Daily Archives: November 19, 2020

New infosec products of the week: November 20, 2020

Group-IB launches Fraud Hunting Platform, a digital identity protection and fraud prevention solution Group-IB’s Fraud Hunting Platform analyzes each session and examines user behavior (keystrokes, mouse movements, etc.) in web and in mobile channels in real-time. Based on user behavioral data and machine learning algorithms, the system creates a unique digital fingerprint for devices and identities. AWS Network Firewall: Network protection across all AWS workloads With AWS Network Firewall, customers can deploy granular network protections … More

The post New infosec products of the week: November 20, 2020 appeared first on Help Net Security.

56% of organizations faced a ransomware attack, many paid the ransom

There’s a continued proliferation of ransomware, heightened concerns around nation-state actors, and the need for acceleration of both digital and security transformation, a CrowdStrike survey reveals. Proliferation of ransomware leads to more frequent payouts, costing millions Survey data indicates ransomware attacks have proven to be especially effective, as 56% of organizations surveyed have suffered a ransomware attack in the last year. The COVID-19 pandemic catalyzed increasing concerns around ransomware attacks, with many organizations resorting to … More

The post 56% of organizations faced a ransomware attack, many paid the ransom appeared first on Help Net Security.

Attacks on biotech and pharmaceutical industry escalate

Attacks on the biotech and pharmaceutical industry had increased by 50% between 2019 and 2020, according to a BlueVoyant report. The report highlighted that nation-states are ramping up cyber attacks on companies that are developing vaccines, and this is likely to increase as production and distribution gets underway. The analysis examined open source records of 25 publicly reported attacks that have taken place in the last four years. It set out to define key risks … More

The post Attacks on biotech and pharmaceutical industry escalate appeared first on Help Net Security.

Consumer behaviors and cyber risks of holiday shopping in 2020

While consumers are aware of increased risks and scams via the internet, they still plan to do more shopping online – and earlier – this holiday season, McAfee reveals. Thirty-six percent of Americans note they are hitting the digital links to give gifts and cheer this year, despite 60% feeling that cyber scams become more prevalent during the holiday season. While more than 124 million consumers shopped in-store during the 2019 Black Friday to Cyber … More

The post Consumer behaviors and cyber risks of holiday shopping in 2020 appeared first on Help Net Security.

Financial services lead when it comes to fixing open source flaws

The financial services industry has the best flaw fix rate across six industries and leads a majority of industries in uncovering flaws within open source components, Veracode reveals. Fixing open source flaws is critical because the attack surface of applications is much larger than developers expect when open source libraries are included indirectly. The findings came as a result of an analysis of 130,000 applications from 2,500 companies. Fixing open source flaws The research found … More

The post Financial services lead when it comes to fixing open source flaws appeared first on Help Net Security.

Open Raven Cloud-Native Data Protection Platform: Automating security and privacy operations

Open Raven launched the Open Raven Cloud-Native Data Protection Platform to operationalize data security and privacy in the cloud. To prevent data breaches, it automates asset discovery and data classification, provides real-time mapping and policy-driven protection for Amazon Web Services and S3. The Open Raven Platform is generally available today. The Open Raven Platform auto-discovers where data is located in the cloud, what type of data it is — personal, sensitive, or regulated, — as … More

The post Open Raven Cloud-Native Data Protection Platform: Automating security and privacy operations appeared first on Help Net Security.

DigiCert Enterprise PKI Manager supports security for remote workforces

Enterprise PKI Manager in DigiCert ONE from DigiCert supports security for today’s increasingly remote workforces via certificate automation to authenticate employees and their devices at scale, and encrypt data. Working from home is here to stay, with Gartner reporting that 74% of CFOs are looking to shift some employees to permanent remote work. Digital certificates are a proven, widely adopted solution for strong authentication and are well supported by a variety of devices, platforms and … More

The post DigiCert Enterprise PKI Manager supports security for remote workforces appeared first on Help Net Security.

Red River delivers simplified WAN management with Managed SD-WAN solution

Red River unveiled a fully managed software-defined wide area network (SD-WAN) solution. Red River Managed SD-WAN leverages the company’s award-winning Managed Services and Cisco SD-WAN technology to deliver advanced enterprise networking capabilities to the public sector and enterprise markets. Managed SD-WAN provides organizations greater flexibility, control and management over their network. This solution enables wide area network management over dispersed geographical locations. Through three 24x7x365 Network Operation Centers (NOCs), Red River’s Managed Services team delivers … More

The post Red River delivers simplified WAN management with Managed SD-WAN solution appeared first on Help Net Security.

McAfee MVISION CNAPP enhances cloud-native security by integrating with AWS

McAfee announced the MVISION Cloud Native Application Protection Platform (CNAPP) with several native Amazon Web Services (AWS) integrations to help customers more easily secure their applications and data in their Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) environments. Architected to support multiple AWS services, MVISION CNAPP helps customers continuously identify and fix misconfigurations and software vulnerabilities in their AWS environment and securely accelerate their deployment of cloud-native applications. Announced last month, … More

The post McAfee MVISION CNAPP enhances cloud-native security by integrating with AWS appeared first on Help Net Security.

Entrust CryptoCoE: Enabling enterprises to take command of their crypto instances

Entrust announced its Cryptographic Center of Excellence (CryptoCoE) solutions, providing the tools and resources enterprises need to take command of their crypto instances and PKI systems through best practices that bring together the visibility, expertise and compliance required for a strong crypto strategy. Digital technologies are transforming the enterprise, from new DevOps practices, cloud and multi-cloud environments to the Internet of Things (IoT). And with this transformation comes new data security challenges. While IT leaders … More

The post Entrust CryptoCoE: Enabling enterprises to take command of their crypto instances appeared first on Help Net Security.

FileCloud 20.2: Protecting, tracking and controlling sensitive documents after distribution

The lines between our personal and professional lives are blurring, and it’s becoming more difficult to maintain control over confidential information as the world searches for ways to maintain security in a remote work environment. That’s why FileCloud put security at the forefront of FileCloud 20.2, the latest version of its enterprise product. FileCloud offers new levels of privacy and productivity, bringing advanced digital rights management into the platform and eliminating the need for a … More

The post FileCloud 20.2: Protecting, tracking and controlling sensitive documents after distribution appeared first on Help Net Security.

Aerospike unveils XDR expressions in Aerospike Database 5

Aerospike unveiled Cross-Datacenter Replication (XDR) expressions in Aerospike Database 5. Earlier this year, Aerospike released Database 5 with enhanced Cross-Datacenter Replication (XDR), enabling data to be dynamically routed between two or more geographically distributed clusters. Now, with the addition of expressions to XDR, Aerospike Database 5 easily routes just the right data to the right target at the right time. The dynamic, fine-grain control of expressions optimizes server, cloud and bandwidth resources—and helps global organizations … More

The post Aerospike unveils XDR expressions in Aerospike Database 5 appeared first on Help Net Security.

Tufin and AWS Network Firewall deploy network protections for Amazon Virtual Private Clouds

Tufin announced it will integrate with AWS Network Firewall, a new managed service that makes it easy to deploy essential network protections for all Amazon Virtual Private Clouds (Amazon VPCs) on Amazon Web Services (AWS), on-premise data centers and other cloud platforms for full visibility across the enterprise. “AWS is a very important cloud provider for our customers today and into the future, which is why we are excited to expand our collaboration and be … More

The post Tufin and AWS Network Firewall deploy network protections for Amazon Virtual Private Clouds appeared first on Help Net Security.

RepRisk and Apex partner to provide ESG risk data to private markets

RepRisk and Apex have entered into a strategic partnership to expand access to material ESG risk data for private markets participants. Apex manages the independent collection of data for investors from their underlying portfolio investments to deliver real time ESG analysis via a secure, intuitive, and flexible online platform. Apex’s unique ESG Rating and Advisory Portal now includes RepRisk Analytics Reports and Cases Data on private companies, allowing unrivalled ESG insights to private companies and … More

The post RepRisk and Apex partner to provide ESG risk data to private markets appeared first on Help Net Security.

PCI Pal and Oracle collaborate to add security and compliance options for CNP payments

PCI Pal announced a new collaboration with Oracle to offer its contact center customers additional security and compliance options for Cardholder Not Present (CNP) payments. Bringing together Oracle’s market-leading Enterprise Session Border Controller (E-SBC) with PCI Pal’s proven PCI compliance solutions, Oracle customers can ensure that their voice interactions and sensitive cardholder data are secure. With contactless transactions becoming a necessity for many businesses, CNP payments are on the rise. Correspondingly, however, bad actors have … More

The post PCI Pal and Oracle collaborate to add security and compliance options for CNP payments appeared first on Help Net Security.

Enzoic partners with OneLogin to eliminate the risk of compromised credentials

Enzoic announced a partnership with OneLogin, a cloud-based identity and access management provider. The collaboration will see Enzoic’s credentials screening service integrated into OneLogin’s SmartFactor Authentication product, ensuring that credentials exposed in a prior breach can’t be used. Verizon’s 2020 Data Breach Investigations Report identified that stolen credentials are involved in 29 percent of data breaches and that 80 percent of hacking-related breaches involve compromised and weak credentials. These findings underscore that preventing the use … More

The post Enzoic partners with OneLogin to eliminate the risk of compromised credentials appeared first on Help Net Security.

A flaw in GO SMS Pro App allows accessing media messages

An unpatched security flaw in GO SMS Pro, a popular messaging app for Android with over 100 million installs, exposes media messages.

GO SMS Pro is a popular Android messaging app with over 100 million installs, that has been found to be affected by an unpatched security flaw that publicly exposes media transferred between users.


An unauthenticated attacker could exploit the flaw to access any sensitive media shared between users of the app, including private voice messages, photos, and videos.

The flaw was discovered by researchers from Trustwave, it impacts version 7.91 of the app. The vulnerable version was uploaded to the Google Play Store on February 18, 2020.

“The GO SMS Pro application is a popular messenger app with over 100 million downloads and was discovered to publicly expose media transferred between users of the app.” reads the post published by Trustwave. “This exposure includes private voice messages, video messages, and photos.”

The experts noticed that if the recipient does not have the GO SMS Pro app installed, the app sends to the recipient an URL that points to media file via SMS. The recipient could then access the media file via a browser by clicking on the link.

SpiderLabs experts discovered that it is possible to access the link without any authentication or authorization, they also discovered that the URL link was sequential (hexadecimal) and predictable.

“Furthermore, when sharing media files, a link will be generated regardless of the recipient having the app installed.  As a result, a malicious user could potentially access any media files sent via this service and also any that are sent in the future. This obviously impacts the confidentiality of media content sent via this application.” continues the report.

An attacker can exploit the bug to generate a list of URLs and access user data without their knowledge.

The researchers also wrote a simple bash script to generate a sample list of URLs and demonstrate how an attacker could easily access masses of user data.

(echo obase=16; seq 1 $((echo ibase=16; echo FF) | bc)) | bc > 1
for i in $(cat 1); do echo "http://gs.3g.cn/D/dd1a$i /w"; done | tr -d " "

The cybersecurity firm attempted to contact the app developers multiple times since August 18, 2020, but received no reply.

Since then GO SMS Pro received two updates, but they still did not fix the flaw.

Below the timeline for the vulnerability:

  • 08/18/2020 – Vendor contacted with no response
  • 09/15/2020 – Vendor contacted with no response
  • 10/14/2020 – Vendor contacted with no response
  • 11/16/2020 – Vendor contacted with no response
  • 11/19/2020 – Advisory published

Pierluigi Paganini

(SecurityAffairs – hacking, GO SMS Pro)

The post A flaw in GO SMS Pro App allows accessing media messages appeared first on Security Affairs.

Druva acquires sfApex to offer data protection with sandbox management and data governance

Druva announced the acquisition of sfApex, a leading Salesforce developer tools and data migration service provider. This integrated Druva solution brings customers the best of both technologies, including advanced data protection with sandbox management and data governance, delivered in the exact same way their CRM service is accessed – via a cloud-native SaaS platform. Salesforce is the leading SaaS-based CRM and the second most widely adopted enterprise SaaS application, but since discontinuing its own recovery … More

The post Druva acquires sfApex to offer data protection with sandbox management and data governance appeared first on Help Net Security.

Abnormal Security raises $50M to double the size of its machine learning and data science teams

Abnormal Security announced that it raised $50 million in Series B venture capital funding. Led by Menlo Ventures, with participation from early investor Greylock, the round brings Abnormal’s total funding to $75 million. Abnormal is disrupting the market by using AI to reinvent email security. The funding comes amidst record-setting company growth during 2020, fueled by the growing importance of email security as enterprises shift to remote work. Since the start of the year, Abnormal … More

The post Abnormal Security raises $50M to double the size of its machine learning and data science teams appeared first on Help Net Security.

Home Trust quickly pivots during pandemic with IBM Cloud and VMware

The COVID-19 pandemic has been one of the greatest challenges that businesses have faced in their lifetime. But Home Trust — a financial services institution with about 1,000 employees — was ready for it, thanks to a cloud migration the previous year. “On Friday the 13th, the reality of COVID became apparent and we had…

The post Home Trust quickly pivots during pandemic with IBM Cloud and VMware first appeared on IT World Canada.

5 Fun Ways to Keep Family Connections Strong (and Secure) This Holiday 

Digital holiday dinner

5 Fun Ways to Keep Family Connections Strong (and Secure) This Holiday

The reality is beginning to hit: The holiday season will look and feel different this year. Traditional family gatherings, complete with mile-long dinner tables and flag football games, are now considered COVID “super spreader” events, putting a dent in plans for large gatherings.

Still, there’s a bright side. We may be dealing with a pandemic, but we also happen to live in time of amazing technology and ingenuity. That means when the face-to-face connection isn’t possible, we can connect with a click or two.

Physical and Digital Safety

According to the Center for Disease Control, it’s important to keep basic safety protocols such as mask-wearing, disinfecting, and social distancing in place. In addition, they recommend limiting the number of guests, celebrating outdoors if possible, and limiting the number of people in food prep areas. One of the most important things you can do, says the CDC, is to “have conversations with guests ahead of time to set expectations for celebrating together.”

A part of those conversations can also include ways to digitally connect with elderly or at risk loved ones who can’t gather and how to do it safely and securely. Here are a few ideas to get you rolling.

