Category Archives: Cyber warfare

Czech Police and Intelligence agency dismantled Russian Spy ring on its soil

Czech police and intelligence services have identified a Russian espionage network whose nerve center was Russia's embassy in Prague.

Czech police and intelligence services have dismantled a Russian espionage network that was operating via Russia's embassy in Prague.

The investigators were supported by their peers at the National Organised Crime Centre (NCOZ).

According to officials, the cyberspies were setting up a structure to hit targets in the Czech Republic and abroad.

Michal Koudelka, head of the Czech Republic’s BIS intelligence service, confirmed that the authorities had busted the cyber espionage ring, which is allegedly part of a larger organization set up by Russia and operating in other European countries.

“The network was completely destroyed and decimated,” Michal Koudelka said in parliament, as quoted by the Czech CTK news agency.

“It was created by people with links to Russian intelligence services and financed from Russia and the Russian embassy.”

In August, a parliamentary committee in the Czech Republic revealed that the National Cyber and Information Security Agency blamed a foreign state for a cyber attack that targeted the Czech Foreign Ministry.

The committee did not reveal the name of the state allegedly involved in the attack. Daily N, the Czech independent daily, has repeatedly accused Russia of the attacks against the foreign ministry, which took place in June.

According to a report published in September by the NUKIB Czech Intelligence agency, China carried out a major cyber attack on a key government institution in the Czech Republic last year.

The report issued by the NUKIB agency states that the attack “was almost certainly carried out by a state actor or a related group,” and “a Chinese actor” is the main suspect.

Pierluigi Paganini

(SecurityAffairs – Russia, Czech police)

The post Czech Police and Intelligence agency dismantled Russian Spy ring on its soil appeared first on Security Affairs.

UK/US investigation revealed that Russian Turla APT masqueraded as Iranian hackers

A joint UK and US investigation has revealed that the Russian cyber espionage group Turla carried out cyber attacks while masquerading as Iranian hackers.

According to the Financial Times, a joint UK and US investigation revealed that the Russia-linked cyberespionage group Turla conducted several cyber attacks in more than 35 countries while masquerading as Iranian hackers. The use of false flag operations in cyberspace is not new, but this is the first time that Turla APT has been observed adopting such a strategy.

In 2018, the US intelligence agencies reported that Russian state-sponsored hackers used false flag attacks to hit the Winter Olympics in Pyeongchang, South Korea. At the time, the hackers inserted into their malware lines of code associated with the North Korea-linked Lazarus Group.

The Turla APT group (aka Snake, Uroburos, Waterbug, Venomous Bear and KRYPTON) has been active since at least 2007 targeting diplomatic and government organizations and private businesses in the Middle East, Asia, Europe, North and South America, and former Soviet bloc nations.

The list of previously known victims is long and also includes the Swiss defense firm RUAG, the US Department of State, and the US Central Command.

Experts involved in the investigation believe that the Turla group hijacked the tools of the notorious Iran-linked APT group OilRig, active since at least 2014. OilRig's attacks are aligned with the strategic interests of Iran; the group conducts operations primarily in the Middle East, targeting the financial, government, energy, chemical, telecommunications and other industries.

Multiple attacks targeting Middle Eastern financial, energy and government organizations led FireEye to assess that those sectors are a primary concern of APT34 (another name for OilRig).

“The so-called Turla group, which has been linked with Russian intelligence, allegedly hijacked the tools of Oilrig, a group widely linked to the Iranian government, according to a two-year probe by the UK’s National Cyber Security Centre in collaboration with the US’ National Security Agency.” reported the FT.

The two-year investigation was conducted by the UK’s National Cyber Security Centre in collaboration with the US’ National Security Agency.

The experts believe that the Iranian cyberespionage group was unaware that its hacking tools had been hijacked and used by another threat actor to hit military establishments, government departments, and universities across the world.

Paul Chichester, director of operations at the NCSC, explained that this is a major change in Turla's TTPs, aimed at making attribution of the attacks harder.

“We have never seen this done to the level of sophistication that we are seeing here,” Mr Chichester said. “It’s unique in the complexity and scale and sophistication. It’s actually really hard masquerading [as another entity]. This is becoming a very crowded space and we do see people innovate quite rapidly in that domain.”

The Russian Government did not respond to a request for comment from the Financial Times; it has always denied its involvement in cyber attacks on other states.

In June, Symantec researchers revealed that the Russia-linked cyberespionage group Turla used a new toolset and hijacked command and control infrastructure operated by the Iran-linked OilRig APT.

Over the last eighteen months, experts at Symantec observed at least three distinct campaigns, each using a different set of hacking tools. In one campaign the attackers used a previously unseen backdoor tracked as Neptun (Backdoor.Whisperer); the malicious code is deployed on Microsoft Exchange servers and passively listens for commands from the attackers.

Experts noticed that in one attack, Turla hackers used the infrastructure belonging to another espionage group tracked as Crambus (aka OilRig, APT34).

The three recent Turla campaigns targeted governments and international organizations worldwide.

Unfortunately, Turla and other sophisticated APT groups have the cyber capabilities to hijack other state-sponsored groups, making attribution of the attacks impossible.

Pierluigi Paganini

(SecurityAffairs – Turla, OilRig)


Security Affairs newsletter Round 236

A new round of the weekly newsletter arrived! The best news of the week with Security Affairs

Hi folks, let me inform you that I have suspended the newsletter service; anyway, I’ll continue to provide you with a list of published posts every week through the blog.

A new Mac malware dubbed Tarmac has been distributed via malvertising campaigns
Alabama Hospital chain paid ransom to resume operations after ransomware attack
Charming Kitten Campaign involved new impersonation methods
Imperva explains how hackers stole AWS API Key and accessed customer data
Is Emotet gang targeting companies with external SOC?
Privacy advocates criticize Apple for sharing some users browsing data with Tencent
Talos experts found 11 flaws in Schneider Electric Modicon Controllers
Click2Mail suffered a data breach that potentially impacts 200,000 registrants
Global Shipping and mailing services firm Pitney Bowes hit by ransomware attack
sudo flaw allows any user to run commands as Root on Linux
Winnti Group was planning a devastating supply-chain attack against Asian manufacturer
Adobe out-of-band security updates address 82 flaws in 3 products
Approaching the Reverse Engineering of a RFID/NFC Vending Machine
Chinese-speaking cybercrime gang Rocke changes tactics
Signature update for Symantec Endpoint Protection crashed many devices
Critical and high-severity flaws addressed in Cisco Aironet APs
Cryptocurrency miners infected more than 50% of the European airport workstations
Graboid the first-ever Cryptojacking worm that targets Docker Hub
International operation dismantled largest Dark Web Child abuse site
M6 Group, largest France private multimedia group, hit by ransomware attack
China-linked cyberspies Turbine PANDA targeted aerospace firms for years
Pitney Bowes revealed that its systems were infected with Ryuk Ransomware
Researcher released PoC exploit code for CVE-2019-2215 Android zero-day flaw
Systems at ingredients provider Ingredion infected with malware
Trojanized Tor Browser targets shoppers of Darknet black marketplaces
A critical Linux Wi-Fi bug could be exploited to fully compromise systems
Emsisoft released a free decryption tool for the STOP (Djvu) ransomware
Hundreds of millions of UC Browser Android Users Exposed to MiTM Attacks. Again.

Pierluigi Paganini

(SecurityAffairs – iCloud, zero-day)


US Army stopped using floppy disks as storage for SACCS system that manages nuclear weapons arsenal

The news is quite curious: the US military will no longer use 8-inch floppy disks in the antiquated computer system (SACCS) that manages its nuclear weapons arsenal.

It’s official: the US Strategic Command has announced that it has replaced the 8-inch floppy disks in the ancient computer used to receive nuclear launch orders from the President with a “highly-secure solid state digital storage solution.”

The use of the 8-inch floppy disks was revealed back in 2014 by the CBS “60 Minutes” TV show.

“At long last, that system, the Strategic Automated Command and Control System or SACCS, has dumped the floppy disk, moving to a “highly-secure solid state digital storage solution” this past June, said Lt. Col. Jason Rossi, commander of the Air Force’s 595th Strategic Communications Squadron.” reported c4isrnet.com.

The Strategic Automated Command and Control System (SACCS) is used by US nuclear forces to send orders from command centers to field forces in case of crisis. It is considered totally secure because it is completely isolated from the internet, even though researchers worldwide have demonstrated that there are many ways to breach an air-gapped network.

The Strategic Automated Command and Control System (SACCS) is a United States Strategic Command command and control system to coordinate the operational functions of United States nuclear forces (ICBMs, nuclear bombers, and SLBMs).

“You can’t hack something that doesn’t have an IP address. It’s a very unique system — it is old and it is very good,” Rossi added.

In June, the US Air Force replaced the floppy disks in the SACCS nuclear weapons management system with a “highly-secure solid state digital storage solution.”

The system has been operating since 1968, running on an IBM Series/1 mainframe and using 8-inch floppy disks as its storage medium.

The use of 8-inch floppy disks was also confirmed by a report published by the US Government Accountability Office (GAO).

“Coordinates the operational functions of the United States’ nuclear forces, such as intercontinental ballistic missiles, nuclear bombers, and tanker support aircrafts. This system runs on an IBM Series/1 Computer—a 1970s computing system— and uses 8-inch floppy disks.” states the report.

“The agency plans to update its data storage solutions, port expansion processors, portable terminals, and desktop terminals by the end of fiscal year 2017.”

Robert Norman, a civilian Air Force employee working for Lt. Col. Rossi with more than four years of experience fixing the electronics on SACCS, explained that every issue on the ancient system requires dedicated maintenance and that the damaged components are often repaired by experts like him.

“Any electronic repair is going to take a lot of work. I shouldn’t say it’s difficult, [but] unfortunately a lot of the newer electronics are plug and play,” he said, explaining that when electronic components like motherboards or microchips break on newer systems, the common practice is to throw them out and replace them, Norman told c4isrnet.com. “On SACCS, all of those pieces are repaired — which for maintainers could mean spending hours under a microscope, slowly but deliberately replacing a copper wire laced throughout a circuit board, for example. The challenges get a little larger when we’re actually repairing them down to component level.”

Experts pointed out that even if the hardware used by SACCS is antiquated, its software is constantly refreshed by young Air Force programmers.

The problem of security for critical defense systems has been addressed by the US Government several times. According to a report published by the Government Accountability Office (GAO) in October 2018, almost every new weapon system in the Pentagon's arsenal is vulnerable to hacking.

According to the 50-page report published by the GAO, several vulnerabilities in the weapon systems were never fixed.

Pierluigi Paganini

(SecurityAffairs – SACCS, hacking)


Charming Kitten Campaign involved new impersonation methods

Iran-linked APT group Charming Kitten employed new spear-phishing methods in attacks carried out between August and September.

Security experts at ClearSky analyzed attacks recently uncovered by Microsoft that targeted a US presidential candidate, government officials, journalists, and prominent expatriate Iranians. Microsoft Threat Intelligence Center (MSTIC) observed the APT group making more than 2,700 attempts to identify consumer email accounts belonging to specific Microsoft customers and then attack 241 of those accounts.

ClearSky researchers pointed out that these attacks represent a shift in the group's tactics, because this is the first time that the Charming Kitten group has attempted to interfere in the elections of a foreign country.

The experts said, with medium-high confidence, that the campaign uncovered by Microsoft is the same campaign they observed over the past several months.

“We evaluate in a medium-high level of confidence, that Microsoft’s discovery and our findings in our previous and existing reports is a congruent operation” reads the report published by ClearSky, “based on the following issues:

  • Same victim profiles
  • Time overlapping
  • Similar attack vectors”

The Iran-linked Charming Kitten group (aka APT35, Phosphorus, Newscaster, and Ajax Security Team) made the headlines in 2014 when experts at iSight issued a report describing the most elaborate net-based spying campaign organized by Iranian hackers using social media.

Microsoft has been tracking the threat actors at least since 2013, but experts believe that the cyberespionage group has been active since at least 2011. 

As part of the recently observed campaign, the state-sponsored hackers used three different spear-phishing methods:

  • Sending an email message leveraging social engineering methods.
  • Impersonating social media websites, such as Facebook, Twitter and Instagram, as well as using these social media to spread malicious links. Experts have also observed a few social media entities that contacted their victims in order to trick them into visiting malicious websites.
  • Sending SMS messages to the cellular phone of the victim. The messages include a link and claim to inform the recipient of an attempt to compromise their email account. The link points to a malicious phishing website.

Experts have identified more than eight new and previously unknown domains, all of which bear the ‘.site’ TLD, that were involved in the attacks.

Other technical information, along with indicators of compromise (IoCs), is included in the report.

Pierluigi Paganini

(SecurityAffairs – Charming Kitten, Iran)


Security Affairs newsletter Round 235

A new round of the weekly newsletter arrived! The best news of the week with Security Affairs

Hi folks, let me inform you that I have suspended the newsletter service; anyway, I’ll continue to provide you with a list of published posts every week through the blog.

Hacker is auctioning a database containing details of 92 million Brazilians
Iran-linked Phosphorus group hit a 2020 presidential campaign
UK NCSC agency warns of APTs exploiting Enterprise VPN vulnerabilities
D-Link router models affected by remote code execution issue that will not be fixed
Data from Sephora and StreetEasy data breaches added to HIBP
PoS malware infections impacted four restaurant chains in the U.S.
US will help Baltic states to secure Baltic energy grid
Developer hacked back Muhstik ransomware crew and released keys
Experts found a link between a Magecart group and Cobalt Group
Hackers continue to exploit the Drupalgeddon2 flaw in attacks in the wild
MS October 2019 Patch Tuesday updates address 59 flaws
Users reported problems with patches for CVE-2019-1367 IE zero-day
Hackers compromised Volusion infrastructure to siphon card details from thousands of sites
Multiple APT groups are exploiting VPN vulnerabilities, NSA warns
Researchers discovered a code execution flaw in NSA GHIDRA
Twitter inadvertently used Phone Numbers collected for security for Ads
vBulletin addresses three new high-severity vulnerabilities
Amnesty claims that 2 Morocco rights advocates were targeted by NSO Group spyware
Attor malware was developed by one of the most sophisticated espionage groups
iTunes Zero-Day flaw exploited by the gang behind BitPaymer ransomware
Oops, popular iTerm2 macOS Terminal App is affected by a critical RCE since 2012
SAP October 2019 Security Patch Day fixes 2 critical flaws
Tor Project is going to remove End-Of-Life relays from the network
Hacker breached escort forums in Italy and the Netherlands and is selling user data
Researchers released a free decryptor for the Nemty Ransomware
Sophos fixed a critical vulnerability in Cyberoam firewalls
Tens of millions of PCs potentially impacted by a flaw in HP Touchpoint Analytics
Top cybersecurity certifications to consider for your IT career
FIN7 Hackers group is back with a new loader and a new RAT
Leafly Cannabis information platform suffered a data leak
SIM cards used in 29 countries are vulnerable to Simjacker attack

Pierluigi Paganini

(SecurityAffairs – newsletter)


6 cyber-espionage campaigns since 2013 attributed to PKPLUG China-linked group

Security experts linked a number of cyber-espionage campaigns observed over the years to the same Chinese threat actor, tracked as PKPLUG.

Security experts linked a number of cyber-espionage campaigns observed over the years to the same Chinese threat actor, tracked as PKPLUG. The name comes from the threat actor using PlugX inside ZIP archives containing the ASCII magic bytes “PK” in the header.
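The "PK" bytes that gave PKPLUG its name are the signature of a ZIP local file header, and they are a good reminder that file type should be decided by content, not by the name the sender chose. The following is an added example written for this page, not code from Unit 42 or from the report: it checks the ZIP magic, opens the archive with Python's standard library and flags members whose bytes start with a PE header ("MZ") while their name claims to be a document. The archive and its members are constructed inline for the example.

```python
import io
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"   # "PK" + 0x03 0x04: local file header signature of a non-empty ZIP
PE_MAGIC = b"MZ"                   # DOS stub magic that every Windows PE (EXE/DLL) file starts with
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".cpl"}


def has_zip_magic(data: bytes) -> bool:
    """True if the blob starts with a ZIP local file header, whatever its file name says.
    (An empty archive starts with PK\\x05\\x06 instead and carries no members to inspect.)"""
    return data[:4] == ZIP_LOCAL_HEADER


def scan_archive(data: bytes) -> list:
    """Return one finding per archive member, flagging PE content hidden behind a non-executable name.
    A blob without ZIP magic yields no findings; a corrupt archive raises zipfile.BadZipFile."""
    if not has_zip_magic(data):
        return []
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(2)          # only the first two bytes are needed for the PE check
            name = info.filename
            ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
            is_pe = head == PE_MAGIC
            findings.append({
                "name": name,
                "is_pe": is_pe,
                # a PE that does not admit to being one is the case worth alerting on
                "suspicious": is_pe and ext not in EXECUTABLE_EXTS,
            })
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample for the example: a benign text file, a fake PE stub named like a PDF,
    and a fake PE stub with an honest .exe name. The 'MZ' bodies are not real executables."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "quarterly figures attached")
        zf.writestr("invoice.pdf", PE_MAGIC + b"\x90" * 64)
        zf.writestr("update.exe", PE_MAGIC + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_archive()
    print("zip magic:", has_zip_magic(sample))
    for finding in scan_archive(sample):
        print(finding)
```

The check is deliberately content-first: a mail gateway or sandbox that trusts the `.pdf` in the member name would pass the second member, while the two-byte peek catches it. Real PE validation would go on to parse the DOS header and the PE signature at `e_lfanew`; the magic check is the cheap first filter.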

“For three years, Unit 42 has tracked a set of cyber espionage attack campaigns across Asia, which used a mix of publicly available and custom malware. Unit 42 created the moniker “PKPLUG” for the threat actor group, or groups, behind these and other documented attacks referenced later in this report.” reads the report published by Palo Alto Networks. “We say group or groups as our current visibility doesn’t allow us to determine with high confidence if this is the work of one group, or more than one group which uses the same tools and has the same tasking.”

Hackers targeted entities in the Southeast Asia region; most of the victims were in Myanmar, Taiwan, Vietnam, and Indonesia. Experts believe that PKPLUG also targeted other parts of Asia, including Tibet, Xinjiang, and Mongolia.

The China-linked APT group has been active for at least six years; it has used both custom-made and publicly available malware.

Researchers at Palo Alto Networks’ Unit 42 reported that some of the tools used in the campaigns were also involved in attacks carried out by other threat actors.

The experts observed the threat actor mainly delivered the PlugX backdoor, but the attackers also used the HenBox Android malware, the Farseer backdoor for Windows, the 9002 and Zupdax trojans, and Poison Ivy RAT.

Below is the timeline of the PKPLUG attacks over the years:

(Figure: timeline of PKPLUG APT attacks)

The first campaign associated with PKPLUG was observed in November 2013, when the group targeted Mongolian individuals with the PlugX RAT. In April 2016, researchers from Arbor Networks uncovered a campaign aimed at delivering the Poison Ivy RAT to targets in Myanmar and other countries in Asia. A month later, Unit 42 researchers spotted another campaign that targeted entities from Myanmar, the Uyghur minority, Tibet, Vietnam, Indonesia, and Taiwan with the 9002 Trojan.

In March 2017, the Hong Kong-based cybersecurity company VKRL spotted a campaign targeting entities in Mongolia. One year later, in March 2018, Unit 42 experts spotted a campaign involving a new Android malware family named “HenBox.” The hackers primarily targeted the Uyghur minority.

In early 2019, Unit 42 researchers discovered a previously unknown Windows backdoor Trojan called Farseer that was used by the threat actors in attacks against targets in Myanmar. Experts noticed overlaps between the infrastructure and the malware used in the different campaigns.

“Overlaps between the different campaigns documented, and the malware families used in them, exist both in infrastructure (domain names and IP addresses being reused, sometimes in multiple cases) and in terms of malicious traits (program runtime behaviors or static code characteristics are also where relationships can be found or strengthened).” continues the analysis.

In at least four of the six campaigns, the threat actors used a shared set of IP addresses as command and control (C2) infrastructure.

Researchers also discovered that attackers used the same registrant for various domain names hosted at those addresses.
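Shared C2 addresses and a common registrant are the two pivots the paragraphs above describe, and linking campaigns through them is a small graph problem: every campaign that touches the same indicator ends up in the same cluster. The example below is added for this page and is not Unit 42's tooling; the campaign names follow the timeline above, but the domains, IP addresses (RFC 5737 documentation ranges) and registrant handles are constructed for the example and are not the real PKPLUG indicators.

```python
from collections import defaultdict

# Constructed infrastructure records (domains, IPs and registrants are made up for the example).
RECORDS = [
    {"campaign": "2013 PlugX (Mongolia)",     "domain": "update-mn.example", "ip": "192.0.2.10",   "registrant": "reg-alpha"},
    {"campaign": "2016 Poison Ivy (Myanmar)", "domain": "news-mm.example",   "ip": "192.0.2.10",   "registrant": "reg-beta"},
    {"campaign": "2016 9002 Trojan",          "domain": "cdn-asia.example",  "ip": "192.0.2.20",   "registrant": "reg-alpha"},
    {"campaign": "2017 Mongolia (VKRL)",      "domain": "mail-mn.example",   "ip": "192.0.2.20",   "registrant": "reg-gamma"},
    {"campaign": "2018 HenBox (Android)",     "domain": "apk-store.example", "ip": "198.51.100.5", "registrant": "reg-gamma"},
    {"campaign": "2019 Farseer (Myanmar)",    "domain": "far-mm.example",    "ip": "198.51.100.9", "registrant": "reg-delta"},
]


def cluster_campaigns(records, ignore=frozenset()):
    """Group campaigns whose records share an IP address or a domain registrant.

    Returns (clusters, pivots): clusters is a list of sorted campaign lists, largest first;
    pivots maps each shared (kind, value) indicator to the campaigns it links.
    `ignore` holds indicator values that must never be used as a pivot, e.g. a CDN edge,
    a sinkhole or a parking IP that unrelated actors share; pivoting on those would
    glue unrelated campaigns together."""
    parent = {}

    def find(x):                      # union-find with path halving
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    by_indicator = defaultdict(set)
    for r in records:
        find(r["campaign"])           # register isolated campaigns too
        for kind in ("ip", "registrant"):
            if r[kind] not in ignore:
                by_indicator[(kind, r[kind])].add(r["campaign"])

    pivots = {}
    for key, campaigns in by_indicator.items():
        if len(campaigns) < 2:
            continue                  # an indicator seen once links nothing
        pivots[key] = sorted(campaigns)
        first = pivots[key][0]
        for c in campaigns:
            union(first, c)

    groups = defaultdict(list)
    for c in {r["campaign"] for r in records}:
        groups[find(c)].append(c)
    clusters = sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g[0]))
    return clusters, pivots


if __name__ == "__main__":
    clusters, pivots = cluster_campaigns(RECORDS)
    for key, linked in pivots.items():
        print(key, "->", linked)
    for group in clusters:
        print(len(group), "campaign(s):", group)
```

With the constructed records, four campaigns share C2 addresses and a registrant chains the 2018 HenBox campaign onto them, while the Farseer campaign stays alone; the page's real overlaps also included program behaviour and static code traits, which this IP/registrant pivot does not model. Passing `ignore={"192.0.2.10", "192.0.2.20"}` shows how much of the linkage rested on the addresses alone.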

“Based on what we know and what we’ve gleaned from others’ publications, and through industry sharing, PKPLUG is a threat group, or groups, operating for at least the last six years using several malware families — some more well-known: Poison Ivy, PlugX, and Zupdax; some are less well-known: 9002, HenBox, and Farseer.” concludes the analysis. “Unit 42 has been tracking the adversary for three years and based on public reporting believes with high confidence that it has origins to Chinese nation-state adversaries.”

Pierluigi Paganini

(SecurityAffairs – PKPLUG, China)


Teheran: U.S. has started ‘Cyber War’ against Iran

Iran’s Passive Defense Organization chief Gholamreza Jalali declared that the US government has started its cyber war against the country.

Gholamreza Jalali, Iran’s Passive Defense Organization chief, announced that “America has started its cyber war against Iran,” without providing more details.

The news was reported by the ISNA news website on October 1; Jalali also added that Iran “decisively will resort to cyber defense.”

Jalali is an Islamic Revolution Guard Corps (IRGC) brigadier general; in November 2018 he announced that government experts had uncovered and neutralized a new strain of Stuxnet.

“Recently we discovered a new generation of Stuxnet which consisted of several parts … and was trying to enter our systems,” Jalali was quoted as saying by the semi-official ISNA news agency at a news conference marking Iran’s civil defense day.

In May, Jalali had accused the U.S. of carrying out psyops operations through social media aimed at influencing Iranians’ sentiment on specific topics. The official also revealed that Iran is targeted by 50,000 cyberattacks and that the country's cyber defenses suffer eight major attacks annually.

Last week, Iran’s oil minister, Bijan Namdar Zanganeh, ordered companies operating in the energy sector to be on ‘full alert’ to the threat of “physical and cyber” attacks.

“It is necessary for all companies and installations in the oil industry to be on full alert against physical and cyber threats,” reads a statement published on the oil ministry’s Shana website.

Iran fears retaliation from Western countries, which accuse it of carrying out physical and cyber attacks against their infrastructure and against countries in the Middle East.

Military and intelligence experts believe that a Western coalition, led by the US, could carry out a series of cyber attacks against Iranian critical infrastructure. A few days after the drone attacks, some Western media reported destructive cyber attacks against infrastructure in the Iranian oil sector, but Iran denied it.

Pierluigi Paganini

(SecurityAffairs – Iran, cyberwar)


Iran’s oil minister orders ‘Full Alert’ for oil sector against attacks

Iran’s oil minister on Sunday ordered representatives of the energy sector to be on ‘full alert’ to the threat of “physical and cyber” attacks.

Iran’s oil minister, Bijan Namdar Zanganeh, ordered companies operating in the energy sector to be on ‘full alert’ to the threat of “physical and cyber” attacks.

“It is necessary for all companies and installations in the oil industry to be on full alert against physical and cyber threats,” reads a statement published on the oil ministry’s Shana website.

Iran fears retaliation from Western countries, which accuse it of carrying out physical and cyber attacks against their infrastructure and against countries in the Middle East.

Iran’s oil ministry said that the Washington government has launched a “full-scale economic war” against the Islamic republic.

In mid-September, drone attacks hit two major oil facilities run by the state-owned company Aramco in Saudi Arabia, one of them the Abqaiq site.

Iran-backed Houthi rebels in Yemen claimed responsibility for the attacks on the Abqaiq plant; according to a spokesman for the group in Yemen, it deployed 10 drones in the attacks.

The group is threatening Saudi Arabia with further attacks. The Iran-aligned Houthi rebel movement has been fighting the Yemeni government and a coalition of regional countries led by Saudi Arabia since 2015, when President Abdrabbuh Mansour Hadi was driven out of Sanaa by the Houthis.

Secretary of State Mike Pompeo blamed Iran for coordinating the attacks, adding that we are facing an unprecedented attack on the world’s energy supply.

Riyadh, Berlin, London, and Paris also blame Teheran for attacks that caused severe damages to the Saudi oil sector on September 14.

Iran denied any involvement in the attacks. Immediately after the attacks, US President Donald Trump announced that his country was preparing a response. President Trump opted for an intensification of economic sanctions against Teheran.

Military and intelligence experts believe that a Western coalition, led by the US, could carry out a series of cyber attacks against Iranian critical infrastructure. A few days after the drone attacks, some Western media reported destructive cyber attacks against infrastructure in the Iranian oil sector, but Iran denied it.

“Contrary to Western media claims, investigations done today show no successful cyber attack was made on the country’s oil installations and other crucial infrastructure,” reads a statement published by the government’s cyber security office.

Despite the statement, security experts believe that a cyber offensive against Iranian infrastructure is ongoing.

Pierluigi Paganini

(SecurityAffairs – Iran, oil sector)


Security Affairs newsletter Round 233

A new round of the weekly newsletter arrived! The best news of the week with Security Affairs

Hi folks, let me inform you that I have suspended the newsletter service; anyway, I’ll continue to provide you with a list of published posts every week through the blog.

Once again thank you!

0patch will provide micropatches for Windows 7 and Server 2008 after EoS
Critical flaws affect Jira Service Desk and Jira Service Desk Data Center
Facebook suspends tens of thousands of apps from hundreds of developers
Campbell County Memorial Hospital in Wyoming hit by ransomware attack
Portuguese hacker faces hundreds of Charges in Football Leaks case
Privilege Escalation flaw found in Forcepoint VPN Client for Windows
Thinkful forces a password reset for all users after a data breach
TortoiseShell Group targets IT Providers in supply chain attacks
A new Fancy Bear backdoor used to target political targets
APT or not APT? What’s Behind the Aggah Campaign
Hacker discloses details and PoC exploit code for unpatched 0Day in vBulletin
Microsoft released an out-of-band patch to fix Zero-day flaw exploited in the wild
North Korea-linked malware ATMDtrack infected ATMs in India
Adobe Patches two critical vulnerabilities in ColdFusion
Czech Intelligence ‘s report attributes major cyber attack to China
Heyyo dating app left its users data exposed online
US Utilities Targeted with LookBack RAT in a new phishing campaign
Airbus suppliers were hit by four major attacks in the last 12 months
Botnet exploits recent vBulletin flaw to protect its bots
Emsisoft releases a free decryptor for the WannaCryFake ransomware
Study shows connections between 2000 malware samples used by Russian APT groups
USBsamurai for Dummies: How To Make a Malicious USB Implant & Bypass Air-Gapped Environments for 10$. The Dumb-Proof Guide.
Checkm8: unpatchable iOS exploit could lead to permanent jailbreak for iOS devices running A5 to A11 chips
DoorDash Data Breach exposes data of approximately 5 million users
Emsisoft released a new free decryption tool for the Avest ransomware
Magecart 5 hacker group targets L7 Routers
After SIMJacker, WIBattack hacking technique disclosed. Billions of users at risk
German police arrest suspects in raid on network hosting Darknet marketplaces
Malware-based attacks disrupted operations of Rheinmetall AG and Defence Construction Canada
Nodersok malware delivery campaign relies on advanced techniques

Pierluigi Paganini

(SecurityAffairs – newsletter)


Study shows connections between 2000 malware samples used by Russian APT groups

Joint research by Intezer and Check Point Research shows connections between nearly 2,000 malware samples developed by Russian APT groups.

Joint research by Intezer and Check Point Research sheds light on the Russian hacking ecosystem and reveals connections between nearly 2,000 malware samples developed by Russian APT groups.

The report is extremely interesting because it gives analysts an overview of the Russian hacking community and its operations.

The experts also published an interactive map that gives a full overview of this Russian hacking ecosystem.

Since the first publicly known attacks by Moonlight Maze, in 1996, many Russian hacking groups have emerged in the threat landscape; their operations have involved highly sophisticated malware and hacking techniques.

“Russia is known to conduct a wide range of cyber espionage and sabotage operations for the last three decades. Beginning with the first publicly known attacks by Moonlight Maze, in 1996, the Pentagon breach in 2008, Blacking out Kyiv in 2016, hacking the United States elections in 2016, and including some of the largest, most infamous cyberattacks in history, targeting an entire nation with NotPetya ransomware.” states the report.

“This led us to gather, classify, and analyze thousands of Russian APT malware samples in order to find connections not only between samples, but also between different families and actors.”

Russian APT Map

The Russian hacking ecosystem characterized by Russian APT groups is very complex; security firms have collected a huge quantity of information on individual threat actors, but none of them has provided a global picture of the ecosystem.

Give a look at the “Russian APT Map,” that illustrates the connections between different Russian APT malware samples, malware families, and threat actors.


The experts analyzed approximately 2,000 samples attributed to Russian APT groups and found 22,000 connections between them, in addition to 3.85 million non-unique pieces of shared code. The study classified the samples into 60 families and 200 different modules.

“Every actor or organization under the Russian APT umbrella has its own dedicated malware development teams, working for years in parallel on similar malware toolkits and frameworks. Knowing that a lot of these toolkits serve the same purpose, it is possible to spot redundancy in this parallel activity.” continues the report.

“These findings may suggest that Russia is investing a lot of effort into its operational security. By avoiding different organizations re-using the same tools on a wide range of targets, they overcome the risk that one compromised operation will expose other active operations.”

The experts also released a signature-based tool, dubbed Russian APT Detector, that scans a host or a file against the pieces of code most commonly re-used by Russian APT groups in their operations.
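To make the idea of “connections between samples” concrete, here is a toy version of the shared-code-fragment analysis the report describes. It is an added example written for this post, not Intezer’s or Check Point’s tooling, and the “samples” are constructed printable byte strings standing in for code: every fragment of a shared benign runtime is discarded first (so library code does not create false links), then any two samples sharing enough 8-byte fragments are connected.

```python
from itertools import combinations

# Constructed pseudo-samples (printable stand-ins for code bytes), not real
# malware. RUNTIME plays the role of a shared benign library that every
# sample links against and that must not count as evidence of a connection.
RUNTIME = b"RUNTIME_INIT_STUB_v1.0;"
SAMPLES = {
    "famA_s1": RUNTIME + b"cfg:decrypt_rc4(key=0x1337);beacon:http_post(/gate)",
    "famA_s2": RUNTIME + b"cfg:decrypt_rc4(key=0x1337);beacon:dns_txt()",
    "famB_s1": RUNTIME + b"inject:apc_queue();beacon:http_post(/gate)",
    "famC_s1": RUNTIME + b"wiper:overwrite_mbr()",
}


def ngrams(data, n=8):
    """Set of all n-byte substrings of a sample (its 'code fragments')."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def build_connections(samples, benign=(RUNTIME,), n=8, min_shared=5):
    """Return {(a, b): shared_count} for every pair of samples that share
    at least min_shared fragments after known-benign fragments are removed."""
    whitelist = set().union(*(ngrams(b, n) for b in benign))
    fragments = {name: ngrams(data, n) - whitelist for name, data in samples.items()}
    edges = {}
    for a, b in combinations(sorted(samples), 2):
        shared = fragments[a] & fragments[b]
        if len(shared) >= min_shared:
            edges[(a, b)] = len(shared)
    return edges


if __name__ == "__main__":
    for (a, b), count in build_connections(SAMPLES).items():
        print(f"{a} <-> {b}: {count} shared fragments")
```

With these inputs the two famA samples are strongly linked (same config-decryption routine), famA_s1 and famB_s1 are linked through the shared HTTP beacon code, and famC_s1 is isolated. Real analyses work on disassembled or normalized code rather than raw bytes and use far larger whitelists, but the filtering step is what keeps a common runtime from turning every sample into one big cluster.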

Enjoy the report!

Pierluigi Paganini

(SecurityAffairs – Russian APT, hacking)

The post Study shows connections between 2000 malware samples used by Russian APT groups appeared first on Security Affairs.

Czech Intelligence ‘s report attributes major cyber attack to China

The Czech Intelligence agency blames China for a major cyber attack that hit a key government institution in the Czech Republic in 2018.

According to a report published by the NUKIB Czech Intelligence agency, China carried out a major cyber attack on a key government institution in the Czech Republic last year.

The report issued by the NUKIB agency states that the attack “was almost certainly carried out by a state actor or a related group,” and “a Chinese actor” is the main suspect.

In August 2019, a parliamentary committee in the Czech Republic revealed that the National Cyber and Information Security Agency blamed a foreign state for a cyber attack that targeted the Czech Foreign Ministry.

The committee did not reveal the name of the state allegedly involved in the attack. A government source told Reuters that Czech authorities suspected the attacks originated from Russia. Czech experts discovered the security breach in early January 2017.

Interior Minister Jan Hamacek told the CTK news agency that government infrastructure had been dealing with the cyber attack for several months.

Czech intelligence warns of cyber attacks launched by both Chinese and Russian threat actors.

“The Czech cabinet is due to discuss the findings on Monday.” reported the AFP press. “NUKIB spokesman Radek Holy told AFP the watchdog would not make the report public until then.”

Pierluigi Paganini

(SecurityAffairs – Czech Intelligence, hacking)

The post Czech Intelligence ‘s report attributes major cyber attack to China appeared first on Security Affairs.

A new Fancy Bear backdoor used to target political targets

Security experts at ESET have uncovered a new campaign carried out by Russia-linked Fancy Bear APT group aimed at political targets.

Security researchers at ESET have uncovered a new campaign carried out by the Russia-linked Fancy Bear APT group (aka APT28, Sednit, Sofacy, Zebrocy, and Strontium) aimed at political targets.

In the recent attacks, the hackers used a new set of malicious payloads, including a backdoor written in a new language.

The Fancy Bear APT group has been active since at least 2007 and has targeted governments, militaries, and security organizations worldwide. The group was also involved in the attacks that targeted the 2016 US Presidential election.

“On August 20th, 2019, a new campaign was launched by the group targeting their usual victims – embassies of, and Ministries of Foreign Affairs in, Eastern European and Central Asian countries.” reads the analysis published by ESET.

“As predicted by other fellow researchers, the Sednit group added a new development language in their toolset, more precisely for their downloader: the Nim language. However, their developers were also busy improving their Golang downloader, as well as rewriting their backdoor from Delphi into Golang.”

The threat actors used phishing messages containing a malicious attachment that launches a long chain of downloaders, ending with a backdoor.

Figure 1. Chain of compromise overview – Source ESET

The phishing messages carry an attached document that is blank but references a remote template, wordData.dotm, hosted on Dropbox. When the victim opens the document in Word, it downloads wordData.dotm and incorporates it into the document’s working environment, including any active content the template may contain.

“The wordData.dotm file contains malicious macros that then are executed. (Depending on the Microsoft Word version, the VBA macros are disabled by default and user action is required to enable them.) It also contains an embedded ZIP archive that the macros dropped and extracted.” continues the report.
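The remote-template trick leaves a fingerprint that can be checked before the document is ever opened: the attached template is declared as an external relationship in `word/_rels/settings.xml.rels` inside the .docx package. The following is an added example (not ESET’s code or a sample from the campaign) that builds a minimal document with such a relationship in memory and then detects it; the template URL is a placeholder, not the real Dropbox link.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML relationship namespace and the relationship type Word uses for an
# attached (.dotm) template.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")

# Targets Word would fetch from outside the package: http(s), file:// and UNC paths.
REMOTE_TARGET = re.compile(r"^(https?|file)://|^\\\\", re.I)


def build_docx(template_target=None, external=True):
    """Constructed for this example: a minimal 'blank' .docx. If template_target
    is given, settings.xml.rels declares it as the attached template, marked
    External unless external=False (a template stored inside the package)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/settings.xml", "<w:settings/>")
        if template_target is not None:
            mode = ' TargetMode="External"' if external else ""
            z.writestr(
                "word/_rels/settings.xml.rels",
                f'<Relationships xmlns="{REL_NS}">'
                f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                f'Target="{template_target}"{mode}/></Relationships>')
    return buf.getvalue()


def find_remote_templates(docx_bytes):
    """Return every external attachedTemplate target declared in the .docx."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        rels_path = "word/_rels/settings.xml.rels"
        if rels_path not in z.namelist():
            return hits  # no settings relationships at all: nothing to attach
        root = ET.fromstring(z.read(rels_path))
        for rel in root.iter(f"{{{REL_NS}}}Relationship"):
            if rel.get("Type") != ATTACHED_TEMPLATE:
                continue
            target = rel.get("Target", "")
            # A template inside the package is normal; only an external
            # target makes Word reach out over the network on open.
            if rel.get("TargetMode") == "External" and REMOTE_TARGET.match(target):
                hits.append(target)
    return hits


if __name__ == "__main__":
    sample = build_docx("https://example.invalid/remote/wordData.dotm")  # placeholder URL
    print(find_remote_templates(sample))
```

Run over an attachment quarantine, a non-empty result is a strong signal: a blank document has no legitimate reason to pull its template from a file-sharing service, and the check costs nothing because the macros are never executed.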

The attacks analyzed by ESET involved several downloaders written in different languages, including one written in Nim, a language new to the group’s toolset. Nim is a statically typed, compiled systems programming language that combines concepts from mature languages like Python, Ada and Modula.

The downloader written in Nim is quite light in terms of its data-gathering capabilities, compared with previous Golang downloaders.

In August, the threat actors also used for the first time a new backdoor written in Golang; the malware has many similarities with the Delphi backdoors used in previous attacks.

Experts pointed out that six modules are fetched in the attack chain before the final Golang backdoor. The malware is able to steal sensitive data from the infected machine and take screenshots every 35 seconds during the first few minutes of infection. The backdoor is also able to install additional payloads.

“It seems that the Sednit group is porting the original code to, or reimplementing it in, other languages in the hope of evading detection,” ESET concludes. “It’s probably easier that way and it means they do not need to change their entire TTPs [Tactics, Techniques and Procedures]. The initial compromise vector stays unchanged, but using a service like Dropbox to download a remote template is unusual for the group.”

Pierluigi Paganini

(SecurityAffairs – APT, hacking)

The post A new Fancy Bear backdoor used to target political targets appeared first on Security Affairs.

TortoiseShell Group targets IT Providers in supply chain attacks

Symantec spotted a new threat actor, tracked as TortoiseShell, that is compromising IT providers to target their specific customers.

Symantec researchers spotted a new threat group, tracked as TortoiseShell, that is compromising IT providers to target their specific customers. The group was first spotted in 2018, but experts speculate that it has been active for a longer time.

Symantec identified a total of 11 organizations hit by the threat actor, most of them based in Saudi Arabia; in two of them, the attackers gained domain admin-level access.

“A previously undocumented attack group is using both custom and off-the-shelf malware to target IT providers in Saudi Arabia in what appear to be supply chain attacks with the end goal of compromising the IT providers’ customers.” reads the analysis published by Symantec.

In two of the attacks carried out by the TortoiseShell group, the threat actor infected hundreds of hosts. This is anomalous behavior that suggests the attackers were searching for specific machines of interest.

https://twitter.com/threatintel/status/1174427878089351168

The group used both custom malware and off-the-shelf hacking tools in its campaigns, including a custom backdoor dubbed Syskit that was discovered on August 21.

Syskit is a simple backdoor that can download and execute additional payloads and commands; Symantec found variants written in both Delphi and .NET.

The malicious code collects machine information (IP address, operating system name and version, and MAC address) and sends it to the C&C server Base64-encoded. The malware supports several commands, such as downloading other malware and launching PowerShell to unzip a file or run commands in the Command Prompt console.
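Base64 is an encoding, not encryption, so a beacon like the one described above is easy to surface in proxy or web-server logs. The following is an added example written for this post (not Symantec’s tooling and not real Syskit traffic): it decodes the request body of each logged POST and scores it against the three fields Syskit is reported to collect. The log format, hosts and bodies are constructed for the example.

```python
import base64
import binascii
import re

# Constructed sample proxy log lines (not captured traffic). Fields: timestamp,
# client IP, method, URL, and the raw request body as the proxy logged it.
SAMPLE_LOGS = [
    "2019-08-21T10:01:05Z 10.0.0.15 POST http://c2.example.invalid/gate.php body="
    + base64.b64encode(
        b"10.0.0.15|Microsoft Windows 10 Pro 10.0.17763|00-1A-2B-3C-4D-5E").decode(),
    "2019-08-21T10:01:09Z 10.0.0.16 POST http://intranet.example.invalid/api body="
    + base64.b64encode(b'{"user":"alice","action":"login"}').decode(),
    "2019-08-21T10:02:00Z 10.0.0.17 POST http://cdn.example.invalid/x body=notbase64!!",
]

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) body=(\S+)$")

# Indicators of a host fingerprint: a MAC address, a Windows version string,
# and an IPv4 address.
MAC_RE = re.compile(r"\b([0-9A-F]{2}[-:]){5}[0-9A-F]{2}\b", re.I)
OS_RE = re.compile(r"\bWindows\b.*?\b\d+\.\d+(\.\d+)?\b", re.I)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def try_b64(s):
    """Strictly decode s as Base64 text; None if it is not valid Base64/UTF-8."""
    try:
        raw = base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return None


def fingerprint_score(text):
    """Number of fingerprint indicators (0..3) present in decoded text."""
    return sum(1 for pattern in (MAC_RE, OS_RE, IP_RE) if pattern.search(text))


def find_fingerprint_beacons(lines, threshold=2):
    """Return the logged POSTs whose Base64 body looks like a host fingerprint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, client, method, url, body = m.groups()
        if method != "POST":
            continue
        decoded = try_b64(body)
        if decoded is None:
            continue  # not Base64 (or binary): out of scope for this check
        score = fingerprint_score(decoded)
        if score >= threshold:
            hits.append({"time": ts, "client": client, "url": url,
                         "decoded": decoded, "score": score})
    return hits


if __name__ == "__main__":
    for hit in find_fingerprint_beacons(SAMPLE_LOGS):
        print(hit["time"], hit["client"], "->", hit["url"], "|", hit["decoded"])
```

The threshold of two indicators keeps ordinary Base64 payloads (API tokens, JSON blobs) from firing; the one line that decodes to an IP, an OS version and a MAC address is the one worth pivoting on, and its destination host becomes the block-list candidate.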

The group was observed using other publicly available tools, including:

    • Infostealer/Sha.exe/Sha432.exe
    • Infostealer/stereoversioncontrol.exe
    • get-logon-history.ps1

The two infostealers collect details about the machine they landed on and “Firefox data of all users of the machine.”

“Infostealer/stereoversioncontrol.exe downloads a RAR file, as well as the get-logon-history.ps1 tool. It runs several commands on the infected machine to gather information about it and also the Firefox data of all users of the machine. It then compresses this information before transferring it to a remote directory. Infostealer/Sha.exe/Sha432.exe operates in a similar manner, gathering information about the infected machine.” continues the report.

“We also saw Tortoiseshell using other dumping tools and PowerShell backdoors.”

The experts pointed out that the initial infection vector used by the Tortoiseshell group is not clear, but they speculate that the attackers compromise web servers to gain access to the target network. In one case, the first indication of malware on the victim’s network was a web shell, likely used to compromise the web server.

“On at least two victim networks, Tortoiseshell deployed its information gathering tools to the Netlogon folder on a domain controller. This results in the information gathering tools being executed automatically when a client computer logs into the domain.” continues Symantec.

In one of the targeted organizations, Symantec experts observed the presence of Poison Frog, a PowerShell-based backdoor associated in the past with operations carried out by the Iran-linked OilRig APT group (a.k.a. APT34, HelixKitten).

However, the presence of Poison Frog is not sufficient to attribute the attacks to OilRig, because the source code of the backdoor was publicly released in April 2019, before the victim was compromised.

“The targeting of IT providers points strongly to these attacks being supply chain attacks, with the likely end goal being to gain access to the networks of some of the IT providers’ customers.” concludes Symantec.

“This provides access to the victims’ networks without having to compromise the networks themselves, which might not be possible if the intended victims have strong security infrastructure, and also reduces the risk of the attack being discovered.”

Pierluigi Paganini

(SecurityAffairs – APT, Tortoiseshell)

The post TortoiseShell Group targets IT Providers in supply chain attacks appeared first on Security Affairs.

Security Affairs newsletter Round 232

A new round of the weekly newsletter arrived! The best news of the week with Security Affairs

Hi folks, let me inform you that I have suspended the newsletter service; anyway, I’ll continue to provide you with a list of published posts every week through the blog.

Once again thank you!

A bug in Instagram exposed user accounts and phone numbers
Delaler Leads, a car dealer marketing firm exposed 198 Million records online
Drone attacks hit two Saudi Arabia Aramco oil plants
A flaw in LastPass password manager leaks credentials from previous site
Astaroth Trojan leverages Facebook and YouTube to avoid detection
Data leak exposes sensitive data of all Ecuador’s citizens
France and Germany will block Facebook’s Libra cryptocurrency
MobiHok RAT, a new Android malware based on old SpyNote RAT
Tor Project’s Bug Smash Fund raises $86K in August
Australia is confident that China was behind attack on parliament, political parties
Backup files for Lion Air and parent airlines exposed and exchanged on forums
Experts found 125 new flaws in SOHO routers and NAS devices from multiple vendors
Experts warn of the exposure of thousands of Google Calendars online
Fraudulent purchases of digital certificates through executive impersonation
Memory corruption flaw in AMD Radeon driver allows VM escape
More than 737 million medical radiological images found on open PACS servers
Skidmap Linux miner leverages kernel-mode rootkits to evade detection
United States government files civil lawsuit against Edward Snowden
At least 1,300 Harbor cloud registry installs open to attack
Emotet is back, it spreads reusing stolen email content
Smominru Botnet continues to rapidly spread worldwide
Commodity Malware Reborn: The AgentTesla Total Oil themed Campaign
Crooks hacked other celebrity Instagram accounts to push scams
Magecart attackers target mobile users of hotel chain booking websites
Two selfie Android adware apps with 1.5M+ downloads removed from Play Store
U.S. taxpayers hit by a phishing campaign delivering the Amadey bot
5 Cybersecurity Trends in the Professional Services Sector
Iran denies successful cyber attacks hit infrastructures of its oil sector
MMD-0063-2019 – Summarize report of three years MalwareMustDie research (Sept 2016-Sept 2019)
One of the hackers behind EtherDelta hack also involved in TalkTalk hack

Pierluigi Paganini

(SecurityAffairs – newsletter)

The post Security Affairs newsletter Round 232 appeared first on Security Affairs.

Iran denies successful cyber attacks hit infrastructures of its oil sector

In recent hours, some Western media reported destructive cyber attacks against infrastructure in the Iranian oil sector, but Iran has denied it.

Last week, drone attacks hit two major oil facilities run by the state-owned company Aramco in Saudi Arabia, one of them the Abqaiq site.

Western governments and Saudi Arabia blamed Iran for the attacks.

Immediately after the attacks on the Saudi oil facilities, experts speculated that cyber attacks against Iranian oil infrastructure would escalate in retaliation.

Today Iran denied that its oil infrastructure had been successfully hit by cyber attacks.

“Contrary to Western media claims, investigations done today show no successful cyber attack was made on the country’s oil installations and other crucial infrastructure,” reads a statement published by the government’s cyber security office.

Despite the statement, security experts believe that a cyber offensive against Iranian infrastructure is ongoing.

According to NetBlocks, an organization that tracks internet outages, the country suffered limited, intermittent disruptions of internet connectivity.

The cause of the outage affecting online industrial and government platforms is not clear, but NetBlocks noted that it would be consistent with a cyber attack.

“Data are consistent with a cyber attack or unplanned technical incident on affected networks as opposed to a purposeful withdrawal or shutdown incident,” NetBlocks added.

In June, after media reported a cyber offensive launched by the US against Iran, Tehran stated that no alleged cyber attack against its infrastructure had ever succeeded.

The Iranian telecommunications minister Mohammad Javad Azari Jahromi labeled the activity against its state as “cyber terrorism — such as Stuxnet — and unilateralism — such as sanctions”.

Pierluigi Paganini

(SecurityAffairs – Iran, hacking)

The post Iran denies successful cyber attacks hit infrastructures of its oil sector appeared first on Security Affairs.

Australia is confident that China was behind attack on parliament, political parties

Australia’s intelligence agencies are confident that China is behind the cyberattacks that hit its parliament and political parties, but the government decided not to publicly accuse it.

According to Reuters, Australian intelligence has evidence that the attacks that hit its parliament and political parties were orchestrated by China. However, the Australian government decided not to publicly accuse Beijing in order to preserve trade relations with it.

Reuters cited five sources within Australian intelligence who attributed the attacks on the national parliament and the three largest political parties, carried out before the general election in May, to China-linked hackers.

“Australia’s cyber intelligence agency – the Australian Signals Directorate (ASD) – concluded in March that China’s Ministry of State Security was responsible for the attack, the five people with direct knowledge of the findings of the investigation told Reuters.” reported the Reuters.

“The report, which also included input from the Department of Foreign Affairs, recommended keeping the findings secret in order to avoid disrupting trade relations with Beijing, two of the people said.”


Australia disclosed the attacks in February; at the time, experts speculated the involvement of a nation-state actor without attributing the attacks to a specific threat actor.

China is Australia’s biggest trading partner, and it is not surprising that its government gathers intelligence on it. Beijing denied any involvement in the attacks, and China’s Foreign Ministry pointed out that its country is also the target of numerous attacks.

“When investigating and determining the nature of online incidents there must be full proof of the facts, otherwise it’s just creating rumors and smearing others, pinning labels on people indiscriminately. We would like to stress that China is also a victim of internet attacks,” the Ministry told the Reuters.

“China hopes that Australia can meet China halfway, and do more to benefit mutual trust and cooperation between the two countries.”

When the Australian authorities discovered the attacks, the IT staff forced a password reset for every person working at the parliament.

According to information collected by Reuters, the hackers accessed private emails and policy papers from members of the Liberal, National and Labor parties.

Australian experts shared their findings with the United States and the United Kingdom, the latter sent a team of cyber experts to Canberra to help investigate the attack.

“Australian investigators found the attacker used code and techniques known to have been used by China in the past, according to the two sources.” concludes the Reuters report.

Pierluigi Paganini

(SecurityAffairs – Australia, hacking)

The post Australia is confident that China was behind attack on parliament, political parties appeared first on Security Affairs.

Poland to establish Cyberspace Defence Force by 2024

Poland announced it will launch a cyberspace defence force by 2024, composed of around 2,000 soldiers with deep expertise in cybersecurity.

Polish Defence Minister Mariusz Blaszczak has approved the creation of a cyberspace defence force by 2024; it will be composed of around 2,000 soldiers with deep expertise in cybersecurity.

The news was reported by AFP. Blaszczak announced that the cyber command unit would start its operations in 2022.

“We’re well aware that in today’s world it’s possible to influence the situation in states by using these methods (cyberwar),” Mariusz Blaszczak told local media at a military cyber training centre in Zegrze.


The defence ministry is already looking for talent with the help of the HackYeah hackathon, offering cash prizes to the most skilled hackers. HackYeah is one of the most important hacking events in Europe and, according to the Polish government, it will attract many talented people and steer young people toward a new profession.

The Ministry also added that Poland would have enough IT graduates by 2024 to provide the force with 2,000 personnel qualified in cyberdefense.

“Poland’s defense ministry is already looking for talent by partnering with the HackYeah hackathon to offer a total of 30,000 zlotys (6,900 euros, $7,650) in cash prizes for top hackers, according to a post the ministry’s website.” states the AFP agency.

Pierluigi Paganini

(SecurityAffairs – Poland, Cyberspace Defense Force)

The post Poland to establish Cyberspace Defence Force by 2024 appeared first on Security Affairs.

Major Web Hosting Hazards You Should Take Seriously

“I’ve read on my web hosting provider’s website that they have a good security solution in place to protect me against hackers.”

This is a pretty common answer that a lot of bloggers and small business owners give me when I ask them whether they know how secure their web hosting is. They often add that their budgets are pretty tight, so they’ve chosen to go with “an affordable provider.” By “affordable,” of course, they mean “ridiculously cheap.”

Come on, people.

Do you really think that a cheap web hosting provider has everything in place to stop a website attack? Do you think that they will protect you from all types of hacker attacks?

While I don’t know everything about how web hosting providers choose security solutions, I can tell you with some confidence that a lot of them have laughable solutions.

If you don’t believe me, you can Google something like “Hacked website stories” and you’ll see that many web hosting companies, from some of the cheapest to even some well-known ones – don’t have adequate security solutions in place. As a result, lots of people have lost their websites. These horror stories are quite common, and even a simple Google search can return a lot of them.

Shocking Stats

Unfortunately, hackers are becoming more and more skilled at what they do, and stats support this. If you visit the live counter of hacked websites on Internet Live Stats, you’ll discover that at least 100,000 websites are hacked DAILY (for example, I visited the counter at 7:07 pm and it showed that 101,846 websites have been hacked since 12 am).

From what I saw on Internet Live Stats, I could tell that one website was hacked every second. This is horrible, and one of the bad things about this was that many of the owners of these websites thought that they were protected by their web hosting provider.

The next bad thing about all of this is that the number of websites hacked daily is getting higher. For example, there were about 30,000 websites hacked a day in 2013 according to this Forbes piece, but as we could see on the live counter, this number has more than tripled in 2019. If this negative trend continues, then we could easily see even more website owners losing their business on a daily basis very soon.

While this information is certainly alarming, website owners are typically to blame for the fact that their website was stolen from them (not trying to be rude here at all). If we dig a little bit deeper into the data on hacked websites, we discover that many use ridiculously simple passwords, poor hosting providers, outdated content management systems (CMS), and do other unwise things that help hackers get in.

For example, many bloggers want to focus on content writing, editing, and lead building rather than think about stuff like hosting. While content proofreading is something they could get help with by using numerous online tools like, Grammarly and Hemingway Editor, getting quality assistance with a hacked website is a whole new ballgame.

Next, there’s an issue with passwords. According to a recent survey by the UK’s National Cyber Security Centre (NCSC), 23.2 million web accounts they’ve analyzed had “123456” as a password. Moreover, about 7.7 million people relied on “123456789” for protection of their data, while “password” and “qwerty” were also quite popular with about 3 million users each.

While a password is something that could be changed in a matter of seconds to protect your site against brute force attacks, it may not protect you from most cyber threats. This is the responsibility of a hosting provider, and unfortunately, a lot of people disregard this requirement for web security.

That’s why we’re going to talk about hosting security issues that you should protect your site from.

How Web Hosting Affects the Security of Your Website

Before we talk about major web hosting hazards, let’s quickly discuss the connection between the security of your website and the web hosting you’re using. I’m going to say this right away: choosing a web hosting provider is one of the most important decisions you’ll make when setting up for your website, and the implications go way beyond security.

For example, if you’re a blogger or a business owner, you’ll get:

  • A high level of protection against hackers. “This means that you’ll be able to concentrate on content creation,” says Peter O’Brien, a content specialist from Studicus. “If I selected a poor host, I wouldn’t spend so much doing the creative stuff, that’s for sure”
  • A fast loading time. People don’t like to wait; in fact, Google claims that websites that load within 5 seconds have 70 percent longer visitor sessions, 35 percent lower bounce rates, and 25 percent higher ad viewability compared to websites that load in between 5 and 19 seconds. That’s why Google released the mobile-first indexing update and designed its own PageSpeed Insights tool to help users optimize the performance of their websites
  • High reliability and uptime. Most web hosting companies claim that the websites they service are online for 99.9 percent of the time, but the real time can vary and depends on the quality of the provider.
  • Better security. This one means that different web hosting providers have different security packages, therefore the websites they power have different protection from hackers. Moreover, a good host can help you to recover quickly in case if you’ve suffered an attack.

Let’s talk a little bit more about the last bullet point. So, how can one tell that their hosting provider is poor? That’s pretty easy:

  • Slow loading times. If your website takes more than five seconds to load, chances are that its performance is affected by a hosting provider that has put a lot of sites onto one server
  • Frequent security issues. If your website doesn’t have backups and suffers from various cyber attacks often, then you should definitely talk to your provider (make sure that your passwords aren’t the problem)
  • Regular unexpected downtime. A poor choice of a web hosting provider often leads to this problem, which, in turn, is often caused by overloaded servers. In other words, the provider simply can’t handle the volume of visitors that your website (and other websites hosted on that server) are experiencing.

So, to sum up, the quality of hosting is essential for the success of your online venture, and making a poor choice can lead to disappointing outcomes (just remember the figures from the live counter again). But with so many websites getting hacked on a daily basis, what do you need to know to protect your own one? Read the next section to know.

Beware of these Major Web Hosting Hazards

  1. Shared Hosting Issues

Shared hosting is a tricky business, and you don’t know how many websites are on the server where your own one lives. It’s quite possible that the number is quite high, up to a thousand, and this could be one of the reasons why your website might be underperforming.

For example, this discussion thread had some interesting information on this. A person asked how many websites are typically served on one shared server, and some of the answers were astonishing! For example, one user responded by writing the following.

Can you believe it? 800 websites on one server! Talk about performance issues, right?

While I realize that a single server can host up to several thousand websites, can you imagine what would happen if at least ten of them are high-traffic ones? Think crashes, slow loading times, unplanned downtime, and lots of other issues.

Since people are always looking to save costs, chances are that shared hosting issues will continue to impact a lot of websites.

  2. Attacks that Exploit an Outdated Version of PHP

It’s a known fact that about 80 percent of all websites in 2018 ran on PHP. However, security support for PHP 5.6 ended on 31 December 2018, meaning that all support for any version of PHP 5.x is now gone. In other words, sites that fail to update won’t get any security patches, bug fixes, or updates.

However, recent reports suggest that this news didn’t trigger any massive move to newer versions of PHP. For example, according to Threat Post, about 62 percent of websites whose server-side language is known are still running PHP version 5. Here are the full data.

Source: Threat Post

“These sites probably include old libraries that haven’t had the joy of an update…” the abovementioned Threat Post post cited a web security expert, as saying. “The libraries probably have bugs and security holes in themselves, never mind the hosting platform or the website code itself. In some cases library code can be updated easily, others not.”

For hackers looking for some business, this means that they have a lot of work to do. Can you imagine it: since the beginning of this year, more than 60 percent of websites stopped getting security updates!

“Faced with the urgent requirement to update the PHP version, a lot of websites owners will make a corresponding request for their web hosting providers,” shares Sam Bridges, a web security specialist from Trust My Paper. “This means that the latter will face a flood of support requests, which could translate into a slow pace of the update process.”

On top of that, some providers may not be willing to notify their users about the requirement to update their PHP versions, so a lot of websites may still be using outdated ones in the next few years.

Well, hopefully you’re not going to be one of them.

  3. More Sophisticated DDoS Attack Techniques

DDoS attacks are nothing new. However, they are still a common type of cyberweapon used against websites and should be considered when choosing a hosting provider. In fact, the situation here is a lot more complicated than one might think.

For example, Kaspersky’s research suggests that the total number of DDoS attacks decreased by 13 percent in 2018, which may seem like a positive signal to many.

The comparison of the number of DDoS attacks between 2017 and 2018. Source: Kaspersky

Unfortunately, the stats don’t provide the big picture here. According to Kaspersky, hackers are reducing the number of attempts to break into websites using DDoS attacks, but they are turning to more advanced and sophisticated attack techniques.

For example, it was found that the average length of attacks has increased from 95 minutes in the first quarter of 2018 to 218 minutes in the fourth quarter of 2018. While it means that the protection against this kind of attacks is getting better, it also suggests that the malefactors are becoming more selective and skilled.


For example, 2018 saw the biggest DDoS attacks in history; one of them hit a U.S.-based website with a 1.7 Tbps assault (that is, the attackers overwhelmed the site with a massive wave of traffic peaking at 1.7 terabits per second!), according to The Register.

Source: The Register

Therefore, we may see an increase in unresponsive websites due to DDoS attacks in the next years (clearly, not a lot of websites can survive an attack like this one), as hackers deploy more sophisticated techniques.

Since a lack of DDoS-protected hosting is a major risk factor in this situation, make sure that your hosting provider has this protection in place.

Stay Protected

Web hosting is not the first thing that many website owners think about when setting up their businesses, but it’s definitely one that could make or break them. The success of your venture ultimately depends on the uptime, loading time, and overall reliability of your website, so being aware of the threats that you can face in the nearest future could help you to avoid losing your website and joining those 100,000+ unfortunate sites owners who get their sites hacked every day.

Hopefully, this article was a useful introduction to the importance of web hosting and the risks that come with it. Remember: if you want your data to be protected, pay attention to existing and emerging risks now and make appropriate decisions. Eventually, this will pay off by maximizing the uptime and reliability of your website.


Dorian Martin is a frequent blogger and an article contributor to a number of websites related to digital marketing, AI/ML, blockchain, data science and all things digital. He is a senior writer at WoWGrade, runs a personal blog NotBusinessAsUsusal and provides training to other content writers.

The post Major Web Hosting Hazards You Should Take Seriously appeared first on CyberDB.

The real impact: how cybercrime affects more of your business than you think

Some businesses – usually those that have never experienced any kind of major IT incident – think of cybercrime as an inconvenience. They may believe that if their company is hacked it will cause some disruption and perhaps an embarrassing news story, but that ultimately the breach will have only a minor effect.

However, the truth is that cybercrime can have a huge range of unexpected consequences. Here we take a look at the real impact of a breach – cybercrime might affect you a lot more than you think.

It loses customer confidence

When you suffer a cyberattack it becomes common knowledge very quickly. Whether your site is taken offline or Google places a ‘hacked site’ warning against you, customers will learn fast that you have been compromised. And when a potential customer hears that you have been breached, they will immediately associate you with the attack, deeming your site to be unsafe to use.

Under the General Data Protection Regulation (GDPR) it is also a legal requirement for you to inform any customers whose data has been affected by the breach within 72 hours of becoming aware of it. This further erodes the confidence of those customers who have already used your services or bought from your site.

It costs you sales

No business wants to lose the confidence of its customers, most importantly because it will naturally have an effect on your sales. If – in the eyes of your customers – your site can’t be trusted, they will stop using it and move on to a competitor. This means that before you take anything else into account, you will be losing business simply because you have been a victim of cybercrime.

Of course, if the cybercrime takes your website offline, you will also lose any potential transactions over that period – but the more crucial factor is the long-term effect of customers believing that you are no longer safe to buy from.

It costs a lot of money

Cyber attacks can be extremely costly for a variety of reasons. We have already talked about the kind of disruption to trading that will occur when any kind of cybercrime takes place, but it is actually a lot more complicated than that. Firstly, many forms of cybercrime will directly steal money from a business. This could come in the form of a phishing attack on a member of staff, or even a business email compromise attack.

However, there are also other costs to consider, such as the financial ramifications of dealing with the hack and securing your business. And of course, any trust lost among your partners or suppliers can lead to you losing them.

It weakens your SEO efforts

You might not realise it, but cybercrime can have a serious impact on your search engine optimisation (SEO). There are many reasons for this – firstly, if Google believes your site is hacked, it can place a ‘hacked site’ warning in the listings. Additionally, many hacks will actually alter or steal content from your site, and website content is one of the most important ranking factors in the eyes of all search engines.

Another important factor is downtime. If Google sees that your website is down for a significant period of time, this is a negative ranking factor and can see your site slide down the rankings. Any cybercrime will cause downtime, as you will need to take your site offline in order to fix the issues and return it to normal.

It causes problems with compliance

We have already mentioned the GDPR in this article, and how it can force you to disclose cyber breaches to any affected individuals. However, it is important to remember that compliance with the GDPR and other regulations can itself become an issue if you suffer a cyberattack.

Under the GDPR, businesses are required to take appropriate steps to protect themselves against attacks, in order to secure the private information that they hold on customers. Failing to do so can put you at risk of heavy fines from the ICO.

It loses your intellectual property

Another extremely common occurrence during a cyberattack is that intellectual property will be stolen. Given the incredible value of IP to some businesses, such as in technology or pharmaceutical firms, it can be easy to see how stolen IP could make a business unsustainable.

If your organisation relies upon the secrecy of its IP, then you need to make sure you are taking appropriate steps to defend that IP against cybercrime.

The post The real impact: how cybercrime affects more of your business than you think appeared first on CyberDB.