Author Archives: Vibhooti Bhatnagar

Cryptojacking becomes top malware in some countries

Cryptojacking, the unauthorized use of another’s hardware to mine cryptocurrency, has become the biggest cyber threat in many parts of the world, Bloomberg reported December 14.

According to research from cybersecurity firm Kaspersky Lab, cryptojacking overtook ransomware as the biggest cybersecurity threat, particularly in the Middle East, Turkey and Africa. In Afghanistan and Ethiopia, more than one in four detected malware samples were cryptocurrency miners, according to Kaspersky's data.

As cited by Bloomberg, Kaspersky's research "shows crypto mining attacks have risen almost fourfold in the region, from 3.5 million in 2017 to 13 million this year." The cybersecurity firm reportedly also claimed that cryptojacking incidents are "likely to continue given the increased use of digital currencies."

A report released by Kaspersky in November declares that the reason for the rise of cryptojacking malware compared to ransomware may “be due to the fact that people from developing markets are not so eager to pay a ransom.”

Not only PC users but also smartphone users are targeted by unauthorised mining software: from the 2016-2017 period to the 2017-2018 period, such attacks reportedly increased by 9.5 percent.

Fabio Assolini, Kaspersky’s Senior Security Researcher, told Bloomberg that “the [Middle East, Turkey, Africa] region is becoming more appealing to cyber-criminals, with financial and malicious cryptomining attacks taking center stage.” Assolini also claimed that such attacks are becoming increasingly popular because they are “less noticeable” than ransomware.

Still, the increase in the popularity of this kind of malware has not been global. For instance, this year it registered a decrease of 15 percent in Zambia and 11 percent in Uzbekistan, according to the cybersecurity firm. The report concludes: "Last year we asked what tips the scales for cybercriminals? Today, this is no longer a question. Miners will keep spreading across the globe, attracting more people."

100,000 Windows users hit in China by new ransomware

Ransomware attacks may have dwindled since the destructive days of WannaCry and NotPetya last year, but a new one has struck mobile-centric China, and it is asking for ransom through one of the country's most popular payment methods.

The hackers are distributing rigged apps, disguised as social media apps, on various forums and local websites to infect users. Many reports claim that one such app goes by the name "Account Operation V3.1", a Chinese app that helps users manage multiple QQ accounts (QQ is a popular Chinese instant messaging service).

The ransomware strain is spreading through a supply-chain attack that has targeted Chinese users since December 1 and has infected more than 100,000 Windows computers so far. The ransomware encrypts personal files and demands 110 yuan (about $16).

The ransom is requested through a digital wallet that is one of the two most commonly used in China.

The ransomware not only encrypts files but is also capable of stealing login credentials for popular Chinese online services such as Taobao, Baidu Cloud, NetEase 163, Tencent QQ, Jingdong and Alipay.

Velvet security researchers who analysed the ransomware variant found that the attackers added malicious code to an SDK for the Easy Language (EPL) programming software, so that the malicious code is injected into every other program compiled with it.

In total, more than 50 software packages were poisoned with the malicious code, and the ransomware operators use the Chinese social network Douban for C&C communication. The ransomware also collects details of the software installed on the victim's computer.

Separately, local media reported today that over 20,000 computers have fallen victim to an unnamed ransomware demanding payment via WeChat Pay, adding that the number is still growing. WeChat Pay, owned by Chinese tech giant Tencent, is one of the two most commonly used digital wallets in China.

Cisco patched SQL injection vulnerability

Cisco has patched a critical SQL injection vulnerability in Cisco Prime License Manager that allows an unauthenticated remote attacker to execute arbitrary SQL queries.

SQL injection is a code injection technique in which an attacker supplies input that the application fails to validate, inserting SQL commands through the web application that are then executed by the backend database.

The vulnerability in Cisco Prime License Manager is due to a lack of proper validation of user-supplied input used in SQL queries. An unauthenticated remote attacker could exploit it by sending an HTTP POST request that contains a malicious SQL query.
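To make the mechanism concrete, here is an added example (not Cisco's code, and not taken from the advisory): the same lookup written once with string concatenation and once as a parameterised query, run against an in-memory SQLite database so it executes offline. The table, column names and the payload are constructed for the demonstration.

```python
"""Added example, not Cisco's code: the same lookup written with string
concatenation and with a parameterised query, against an in-memory
SQLite database so it runs offline. The table, column names and inputs
are constructed for the demonstration; nothing here is taken from the
product or the advisory."""
import sqlite3

# Constructed sample data standing in for an application's backend table.
SAMPLE_ROWS = [("alice", "LIC-0001"), ("bob", "LIC-0002")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE licences (owner TEXT, licence TEXT)")
    conn.executemany("INSERT INTO licences VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, owner):
    # The request value is spliced into the SQL text. A quote in the input
    # closes the string literal and everything after it is parsed as SQL.
    sql = f"SELECT licence FROM licences WHERE owner = '{owner}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, owner):
    # Query shape and value travel separately; the value can only ever be
    # compared against the owner column, whatever characters it contains.
    sql = "SELECT licence FROM licences WHERE owner = ?"
    return [row[0] for row in conn.execute(sql, (owner,))]


def demo():
    conn = make_db()
    # Constructed payload of the kind an HTTP POST parameter would carry.
    payload = "x' OR '1'='1"
    return {
        "vulnerable": lookup_vulnerable(conn, payload),  # every row leaks
        "safe": lookup_safe(conn, payload),              # no row matches
        "safe_legit": lookup_safe(conn, "alice"),
    }


if __name__ == "__main__":
    print(demo())
```

Parameterisation removes the injection itself; the advisory's worst-case outcome (access as the postgres user) is a separate reminder to run the application's database role with least privilege rather than as the database superuser.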

Successful exploitation of the vulnerability could allow an attacker to delete or modify arbitrary data or to gain privileged access as the postgres user. The vulnerability is tracked as CVE-2018-15441, and Cisco has released software updates to address it.

The vulnerability affects Cisco Prime License Manager Releases 11.0.1 and later. Cisco Unified Communications Manager and Cisco Unity Connection Releases 12.0 and later are not affected, as Prime License Manager is not included in those versions.

Cisco released a patch file, ciscocm.CSCvk30822_v1.0.k3.cop.sgn, for Cisco Prime License Manager; it is applicable to Cisco Unified Communications Manager and Cisco Unity Connection 11.5(1) only, and customers running earlier releases should first upgrade to 11.5(1), the Cisco security advisory says.

The patch file along with the instructions can also be downloaded.

Wireshark 2.6.5 released with fixes

The most popular and widely used network protocol analyser, Wireshark, has released version 2.6.5, which fixes a number of security vulnerabilities that could crash Wireshark when it processes an injected malformed packet or reads a malformed packet trace file.

wnpa-sec-2018-51 – The Wireshark dissection engine could crash.

wnpa-sec-2018-52 – The DCOM dissector could crash.

wnpa-sec-2018-53 – The LBMPDM dissector could crash.

wnpa-sec-2018-54 – The MMSE dissector could go into an infinite loop.

wnpa-sec-2018-55 – The IxVeriWave file parser could crash.

wnpa-sec-2018-56 – The PVFS dissector could crash.

All of these vulnerabilities could be exploited by injecting a malformed packet onto the wire or by getting a user to open a malformed packet trace file. They affect Wireshark versions 2.6.0 to 2.6.4 and 2.4.0 to 2.4.10 and are fixed in 2.6.5 and 2.4.11 or later.

wnpa-sec-2018-57 – The ZigBee ZCL dissector could crash. Affected versions 2.6.0 to 2.6.4; fixed in 2.6.5.
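The two failure classes in the list above, a dissector crashing on a truncated field and a dissector looping forever on a record that makes no progress, come down to missing bounds and progress checks. The following added example (not Wireshark code) shows a dissector for a constructed TLV record format written both ways. The record layout (1-byte type, 2-byte big-endian total length including the 3-byte header, then payload) and the sample frames are assumptions for the demonstration.

```python
"""Added example, not Wireshark code: a dissector for a constructed TLV
record format, first written the way the advisories above describe failing
(no bounds or progress checks), then hardened. Record layout, assumed for
this example only: 1-byte type, 2-byte big-endian total length that
includes the 3-byte header, then the payload."""
import struct

HEADER = struct.Struct(">BH")  # type, total record length
MAX_RECORDS = 10_000           # upper bound so a hostile trace cannot spin forever


class MalformedPacket(ValueError):
    """Raised instead of letting the dissector crash or loop."""


def dissect_naive(buf):
    # Trusts the length field. A buffer ending mid-header raises struct.error
    # (the "could crash" class: in C this is an out-of-bounds read) and a
    # total length of 0 never advances the offset (the "infinite loop" class).
    # Kept only for contrast; do not feed it untrusted input.
    records, offset = [], 0
    while offset < len(buf):
        rtype, total = HEADER.unpack_from(buf, offset)
        records.append((rtype, bytes(buf[offset + HEADER.size:offset + total])))
        offset += total
    return records


def dissect_hardened(buf):
    records, offset = [], 0
    while offset < len(buf):
        if len(records) >= MAX_RECORDS:
            raise MalformedPacket("too many records")
        if len(buf) - offset < HEADER.size:
            raise MalformedPacket(f"truncated header at offset {offset}")
        rtype, total = HEADER.unpack_from(buf, offset)
        if total < HEADER.size:
            # Would otherwise re-dissect the same bytes forever.
            raise MalformedPacket(f"length {total} smaller than header at offset {offset}")
        if offset + total > len(buf):
            raise MalformedPacket(f"record at offset {offset} runs past end of buffer")
        records.append((rtype, bytes(buf[offset + HEADER.size:offset + total])))
        offset += total
    return records


def classify(buf):
    """Return ('ok', records) or ('malformed', reason) without ever crashing."""
    try:
        return ("ok", dissect_hardened(buf))
    except MalformedPacket as exc:
        return ("malformed", str(exc))


def make_record(rtype, payload):
    return HEADER.pack(rtype, HEADER.size + len(payload)) + payload


# Constructed inputs: one well-formed frame and three malformed ones.
GOOD = make_record(1, b"abc") + make_record(2, b"")
TRUNCATED = GOOD + b"\x03\x00"                         # header cut off after 2 bytes
OVERRUN = make_record(1, b"abc") + b"\x02\x00\x09"     # claims 9 bytes, 3 remain
ZERO_LENGTH = make_record(1, b"abc") + b"\x02\x00\x00" # length 0: no progress

if __name__ == "__main__":
    for name, frame in [("GOOD", GOOD), ("TRUNCATED", TRUNCATED),
                        ("OVERRUN", OVERRUN), ("ZERO_LENGTH", ZERO_LENGTH)]:
        print(name, classify(frame))
```

The hardened version validates the length field against both the header size and the remaining buffer before using it, and caps the record count; those three checks are what separate a malformed-packet finding from a crash or hang in the analyser.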

Other Bug Fixes – Wireshark 2.6.5

VoIP Calls dialogue doesn’t include RTP stream when preparing a filter.

Wireshark installs on macOS with permissions for /Library/Application Support/Wireshark that are too restrictive.

Closing Enabled Protocols dialogue crashes Wireshark.

Unable to Export Objects → HTTP after sorting columns.

DNS Response to NS query shows as a malformed packet.

Encrypted Alerts corresponds to a wrong selection in the packet bytes pane.

Wireshark crashes/asserts with Qt 5.11.1 and assert/debugsymbols enabled.

ESP will not decode since 2.6.2 – works fine in 2.4.6 or 2.4.8.

text2pcap generates malformed packets when TCP, UDP or SCTP headers are added together with IPv6 header.

Wireshark tries to decode EAP-SIM Pseudonym Identity.

Infinite read loop when extcap exits with error and error message.

MATE unable to extract fields for PDU.

Malformed Packet: SV.

OPC UA Max nesting depth exceeded for a valid packet.

The new version also comes with updated protocol support, capture file support and interface support, according to the release notes, and can be downloaded from the Wireshark website.

Dell says hackers tried to steal customer info

Global computer maker Dell Technologies released a customer update on its website on November 28 acknowledging that hackers tried to break into its customer accounts on November 9, when it detected "unauthorised activity" on its network. However, the company said it warded off the attack and that no Dell products or services were affected.

The hackers tried to extract customer names, email addresses and hashed passwords, which are harder to recover than plaintext. It is not, however, clear how successful the effort was. Credit card information and "other sensitive information" were not impacted. "Since this is a voluntary disclosure, and there is no conclusive evidence that customer account information was extracted, it would be imprudent to publish potential numbers when there may be none."

The customer update says it found no proof that any information was compromised, but a separate press release by the American computer giant on its website about the incident words it a little differently, saying, “Though it is possible some of this information was removed from Dell’s network, our investigations found no conclusive evidence that any was extracted.”

The company has also hired a digital forensics firm to conduct an independent investigation and engaged law enforcement. "On November 9, Dell detected and disrupted unauthorised activity on our network that attempted to extract Dell.com customer information, limited to names, email addresses and hashed passwords. Upon detection, we immediately implemented countermeasures and began an investigation," the tech giant said in a statement.

The Texas-based company has also involved the authorities and took the precautionary measure of resetting all Dell.com customer passwords. It is also recommending that if your Dell password is the same as or similar to what you use on other websites, you should change it with those services as well.
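How much protection "hashed passwords" actually give depends on the hashing scheme, which the notices quoted above do not specify. The following added example (not Dell's implementation) shows why the password reset and the advice about reused passwords still matter: a fast unsalted digest falls to a wordlist instantly, and a salted, iterated scheme such as PBKDF2-HMAC-SHA256 only raises the per-guess cost; a weak password still falls. The iteration count, wordlist and sample passwords are assumptions constructed for the demonstration.

```python
"""Added example, not Dell's implementation (the notices do not say how
Dell hashes passwords): salted, iterated hashing with PBKDF2-HMAC-SHA256
from the standard library, a constant-time verify, and the same wordlist
run against an unsalted SHA-1 digest and against the PBKDF2 record.
Parameters and sample passwords are assumptions for the demonstration."""
import hashlib
import hmac
import os

ITERATIONS = 600_000   # assumption: OWASP's current minimum for PBKDF2-HMAC-SHA256
SALT_BYTES = 16


def hash_password(password, salt=None):
    """Return a self-describing record: algorithm$iterations$salt$digest."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(digest.hex(), digest_hex)


def crack_unsalted_sha1(target_hex, wordlist):
    """One cheap hash per guess, and one precomputed table serves every user:
    this is why an unsalted fast hash barely counts as 'hard to decipher'."""
    for word in wordlist:
        if hashlib.sha1(word.encode()).hexdigest() == target_hex:
            return word
    return None


def crack_pbkdf2(record, wordlist):
    """Same wordlist against the salted record: each guess now costs ITERATIONS
    rounds and the per-user salt means the work cannot be shared across users.
    A password that is in the wordlist still falls, hence the forced reset."""
    for word in wordlist:
        if verify_password(word, record):
            return word
    return None


# Constructed sample: a weak password stored both ways. The fixed salt is
# only so the example is repeatable; hash_password() normally draws a random one.
WORDLIST = ["qwerty", "letmein", "password123"]
LEAKED_SHA1 = hashlib.sha1(b"letmein").hexdigest()
LEAKED_PBKDF2 = hash_password("letmein", salt=bytes(SALT_BYTES))


def demo():
    return {
        "sha1_recovered": crack_unsalted_sha1(LEAKED_SHA1, WORDLIST),
        "pbkdf2_recovered": crack_pbkdf2(LEAKED_PBKDF2, WORDLIST),
        "verify_ok": verify_password("letmein", LEAKED_PBKDF2),
        "verify_bad": verify_password("letmeout", LEAKED_PBKDF2),
    }


if __name__ == "__main__":
    print(demo())
```

Both cracks succeed in the demo, which is the point: hashing buys time per guess, not immunity, so a reset of every affected account and a warning about password reuse are the correct response even when only hashes may have left the network.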

"In this age of highly sophisticated information security threats, Dell is committed to doing all it can to protect customers' information," the company said in a release, adding, "Dell will continue to invest in its information technology networks and security to detect and prevent the risk of the unauthorised activity."

North Korean hackers are coming for your bitcoin

After reports emerged of North Koreans using Bitcoin to evade sanctions and of hackers stealing half a billion dollars in cryptocurrency from exchanges, experts now say they are targeting individual investors.

North Korean hackers have taken to stealing cryptocurrency from individual investors as part of a new strategy by Pyongyang to blunt the impact of international sanctions targeting its illicit nuclear weapons programme.

A number of experts have previously said that North Korea continues to use bitcoin to evade US sanctions. Just last month, a report by Russian cybersecurity company Group-IB stated that Lazarus, an infamous North Korean hacking group, stole about half a billion dollars in cryptocurrencies.

The targeting of individuals holding virtual currencies such as bitcoin marks a departure from its previous methods, which have targeted exchanges and financial institutions.

This group was reportedly also behind 14 hacks on cryptocurrency exchanges since January 2017. Previously, the hackers tended to target exchanges and financial institutions, but now they are going after individual investors.

“Previously, hackers directly attacked exchanges,” Simon Choi, the founder of the cyber warfare research group IssueMakersLab, said. “They targeted staff at the exchanges, but now they are attacking cryptocurrency users directly.”

This shift could be due to the strengthening of security by exchanges and financial institutions, as he explains: "They've already had successes and are continuing to progress, but during that time, the exchanges have become used to the attacks and boosted their security somewhat. Direct attacks on exchanges have become harder, so hackers are thinking about alternatively going after individual users with weak security," Choi added.

The South China Morning Post quoted Choi as saying, "With the US, the UN and others imposing sanctions on the North Korean economy, North Korea is in a difficult position economically, and cryptography has come to be seen as a good opportunity."

NATO readies for growing cyberthreats

It’s hard to believe we’re not far away from the 20th anniversary of the dreaded Y2K bug that put fear into every technology professional’s life at the turn of the millennium. The Y2K bug was initially thought to be a major safety threat because experts claimed there were significant flaws in the software of computers that controlled many critical systems such as air traffic control, the electric grid, banking, traffic lights and other key resources. In hindsight, the threat was over-hyped. None of the dire predictions came true – partly due to preparation, but mostly because such systems were not so heavily automated and had human intervention to prevent catastrophe.

Unfortunately, no vertical market has remained immune from the harmful aftermath of a successful cyber-attack or data breach. The situation is only exacerbated with regards to the Internet of Things (IoT), as the sheer volume of these devices continues to grow with each passing year. The IoT device explosion has seen a proportionate growth of the cyber threat landscape due to the new attack vectors that many insecure IoT devices can introduce into the ecosystem. Furthermore, the industrial markets that comprise our critical infrastructure have routinely found themselves in the crosshairs of potential cyber-criminals and data thieves.

Recently, U.S. Undersecretary of Defense Marcel Lettre declared that cyberattacks that result in the destruction of critical infrastructure or serious economic impact should be closely evaluated as to whether they would be considered an act of war. NATO too wants to be ready to respond to attacks on critical infrastructure.

A three-day annual exercise, dubbed Cyber Coalition, is pulling together officials from the North Atlantic Treaty Organization and its partners in Estonia, which suffered what's widely believed to be the first state-sponsored cyber assault on another country in 2007 amid a row with Russia over relocating a Soviet-era monument. They're playing out fictional scenarios in which alliance networks and civilian systems are under assault.

New Linux trojan can disable your antivirus and steal root passwords

Malware targeting Linux users may not be as widespread as the strains targeting the Windows ecosystem, but Linux malware is becoming just as complex and multi-functional as time passes by.

A new Trojan miner targeting devices running Linux is able to remove antivirus software installed on the system, according to the website of Doctor Web, a Russian antivirus maker that tracked the malware for an extended period. The malware installs cryptocurrency miners on infected systems. It has over 1,000 lines of code and is more complex than most other Linux malware.

Linux is known to be a much safer OS compared to other desktop alternatives, but it is nowhere near perfect.

The Trojan also installs a rootkit and another strain of malware that can carry out Distributed Denial of Service (DDoS) attacks.

The malware, detected under the generic name Linux.BtcMine.174, scans the system when run and looks for a directory into which it can download further malicious modules from its server. It then downloads a version of the Linux backdoor Linux.BackDoor.Gates.9, which allows the attackers to execute commands on the infected device and carry out DDoS attacks.

After this, the malware looks for other miners on the system and terminates them, then removes all files and directories belonging to antivirus software running on the computer. Linux.BtcMine.174 then launches its own miner, designed to mine the Monero cryptocurrency. The malware checks its command-and-control server for updates every minute.

The Trojan infects Linux systems and writes to disk with permissions that give it access to user systems. It is capable of disabling any installed antivirus programs and stealing root passwords, and it takes advantage of the infamous Dirty COW exploit (CVE-2016-5195) to give the attackers complete access to the OS. According to Dr Web, "the Trojan launches and maintains as a Monero (XMR) miner. In an infinite loop, the script checks for updates on a remote server so that it can download and install them if they become available."

US Postal Service fixed a year-old vulnerability

The US Postal Service says it has fixed a security weakness on usps.com that for some time let anyone see the personal account information of its users, including usernames and street addresses. The vulnerability was reportedly identified more than a year ago by an independent researcher, but USPS did not patch it until this week, after information security reporter Brian Krebs of KrebsOnSecurity flagged the issue following a tip from an anonymous security researcher. USPS fixed the flaw within 48 hours of being contacted.

The flaw exposed personal data for 60 million 'Informed Visibility' accounts.

“It was caused by an authentication weakness in the site’s application programming interface (API) that allowed anyone to access a USPS database offered to businesses and advertisers to track user data and packages. The API should have verified whether an account had permissions to read user data but USPS didn’t have such controls in place.”

Users were not exposed simply by sending and receiving mail; only those who had conducted business on the site, which required a username, were potentially affected. The usernames were also exposed by the vulnerability, along with the associated addresses. So if you are one of the many users who have used USPS services online, hackers may have gathered some of your private information.

Users' personal data, including email addresses, phone numbers and mailing campaign data, were all exposed to anyone who was logged into the site. Additionally, any user could request account changes for another user, so they could potentially change another account's email address and phone number, although USPS does at least send a confirmation email to confirm the changes.
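The weakness described above is a missing object-level authorisation check: the API confirmed that a caller was logged in but never that the record requested belonged to that caller. The following added example (not USPS code) shows a minimal account API with that gap beside the fixed version, plus a probe that walks account ids the way an attacker would. Account data, ids and field names are constructed for the demonstration.

```python
"""Added example, not USPS code: a minimal account API written first with
the kind of gap described above (the API checks only that a caller is
logged in, so any authenticated user can read or change any account by
id) and then with the missing ownership check. Account data, ids and
field names are constructed for the demonstration."""

# Constructed store: account id -> record. Real field names beyond those
# named in the report are not known.
ACCOUNTS = {
    101: {"username": "alice", "email": "alice@example.com", "phone": "555-0101"},
    102: {"username": "bob", "email": "bob@example.com", "phone": "555-0102"},
}


class Forbidden(Exception):
    """Request denied. The fixed handlers raise this for both 'not yours'
    and 'no such account' so responses do not confirm which ids exist."""


def get_account_vulnerable(session_user_id, account_id, store=ACCOUNTS):
    # Authentication only: is *someone* logged in? Nothing ties the
    # requested id to the caller, so enumerating ids reads every record.
    if session_user_id is None:
        raise Forbidden("login required")
    return dict(store[account_id])


def get_account_fixed(session_user_id, account_id, store=ACCOUNTS):
    # Authorisation: the caller may only read the record they own, and the
    # check runs before the lookup so unknown ids are indistinguishable.
    if session_user_id is None or account_id != session_user_id:
        raise Forbidden("not your account")
    return dict(store[account_id])


def update_contact_vulnerable(session_user_id, account_id, store=ACCOUNTS, **changes):
    if session_user_id is None:
        raise Forbidden("login required")
    store[account_id].update(changes)   # any logged-in user can rewrite any account
    return dict(store[account_id])


def update_contact_fixed(session_user_id, account_id, store=ACCOUNTS, **changes):
    if session_user_id is None or account_id != session_user_id:
        raise Forbidden("not your account")
    allowed = {"email", "phone"}         # never let a request rename the owner
    store[account_id].update({k: v for k, v in changes.items() if k in allowed})
    return dict(store[account_id])


def enumerate_readable(read_fn, session_user_id, candidate_ids, store=ACCOUNTS):
    """Simulate the reported flaw: walk ids and list what one login can read."""
    readable = []
    for aid in candidate_ids:
        try:
            read_fn(session_user_id, aid, store)
            readable.append(aid)
        except (Forbidden, KeyError):
            pass
    return readable


if __name__ == "__main__":
    print("vulnerable:", enumerate_readable(get_account_vulnerable, 101, range(100, 105)))
    print("fixed:     ", enumerate_readable(get_account_fixed, 101, range(100, 105)))
```

A confirmation email on changes, as USPS sends, limits the damage of the update path but does not replace the ownership check; the read path leaks with no user interaction at all.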

The United States Postal Service has recently been in the news due to another price increase on stamps and other delivery services. Those increases were the result of yet another year of financial woes, struggles which have left the USPS deeper in debt. It is reasonable to imagine that every aspect of the service is struggling, not just the information technology division.

Pedophiles are using Chinese apps to groom underage girls into porn: Experts

Social video apps have been gaining favour in India recently. We're not talking about YouTube here, but apps focusing on ultra-short clips of about 15 seconds.

In one clip, a young girl, no more than 12 years old, is dressed in a bright pink lehenga and a royal blue velvet blouse. She is standing in the middle of a field and swaying her body, shaking her hips, her chest heaving as she dances to a popular Haryanvi number that goes Meri jalti jawani maange paani paani. It is a 15-second clip on Kwai, a short video app popular in India. There is another video of the girl in the same setting and clothes dancing with a boy of about the same age, the two thrusting their bodies at each other to another song.

In another video, a girl about 10, looks directly at the camera, smiles sheepishly and parrots this couplet like she has just memorized the lines: Chadar odh kay sona, takiya modd kay sona, meri yaad aye, toh jagah chhod kay sona. A man’s voice behind the camera prods her: “Aur, aur suna (sing more, more)”.

She shies away saying, “Aur yaad nahi (don’t remember more).” The videos — and there are at least 560 more of them — were posted on the account, 'Gaon ki Bachchiya' (Village Girls), which has nearly 98,000 followers. Some of the videos are of girls as young as two or three, lip-syncing and dancing in an age-inappropriate manner, or doing chores like cooking and drawing water from a well. The comments are mostly from men, complimenting the girls on their bodies or asking to see more skin.

Much of the content featuring children comes from accounts that aggregate such content or are managed by the children's parents or relatives. The children think they are completing a challenge or a contest, not understanding what they are doing.

Worryingly though, experts say the apps are being abused, and are turning into a paedophile's heaven.

What seems to be happening here is that the girls are being exploited for borderline child pornography. Nitish Chandan, a project manager for anti-child porn non-profit Cyber Peace Foundation, agrees. "Short video apps are the new ground to groom underage girls for child pornography," he tells the publication. He says that, in the past year, their group has found a significant uptick in cases of child sexual abuse, harassment, and blackmail, where the predator found their victim on social apps like Kwai.

Mac users using Exodus wallet hit by spam

Security researchers at F-Secure have recently uncovered a small spam campaign aimed at delivering spyware to Mac users who use the Exodus cryptocurrency wallet.

The campaign uses Exodus-themed phishing messages carrying an attachment named "Exodus-MacOS-1.64.1-update.zip". The messages were sent from accounts associated with the domain "update-exodus[.]io", which the attackers used to trick victims into believing it was a legitimate domain belonging to the Exodus organisation.

The malware poses as a fake Exodus update, using the subject line "Update 1.64.1 Release – New Assets and more". Experts pointed out that the latest released version of Exodus is 1.63.1.

The zip archive includes an application created earlier this month that contains a Mach-O binary named "rtcfg". The researchers analysed the code and found several strings and references to the "realtime-spy-mac[.]com" website, which sells cloud-based remote spy software for Mac systems.

“From the website, the developer described their software as a cloud-based surveillance and remote spy tool. Their standard offering costs $79.95 and comes with a cloud-based account where users can view the images and data that the tool uploaded from the target machine.” states the blog post published by F-Secure. “The strings that were extracted from the Mac binary from the mail spam coincides with the features mentioned in the realtime-spy-mac[.]com tool.”

Experts searched for similar instances of the Mac keylogger in the F-Secure repository and found other applications, including taxviewer.app, picupdater.app, MacBook.app and launchpad.app.

“Based on the spy tool’s website, it appears that it does not only support Mac but Windows as well,” concludes F-Secure. “It’s not the first time that we’ve seen Windows threats target Mac. As the crimeware threat actors in Windows take advantage of the cryptocurrency trend, they too seem to want to expand their reach, thus also ended up targeting Mac users.”

Further details about the campaign, including IoCs are reported in the analysis published by F-Secure.

Vision Direct hack affects 16,300 customers, exposes payment details

Vision Direct says a hack attack on its website earlier this month exposed thousands of its customers' personal and financial data, including payment card numbers, expiry dates and CVV codes. Europe's largest online seller of contact lenses and eye-care products said anyone who entered their details on its site between 3 and 8 November could have been affected.

Vision Direct stated on its website:

“The personal information was compromised when it was being entered into the site and includes full name, billing address, email address, password, telephone number and payment card information, including card number, expiry date and CVV.”

The breach took place between 00:11 GMT on 3 November and 12:52 GMT on 8 November, said Vision Direct. Customers who logged in during that period to update their accounts, or anyone who created a new account, will have been affected.

The hack is expected to have affected 16,300 customers. A spokeswoman for Vision Direct told the BBC that 6,600 customers were believed to have had details including financial data compromised, while a further 9,700 people had personal data but not card details exposed.

The contact lens retailer said a fake Google Analytics script hidden within its websites' code was the apparent cause of the hack and that its UK site was involved as well as local versions for Ireland, the Netherlands, France, Spain, Italy and Belgium.
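A skimmer dressed up as an analytics script shows up in the page's own markup as a script tag loading from a host that should not be there, or as inline code that was not shipped by the developers. The following added example (not Vision Direct's code) audits a checkout page's HTML against an allowlist of script hosts. The sample page, the allowlist and the lookalike hostname are constructed for the demonstration.

```python
"""Added example, not Vision Direct's code: scan a page's HTML for
<script> tags and flag any that load from a host not on an allowlist, or
that are inline, which is how an injected 'fake Google Analytics' loader
presents in the markup. The sample page, the allowlist and the lookalike
hostname are constructed for the demonstration."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for the example: hosts the developers actually ship scripts from.
ALLOWED_SCRIPT_HOSTS = {
    "www.google-analytics.com",
    "www.googletagmanager.com",
    "shop.example",
}


class ScriptCollector(HTMLParser):
    """Collects external script sources and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._buf).strip()
            if body:
                self.inline.append(body)


def script_host(src):
    """Host a script is loaded from, or None for same-origin (relative) paths."""
    if src.startswith("//"):
        src = "https:" + src
    if "://" not in src:
        return None
    return urlparse(src).hostname


def audit_scripts(html, allowed=ALLOWED_SCRIPT_HOSTS):
    """Return (kind, detail) findings: unexpected third-party hosts and inline code."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for src in parser.external:
        host = script_host(src)
        if host is not None and host not in allowed:
            findings.append(("unexpected-host", host))
    for body in parser.inline:
        findings.append(("inline-script", body[:40]))
    return findings


# Constructed checkout page: one legitimate analytics script, one same-origin
# script, one lookalike host, and one inline snippet hooking the payment form.
SAMPLE_CHECKOUT_HTML = """
<html><head>
<script src="https://www.google-analytics.com/analytics.js"></script>
<script src="/js/checkout.js"></script>
<script src="https://google-analytics.example/ga.js"></script>
<script>document.forms[0].addEventListener('submit', function(){});</script>
</head><body><form><input name="cardnumber"></form></body></html>
"""

if __name__ == "__main__":
    for kind, detail in audit_scripts(SAMPLE_CHECKOUT_HTML):
        print(kind, detail)
```

The audit only tells you what is already in the page; the preventive counterpart is a Content-Security-Policy whose script-src carries the same allowlist, so the browser refuses the injected loader even if the markup is tampered with.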

Vision Direct's spokesperson provided further details on the cause of the breach to the BBC, saying:

"This particular breach is known as Shoplift and was already known to our technology team, who installed a patch provided by our web platform provider to prevent this form of malware. Unfortunately, this current incident appears to be a derivative against which the patch proved ineffective. We are continuing to investigate the breach and have made numerous steps to ensure this does not happen again."

Many ATMs can be compromised within 30 minutes

An extensive testing session carried out by security experts at Positive Technologies has revealed that most ATMs can be hacked in under 30 minutes, and in even less time for certain types of attack.

Cybercriminals use various sophisticated methods, including physical access and remote access by compromising the bank network, to steal money from ATMs.

As one account of the research put it: "Experts tested ATMs from NCR, Diebold Nixdorf, and GRGBanking, and detailed their findings in a 22-page report published this week. The attacks they tried are the typical types of exploits and tricks used by cyber-criminals seeking to obtain money from the ATM safe or to copy the details of users' bank cards (also known as skimming). Experts said that 85% of the ATMs they tested allowed an attacker access to the network. The research team did this by either unplugging and tapping into Ethernet cables, or by spoofing wireless connections or devices to which the ATM usually connects. Researchers said that 27% of the tested ATMs were vulnerable to having their processing centre communications spoofed, while 58% of tested ATMs had vulnerabilities in their network components or services that could be exploited to control the ATM remotely."

Recent ATM-based attacks have seen malicious hackers steal cash from cardless ATMs using a new form of SMS phishing that tricks users into entering their bank account credentials into a phishing website.

The U.S. Secret Service has also warned of a new form of ATM skimming attack called "wiretapping", which targets financial institutions by drilling a small hole in the ATM and stealing customer data directly from the card reader inside the machine.

Attackers also try to inject ATM malware families such as Alice, Ripper, Radpin and Ploutus, which are frequently available on dark web markets.

New variant of APT28 Lojax rootkit discovered

Hackers know a prime target when they spot one. Unfortunately, small-to-midsize businesses (SMBs) are often those prime targets. A lot of small business owners like to think that malicious attackers have nothing to gain by going after "the little guy", or that they do not have much to lose.

That is simply not the case. Sixty-one percent of SMBs have been hit by cyberattacks, and the average cost of those breaches has exceeded $1,000,000. Some of the easy ways that hackers barge their way into small business networks are malware, phishing, ransomware, spoofing and rootkits.

Malware is malicious software designed to infiltrate computer systems and extract any important information it might find. It comes in several different forms, including viruses, spyware, Trojans, rootkits and worms.

A new variant of the infamous APT28 Lojax (aka Double-Agent) has been discovered by the Cybaze ZLab – Yoroi team. It is the latest version of the well-known rootkit Double-Agent, previously analysed by ESET researchers.

The behaviour of the Lojax sample appears similar to that of previous versions: it abuses the legitimate "Absolute Lojack" software to gain persistence on the infected system. LoJack is anti-theft and location-tracking software developed by Absolute Software Corporation and is pre-installed in the BIOS image of several Lenovo, HP, Dell, Fujitsu, Panasonic, Toshiba and Asus machines. In the past, this software was known as "Computrace".

Despite its legitimate purpose, the Absolute Lojack software behaves like a rootkit (more precisely, a bootkit): its BIOS component forces the writing of a small agent named "rpcnetp.exe" into the system folder. The agent periodically contacts Absolute's server and sends it the machine's current location.

The size of the malicious artefact is the same as that of the legitimate one, so the only manipulation appears to be the modification of the C2 address, in agreement with other firms that previously analysed the malware.
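When a trojanised agent is byte-for-byte the same size as the legitimate one, the fastest way to confirm "only the C2 address changed" is a positional diff that groups the differing offsets and recovers the string each run sits in. The following added example (not from the Cybaze-Yoroi or ESET analyses) does that. The two "binaries" are constructed byte strings containing placeholder hostnames under .example, not the real rpcnetp.exe.

```python
"""Added example, not from the Cybaze-Yoroi or ESET analyses: compare two
same-size binaries byte by byte, group the differing offsets into runs and
show the printable string around each run. The two 'binaries' here are
constructed byte strings with placeholder hostnames, not rpcnetp.exe."""
import string

# Printable ASCII, excluding whitespace control characters.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def diff_runs(a, b, merge_gap=4):
    """Return [(start, end)] byte ranges where a and b differ; runs closer
    than merge_gap bytes are merged so one edited string is one finding."""
    if len(a) != len(b):
        raise ValueError("sizes differ: a byte-offset comparison is not meaningful")
    runs, start, last = [], None, None
    for i, (x, y) in enumerate(zip(a, b)):
        if x == y:
            continue
        if start is not None and i - last > merge_gap:
            runs.append((start, last + 1))
            start = None
        if start is None:
            start = i
        last = i
    if start is not None:
        runs.append((start, last + 1))
    return runs


def string_at(buf, offset):
    """Expand outward from offset over printable bytes to recover the whole
    string that contains it (the way a strings-style tool would show it)."""
    lo = offset
    while lo > 0 and buf[lo - 1] in PRINTABLE:
        lo -= 1
    hi = offset
    while hi < len(buf) and buf[hi] in PRINTABLE:
        hi += 1
    return buf[lo:hi].decode("ascii", errors="replace")


def compare(legit, sample):
    """One record per differing run: where it is, how long, and the string
    it sits inside in each file."""
    return [
        {"offset": s, "length": e - s,
         "legit": string_at(legit, s), "sample": string_at(sample, s)}
        for s, e in diff_runs(legit, sample)
    ]


def build_blob(host):
    # Constructed stand-in for an agent binary: opaque bytes, a NUL-terminated
    # host string, more opaque bytes. The hosts below have equal length so the
    # two blobs stay the same size, as in the case described above.
    return bytes(range(256)) * 2 + host.encode() + b"\x00" + bytes(range(255, -1, -1))


# Placeholder hostnames (24 characters each), not real infrastructure.
LEGIT = build_blob("search.namequery.example")
SAMPLE = build_blob("agent.rpc-update.example")

if __name__ == "__main__":
    for finding in compare(LEGIT, SAMPLE):
        print(finding)
```

A single run whose recovered strings are two hostnames, and nothing else differing, is the evidence behind the statement above; several runs, or runs inside code rather than data, would mean the sample was altered beyond a C2 swap.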

7 Meltdown and Spectre level vulnerabilities discovered

A research team, including many of the original researchers behind Meltdown, Spectre and the related Foreshadow and BranchScope attacks, has published a new paper disclosing yet more attacks in the Spectre and Meltdown families. The team describes seven new attacks: Meltdown-BR, exploiting the Meltdown effect on the x86 bound instruction on Intel and AMD; Meltdown-PK, exploiting a Meltdown-type effect on memory protection keys on Intel; and five Spectre variants in the Spectre-PHT and Spectre-BTB classes.

The researchers present the work as a sound and extensible systematisation of transient execution attacks.

Between them, the seven attacks affect processors from the three major vendors, Intel, AMD and ARM, and allow an attacker to gain access to data on a vulnerable system that should be off-limits, fulfilling predictions made when the Spectre and Meltdown flaws were reported at the beginning of the year.

Back at the start of the year, a set of attacks that leveraged the speculative execution capabilities of modern high-performance processors was revealed. Since then, numerous variants of these attacks have been devised. In tandem, a range of mitigation techniques has been created to enable at-risk software, operating systems, and hypervisor platforms to protect against these attacks.

Chip vendors insist that existing defences will stop the attacks, but the researchers disagree. While some of the attacks are blocked by known mitigation techniques, others are not, which means further work is required to safeguard vulnerable systems.

The previous investigations into these attacks have been a little ad hoc in nature: examining particular features of interest to provide, for example, a Spectre attack that can be performed remotely over a network or Meltdown-esque attack to break into SGX enclaves. The new research is more systematic, looking at the underlying mechanisms behind both Meltdown and Spectre and running through all the different ways the speculative execution can be misdirected.

These processor security flaws can be exploited by malicious users and malware on a vulnerable machine to lift passwords, encryption keys and other secrets out of memory that should be off-limits. To date, we are not aware of any malware exploiting these holes in the wild, but nonetheless they have been a wake-up call for the semiconductor industry, forcing redesigns of silicon and changes to toolchains.

Cyberattacks and volatile weather top risks for Indian corporate: Study

Marsh, a global leader in insurance broking, and RIMS, the risk management society, collaborated on a study that revealed large-scale cyber-attacks and extreme weather to be the top risks for India Inc. In the study, conducted across 19 industries, risk professionals, C-suite executives and others identified cyber-attacks as the top risk (88%), followed by data fraud or theft (85%), volatile weather (84%), severe energy price shock (81%) and major financial failure (81%).

Titled ‘Marsh RIMS - State of Risk Management in India’, the report sheds light on the maturity of risk management functions in corporate India. It addresses areas such as the top risks Indian corporates face, the maturity level of risk management in organisations, the key areas of risk management that require improvement, the risks of adopting emerging technologies, and key recommendations for risk executives.

The ‘Excellence in Risk Management’ series is published by Marsh annually in several geographies. This report on the Indian scenario was launched at RIMS’ recent first risk management forum in India.

A little over a third (37%) of respondents believed cyber-attacks are highly prevalent now due to India’s growing dependency on data and digitisation efforts. In May 2018, the Indian Computer Emergency Response Team (CERT-In) found that over 22,000 Indian websites, including 114 government portals, were hacked between April 2017 and January 2018.

Shedding light on the maturity of risk management functions in corporate India, this elaborate survey assessed the said risks across three separate time frames: already a significant concern; will be a significant concern in one to three years; and will be a significant concern after three years.

Other identified risks that are foreseen are financial crises in key economies (80%), water crises and shortfall of critical infrastructure (76%), and failure of urban planning and failure of national governance (72%).

Huntsville Hospital job applicants’ information could be at risk after data breach

Huntsville Hospital in Alabama is reporting that the information of job applicants who applied to the facility may be at risk after a breach at a recruiting firm it uses. The breach could affect thousands across the country, and anyone who has applied to the hospital could be affected as well.

The hospital’s online application vendor, Jobscience, is a cloud computing firm that serves staffing and recruiting organizations.

The hospital sent the following release Thursday afternoon: “Regrettably, we’ve learned that Jobscience, Inc., the vendor which we’ve used for online employment application services since 2006, had a data breach which may have involved information from individuals who applied for jobs at Huntsville Hospital. Because of this, notification letters are being sent to the affected persons.”

“Although we have no indication that any information has been misused in any way, out of an abundance of caution, we are offering identity theft protection to those job applicants whose Social Security Number may have been compromised. The hospital no longer uses the services of Jobscience," the hospital said in the release.

Huntsville Hospital sent out letters to employees and applicants letting them know that their information could have been breached and that identity protection services are offered to anyone who may have been affected by the incident.

Burr Ingram, a spokesperson for Huntsville Hospital, says there is no indication that any information has been misused in any way, but the possibility exists.

Jobscience has not commented on this matter so far.

India saw 4.3 lakh cyber attacks from US, Russia, China, etc

According to honeypot data from Finnish cybersecurity company F-Secure, Russia, the US, China, the Netherlands and Germany targeted India with 436,090 attacks between January and June 2018. This is nearly 12 times the number of attacks that originated from India.

Russia accounted for most cyber attacks on India (255,589), followed by the US (103,458), China (42,544), the Netherlands (19,169) and Germany (15,330). To track these cyber attacks, F-Secure has deployed 41 honeypots across the globe that "serve as sitting ducks for cybercriminals" and enable the collection of the latest malware samples, shell scripts and new hacking techniques.

"Our public honeypots are a valuable source of threat intelligence and an integral part of the infrastructure that powers our various security offerings, including our Rapid Detection and Response Service," Mr Tasiemski said.

Honeypots are set up explicitly to grab the attention of attackers. They are basically decoy servers that emulate the real IT environment of a business enterprise. To attackers, they look like actual servers of real companies, complete with weaknesses and vulnerabilities. They are used to gain critical insights into attack types, popular targets, sources, volume and TTPs (Tactics, Techniques and Procedures).
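The decoy-server idea above, as an added example that is not F-Secure's code: a minimal low-interaction TCP honeypot that presents a fake service banner, records each connection without executing anything, and a summariser that turns those records into the per-source and per-port counts the article reports. F-Secure's own honeypot design, port choices and record format are not described on the page; the banner, port 2222 and the JSON-lines layout are assumptions.

```python
"""Low-interaction honeypot plus summariser (added example, not F-Secure's)."""
import json
import socketserver
import time
from collections import Counter

BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"   # constructed decoy banner, assumption
LOG_PATH = "honeypot.jsonl"           # assumed record file, one JSON per line


class HoneypotHandler(socketserver.BaseRequestHandler):
    """Send the decoy banner, capture the peer's first bytes, write a record.

    Nothing received is parsed or executed; the bytes are kept only as hex
    so analysts can later classify the tool or script that probed the port.
    """

    def handle(self):
        self.request.settimeout(5)
        self.request.sendall(BANNER)
        try:
            first_bytes = self.request.recv(256)
        except OSError:
            first_bytes = b""
        record = {
            "ts": time.time(),
            "src_ip": self.client_address[0],
            "dst_port": self.server.server_address[1],
            "first_bytes": first_bytes[:64].hex(),
        }
        with open(LOG_PATH, "a", encoding="utf-8") as fh:
            fh.write(json.dumps(record) + "\n")


def summarise(records, top=5):
    """Tally records per source IP and per destination port.

    This is the 'sources' and 'volume' view the article describes; each
    record only needs the 'src_ip' and 'dst_port' keys written above.
    """
    by_src = Counter(r["src_ip"] for r in records)
    by_port = Counter(r["dst_port"] for r in records)
    return {
        "total": len(records),
        "top_sources": by_src.most_common(top),
        "top_ports": by_port.most_common(top),
    }


if __name__ == "__main__":
    # Unprivileged port; binding 0.0.0.0 exposes the decoy on all interfaces.
    with socketserver.ThreadingTCPServer(("0.0.0.0", 2222), HoneypotHandler) as srv:
        srv.serve_forever()
```

Reading the records back with `[json.loads(l) for l in open(LOG_PATH)]` and passing them to `summarise` gives the kind of country-level break-up the article quotes once source IPs are mapped to countries with a geolocation database, which this example does not include.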

Interestingly, the top five countries that cyberattackers from India targeted were Austria, the Netherlands, the UK, Japan and Ukraine, with the attacks cumulatively tallying up to 35,563 in the said period, as per the report.

F-Secure gave the break-up: Austria (12,540), the Netherlands (9,267), the UK (6,347), Japan (4,701) and Ukraine (3,708), the last figure covering attacks that targeted Ukraine's businesses.

"The relatively higher number of inbound attacks on Indian honeypots reflects how the fast-digitising country is becoming more lucrative for global cybercriminals," Leszek Tasiemski, Vice President of cyber security products R&D at F-Secure, said in a statement on Sunday.

"We are gathering and analysing all the pertinent data to ensure that our customers stay protected given the dynamically evolving threat landscape," he added.

China is exporting digital surveillance methods to other governments

The U.S. trade war with China is focused on products ranging from agricultural goods to household appliances, but the United States and other democracies should worry about a different type of Chinese export: digital authoritarianism.

China has consistently been ranked by digital advocates as the world’s worst abuser of internet freedom. The country, however, isn’t just tightening online controls at home but is becoming more brazen in exporting some of those techniques abroad, including to Africa, says a new report from the U.S.-based think tank Freedom House.

Using a mix of official training, the provision of technological infrastructure to authoritarian regimes, and insistence that international companies accept its content regulations even outside China, Beijing is becoming adept at controlling information both inside and outside its borders. Together, these trends present “an existential threat to the future of the open internet and prospects for greater democracy around the globe,” the Washington DC-based non-profit said.

Officials in Beijing are providing governments around the world with technology and training that enable them to control their own citizens. As Chinese companies compete with their international counterparts in crucial fields such as artificial intelligence and 5G mobile service, the democratic norms that long governed the global internet are falling by the wayside. When it comes to internet freedom, many governments are eager to buy the restrictive model that China is selling.

A spy chief said in a speech released Tuesday, Oct. 30, 2018, that Australia’s critical infrastructure including electricity grids, water supplies and hospitals could not have been adequately safeguarded if Chinese-owned telecommunications giants Huawei and ZTE Corp. had been allowed to become involved in rolling out the nation’s 5G network.

As part of its Belt & Road infrastructure project, the Asian giant is also developing a “digital Silk Road” that will establish fibre optic networks across the developing world.

The study assessed developments related to internet freedom that took place between June 2017 and May 2018 in 65 countries across the world.