5 Creative (and Safe) Ways to Stay Connected

One big tip in organizing a successful, digitally connected holiday is to prep your technology logistics before your gathering. Ensure everyone invited to the call has downloaded the right app, adjusted privacy settings, and understands app and safety basics. For family members who may be uncomfortable connecting digitally, consider calling a few days ahead of time, previewing the app, and answering any questions. Prepping your tech will maximize your time together and ensure everyone feels confident.

1. Cook together. Use video apps such as FaceTime or Zoom to share recipes and even have grandma teach the kids to cook her famous corn casserole. Since everyone is together, you may even want to crowdsource favorite family recipes in a google doc and make a family cookbook.
Safe Family Tip: Your FaceTime app is always ideal because it’s encrypted and still private. When using video apps such as Zoom, make sure your account and meeting settings are personal.

2. Share a virtual mealtime. You might be surprised at how much fun sharing a mealtime virtually can be (we’ve tried it!) It’s easy: Set up your phone or computer on a stationary tripod or shelf that frames your dinner table. Agree on a time with family members. Dial them up on your phone or in your app. Toast the holiday in real-time.

Safe Family Tip: Be aware that with the increase in people going online to connect with family, shop, and work, hackers are also working overtime to get into Zoom (and other apps) conversations and figure out ways to plant malware. With increased digital activity, think about a comprehensive security solution, which can help protect devices against malware, phishing attacks, and other threats.

3. Enjoy movie time together. Using apps like Hulu Watch Party, Watch2gether, Amazon Watch, Netflix Party, and Houseparty makes it easy to watch a movie together from multiple locations. For kids, there’s Disney Plus Party for kid-friendly group viewing. Some of the apps require screen sharing, others separate logins, while others are simply one account holder sharing a link. The Verge offers this step-by-step on how to for several of these apps.

Safe Family Tip: Make sure the movie site or app you are using is legal and safe. Cybercriminals are hot on the trail of movie fans and have created movie apps designed to download malware onto computers. Avoid clicking on pop-up ads or random links while looking for movies or apps. Add an extra layer of protection using a Virtual Private Network (VPN) to encrypt your online activity, keep your identity secure, and secure downloads.

4. Multiplayer Game Apps. Don’t worry. Family game night lives on! Even if you are separated by miles, you can play virtual family games like Charades, Uno, Pictionary, Trivia, and many video games.

Safe Family Tip: Be sure the app you are downloading is legitimate. Read reviews and make sure there aren’t any virus or malware issues before downloading. Once downloaded, maximize your safety settings on the app, use strong passwords, and only connect with known players.

5. Virtual Karaoke. Gather on apps like Smule to enjoy some family karaoke together.

Safe Family Tip: Any group app can be a danger zone for cyberbullying or connection from strangers. Be sure that family members are aware of the dangers of allowing younger users to keep these apps on their phones following the holidays. Parental Control Software is an easy way to make sure your kids engage with safe content online.

Thanks to technology, it’s possible to shrink just about any distance. Will it take effort? Sure. Some learning? Yup. But hopefully, even though your home may feel a little more empty this year, your heart will be full.

The post 5 Fun Ways to Keep Family Connections Strong (and Secure) This Holiday  appeared first on McAfee Blogs.

Healthcare Orgs: What You Need to Know About TrickBot and Ryuk

In late October, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) co-authored an advisory report on the latest tactics used by cybercriminals to target the Healthcare and Public Health (HPH) sector. In the report, CISA, FBI, and HHS noted the discovery of, ?????ヲcredible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers,??? which they shared as a warning of potential ransomware attacks.

In the report, the agencies found that threat actors are targeting the HPH Sector using TrickBot and BazarLoader malware efforts, which can result in the disruption of healthcare services, the initiation of ransomware attacks, and the theft of sensitive data. As noted in the advisory, these security issues are even more difficult to handle and remediate during the COVID-19 pandemic; something healthcare providers should take that into consideration when determining how much to invest in their cybersecurity efforts.ツ?

The FBI first began tracking TrickBot modules in early 2019 as it was used by cyberattackers to go after large corporations. According to the report, ?????ヲTrickBot now provides its operators a full suite of tools to conduct a myriad of illegal cyber activities. These activities include credential harvesting, mail exfiltration, cryptomining, point-of-sale data exfiltration, and the deployment of ransomware, such as Ryuk and Conti.???

What makes it so dangerous? Researchers found that TrickBot developers created a tool called anchor_dns which uses a single-byte X0R cipher to obfuscate communications and, once de-obfuscated, is discoverable in DNS request traffic. When the malware is successfully executed, TrickBot is copied as an executable file and the copy is placed into one of the following directories:

  • C:\Windows\
  • C:\Windows\SysWOW64\
  • C:\Users\[Username]\AppData\Roaming\

From there, the executable file downloads modules from command and control servers (C2s) and places them into the host???s %APPDATA% or %PROGRAMDATA% directory. Every 15 minutes, the malware runs scheduled tasks on the victim???s machine for persistence, and after successful execution, anchor_dns deploys more malicious .bat scripts and implements self-deletion techniques through commands. The report notes that an open source tracker for TrickBot C2 servers is located here.

BazarLoader and Ryuk ransomware

CISA, FBI, and HHS note in the advisory report that around early 2020, threat actors believed to be associated with TrickBot began executing BazarLoader and BazarBackdoor attacks to infect targeted networks.

???The loader and backdoor work closely together to achieve infection and communicate with the same C2 infrastructure,??? the report says. ???Campaigns using Bazar represent a new technique for cybercriminals to infect and monetize networks and have increasingly led to the deployment of ransomware, including Ryuk. BazarLoader has become one of the most commonly used vectors for ransomware deployment.???

BazarLoader malware usually comes from phishing emails, the advisory says, with a link to a Google Drive document or another file hosting service housing what looks like a PDF file but is really an executable. The emails often appear personal with recipient or employer names in the subject line and body ??? as phishing attempts often do to gain trust. Once clicked, the infected links allow threat actors to install BazarLoader and disrupt service or steal data.

Ryuk, which first made a splash in 2018 as an offshoot of Hermes 2.1 ransomware, is often deployed as a payload from banking Trojans like TrickBot, according to the advisory. Ryuk is particularly dangerous to healthcare organizations because it provides attackers the opportunity to read, write, and execute permissions. Because it???s so powerful, cyberattackers utilizing Ryuk often try to limit suspicious activity by using native tools that allow them to move laterally within the network and remain undetected.

Once Ryuk has infiltrated a system it uses AES-256 to encrypt files as well an RSA public key to encrypt the AES key, and it also drops a .bat file to delete backup files and prevent recovery. Victims can access the RyukReadMe file for instructions on how to contact the threat actor via email, through which they are given a specific amount of money to send to a Bitcoin wallet for ransom.

Protecting your sensitive data

So, what are the steps that you can take to defend yourself against issues like TrickBot attacks? In their report, CISA, FBI, and HHS researchers encourage healthcare organizations to find continuity gaps in their business, especially when it comes to capability around handling emergencies like cyberattacks. They suggest that organizations review or establish patching plans, user agreements, and security policies to address current cybersecurity threats and make a plan for remediation.

In addition, healthcare organizations handle sensitive, confidential data every single day, increasingly digitally, and should ensure that data is protected with a comprehensive application security program. We know from the latest State of Software Security report that 76 percent of applications have at least one flaw in the latest scan run by Veracode customers and that it takes an average of 180 days to close 50 percent of discovered flaws. In the realm of healthcare where the data housed by applications is extremely sensitive, that???s simply too long.

???Blended attacks are now the norm. Social engineering and phishing are combined with the exploitation of both known and application vulnerabilities until the attack gets the high-value data they are looking for???, says Chris Wysopal, Veracode founder and CTO.

Learn more about what healthcare organizations should know about application security and keep up to date with application security news by subscribing to our content.

Nation-state actors from Russia, China, Iran, and North Korea target Canada

Canada Centre for Cyber Security warns of risks related to state-sponsored programs from China, Russia, Iran, and North Korea.

A report published by the Canadian Centre for Cyber Security, titled “National Cyber Threat Assessment 2020,” warns of risks associated with state-sponsored operations from China, Russia, Iran, and North Korea.

The report is based on both classified and unclassified sources and identifies current cyber threats and the likelihood that they will occur, and how Canadians could be affected.

“The second iteration of our unclassified assessment notes that the number of cyber threat actors is increasing, and they are becoming more sophisticated, that cybercrime will almost certainly continue to be the cyber threat most likely to affect Canadians and that Ransomware attacks will almost certainly continue to target large enterprises and critical infrastructure providers.” reads the report.

China, Russia, Iran, and North Korea are developing cyber capabilities to disrupt key Canadian critical infrastructure, including electricity supply.

Nation-state actors linked to the above countries pose the greatest strategic threats to Canada and according to the report, they will continue to attempt to steal Canadian intellectual property, especially related to COVID-19.

Threat actors are carrying out cyber espionage campaigns and online influence campaigns.

“The most sophisticated capabilities belong to state sponsored cyber threat actors who are motivated by economic, ideological, and geopolitical goals,” the center said.

“We assess that almost certainly the state-sponsored programs of China, Russia, Iran, and North Korea pose the greatest state-sponsored cyber threats to Canadian individuals and organizations,” continues the report.

“However, many other states are rapidly developing their own cyber programs, benefiting from various legal and illegal markets to purchase cyber products and services.”

The report also states that other states are rapidly building their cyber capabilities, for this reason the Canadian Government believes that state-sponsored hacking will continue to target Canadian businesses, academia, and governments.

“Defending Canada against cyber threats and related influence operations requires addressing both the technical and social elements of cyber threat activity. Cyber security investments will allow Canadians to benefit from new technologies while ensuring that we do not unduly risk our safety, privacy, economic prosperity, and national security.” concludes the report. “We approach security through collaboration, combining expertise from government, industry, and academia. Working together, we can increase Canada’s resilience against cyber threats.”

Pierluigi Paganini

(SecurityAffairs – hacking, nation state hacking)

The post Nation-state actors from Russia, China, Iran, and North Korea target Canada appeared first on Security Affairs.

Pandemic IT response shifting to user experience

One of the last things you want to hear on a 911 call is, “are you on mute?” Dropped calls and video conferences have been an ongoing problem since the pandemic began, said Jack Lumley, National Sales Manager Networking with Citrix Canada at CanadianCIO virtual roundtable with western IT leaders. “It can be life-threatening to…

The post Pandemic IT response shifting to user experience first appeared on IT World Canada.

Modernize secure access for your on-premises resources with Zero Trust

Change came quickly in 2020. More likely than not, a big chunk of your workforce has been forced into remote access. And with remote work came an explosion of bring-your-own-device (BYOD) scenarios, requiring your organization to extend the bounds of your network to include the entire internet (and the added security risks that come with it).

At this year’s Microsoft Ignite, we demonstrated how to bring your legacy on-premises resources into a Zero Trust security model that provides seamless access to all—SaaS, IaaS, PaaS, and on-premises—with a global presence and no extra steps to remember. You’re invited to watch our full presentation and review the highlights below.

The new decentralized workplace

Organizations that steadfastly relied on the “flat network” approach of firewalls and VPNs to regulate access now find themselves lacking the visibility, solution integration, and agility needed to deliver end-to-end security. A new model needed to adapt to a remote workforce, protecting people, devices, applications, and data—from anywhere.

Legacy access model

Figure 1: Legacy access model

In a Zero Trust security model, every access request is strongly inspected for anomalies before granting access. Everything from the user’s identity to the application’s hosting environment is authenticated and authorized using micro-segmentation and least privileged-access principles to minimize lateral movement.

Zero Trust means adhering to three cohesive principles:

  • Verify explicitly: Always authenticate and authorize based on all available data points, including—user identity, location, device health, service or workload, data classification, and anomalies.
  • Use least privileged access: Limit user access with just-in-time (JIT) and just-enough-access (JEA), risk-based adaptive polices, and data protection to help secure both data and productivity.
  • Assume breach: Minimize the blast radius and prevent lateral movement by segmenting access by network, user, devices, and app awareness. Verify all sessions are encrypted and use analytics to gain visibility, drive threat detection, and improve defenses.

Microsoft Zero Trust model

Figure 2: Microsoft Zero Trust model

In the diagram above, you can see how access is unified across users, devices, and networks; all the various conditions that feed into the risk of a session. Acting as a gateway, the access policy is unified across your resources—SaaS, IaaS, PaaS, on-premises, or in the cloud. This is true whether it’s Azure, Amazon Web services (AWS), Google Cloud Platform (GCP) or some other cloud. In the event of a breach, rich intelligence, and analytics help us identify what happened and how to prevent it from happening again.

Cybersecurity for our time

The right security solution for our new perimeterless workplace employs the principles of Zero Trust, allowing users access only to the specific applications they need rather than the entire network. Because Zero Trust access is tied to the user’s identity, it allows IT departments to quickly onboard new and remote users, often on non-corporate devices, scoping permissions appropriately.

A cybersecurity model for today’s digital estate should include:

For the end-user:

  • Access to all resources: SaaS, IaaS, PaaS, on-premises.
  • Seamless experience: No extra steps or unique URLs to remember.
  • Great performance: Proxy services should have a global presence and use geo-location.

For the security/IT admin:

  • Segmentation by app, not network.
  • Adaptive access based on the principles of Zero Trust.
  • Reduce infrastructure complexity and maintenance.

Connect apps to an identity based, secure access solution

With Microsoft Azure Active Directory (Azure AD), it’s easy to connect all your applications through a single identity-based control plane. When it comes to cloud apps, Azure AD supports standard authentication modes such as Security Assertion Markup Language (SAML) and OpenID Connect (OIDC). To accommodate new apps your organization may be developing, Azure AD also provides tools and software development kits (SDK) to help you integrate these as well.

Figure 3: Microsoft Azure Active Directory

When it comes to classic or on-premises applications, Azure AD Application Proxy enables your security team to easily apply the same policies and security controls used for cloud apps to your on-premises apps. All that’s needed is to install a lightweight agent called a connector onto your Windows server, allowing a connection point to your on-premises network. In this way, one connector group can be configured to serve multiple back-end applications, giving you the freedom to architect a truly micro-segmented solution.

