multiple vulnerabilities affect Drupal installs that are configured to allow .tar, .tar.gz, .bz2, or .tlz file uploads and to process them.

“Drupal has released security updates to address vulnerabilities in Drupal 7, 8.8 and earlier, 8.9, and 9.0. An attacker could exploit this vulnerability to take control of an affected system.” reads the advisory published by CISA.

“The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Drupal Advisory SA-CORE-2020-013 and apply the necessary updates.”

“According to the regular security release window schedule, November 25th would not typically be a core security window,” reads the security advisory published by Drupal.

“However, this release is necessary because there are known exploits for one of core’s dependencies and some configurations of Drupal are vulnerable.”

Drupal released updates for each supported branch to address the issues.

“Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage,” Drupal’s security team added.

Drupal also recommends to mitigate this issue by preventing untrusted users from uploading .tar, .tar.gz, .bz2, or .tlz files.

The number of vulnerable Drupal installs is approximately 940,000 out of a total of roughly 1.12 million.

Last week, the Drupal development team released security updates to fix a remote code execution vulnerability caused by the failure to properly sanitize the names of uploaded files.

The vulnerability, tracked as CVE-2020-13671, has been classified as critical according to the NIST Common Misuse Scoring System.

The flaw could be exploited by an attacker by uploading files with certain types of extensions (phar, php, pl, py, cgi, html, htm, phtml, js, and asp) to the server to achieve remote code execution.
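As an added example (not Drupal’s own code, and written in Python rather than PHP so it runs stand-alone), the check below implements the two defences the advisories above describe: refusing archive uploads from untrusted users, and munging executable extensions that hide behind an allowed final extension. The extension lists are the ones quoted in the post; the function name, the trusted-user flag and the underscore munging convention are assumptions.

```python
import os

# Extensions the CVE-2020-13671 advisory names as able to reach code execution.
EXECUTABLE_EXTENSIONS = {"phar", "php", "pl", "py", "cgi", "html", "htm", "phtml", "js", "asp"}
# Archive types SA-CORE-2020-013 ties to the vulnerable configuration
# (.tar.gz is caught through its "tar" segment).
ARCHIVE_EXTENSIONS = {"tar", "bz2", "tlz"}


def validate_upload(filename, allowed_extensions, trusted_user=False):
    """Returns (accepted, stored_name, reason).

    - the final extension must be on the allow-list;
    - archive uploads are refused for untrusted users (the advisory's mitigation);
    - every other executable extension segment gets an underscore appended, so
      shell.php.txt is stored as shell.php_.txt and a web server that evaluates
      interior extensions (Apache mod_mime style) will not hand it to PHP.
    """
    allowed = {e.lower() for e in allowed_extensions}
    base = os.path.basename(filename.replace("\\", "/"))  # drop any client-supplied path
    parts = base.split(".")
    if len(parts) < 2 or not parts[0]:  # no extension, or a dotfile such as .htaccess
        return False, None, "missing name or extension"
    final_ext = parts[-1].lower()
    if final_ext not in allowed:
        return False, None, f"extension .{final_ext} not allowed"
    segments = [p.lower() for p in parts[1:]]
    if not trusted_user and any(seg in ARCHIVE_EXTENSIONS for seg in segments):
        return False, None, "archive uploads are limited to trusted users"
    munged = [parts[0]]
    for ext in parts[1:]:
        if ext.lower() in EXECUTABLE_EXTENSIONS and ext.lower() not in allowed:
            ext += "_"  # neutralise the interior/hidden executable extension
        munged.append(ext)
    return True, ".".join(munged), "accepted"
```

Checking only the last extension is the mistake this guards against: `shell.php.txt` passes a naive allow-list of `txt`, but some server configurations still execute it as PHP, so the interior `php` segment has to be neutralised as well as the final one checked. The archive rule is the configuration-level mitigation Drupal suggested until the Archive_Tar fix could be applied.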

Pierluigi Paganini

(SecurityAffairs – hacking, PHP code execution)

The post Drupal emergency updates fix critical arbitrary PHP code execution appeared first on Security Affairs.

Rebooting the Office

Employers face not only the challenge of developing a plan to safely reopen the office. They must also begin to reimagine the future of work in this new environment. In short, it is time to “reboot” the office. The reboot will affect everything, not just physical office space, but also technology, people and policies. It…

The post Rebooting the Office first appeared on IT World Canada.

Cyber Security Today Week In Review for November 27, 2020

The holiday shopping period is upon us with Black Friday officially starting today. Why not get a security-related gift? Guest analyst Dinah Davis of Arctic Wolf and I discuss what's available in books, software and stocking-stuffers

The post Cyber Security Today Week In Review for November 27, 2020 first appeared on IT World Canada.

Out-of-band Drupal security updates fix bugs with known exploits

Drupal has released out-of-band security updates to fix two critical code execution flaws (CVE-2020-28948, CVE-2020-28949) in Drupal core, as “there are known exploits for one of core’s dependencies and some configurations of Drupal are vulnerable.” CVE-2020-28948 and CVE-2020-28949 are arbitrary PHP code execution vulnerabilities found in the open source PEAR Archive_Tar library, which Drupal uses to handle TAR files in PHP. “(The) vulnerabilities are possible if Drupal is configured to allow … More

The post Out-of-band Drupal security updates fix bugs with known exploits appeared first on Help Net Security.

North Korean hackers allegedly behind cyberattacks on AstraZeneca

The Reuters agency revealed in an exclusive that the COVID vaccine maker AstraZeneca was targeted by alleged North Korea-linked hackers.

According to a report published by Reuters, suspected North Korea-linked hackers targeted AstraZeneca, one of the companies that are developing a COVID vaccine.

The attack attempts took place in recent weeks, two people with knowledge of the matter told Reuters. The attackers used a well-known tactic, the hackers posed as recruiters on popular social network platforms and instant messaging applications, including LinkedIn and WhatsApp, to approach AstraZeneca employees with fake job offers.

“They then sent documents purporting to be job descriptions that were laced with malicious code designed to gain access to a victim’s computer.” reported Reuters. “The hacking attempts targeted a “broad set of people” including staff working on COVID-19 research, said one of the sources, but are not thought to have been successful.”

Pyongyang has always denied carrying out cyberattacks on healthcare organizations and entities involved in the development of a vaccine.

The attribution to North Korea is based on analysis of the tools and techniques used in the attacks, which overlap significantly with an ongoing hacking campaign that U.S. officials and cybersecurity researchers have attributed to North Korea.

According to the experts, the same campaign also aimed at defence companies, media organisations, and COVID-related targets, such as vaccine scientists and drugmakers.

A report recently published by the Canadian Centre for Cyber Security, titled “National Cyber Threat Assessment 2020,” warns of risks associated with state-sponsored operations from China, Russia, Iran, and North Korea.

Nation-state actors linked to the above countries pose the greatest strategic threats to Canada and according to the report, they will continue to attempt to steal Canadian intellectual property, especially related to COVID-19.

Threat actors are carrying out cyber espionage campaigns and online influence campaigns.

South Korean lawmakers announced last week that the country’s intelligence agency had foiled cyber attacks.

Reuters added that some of the accounts employed in the attacks on AstraZeneca were registered to Russian email addresses, but one of the sources speculated that it could be a false flag used by the attackers.

At the time of writing, AstraZeneca declined to comment.

Pierluigi Paganini

(SecurityAffairs – hacking, AstraZeneca)

The post North Korean hackers allegedly behind cyberattacks on AstraZeneca appeared first on Security Affairs.

SHAKE them and STIR them: how Canada is fighting scam calls

Scam calls suck. In 2019 alone, 26 billion illegal robocalls and scam calls eroded subscribers’ faith in telephone service worldwide, an increase of 18 per cent year over year. In many cases, vampiric scammers hunted people’s wallets. Between January and October 2019, they stole $24 million from Canadians.

Fraud and anti-spam laws set harsh punishments for criminals, but they can only be enforced after the damage has been done. Netting the perps is even harder. Therefore, these calls must be stopped before they reach the receiver.

Amid the swelling volume of spam calls, the world raced to find a defence. In Canada and the United States, STIR/SHAKEN has been selected as the best candidate. With a name inspired by James Bond’s famed quote, STIR/SHAKEN will be the first antidote to the spam call plague.

Key terms:

  • STIR: Secure Telephone Identity Revisited, the IETF standards that define signature-based call authentication.
  • SHAKEN: Signature-based Handling of Asserted information using toKENs, the framework for implementing STIR.

However, before discussing STIR/SHAKEN’s implementation, it’s important to understand the two popular telephone network protocols.

TDM vs SIP telephone networks

Traditionally, calls were made over the Public Switched Telephone Network (PSTN), a term that would persist to describe the plain old telephone service. Old films often cast operators swapping wires on a switchboard to route a call. These depict the circuit-switched system. Eventually, the invention of the SS7 protocol suite and time-division multiplexing (TDM) in 1975 retired the human operators.

The TDM-based system was superior to humans in that it could carry many calls over a single wire, consolidating hundreds of dedicated cables. It achieved this by quickly switching between different calls, so quickly that the gaps between voices were imperceptible. Its high reliability and simple implementation would dominate the phone industry for the next 50 years. But in the 21st century, demand for richer call services has exceeded TDM’s capabilities.

After much scouring, the industry settled on the session initiation protocol (SIP). SIP is part of voice-over-IP (VoIP) technology and operates over the internet as opposed to TDM’s specialized telephone hardware. Phone operators valued the SIP network’s reliability, cheaper hardware, the potential for new services, multimedia support, and better management capabilities. Its flexibility enabled STIR/SHAKEN, the upcoming hero in thwarting spoofed calls.


The principle behind STIR/SHAKEN is based on digital signatures, an established technology that’s almost as old as the internet.

SHAKEN authentication over a SIP interconnect is straightforward. When the caller places a call, the SHAKEN authentication module appends a digitally signed token to the call invite before passing it through the SIP interconnect. Once the invite reaches the receiver, the SHAKEN verification system validates the token and delivers or blocks the call. This simple system makes number spoofing much harder.

STIR has been around since 2013.

But there’s a catch: these tokens cannot be transmitted over legacy networks, which carry 85 per cent of all robocalls. This is because the tokens are dropped at the first SIP-to-TDM conversion. When the terminating STIR verification system does not see a token, it simply drops the invite. This is the largest roadblock to establishing STIR/SHAKEN in Canada, as most operators use a mix of both systems.




The solution is out-of-band (OOB) STIR/SHAKEN. It hands the token to a call placement service (CPS) before the network conversion, removing it from the call path and sending it to the destination over the internet instead. Once received, the verification server at the destination matches the call invite with the token and begins the verification process. This small change bypasses the barriers between mixed network types.

Out-of-Band STIR/SHAKEN bypasses telephone network changes.
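To make both flows concrete, here is an added example in Go. It is not code from the article, the CRTC, the CST-GA or any vendor named on this page. It covers the in-band case described above, where the authentication service signs a SHAKEN PASSporT into the INVITE and the terminating verification service checks it, and the out-of-band case, where the same token is published to a call placement service and looked up by the terminating side when the INVITE arrives without it. Assumptions: the phone numbers, the x5u certificate URL and the origid are constructed; fetching the signer’s certificate from x5u and validating its chain to the STI-CA is omitted, so the verifier is handed the public key directly; and the CPS is a toy in-memory map keyed on calling and called number, not the real CPS interface.

```go
package main

// Added example (not the article's or any named party's code): minimal SHAKEN
// PASSporT sign/verify (RFC 8224/8225/8588) and a toy out-of-band CPS.
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding
// Fields are in lexicographic order: PASSporT needs sorted keys and compact JSON.
type Orig struct{ TN string `json:"tn"` }
type Dest struct{ TN []string `json:"tn"` }
type Claims struct {
	Attest string `json:"attest"` // attestation level "A", "B" or "C"
	Dest   Dest   `json:"dest"`
	Iat    int64  `json:"iat"`
	Orig   Orig   `json:"orig"`
	OrigID string `json:"origid"`
}

// Sign is the originating authentication service; its output is the Identity header value.
func Sign(priv *ecdsa.PrivateKey, x5u string, c Claims) (string, error) {
	// Go marshals map keys sorted, which is exactly the ordering PASSporT requires.
	h, _ := json.Marshal(map[string]string{"alg": "ES256", "ppt": "shaken", "typ": "passport", "x5u": x5u})
	p, err := json.Marshal(c)
	if err != nil { return "", err }
	input := b64.EncodeToString(h) + "." + b64.EncodeToString(p)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil { return "", err }
	sig := make([]byte, 64) // JWS ES256 is R||S as two fixed 32-byte integers, not DER
	rb, sb := r.Bytes(), s.Bytes()
	copy(sig[32-len(rb):32], rb)
	copy(sig[64-len(sb):], sb)
	return input + "." + b64.EncodeToString(sig), nil
}

// Verify is the terminating verification service; pub is assumed already fetched from x5u and chained to the STI-CA.
func Verify(pub *ecdsa.PublicKey, token, inviteFrom, inviteTo string, now int64) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return c, errors.New("malformed PASSporT") }
	hb, err := b64.DecodeString(parts[0])
	if err != nil { return c, err }
	var h map[string]string
	if err := json.Unmarshal(hb, &h); err != nil { return c, err }
	if h["alg"] != "ES256" || h["ppt"] != "shaken" || h["typ"] != "passport" {
		return c, errors.New("unexpected PASSporT header") // never honour alg=none
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != 64 { return c, errors.New("bad signature encoding") }
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) { return c, errors.New("signature does not verify") }
	pb, err := b64.DecodeString(parts[1])
	if err != nil { return c, err }
	if err := json.Unmarshal(pb, &c); err != nil { return c, err }
	// RFC 8224 suggests a window of about a minute to limit replay of old tokens,
	// and the signed numbers must be the ones actually on this call.
	if now-c.Iat > 60 || c.Iat-now > 60 { return c, errors.New("token outside freshness window") }
	if c.Orig.TN != inviteFrom || len(c.Dest.TN) != 1 || c.Dest.TN[0] != inviteTo {
		return c, errors.New("signed numbers do not match the INVITE")
	}
	return c, nil
}

// CPS is a toy call placement service: the originating side publishes the PASSporT
// here before the call crosses into TDM and the terminating side looks it up when the
// INVITE arrives without an Identity header. The CPS verifies nothing; Verify does.
type CPS struct{ byCall map[string][]string }
func NewCPS() *CPS                     { return &CPS{byCall: map[string][]string{}} }
func callKey(orig, dest string) string { return orig + "->" + dest }
func (s *CPS) Publish(orig, dest, token string) {
	s.byCall[callKey(orig, dest)] = append(s.byCall[callKey(orig, dest)], token)
}

// VerifyOutOfBand accepts the first CPS token that verifies for this call.
func VerifyOutOfBand(cps *CPS, pub *ecdsa.PublicKey, from, to string, now int64) (Claims, error) {
	for _, tok := range cps.byCall[callKey(from, to)] {
		if c, err := Verify(pub, tok, from, to, now); err == nil { return c, nil }
	}
	return Claims{}, errors.New("no verifiable PASSporT for this call")
}
// NewKey stands in for the private key behind the provider's STI certificate.
func NewKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	return k
}
```

The checks that matter for spoofing are the last ones in Verify: the algorithm must be ES256 (a token claiming alg=none must fail before any signature logic runs), the signature must verify under the originating provider’s key, and the signed orig and dest must equal the numbers actually on the INVITE, within a freshness window so that a captured token cannot be replayed on a later call. The out-of-band path changes only where the token comes from, not what is checked against it.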

For operators with SIP networks, OOB STIR/SHAKEN is close to turnkey. Operators that use only TDM switches can upgrade to SIP hardware using inexpensive off-the-shelf parts. Where that is impossible, operators can use an ISUP-to-SIP gateway.

Companies without direct access to phone numbers can implement STIR/SHAKEN as well. Google, for example, integrated STIR/SHAKEN in its proprietary call blocking service.

Because the CPS has visibility into all calls, its security needs to be carefully managed. The certification authority that runs the CPS needs approval from policymakers and must be held accountable when things go wrong. In Canada, the Canadian Secure Token-Governance Authority (CST-GA) is the central policymaker for digital certificates.

The governance authority has the highest authority in dictating policy. In Canada, that’s the CST-GA.

The business case lies in rich call data

STIR/SHAKEN also enables a key peripheral use: rich call data (RCD). Rich call data carries information about who is calling and why, including a name, logo, picture and call reason. It can even carry a URL linking to external files that give deeper caller context. Together with STIR/SHAKEN, users can authenticate calls at a glance and companies gain greater control over how their brand appears.

SHAKEN token with rich call data includes extra fields for added caller transparency.

“There’s real value in that, it’s an easy business case to justify,” said Jim Dalton, CEO of TransNexus at the 2020 Canadian Telecom Summit. “We believe customers are going to pay for rich call data. And we think that because there are enterprises saying ‘I need my calls answered’…that’s the obvious first market: to sell to give them control over their branding, how and when they make a call, how it’s displayed while they’re calling. And most of all, it’s going to improve their call completion rates.”

An example of rich call displays with SHAKEN. Note the customizable logo, caller name, and the verified caller ID indicated by the green checkmark.

RCD is coming to desktop phones, smartphones, smart TVs and landline phones. It can even come to virtual communication. Zoom calls, for example, don’t verify where a connection is coming from: the user joins a meeting by clicking the invite link in an email, and an impostor who obtains that link can join and pretend to be the intended recipient.

“We think there’s value in that it gives you a security identity for these outbound calls that you make,” said Dalton. “And it’s going to be great for inbound call centers….when they get that digitally signed token, there’s been some vetting by the service provider…and they can verify it with that call. It’s going to make their call or authentication processes much more robust.”

It’s up to the telecom operators to implement STIR/SHAKEN, but smartphone manufacturers will need to support rich call data. Dalton said it will be market-driven; if there’s high user demand, then it’s very likely it will be added quickly.

When is STIR/SHAKEN coming to Canada?

STIR/SHAKEN is planned for June 2021, but Canadians already have basic call protection.

In December 2019, Canadian carriers deployed a rudimentary blocking feature that barred calls from bogus numbers. While it blocked the most flagrant calls, it did nothing to combat call spoofing.

The CRTC therefore required carriers to implement STIR/SHAKEN by September 2020. But citing the effects of the pandemic, Canadian operators asked the CRTC to extend the deadline by nine months. Rogers said that some technical standards relating to STIR/SHAKEN had not yet been defined and that it needed more time to renegotiate contracts with vendors.

The post SHAKE them and STIR them: how Canada is fighting scam calls first appeared on IT World Canada.

The genesis of an ethical digital blueprint for the post-pandemic economy | An interview with Danny Lange, SVP of AI at Unity Technologies

We recently chatted with Danny Lange, senior vice president of AI at Unity Technologies to get his thoughts on the role of artificial intelligence in advancing a more ethical blueprint for the post-pandemic economy.

The post The genesis of an ethical digital blueprint for the post-pandemic economy | An interview with Danny Lange, SVP of AI at Unity Technologies first appeared on IT World Canada.

How to Reduce Fake News in Online Advertising


Steps can be taken to reduce the threat of fake news infiltrating online advertising.

Speaking during the Westminster Forum Conference about tackling fake news and online misinformation, Konrad Shek, deputy director, policy and regulation at the Advertising Association, said the advent of disinformation has had an “enormous impact on trust in the media and politics.”

He said within commercial advertising there have been cases of false claims and promoted stories, and manipulated content, which can appear on social media and news feeds, while some websites that do “propagate false information are supported by adverts and legitimate ads can find themselves on these dubious websites.”

He also explained that online fraudsters use tactics to better promote adverts, including adding clicks for misattribution, which can divert advertisers’ money to the fraudulent actor. “I’d refrain from saying that restricting adverts is a solution, as you have to think about the consequences of an approach and the impact it would have on the free internet,” he said. He outlined four options:

  1. Try to choke off funds to fake news websites; brands are already sensitive about the impact of being associated with these sites, which is a good incentive to avoid being placed on them. However, he pointed out that the speed of ads through the supply chain means it may not always be possible to know where an ad has been published
  2. Use standards and technology to reduce ad fraud and stop advertising money leaking out of the supply chain. “There are already a number of industry standards that have anti-fraud certification processes,” he said, with technology that can aid in the fight against ad fraud with an ever-increasing number of detection and prevention tools. “To that end, it is really important that the ASA is properly funded and it can continue to invest in technology to help it spot non-compliant ads online”
  3. Aiding the general public to build resistance and encourage critical thinking skills. “We need to invest more in digital literacy to help people inoculate themselves against scams and misinformation,” he said. “With society as a whole, we need to look at media more critically – look at ads with a more critical eye and ask what the motivation behind it is, and is it too good to be true?”
  4. Address political advertising, as this is not regulated by the ASA. “Politicians and political parties need to come together to figure out an appropriate solution soon, as in the meantime, unregulated political advertising erodes trust in all advertising”

“There is obviously a lot more to be done,” Shek said. “Economic gain is a significant factor in why disinformation exists as advertising plays a core part in it, but we need to realize there are other factors in play.”

He claimed a solution requires a holistic and proper multi-disciplinary approach, and work needs to be done to ensure like-minded countries are allied on this, as it is hard to discern what is real and what is not.

Experts Call for Online Fake News to Be Addressed as #COVID19 Vaccine Emerges


There needs to be better steps taken by politicians and social media platforms to deal with fake news, especially as the COVID-19 vaccine is created.

Speaking during the Westminster Forum Conference on tackling fake news and online misinformation, event chair Khalid Mahmood MP, shadow defense minister for procurement, said, as we have seen throughout the pandemic, certain misinformation has been passed around and it is effective in getting to people. “That is just in terms of the pandemic that we are seeing at the moment,” he added, pointing out that fake news is published about politicians too.

He said an issue is how responsibility “is totally negated from platforms where someone can put whatever they want and move forward” and trying to trace that back and address that is becoming increasingly difficult as platforms take time to deal with it.

Admitting that this is a very difficult issue to deal with, he said we need to look at some sort of level footing on this, before it is out of control.

Commenting on the role of platform providers, Katie O’Donovan, head of public policy at Google UK, said there is a challenge around freedom of speech where the meaning around the words can vary, depending on how things are said.

She said: “So you cannot regulate words and sentences, you have to understand the context of how they were made, and ask what is the context and hyperbole and is it a threat made to an individual or a group of people?”  

Asked by Infosecurity if social media platforms are doing enough to prevent fake news whilst enabling free speech, O’Donovan said there is a need for more legislation and regulation. She argued that government is doing a good job on addressing a broad range of harms, whilst offering the opportunity to engage and to “have a vibrant online debate.” However, platforms have a responsibility not to wait for that regulation, and over the years, that has grown very steadily.

Michael Wendling, editor of the Trending and Anti-Disinformation Unit at BBC News, said there is going to be a massive wave of vaccine disinformation, which is ramping up now, and as the vaccine becomes available for COVID-19 “that will make what happened over the 5G masts look like a minor skirmish.” He said if measures by platforms are effective, there will be a larger take up of the vaccine, and if not, there will be less of a take up and the pandemic may continue.

Also speaking was Oscar Tapp-Scotting, deputy director for security and international at DCMS, who confirmed it has been working with platforms to address disinformation and has seen platforms take steps to reduce “misleading narratives.”

He said: “Each of the platforms is different; each has a different user base and provides information in different ways, so how they tackle this will vary by platform.” He also said that in a recent meeting with social media platforms, they would agree to work with healthcare organizations to publish correct information, so users have the ability to make the right choice.

Mahmood said there is a need for politicians to look at social media and how it deals with fake news, “and this has to be the way for all of us in how we deal with fake news, as ultimately there has to be some sort of responsibility between both us and the platforms and how we get the motion across and how we get them to work together.”

NCSC Helping Man United Recover from Cyber-Attack


The National Cyber Security Centre (NCSC) is assisting Manchester United in dealing with the cyber-attack which struck the English football club last week.

Last Friday, the Premier League side confirmed in a statement that an incident had taken place, following which affected systems were shut down to “contain the damage and protect data.”

One week later, the club’s internal IT system is still not fully back up and running, with staff still unable to access email alongside other functions. The NCSC is now helping Manchester United as it seeks to secure its network before restoring its IT system to full capacity.

An NCSC spokesperson is quoted as saying: “The NCSC is aware of an incident affecting Manchester United football club and we are working with the organization and partners to understand the impact.”

In its original statement, Manchester United said that its website and app were unaffected by the attack and it was not aware of any breach of personal data belonging to fans or customers, and this was reiterated on Thursday night. Quoted in The Guardian, the new statement read: “This attack was by nature disruptive, but we are not currently aware of any fan data being compromised.

“Critical systems required for matches to take place at Old Trafford remained secure and games have gone ahead as normal.”

Manchester United added that it would not be commenting on who was responsible for the attack or the motives that lay behind it.

Security experts have suggested the attack is likely to be ransomware. Commenting earlier this week, Jon Niccolls, EMEA & APAC incident response lead at Check Point, said: “It isn’t clear what type of attack hit the club, but as its statement mentioned that it ‘shut down affected systems to contain the damage and protect data,’ this suggests ransomware, and possibly a double extortion attack where the attackers both steal data with the threat of leaking it, as well as encrypting it to disrupt operations.”

Commenting on the incident, Adam Enterkin, SVP, EMEA, BlackBerry, told Infosecurity: “The exploitation of sporting giants by cyber-criminals is not a surprise. Amid a pandemic characterized by opportunistic cyber-attackers, and a huge deficit of security professionals in the UK, such an attack was all but inevitable. Manchester United isn’t the first to be hacked, and it won’t be the last.

“These attacks are, however, preventable. The truth is that the entire nation needs better cyber-hygiene. Even national institutions like sports teams can fall prey to simple phishing emails, which are responsible for a large proportion of cyber-attacks. Cyber-criminals are waiting for organizations and the public to drop their guard. We must not give them the opportunity.” 

“Ultimately, security teams at football clubs need the same tech as major banks and hospitals, to protect livelihoods and customer data. AI technology can help manage the volume of potential threats, spotting anomalies in data and dealing with menial and repetitive tasks whilst flagging potentially serious situations to the cybersecurity team. Humans and tech must work hand-in-hand, so the professionals are equipped with the right knowledge and skill sets to keep our nation’s much-loved sporting institutions safe.”

Productivity Tools May Be Monitoring Workers’ Productivity

Regulatory and Employee Litigation Risks Face Businesses That Violate Privacy Rules
Warning to workers: Your productivity tools may also be tracking your workplace productivity, and your bosses may not even know it. But as more workplace surveillance capabilities appear, legal experts warn that organizations must ensure their tools do not violate employees' privacy rights.

Two in Five Home Workers Vulnerable to Cyber-Attacks


Two in five remote workers in the UK are vulnerable to cyber-attacks as they have not received information about how to avoid COVID-19 scams or had any video call security training. This is according to a new report by Fasthosts, which looked at the additional cyber-risks businesses are facing as a result of the shift to home working this year.

The study also found that over half (54%) of remote workers are currently operating without a VPN, potentially increasing the risk of personal and company data being compromised. Additionally, around a quarter allow others in their household to look at confidential documents.

The researchers revealed that those employed in the science and pharmaceutical industry were most likely to allow other members of their household access to their work computer/laptop, while law enforcement and security staff were the biggest culprits in allowing access to confidential data and documents.

Despite recent positive news regarding the development of a vaccine for the virus, it is expected that there will be far more remote working going forward compared to pre-COVID. Fasthosts cited data from the Institute of Directors showing that three quarters (74%) of 958 company directors intend to continue with increased home working after the pandemic. It is therefore vital that organizations provide the tools and training to ensure their staff are more secure whilst operating from home.

Michelle Stark, sales and marketing director at Fasthosts, commented: “It’s sad to see the risks of cybercrime so prevalent whilst many Britons are working from home. Keeping you and the business safe online is critical to keep confidential data secure. We urge all consumers to read our top tips, be more mindful and seek the correct training whilst working from home.”

Last month, a study by Mimecast found that remote workers are increasingly putting corporate data and systems at risk by failing to follow best practice security.

A week later, Manchester United has yet to recover after a cyberattack

Manchester United is still facing problems after the cyber attack it suffered last week and has yet to fully restore its systems.

Last week Manchester United was hit by a sophisticated cyber attack. The attack took place on Friday evening, and the football club shut down its systems to prevent the malware from spreading within its network.

“Manchester United can confirm that the club has experienced a cyber attack on our systems. The club has taken swift action to contain the attack and is currently working with expert advisers to investigate the incident and minimise the ongoing IT disruption.” reads a statement issued by the Manchester United and reported by The Guardian.

“Although this is a sophisticated operation by organised cyber criminals, the club has extensive protocols and procedures in place for such an event and had rehearsed for this eventuality. Our cyber defences identified the attack and shut down affected systems to contain the damage and protect data.”


The club notified the British authorities, including the Information Commissioner’s Office, and launched a forensic investigation into the incident.

A week later, Manchester United has yet to fully restore its computer systems; yesterday the club was still unable to send and receive email, and other functions were unavailable too.

“Following the recent cyberattack on the club, our IT team and external experts secured our networks and have conducted forensic investigations,” Manchester United said in a statement.

The club did not comment on the possible culprits or their motivation; it only said that the attackers aimed to disrupt its systems.

“This attack was by nature disruptive, but we are not currently aware of any fan data being compromised,” the club said. “Critical systems required for matches to take place at Old Trafford remained secure and games have gone ahead as normal.”

Pierluigi Paganini

(SecurityAffairs – hacking, cybercrime)

The post A week later, Manchester United has yet to recover after a cyberattack appeared first on Security Affairs.

You too can be a security intelligence expert, with these free tools from Recorded Future

Many thanks to the great folks at Recorded Future, who have sponsored my writing for the past week. If 2020 taught the security industry anything, it is this: There has never been a better time to be a cybercriminal. From extortion ransomware to cyberespionage campaigns, adversaries are capitalizing on uncertainty, causing chaos, and cashing in. … Continue reading "You too can be a security intelligence expert, with these free tools from Recorded Future"

Cybersecurity Predictions for 2021: Robot Overlords No, Connected Car Hacks Yes

While 2021 will present evolving threats and new challenges, it will also offer new tools and technologies that we hope will shift the balance towards the defense.

ThreatList: Cyber Monday Looms – But Shoppers Oblivious to Top Retail Threats

Online shoppers are blissfully unaware of credit card skimming threats and malicious shopping apps as they head into this year's Black Friday and Cyber Monday holiday shopping events.

Coffee Briefing, November 27, 2020 – Leadership changes, Dell’s Q3, and MSPs ask for help managing bad clients

Today's Coffee Briefing features a list of recent leadership changes, Dell's Q3 earnings, and social media chatter from MSPs seeking help with bad clients.

The post Coffee Briefing, November 27, 2020 - Leadership changes, Dell's Q3, and MSPs ask for help managing bad clients first appeared on IT World Canada.

New Code to Force Tech Giants to Provide Greater Data Transparency and Choice


The UK government has unveiled plans to develop a new statutory code for tech companies that is designed to give customers more choice and control over their data.

The Department for Digital, Culture, Media and Sport (DCMS) said that a dedicated Digital Markets Unit will work alongside regulators such as Ofcom and the Information Commissioner’s Office (ICO) to create and enforce the code, which will govern the behavior of digital platforms, including those funded by digital advertising that currently dominate the market, such as Google and Facebook. Measures are likely to include forcing such firms to be more transparent about how they use customer data and to offer consumers a choice on whether they’d like to receive personalized advertising.

Another important aim of the code is to foster more competition within the online publishing industry by helping ensure smaller businesses aren’t disadvantaged by tech giants. This could include ensuring small businesses have fair access to platform services that help them grow their online business, such as digital advertising.

The unit, which will be part of the Competition and Markets Authority (CMA), will begin operating from April 2021, and may have the power to suspend, block and reverse decisions made by tech firms as well as impose financial penalties for non-compliance.

Issues surrounding the use of data online have come into sharper focus this year, with the COVID-19 pandemic leading to a huge rise in digital users, including the sharing of creative content and advertising of small businesses’ products and services.

Digital secretary Oliver Dowden commented: “I’m unashamedly pro-tech and the services of digital platforms are positively transforming the economy, bringing huge benefits to businesses, consumers and society.

“However, there is growing consensus in the UK and abroad that the concentration of power among a small number of tech companies is curtailing growth of the sector, reducing innovation and having negative impacts on the people and businesses that rely on them. It is time to address that and unleash a new age of tech growth.”