Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between November 13 and November 20. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
20201120-tru.json – this is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.
At McAfee, ensuring our new team members are well prepared and supported for their roles is a top priority. From the first day of onboarding, team members are nurtured and given the tools they need for successful development.
McAfee’s traditional in-person orientation process has evolved virtually because of the pandemic. But the approach and goal is the same – to transition new team members as efficiently and comfortably as possible so they can make an immediate impact.
We asked four recent additions to the McAfee family what it’s like to join the company via virtual onboarding. They were asked to share how McAfee helped them acclimate to work life as a new employee and to offer highlights now that they’ve settled into their new roles.
Here is what they had to say:
Daniella, Regional Account Manager, Plano, Texas
Virtual resources make a difference: “It was my first time onboarding virtually and it felt like a once-in-a-lifetime experience. The process was executed very well, and all training materials were made available to me online. I believe providing these virtual resources was extremely helpful in my onboarding experience.”
Settling in with the right tools, team support: “Like most people in similar circumstances, I wondered what virtual onboarding was going to be like. How could I possibly retain this amount of information? At the end of the day, you realize that you really do have all the right resources. My manager was great and looped me in, and was able to help me to quickly acclimate to my role on the team. My onboarding buddy and fellow team members were also a huge help.”
Engaging and exceeding expectations: “I adapted to my new work life and virtually accomplished everything that most do in-person. I took all of my assessments online and team members offered the different resources that were essential to accomplishing my day-to-day work. My trainer was also very engaging throughout the process.”
Virtually learning to engage customers: “Through daily meetings, my sales coach prepared me for interactions with customers. I learned different ways to engage for meetings and customer visits, and was able to practice my sales pitch just as if it were in person.”
Building better relationships: “In cybersecurity, you are constantly in a state of learning. You never stop the process of improving yourself, your skills, your salesmanship and your relationships. I am now acclimated to my role and building better relationships with my customers.”
John, Global Business Director – Amazon, Seattle, Washington
A Productive Day One: “The basic onboarding process was easy and enabled me to get the necessary tools like a badge, email and computer equipment prior so that the first day on the job was more productive than prior experiences. I could preview the excellent benefits and enroll shortly after starting, as well as acquire office equipment necessary for me to work from home.”
Easy-to-follow training, introductions: “As an experienced leader, I had no apprehension about virtual onboarding. McAfee’s training and general onboarding introductions were easy to follow and required no advance preparation. While some of the training was time consuming, it was not a burden and frankly insightful.”
Finding balance and having fun: “My role is global, so I found balance between work and family time by juggling the global time zones and meetings. The numerous social and professional groups as well as the MS Teams program with McAfee helped with acclimating to the company. McAfee always keeps it fun with competitions and challenges on the Social Hub between employees. Virtual coffee and happy hours help too.”
Collaborative and better together: “We’re having a strong year, and a big reason is that the team has been very welcoming and always willing to provide training and support – very collaborative. Our best days lie ahead. We are better together and getting better every day.”
Mark, Director of Credit and Collections, Plano, Texas
A very normal virtual experience: “Initially, I experienced some apprehension about onboarding remotely. It’s difficult enough to learn a new job in the office, and I was worried that learning remotely without having someone sitting next to me might complicate training. But my anxiety quickly dissipated, and I can honestly say that the McAfee onboarding experience felt very normal. My manager, peers and those reporting to me were extremely helpful and stayed in constant communication as I navigated through the first several weeks at McAfee.”
Ease of learning through technology: “Virtual meetings via Teams helped me to quickly acclimate. Talking to others via video was comforting and enabled me to get to know other McAfee team members. McAfee’s onboarding technology made it very easy to learn remotely.”
No need to fear onboarding remotely: “I can truly say that the one major highlight that stands out for me is just getting to know so many amazing employees in this organization. No one should fear or have any anxiety when onboarding virtually at McAfee. It has been and continues to be a great and exciting experience!”
Rachel, Sr. Sales Operations Analyst, Plano, Texas
Easy to learn and understand: “The virtual onboarding experience was easy. The learning hub is an excellent resource and helped simplify the process, in addition to offering great product training. As someone who is not only new to McAfee but also the cybersecurity industry, I knew I would have a lot to catch up on. Everything was very easy to understand.”
Very responsive and helpful: “My recruiter stayed in touch with me and made sure my questions were answered. Any time I needed something, the human resources department was very responsive and helpful. My team also rallied around me and have provided a lot of support since I joined McAfee.”
Achieving a steady course: “I love it at McAfee and everyone has been so supportive. Teammates have been incredibly helpful in guiding me through each of their best practices so I could build my roadmap to success.”
The post McAfee Team Members Share Their Virtual Onboarding Experiences appeared first on McAfee Blogs.
Europol has arrested two Romanians for allegedly selling services - including malware encryption - that helped cybercriminals circumvent antivirus tools.
VMware has addressed two serious ESXi vulnerabilities that were demonstrated at the Tianfu Cup International PWN Contest.
VMware has released patches for two serious ESXi vulnerabilities that were disclosed during the 2020 Tianfu Cup International PWN Contest.
The Tianfu Cup is the most important hacking contest held in China; this year the total prize pool was up to 1 million US dollars.
The participants successfully tested their exploits against the following software:
- iOS 14 running on an iPhone 11 Pro
- Samsung Galaxy S20
- Windows 10 v2004 (April 2020 edition)
- Adobe PDF Reader
- Docker (Community Edition)
- VMware ESXi (hypervisor)
- QEMU (emulator & virtualizer)
- TP-Link and ASUS router firmware
The team named “360 Enterprise Security and Government (ESG) Vulnerability Research Institute,” which is part of the Chinese tech giant Qihoo 360, won the competition. The winning team earned $744,500 of the total $1,210,000 jackpot.
The 360 ESG Vulnerability Research Institute team earned $180,000 for an ESXi guest-to-host escape exploit.
Experts from VMware who were watching the hacking contest immediately started working on patches to address the flaws. The company released the first set of patches on Thursday, fixing the two vulnerabilities that the bug hunters exploited at the competition.
The first vulnerability, tracked as CVE-2020-4004, is a use-after-free vulnerability in the XHCI USB controller.
“VMware ESXi, Workstation, and Fusion contain a use-after-free vulnerability in the XHCI USB controller. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.3.” reads the advisory.
“A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine’s VMX process running on the host.”
The second flaw, tracked as CVE-2020-4005, is a VMX elevation-of-privilege vulnerability that was caused by the way certain system calls are managed.
“VMware ESXi contains a privilege-escalation vulnerability that exists in the way certain system calls are being managed. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.8.” continues the advisory.
“A malicious actor with privileges within the VMX process only, may escalate their privileges on the affected system. Successful exploitation of this issue is only possible when chained with another vulnerability (e.g. CVE-2020-4004).”
The white-hat hackers at the Tianfu contest chained the two vulnerabilities to execute code as the virtual machine’s VMX process running on the host.
The impacted products are:
- VMware ESXi
- VMware Workstation Pro / Player (Workstation)
- VMware Fusion Pro / Fusion (Fusion)
- VMware Cloud Foundation
(SecurityAffairs – hacking, Tianfu)
The fairly recent creation and development of cryptocurrencies, through the Dark Net, has created the possibility of full transactional anonymity for those involved in criminal activities both on- and offline.
In this edition, Terry Cutler of Cyology Labs talks about credential stuffing attacks and how to stop them.
The post Cyber Security Today Week In Review for Nov. 20, 2020 first appeared on IT World Canada.
Fraudsters are increasingly using free Google services to create more realistic phishing emails and malicious domains that circumvent security filters, the security firm Armorblox reports.
U.K. Prime Minister Boris Johnson announced Thursday the creation of a National Cyber Force designed to strengthen Britain's cybersecurity posture and give the country new defensive and offensive capabilities. Some security experts, however, are raising concerns about recruiting enough qualified staff members.
A U.S. unit of Italian-based eyewear maker and eye care center conglomerate Luxottica has reported a breach affecting over 829,000 individuals - the fourth largest health data breach added to the U.S. federal tally so far this year. It's unclear if a recent ransomware attack is related.
Green Beret Passed Secrets to Russia
A former Green Beret in the United States Army has admitted passing classified information to Russian intelligence agents.
Peter Rafael Dzibinski Debbins was arrested in August 2020 and charged with conspiring to provide United States national defense information to agents of a foreign government. On November 18, the 45-year-old Gainesville, Florida, resident pleaded guilty to the charge and now faces a maximum penalty of life in prison.
“Despite being entrusted to protect his colleagues and US national security, he chose to abuse this trust by knowingly providing classified information to one of our most aggressive adversaries," said Steven D’Antuono, assistant director in charge of the FBI's Washington Field Office.
According to court documents, Debbins conspired with agents of a Russian intelligence service from December 1996 to January 2011, periodically visiting Russia to meet with those agents in person.
Debbins was assigned a code name by Russian intelligence agents in 1997 after signing a statement in which he pledged his allegiance to Russia.
From 1998 to 2005, Debbins served on active duty as an officer in the US Army, working in chemical units before being selected to join the US Army Special Forces, where he served at the rank of captain.
Throughout the 13-year conspiracy, Debbins gave Russian intelligence agents information that he obtained as a US Army member, including data about his chemical and Special Forces units.
In 2008, after leaving active duty service, Debbins disclosed to the Russian intelligence agents classified information about his previous activities while deployed with the Special Forces.
Debbins also provided agents with the names of, and information about, his former Special Forces team members. Agents used this information to decide who to approach and sound out about the possibility of cooperating with the Russian intelligence service.
“President Kennedy called the Green Berets ‘a symbol of excellence, a badge of courage, a mark of distinction.’ Mr. Debbins’ actions were a symbol of betrayal, a badge of cowardice, and a mark of treachery,” said Alan Kohler, Jr., assistant director of the FBI's Counterintelligence Division.
“He pledged his allegiance to Russia, and in doing so, sold-out his country and fellow Green Berets."
Debbins is scheduled to be sentenced on February 26, 2021.
"Has anyone witnessed any examples of criminals abusing artificial intelligence?" That's a question security firms have been raising. A new report has identified likely ways in which such attacks might occur and offers examples of threats already emerging.
Authorities in India believe that a major power outage that occurred in October in Mumbai may have been caused by hackers.
On October 13, a major power outage in the metropolitan area of Mumbai partially disrupted traffic management systems, paralyzed rail traffic, and also impacted work at the stock exchange.
The outage for essential services lasted two hours, while authorities took up to 12 hours to restore power in some of the affected areas.
“Last month’s power outage in the Mumbai Metropolitan Region (MMR) was possibly the result of a sophisticated sabotage attempt involving foreign entities, a probe carried out by the state police’s cyber cell has revealed.” reads the post published by the Mumbai Mirror.
According to the Mumbai Mirror, the incident may have been caused by a cyberattack. The media outlet revealed that cyber police have found evidence suggesting this assumption. It seems that foreign hackers have been trying to hack into the country’s power utilities since February.
According to India Today, experts involved in the investigation have discovered malware at a load dispatch center, which is responsible for ensuring the operation of the power grid, monitoring grid operations, and scheduling and dispatching electricity.
“The primary cause of the power outage was said to be due to tripping at the Padgha-based load dispatch center in Thane district which distributes power for Mumbai, Thane and Navi Mumbai areas.” states India Today.
The suspicious logins have been traced to Singapore and other South Asian countries.
“A source who is privy to the probe, said hackers have been trying to target the country’s power utilities since February. In June, a swarm of 40,000-plus hacking attacks by non-state groups purportedly operating from China had used a type of malware to access and then encrypt sensitive data of targeted private and public entities.” continues the article. “A power supply provider in Jammu and Kashmir had also come under the hackers’ attack.”
The media outlet speculates that the attacks were carried out by financially motivated foreign hackers who launched multiple attacks against Indian utilities, including phishing campaigns, ransomware and DDoS attacks, and BGP hijacking.
Incidents of this kind are very dangerous: power grids are critical infrastructure, and a cyber attack could impact hospitals and research institutes involved in the response to the ongoing pandemic.
(SecurityAffairs – hacking, power grid)
Data Breach at Iowa Hospital
A data breach at an Iowa hospital has exposed the Social Security numbers and private medical information of more than 60,000 patients.
Mercy Iowa City began notifying patients on November 13 of a data breach that occurred in spring 2020 after an employee's email account was accessed by a threat actor.
The hospital detected the breach on June 24 when the targeted account began sending out phishing emails and spam. An investigation revealed that the hacked account had been compromised between May 15 and June 24.
Security experts brought in to scrutinize the incident confirmed in October that sensitive patient data could have been accessed by the attacker.
Data exposed may have included names, Social Security numbers, driver's license numbers, and health insurance information.
Chicago-based Polsinelli law firm, representing the hospital, said that 60,473 Iowa residents may have been impacted by the security incident.
In a letter sent out to affected Iowa residents on the hospital's behalf, Bruce Radke of Polsinelli stated: "Mercy is not aware of any fraud or identity theft to any individual as a result of this incident. Nevertheless, because there was an email account compromise, Mercy searched the impacted account to determine if it contained any personal information that may have been viewed by the third party.
"Mercy determined that the compromised account contained certain personal information, including, depending on the person, their name, Social Security number, driver's license numbers, date of birth, medical treatment information, and health insurance information."
Mercy Iowa City is offering one year of complimentary identity theft protection services to patients whose driver's license numbers and Social Security numbers may have been compromised.
The hospital said that it is implementing a series of cybersecurity measures including multi-factor authentication to prevent any more breaches from happening.
"We have taken steps to reduce the risk of the type of incident occurring in the future, including enhancing our technical security measures," said Mercy's privacy officer, Kelli Hale.
This latest data spill is the second and worst breach to occur at Mercy Iowa City. In 2016, the acute care hospital reported a security breach that may have exposed the information of 15,625 patients.
From the impact of the pandemic on cybersecurity careers to workers’ job satisfaction, the report offers a number of interesting findings
The post 5 takeaways from the 2020 (ISC)² Cybersecurity Workforce Study appeared first on WeLiveSecurity
IBM is warning infosec pros of a hijacking vulnerability in its DB2 database on Windows.
In a security bulletin issued Thursday, the company said the issue could allow a locally authenticated attacker to execute arbitrary code on the system. The cause is a DLL search order hijacking vulnerability in the Microsoft Windows client.
“By placing a specially crafted file in a compromised folder, an attacker could exploit this vulnerability to execute arbitrary code on the system,” the bulletin says.
IBM says the issue carries a Common Vulnerability Scoring System (CVSS) Base score of 7.8.
All fix pack levels of IBM DB2 including V9.7 (which reached end of life in September 2017), V10.1, V10.5, V11.1, and V11.5 editions on Windows are affected.
Customers running any vulnerable fixpack level of an affected version can download a special build containing the interim fix for this issue from IBM Fix Central. These special builds are available based on the most recent fixpack level for each impacted release. There are no workarounds or mitigations.
Meanwhile, Cisco has issued patches for its Webex Meetings server and client application to close vulnerabilities that allowed a hacker to listen in to meetings without being detected. A so-called ‘ghost’ attendee could have picked up valuable corporate intelligence.
The vulnerabilities, discovered by IBM researchers, allow a person to have full access to audio, video, chat and screen-sharing without being seen on the participant list. In fact, they could stay in a Webex meeting and listen in even after being expelled from a session by maintaining the audio connection.
These vulnerabilities work by exploiting the handshake process that Webex uses to establish a connection between meeting participants, IBM explained. Usually, a client system and a server conduct a handshake process by exchanging ‘join’ messages with information about the attendees, client application, meeting ID, meeting room details and more.
A malicious actor can become a ghost by manipulating these messages during the handshake process between the Webex client application and the Webex server back-end to join or stay in a meeting without being seen by others.
The post IBM urges infosec pros to patch DB2 for Windows, Cisco urges patches for Webex Meetings first appeared on IT World Canada.
FireEye Acquires Respond Software
The transaction closed on November 18, 2020, and is valued at approximately $186m in cash and stock.
FireEye said that the acquisition of Respond Software will open new market opportunities to deliver eXtended Detection and Response (XDR) capabilities to a wide range of customers. Furthermore, the deal will enable Mandiant Solutions to scale its expertise and front-line intelligence as part of the Mandiant Advantage platform.
“Respond’s product dramatically reduces time spent investigating false positives as it connects the dots among siloed, multi-vendor security controls in an easy-to-deploy cloud-based package," said Mike Armistead, Respond Software's chief executive officer prior to the acquisition.
"Now coupled with Mandiant’s world-class threat intelligence and incident response expertise feeding our models, customers can be confident the most up-to-date and relevant attack tactics and techniques are recognized and appropriately escalated."
California-based company Respond is the creator of the Respond Analyst, an XDR engine that uses cloud-based data-science models to accelerate cyber-investigation and response. After ingesting data from a comprehensive set of security technologies, the engine automatically correlates multi-sourced attack evidence.
FireEye plans to make the XDR technology an integral part of the Mandiant Advantage platform, bringing vendor-agnostic XDR and investigation capabilities that can integrate with all customer environments. The company said the changes will quicken response times and provide better security outcomes for customers.
“With Mandiant’s position on the front lines, we know what to look for in an attack, and Respond’s cloud-based machine learning productizes our expertise to deliver faster outcomes and protect more customers,” said Kevin Mandia, FireEye chief executive officer.
“This creates a learning system with new capabilities that will enable us to expand our Mandiant portfolio and drive new XDR revenue through our Mandiant Advantage platform.”
Max Gazor from CRV, who led Respond Software’s Series Seed round in 2016, commented: "Respond Software’s acquisition follows in the footsteps of other great CRV portfolio companies such as CloudGenix (acquired by Palo Alto Networks), Affirmed Networks (acquired by Microsoft), and Signal Sciences (acquired by Fastly) making it the fourth major acquisition in CRV’s portfolio this year."
In anticipation of the third chapter of Politik’s Interzone digital gathering in early December, we sat down with one of Canada’s most recognized names in cybersecurity.
When the PCI Security Standards Council (PCI SSC) developed its Software Security Framework (SSF) a few years ago, it relied on the expertise of a Software Security Task Force. As part of this task force, SAFECode, along with other industry partners, played an instrumental role in the development of the framework and its standards.
#ISSE2020: Focus on 2020's Crypto Successes Rather than Efforts to Break it
Efforts to break encryption in new crypto wars are ongoing, but there are many successes to recount in the past year.
Speaking in the closing session of the virtual ISSE Conference, Professor Bart Preneel of KU Leuven, where he heads the COSIC research group, said more and more crypto research has been published this year. He praised the work to enable contact tracing, but was critical of government and law enforcement’s efforts around end-to-end (E2E) encryption.
Saying the “crypto wars have come back again, something I’m doomed to live with for the rest of my life,” Preneel referred to the case in 1993 when AT&T introduced a secure phone with E2E-based on Triple DES, which the US government was not happy with “as it stopped them intercepting phone calls, especially outside US.” The clipper chip with key escrow project failed, and now the crypto wars have come back as cryptography has shifted from hardware to software.
He said there is a case for interception of people communicating child abuse images, terrorist acts and kidnapping cases, but governments are unable to access encrypted communications, “so the government has no access.” Preneel also said some people use Facebook Messenger for those purposes, which is possible at the moment because it is not E2E encrypted, but Facebook has announced E2E encryption for Messenger, which would close that channel of access, “and the stupid people will not be able to escape.”
He said this proposal was met with criticism as most people are not happy with backdoors, and as a society, we can agree to filter for abuse messages and images, but it could also be used against the freedom of speech of people you don’t like, and for political purposes.
“It keeps coming in different forms and shapes, but the debate is essentially the same and the main complaint is police and intelligence services have lots of metadata, once they find one person they can use that infrastructure to find other people, once you have metadata you have access,” he said. “It is a one-sided debate as law enforcement does not show what they acquired in the last 20 years, so that is actually a debate that is happening, and it is difficult to debate with one side who doesn’t disclose.”
Among other cryptography highlights from 2020, Preneel cited the breaking of RSA 250, where the researchers found two prime factors. “It is important as a large part of digital infrastructure relies on RSA,” he said. “It was amazing as they used so little power, and more effort and money was put in.”
Speaking on quantum computing, he said that despite Google, Intel and Microsoft building systems and investing in quantum computing research, there were no big examples of successes this year, even by companies “spending small fortunes.” He said that in order to break RSA 2048 you will need something like 20 million qubits, and most companies were very far from that, so he predicted that we will be safe until 2035.
With regard to contact tracing, Preneel welcomed the work done to create apps that anonymized user details using decentralized proximity tracing (DP3T); he said there had been 57 million downloads of DP3T-based apps across 18 EU countries and Switzerland. He said: “There are still problems in integration in some national health systems, but it is a solution that seems to work. There are clear indications it works and people are being warned and it is cost effective. The solution was security and privacy friendly.”
Mitsubishi Electric Corp. was hit by a new cyber attack that may have caused the leakage of information related to its business partners.
Mitsubishi Electric Corp. was hit again by a massive cyberattack that may have caused the leakage of information related to its business partners.
“Company officials on Nov. 20 said they were checking the 8,653 accounts of those it has business transactions with to determine if information related to bank accounts of the other parties as well as other information leaked.” reads a post published on the Asahi Shimbun website.
Mitsubishi Electric continues to be a target of hackers. In 2018, an alleged China-linked cyber espionage group compromised the company’s servers by exploiting a zero-day vulnerability in Trend Micro OfficeScan. The breach was detected almost eight months ago, on June 28, 2019, with the delay being attributed to the increased complexity of the investigation caused by the attackers deleting activity logs.
The intrusion took place on June 28, 2019, and the company launched an investigation in September 2019. Mitsubishi Electric disclosed the security incident only after two local newspapers, the Asahi Shimbun and Nikkei, reported the security breach. Highly confidential information belonging to organizations in the defense sector, railways and electric power supply was apparently stolen.
The hacker group has been targeting Japanese heavy industry, manufacturing and international relations at least since 2012.
According to the experts, the group is linked to the People’s Republic of China and is focused on exfiltrating confidential data.
After the attack, the company installed an improved defense system to prevent future attacks, and it also created a new department reporting directly to the company president to implement new cybersecurity measures.
According to local media, the latest cyber attack was likely orchestrated by an APT group because of the major role of Mitsubishi Electric in supporting Japan’s national security and infrastructure.
Mitsubishi Electric confirmed that information linked to thousands of bank accounts has been leaked after a cloud storage system operated by a contractor was breached by hackers.
The company confirmed that the incident took place on Monday and that 8,635 bank accounts held by business partners have been compromised. Data exposed in the incident includes names, addresses, and phone numbers of account holders.
(SecurityAffairs – hacking, malware)
A 21-year-old Irishman who pleaded guilty to charges of helping to steal millions of dollars in cryptocurrencies from victims has been sentenced to just under three years in prison. The defendant is part of an alleged conspiracy involving at least eight others in the United States who stand accused of theft via SIM swapping, a crime that involves convincing mobile phone company employees to transfer ownership of the target’s phone number to a device the attackers control.
Conor Freeman of Dublin took part in the theft of more than two million dollars worth of cryptocurrency from different victims throughout 2018. Freeman was named as a member of a group of alleged SIM swappers called “The Community” charged last year with wire fraud in connection with SIM swapping attacks that netted in excess of $2.4 million.
Among the eight others accused are three former wireless phone company employees who allegedly helped the gang hijack mobile numbers tied to their targets. Prosecutors say the men would identify people likely to have significant cryptocurrency holdings, then pay their phone company cohorts to transfer the victim’s mobile service to a new SIM card — the smart chip in each phone that ties a customer’s device to their number.
A fraudulent SIM swap allows the bad guys to intercept a target’s incoming phone calls and text messages. This is dangerous because a great many sites and services still allow customers to reset their passwords simply by clicking on a link sent via SMS. From there, attackers can gain access to any accounts that allow password resets via SMS or automated calls, from email and social media profiles to virtual currency trading platforms.
Like other accused members of The Community, Freeman was an active member of OGUsers, a forum that caters to people selling access to hijacked social media and other online accounts. But unlike others in the group, Freeman used his real name (username: Conor), and disclosed his hometown and date of birth to others on the forum. At least twice in the past few years OGUsers was hacked, and its database of profiles and user messages was posted online.
According to a report in The Irish Times, Freeman spent approximately €130,000, which he had converted into cash from the stolen cryptocurrency. Conor posted on OGUsers that he spent approximately $14,000 on a Rolex watch. The rest was handed over to the police in the form of an electronic wallet that held the equivalent of more than $2 million.
The Irish Times says the judge in the case insisted the three-year sentence was warranted in order to deter the defendant and to prevent others from following in his footsteps. The judge said stealing money of this order is serious because no one can know the effect it will have on the victim, noting that one victim’s life savings were taken and the proceeds of the sale of his house were stolen.
One way to protect your accounts against SIM swappers is to remove your phone number as a primary or secondary authentication mechanism wherever possible. Many online services require you to provide a phone number upon registering an account, but in many cases that number can be removed from your profile afterwards.
It’s also important for people to use something other than text messages for two-factor authentication on their email accounts when stronger authentication options are available. Consider instead using a mobile app like Authy, Duo, or Google Authenticator to generate the one-time code. Or better yet, a physical security key if that’s an option.
Coffee Briefings deliver our entire audience – the IT administrators and channel partners as well as the C-Suite – the most complete news package with the latest headlines, interviews, and social media chatter. These briefings drop on Tuesday and Friday mornings. If you missed the last briefing, you’re in luck, because you can find it…
CybExer Tasked With Enhancing Luxembourg’s Cyber-Defense Capabilities
Cybersecurity firm CybExer Technologies has announced it has been tasked with building a cyber-range for the Luxembourg Directorate of Defense in order to grow the skills of its current and future cyber-personnel.
The cyber-range is essentially an IT-systems simulation environment that aims to improve organizations’ cyber-defense capabilities by conducting regular training and testing.
The company has been awarded a three-year contract by the NATO Support and Procurement Agency (NSPA) to deliver the range, which will utilize CybExer’s management tools and offer realistic and flexible training environments. The platform will primarily be used by the NSPA and Luxembourg Directorate of Defense, but may also be shared with allies and partners.
This follows the recent decision by the Directorate of Defense of the Grand Duchy of Luxembourg to develop its cyber-defense capabilities. In order to grow the skills of its security staff, the directorate is working with the NSPA to purchase new training capabilities.
As part of the agreement, CybExer will also provide a series of dedicated training sessions as well as have responsibility for the operation and maintenance of the range throughout the period of the contract.
Andrus Kivisaar, CEO of CybExer Technologies, commented: “We have been focusing on building and improving cyber-ranges for years and are glad that our dedication and expertise in the field has been recognized at NATO level. We see that the cybersecurity environment is getting more and more complex. It is good to work with a client who shares our vision and demands a sophisticated cyber-range solution.”
Ben Fetler, cybersecurity project manager at the Luxembourg Directorate of Defense, added: “Luxembourg has become a key ICT actor in the European Union. We have invested massively in connectivity and IT infrastructures over the last years, with the aim of becoming a ‘smart nation’ and one of the most dynamic digital economies in Europe. All of this requires protection and with our national cybersecurity strategy we are aiming, together with NSPA and CybExer, at building a highly capable training environment that can prepare our cybersecurity teams for the most advanced threats.”
For IT leaders, the transition to remote work has been tantamount to opening thousands of branch offices. A recent CanadianCIO virtual roundtable shed light on how organizations are dealing with the challenges of a distributed workforce. “We’ve found that individuals at home are just like branch offices,” said Jack Lumley, National Sales Manager Networking with…
The post CIOs stepping up to the challenge of managing IT everywhere first appeared on IT World Canada.
A new version of the Mount Locker crypto-ransomware strain is specifically targeting victims’ TurboTax files. As reported by Bleeping Computer, Advanced Intel’s Vitali Kremez came across a new Mount Locker sample that specifically sought out files used by the TurboTax tax preparation software. In particular, Kremez observed the sample going after files bearing the “.tax,” “.tax2009,” […]
The post New Mount Locker Ransomware Version Targeting TurboTax Files appeared first on The State of Security.
Symantec is reporting on an APT group linked to China, named Cicada. They have been attacking organizations in Japan and elsewhere.
Cicada has historically been known to target Japan-linked organizations, and has also targeted MSPs in the past. The group is using living-off-the-land tools as well as custom malware in this attack campaign, including a custom malware — Backdoor.Hartip — that Symantec has not seen being used by the group before. Among the machines compromised during this attack campaign were domain controllers and file servers, and there was evidence of files being exfiltrated from some of the compromised machines.
The attackers extensively use DLL side-loading in this campaign, and were also seen leveraging the ZeroLogon vulnerability that was patched in August 2020.
Interesting details about the group’s tactics.
Faith App Pray.com Exposes Millions Through Cloud Misconfig
A popular Christian faith app has unwittingly exposed the personal data of up to 10 million users dating back several years, after misconfiguring its cloud infrastructure, researchers have warned.
Santa Monica-headquartered Pray.com claims to be the “#1 App for daily prayer and biblical audio content” and has been downloaded over a million times from the Play Store.
Researchers at vpnMentor discovered four misconfigured AWS S3 buckets belonging to the company.
Although the company had marked around 80,000 files private, it failed to apply the same restrictions to its CloudFront CDN, which also had access to the files. This means a hacker could have compromised personal information on as many as 10 million people, most of whom were not even Pray.com users.
“Cloudfront allows app developers to cache content on proxy servers hosted by AWS around the world – and closer to an app’s users – rather than load those files from the app’s servers. Doing so speeds up the app’s performance considerably,” vpnMentor explained.
“Pray.com seemingly overlooked installing proper security measures on its CloudFront account. As a result, any files on the S3 buckets could be indirectly viewed and accessed through the CDN, regardless of their individual security settings.”
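The pattern vpnMentor describes (objects locked down on S3 but served by a CloudFront distribution that anyone can reach) can be checked for in configuration before it reaches production. The block below is an added example, not vpnMentor's or Pray.com's code. It evaluates a bucket policy together with a simplified model of a CloudFront DistributionConfig (only PathPattern, TrustedSigners and TrustedKeyGroups of each cache behaviour are modelled, and the bucket name, origin access identity and key-group id are placeholders) and reports whether a private prefix is exposed directly on S3, or indirectly through the CDN because no signed URLs or cookies are required on the path that serves it.

```python
import fnmatch
from typing import List


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def _principals(stmt: dict) -> List[str]:
    """Flatten the Principal element ("*", {"AWS": "..."} or {"AWS": [...]}) into strings."""
    principal = stmt.get("Principal", {})
    if isinstance(principal, str):
        return [principal]
    found = []
    for value in principal.values():
        found.extend(_as_list(value))
    return found


def bucket_read_grants(policy: dict) -> List[str]:
    """Principals granted object reads by an unconditioned Allow statement."""
    grants = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        actions = _as_list(stmt.get("Action", []))
        if any(a in ("s3:GetObject", "s3:Get*", "s3:*", "*") for a in actions):
            grants.extend(_principals(stmt))
    return grants


def assess_private_prefix(policy: dict, distribution: dict, private_prefix: str) -> List[str]:
    """Findings for objects under private_prefix (e.g. 'uploads/')."""
    findings = []
    grants = bucket_read_grants(policy)
    if "*" in grants:
        findings.append(f"S3: {private_prefix}* is world-readable (s3:GetObject granted to '*')")
    # CloudFront reaches the objects either because the bucket is public or via its OAI.
    cdn_can_read = "*" in grants or any("CloudFront Origin Access Identity" in g for g in grants)
    if not cdn_can_read:
        return findings
    # CloudFront evaluates CacheBehaviors in order and falls back to DefaultCacheBehavior ('*').
    behaviours = list(distribution.get("CacheBehaviors", [])) + [distribution["DefaultCacheBehavior"]]
    for behaviour in behaviours:
        pattern = behaviour.get("PathPattern", "*")
        if not fnmatch.fnmatch(private_prefix + "example", pattern):
            continue
        signed = (behaviour.get("TrustedSigners", {}).get("Enabled")
                  or behaviour.get("TrustedKeyGroups", {}).get("Enabled"))
        if not signed:
            findings.append(f"CloudFront: behaviour '{pattern}' serves {private_prefix}* without signed "
                            "URLs/cookies, so per-object S3 settings are bypassed")
        break
    return findings


# Constructed placeholders (not Pray.com's real configuration).
OAI_PRINCIPAL = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EXAMPLEOAIID"
OAI_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": OAI_PRINCIPAL},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-app-bucket/*"}]}
PUBLIC_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-app-bucket/*"}]}
UNSIGNED = {"TrustedSigners": {"Enabled": False}, "TrustedKeyGroups": {"Enabled": False}}
# Weak: one catch-all behaviour, so everything the OAI can read is public through the CDN.
WEAK_DISTRIBUTION = {"DefaultCacheBehavior": dict(UNSIGNED), "CacheBehaviors": []}
# Hardened: the private prefix gets its own behaviour that requires a signed URL or cookie.
HARDENED_DISTRIBUTION = {"DefaultCacheBehavior": dict(UNSIGNED), "CacheBehaviors": [{
    "PathPattern": "uploads/*", "TrustedSigners": {"Enabled": False},
    "TrustedKeyGroups": {"Enabled": True, "Quantity": 1, "Items": ["KEYGROUP_PLACEHOLDER"]}}]}

if __name__ == "__main__":
    for name, dist in (("weak", WEAK_DISTRIBUTION), ("hardened", HARDENED_DISTRIBUTION)):
        print(name, assess_private_prefix(OAI_ONLY_POLICY, dist, "uploads/") or ["no findings"])
```

The hardened configuration keeps the OAI-only bucket policy but adds a behaviour for the private prefix that requires a trusted key group, which is the CloudFront-side control the report says was missing; public marketing content under other prefixes can stay on the unsigned default behaviour.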
After notifying the company repeatedly through early October, vpnMentor finally received a one-word response from Pray.com CEO, Steve Gatena: “Unsubscribe.”
While most of the misconfigured buckets’ 1.8 million files featured corporate content, those 80,000 exposed files represented a serious privacy and security risk.
They contained uploaded profile pics from app users, CSV files from churches using the app, with the names, home and email addresses, phone numbers and other info on churchgoers and PII of individuals donating to churches via the app.
Perhaps most damaging was a feature which uploads the entire phonebook of any user who gives the app permission to invite their friends to join. These “phonebooks” contained hundreds of contacts, with info including name, phone number, email, home and business address.
Many of the files also contained log-ins from private accounts, the report continued.
This data went all the way back to 2016.
The researchers warned that individuals caught up in the leak, some of whom had .gov and .mil email addresses, were at risk from follow-on phishing, identity fraud and account takeover.
The vpnMentor team noted that regulators for the CCPA and GDPR may want to investigate further. Five weeks after initial contact was made with Pray.com, the offending files were removed, although the S3 buckets apparently remain exposed.
Today's podcast reports on a new offensive cyber squad set up in the U.K., a bug found in GO SMS Pro messaging app, and updates for Cisco Webex Meetings, Chrome and Firefox browsers are now available
The operators of the QakBot banking trojan have dropped the ProLock ransomware and are now opting for the Egregor ransomware in their operations.
Group-IB, a global threat hunting and intelligence company headquartered in Singapore, has discovered that QakBot (aka Qbot) operators have abandoned ProLock for Egregor ransomware. Egregor has been actively distributed since September 2020 and has so far hit at least 69 big companies in 16 countries. The biggest ransom demand detected by Group-IB team has been at $4 million worth of BTC.
During recent incident response engagements, the Group-IB DFIR (Digital Forensics and Incident Response) team noticed a significant change in QakBot operators’ tactics: the gang started to deploy a new ransomware family, Egregor. This ransomware strain emerged in September 2020, but the threat actors behind it have already managed to lock quite big companies, such as game developer Crytek, bookseller Barnes & Noble, and most recently the Chilean retail giant Cencosud.
ProLock = Egregor
The analysis of attacks where Egregor has been deployed revealed that the TTPs used by the threat actors are almost identical to the ones used by the ProLock operators, whose campaigns were described in a Group-IB blog post in May. First, initial access is always gained via QakBot delivered through malicious Microsoft Excel documents impersonating DocuSign-encrypted spreadsheets. Moreover, Egregor operators have been using Rclone for data exfiltration, the same as with ProLock. The same tools and naming conventions have been used as well, for example md.exe, rdp.bat, svchost.exe. Hence, all of the above considered, Group-IB experts assess that it is very likely that QakBot operators have switched from ProLock to Egregor ransomware.
Geography and victims
The gang behind Egregor followed in the footsteps of Maze, which called it quits not long ago. Egregor operators leverage intimidation tactics: rather than just encrypting compromised networks, they threaten to release sensitive information on the leak site they operate. The biggest ransom demand registered by the Group-IB team so far was $4 million worth of BTC.
In less than 3 months Egregor operators have managed to successfully hit 69 companies around the world with 32 targets in the US, 7 victims in France and Italy each, 6 in Germany, and 4 in the UK. Other victims happened to be from the APAC, the Middle East, and Latin America. Egregor’s favorite sectors are Manufacturing (28.9% of victims) and Retail (14.5%).
While the TTPs of Egregor operators are almost identical to those of ProLock, the analysis of an Egregor ransomware sample obtained during a recent incident response engagement revealed that the executable code of Egregor is very similar to Sekhmet. The two strains share some core features and use similar obfuscation techniques. Egregor source code bears similarities with Maze ransomware as well. The decryption of the final payload is based on a password provided on the command line, so it is impossible to analyze Egregor without the command-line arguments supplied by the attacker. Egregor operators use a combination of the ChaCha8 stream cipher and RSA-2048 for file encryption.
The use of Cobalt Strike and QakBot is something to watch for when hunting for Egregor. More threat hunting and detection tips from the Group-IB DFIR team, as well as a detailed technical analysis of Egregor operations, are available in Group-IB’s blog.
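The TTPs listed above (QakBot arriving in malicious Excel documents, Rclone for exfiltration, tools dropped under names such as md.exe, rdp.bat and svchost.exe) translate directly into hunting rules over process-creation telemetry. The block below is an added example and not Group-IB's own detection content; it runs four such rules over constructed Sysmon-style events. Two of the rules are heuristics assumed here rather than stated in the report: that Excel spawning a scripting or DLL-loading binary marks the document-delivery stage, and that a process named svchost.exe outside the Windows system directories is a renamed tool. The file paths and DLL names in the sample events are invented.

```python
import ntpath
from typing import List, Tuple

OFFICE = {"excel.exe", "winword.exe"}
# Assumed heuristic: children an Office document should not normally launch.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "regsvr32.exe", "rundll32.exe", "wscript.exe", "mshta.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# File names the report ties to the ProLock/Egregor tooling.
NAMED_TOOLS = {"md.exe", "rdp.bat"}


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def hunt(events: List[dict]) -> List[Tuple[str, str]]:
    """Return (rule, evidence) pairs for every event that matches a hunting rule."""
    findings = []
    for event in events:
        image = event["Image"]
        parent = event.get("ParentImage", "")
        cmd = event.get("CommandLine", "")
        name = _base(image)
        if _base(parent) in OFFICE and name in SUSPICIOUS_CHILDREN:
            findings.append(("office-spawned-lolbin", cmd))
        if name == "rclone.exe" or "rclone" in cmd.lower():
            findings.append(("rclone-exfil", cmd))
        if name == "svchost.exe" and not image.lower().startswith(SYSTEM_DIRS):
            findings.append(("svchost-outside-system32", image))
        if name in NAMED_TOOLS:
            findings.append(("known-tool-name", image))
    return findings


# Constructed sample events (Sysmon Event ID 1 style fields); none are real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\regsvr32.exe", "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": r"regsvr32.exe /s C:\Users\u\AppData\Local\Temp\invoice1.dll"},
    {"Image": r"C:\Users\u\AppData\Roaming\svchost.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "svchost.exe"},
    {"Image": r"C:\Temp\rclone.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"rclone.exe copy C:\Shares\Finance remote:backup"},
    {"Image": r"C:\Windows\System32\svchost.exe", "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"Image": r"C:\Temp\md.exe", "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "md.exe"},
    {"Image": r"C:\Windows\splwow64.exe", "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": "splwow64.exe"},
]

if __name__ == "__main__":
    for rule, evidence in hunt(SAMPLE_EVENTS):
        print(f"{rule:28} {evidence}")
```

The legitimate svchost.exe under System32 and Excel's print helper produce no findings, which is the point of path- and parent-aware rules: a bare file-name match on svchost.exe would drown the renamed copy in noise.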
“Tactics, techniques and procedures observed are very similar to those seen in the past Qakbot’s Big Game Hunting operations,” comments Oleg Skulkin, senior DFIR analyst at Group-IB. “At the same time, we see that these methods are still very effective and allow threat actors to compromise quite big companies with a high success rate. It’s important to note that the fact many Maze partners started to move to Egregor will most likely result in a shift in TTPs, so defenders should focus on known methods associated with Maze affiliates.”
If you would like to learn more about ransomware operations and TTPs in 2020, register now for Group-IB’s signature Threat Hunting and Intelligence conference, CyberCrimeCon. The eighth edition of the iconic event, held on November 25-26, will traditionally unite cybersecurity professionals from the financial and tech sectors, retail and industrial giants, as well as law enforcement agencies and will, in addition to two major streams — analytical and technological — contain a Threat Hunting Game. The conference’s speaker lineup includes representatives of Europol EC3, leading banks, FMCG companies, and independent researchers.
Media registration is open here https://bit.ly/3lDifKa.
Group-IB is a Singapore-based provider of solutions aimed at detection and prevention of cyberattacks and online fraud. The company also specializes in high-profile cyber investigations and IP protection services.
Group-IB is a partner of INTERPOL, Europol, and has been recommended by the OSCE as a cybersecurity solutions provider.
(SecurityAffairs – hacking, QakBot)
The post QakBot Big Game Hunting continues: the operators drop ProLock ransomware for Egregor appeared first on Security Affairs.
VMware has patched critical vulnerabilities affecting its ESXi enterprise-class hypervisor and has released a security update for its SD-WAN Orchestrator, plugging a handful of serious security holes. Vulnerabilities in ESXi hypervisor exploited during a hacking competition During the Tianfu Cup Pwn Contest that was held in Chengdu, China, earlier this month, Xiao Wei and Tianwen Tang, two researchers from the Qihoo 360 Vulcan Team, exploited two previously unknown vulnerabilities to thoroughly compromise VMWare’s ESXi hypervisor: … More
The post VMware patches serious vulnerabilities in ESXi hypervisor, SD-WAN Orchestrator appeared first on Help Net Security.
Facebook has addressed a security vulnerability in its Messenger for Android app that could have allowed attackers to spy on users.
Facebook has addressed a major security issue in its Messenger for Android app that could have allowed threat actors to spy on users by placing and connecting Messenger audio calls without their interaction.
The vulnerability was discovered by white-hat hacker Natalie Silvanovich, from Google’s Project Zero team.
The flaw resides in the Session Description Protocol (SDP) of WebRTC protocol, which is implemented in the Messenger app to support audio and video calls.
The SDP protocol handles session data for WebRTC connections, and Silvanovich discovered that it is possible to use an SDP message to approve WebRTC connections without any user interaction.
“However, there is a message type that is not used for call set-up, SdpUpdate, that causes setLocalDescription to be called immediately. If this message is sent to the callee device while it is ringing, it will cause it to start transmitting audio immediately, which could allow an attacker to monitor the callee’s surroundings.” reads the report published by Silvanovich.
Silvanovich also published a PoC code that was tested on version 218.104.22.168.119 of Facebook Messenger for Android.
The issue, which was subject to Google’s 90-day disclosure deadline, was reported to Facebook in October, and the social network giant addressed it on November 17, 2020. Facebook released an update to its Messenger for Android app on November 19, 2020.
“It would then trigger a scenario where, while the device is ringing, the caller would begin receiving audio either until the person being called answers or the call times out. To exploit this issue, an attacker would have to already have the permissions to call this particular person by passing certain eligibility checks (e.g. being friends on Facebook). They’d also need to use reverse engineering tools to manipulate their own Messenger application to force it to send a custom message.” reads the post published by Facebook. The company also awarded a $60,000 bounty for the bug as part of its bug bounty program.
The good news is that Silvanovich, a legend in the field, has chosen to donate the payout to GiveWell, a non-profit that coordinates various charity activities.
In October 2018, Silvanovich discovered a similar vulnerability in WhatsApp that could have been exploited by attackers to crash victims’ instant messaging app simply by placing a call. The vulnerability was a memory heap overflow issue.
(SecurityAffairs – hacking, Facebook Messenger)
The post A flaw in Facebook Messenger could have allowed spying on users appeared first on Security Affairs.
Microsoft Announces Pluton Processor for Better Hardware Security
Microsoft has announced the launch of a security processor designed to provide stronger hardware and software integration for Windows PCs to remove entire vectors of attack.
Named the Pluton and built in collaboration with AMD, Intel and Qualcomm, Microsoft claimed the processor will improve the ability to guard against physical and/or hardware attacks targeting identity and encryption keys to steal sensitive information, monitor firmware and verify the integrity of the system, and streamline firmware updates through the cloud (via Windows Update).
A “chip-to-cloud” security technology, this has been pioneered in Xbox and Azure Sphere. Microsoft said its vision for the future of Windows PCs is security at the core, built into the CPU, for a more integrated approach where the hardware and software are tightly integrated, ultimately removing entire vectors of attack.
Windows PCs using the Pluton architecture will first emulate a Trusted Platform Module (TPM), which works with the existing TPM specifications and APIs, allowing customers to immediately benefit from enhanced security for Windows features that rely on TPMs like BitLocker and System Guard.
The processor will protect credentials, user identities, encryption keys and personal data by storing sensitive data securely within the Pluton processor, which is isolated from the rest of the system.
Pluton also provides the unique Secure Hardware Cryptography Key (SHACK) technology that helps ensure keys are never exposed outside of the protected hardware, even to the Pluton firmware itself, providing an unprecedented level of security for Windows customers.
Also, Pluton will provide a flexible, updateable platform for running firmware that implements end-to-end security functionality that is authored, maintained and updated by Microsoft. Pluton for Windows computers will be integrated with the Windows Update process in the same way that the Azure Sphere Security Service connects to IoT devices.
David Weston, director of enterprise and OS security at Microsoft, said: “We believe that processors with built-in security like Pluton are the future of computing hardware. With Pluton, our vision is to provide a more secure foundation for the intelligent edge and the intelligent cloud by extending this level of built-in trust to devices and things everywhere.
“Our work with the community helps Microsoft continuously innovate and enhance security at every layer. We’re excited to make this revolutionary security design a reality with the biggest names in the silicon industry as we continuously work to enhance security for all.”
Asaf Shen, senior director of product management at Qualcomm Technologies, said: “Qualcomm Technologies is pleased to continue its work with Microsoft to help make a slew of devices and use cases more secure. We believe an on-die, hardware-based Root-of-Trust like the Microsoft Pluton is an important component in securing multiple use cases and the devices enabling them.”
US Senate Approves New Deepfake Bill
US legislation mandating government research into deepfakes took a step closer to becoming law this week after it passed the Senate by unanimous consent.
Sponsored by Democrat senator for Nevada, Catherine Cortez Masto, the Identifying Outputs of Generative Adversarial Networks (IOGAN) Act recognizes the need for such research as nation states and cyber-criminals hone their tools.
“This bill directs the National Science Foundation (NSF) and the National Institute of Standards and Technology (NIST) to support research on generative adversarial networks. A generative adversarial network is a software system designed to be trained with authentic inputs (e.g. photographs) to generate similar, but artificial, outputs (e.g. deepfakes),” noted a summary of the bill.
“Specifically, the NSF must support research on manipulated or synthesized content and information authenticity and NIST must support research for the development of measurements and standards necessary to accelerate the development of the technological tools to examine the function and outputs of generative adversarial networks or other technologies that synthesize or manipulate content.”
Just this week, Europol, the UN and Trend Micro warned in a new report of the malicious use of deepfakes.
The tech offers cyber-criminals and state actors opportunities to extort high profile figures through pornographic and other content with their faces superimposed, undermine governments through misinformation and could also be used in quasi-BEC attempts to persuade corporate victims to make large wire transfers.
The latter technique has already been used by attackers with an audio clip, in which a British CEO was tricked into sending £200,000 to his attackers.
The potential for political disruption perhaps accounts for the Senate’s unanimous approval of IOGAN.
“In 2019, a deepfake video that went viral in Malaysia involved a political aide who appeared to confess to having had homosexual relations with a cabinet minister,” noted the Europol report.
“Additionally, the video included a call to have the minister investigated for alleged corruption. While the motive behind the video (beyond character defamation) remains unclear, it succeeded to wreak havoc politically and destabilize the coalition government.”
The US bill must now pass through the House of Representatives.
Apple is slashing developer fees on one end and putting fires out in the other, and the Solomon Islands is looking at banning Facebook.
Like most things in life, starting early gives you an advantage, even when it comes to cybersecurity. Today’s...
A recently uncovered vulnerability in a class of Amazon Web Services APIs can be exploited to enumerate AWS Identity and Access Management (IAM) users in arbitrary accounts, according to Palo Alto Networks' Unit 42.
While the global banking and financial industry has made strides in protecting its data from malware such as Trojans, cyberthreats such as network intrusion, ransomware and criminal gang cooperation are presenting fresh challenges, according to the Carnegie Endowment for International Peace.
Black Friday Alert as E-Commerce Attacks Surge in 2020
Security researchers are warning of a spike in cyber-attacks against retailers this year which may impact the coming Black Friday and holiday season shopping spree.
Imperva’s State of Security Within e-Commerce report was compiled using data from its various security products.
It noted several attack trends this year likely to have been influenced by the greater numbers of shoppers heading online during COVID-19 lockdowns.
First, it claimed that e-retailers experienced more than twice as many account takeover (ATO) attempts as any other industry this year — 62% of login pages were hit versus 25%. Nearly 79% of retailers suffered credential stuffing, where previously breached credentials are used in automated attacks across large numbers of sites.
This chimes with an Akamai study which found that retail accounted for over 90% of the 64 billion credential stuffing attempts detected over 2018-2020.
Bots are used to power such attempts, and indeed 98% of the attacks featured in Imperva’s report originate from automated bot activity. While many are used by cyber-criminals, bots can also be deployed by retailers for price scraping and inventory tracking of competitors, the report claimed.
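Credential stuffing has a signature that distinguishes it from both a forgotten password and a single-account brute force: one source tries many different usernames, almost all of them fail, and the occasional success is the account that was reused across sites. The block below is an added example, not code or data from the Imperva or Akamai reports; it parses a constructed login log (documentation IP ranges, invented usernames) and flags sources that match that signature, then lists the accounts that were successfully logged into from a flagged source, which are the ones a defender should force a password reset on.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample log: one ordinary user, one single-account brute force, one stuffing run.
SAMPLE_LOG = """\
2020-11-20T10:00:01Z 198.51.100.7 POST /login user=alice status=401 ua=Mozilla/5.0
2020-11-20T10:00:09Z 198.51.100.7 POST /login user=alice status=200 ua=Mozilla/5.0
2020-11-20T10:01:00Z 203.0.113.9 POST /login user=carol status=401 ua=Mozilla/5.0
2020-11-20T10:01:01Z 203.0.113.9 POST /login user=carol status=401 ua=Mozilla/5.0
2020-11-20T10:01:02Z 203.0.113.9 POST /login user=carol status=401 ua=Mozilla/5.0
2020-11-20T10:01:03Z 203.0.113.9 POST /login user=carol status=401 ua=Mozilla/5.0
2020-11-20T10:01:04Z 203.0.113.9 POST /login user=carol status=401 ua=Mozilla/5.0
2020-11-20T10:01:05Z 203.0.113.9 POST /login user=carol status=401 ua=Mozilla/5.0
2020-11-20T10:02:00Z 203.0.113.5 POST /login user=bob status=401 ua=python-requests/2.25
2020-11-20T10:02:00Z 203.0.113.5 POST /login user=carol status=401 ua=python-requests/2.25
2020-11-20T10:02:01Z 203.0.113.5 POST /login user=dave status=200 ua=python-requests/2.25
2020-11-20T10:02:01Z 203.0.113.5 POST /login user=erin status=401 ua=python-requests/2.25
2020-11-20T10:02:02Z 203.0.113.5 POST /login user=frank status=401 ua=python-requests/2.25
2020-11-20T10:02:02Z 203.0.113.5 POST /login user=grace status=401 ua=python-requests/2.25
2020-11-20T10:02:03Z 203.0.113.5 POST /login user=heidi status=401 ua=python-requests/2.25
2020-11-20T10:02:03Z 203.0.113.5 POST /login user=ivan status=401 ua=python-requests/2.25
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) POST /login user=(?P<user>\S+) status=(?P<status>\d{3}) ua=(?P<ua>.+)$"
)


def parse_login_log(text: str) -> List[dict]:
    """Turn log lines into dicts; lines that do not match the expected shape are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]


def summarise_by_ip(events: List[dict]) -> Dict[str, dict]:
    """Per source IP: attempt count, failure count, distinct usernames, usernames that succeeded."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set(), "successes": set()})
    for e in events:
        s = stats[e["ip"]]
        s["attempts"] += 1
        s["users"].add(e["user"])
        if e["status"] == "200":
            s["successes"].add(e["user"])
        else:
            s["failures"] += 1
    return stats


def credential_stuffing_sources(events: List[dict], min_users: int = 5,
                                min_fail_ratio: float = 0.75) -> List[Tuple[str, dict]]:
    """Flag IPs that tried at least min_users distinct accounts with a high failure ratio.
    A single account hammered from one IP is brute force, not stuffing, and is left to other rules."""
    flagged = []
    for ip, s in summarise_by_ip(events).items():
        fail_ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_users and fail_ratio >= min_fail_ratio:
            flagged.append((ip, {"attempts": s["attempts"], "distinct_users": len(s["users"]),
                                 "fail_ratio": round(fail_ratio, 2), "hits": sorted(s["successes"])}))
    return sorted(flagged)


def accounts_to_reset(events: List[dict]) -> List[str]:
    """Accounts successfully logged into from a flagged source: treat them as compromised."""
    hits = set()
    for _, detail in credential_stuffing_sources(events):
        hits.update(detail["hits"])
    return sorted(hits)


if __name__ == "__main__":
    parsed = parse_login_log(SAMPLE_LOG)
    for ip, detail in credential_stuffing_sources(parsed):
        print(ip, detail)
    print("force reset:", accounts_to_reset(parsed))
```

On real traffic the same logic should be keyed on more than the source IP, since stuffing tools rotate through proxies; grouping by the automation user-agent or by request fingerprint, and windowing the counts in time, keeps the rule useful when the per-IP volume drops.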
Elsewhere, API attacks have surged past usual levels this year, with cross-site scripting (42%) and SQLi (40%) together accounting for the majority as attackers sought to access customer databases.
However, XSS only accounted for 16% of the total volume of attacks on retailer websites this year: more common were remote code execution (21%) and data leakage (20%) raids, with 49% aimed at US sites by attackers using anonymizing tools.
DDoS attacks have also increased in volume and intensity this year. Imperva monitored an average of eight application layer attacks per month against online retail sites, with a significant peak occurring in April 2020, when major lockdowns came into force.
This all bodes ill for e-commerce players this Black Friday, when traffic is expected to be higher than ever.
“The holiday shopping season is a crucial revenue period for retailers every year, but in 2020, they face a two-pronged threat: managing unprecedented levels of human and attack traffic to their websites and APIs,” said Edward Roberts, application security strategist at Imperva.
“Amid this historic holiday shopping season, the retail industry is likely to experience a peak in human traffic that exceeds anything measured this year and unlike anything in recent memory. The question is, how many attackers are going to hide within this expected traffic spike?”
This week, I've finally got a workable mobile setup with sufficient quality audio and video. As I explain in the video, this is ultimately achieved by the Sigma lens feeding into the Sony DSLR then via micro HDMI to the Elgato Cam Link 4K into my laptop via USB which then wifis over to my boat shed access point connected via ethernet over power to the server room and into the network. This seems unnecessarily hard... yet here we are. I'll be travelling for an extended period starting in a few weeks' time so let's see how this all goes on the road. For now, here's this week's update from my backyard:
- The Cit0day collection of breaches is... big (you really have to listen to this week's video to understand the complexities behind showing more contextual data)
- I've had to deal with a lot of crap after loading this breach as well (that's a tweet that's gotten a lot of likes and it shows how thankless it can sometimes be running a free service)
- I'm not against 2FA, it's just a pain in the arse and has a heap of problems (that's a piece I wrote a couple of years ago on the challenges various implementations have)
- Sponsored by: Join the Microsoft Reactor community for workshops and events to expand your skillset across a range of technologies and topics