Azure Active Directory Application Proxy

Figure 4: Azure Active Directory Application Proxy

Azure AD Application Proxy Connectors use outbound connections as well; meaning, no additional inbound firewall rules need to be opened. Also, it doesn’t require placement in a demilitarized zone (DMZ), as was the case with the legacy Purdue Model. Your apps won’t need to change, and Azure AD Application Proxy also supports multiple authentication modes; so your users can still get a single sign-on (SSO) experience. Users can then access the app from an external URL using any device—no VPN required.

Azure AD pre-authenticates every request, ensuring that only verified traffic ever gets to your app; thus giving you another layer of protection. In addition, any conditional access policies you’ve set up can be enforced at that point.

Protecting you in real-time

Microsoft Cloud App Security integrates natively with Azure AD conditional access to extend real-time security into the session for both your cloud and on-premises applications. This native Microsoft solution stack ensures that your on-premises applications will still boot up quickly and look the same. The difference is you’re now able to control granular actions, such as uploads, downloads, and cut, copy, and paste, based on the sensitivity of the data. For example, users accessing an on-premises instance of Team Foundation Server (TFS) through the App Proxy can use Cloud App Security to enable developers to make code changes but block their ability to download files onto an unmanaged device. Many other scenarios are supported like, blocking malware in file upload attempts to ensure that your on-premises infrastructure remains secure.

Malware detection screen

Figure 5: Malware detection screen

See what else Azure AD and Microsoft Cloud App Security can do

At Microsoft, we believe that tight integration between identity and security is pivotal to your Zero Trust strategy, and we are constantly innovating in this area. To see some of the existing capabilities described in this blog come to life, watch the archived presentation for demonstrations of the powerful capabilities that Microsoft identity and security tools enable for your on-premises applications. Learn how you can easily set controls to allow or block access, require a password reset, block legacy authorization, require multifactor authentication, control sessions in real-time, and more.

To learn more about Microsoft Security solutions visit our website.  Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Modernize secure access for your on-premises resources with Zero Trust appeared first on Microsoft Security.

Running code in the context of iOS Kernel: Part I + LPE POC on iOS 13.7

Running code in the context of iOS Kernel: Part I + LPE POC on iOS 13.7

Abstract.  Due to its popularity, iOS has attracted the attention of a large number of security researchers.  Apple is constantly improving iOS security, develops and adapts new mitigations at a rapid pace. In terms of the effectiveness of mitigation measures, Apple increases the complexity of hacking iOS devices making it one of the hardest platforms to hack, however, it is not yet sufficient to block skilled individuals and well-funded groups from achieving remote code execution with elevated permissions, and persistence on the device.

This blog post is the first of multiple in a series of achieving elevated privileges on iOS. 

This series of posts will go all the way until privileged access is obtained, the userspace exploit, as well as persistence on the device following a reboot. The full reports are currently available to iOS Threat Intelligence subscribers of ZecOps Mobile Threat Intelligence.

We will cover in detail how chaining a few bugs leads us to run code in the context of iOS kernel. Chaining such bugs with other exploits (e.g. the iOS MailDemon vulnerability, or other webkit based bugs) allow to gain full remote control over iOS devices.

This exploit was obtained as part of ZecOps Reverse Bounty, and donated to FreeTheSandbox initiative.

Freethesandbox.org – Free The Sandbox restrictions from iOS & Android devices

We would like to thank @08Tc3wBB for participating in ZecOps Reverse Bounty, and everyone else that helped in this project. We would also like to thank the Apple Security team for fixing these bugs and preventing further abuse of these bugs in up to date versions of iOS.

As we’re planning to release the additional blogs, we are already releasing a full Local Privilege Escalation chain that works on iOS 13.7 and earlier versions on both PAC and non-PAC devices.

We are making this release fully open-source for transparency. We believe that it is the best outcome to improve iOS research and platform security.

You may access the source here: https://github.com/ZecOps/FreeTheSandbox_LPE_POC_13.7

The Vulnerabilities – Part I

AppleAVE2 is a graphics IOKit driver that runs in kernel space and exists only on iOS and just like many other iOS-exclusive drivers, it’s not open-source and most of the symbols have been removed. 

The driver cant be accessed from the default app sandbox environment, which reduces the chances of thorough analysis by Apple engineers or other researchers. The old implementation of this driver seems like a good attack surface and the following events demonstrate this well. 

iOS Threat Intelligence

Back in 2017,  7 vulnerabilities were exposed in the same driver, by Adam Donenfeld of the Zimperium zLabs Team,

From the description of these vulnerabilities, some remain attractive even today, while powerful mitigations like PAC (for iPhones/iPads with A12 and above) and zone_require (iOS 13 and above) are present, arbitrary memory manipulation vulnerabilities such as CVE-2017-6997, CVE-2017-6999 play a far greater role than execution hijacking type, have great potential when used in chain with various information leakage vulnerabilities.

Despite the fact that these vulnerabilities have CVEs, which generally indicating that they have been fixed, Apple previously failed to fix bugs in one go and even bug regressions. With that in-mind, let’s commence our journey to hunt the next AVE vulnerability! 

We will start off from the user-kernel data interaction interface:

user-kernel data

AppleAVE2 exposes 9 (index 0-8) methods via rewriting IOUserClient::externalMethod:

Two exposed methods (index 0 and 1) allow to add or remove clientbuf(s), by the FIFO order.

The rest of the methods (index 3-8) are all eventually calling AppleAVE2Driver::SetSessionSettings through IOCommandGate to ensure thread-safe and avoid racing.

 *1 Overlapping Segment Attack against dyld to achieve untethered jailbreak, first appearance in iOS 6 jailbreak tool — evasi0n, then similar approach shown on every public jailbreak, until after Pangu9, Apple seems finally eradicated the issue.
*2  Apple accidentally re-introduces previously fixed security flaw in a newer version.

We mainly use method at index 7 to encode a clientbuf, which basically means to load many IOSurfaces via IDs provided from userland, and use method at index 6 to trigger trigger the multiple security flaws located inside AppleAVE2Driver::SetSessionSettings.

The following chart entails a relationship map between salient objects:

clientbuf is memory buffer allocated via IOMalloc, with quite significant size (0x29B98 in iOS 13.2).

Every clientbuf objext thats is being added contains pointers to the front and back, forming a double-linked list, so that the AppleAVE2Driver’s instance stores only the first clientbuf pointer.

The clientbuf contains multiple MEMORY_INFO structures. When user-space provides IOSurface, an iosurfaceinfo_buf will be allocated and then used to fill these structures.

iosurfaceinfo_buf contains a pointer to AppleAVE, as well as variables related to mapping from user-space to kernel-space.

As part of the clientbuf structure, the content of these InitInfo_block(s) is copied from user-controlled memory through IOSurface, this happens when the user first time calls another exposed method(At index 7) after adding a new clientbuf.

m_DPB is related to arbitrary memory reading primitive which will be explained later in this post.

Brief Introduction to IOSurface

In case if you are not familiar with IOSurface, read the below:

According to Apple’s description IOSurface is used for sharing hardware-accelerated buffer data ( for framebuffers and textures) more efficiently across multiple processes.

Unlike AppleAVE, an IOSurface object can be easily created by any userland process (using IOSurfaceRootUserClient). When creating an IOSurface object you will get a 32 bit long Surface ID number for indexing purposes in the kernel so that the kernel will be able to map the userspace memory associated with the object into kernel space.  

Now with these concepts in mind let’s talk about the AppleAVE vulnerabilities. 

The First Vulnerability (iOS 12.0 – iOS 13.1.3)

The first AppleAVE vulnerability has given CVE-2019-8795 and together with other two vulnerabilities — A Kernel Info-Leak(CVE-2019-8794) that simply defeats KASLR, and a Sandbox-Escape(CVE-2019-8797) that’s necessary to access AppleAVE, created an exploit chain on iOS 12 that was able to jailbreak the device. That’s until the final release of iOS 13, which  destroyed the Sandbox-Escape by applying sandbox rules to the vulnerable process and preventing it from accessing AppleAVE, So the sandbox escape was replaced with another sandbox escape vulnerability that was discussed before. 

The first AppleAVE vulnerability was eventually fixed after the update of iOS 13.2.

Here is a quick description about it and for more detailed-write up you can look at a previous writeup.

When a user releases a clientbuf, it will go through every MEMORY_INFO that the clientbuf contains and will attempt to unmap and release related memory resources.

The security flaw is quite obvious if you compare to how Apple fixed it:

The unfixed version has defect code due to an  out-of-bounds access that allows an attacker to hijack kernel code execution in regular and PAC-enabled devices. This flaw can also become an arbitrary memory release primitive via the operator delete. and back then, before Apple fixed zone_require flaw on iOS 13.6, that was enough to achieve jailbreak on the latest iOS device.

The POC released today is just an initial version that will allow others to take it further. The POC shares basic analytics data with ZecOps to find additional vulnerabilities and help further secure iOS – this option can be disabled in the source.

In the next posts we’ll cover:

  • Additional vulnerabilities in the kernel
  • Exploiting these vulnerabilities
  • User-space vulnerabilities
  • The ultimate persistence mechanism that is likely to never be patched

Oregon County Hit by Ransomware Attack

Oregon County Hit by Ransomware Attack

An Oregon county hit by wildfires and a fall surge in Covid-19 cases is now dealing with the fallout from a cyber-attack.

Jackson County's website is currently down following a recent ransomware attack on the county's web-hosting service provider, Managed.com. The company took down all its servers on Monday after reportedly becoming the latest target of REvil. 

status update issued by Managed.com on November 19 said: "On Nov. 16, the Managed.com environment was attacked by a coordinated ransomware campaign. To ensure the integrity of our customers’ data, the limited number of impacted sites were immediately taken offline. Upon further investigation and out of an abundance of caution, we took down our entire system to ensure further customer sites were not compromised. 

"Our Technology and Information Security teams are working diligently to eliminate the threat and restore our customers to full capacity. Our first priority is the safety and security of your data. We are working directly with law enforcement agencies to identify the entities involved in this attack. As more information is available, we will communicate directly with you."

With Jackson County’s regular website, jacksoncountyor.org, still inoperable, the county has established an alternate page, jacksoncounty.org, to allow the public to access key links on property taxes, 2020 election results, marriage applications, and public virtual meetings of the county Board of Commissioners during the outage.

On November 17, the county tweeted: "The Managed.com outage is still affecting our main public website. Internal county systems and data are not affected. Key online services remain available at jacksoncounty.org. No ETA yet to restore full public website. Thanks for your patience."

The attack on their service provider couldn't have come at a worse time for Jackson County. In addition to dealing with a rise in the number of coronavirus cases, the county is also taking the lead on recovery efforts related to what has been one of the most destructive seasons in Oregon's wildfire history. 

Earlier this week, Oregon announced free programs to clear hazardous fire-related debris from residential and business properties, then remove any remaining ash, rubble, burned vehicles, damaged trees, and debris.

Get the free Security Intelligence Handbook from Recorded Future

Graham Cluley Security News is sponsored this week by the folks at Recorded Future. Thanks to the great team there for their support! Security intelligence is an outcomes-centric approach to reducing risk that fuses internal and external threat, security, and business insights across an entire organization. It easily scales up and down to match the … Continue reading "Get the free Security Intelligence Handbook from Recorded Future"

Drupal addressed CVE-2020-13671 Remote Code Execution flaw

Drupal development team has released security updates to address a remote code execution flaw, tracked as CVE-2020-13671.

The Drupal development team has released security updates to fix a remote code execution vulnerability related caused by the failure to properly sanitize the names of uploaded files.

The vulnerability, tracked as CVE-2020-13671, has been classified as critical according to the NIST Common Misuse Scoring System.

The vulnerability could be exploited by an attacker by uploading files with certain types of extensions (phar, php, pl, py, cgi, html, htm, phtml, js, and asp) to the server to achieve remote code execution.

“Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations.” reads the security advisory published by Drupal.

The development team has addressed the flaw in Drupal 7, 8 and 9 with the release of versions 7.74, 8.8.11, 8.9.9, and 9.0.8.

The vulnerability was reported to team by the following experts:

The development team recommends users to check their servers for files that include more than one extension, such as filename.php.txt or filename.html.gif.

In March, the development team released security updates for versions 8.8.x and 8.7.x that fix two XSS vulnerabilities affecting the CKEditor library.

In May they addressed XSS and open redirect flaws, while in June they released security updates to address multiple security vulnerabilities, including a “critical” flaw tracked as CVE-2020-13664 that could be exploited by an attacker to execute arbitrary PHP code.

In September, Drupal maintainers fixed several information disclosure and cross-site scripting (XSS) vulnerabilities in the popular content management system (CMS).

Pierluigi Paganini

(SecurityAffairs – hacking, Drupal)

The post Drupal addressed CVE-2020-13671 Remote Code Execution flaw appeared first on Security Affairs.

Hard Rock Stadium Ups Cybersecurity

Hard Rock Stadium Ups Cybersecurity

The critical infrastructure of a famous Florida sporting and entertainment venue is being protected by a brand-new cybersecurity solution.

Atos and Forescout Technologies today announced a jointly developed solution that allows Miami Gardens' Hard Rock Stadium to offer fans, staff, and spectators a whole new level of cybersecurity.

The joint solution of Forescout’s cloud-based network segmentation solution eyeSegment and Atos’ managed security services used more than 20 real-time monitoring techniques to protect over 7,100 IT, Internet of Things (IoT), and operational technology (OT) devices, including point-of-sale terminals, scoreboards, televisions, visual broadcasting equipment, field microphones, and servers connecting to the network.

It was successfully implemented for the first time over a two-week period in February 2020 to secure and manage the venue's critical infrastructure for Super Bowl LIV.

“The security of our fans and their physical and online environments is of the utmost importance to us. While more than 65,000 fans are excited for touchdowns, most are unaware thousands of technology devices in our stadium’s infrastructure must be protected from malicious intent by threat actors,” said Kim Rometo, vice president and chief information officer, Miami Dolphins and Hard Rock Stadium. 

“With Atos and Forescout we recognized an opportunity to secure Hard Rock Stadium in new and critical ways, effectively creating a defense strategy that protects our operational and informational technology.”

Deploying the new solution has allowed its creators to flag more than 600 security events and secure 400 new OT devices connected to the network for the venue's halftime show. Furthermore, it has allowed over 1,200 point-of-sales devices to be monitored for malicious patterns.

“Stadiums present unique challenges for CIOs as they create strategies to secure their dynamic and highly connected infrastructure,” said Jon Connet, general manager of Network Segmentation at Forescout Technologies. 

“Working with Atos, we provide complete device visibility and network segmentation that together help reduce the attack surface and protect Hard Rock Stadium from today’s cybersecurity threats.”

Karan Chetal, vice president of strategic engagements at Atos, said venues like Hard Rock Stadium were at increasing risk from bad actors. 

She said: "Cyberattacks continue to get more aggressive and the sporting and entertainment industry is a major target for these malicious threats."

#DxPsummit: CISOs Discuss Ransomware Strategies for Recovery and Resistance

#DxPsummit: CISOs Discuss Ransomware Strategies for Recovery and Resistance

Speaking as part of Druva’s Cloud Data Protection Summit, panel moderator and Druva CISO Drew Daniels focused on the theme of cyber-resiliency, specifically on the subject of ransomware and what the role of data protection is in combatting the threat.

Asking the speakers for their perspectives on ransomware detection and recovery, Mike Towers, CISO at Takeda Pharmaceuticals, said he follows a six-point plan of:

  • Risk ranking to be in focus on what cannot go down
  • Have resiliency and test resources
  • Use modern endpoint security and make sure to log everything so you can identify patient zero
  • Maximize threat intelligence feeds
  • Make sure you have targeted visibility
  • Help others in your provider space

Dave Estlick, vice-president and CISO at Chipotle, said another element is how you bring the threat intelligence in and “make it real as a tool for your organization.” He said this can prepare the staff before ransomware hits their vertical, and if people have seen the issue and are trained, they are less likely to fall for the campaign.

Daniels said it is important to be prepared to fail, as actors will try to exploit companies, and it is worth preparing for this. Marshall O’Keefe, corporate technology leader at HED, was asked how data protection can aid ransomware recovery, and he said that there are different systems used for backing up to recover the environment and core systems.

Shaun Marion, CISO at Republic Services, explained that data protection is central, as the attacker is after data no matter whom they are. “I don’t have unlimited funds, so we have got to get hyper focused on how we use those funds and understand where the critical data is, and use the same controls,” he said.

“Some systems are so critical that downtime is unacceptable, and you apply different controls. So from a data protection point of view, if we’re talking about ransomware, it is the same thing – how do I protect that data, as once it is encrypted, do I care? Applying controls is key.”

Jason Lee, CISO at Zoom, said adding protections is vital, and during the pandemic, the CISO has had a larger role as the business needs to know where those assets are and what the backup strategy is. Daniels agreed, saying the CISO is the firefighter, and “often called into action when it is an emergency.”

Asked by Daniels how other ransomware incidents impact a strategy, Lee said he was definitely aware of other incidents, and the issue “is growing and growing and you need to have this challenge as part of your cyber-strategy.” He raised the issue of zero-trust, which should now include all users and endpoints, and not just the firewalls as part of the perimeter.

“Preparedness is key here, so make sure you’re educating your users, and one thing I find [beneficial] now is making sure users are diligent when working from home, as it is easy to let your guard down but phishing emails and ransomware are increasing.”

Free VPNs May Still Come with a Price

Using a VPN on Public WiFi

Free VPNs May Still Come with a Price

If we’re being honest, many of us are consuming a lot of online content these days, whether it be for work, education, or sheer entertainment. I know my family is trying to balance what we need to do online, like meetings and classes, with fun activities like streaming movies, given that we are all spending more time safely at home.

But as a security professional what I’m really concerned about is how we are connecting to all this digital content. There has been a surge in VPN (virtual private network) downloads so far this year, showing that users are concerned about their online privacy, which is a good thing.

As you may know, a personal VPN is simply a piece of software that can establish a secure tunnel over the internet, offering you both privacy and freedom from IP-based tracking. It protects your identity and financial information by encrypting, or scrambling, the data that flows through the tunnel, and can mask your true location, making it appear as though you are connecting from somewhere else.

However, the myriad of VPN options—from free, to paid, to “freemium” (limited products offered on a trial basis for free, hoping customers will invest in more comprehensive, paid versions)—can be confusing and cause some customers to walk away unprotected. This is unfortunate, because here at McAfee we’ve recorded a growing number of network attacks, including targeted attacks against a variety of business and educational enterprises.

These threats mean that we need to do our best to ensure that our sensitive information stays safe, which is why I’d like to take a look at the difference between free VPNs and premium VPNs.

Sometimes a VPN is included in more robust security software, as it is in McAfee® Total Protection, but often it is a standalone tool, that is offered either at a monthly subscription rate, or for free. While it may be tempting to go for a free option, there are some serious considerations that you should take to heart.

Free VPNs – Risky Business

Since free VPNs are not making money directly from their users, many make revenue indirectly, through advertising. This means that not only are users bombarded with ads, they are also exposed to tracking, and potentially malware. In fact, one study of 283 free VPN providers found that 72% included trackers. This is not that surprising, given that advertisers depend on gathering your personal data to better target their ads.

But beyond the frustration of ads, slowness, and upgrade prompts is the fact that some free VPN tools include malware that can put your sensitive information at risk. The same study found that 38% of the free VPN applications in the Google Play Store were found to have malware, such as keyloggers, and some even stole the data off of users’ devices.

Also concerning is how these free providers handle your data. In one worrying incident, a VPN provider exposed thousands of user logs and API access records openly on the web, including passwords and identity information.

Privacy Worth Paying For – Paid VPN Benefits

VPNs are critical tools for enhancing our privacy and shouldn’t be an avenue for potentially opening the door to new risks. That’s why I always advise users to look for a paid VPN with the following features:

Unlimited Bandwidth —You want your network connection to stay secured no matter how much time you spend online.

Speedy Performance—We all know how frustrating a sluggish internet connection can be when you are trying to get things done. Whether connecting for productivity, education, or entertainment, we are all dependent on bandwidth. That’s why it’s important to choose a high-speed VPN that enhances your privacy, without sacrificing the quality of your connection.

 Multiple Device Protection—These days many of us toggle between mobile devices, laptops, and computers, so they should all be able to connect securely.

 Less Battery Drain—Some free mobile VPNs zap your battery life, making users less likely to stay protected. You shouldn’t have to choose between your battery life and safeguarding your privacy.

 Ease of Use— As I’ve written recently, for technology to really work it has to be convenient. After all, these technologies should power your connected life, not serve as a hindrance.

Fortunately, we don’t have to sacrifice convenience, or pay high prices, for a VPN that can offer a high level of privacy and protection. A comprehensive security suite like McAfee Total Protection includes our McAfee® Safe Connect standalone VPN with auto-renewal and takes the worry out of connecting, so you can focus on what’s important to you and your family, and enjoy quality time together.

Stay Updated

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home  on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Free VPNs May Still Come with a Price appeared first on McAfee Blogs.

Raytheon Employee Jailed for Exporting Missile Data to China

Raytheon Employee Jailed for Exporting Missile Data to China

A former Raytheon employee has been imprisoned in the United States for exporting sensitive military data from America to the People's Republic of China. 

Chinese national Wei Sun was employed in Tucson, Arizona, as an electrical engineer with Raytheon Missiles and Defense for 10 years. In February 2020, the 49-year-old pled guilty to violating the Arms Export Control Act (AECA) by taking a company-issued laptop containing sensitive information to China during a vacation.  

Raytheon Missiles and Defense, one of four business segments of American multinational Raytheon Technologies, develops and produces missile systems for use by the United States military.

During his 10-year tenure with the company, naturalized United States citizen Sun had access to information directly related to defense-related technology. 

"Some of this defense technical information constituted what is defined as 'defense articles,' which are controlled and prohibited from export without a license under the AECA and the International Traffic in Arms Regulations (the ITAR)," said the US Department of Justice. 

Sun took a personal trip to the PRC in December 2018, returning to the United States in January 2019. On that winter holiday, Sun brought unclassified technical information in his computer, including data associated with an advanced missile guidance system that was controlled and regulated under the AECA and the ITAR. 

"Despite having been trained to handle these materials correctly, Sun knowingly transported the information to China without an export license in violation of the AECA and the ITAR," said the DOJ. 

The assistant director of the FBI's Counterintelligence Division, Alan Kohler, Jr., said Sun's transportation of sensitive military data to China was no accident. 

“This isn’t about a laptop mistakenly taken on a trip, this was the illegal export of US missile technology to China,” said Kohler.

“The FBI will continue to partner with companies to protect their information and our national security while bringing criminals such as Wei Sun to justice.”

On November 18, District Court Judge Rosemary Marquez sentenced the former engineer to 38 months in prison.

“Sun was a highly skilled engineer entrusted with sensitive missile technology that he knew he could not legally transfer to hostile hands,” said Assistant Attorney General John Demers.

"Today’s sentence should stand as a warning to others who might be tempted similarly to put the nation’s security at risk.”

IoT Cybersecurity Improvement Act Passed, Heads to President’s Desk

Security experts praised the newly approved IoT law as a step in the right direction for insecure connected federal devices.

HMRC Records 73% Growth in Email Phishing Attacks During #COVID19

HMRC Records 73% Growth in Email Phishing Attacks During #COVID19

The UK’s HMRC detected a 73% rise in email phishing attacks in the six months that the COVID-19 pandemic struck the country, according to official data obtained following a FOI request by accountancy firm Lanop Outsourcing.

It revealed that from March to September 2020, there was an average of 45,046 email attacks per month in the UK. This compares to an average of 26,100 in the two months preceding the introduction of COVID-19 lockdown measures, in January and February. In total, HMRC revealed it had received 367,520 reports of phishing email attacks during 2020 up to September.

During the six months since the start of lockdown, September had the largest monthly quantity, at 57,801 cases, while August experienced the lowest, at 38,096.

Additionally, HMRC reported 199,621 cases of phone scams and 58,921 SMS referrals during this period. Interestingly, phone and text scams were at their lowest point in the first full month of lockdown, in April, with 425 and 2515 cases reported, respectively. This could be due to cyber-criminals focusing on email phishing attacks to take advantage of the shift to home working at this time.

Phone and SMS scams began to grow again when lockdown restrictions were first lifted in the UK in June, with phone scams steadily rising to reach a peak of 46,015 in September.

Steve Peake, UK systems engineer manager, Barracuda Networks, commented: “Interestingly, Barracuda’s own data recently unveiled a similar pattern of cyber-attacks facing regular businesses, with our researchers observing a 667% spike in spear-phishing attacks from February to March, as a direct result of coronavirus. Similarly, other sectors, such as education, have also observed an upward trend of COVID-19 related phishing attacks during our battle against the virus.

“As the pandemic continues, businesses must anticipate COVID-19 themed attacks to increase in quantity. It’s also worth noting that cyber-attacks and scams aren’t just contained to email messages, SMS-based phishing attacks, or ‘Smishing,’ and fraudulent phone calls also pose a serious threat to consumers, workers and the general public.”

Mohammad Sohaib, director at Lanop Outsourcing, added: “Cyber-criminals have not missed a trick when it comes to using the devastating coronavirus to lure unknowing victims into leaking their own private information, such as passwords and payment details, via a phishing scam.

“In one such example, scammers impersonated HMRC to trick business owners into believing that their VAT deferral application, a key government support initiative during the pandemic, had been rejected. They would then redirect victims to a website with official HMRC branding, before stealing credit card details.”

Last month it was revealed that HMRC recorded 521,582 malicious emails between June and September.

IT and OT Cybersecurity: United We Stand, Divided We Fall

I was intrigued to learn that certain coyotes and badgers team up while hunting. If the prey runs fast, the coyote takes the lead. If the prey dives underground, it’s the badger’s department.

IT and OT can take note. They share a common enemy: cyberattacks targeting the industrial networks that connect Internet of Things (IoT) sensors and industrial control systems (ICS) that control valves, boilers, breakers, motors, robots and everything else that makes industrial operations safe and efficient.

But where the coyote-badger partnership is helpful but not necessary, I’ll argue that the IT-OT collaboration is mandatory for securing industrial networks. Without a partnership with OT, IT will fail.

Why IT can’t do it alone

I’ll explain with an example. Say the network carries a message modifying a controller configuration. The message could be legitimate. Then again, it could be an attack designed to raise boiler temperature to dangerous levels, make a robot go berserk, or open a valve to release toxic chemicals into the environment. To respond appropriately, IT needs input from OT. What signs indicate a modified configuration is malicious? If the message snuck through defenses, should the assets be quarantined? Is there a better way to contain the attack without putting the rest of the process at risk?

Making the case to OT        

Many OT teams hang a “keep out” sign on their network, so be prepared to make a case for collaboration. Fortunately, you can offer a powerful incentive. That is, the information that IT needs will also help OT maximize uptime, production output, and safety.

The collaborative process can be summarized as “identify to protect, then detect.” This approach is generally agreeable to both IT and OT. It’s what NIST describes in Framework for Improving Critical Infrastructure Cybersecurity, and what the International Society of Automation (ISA) recommends in ISA99/IEC62443.

A framework for collaboration

The first step is “identify to protect.” If you don’t know what’s connected to the network, you’ll operate in the dark. Start by building a complete inventory of everything connected to the industrial network, noting how critical each asset is to the business.

Next, IT and OT work together to group assets into zones and conduits that contain attacks. Industrial firewalls like the Cisco ISA 3000 industrial security appliance comply with OT requirements and don’t require IT to learn a new interface. IT manages the ISA 3000 using the same software they already use for other Cisco Firepower firewalls.

When assets are grouped, IT can start building the appropriate security policies. The pre-work helps to focus threat detection on what really matters.

Cisco Cyber Vision simplifies the collaborative workflow I just described. For OT teams, Cyber Vision is an easy way to group assets into zones and to define the normal state for various parts of the network. This gives IT the context to build security policies, identify anomalous behaviors, and respond to threats in a way that doesn’t disrupt critical processes.

When anomalies are detected, Cyber Vision alerts both teams. IT responds by investigating and mitigating the attack, and OT responds by making adjustments to keep production going. As a side benefit, Cyber Vision gives OT the operational insights to improve production efficiency.

Cyber Vision shares all OT asset information and events with existing IT security platforms. Using products like Cisco SecureX, IT can investigate and remediate threats across both the IT and OT domains and build a truly converged IT/OT security strategy.

Where partnership is optional for the coyote and badger, it’s a must-have for IT and OT teams working to secure industrial networks. OT shares its knowledge of connected devices and industrial processes, and IT applies its cybersecurity expertise to detect and mitigate threats. Neither team can succeed without the other.

To learn more about how this collaborative workflow will enable you to build a converged IT/OT security strategy, I invite you to check out our new white paper by clicking here.

Want to get the latest news on IoT security? Subscribe to the Cisco IoT Security Newsletter.

What are your hopes and concerns for converged IT/OT cybersecurity? Please share in the comments below.

ISE 3.0 Dynamic Visibility: Step into zero trust for the workplace

Within our Cisco Identity Service Engine (ISE) 3.0 release, we started talking about dynamic visibility. But what is dynamic visibility, what are the benefits, and why should we care? Maybe we should begin with what it is not. Dynamic visibility is not assuming trust based on location. It is not authenticating or establishing trust, based solely on login credentials or a single device identifier such as MAC address. Dynamic visibility has context that can be updated from the cloud and throughout the session to keep up with threats. As your endpoint’s posture and risk levels are updated, so are their access policies. Dynamic visibility recognizes that authorization does not happen just once. It is continual and re-accomplished at multiple decision points throughout the network to enforce trust closest to the resource and maintain a zero-trust framework.

What are the benefits of dynamic visibility?

Build zero trust: If your endpoints are not continually analyzed with analytics to build and maintain trust, based on several identifiers regardless of location—you are not doing zero trust within the workplace. Dynamic visibility gives you visibility into the endpoint’s identity to continually authorize access based on “least privilege” and to maintain access based on trust levels that may change throughout the session. With visibility that is dynamic, you can reduce mean time to remediation, automate threat containment, and build zero trust within the workplace.

Continual compliance: Compliance is not a set it and forget strategy. Our compliance policies are a framework, but what accesses them is not static. We need the ability to continually update access based on the endpoint’s posture and look deep into the device itself. If not, we risk falling out of compliance without ever knowing until it is too late.

Gain granular control: With this level of visibility, organizations can gain granular control to build and implement access policies based on their organizational needs, enabling network segmentation and shrinking the attack surface within zones of trusted access.

Be all-knowing: Identify, track, and profile all connected endpoints, whether managed or unmanaged and without agents to provide accurate asset inventories and gain the visibility required for granular control.

There are many reasons why we need to focus on dynamic visibility. But it comes down to two big “macro-trends” that are themselves dynamic. One, threat actors are dynamic. They are continually evolving, and dynamic visibility gives you the continual assurance that the endpoint is still who they said they are and behaving the way they are supposed to, allowing you to keep up with the changing threat landscape. And two, access is dynamic. With people, processes, applications, and data spread across the distributed network, we access everything from anywhere and on anything. We need the ability to extend our networks to anywhere and allow users to connect on anything to enable this transition. Dynamic visibility is the first step to extending the zero-trust workplace. But we all know that the most significant barrier to change is the ease of use. So, we need to make obtaining dynamic visibility easy and simple. So, within the ISE 3.0 release, we fixated on simplicity and ease of use.

Three ways 3.0 is simplifying visibility and zero trust

Agentless posture: In ISE 3.0, our focus on simplicity extended into our core value to build visibility and maintain access control within a zero-trust framework. With this in mind, we added agentless posture for compliance. Now IT teams have the flexibility they need to rapidly provision new users, devices, and endpoints no matter where they are without sacrificing protection.

Integration with AI Endpoint Analytics: ISE 3.0 closes the gaps of visibility into endpoints with additional visibility from AI Endpoint Analytics and DNA Center. With this integration, customers can now leverage machine learning to automate endpoints’ identification and ensure access based on privilege, a critical tenant of zero trust. Read how Adventist Health identified 70% of all endpoints.

Moving onto the cloud: Where and how customers consume their security and build identity has evolved, and to lead in this transition, ISE 3.0 is deployable from the cloud (AWS and Azure). We are also increasing our integration with cloud-based ID stores with SSO (single sign-on) to work with Azure AD. This is just the start of how we are going to enable the multi-cloud migration.

We are always on the quest for more visibility within our environments. But it is just not about the quantity or getting more; it is about getting the right visibility and asking, “What do we need to know to allow access based on least privilege?” And since we need to always assume threats continue to exist, assume that they get in. How do we re-authenticate and re-authorize based on continual learning throughout the session that will enable us to keep up in the arms race that fuels the malware economy? Because risk does not stop when access is granted, endpoints can be infected at any time, even within your walls. We must have visibility that is dynamic to authenticate based on more than one parameter. With this level of visibility, we can confidently identify and profile all of our endpoints. But we must also authorize access based on context to ensure that no matter where the endpoint is, we are continually establishing and re-establishing trust. And with this level of visibility, we can build network segmentation and zero trust in our workplace. But that discussion is for another time and another blog.

To learn more about ISE 3.0, take a look at What’s New in 3.0, At-a-Glance, or visit our ISE product page.


IAM-Driven Biometrics: The Security Issues with Biometric Identity and Access Management (IAM)

The increase of cybersecurity incidents brings along a higher demand for enhanced security protections. Thus, in the attempt of preventing unauthorized third parties from accessing their accounts and sensitive data, companies are increasingly turning to biometric authentication. Contemporary Identity and Access Management (IAM) technologies have moved beyond basic login methods based on usernames and passwords. […]

The post IAM-Driven Biometrics: The Security Issues with Biometric Identity and Access Management (IAM) appeared first on Heimdal Security Blog.

Payment Security in India: 2020 India Forum

As Associate Director for India, Nitin Bhatnagar is responsible for driving awareness and adoption of PCI Security Standards in the country. Bhatnagar works closely with merchants, acquirers, financial institutions, security practitioners, law enforcement and other key stakeholders across the Indian payment ecosystem. Here he discusses payment security challenges and opportunities in India and the second annual PCI SSC India Forum  planned for 9 December online

Hackers are using Google services to bypass email defence, researchers warn

Threat actors are increasingly using Google services such as Forms, Firebase and Sites to get around email defences that look for suspicious code and URLs, security vendor Armorblox has warned.

In a blog released this morning, the company said infosec pros need to tailor their strategies to prepare for these deceptions, especially if their organization uses free Gmail or GSuite.

Here are several examples of attackers’ tactics Armorblox has seen:

  • An email claims to come from a company’s IT team and asks readers to review a secure message their colleagues had shared over Microsoft Teams. Clicking the link takes victims to a page resembling Microsoft Teams, which then when to a credential phishing site resembling the Office 365 login portal.
  • The Office 365 login portal was hosted on Google Sites, a wiki and web page creation tool. Victims may be fooled by the legitimacy of the page’s domain, which starts “sites.google.com.”
  • An email impersonating an organization’s payroll team goes to named employees with payslip details, asking them to click on a link and check if their personal information for the payslip is accurate. As an extra pressure tactic, the message asks victims to check before 5 p.m.
  • The link in the email leads to a page hosted on Google Docs. Since Google Docs is commonly used, some people might not be surprised to see a Google Docs link in an email from a colleague.
  • An email pretending to be from an organization’s security team with an email tells victims they haven’t received some ‘vital’ emails because of a storage quota issue. The message includes a link for readers to verify their information and resume email delivery.

The email link leads to a fake login page hosted on Firebase, Google’s mobile platform that enables users to create apps, host files and images, and serve user-generated content. The parent URL of the fake page – https://firebasestorage.googleapis.com – won’t be blocked by any security filters. The login screen for capturing credentials has the email address of the victim pre-entered into the first field.

Some of these tactics won’t fool a sharp-eyed — and well-trained — person if certain defences are in place. For example, if the corporate email is set up to brand messages as coming from an external (outside the company) source, then staff should realize a message purportedly coming from a colleague or another company department must be malicious.

Still, Armorblox recommends infosec staff, if they haven’t already done so to implement multifactor authentication for email accounts and have staff use an approved password manager, making sure staff don’t use common and insecure passwords; train staff to be careful with emails related to money and data and make sure all existing email security capabilities are enabled. Some security vendors may have products that can spot Google service abuse.

The post Hackers are using Google services to bypass email defence, researchers warn first appeared on IT World Canada.

The US Military Buys Commercial Location Data

Vice has a long article about how the US military buys commercial location data worldwide.

The U.S. military is buying the granular movement data of people around the world, harvested from innocuous-seeming apps, Motherboard has learned. The most popular app among a group Motherboard analyzed connected to this sort of data sale is a Muslim prayer and Quran app that has more than 98 million downloads worldwide. Others include a Muslim dating app, a popular Craigslist app, an app for following storms, and a “level” app that can be used to help, for example, install shelves in a bedroom.

This isn’t new, this isn’t just data of non-US citizens, and this isn’t the US military. We have lots of instances where the government buys data that it cannot legally collect itself.

Some app developers Motherboard spoke to were not aware who their users’ location data ends up with, and even if a user examines an app’s privacy policy, they may not ultimately realize how many different industries, companies, or government agencies are buying some of their most sensitive data. U.S. law enforcement purchase of such information has raised questions about authorities buying their way to location data that may ordinarily require a warrant to access. But the USSOCOM contract and additional reporting is the first evidence that U.S. location data purchases have extended from law enforcement to military agencies.

We infiltrated an IRC botnet. Here’s what we found

The CyberNews.com Investigation team carried out an infiltration operation against an IRC botnet and reported it to CERT Vietnam to help take it down.

Original post @ https://cybernews.com/security/we-infiltrated-an-irc-botnet-heres-what-we-found/

In order to gather valuable information about the IRC botnet’s activity, we joined its Command and Control channel where we met the botmaster who was responsible for running the entire network of compromised systems. We also used this infiltration opportunity to learn the botmaster’s motives and the possible purpose of the IRC botnet. 

What follows is a story of how we managed to detect an attempt to infect one of our systems, and how our curiosity led us to an unlikely interview with the botmaster of a rare, dying breed of a botnet. 

Here’s how it all happened.

About this investigation

To conduct this investigation, a CyberNews researcher infiltrated an IRC botnet that we captured in one of our honeypots. By conversing with the botmaster, the researcher attempted to find out what the IRC botnet is being used for, as well as whether the cybercriminals who were controlling it were involved in other activities. 

After interviewing the botmaster, the researcher reported the botnet to CERT, so they could close down the command and control server of the botnet.

How we found the IRC botnet

Infiltrating a cybercriminal operation can provide valuable data about different types of malicious activities, including DDoS attacks, malware distribution, and more. That’s why our researchers use multiple cyberattack detection strategies and are always on the lookout for possible interception and infiltration opportunities.

This September, one such opportunity presented itself to one of our researchers.

Our honeypot setup

In cybersecurity terms, a honeypot is a decoy service or system that poses as a target for malicious actors. When targeted by a threat actor, the honeypot system uses their intrusion attempt to gain valuable information about the attacker.

In order to capture malware and monitor cyberattacks across the internet in real-time, we run multiple honeypot systems that are contained in isolated execution environments, otherwise known as containers. One of the honeypot systems that we run in a container is a Cowrie honeypot, which is designed to detect and log brute force attacks as well as shell interactions (attempts by a threat actor to create a malicious communications tunnel between them and the compromised machine) that are carried out by an attacker or an attacker’s script.

Initial detection: Someone is trying to infect us

In late September, we noticed an attempt to download a malicious file on one of the machines connected to our Cowrie honeypot:

The malicious file contained a Perl script that was designed to infect the host machine and allow the attacker to execute remote commands on the system. 

We investigated the file and determined that the malicious program used by the attackers was likely created back in 2012 by the w0rmer Security Team, a now seemingly defunct hacker team that was linked to the infamous hacktivist group Anonymous.

While investigating the script, we learned that this malicious program is used to recruit the host machine into an IRC botnet. This really piqued our interest, because IRC botnets, while relatively widespread in the past, are considered a rarity in 2020. They’re relatively easy to take down and there are far larger botnets powered by newer technologies such as the Internet of Things (IoT).

A vintage botnet, rarely seen in the wild

By further analyzing the code, we observed that the malicious program was able to carry out DDoS attacks over UDP, TCP, HTTP, and other protocols and to execute commands that all pointed towards the program being used for distributed denial of service (DDoS) campaigns:

We could also identify the IP address and port number of the botnet’s Command and Control server, as well as the botmaster’s nicknames and the IRC channel that was used to control the bots. 

This led us to believe that we have just encountered an IRC botnet – an old, dying breed of botnets rarely encountered in this age of massive networks of infected IoT devices.

Internet Relay Chat (IRC) networks use simple, low bandwidth communication methods. This makes them suitable for hosting centralized servers that can be used to remotely control massive collections of infected machines (called ‘zombies’ or ‘bots’). These collections of infected bots controlled over IRC channels are called IRC botnets and are still used by cybercriminals to spread malware and carry out small-scale DDoS attacks.

Reconnaissance: Joining the botmaster’s IRC channel

With the acquired information in hand, we jumped at the opportunity to carry out reconnaissance. We wanted to find out as much as we could about this vintage botnet and the cybercriminals behind it. Once we had collected enough data to bring the botnet down, we would report everything we discovered to the appropriate authorities. 

Our researcher began reconnaissance by connecting to the IRC server address found in the malicious file to see whether the botnet server was still active. 

It was:

Excited by this discovery, the researcher joined the IRC channel that was used for communication between the bots and the botmaster. What they found was a functioning IRC botnet with no less than 137 compromised systems. Most of the zombies were named “lol-XXXX” and were currently connected to the botnet’s Command and Control center, with 241 bots being the maximum number for this particular botnet:

An IRC botnet

This meant that the IRC botnet was not very significant in scale, and could in all likelihood only be used to carry out minor DDoS attacks or commit other, relatively small-scale malicious acts. 

As we continued to observe the botnet over the next several days, the number of bots kept fluctuating. It was, however, decreasing over time.

The interview: Striking a conversation with the botmaster

Before taking action against the IRC botnet, we wanted to ascertain the botmaster’s motives: why were they operating this botnet? Did they run any other criminal operations as well?

Also, we needed to know what exactly the botnet was being used for. To get these answers, our researcher (BLUE) initiated a conversation with the botmaster (RED) on the IRC channel. 

Graphical user interface, text  Description automatically generated

After a brief back-and-forth, the botmaster invited the researcher to move to Discord, presumably thinking that the researcher was a fellow cybercriminal. 

As soon as the researcher entered the botmaster’s Discord channel, they noticed that it was populated by four users who were previously informed that our researcher had entered the botnet IRC server. 

Text  Description automatically generated

Not only that, but the botmaster also apparently already knew that their malicious activity was captured on a honeypot, since honeypots are widely used to detect such botnets.

Graphical user interface, text  Description automatically generated

Soon after, the botmaster expressed frustration with people (they used a far less charitable term) frequently stumbling upon their IRC server. They went on to state that they usually dealt with such intruders by carrying out DDoS attacks against them.

Testing, backdoors, and money

After a bit of relatively inconsequential chat, the researcher began to gently interrogate the botmaster about the purpose of the IRC botnet. The botmaster provided several answers, claiming to use the network for DDoS attacks, as well as “testing,” “backdoors,” and “money.”

While we can only speculate as to the true purpose of this relatively small and very old-school IRC botnet, the botmaster was likely using it to conduct malware tests or experiment with planting and executing various exploits on compromised systems.

An infamous cybercriminal and an aspiring YouTuber?

As the interview went on, the botmaster’s ego appeared to be growing bigger with each subsequent question. Late into the conversation, they claimed to have operated a botnet that spanned a whopping 100,000 (!) IoT devices, a very large botnet by today’s standards. With a botnet this big, they would be able to carry out large-scale DDoS attacks and launch massive spam campaigns.

And the bragging didn’t stop there. The botmaster then went on to claim to be the criminal mastermind behind the infamous DynDNS attack, the massive cyberattack that brought down countless websites across the US and Europe, including the likes of Twitter, Reddit, Netflix, CNN, and many others back in 2016.

This kind of shameless bravado is particularly common among cybercriminals. Needless to say, the botmaster did not provide any proof for their claim when asked to do so.

When asked about their current activities, the botmaster claimed to be accumulating networks of compromised devices and selling them off for $3000 to other cybercriminals. 

This time, the botmaster even provided proof in the form of a promotional video. Upon further investigation, the researcher discovered more videos on the botmaster’s YouTube channel, featuring multiple ads of botnets for sale.

According to the botmaster, these botnets vary from 100 Gbps to 300 Gbps. Gigabits per second (Gbps) is used to measure a botnet’s size and memory or bandwidth capacity – the bigger the bandwidth, the bigger the DDoS attacks the botnet can carry out. The botnets advertised by the cybercriminal would have enough bandwidth to launch medium-scale targeted DDoS attacks that could cripple various online services.

Finally, the botmaster claimed that they had 7,000 compromised IoT devices/bots in their current botnet, and that the IRC botnet found by the researcher was only used for testing.

An abrupt ending

As far as conversations with cybercriminals go, this one was going quite well, and it was then that we decided to try our luck and ask the botmaster for an official interview that we would conduct anonymously. This would allow us to dig deeper into the botmaster’s motives and perhaps gain more valuable insights into their other operations.

Unfortunately, as soon as our researcher revealed his professional identity and made his request, the botmaster promptly declined and went radio silent.

Our only option from that point on was to report the IRC botnet to CERT in Vietnam, where the Command and Control server of the botnet was apparently located. We informed CERT Vietnam about the botnet on October 26, and the country’s computer emergency response team is currently working to shut down the botmaster’s Command and Control server.

Original post available at https://cybernews.com/security/we-infiltrated-an-irc-botnet-heres-what-we-found/

Pierluigi Paganini

(SecurityAffairs – hacking, IRC botnet)

The post We infiltrated an IRC botnet. Here’s what we found appeared first on Security Affairs.

WARNING: Unpatched Bug in GO SMS Pro App Exposes Millions of Media Messages

GO SMS Pro, a popular messaging app for Android with over 100 million installs, has been found to have an unpatched security flaw that publicly exposes media transferred between users, including private voice messages, photos, and videos. "This means any sensitive media shared between users of this messenger app is at risk of being compromised by an unauthenticated attacker or curious user,"

UN and Europol Warn of Growing AI Cyber-Threat

UN and Europol Warn of Growing AI Cyber-Threat

Cyber-criminals are just getting started with their malicious targeting and abuse of artificial intelligence (AI), according to a new report from Europol and the UN.

Compiled with help from Trend Micro, the Malicious Uses and Abuses of Artificial Intelligence report predicts AI will in the future be used as both attack vector and attack surface.

In effect, that means cyber-criminals are looking for ways to use AI tools in attacks, but also methods via which to compromise or sabotage existing AI systems, like those used in image and voice recognition and malware detection.

The report warned that, while deepfakes are the most talked about malicious use of AI, there are many other use cases which could be under development.

These include machine learning or AI systems designed to produce highly convincing and customized social engineering content at scale, or perhaps to automatically identify the high-value systems and data in a compromised network that should be exfiltrated.

AI-supported ransomware attacks might feature intelligent targeting and evasion, and self-propagation at high speed to cripple victim networks before they’ve had a chance to react, the report argued.

By finding blind spots in detection methods, such algorithms can also highlight where attackers can hide safe from discovery.

“AI promises the world greater efficiency, automation and autonomy. At a time where the public is getting increasingly concerned about the possible misuse of AI, we have to be transparent about the threats, but also look into the potential benefits from AI technology.” said Edvardas Šileris, head of Europol’s Cybercrime Center.

“This report will help us not only to anticipate possible malicious uses and abuses of AI, but also to prevent and mitigate those threats proactively. This is how we can unlock the potential AI holds and benefit from the positive use of AI systems.”

To that end, the paper highlights multiple areas where industry and law enforcement can come together to pre-empt the risks highlighted earlier. These include the development of AI as a crime-fighting tool and new ways to build resilience into existing AI systems to mitigate the threat of sabotage.

Cybercriminals Batter Automakers With Ransomware, IP Theft Cyberattacks

While the industry focus is on vehicle hacking, when it comes to the automotive industry cybercriminals are opting for less complex and sophisticated attacks - from phishing to ransomware.

Egregor Ransomware Attack Hijacks Printers to Spit Out Ransom Notes

So, you’re a ransomware gang and you want to ensure that you have caught the attention of your latest corporate victim. You could simply drop your ransom note onto the desktop of infected computers, informing the firm that their files have been encrypted. Too dull? You could lock infected PCs and display a ghoulish skull […]… Read More

The post Egregor Ransomware Attack Hijacks Printers to Spit Out Ransom Notes appeared first on The State of Security.

MoD Receives Funding Boost and Confirms Increase in Cyber-Spending

MoD Receives Funding Boost and Confirms Increase in Cyber-Spending

The UK government has dedicated an extra £16.5bn to defense spending which will see a heavy investment in cybersecurity defense and offensive capabilities.

The Ministry of Defence has been given a four-year funding settlement, which includes a 10% increase in its annual £40bn budget – despite other government departments having a single-year settlement due to the COVID-19 impact.

According to BBC News, Prime Minister Boris Johnson said on Wednesday evening that he was making the announcement “in the teeth” of the pandemic because “the defense of the realm must come first.”

Speaking to BBC Radio 4’s The Today Show, defense minister Ben Wallace said there was a need to modernize and invest in defending new domains that pose a threat to our way of life. This includes cyber “as our adversaries are investing heavily and [they] are using what we would call the sub threshold to constantly attack us, and we need to make sure we defend against that.”

Also, £1.5bn of the budget will go on creating a national cyber-force and will provide the option “to launch offensive cyber-weapons against our adversaries, or against other areas that currently pose a threat.” Wallace said this would give the opportunity to attack a server being used by an attacker as an example, as some adversaries are foreign states.

“We have to be mindful that the power of cyber can cause real problems, so we need the ability to strike back if we need to,” he said. “We also need the ability to tackle the non-state threats.” He explained his will include taking down servers being used to host child abuse images.

Plans for the National Cyber Force were announced in 2018. It will bring together offensive operations, combine contractors, GCHQ spies and military personnel in a force of up to 2000 online experts, and will be operated by the MoD and GCHQ.

Commenting, Francis Gaffney, director of threat intelligence and response at Mimecast, said: “It is really positive to see the UK government acknowledging cybersecurity as a significant enough concern to continue with these large investments in its cyber-activity.

“At Mimecast, our latest threat report observed a total number of 163.92 million attacks in the last month, taking the total number of attacks in 2020 past the one billion mark. This is almost certainly a result of the pandemic and many UK organizations working remotely in such a volume for the first time, leaving many of them potentially more vulnerable to cyber-attacks.

“This initiative will also have a positive impact on the overall cyber-hygiene level of citizens and organizations of the UK, as it further elevates the cybersecurity threat and keeps it at the forefront of the thoughts of the British public. I definitely welcome the continued interest and funding of the UK’s cyber-defenses. Long may it continue.”

6 Tips for a More Cyber-Secure Holiday Season

In any other year, many of us would be gearing up for airline travel, big family dinners, cocktail hours or potlucks with friends, and much more. But with all the challenges this year has brought in terms of how we work and connect during a global pandemic, I’m guessing all our plans look a little different than we thought they would.

Since most of us are now online more than ever before for work, school, personal connection, shopping, etc., it’s critical that take extra steps to keep our digital selves safe. With that in mind, we’ve put together a list of 6 (ish) tips to help you and your family stay safe online this holiday season, no matter how or where you celebrate it.

1. Watch out for an increase in scam emails and websites

What follows are just a few of the ways scammers may target you this holiday season. We recommend you install easy-to-use tools such as Fakespot, which is an add-on that protects consumers by detecting fraudulent product reviews and third-party sellers in real time, to help you avoid the fakes.

  • Flash sale alerts
    During the holidays, the number of promotional emails you receive is likely to go up as online stores run flash sales. With that in mind, scammers are likely to up their game, mimicking legitimate offer emails and websites in the hopes that your desire for a sweet deal will pay out for them. Use extra caution and don’t click anything in an offer email. Go to the retailer’s official website (type it directly into your browser instead of clicking a link in an email) to help ensure you’re shopping securely.
  • “Free” gift cards
    You may get offers for “free” gift cards to online retailers, such as Amazon, Walmart or Target. Remember: very little in life is free. This is another way that criminals may try to trick you into downloading malware or exposing sensitive information that they can use to steal your money or identity.
  • Fake “missed delivery” notices
    Since 94% of people are shopping online more or about the same as they were pre-pandemic, fake package notifications are another way that cybercriminals may target you. If you receive an email or text message about a missed delivery, be sure to double-check the details, such as the shipper (for example, maybe you’re only expecting a Prime or USPS delivery, so a FedEx notification should throw a red flag), the tracking numbers, etc. And, of course, don’t click or download anything in the text or email message itself
  • Discounts so deep they can’t be real
    If you see an ad or email for a high-ticket item that suddenly costs less than 10% of the regular retail price, it’s practically guaranteed to be 100% fake. Let’s face it: there’s just no way you’re going to get real Ray-Bans for the low, low price of $24.99.

2. Use caution with your charitable donations

It’s the giving season and, thanks to the pandemic, natural disasters, and other current events, there are plenty of people in the world who could use a little extra help. Good on you for contributing to the public good! Unfortunately, not even charities are sacred to scammers, and they will take advantage of your desire to help others.

It’s critical to do your research! We recommend you visit trusted organizations, like Charity Watch, to learn more about the charities you’ve chosen and their efficiency, governance and accountability before committing money. Additionally, be suspicious of aggressive pitches including multiple calls and emails or tactics that require immediate donation. Lastly, never pay by gift card of wire transfer. Use a credit card instead, as it’s easier to track and recover fraudulent transactions.

3. Research your smart devices

When we say “smart devices,” we don’t just mean things like Alexa or Google Home. There are internet-enabled fridges that tell you when you’re low on groceries, let you hear and speak to someone at your front door, function as a baby monitor, and even tell you when your laundry’s done. There are also smart thermostats, garage door openers, light fixtures, and so much more. All of these gadgets form a network of connected devices known as the Internet of Things (IoT). And each one could potentially let a hacker into your home network.

Be selective when it comes to purchasing connected smart home and IoT devices. Choose reputable brands that include security, such as the ability to change passwords and perform firmware updates. Cheaper knockoffs of name brand devices might be easier on your wallet, but they are often designed without security in mind. Additionally, since the business model for knockoffs is typically to turn a profit as quickly as possible, there’s no guarantee the device manufacturer will even be around in a year or two to send out security updates or offer support if your device malfunctions

4. Secure any new tech toys right away

Get a cool new gadget in the family gift swap? (Or buy something awesome just for yourself? Don’t worry, we won’t tell the kids.) Protect that tech investment by installing security right away. It’s not the most exciting thing to do with a new toy, but it’ll help make sure you get to enjoy it without worrying about malicious actors joining in on the fun

5. Use reputable video chatting services to connect with loved ones

When planning your virtual holiday get-togethers, use trusted video conferencing providers like Zoom, who have paid close attention to security issues this year and adapted product defaults to enable safer user experiences. Also, be cautious of any websites that request permissions from your browser to access your camera and microphone. If you get one of these notifications, close out of your browser. Do not engage with the permissions request in any way

6. Remember the basics

We’ve said it before, we’ll say it again. Good online habits are your best defense – and it really doesn’t take much effort to keep yourself and your family safe

  • Use strong, unique passwords for all your accounts and don’t share them. Length is strength, so passphrases are a good help.
  • Install virus protection on all your devices and keep it up to date.
  • Use a secure cloud backup.
  • Connect to the internet using a VPN, even on your home network (and especially if transmitting sensitive info, like credit card numbers or online banking details.)
  • Keep your device operating systems up to date so you have the latest patches against exploits.
  • Don’t enable macros. Ever. If a document or website asks you to enable macros or hidden content or “allow access”, just don’t do it. There are very few legitimate reasons for documents or websites to request these permissions.
  • Keep a close eye on your financial accounts and look out for any fraudulent activity.

Here’s wishing you a safe and cyber-secure holiday season! Keep an eye on the Webroot Blog and the Webroot Community for more tips and news on the latest cyber threats.

The post 6 Tips for a More Cyber-Secure Holiday Season appeared first on Webroot Blog.

Cisco Webex vulnerabilities may enable attackers to covertly join meetings

Cisco has fixed three bugs in its Cisco Webex video conferencing offering that may allow attackers to: Join Webex meetings without appearing in the participant list (CVE-2020-3419) Covertly maintain an audio connection to a Webex meeting after being expelled from it (CVE-2020-3471) Gain access to information (name, email, IP address, device info) on meeting attendees without being admitted to the meeting (CVE-2020-3441) About the Cisco Webex vulnerabilities The three flaws were discovered by IBM researchers, … More

The post Cisco Webex vulnerabilities may enable attackers to covertly join meetings appeared first on Help Net Security.

Phishers Using Redirector Sites with Custom Subdomains for Evasion

Malicious actors launched a phishing attack that’s using redirector websites with custom subdomains in order to evade detection. On November 16, Microsoft Security Intelligence tweeted out that it had spotted the phishing attack attempting to lure in recipients with emails disguised as password update reminders, helpdesk tickets and other seemingly legitimate business correspondence. Microsoft Security […]… Read More

The post Phishers Using Redirector Sites with Custom Subdomains for Evasion appeared first on The State of Security.

New Grelos skimmer variant reveals murkiness in tracking Magecart operations

Security experts from RiskIQ discovered a new variant of the Grelos skimmer that presents overlap with Magecart group operations.

Researchers from RiskIQ analyzed the increased overlap of a new variant of the skimmer dubbed Grelos and the operations of the groups under the Magecart umbrella. The analysis demonstrates the difficulty in associating new strains of skimmer to groups that were behind major Mahecart campaigns. The experts observed an increased overlap of domain infrastructure used by multiple threat actors spreading software skimmers focused on the theft of payment card data from e-stores. 

Hacker groups under the Magecart umbrella continue to target e-stores to steal payment card data with software skimmers. Security firms have monitored the activities of a dozen groups at least since 2010

According to a previous report published by RiskIQ and FlashPoint, some groups are more advanced than others, in particular, the gang tracked as Group 4 appears to be very sophisticated.

The list of victims of the groups is long and includes several major platforms such as British AirwaysNeweggTicketmasterMyPillow and Amerisleep, and Feedify

Millions of Magecart instances were detected over time, security experts discovered tens of software skimming scripts.

The Grelos skimmer has been around since at least 2015 and is associated with operations of Magecart groups 1 and 2. The new variant uses WebSockets for skimming operations, a technique that was first documented in December 2019 when used by the Magecart Group 9.

“We believe this skimmer is not directly related to Group 1-2’s activity from 2015-16, but instead a rehash of some of their code,” reads the post published by RiskIQ. “This version of the skimmer features a loader stage and a skimmer stage, both of which are base64 encoded five times over.”

RiskIQ researchers were analyzing the links shared by Malwarebytes related to the Magecart attack on Boom! Mobile carried out by the Fullz House group.

The researchers, Affable Kraut and Denis Sinegubko, shared on Twitter a list of possibly connected skimmer domains. The list included the domains facebookapimanager[.]com and googleapimanager[].com.

The analysis of the domains allowed the expert to discover a new Grelos skimmer variant instead of the Fullz House group’s skimmer. The new variant uses a base64 encoded loader stage with a single layer of encoding.

“A sample we collected from one victim site shows a similar base64 encoded loader stage to one documented by Affable Kraut, except this loader stage is only under one layer of encoding. Also, a duplicate of the encoded script tag appears just below it, without encoding” continues the analysis. “The clear version of the base64 encoded script is nearly identical to the previous version. The skimmer, however, is a bit different. Here we see a dictionary named “translate,” which contains various phrases used by a fake HTML payment form created by the skimmer:”

The researchers pointed out that multiple variants of Magecart-related skimmers are reusing code from past operations. For example, the code used by the Fullz House skimmer has been co-opted by other hacking groups that in some cases are leveraging part of the same infrastructure to host other skimmers, such as Grelos. RiskIQ researchers noticed that the new variant of the Grelos skimmer shares IPs with the Inter skimmer

“For instance, when we examine the hosting when we look at the hosting provider used by Full(z) House to carry out its recent skimming activity, including the compromise of boom! Mobile, we see Alibaba. This same hosting provider is used by the Grelos skimmer, the Inter skimmer, and others. In fact, we even see an overlap in the specific infrastructure used by an Inter skimmer implementation and the most recent version of Grelos, detailed in this post.” concludes the analysis. “This complex overlap illustrates the increasingly muddy waters for researchers tracking Magecart.”

Pierluigi Paganini

(SecurityAffairs – hacking, malware)

The post New Grelos skimmer variant reveals murkiness in tracking Magecart operations appeared first on Security Affairs.

Researcher Drops Gender Discrimination Lawsuit Against Microsoft

Researcher Drops Gender Discrimination Lawsuit Against Microsoft

Computer researcher Katie Moussouris has dropped her gender discrimination lawsuit against tech giant Microsoft.

Issued in 2015, the lawsuit claimed that Microsoft unfairly discriminated against Moussouris (who worked at the company between 2007 and 2016) and other female employees because of their gender. It claimed that female workers were passed over for promotions, while less qualified male colleagues were promoted.

“I have dropped my lawsuit because my funds are better put towards solutions that help to implement both real change and demonstrate strong commitment to pay equity in our lifetime for women around the world, leaving behind organizations like Microsoft that pantomime pay equity, while resisting any real commitment to change,” Moussouris wrote in a blog post published on November 18 2020.

Moussouris went on to explain that, in dropping her case, she did not sign a non-disclosure agreement or receive a payment of any type.

“I’m free to focus on pay inequity without any limitations, using both my voice and my hard-earned assets to put a spotlight on companies like Microsoft, who are on the wrong side of history. These companies will be remembered for their resistance to change as the rest of the modern world takes decisive action towards pay equity in our lifetime.”

She urged organizations to support the Pay Equity Now Pledge (which she founded), as well as to make real pay, bonus, hiring, assignment and promotion rate changes that truly put all genders on equal footing as human beings.

“The legal system failed me and many other women to help us hold Microsoft and other companies accountable for gender discrimination that manifested in pay inequity over many years. I refuse to stop fighting for pay equity for women and racial minorities, and I have found a way forward regardless of Microsoft’s resistance to positive change.”

Strong Crypto and Policing: EU Again Debates Encryption

EU Lawmakers Tackle Strong Crypto and Law Enforcement Access to Data
European lawmakers are once again considering encryption policies, and attempting to strike a balance between the privacy and security afforded by strong encryption, as well as law enforcement needs. But with encryption being a cornerstone of the internet, is there any new balance to be struck?

Publicly Available Exploit Code Gives Attackers 47-Day Head Start

Publicly Available Exploit Code Gives Attackers 47-Day Head Start

When exploit code is released into the wild, it gives attackers a 47-day head start on their targets, new research has warned.

Kenna Security teamed up with the Cyentia Institute to analyze 473 vulnerabilities from 2019 where there was some evidence of exploitation in the wild.

Over the succeeding 15 months, the team noted when a vulnerability was discovered, when a CVE was reserved, when a CVE was published, when a patch was released, when the bug was first detected by vulnerability scanners and when it was exploited in the wild.

It claimed that exploit code is released into the wild in around one in four (24%) cases and the majority (70%) of exploited CVEs are likely to have been predated by publicly available exploit code.

There is therefore strong evidence that “early disclosure of exploit code gives attackers a leg up,” argued Kenna Security CTO, Ed Bellis.

However, things are a little more complicated than that, he added.

“At the same time, when exploits are released before patches, it takes security teams more time to address the problem, even after the patch is released,” Bellis explained. “That’s an indication that exploit code availability is not the motivator that some would suggest it is.”

Early disclosure may also actually help the white hat community by providing the code from which IDS and IPS systems can derive signatures. It could also push software developers to produce patches more quickly, and organizations to patch once one becomes available.

The good news is that responsible disclosure processes appear to be working quite well. Around 60% of vulnerabilities have a patch before a CVE is officially published, rising to over 80% within just a few days following the publication of a CVE.

However, once again, this doesn’t tell the whole story.

“Just because a patch is released, it doesn’t mean it will get used. Companies have a backlog of open vulnerabilities,” explained Bellis.

“Conversely, just because an exploit is available, that doesn’t mean attackers will use it. So, there are periods of time when attackers are able to deploy more attacks than defenders can patch, and there are times when defenders have momentum.”

Unfortunately, at present, attackers have momentum 60% of the time, according to the research.

Evolution of Emotet: From Banking Trojan to Malware Distributor

Emotet is one of the most dangerous and widespread malware threats active today. Ever since its discovery in 2014—when Emotet was a standard credential stealer and banking Trojan, the malware has evolved into a modular, polymorphic platform for distributing other kinds of computer viruses. Being constantly under development, Emotet updates itself regularly to improve stealthiness, persistence,

Google forces devs to reveal Chrome extensions’ data use, privacy practices

Starting January 2021, developers of Chrome extensions will have to certify their data use and privacy practices and provide information about the data collected by the extension(s), “in clear and easy to understand language,” in the extension’s detail page in the Chrome Web Store. “We are also introducing an additional policy focused on limiting how extension developers use data they collect,” Google added. Privacy practices get more attention Two weeks ago Apple announced that developers … More

The post Google forces devs to reveal Chrome extensions’ data use, privacy practices appeared first on Help Net Security.

Chinese Cloud Hopper Attackers Use Zerologon in New Campaign

Chinese Cloud Hopper Attackers Use Zerologon in New Campaign

Chinese state-sponsored attackers are operating a major global campaign against multiple verticals exploiting the Zerologon vulnerability, according to new research from Symantec.

The security giant claimed that the Cicada group (aka APT10, Cloud Hopper) is targeting Japanese companies and their subsidiaries in 17 countries with information-stealing attacks. Affected sectors include automotive, pharmaceutical, engineering and managed service providers (MSPs).

APT10 is well-known to researchers, having been unmasked as the entity behind the infamous Cloud Hopper campaign against global MSPs back in 2017 — at the time branded “one of the largest ever sustained global cyber-espionage campaigns.”

The current campaign is said to have been ongoing since October 2019, with attackers maintaining persistence on some of their victims’ networks for a year, although for others the attacks lasted just days.

Symantec was first alerted to the campaign when it noticed suspicious DLL side-loading activity on one of its customer’s networks. The technique was in fact used by APT10 during multiple stages of attacks to load malware into legitimate processes, the report claimed.

Other classic techniques used by the group include “living off the land” via use of legitimate Windows functions like PowerShell, dual use and publicly available tools like WMIExec, and custom malware like the newly discovered Backdoor.Hartip.

The group was also observed exploiting the Zerologon elevation-of-privilege bug patched back in August, to remotely hijack a domain to compromise all Active Directory identity services.

“Intelligence gathering and stealing information has generally been the motivation behind Cicada’s attacks in the past, and that would appear to be the case in this attack campaign too. We observed the attackers archiving some folders of interest in these attacks, including in one organization folders relating to human resources, audit and expense data, and meeting memos,” the report noted.

“The group’s use of techniques such as DLL side-loading and a wide array of living-off-the-land tools underline the need for organizations to have a comprehensive security solution in place to detect this kind of suspicious activity before actors like Cicada have the chance to deploy malware or steal information from their networks.”

#DxPsummit: How Zoom Met 2020’s Security Challenges

#DxPsummit: How Zoom Met 2020’s Security Challenges

This was the year that Zoom became a verb that everyone uses in context as it became “a critical service for everybody.”

Speaking as part of Druva’s Cloud Data Protection Summit, Druva CMO Thomas Been talked to Zoom corporate CIO Sunil Madan about the challenges the company has faced this year.

Madan said the mission of Zoom was to support businesses and to be frictionless and, in a secure way, get more things done. “This year has brought some unprecedented challenges for many organizations, including Zoom, with the exponential growth of the product, the consumption of the product and the global scale of the product – we had daily uses grow from 10 million to 300 million in a matter of weeks,” he said.

“We planned for over-subscription, but never by 30-times, that is unheard of, so we got together and figured out how to scale over-subscription, and luckily we have architected the product and could horizontally scale, whether at the data center or at the country or global level.”

He also said the company was designed as an enterprise product, but remote working made it a consumer product as well, and this made the company think about how to give a good experience for both.

Speaking on security and privacy challenges, Madan said there has been a “fair few challenges faced” as Zoom became a consumer product as well as a business product.

“That was the best change going forward, as we now look at ourselves through a different lens,” he said. “We put together a 90-day plan, we went through a security review, and put everything on hold for 90 days so we could take care of security and privacy.”

He said this enabled the company to come back “redefined” and with confidence for users, who know they are using a secure platform. Speaking on how the rapid change drove Zoom’s data protection strategy, Madan said COVID-19 has brought humanitarian challenges to the world, but “Zoom users are trying their best to stay connected.”

He said that everyone is looking for solutions, and most companies had gone through this accelerated transformation to remote working, and most organizations were not ready for it. “We’re dealing with a level of complexity at home and an IT team that was corporate and is now at home.”

This means that there is so much reliance on cloud, which he said “is saving humanity” as data protection and retention became important.

REvil ransomware demands 500K ransom to Managed.com hosting provider

Managed web hosting provider Managed.com was hit with REvil ransomware that forced it to take down their servers and web hosting systems.

Managed web hosting provider Managed.com was hit by a REvil ransomware attack over the weekend that took their servers and web hosting systems offline.

At the time of writing this post, Managed.com hosting systems continue to be unavailable.

Early this week, the provider disclosed the incident and announced the launch of an investigation.

According to ZDNet, Managed.com initially said that the incident only impacted a limited number of customer sites, but a few hours later it was forced to take down its entire web hosting infrastructure.

Impacted systems included WordPress and DotNetNuke managed hosting platforms, online databases, email servers, DNS servers, RDP access points, and FTP servers.

The company reported the incident to law enforcement and started working to restore its infrastructure.

The company only disclosed the ransomware attack on Tuesday and explained that it was forced to shut down its infrastructure to protect the integrity of its customer’s data.

“November 17, 2020 – On Nov.16, the Managed.com environment was attacked by a coordinated ransomware campaign. To ensure the integrity of our customers’ data, the limited number of impacted sites were immediately taken offline. Upon further investigation and out of an abundance of caution, we took down our entire system to ensure further customer sites were not compromised. Our Technology and Information Security teams are working diligently to eliminate the threat and restore our customers to full capacity.” reads an update published by the company. “Our first priority is the safety and security of your data. We are working directly with law enforcement agencies to identify the entities involved in this attack. As more information is available, we will communicate directly with you,”

BleepingComputer, citing multiple sources, states that Managed.com was hit by the popular REvil ransomware gang that is demanding a $500,000 ransom in Monero to receive a decryptor.

Managed.com revil
Source Bleeping Computer

The REvil ransomware gang is known to use a double extortion model threatining to leak online files stolen from the victim, but it is not clear if they stole unencrypted files before encrypting devices of the provider.

REvil gang is one of the major ransomware operations, it has been active since April 2019, its operators claim to earn over $100 million a year through its RaaS service.

In a recent interview with the public-facing representative of REvil, the ransomware operation claims to earn over $100 million a year in extortion payments.

The list of the victims of the group is long and includes TravelexKenneth ColeSeaChangeBrown-Forman, BancoEstado, Grubman Shire Meiselas & Sacks (GSMLaw), Valley Health Systems, Telecom Argentina, and Lion.

Pierluigi Paganini

(SecurityAffairs – hacking, Managed.com)

The post REvil ransomware demands 500K ransom to Managed.com hosting provider appeared first on Security Affairs.

Attacks on Pharma Rise Amid Targeting of #COVID19 Vaccine Development

Attacks on Pharma Rise Amid Targeting of #COVID19 Vaccine Development

Attacks on the biotech and pharmaceutical industry have risen by 50% in 2020 compared to 2019, according to a new report from BlueVoyant.

These findings come amid positive recent news regarding the development of COVID-19 vaccines. It is unsurprising therefore that the cybersecurity firm found that eight of the most prominent companies working to create a vaccine for this virus have faced disproportionate levels of targeted malicious attacks in 2020 compared to other major pharma organizations.

Additionally, the researchers said the number one emerging threat this year is nation state espionage aimed at stealing COVID-19 vaccine research data, although the top threat overall in this sector remains ransomware.

In an analysis of open-source records of 25 publicly reported attacks during the past four years as well as research into 20 companies, including 12 of the largest biotech and pharma organizations in the world, BlueVoyant noted an escalating number of attacks. It observed that of the 25 attacks reported to the media since 2017, 10 (40%) occurred in 2020, while 80% of the 20 companies researched had experienced malicious, international and focused efforts this year.

Worryingly, most of the companies analyzed had not implemented important defenses against these types of attacks, such as securing open remote desktop access ports and phishing security.

Jim Penrose, COO, BlueVoyant, commented: “Pharmaceutical companies develop highly lucrative IP, they handle large amounts of patient and healthcare data and as such are a prime target for criminals looking to compromise, steal and exploit information. Now they face an even more elevated risk environment in the current pandemic as well-resourced nation state actors mount aggressive and focused campaigns.”

Jim Rosenthal, founder and CEO at BlueVoyant, added: “The ongoing effort to find a vaccine and cure for COVID-19 is an endeavor we all want to succeed. The high level of cyber-risk associated with the firms working on this critical mission ought to be a call for action to take immediate measures to drive down cyber-risk. Around the globe all citizens want peace of mind that these firms will guarantee confidentiality, integrity and availability in their research, development, manufacturing and data management activities as they race against the clock to deliver life-saving breakthroughs.”

Earlier this week, it was reported that data breaches in the healthcare industry are expected to triple in volume in the coming year.

Inside the Cit0Day Breach Collection

Inside the Cit0Day Breach Collection

It's increasingly hard to know what to do with data like that from Cit0Day. If that's an unfamiliar name to you, start with Catalin Cimpanu's story on the demise of the service followed by the subsequent leaking of the data. The hard bit for me is figuring out whether it's pwn-worthy enough to justify loading it into Have I Been Pwned (HIBP) or if it's just more noise that ultimately doesn't really help people make informed decisions about their security posture. More on that shortly, let's start with what's in there and we're looking at a zip file named "Cit0day.in_special_for_xss.is.zip" that's 13GB when compressed:

Inside the Cit0Day Breach Collection

A couple of folders down are two more folders named "Cit0day [_special_for_xss.is]" and "Cit0day Prem [_special_for_xss.is]"

Inside the Cit0Day Breach Collection

And then this is where it gets interesting: The first folder has 14,669 .rar files in it whilst the second has a further 8,949 .rar files giving a grand total of 23,618 files. This is where the "more than 23,000 hacked databases" headlines come from as this is how many files are in the archive. Because it's relevant to the story and especially relevant to people who find their data in this breach via an HIBP search, I'm going to list the two sets of files in their entirety via the following Gists:

  1. Cit0day [_special_for_xss.is]
  2. Cit0day Prem [_special_for_xss.is]

Let's drill deeper now and take a look inside one of these files and I'm going to pick "chordie.com {1.515.111} [HASH+NOHASH] (Arts)_special_for_XSS.IS.rar" simply because it's one of the larger ones. Here's the contents:

Inside the Cit0Day Breach Collection

Taking that first and largest file from the archive, there are over 1.5M lines comprised of email address and MD5 hash pairs. I'm going to highlight one particular row that used a Mailinator address simply because Mailinator accounts are public email addresses where there is no expectation whatsoever of privacy. Here it is:


When looking at the "Results.txt" file, that email address appears with a cracked password:


The "NotFound.txt" file consists of email address and MD5 hash pairs and for each hash I randomly Googled, no plain text result was found so this appears to be hashes that weren't cracked. The "Rejected.txt" file contained malformed email addresses and "Result(HEX).txt" had a small number of email address and password hex pairs. This same pattern appeared over and over again across the other archives and it gives us a pretty good idea of what the data was intended for: credential stuffing.

I extracted all the files, ran my usual email address extraction tool over it (effectively just a regex that can quickly enumerate through a large number of files), and found a total of 226,883,414 unique addresses. A substantial number, although not even in the top 10 largest breaches already in HIBP.

But is it legit? I mean can we trust that both the email addresses and passwords from these alleged breaches represent actual accounts on those services? Let's take the example above which allegedly came from chordie.com, a guitar forum. Over to the password reset and drop in the Mailinator address from before:

Inside the Cit0Day Breach Collection

Apparently, an email has been sent to that address which indicates it does indeed exist on the site:

Inside the Cit0Day Breach Collection

And sure enough, in that public Mailinator inbox is the password reset email for a user by the name of "trawis":

Inside the Cit0Day Breach Collection

Consequently, there is a very high likelihood this data is legit. I haven't notified Chordie as they're one of more than 23k sites listed so clearly disclosure in the traditional sense isn't going to work, at least not where I privately contact the company. But each time I checked, the pattern repeated itself; rakesh_pandit@mailinator.com has an account on fullhyderabad.com:

Inside the Cit0Day Breach Collection
Inside the Cit0Day Breach Collection

Or over on sandhuniforms.com, pentestaaa@mailinator.com also had an account:

Inside the Cit0Day Breach Collection
Inside the Cit0Day Breach Collection

In that example, the data was found in a file called "www.sandhuniforms.com {54.629} [NOHASH].txt" and true to its name, it appears from the forgotten password email that they were never even hashed in the first place. Same again for johnbvcxzy@mailinator.com on acdc-bootlegs.com:

Inside the Cit0Day Breach Collection
Inside the Cit0Day Breach Collection

I'm conscious I'm showing actual email addresses and either passwords or reset tokens in the images above, but again, these are very clearly test accounts with no expectation of privacy. I'm showing these for impact; this is a serious set of data that includes actual breaches that are almost certainly unknown by the site operators.

Many of the sites indicated in this collection of data are now defunct. For example, as of the time of writing, flyinghearts.info simply returns "Forbidden". Back in May, it was a service for blokes to meet Czech women according to archive.org. Or take cyberlearningmauritius.org which is returning HTTP500 today, but in Jan last year was a (self-proclaimed) global leader in digital education.

At least one other site in the collection was previously (publicly) known to have been breached and in this particular case, was already in HIBP. For example, "hookers.nl {287.560} [HASH+NOHASH] (Adult)_special_for_XSS.IS.rar" is already in HIBP as a sensitive breach. I'm sure there are probably others too so inevitably this isn't 100% new data, let's see if we can put a number on that:

I was curious as to how much of this data had been seen in other breaches before and if there was an obvious trend. For example, is this largely just data from, say, the Collection #1 credential stuffing list I loaded early last year? I took a slice of addresses from the 226M I'd extracted and started running them against HIBP. Here's what I found after checking over 74k addresses:

Inside the Cit0Day Breach Collection

Only 55% of the addresses in the sample set had been seen before (after loading the complete data set into HIBP, that number rose to 65%). There were a bunch of addresses in the Collection #1 incident and also in the 2,844 breach collection I added in Feb 2018, but clearly based on the red "null" results there were also many new addresses. In other words, there were a substantial number of people who prior to loading this data, would get no hits when searching HIBP but had previously been in a breach.

Then there were the passwords. Eyeballing them, they're all the sorts of terrible passwords you'd expect most people to use. Passwords like "Ashtro1969", "Odette1978" and, perhaps unsurprisingly given the file I was looking at, "ilovechordie". Whilst many of the passwords I tested were terrible enough to have previously appeared in other data breaches and flowed through to Pwned Passwords, these three didn't exist there at all. In fact, over 40M of them didn't exist at all.

The passwords, however, do also pose a bit of a conundrum when parsing them out of thousands of separate files. Whilst many existed as credential pairs in the "Results.txt" files of the respective archives, others existed in files such as "libertidating.com {1.928} decrypted.txt" (they're almost certainly cracked hashes rather than "decrypted" ciphers) and "promotionalproductsglobalnetwork.ca {2.166} [NOHASH].txt", the latter possibly indicating that passwords were never hashed to begin with. So, thousands of files, different naming formats and whilst mostly consistent in terms of structure, inevitably there are some parsing issues in there. For example, this "password":

3px;"><a href="docs/!INDEX.html"><b>Ãëàâíàÿ</b></a></div><div style="padding-left: 10px; padding-top: 3px; padding-bottom: 3px;"><a href="docs/ondfi5.html" style="">Î êîìïàíèè</a><br/></div><div style="padding-left: 10px; padding-top: 3px; padding-bottom: 3px;"><a href="docs/8qjisp.html" style="">Óñëóãè</a><br/></div><div style="padding-left: 10px; padding-top: 3px; padding-bottom: 3px;"><a href="

This would be an epic password if someone did in fact use it, but it's almost certainly an upstream parsing error. Or take this password:


Yes, I can envisage someone using it on a website (perhaps one related to cooking), but no, I don't believe it would have been used 6,349 times which is the number of occurrences that were found within the breach corpus. Interestingly, they were all sourced from "www.vcanbuy.com {134.303} [HASH] (Business and Industry).txt" and as best I can make it, vcanbuy.com is a Thai fashion site. But neither of these data quality issues matter - here's why:

When these passwords flow through into Pwned Passwords, they ultimately exist as hashes to be downloaded or queried using k-anonymity. Nobody is going to use the first password with all the HTML in it so it has no real world impact. Someone might feasibly try to use the second password and a service using HIBP's Pwned Passwords might then reject it due to its prevalence. I'm ok with that because it's not a good password! But what about hash collisions? What if someone else tries to use a password where the SHA-1 hash is equal to the SHA-1 hash of the junk data? It'd return a hit in HIBP which would effectively be a false positive, but whether there's a small amount of junk data in there or not (and it's a very small amount - well under 1%), the same issue prevails. Plus, considering that SHA-1 hashes occupy a total character space of 16^40, you can easily do the maths on how extremely unlikely this is (and the impact is still very low if it does).

Given the number of individual breaches, the legitimacy of the data plus the vast number of previously unseen email addresses and passwords, I've loaded it all into HIBP. The lot - both emails and passwords (note: these go in as separate archives and never as pairs, read more about Pwned Passwords here). As with other breaches without a single clear origin, this means that people may find themselves pwned and not know which service leaked their data. It also means they may find their password breached and not know which service leaked it. But it also doesn't matter - here's why:

The goal of HIBP has always been to change behaviours, namely to move people from using those one or two or three weak passwords all over the place and get themselves into a proper password manager like 1Password and create strong, unique passwords everywhere (full disclosure: I'm on their board of advisors). If you've done that already and then find yourself in the Cit0day data then it's a non-event for two reasons:

  1. Being in one of the 23k breaches isolates your risk to that breach alone; because you've not reused the password anywhere else, exposure in that one place doesn't put you at risk anywhere else.
  2. Passwords randomly generated from a password manager are almost certainly not going to be cracked; even when stored weakly (for example, as an unsalted MD5 hash), your ~40 character random string isn't being cracked. If, on the other hand, the site stored it in plain text, see point 1.

And if you don't already have a password manager? Then you need to get one and promptly change the password on every important account anyway!

But there is a gap that goes beyond the risks associated with exposed passwords alone, and that's the personal impact of other exposed data. If, for example, you filled a bunch of other personal information into Chordie then it would be reasonable to assume that's now in the possession of other parties and you would quite rightly want to know about that. This is where we really need the sites indicated in those two Gists above to come forth and I suggest the following: If they're on the list, test a sample set of their own subscriber's email addresses on HIBP. If you're worried about submitting someone else's personal info to my service, grab some Mailinator addresses and check those. If they come back with hits against the Cit0day breach then that's a very strong indication of breach.

In closing, there's now 226M more breached accounts in HIBP and a further 41M passwords (just over 40M new ones from this incident and just under 1M from other incidents since the last release). Just to emphasise why it was important to get this data set into HIBP, the Pwned Passwords k-anonymity API has been hit 815M times in the last month:

Inside the Cit0Day Breach Collection

Feeding these passwords into the corpus of known breached ones has an immediate an tangible impact on account takeovers which is good for online services, good for individuals and good for the web as a whole.

Researchers Warn of Critical Flaw Affecting Industrial Automation Systems

A critical vulnerability uncovered in Real-Time Automation's (RTA) 499ES EtherNet/IP (ENIP) stack could open up the industrial control systems to remote attacks by adversaries. RTA's ENIP stack is one of the widely used industrial automation devices and is billed as the "standard for factory floor I/O applications in North America." "Successful exploitation of this vulnerability could cause a

Group-IB launches Fraud Hunting Platform, a digital identity protection and fraud prevention solution

Group-IB has presented its new solution for digital identity protection and fraud prevention Fraud Hunting Platform. The solution guards 130 million users daily. In H1 2020, Group-IB’s Fraud Hunting Platform shielded banking and eCommerce portals in Europe and Asia from bot activities, malware, and social engineering attacks and saved them roughly $140 million. Malware attacks, social engineering and bot activity are the top 3 threats for users of eCommerce and banking portals, based on the … More

The post Group-IB launches Fraud Hunting Platform, a digital identity protection and fraud prevention solution appeared first on Help Net Security.