Category Archives: Expert Comments

80 Percent Of Spear Phishing Attacks Involve Brand Impersonation

Following the news that cybersecurity firm Barracuda Networks has published a report on spear phishing which reveals that over 80% of attempts involve brand impersonation, Corin Imai, Senior Security Advisor at DomainTools commented below.

Corin Imai, Senior Security Advisor at DomainTools:

“Unfortunately, aside from investing in efficient email filtering software, there is little that organisations and private individuals can do to keep phishing emails out of their inbox. Criminals have learnt that the best way to get victims to click on links or to disclose personal information is to elicit an emotional response, which is why they often choose to impersonate recognised and trusted brands that the receiver is likely to have a connection with. Additionally, when language of urgency is used, people are instinctively brought to take action and are more prone to letting their guard down and responding to whatever call to action the email prompts. Recognising that this is how malicious actors operate is the starting point to counteract spear phishing campaigns. Organisations should aim to protect themselves by investing in awareness programmes that teach employees to recognise the markers of an attack and warn them against sharing personal information online.”


The ISBuzz Post: This Post 80 Percent Of Spear Phishing Attacks Involve Brand Impersonation appeared first on Information Security Buzz.

Russian Hackers Target EU Elections

It has been reported today that Russian hackers have targeted European government systems ahead of the EU parliament election. According to researchers, two state-sponsored hacking groups, APT28 and Sandworm, used spear phishing — the practice of sending out emails designed to look like they’re from a trusted party — in an attempt to obtain government information.

Anjola Adeniyi, Technical Manager for EMEA at Securonix: 

“The attacks on the EU elections are yet another example of phishing being used as a method to obtain sensitive government information and attack high value targets. As a result, it is vital that all EU government employees are empowered to mitigate these scams. 

Hackers will carry out reconnaissance on their targets to make their scams look legitimate, so even if employees are confident that an email is genuine, it is better to practice caution and be safe, rather than sorry. 

Impersonating a given domain is a common method used for phishing and other malicious activities – DMARC protects against this type of phishing attack, which the European government should consider if it hasn’t already done so.” 
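As an added illustration of the DMARC recommendation above (this code is not part of the original comment or the Information Security Buzz post), the following Python parses a domain's published DMARC TXT record and reports whether it actually enforces a policy against spoofed mail or only monitors it. The records and the mailbox address are constructed samples.

```python
"""Assess a DMARC TXT record for enforcement strength.

Added example: parses the tag=value syntax of a DMARC record and reports
whether mail that fails authentication for the domain would be rejected,
quarantined, or merely reported on. The records below are constructed
samples, not data from any real domain.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

VALID_POLICIES = {"none", "quarantine", "reject"}


@dataclass
class DmarcAssessment:
    valid: bool
    policy: Optional[str] = None
    subdomain_policy: Optional[str] = None
    pct: int = 100
    enforcing: bool = False
    findings: List[str] = field(default_factory=list)


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=...' into a tag dictionary.

    Tags are separated by ';'. Tag names are lower-cased; values keep
    their case but lose surrounding whitespace.
    """
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> DmarcAssessment:
    """Return an assessment describing how much protection the record gives."""
    result = DmarcAssessment(valid=False)
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        result.findings.append(str(exc))
        return result
    # Receivers ignore a record unless its first tag is exactly v=DMARC1.
    first_tag = record.split(";", 1)[0].replace(" ", "").lower()
    if first_tag != "v=dmarc1":
        result.findings.append("record does not start with v=DMARC1")
        return result
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        result.findings.append("missing or invalid p= tag")
        return result
    result.valid = True
    result.policy = policy
    # sp= defaults to the organisational policy when absent.
    result.subdomain_policy = tags.get("sp", policy).lower()
    # pct= defaults to 100; anything lower leaves a share of failing mail unaffected.
    try:
        result.pct = int(tags.get("pct", "100"))
    except ValueError:
        result.pct = 100
        result.findings.append("pct= is not an integer; treating as 100")
    if policy == "none":
        result.findings.append("p=none only monitors; spoofed mail is still delivered")
    elif result.pct < 100:
        result.findings.append(f"only {result.pct}% of failing mail is subject to p={policy}")
    if result.subdomain_policy == "none" and policy != "none":
        result.findings.append("sp=none leaves subdomains unprotected")
    if "rua" not in tags:
        result.findings.append("no rua= address: aggregate reports will not be received")
    result.enforcing = policy in {"quarantine", "reject"} and result.pct == 100
    return result


# Constructed sample records (the mailbox domain is a reserved placeholder).
SAMPLE_RECORDS = {
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc@example.invalid",
    "partial": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.invalid",
    "enforced": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.invalid",
    "broken": "p=reject; v=DMARC1",
}

if __name__ == "__main__":
    for label, rec in SAMPLE_RECORDS.items():
        a = assess_dmarc(rec)
        print(f"{label}: valid={a.valid} enforcing={a.enforcing} findings={a.findings}")
```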


Fake CDC Emails Warning Of Flu Pandemic Push Ransomware

A new malspam campaign is being conducted that pretends to be from the Centers for Disease Control and Prevention (CDC) about a new flu pandemic. Attached to the emails is a malicious attachment that, when opened, will install the GandCrab v5.2 ransomware on the target’s computer.

First discovered by MyOnlineSecurity, these emails are being sent from email addresses that impersonate the “Centers for Disease Control and Prevention” and have a subject line of “Flu pandemic warning”. These emails state that there is a flu pandemic and that recipients should read the attached document to help prevent its spread.

Roy Rashti, Cyber-security Expert at Bitdam:

“These kinds of attackers always attempt to reach as many end-user inboxes as possible, as some of the targeted end-users will not actually receive the malicious attachment, and out of those that do, not all of them will open it. To overcome this and bypass the variety of security solutions that are familiar with macro-attacks currently in the market, attackers try to be as creative as possible.”

“In order to protect from this kind of attack, cyber education and awareness is essential. People need to treat any email they receive with suspicion. However, the creativity and sophistication of social engineering methods used by attackers means that they are usually one step ahead of their targets, so a security solution that is able to detect a wide variety of attacks must be used to prevent them from appearing in the inbox in the first place.” 


Bank Payment Scams Claim 84,000 Victims

The BBC has today reported that scams in which criminals trick bank customers into paying them money out of their bank accounts jumped by 45% in the second half of last year. Over the whole of last year, more than 84,000 bank customers fell victim, some losing tens of thousands of pounds. Banks say scam merchants are shifting their attention from trying to penetrate banking systems to conning members of the public directly. Businesses are being targeted as well, with a similar sharp rise to £209m in suspicious transfers unwittingly authorised by staff members.

Lisa Baergen, Director at NuData Security:

“The magnitude of these losses can’t help but have a dampening effect on the UK economy. It’s also bad news for customers, who often bear the brunt of many direct costs (especially in account takeover and identity theft). Fraud is becoming a tempting promise of high reward and low prosecution rates. Emboldened cybercriminals are becoming more technology savvy and are increasingly posing as banks or suppliers and then duping customers into revealing their personal details. These scams have also proved effective in targeting commercial organisations, as senior executives have been tricked into revealing sensitive information which enables access to a company network. The increasing volume of attacks globally has also been attributed to more data available on the black market and more financial institutions and merchants vulnerable to attacks. 

To detect out-of-character and potentially fraudulent transactions before they can create a financial nightmare for consumers – and for companies – many institutions are adopting new authentication methods that hackers can’t deceive. Multi-layered solutions based on passive biometrics and interactional signals are leading the way to provide more safety for consumers and less fraud in the marketplace. These solutions identify machines from humans, and legitimate users from fraudsters by looking at their inherent behaviour – instead of relying on the static data presented. This process lets organisations fast-track the known and low-risk users for an optimal experience, saving the friction and traditional authentication methods for the highest risk users. These layers validate the user through information that hackers can’t replicate, securing the good user’s transaction at every step.” 


Police Federation Breach

It has been reported that the Police Federation of England and Wales (PFEW) has confirmed that it has been dealing with a ransomware attack on its computer systems. The PFEW was able to respond quickly to a cyber-security alert on Saturday 9th March, with cyber experts rapidly reacting to isolate the malware to stop it from spreading to PFEW branches.

Expert Comments Below:  

Anjola Adeniyi, Technical Leader at Securonix: 

“The attack on the Police Federation shows that anyone can become a victim of a ransomware attack. Based on available information, the Police Federation has isolated the malware, which is a good step in preventing it spreading deeper into the network. To prevent these types of attacks, organisations should teach and practise good cyber hygiene, and enable their organisation to avert social engineering attacks.”


Tim Erlin, VP of Product Management & Strategy at Tripwire:

“Every organization should have a plan in place for a successful ransomware attack. While prevention is preferred, the reality is that no security control is perfect. The key to responding to a ransomware attack is to detect quickly, limit the spread and restore systems back to a trusted state. Functional backups are key to recovery, but so is a clear understanding of how systems are configured. Finally, restoring from backups is only useful if you can close the attack vector that allowed the ransomware to gain a foothold in the first place.” 


Experts Comments: Facebook Employees Had Access To Hundreds Of Millions Of User Passwords In Plain Text For Years

The passwords of millions of Facebook users were accessible by up to 20,000 employees of the social network, it has been reported. 

Security researcher Brian Krebs broke the news about data protection failures, which saw up to 600 million passwords stored in plain text. 

Experts Comments Below: 

Paul Bischoff, Privacy Advocate at Comparitech:

“Storing passwords in plaintext seems like a rookie mistake for one of the largest internet companies in the world. Hashing and salting passwords so they are not readable and cannot be turned back into a readable format has been standard practice for many years. 

Although Facebook says there were no signs of abuse, it seems unlikely that none of the alleged 20,000 employees with access to those passwords even once poked around where they shouldn’t have. Facebook says it won’t require password resets until it does find signs of abuse, but I would recommend changing your account password, anyway. Be sure to use a password that’s at least 12 characters, uses a combination of numbers, symbols, and upper- and lower-case letters, and is unique to your Facebook account.” 

Adam Laub, SVP Product Management at STEALTHbits Technologies:

“If everyone leveraged strong, unique passwords and changed them frequently, this type of news might not be treated quite the same. However, in all likelihood, whether these passwords were around for 10 minutes or 10 years, the username and password combinations would still be valid. If not on Facebook, then almost assuredly on some other site.  

“This is just another example of why password hygiene matters. If compromised, this dataset would have likely led to the identity theft of, at a minimum, thousands, if not many, many millions of people.”

Colin Bastable, CEO at Lucy Security:

“We keep hearing that encryption will fix the problems of cyber insecurity – but this surely demonstrates why that is a pipe dream. Someone decided to leave these passwords in the clear, probably for convenience. People can always find a reason not to deploy encryption, and all it takes is one weak link to break the chain of trust. 

So anyone still relying on Facebook, or any social media business, to guard their passwords and PII data is terminally optimistic. 

The bigger picture is that it’s clear that hundreds of millions of consumers value likes, up-votes, faux friends and convenience over privacy.  

Millions recycle the same three, four or five passwords between all social media accounts as well as their bank and employer accounts. 

With so many passwords and usernames being traded by cybercriminals on the Dark Web, and with so much personal information being voluntarily made public by consumers, businesses must assume that they are vulnerable to attack via their employees’ email and work-time online presence. The employees of third parties such as consultancies also introduce significant risks. Employers large and small should deploy MFA, test and train all staff relentlessly, and have a plan for when they get hacked.”

Stephen Cox, Chief Security Architect at SecureAuth:

“The discovery is just another indication that our continued reliance on passwords is not sustainable and fails consumers. Decades of experience shows us that the password is an archaic method of authentication, often not under the control of the user, and simply isn’t enough to satisfy today’s threat landscape. Not only are many organizations using poor hygiene when storing passwords, a large portion of these passwords are already widely available on the dark web due to previous massive breaches. The reality is that people reuse passwords across multiple websites and password leaks can have far reaching consequences. 

“With the trend of password leakage and the resulting credential misuse on the rise, organizations must evolve and adopt modern approaches to identity security, one that improves security posture but takes care to keep the user experience simple. We need to move beyond the password, and basic two-factor authentication methods, to modern adaptive risk-based approaches that leverage real-time metadata and threat detection techniques to improve end-user trust. The goal should be rendering stolen credentials useless to an attacker.”  

Emmanuel Schalit, CEO at Dashlane:

“Passwords are to the digital age what seatbelts were to the auto industry. They protect your identity, finances, and other critical personal information now that most of this information resides in the Cloud.

“Although Facebook claims that the internal exposure of these passwords means that they were not compromised, the fact remains that they were not encrypted and were exposed for years. Because the impact is still unknown, we would recommend changing your password on Facebook immediately. In fact, all Facebook users should take this opportunity to also make sure all of their passwords are strong across all of their accounts. In practice the ideal password is one that is a unique and random string of letters and numbers that can be randomly and securely generated.

“You may not be able to control the security architecture of the digital services you use every day and that hold so much of your data, but you can take measures to make sure you have optimal password hygiene. This is the digital version of the “containment” doctrine. One example is using a password manager with a Password Changer capability; this can be easily done, and used to instantly generate and change your passwords with a single click – ensuring proper and regular cyber hygiene.

“As demonstrated here, you never know when your account may have been exposed and your information vulnerable – regular and proper password hygiene is not just for breaches.” 

Sam Curry, Chief Security Officer at Cybereason:

“Passwords in a flat file for anyone to read?! Are you kidding me? Give me a break! Everyone, including Facebook, has tech debt and security debt that piles up. But that’s not an excuse any longer. Facebook is starting to look like critical social infrastructure, where their responsibility is to the public. It’s past time to go back and clean the skeletons out of the closets. How can we trust this platform to get bigger and get more connected under the hood if they can’t do the basic blocking and tackling right? Facebook needs a security strategy for the 21st century, not the 20th century.”

Pravin Kothari, CEO at CipherCloud: 

“Personal information such as passwords should be encrypted and protected, absolutely never stored in the clear. With all of the emerging regulations on data protection and privacy of individuals, such as the EU GDPR (General Data Protection Regulation) and the California Consumer Privacy Act of 2018, which takes effect in 2020, exposing such PII data may open the organization to violations and penalties.”


ZOLL Medical Device Data Breach Caused By Third Party

Medical device company ZOLL has announced a data breach of patient information involving a third-party provider, stating: 

On January 24, 2019, ZOLL learned of a data security incident that impacted the personal and medical information of some patients. As a precaution, ZOLL is providing this notice to make potentially affected patients aware of the incident and provide information on actions ZOLL has taken in response, resources available to impacted patients, and steps they can take to protect themselves. ZOLL’s email is archived by a third-party service provider to comply with record retention and maintenance requirements, policies, and procedures. Some personal information was included in the email communications stored by the third-party service provider.  

Matan Or-El, CEO at Panorays:

“This latest data breach illustrates the importance of monitoring the cybersecurity posture of third parties that do business with healthcare providers. These providers hold some of our most sensitive and confidential data: personal and demographic information, financial statements, health details and insurance policies. Attackers can use this information for identity theft, insurance fraud, financial gain, or even blackmail. 

Often the best way for hackers to reach this information is through third parties, who have access to healthcare organizations’ data but lack adequate security to guard it. 

For this reason, assessing and continuously monitoring healthcare organizations’ third-party security is critical.” 


Windows, Netflix Users Hit By Targeted Phishing Campaigns

In response to reports from Windows Defender Security Intel that AmEx and Netflix customers are being hit with well-crafted phishing campaigns to get their credit card information, an expert with Centripetal Networks offers thoughts.

Colin Little, Senior Threat Analyst at Centripetal Networks: 

Phishing emails are one of the highest-risk intrusion methods to date. They are easy to craft, easy to deploy; they are aimed at our broadest, weakest attack surface: the endpoint, and its user. They are designed to make us afraid that if we don’t click on that link or open that attachment something bad will happen. Cyber criminals have been extremely successful at both designing the lure and monetizing their success, despite their re-use of techniques and themes such as threatening our Netflix accounts or suggesting something may be amiss with our credit or identity. Some contemporary security and awareness tips to keep in mind:

First, there are many places in the phishing kill chain for our own security intelligence, tools and TTPs to keep these malicious emails away from our user. These tools are a strong Enterprise mitigation. 

Also, a security awareness program that trains users on how and why to identify phishing emails is both essential and fundamental. If our users are the broadest attack surface, their preparation for this attack is our best defense.

And if you or your users are just not sure if an email is legitimate or not, address the potential issue in a separate dialogue. Start a new email chain (such as to the Netflix help desk, in this example) using an address you obtain from the site. Address the inquiry in a different medium, such as calling the vendor support line. Or, the recipient can open the applicable app (if one’s available) on their smartphone and check their credit or account status.


New Carbanak Malware Attacks

ZDNet is reporting that the notoriously well-known threat group Fin7, also known as Carbanak, is back with a new set of administrator tools and never-before-seen forms of malware.  Fin7 has been active since at least 2015 and since the group’s inception has been connected to attacks against hundreds of companies worldwide.   

Byron Rashed, Vice President of Marketing at Centripetal:  

“Fin7 demonstrates how highly organized cyber gangs have become. The group has successfully infiltrated a number of business sectors where they can monetize their malicious activity. Many of these gangs are structured like Fortune 500 companies, with a CEO, CFO and members that specialize in various forms of malware, ransomware, phishing schemes, etc. Usually these gangs are multinational and reside in countries where there are no extradition treaties, which in turn gives them freedom from prosecution.

Since their attacks are highly sophisticated, it is best to block certain geo regions where these threat actors are located. Many organizations are hesitant to block IPs and domains because they believe it will interfere with the operation of their business. However, in reality, it is easy to unblock trusted sources that could have once been malicious while erring on the side of caution. Despite the capture of some members, Fin7 will continue to be one of the most sophisticated, successful and innovative cyber gangs.”


MyPillow And Amerisleep Hit By Magecart

Cybersecurity researchers at RiskIQ discovered two newly identified Magecart attacks targeting the bedding retailers MyPillow and Amerisleep. Magecart is a term used to describe different hacking groups specialised in implanting malicious code on e-commerce websites. Magecart injected digital card skimmers into the retailers’ websites to steal payment information at the checkout page.

Expert Comments Below:  

Rusty Carter, VP Product Management at Arxan Technologies:  

“The MyPillow and Amerisleep breaches are another two to add to the long list of businesses continuing to fall victim to Magecart and web vulnerabilities that turn eCommerce sites into delivery mechanisms for data stealing malware. In these particular cases, the Magecart hackers were on their websites for several months, with MyPillow first being hacked on 26th October, and Amerisleep being first accessed by hackers almost two years ago, in April of 2017, according to RiskIQ’s research. 

Consumers continue to become the victims of theft due to web vulnerabilities, especially those running in the browser, which go undetected by businesses for extensive periods of time, as demonstrated by both MyPillow and Amerisleep. The long-lasting effects of theft against consumers are met with minimal corrections from many businesses and a lack of accountability.

With GDPR and other privacy and data protection regulations coming into effect, it is disappointing to see breach after breach affecting consumers and their private information, but it shows that the traditional security approaches are insufficient to properly protect consumers and their data. Businesses need to protect the applications that customers interact with, where they are most vulnerable (in the user’s machine / browser) and not just in the datacentre. If businesses want to sleep well at night and know they are keeping consumer data safe, they need to be bumping website and application security to the top of their agenda.” 


Google Photos Bug Exposed The Location & Time Of Users’ Pictures

It has been reported that a vulnerability in the web version of Google Photos allowed websites to learn a user’s location history based on the images stored in the account. The flaw affected the Google Photos search endpoint, which allows users to quickly find pictures based on aggregated metadata, such as geo-location and date of creation, and on an artificial intelligence algorithm that can recognize objects and people’s faces after they’ve been tagged.

For the attack to work, victims need to be lured to load a malicious website while they are logged into Google Photos. This is hardly an obstacle, considering how many people use Gmail and that a Google Account signs you into all Google services. 

Expert Comments:

Paul Bischoff, Privacy Advocate at Comparitech:

“Although this vulnerability has now been patched, geo-tagging photos can still be a physical security risk. Adding geo-tags to photos you post online can alert criminals to your whereabouts, which can lead to burglaries, among other crimes. The best way to avoid this is by removing the location permission from both your camera app and the Google Photos app. To strip location info from a photo you already took, open the photo in the Google Photos app and click the three dots in the top right corner, then tap Info. Scroll down to view and remove the geo-tag from a photo.”


New Mirai Botnet Is Coming For Your Connected Screens

A strain of the botnet malware Mirai has emerged focused on a wider set of embedded internet-connected devices. Researchers at Palo Alto this week stated that a variant of the notorious Internet-of-Things infector is now looking to hijack TVs and projectors designed to display information and adverts, as well as the usual broadband routers, network-attached storage boxes, and IP-enabled cameras and digital video recorders. 

Tim Mackey, Senior Technical Evangelist at Synopsys:

“When deploying an IoT device of any type, the three most important questions need to be:

  • Have we configured strong credential access?
  • What is our update strategy for firmware changes?
  • What URLs and IP address does the device need for its operation?

The Mirai botnet works by exploiting known vulnerabilities within the toolchain or operating framework of the IoT device and weak credentials. When IoT devices are deployed within a business environment, best practice dictates a separate network segment known as a VLAN should be used. This then allows for IT teams to monitor for both known and unknown traffic impacting the devices. It also allows teams to ensure that network traffic originates from known locations. For example, if a conference room projector is accessible via WiFi, the network the device uses should be restricted to only internal and authenticated users. Public access to the device should always be restricted. Following this model, exploit of the device would then require a malicious actor to first compromise a computer belonging to an authenticated user. Regular IT audits of IoT networks should then be performed to ensure only known devices are present and with the devices’ identification mapped back to an asset inventory containing a current list of firmware versions and a list of open source components used within that firmware. This open source inventory can then be used to understand when an open source vulnerability impacting a library used within the firmware has a published vulnerability. Armed with this information, a proactive update and patching model can be created for corporate IoT devices.”
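An added example of the audit and inventory model described above (illustrative code, not Synopsys' or any vendor's tooling): each device in a constructed asset inventory records its firmware version and the open source components inside that firmware, a constructed advisory feed lists affected version ranges, and two checks report which devices need an update and which devices seen on the IoT VLANs are not in the inventory at all. All device names, versions and advisory ids are made up placeholders.

```python
"""Map IoT devices to firmware components and flag known-vulnerable builds.

Added example: the inventory, the observed-device list and the advisories
are all constructed placeholders. Versions are plain dotted integers so
they compare numerically.
"""
from typing import Dict, List, Tuple

# Constructed asset inventory: device -> VLAN, firmware, embedded components.
INVENTORY = {
    "projector-conf-room-3": {
        "vlan": "iot-display",
        "firmware": "2.4.1",
        "components": {"busybox": "1.27.2", "libupnp": "1.6.18"},
    },
    "nvr-lobby": {
        "vlan": "iot-camera",
        "firmware": "5.0.0",
        "components": {"busybox": "1.31.0", "openssl": "1.1.1"},
    },
    "nas-finance": {
        "vlan": "iot-storage",
        "firmware": "7.2.3",
        "components": {"openssl": "1.0.2"},
    },
}

# Constructed advisory feed: a component is affected when
# introduced <= version < fixed. Ids are placeholders, not real advisories.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "component": "libupnp", "introduced": "1.0.0", "fixed": "1.8.0"},
    {"id": "ADV-EXAMPLE-0002", "component": "busybox", "introduced": "1.20.0", "fixed": "1.28.0"},
    {"id": "ADV-EXAMPLE-0003", "component": "openssl", "introduced": "1.0.0", "fixed": "1.1.0"},
]

# Constructed result of a periodic scan of the IoT VLANs.
OBSERVED_DEVICES = ["projector-conf-room-3", "nvr-lobby", "nas-finance", "unlabelled-device-7"]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.10.2' into (1, 10, 2) so that 1.10.2 > 1.9.0 as expected."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version: str, advisory: dict) -> bool:
    """True when the version falls inside the advisory's affected range."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def vulnerable_components(components: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (component, version, advisory id) for every matching advisory."""
    hits = []
    for advisory in ADVISORIES:
        version = components.get(advisory["component"])
        if version is not None and is_affected(version, advisory):
            hits.append((advisory["component"], version, advisory["id"]))
    return hits


def patch_report(inventory: dict = INVENTORY) -> Dict[str, List[Tuple[str, str, str]]]:
    """Devices whose firmware embeds a component with a published advisory."""
    report = {}
    for name, device in inventory.items():
        hits = vulnerable_components(device["components"])
        if hits:
            report[name] = hits
    return report


def unknown_devices(observed: List[str], inventory: dict = INVENTORY) -> List[str]:
    """Devices seen on the IoT VLANs that the asset inventory does not know about."""
    return sorted(set(observed) - set(inventory))


if __name__ == "__main__":
    for name, hits in patch_report().items():
        print(f"{name}: update needed ->", ", ".join(f"{c} {v} ({a})" for c, v, a in hits))
    print("not in inventory:", unknown_devices(OBSERVED_DEVICES))
```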


UK Unprepared For Cyber Attacks Against CNI

It has been reported that, according to the National Audit Office (NAO), the UK government has “failings” in the way it is planning to protect the UK’s critical infrastructure from cyber-attacks. The warning came in an NAO assessment of the UK’s national cyber-defence plan. The government is increasingly worried that these essential sectors will be targeted by foreign states seeking to disrupt UK life. Modern life was now “totally dependent” on cyber-security, said one expert.

Andrea Carcano, Co-Founder and Chief Product Officer at Nozomi Networks:

“These findings are representative of the challenges organisations are facing with regards to protecting operational technology, not just within CNI. The scale of the challenge should not be underestimated.  

The skills shortage in engineering and particularly cyber security within the Operational Technology space plays a significant role in the inability to effectively secure the problem. Organisations must quickly understand what technology they have in their environment and how that ecosystem functions. Once an organisation has this information they can prioritise controls to preserve the availability of essential services. 

It is also true that if existing protection mechanisms are inadequate, then in the short-term organisations should ensure they achieve a high level of visibility into their networks in order to identify threats that are active in the network.  

The recent NIS directive should begin to help drive organisations to implement continuous improvement programs for cyber security. The key is to ensure organisations correctly interpret their obligations with regards to NIS and are equipped to be effective in controlling security risks.” 


Payment Service Directive (PSD2) And Security

The Payment Services Directive (PSD2) will go into effect with some new rules in September of 2019 and could have some unexpected consequences, according to a report from iovation and Aite Group. The report says the new, stricter requirements for fraud prevention could push more fraud towards the US.

Ryan Wilk, VP of Customer Success at NuData Security:

“Regardless of PSD2 regulations, every financial organization around the globe should be reassessing their processes and security layers as fraud becomes more sophisticated and more successful. Consumer privacy is also a top priority with more organizations caring about consumer data, protection, and data sharing. Leveraging behavioral biometrics in a layered security authentication framework is a way to identify customers by their online behavior instead of credentials, thus protecting customers’ identities. This authentication framework ensures a smooth and easy customer experience while blocking fraudulent transactions.”


Top London Attractions Suffered Over 100 Million Attacks

Following the news that London’s top tourist attractions, such as Kew Gardens and the Natural History Museum, have been hit by over 100 million cyber attacks in the past few years, please see a comment below from Jake Moore, cyber security specialist at ESET.

Jake Moore, Cyber Security Specialist at ESET:

“Hackers may assume that popular tourist attractions will have weaker cyber security, with less money spent on keeping their data safe than other institutions such as banks or large technology businesses. 

The tourism industry hosts a huge amount of personally identifiable information, and if there is potentially less security, it makes for a highly profitable target for criminal gangs to penetrate. 

Moreover, businesses that have not inherently been focused on cyber security since their foundation typically tend to be on the back foot when it comes to increasing their protection and are more likely to fall victim to attacks.”


SSH Client PuTTY Security Patches

It has been reported that SSH client PuTTY has received numerous security patches. The fixes implemented on PuTTY over the weekend include new features plugging a plethora of vulns in the Telnet and SSH client, most of which were uncovered as part of an EU-sponsored HackerOne bug bounty. 

Gavin Millard, VP of Intelligence at Tenable:

“Initiatives, such as the EU’s sponsored bug hunt on a ubiquitous piece of software like PuTTY, are so important. While the bugs discovered appear to be relatively tame or restricted to unreleased versions of the software, the value from the code having been reviewed cannot be underestimated.  

“Often open source projects are run by a small group of volunteers who are bogged down in the detail which often means identifying flaws is difficult. Having an external audit not only improves the code and experience for the people using the program, but also helps the creators learn where weaknesses are introduced that can be transferred to the next project.” 

Gnosticplayers Drops 4th Round Of Stolen Records On DreamMarket

In response to the news that the hacking group Gnosticplayers has just dropped a 4th round of stolen records on the dark web market DreamMarket, experts with OneSpan, Centripetal Networks and CyberSaint offer perspective.

Byron Rashed, VP of Marketing at Centripetal Networks:

“This is a classic example of a highly skilled and motivated threat actor that has successfully infiltrated networks and exfiltrated high value data for sale in the underground economy. There are actually two issues. The first is organizations that fail to block or identify malicious IPs and domains. Network infiltration can be greatly mitigated by blocking these malicious sources. The second is the failure to protect [encrypt] data with strong encryption. Data not encrypted or weakly encrypted enables the threat actor to fully monetize the caches he is selling, making it highly profitable and more attractive to potential buyers.”

John Gunn, CMO at OneSpan:

The frequent and recurrent instances of anonymous hackers selling large quantities of stolen identities emphasize the profound impunity of these crimes. Using modern hacking tools, criminals can operate with little risk of being caught or ever brought to justice and the result is billions of dollars of losses. To me, this is a strong argument in favor of allowing counter attacks against these anonymous parties by state and private organizations.


George Wrenn, CEO at CyberSaint Security:

“After four rounds of user records being put up for sale by this entity, there is a clear pattern that speaks to the way we utilize personal data today. This data — 26M records — was obtained within just the past few months. This is not a small incident, as mass amounts of individuals’ personal data is being sold. If anyone had any doubts before, this example should convince them that data truly is the new currency.”   


On Norsk Hydro Cyber Attack

One of the world’s biggest aluminium producers has switched to manual operations at its Norwegian smelting facilities following a cyber-attack. Hydro, which employs more than 35,000 people in 40 countries, says the attack began on Monday night and is ongoing. A spokesman told the BBC that he could not yet confirm what type of cyber-attack the Norwegian firm was facing, or who was behind it.

Expert Comments Below: 

Tim Mackey, Senior Technical Evangelist at Synopsys: 

I sincerely hope that Norsk Hydro details the attack methods and nature of the cyberattack they are experiencing. Given they are shutting down operations at some of their plants implies those plants had control system access from the internet or from computers connected to the internet. Minimally, this attack provides a lesson in the value of both network segmentation and ensuring that threat models are created, assuming the threat comes from an internal source. With increasingly sophisticated attacks, organizations must assume attackers could compromise internal systems as easily as they might attempt to breach a firewall into a production system.

Piers Wilson, Head of Product Management at Huntsman Security:

“The attack on Norsk Hydro highlights the risks faced by all parts of national critical infrastructure and major industry – from energy to manufacturing. The attack could potentially affect resource production in Norway, Qatar and Brazil – meaning the attackers have been able to cause maximum disruption on a global scale for, potentially relatively little effort. This is a stark reminder that it doesn’t matter what your line of business is, you are still reliant on IT systems and could still be on a hackers ‘hit list’.

“We now live in an era where traditional defences – firewalls, anti-virus etc. can’t provide full coverage when faced with determined or targeted attack: there is often no easy way to block every potential threat at the perimeter or in key IT server systems, and trying to do so will just result in teams becoming overwhelmed by the sheer volume of potential attacks. Businesses need to go beyond blocking attackers; and augment this with intelligent and rapid detection, containment and mitigation. This means having first class, automated threat and security intelligence capabilities that can manage the deluge of potential problems with intelligent analytics – sorting real threats from the background noise of systems and network operation, and freeing up security analysts to deal with the issues as effectively and efficiently as possible.”

Tom Kranz, Head of Cyber Lab at 6point6:  

Having switched to manual operations, it would appear at this stage to be an IoT attack that has gone for their control equipment. Yet while we often discuss IoT attacks in terms of botnets, the cyber attack on Norsk Hydro throws into sharp relief that we do not put enough focus on the supply chain disruption that can be caused. In this case, not just aluminium smelting, but the construction of actual components for wider industry has been shut down. With the global push towards “Just in Time” manufacturing and more efficient mass-production processes, an IoT attack of this scale against a single company has the potential to have a disruptive and harmful impact to multiple industries on a worldwide scale.

Machines and devices across the Industrial Internet of Things (IIoT) network need to be treated in the same way as any other untrusted, insecure device; namely as a segregated network, with ingress and egress filtering and monitoring. There should be no direct access to the general Internet, and indirect access must use encryption with a high level of logging and monitoring to mitigate risks of cyber attack. As IIoT devices have such simple communications and data flows, configuring SIEM and TVM solutions to keep closer scrutiny on the IIoT segregated network and its data flows is also essential. Security must be front and centre, especially when it comes to inter-reliant industries and production lines.

Andrea Carcano, Co-founder and CPO at Nozomi Networks:

“As industrial organisations continue to modernise infrastructure and introduce internet-enabled technology into plants to improve efficiencies, security requirements are changing and must be a top priority.

While these new digital processes can offer significant benefits to industrial organisations, they also provide new opportunities for attackers, as potential entry-points into networks.

As industrial organisations automate and digitise plant floors, the security of these new processes must be forethought to reduce the risks of potential attacks.”

Adam Vincent, CEO at ThreatConnect:

“This latest attack is proof that Britain’s manufacturing industry faces a serious challenge. Manufacturing is often targeted by both opportunist and targeted hackers, looking for an easy target or a specific set of intellectual property. In 2018, for example, it was reported that nearly half of UK manufacturers were hit by a cyber security incident.

“Digital transformation is increasingly visible on the factory floor, and IP-connected robots are increasingly replacing manned and manual workflows. That means that the average facility now has countless more potential access points for cyberattacks – and a successful breach can halt production in its tracks for many hours, causing serious financial and reputational damage.

“Nevertheless, across the manufacturing sector, awareness of the cybersecurity challenge and the implementation of appropriate preventive measures are highly varied. Manufacturers need to ensure that their cybersecurity capabilities are not just an afterthought.

“We’re firm believers in an ‘all for one, one for all’ approach towards cyber security. We need to see an increase in intelligence-sharing between businesses so they can collectively combat the common cyber-enemy. It’s essential that potential targets understand as much as they can about the threats they face. The more you know, the better you’ll be able to respond to a new threat.

“With comprehensive information-sharing and process automation in place, manufacturers can rest assured that their valuable IP and production lines are still well defended.”

Spencer Young, RVP EMEA at Imperva:

“While the source of this attack has not been identified, local media in Norway have reported that the attack is likely due to a relatively new form of ransomware known as LockerGoga.

As is the case with any ransomware attack, there is no guarantee that if you pay the ransom your data will be recovered.

Planning ahead and being prepared for attacks will make organisations much more resilient and able to cope if the worst should ever happen. However, the reality is that the odds are in the attacker’s favour, and a lot of times – like this incident, they are successful in their intrusions.

Hydro’s next steps will be critical in determining the extent of impact this attack has on the company’s databases, files and cloud applications. The company should focus primarily on identifying and quarantining impacted users, devices and systems so as to control the data breach proactively.

Having a strategy that takes into account what happens when a cyberattack occurs, whether it’s ransomware or another method, is essential to resiliency, especially in industries where information is critical and downtime can have significant global impact.

Attacks such as this one bring to light the importance of protecting your data. Organisations – no matter the size or industry – should have robust technology solutions in place that are able to sense ransomware file access and curb potential attacks before they take place, so access and downtime can be limited.”

Chris Morales, Head of Security Analytics at Vectra:

“While the situation for Norsk Hydro is severe as the entire worldwide network is down, which means the attack was able to propagate internally very quickly, I do at least commend Norsk Hydro’s incident response process.

The important thing here is that breaches happen, and for manufacturing and energy who are large adopters of industrial internet of things, ransomware has become an unfortunate problem that can easily knock a manufacturing or energy plant offline. Norsk Hydro is not the first to suffer from a ransomware attack in the energy sector. Ideally it would be good to be able to detect and respond to attacks before they cause damage, but many companies simply are not in that state of capability yet.

From a response process, it is good that Norsk Hydro executive management immediately, within 24 hours, reached out to the public and have been open about their current state. Norsk Hydro had a backup plan to keep operating using manual processes. It is also fortunate that Norsk Hydro has backups of all their data to recover to their original state once they can recover from this attack.

Granted, when they recover is the biggest factor here. With an attack this widespread impacting the entire global network, they could be down for days.”

Tim Erlin, VP at Tripwire:  

“Right now, there’s a lot of missing information on this attack. The things we don’t know outweigh the things we do know, and that generally means there will be a lot of speculation. 

After the last couple of years, no one should doubt that a cyberattack can directly impact your business. This is another reminder to spend the time and money on preparation and prevention. If you are an executive at any business, ask yourself what your organization would be doing right now if you were Hydro.” 

Nozomi Networks Labs’ Analysis:

What is LockerGoga?  

LockerGoga is ransomware able to encrypt files having any of the specific extensions listed below: 

doc, dot, wbk, docx, dotx, docb, xlm, xlsx, xltx, xlsb, xlw, ppt, pot, pps, pptx, potx, ppsx, sldx, pdf 

The extension types are an indicator that the main goal of the threat actor is to encrypt files containing important data for the users. In fact, at the end of the encryption phase a file called README-NOW.txt is dropped inside the filesystem containing the following message: 

  • Greetings! 
  • There was a significant flaw in the security system of your company. 
  • You should be thankful that the flaw was exploited by serious people and not some rookies. 
  • They would have damaged all of your data by mistake or for fun. 
  • Your files are encrypted with the strongest military algorithms RSA4096 and AES-256. 
  • Without our special decoder it is impossible to restore the data.  
  • Attempts to restore your data with third party software as PhotorecRannohDecryptor etc. 
  • will lead to irreversible destruction of your data. 
  • To confirm our honest intentions. 
  • Send us 2-3 different random files and you will get them decrypted. 
  • It can be from different computers on your network to be sure that our decoder decrypts everything. 
  • Sample files we unlock for free (files should not be related to any kind of backups). 
  • We exclusively have decryption software for your situation 
  • DO NOT RESET OR SHUTDOWN – files may be damaged. 
  • DO NOT RENAME the encrypted files. 
  • DO NOT MOVE the encrypted files. 
  • This may lead to the impossibility of recovery of the certain files. 
  • To get information on the price of the decoder contact us at: 
  • The payment has to be made in Bitcoins. 
  • The final price depends on how fast you contact us. 
  • As soon as we receive the payment you will get the decryption tool and 
  • instructions on how to improve your systems security 

The message states that in order to have the files back, the user is forced to pay a ransom using Bitcoin cryptocurrency. 

How does it Work? 

The malware encrypts the files with the targeted extensions and soon after drops the ransom note inside the filesystem, providing the user with the steps he/she must take in order to get the files back. It follows the classic approach present in most ransomware malware. 

The malware is not able to spread itself to other targets. It seems to implement some anti-analysis techniques in order to hide itself from analysts; for example, it seems to detect the presence of a Virtual Machine and have the capability to delete itself from the filesystem trying to avoid the sample collection. 

Considering the fact that the attackers were not interested in adding custom and complex capabilities (C&C, DNS beaconing, etc.) we can assume the scope was merely disruptive and did not have an espionage intent. 

Some researchers suggested (Nozomi Networks Labs has not confirmed) that the attackers could have used Active Directory as a mechanism for spreading the malware: [possible scenario] an attacker that was already able to infect a targeted system registered in the Domain Admin Group could have placed the malicious executable in the Netlogon directory so that it could be automatically propagated to every Domain Controller (lots of firewalls accept Active Directory by default) —NorCERT confirmed this. 

How do you know if you’re infected with it? 

The targeted files will be encrypted and the extension .locked will be appended at the end of the filenames. 

Other notes 

This particular incident (with Hydro) is a great lesson from an incident response perspective: they made a live stream with a brief on the attack and they’re keeping all informed using their Facebook channel. 

Please note: Some of the technical info reported above has been extracted doing Nozomi Networks Labs preliminary analysis of the sample with the SHA256: 
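As an added example (not Nozomi Networks Labs' code), a Python sweep for the two host-side indicators the analysis names: files renamed with the `.locked` suffix and the dropped README-NOW.txt note, tallied by original extension against the list above. The sample directory tree it builds is constructed for demonstration.

```python
"""Sweep a directory tree for the LockerGoga indicators named above: files
renamed with a trailing ".locked" extension and the README-NOW.txt ransom
note. Added example, not Nozomi Networks Labs' code; the sample tree is
constructed for demonstration."""
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extension list reported for LockerGoga in the analysis above.
TARGETED_EXTENSIONS = {
    "doc", "dot", "wbk", "docx", "dotx", "docb", "xlm", "xlsx", "xltx",
    "xlsb", "xlw", "ppt", "pot", "pps", "pptx", "potx", "ppsx", "sldx", "pdf",
}
RANSOM_NOTE_NAME = "README-NOW.txt"
ENCRYPTED_SUFFIX = ".locked"


def classify_path(path):
    """Return ("note", None), ("encrypted", original_extension) or None."""
    name = Path(path).name
    if name == RANSOM_NOTE_NAME:
        return ("note", None)
    if name.endswith(ENCRYPTED_SUFFIX):
        original = name[: -len(ENCRYPTED_SUFFIX)]
        # The original extension is whatever followed the last dot before ".locked".
        ext = original.rsplit(".", 1)[1].lower() if "." in original else ""
        return ("encrypted", ext)
    return None


def sweep(root):
    """Walk `root` and summarise the .locked files and ransom notes found."""
    notes, encrypted, by_ext = [], [], Counter()
    for dirpath, _dirnames, filenames in os.walk(root):
        for filename in filenames:
            path = os.path.join(dirpath, filename)
            kind = classify_path(path)
            if kind is None:
                continue
            if kind[0] == "note":
                notes.append(path)
            else:
                encrypted.append(path)
                by_ext[kind[1]] += 1
    targeted_hits = sum(n for ext, n in by_ext.items() if ext in TARGETED_EXTENSIONS)
    return {
        "ransom_notes": notes,
        "encrypted_files": encrypted,
        "by_original_extension": dict(by_ext),
        "targeted_extension_hits": targeted_hits,
        # Both indicators together: a note was dropped and targeted-type files were renamed.
        "lockergoga_indicators_present": bool(notes) and targeted_hits > 0,
    }


def build_sample_tree(base=None):
    """Create a constructed sample tree (in a fresh temp dir when `base` is None)."""
    base = Path(base) if base else Path(tempfile.mkdtemp(prefix="lockergoga-demo-"))
    (base / "finance").mkdir(parents=True, exist_ok=True)
    (base / "finance" / "q1-report.xlsx.locked").write_bytes(b"\x00" * 16)
    (base / "finance" / "budget.docx.locked").write_bytes(b"\x00" * 16)
    (base / "finance" / "notes.txt").write_text("untouched plain file")
    (base / "archive.zip.locked").write_bytes(b"\x00" * 16)  # .zip is not on the list
    (base / RANSOM_NOTE_NAME).write_text("Greetings! ...")
    return base


if __name__ == "__main__":
    result = sweep(build_sample_tree())
    print(f"ransom notes: {len(result['ransom_notes'])}")
    print(f"encrypted files: {len(result['encrypted_files'])} "
          f"(targeted types: {result['targeted_extension_hits']})")
    print("LockerGoga indicators present:", result["lockergoga_indicators_present"])
```

Point `sweep()` at a file share or backup snapshot rather than a live endpoint where possible; the note above warns that the malware deletes itself, but renamed files and the note survive for triage.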


Chris Doman, Security Researcher at AT&T Cybersecurity: 

“NOR-CERT is publicly reporting the malware responsible is LockerGaga, which was recently in the news for an attack against an Engineering firm. The description of the attack from NOR-CERT so far sounds like the attackers manually deployed the malware after gaining access to the networks. The take-down of a number of different geographic locations is reminiscent of the kind of damage seen in incidents like NotPetya.”

Kathmandu Clothing Retailer Probes Possible Card Skimming Data Breach

Outdoor clothing retailer Kathmandu announced that it is investigating a potential breach of customer card data harvested from its websites. In a statement posted to the New Zealand Exchange (NZE), the firm said it was notifying potentially affected customers directly, advising them to contact their banks and card providers: “Kathmandu has recently become aware that between January 8, 2019 NZDT and February 12, 2019 NZDT, an unidentified third party gained unauthorized access to the Kathmandu website platform,” it said. “During this period, the third party may have captured customer personal information and payment details entered at check-out.” 

Although the cause is still unclear, several reports note that the fact that card data appears to have been taken from customers as details were entered at check-out aligns with Magecart-based attacks.  

Matan Or-El, CEO at Panorays:

“Once again, a possible Magecart cyberattack illustrates just how quickly and easily hackers can steal customers’ personal information and payment details. Such attacks also demonstrate what can happen without effective and comprehensive risk management. For this reason, it’s crucial for businesses to assess and continuously monitor not just their own systems, but those of their third parties as well.” 


UK Cybersecurity Efforts In Protecting Critical Infrastructure Criticised By Audit Office

The BBC has reported today that the government has been told there are “failings” in the way it is planning to protect the UK’s critical infrastructure from cyber-attacks. The warning came in a National Audit Office (NAO) assessment of the UK’s national cyber-defence plan. The government is increasingly worried that these essential sectors will be targeted by foreign states seeking to disrupt UK life. 

Israel Barak, Chief Information Security Officer at Cybereason:

Risks to critical infrastructure such as industrial control systems can be minimised and managed. However, threats against this industry in particular will never be completely eradicated. In the past, the cyber criminals Cybereason has observed attacking networks in this industry would have been stopped with a combination of well-designed ‘defence in depth’ strategies and an active, attentive SOC. When focusing on the criminal element, their capabilities tend to be far more manageable from a defensive standpoint and that is perhaps the biggest takeaway. The larger portion of the threat to critical infrastructure is something that security products and practitioners are good at combating. By paying attention to hygiene and best practices, companies running ICS can greatly reduce their risk despite the threats they face. 

“In general, most countries are highly vulnerable to cyber-attacks on critical infrastructure because the systems are generally old, poorly patched and managed, and designed before cyber threats were a significant concern. This means the ability to cause damage is significant, if the attacker knows what they are doing. Power grids are interconnected and thus vulnerable to cascading failures. If an attacker knows which substation to take offline or cause a surge in, they can take down significant portions of the grid without conducting a large number of intrusions. Beyond power generation, there are significant localised effects a hacker can create by going after sewage/water treatment, industrial chemical production, or the transportation system. In general, these systems are also poorly defended and have the largest capacity for real world effects via cyber.” 

MySpace’s Data Migration Data Loss

MySpace has lost over 50 million songs that were uploaded to the site between the years of 2003-15, due to a server migration error.   

Gijsbert Janssen van Doorn, Technology Evangelist at Zerto:

“The news that MySpace has lost over 50 million songs as a result of a server migration is shocking. For any organization that is looking to move data and workloads confidently, implementing an IT resilience plan is crucial. Wherever data is moving to, owners will expect it to be transparent and fast, while allaying any risk to the data that is being moved. That’s it; that’s all you need to do. 

Companies, like MySpace, need to start looking outside of traditional backup capabilities to develop an IT resilience strategy that can face the many challenges that are coming hand-in-hand with digital transformation. It’s imperative that businesses choose a modern, risk-free platform that can utilize continuous data protection. Combining this with the ability to move data and other applications freely across servers or cloud environments can help organizations deliver an always-on customer experience, even while undergoing major changes to their infrastructure, and ensure that all data is protected at all costs.” 

IMAP Attacks

Cybercriminals are leveraging Internet Message Access Protocol (IMAP) for password-spray attacks to compromise cloud-based accounts according to Proofpoint.

Justin Jett, Director of Audit and Compliance at Plixer:

“Password-spraying attacks are extremely dangerous because they often allow hackers to brute force attacks without being locked out or triggering an alert to the IT team. Two-factor authentication inherently can’t work with IMAP, and so it is automatically bypassed when authenticating. Additionally, IT teams should be sure they have network traffic analytics enabled across their network to spot credential misuse. Because password-spraying attacks don’t generate an alarm or lock out a user account, a hacker can continually attempt logging in until they succeed. Once they succeed, they may try to use the credentials they found for other purposes. Ideally, organizations using Office365 should disable IMAP, and other legacy protocols, completely for the domain. While this may mean fewer clients are supported, it means that accounts on the network will not be susceptible to these password-spraying attacks. For organizations with in-house email, if disabling IMAP isn’t possible, the connections to the server should be carefully monitored. If you notice a large number of connections from a similar source, you may have a password-spraying attack taking place. Network traffic analytics can give you the details you need to spot these and other attacks so your users and the business aren’t compromised.”
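The detection the comment above describes (many connections from one source, spread across accounts) as an added Python example, not code from Plixer or the commenter; the log line format and the sample lines are constructed, not taken from any real mail server.

```python
"""Detect IMAP password spraying in authentication logs: one source address
failing logins against many distinct usernames inside a short window, which
a per-account lockout policy never notices. Added example; the log format
and sample lines are constructed, not from any real server."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed line format: "<ISO timestamp> imap-login: auth <failed|ok> user=<u> rip=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) imap-login: auth (?P<result>failed|ok) user=(?P<user>\S+) rip=(?P<ip>\S+)$"
)

# Constructed sample: 203.0.113.7 sprays six accounts and later gets into
# "frank"; 198.51.100.9 is one user mistyping a password twice (no spray).
SAMPLE_LOG = """\
2019-03-20T10:00:01 imap-login: auth failed user=alice rip=203.0.113.7
2019-03-20T10:00:03 imap-login: auth failed user=bob rip=203.0.113.7
2019-03-20T10:00:05 imap-login: auth failed user=carol rip=203.0.113.7
2019-03-20T10:00:08 imap-login: auth failed user=dave rip=203.0.113.7
2019-03-20T10:00:11 imap-login: auth failed user=erin rip=203.0.113.7
2019-03-20T10:00:14 imap-login: auth failed user=frank rip=203.0.113.7
2019-03-20T10:01:30 imap-login: auth failed user=alice rip=198.51.100.9
2019-03-20T10:01:45 imap-login: auth failed user=alice rip=198.51.100.9
2019-03-20T10:02:10 imap-login: auth ok user=alice rip=198.51.100.9
2019-03-20T10:06:00 imap-login: auth ok user=frank rip=203.0.113.7
"""


def parse_log(text):
    """Turn raw lines into (timestamp, ip, user, result) tuples, skipping junk."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            events.append((datetime.fromisoformat(match["ts"]), match["ip"],
                           match["user"], match["result"]))
    return events


def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Flag source IPs that fail against at least `min_users` distinct accounts
    within any `window`. Each account sees only one or two attempts, so this
    is the signal a lockout threshold misses. For each flagged source, also
    list accounts that later authenticated successfully from it."""
    failures = defaultdict(list)   # ip -> [(timestamp, user)]
    successes = defaultdict(list)  # ip -> [(timestamp, user)]
    for ts, ip, user, result in events:
        (failures if result == "failed" else successes)[ip].append((ts, user))

    findings = {}
    for ip, fails in failures.items():
        fails.sort()
        peak = 0
        # Sliding window anchored at each failure: count distinct users that follow it.
        for i, (start, _) in enumerate(fails):
            users_in_window = {u for t, u in fails[i:] if t - start <= window}
            peak = max(peak, len(users_in_window))
        if peak >= min_users:
            findings[ip] = {
                "distinct_failed_users": peak,
                "successful_logins": sorted({u for _, u in successes.get(ip, [])}),
            }
    return findings


if __name__ == "__main__":
    for ip, info in detect_spray(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: spray against {info['distinct_failed_users']} accounts; "
              f"later successes: {info['successful_logins'] or 'none'}")
```

Accounts listed under `successful_logins` for a flagged source are the ones to treat as compromised and reset first.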

National Cyber Security Programme Faces Criticism

Following the news that the National Cyber Security Programme is facing criticism over the way it was set up in 2016, and therefore is unlikely to meet its targets, Jake Moore, Cyber Security Specialist at ESET commented below. 

Jake Moore, Cyber Security Specialist at ESET:

“In 2016, £1.9billion may have sounded like a huge financial injection but cyber security needs a constant flow of resources, both people and financial support. If this money were to simply dry up in 2021 then over a short period of time all the good work done thus far could unravel. Admittedly, the government set itself some tough goals but they were achievable and it has been largely successful. Great Britain has been no safe haven for cyber criminals and the NCSC is known across the world as a solid force against cyber criminality. 

However, cyber security requires a multi layered approach and shouldn’t be left to the NCSC alone. We all need to adapt to this rapidly changing digital space and must remember that cyber security is an investment, not an expense.” 


Cambridge Analytica Scandal – One Year On

In light of the one-year anniversary of the Cambridge Analytica scandal on Sunday 17th March, please see below for a comment from Jasmit Sagoo, senior director at Veritas. Jasmit explains how in the last year, the way consumers create and share data has changed, as have their expectations of how businesses should use their data.  

Jasmit Sagoo, Senior Director at Northern Europe, Veritas Technologies: 

“Have businesses learnt the lesson about responsible data collection and usage, one year on from the Cambridge Analytica scandal that shook the world? 

“Over the last year, the way that consumers create and share data has changed – and so has the way that they expect businesses to store and process it. High-profile breaches, scandals, and the introduction of the GDPR last May have made consumers more cautious about what data they share, where it’s being stored and who it’s being accessed by.   

“We’ve seen what can happen when this trust is broken, for both the user and the business they shared their data with. Our research has found that poor data protection can have a dire commercial impact on companies – 56% of consumers would dump a business that fails to protect their data, and 47% would abandon their loyalty and turn to a competitor. 

“Over the past year, consumers have grown far warier of what data they are giving away and how it is safeguarded, even if they feel like they are getting something in return. This means that for businesses built on data, caution is the watch word of today. 

“In the modern data economy, businesses have two responsibilities: firstly, to understand their customers, and secondly, to properly protect their data. The businesses that fail to do so will find themselves a cautionary tale.” 


Gearbest Misconfiguration Exposes 1.5M Records

News broke that Gearbest, a Chinese online shopping giant, exposed 1.5 million records on an Elasticsearch server that was not protected with a password, allowing anyone to search the database. The exposed information includes names, addresses, phone numbers, email addresses, customer orders, products purchased, and in some cases, passport numbers and other national ID data. Gearbest ranks as one of the top 250 global websites, and serves top brands, including Asus, Huawei, Intel and Lenovo. 

The researcher that discovered the exposed Elasticsearch server also found a separate exposed web-based database management system on the same IP address, allowing anyone to manipulate or disrupt the databases run by Gearbest’s parent company, Globalegrow. Gearbest has a large presence in Europe, with warehouses in Spain, Poland, the Czech Republic and the U.K., where EU data protection and privacy laws apply. This is the second security issue at Gearbest in as many years. In December 2017, the company confirmed accounts had been breached after what was described as a credential stuffing attack.

Expert Comments Below: 

Brian Johnson, CEO and Co-founder at DivvyCloud: 

“Gearbest’s data leak of over 1.5 million customer records adds to a growing list of organizations that have suffered security lapses in 2019 due to misconfigured Elasticsearch servers. However, Gearbest’s incident stands out since passport numbers, national ID numbers and full sets of unencrypted data, including email addresses and passwords were among the exposed information. This data could allow hackers to easily steal Gearbest’s customers’ identities by cross-referencing with other databases, and allow malicious actors access to online government portals, banking apps, health insurance records, and more. 

Organizations like Gearbest must learn to be diligent in ensuring data is protected with proper security controls. Automated cloud security solutions would have been able to detect the misconfiguration in the Elasticsearch database and could either alert the appropriate personnel to correct the issue, or trigger an automated remediation in real-time. These solutions are essential to enforcing security policies and maintaining compliance across large-scale hybrid cloud infrastructure.” 

Stephan Chenette, CTO and Co-founder at AttackIQ: 

“This breach could have been easily prevented if Gearbest had put in place basic password protection to this database, and applied the learnings from a similar breach just over a year ago to improve their security practices and policies. All too often, companies suffer similar breaches because they don’t fully understand the cause of the previous breach, and how to recover. Organizations that have systems in place to proactively test the efficacy of their security controls are not only better protected, but can improve over time as they find and remediate gaps in their security program.” 

Ben Goodman, VP of Global Strategy and Innovation at ForgeRock: 

“The hacking of yet another huge trove of personally identifiable information reminds us of the responsibility that organizations that hold such data have and the resulting low security value of this data as a result of these breaches. Like so many previous hacks, this data will quickly make its way to the dark web where it will be used for identity theft, synthetic identity creation and robotic account takeovers. Now, more than ever, organizations must use modern behavioral analytics, Know Your Customer and identity proofing tools during account originations and during email and password reset to fight against these well-armed fraudsters.” 

Anurag Kahol, CTO at Bitglass: 

“It’s concerning when it takes an organization months, or even years, to recognize that a misconfigured server has enabled a breach or a leak. As a global e-commerce provider that ships to over 250 countries and territories, ranks in the top 100 websites in almost 30 percent of said regions, and has subdomains in 18 different languages, Gearbest must adopt a flexible security platform that proactively detects and responds to new threats as they arise. Allowing a server to remain misconfigured for a prolonged period of time increases the odds that a malicious actor can find it and exploit the information therein for their own nefarious purposes.

Throughout 2018 and 2019, misconfigurations have grown in popularity as an attack vector across all industries. This highlights the reality that organizations are struggling with limited IT resources and, consequently, are susceptible to careless and reckless mistakes like misconfigurations. As such, companies must turn to flexible and cost-effective solutions that can help them to defend against data leakage. For example, leading cloud access security brokers (CASBs) provide cloud security posture management (CSPM), data loss prevention (DLP), user and entity behavior analytics (UEBA), and other capabilities that can give an organization confidence that its data is truly safe.” 

Tim Mackey, Senior Technical Evangelist at Synopsys:

“Today, organisations simply cannot afford to neglect the security of their applications, especially in industries like retail and banking where processing and storing payment card and financial data is standard operations. In the latest mega-breach, uncovered by VPNMentor, Gearbest has demonstrated that even the most obvious cyber-attack targets can fail to maintain basic security hygiene. 

In this instance, the entire database for Gearbest’s global operations, and those of its sister companies, was left completely unsecured. This means that not only is personal information available to attackers, but also critical information like order history and payment details are readily available. Armed with this information, it’s possible to create a targeted profile of any user which includes personal preferences. While Gearbest has privacy statements indicating they don’t collect certain PII and what PII they do collect is secured, what VPNMentor uncovered shows a clear disconnect between the policy and its implementation. 

This incident has clear lessons for anyone operating a website which collects or processes personal information: 

  1. Follow OWASP guidelines and ensure all systems are properly secured 
  2. Review privacy regulations not only for your jurisdiction, but also where your customers and users reside 
  3. Do not collect or retain any information which doesn’t serve a clear purpose for your customers and users 
  4. Ensure that any system which shouldn’t be accessible from the Internet can’t be 
  5. Implement a security and incident response process which is responsive to issues the ethical hacking community uncovers” 



The ISBuzz Post: This Post Gearbest Misconfiguration Exposes 1.5M Records appeared first on Information Security Buzz.

New PoS Malware Discovered Targeting The Hospitality And Entertainment Industry

Researchers have uncovered a new cybercrime campaign that is targeting restaurants, cinemas and other retailers in the entertainment and hospitality industries with point-of-sale (POS) malware, with the aim of stealing customers’ credit card information. Going by the name of DMSniff, the malware is thought to have originated in 2016 but has managed to keep a low profile since. The key targets of DMSniff are small- and medium-sized companies that rely heavily on card transactions, such as those in the food, hospitality and entertainment industries. 

What sets this malware apart is its use of a domain generation algorithm (DGA) to create command-and-control domains on the fly, which helps it resist takedowns and bypass simple blocklists. This benefits the attackers because, if individual domains are taken down by law enforcement or hosting providers, the malware simply moves on to the next generated domain, keeps communicating with the compromised POS device, and continues to transfer stolen card data. 
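Because a DGA produces many short-lived, never-registered names, the defender-side signal is usually a single POS host making bursts of lookups for random-looking domains, most of which return NXDOMAIN. The script below is an added example, not code from this article or from the DMSniff analysis it reports on: it runs a simple DGA-lookup heuristic over constructed resolver log lines. The log format (`timestamp client query rcode`), the entropy and vowel-ratio thresholds, and the naive second-level-label extraction are all assumptions for the demonstration.

```python
"""
Added example: flag hosts making DGA-style DNS lookups from resolver logs.
Not the page's or Flashpoint's code; log format and thresholds are assumed.
"""
import math
import re
from collections import Counter, defaultdict

# Constructed sample log lines (not real traffic). Assumed format:
# "<timestamp> <client_ip> <queried_name> <rcode>"
SAMPLE_LOG = """\
2019-03-14T09:01:02Z 10.0.5.21 www.example.com NOERROR
2019-03-14T09:01:03Z 10.0.5.21 cdn.example.net NOERROR
2019-03-14T09:01:05Z 10.0.5.77 qxrtvkdlzmpb.com NXDOMAIN
2019-03-14T09:01:05Z 10.0.5.77 hgjwqzkfnsd.net NXDOMAIN
2019-03-14T09:01:06Z 10.0.5.77 zkvbwtqprmcd.org NXDOMAIN
2019-03-14T09:01:06Z 10.0.5.77 pmtqzvrkxwlf.com NXDOMAIN
2019-03-14T09:01:07Z 10.0.5.77 xwvtqrzknmdb.info NXDOMAIN
2019-03-14T09:01:08Z 10.0.5.77 tqzrkvxwmplc.com NOERROR
2019-03-14T09:01:09Z 10.0.5.21 mail.google.com NOERROR
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(NOERROR|NXDOMAIN|SERVFAIL)$")
VOWELS = set("aeiou")


def parse_log(text):
    """Return (client, name, rcode) tuples from the assumed log format."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            _, client, name, rcode = m.groups()
            records.append((client, name.lower().rstrip("."), rcode))
    return records


def registrable_label(name):
    """Label left of the TLD. Naive on purpose: 'foo.co.uk' yields 'co';
    a real deployment would consult the Public Suffix List."""
    parts = name.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s):
    """Bits of entropy per character of the label."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def label_features(label):
    vowels = sum(ch in VOWELS for ch in label)
    return {
        "length": len(label),
        "entropy": round(shannon_entropy(label), 3),
        "vowel_ratio": round(vowels / len(label), 3) if label else 0.0,
    }


def is_suspicious(label, min_len=8, min_entropy=3.0, max_vowel_ratio=0.25):
    """Heuristic: long, high-entropy, vowel-poor labels look machine-generated.
    Thresholds are assumptions; tune against your own traffic and allowlist
    known-good long names (entropy alone misfires on them)."""
    f = label_features(label)
    return (f["length"] >= min_len and f["entropy"] >= min_entropy
            and f["vowel_ratio"] <= max_vowel_ratio)


def detect_dga_hosts(log_text, min_suspicious=3):
    """Group DGA-like lookups per client; NXDOMAIN count is the strongest tell,
    since most generated names are never registered by the operator."""
    per_client = defaultdict(lambda: {"suspicious": 0, "nxdomain": 0, "domains": []})
    for client, name, rcode in parse_log(log_text):
        if not is_suspicious(registrable_label(name)):
            continue
        entry = per_client[client]
        entry["suspicious"] += 1
        if rcode == "NXDOMAIN":
            entry["nxdomain"] += 1
        entry["domains"].append(name)
    return {c: e for c, e in per_client.items() if e["suspicious"] >= min_suspicious}


if __name__ == "__main__":
    for client, summary in detect_dga_hosts(SAMPLE_LOG).items():
        print(f"{client}: {summary['suspicious']} DGA-like lookups, "
              f"{summary['nxdomain']} NXDOMAIN -> {summary['domains']}")
```

On the constructed sample the single POS host 10.0.5.77 is flagged with six DGA-like lookups, five of them NXDOMAIN, while the workstation querying ordinary names is not. The per-host aggregation matters more than any one label score: a lone odd-looking domain is noise, but a terminal that has suddenly started cycling through unregistered random names is exactly the pattern a DGA-based implant produces, and that pattern survives individual domain takedowns.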

Expert Comments Below:  

Javvad Malik, Security Advocate at AT&T Cybersecurity: 

“Cybercriminals will often try to maximise their return on investment by going after mid-sized companies. Such companies usually have enough cash flowing through their systems to make the attack financially viable, and many times mid-sized companies do not invest enough in cybersecurity controls either due to lack of budget or because it is not a priority. 

It is essential for small and mid-sized companies to look at the threats they face seriously and invest in the appropriate security controls to protect, detect, and recover from any attacks. Where capabilities are not available in-house, a third party such as an MSP can be engaged to fill the gap.”  


New Malware Plaguing Hospitality & Entertainment Industries

A new, stealthy point-of-sale (POS) malware campaign has been discovered by Flashpoint that targets the hospitality and entertainment industries to skim credit card information. 

Don Duncan, Security Engineer at NuData Security: 

“The hospitality and entertainment industries have been hit particularly hard this year by cybercriminals. Point of sale (POS) devices on the network have been the bullseye for hackers who are skimming credit card information at an alarming rate and this stealth malware campaign is a prime example. While keeping POS machines updated is a good defense, cybercriminals are going to continue to find ways to break through. However, companies can mitigate the damage after the credit card data is stolen by identifying customers through their online behavior instead of credit card numbers. Analyzing online behavior combined with hundreds of other identifiers that hackers can’t imitate allows companies to stop fraud from a different angle. This can be combined with the new 3DS protocol that uses ten times more data to assess the validity of a transaction online, avoiding reliance on the credit card information, which could have been stolen.” 


Red Team Project Set Up To Help Secure Open-Source Software

It has been reported that at this week’s Open Source Leadership Summit, the Linux Foundation announced the Red Team Project. This has been set up as an incubator for open-source Red Team security tools. These include programs that support cyber range automation, containerised pentesting utilities, binary risk analysis, and standards validation programs. 

Thomas Richards, Network and Red Team Practice Director at Synopsys:

“This project is a great idea. Red Teaming is becoming more important for organisations as their security program matures. We are seeing more companies create in-house Red Teams to simulate adversaries attacking the organisation. These simulations allow the organisation to improve their defence posture by validating if their security controls are functioning properly. Curating these tools and keeping them up to date will provide both blue and red teams the ability to improve themselves by bettering the testing activities and detection techniques.” 


US IoT Cybersecurity Bill

Legislation was introduced Monday that would create cybersecurity standards for internet-connected devices, the “internet of things.” The Internet of Things (IoT) Cybersecurity Improvement Act of 2019, introduced in the Senate by Sens. Mark Warner (D-Va.) and Cory Gardner (R-Colo.) and in the House by Reps. Will Hurd (R-Texas) and Robin Kelly (D-Ill.), would require established standards for government use of the devices. 

Kenta Yasukawa, Co-founder and CTO at Soracom:

“Security concerns represent the single biggest obstacle to IoT development and public adoption. It remains one of the biggest challenges in IoT, not because it can’t be done right but because projects often prioritize things like reducing cost and accelerating speed to market. 

The good news is, IoT is not inherently insecure. Clear standards remove uncertainty for developers, reassure consumers, and shift the Internet of Things toward the effective practices already in place in security-conscious industries like finance and transportation and across cellular data networks. 

Clear standards for device and network protection will help the entire industry focus on security, reassure consumers, and get it right.” 


Ransomware Attack On The US Committee For Public Counsel Services

A ransomware attack on the Committee for Public Counsel Services (CPCS), the Massachusetts agency overseeing public defenders, has caused a major slowdown, disabling email systems, delaying some hearings, and holding up payments for the private attorneys who represent clients. 

They are not alone: Jackson County, Georgia also reported paying out $400,000 in ransom last week. 

Following this, Allan Liska, Senior Solutions Architect (and ransomware expert) at Recorded Future commented below, on why government agencies are attractive targets for cybercriminals.  

Allan Liska, Senior Solutions Architect at Recorded Future: 

“From library systems in South Carolina, to towns in Alaska, and even cities as big as Atlanta, local governments are being targeted for ransomware attacks. The public defender’s office in Boston is just the latest to report an attack, but they are not alone, Jackson County Georgia also reported paying out $400,000 in ransom this week. These ransomware attacks disrupt vital public services and, in some cases, can even put lives at risk. The worst part is that ransomware attacks against local governments are only going to increase in the coming year. Attackers behind ransomware campaigns know that local governments are the perfect storm of a target: limited security budget, overwhelmed IT/security staff and vital constituent services that need to be brought online as quickly as possible. The teams behind the Ryuk, BitPaymer and CrySIS ransomware are targeting local governments and they are much more sophisticated than other types of ransomware campaigns meaning they see more success, cause more destruction and are harder to stop.” 


Phishing Attacks Hook Half Of UK Organisations Over The Past Two Years

Research by Sophos has revealed that almost half of UK businesses have been compromised by phishing attacks in the last two years. 

The research explained that bigger firms (those with between 500 and 1,000 employees) are more likely to be affected by such attacks, despite 78% of them offering their staff enhanced cybersecurity training, compared to just 50% of businesses with 250 or fewer employees. 

Experts Comments below: 

Tim Sadler, CEO at Tessian: 

“As this research demonstrates, cybersecurity training isn’t a solution in itself. While it can educate employees on the tell-tale signs of phishing emails, it can’t instil total vigilance or eradicate the factors that lead to mistakes, such as tiredness or getting distracted. These human weaknesses are inevitable and, as long as they remain unprotected, cybercriminals will find ways to exploit them. 

Moreover, training can’t prepare employees for advanced social engineering techniques that haven’t yet been seen. Malicious actors are evolving their methods at such a rate, and with such a level of creativity and organisation, that it can be difficult to prepare individuals for what is coming next.” 

Corin Imai, Senior Security Advisor at DomainTools: 

“Ultimately, this comes as no surprise; anyone who has an email account is likely to have received a phishing email of some kind and businesses, as inherently more profitable victims, are even more likely to find themselves targeted. 

The fact that larger businesses are at a greater risk also makes sense, as these organisations are likely to have employees of various levels of cyber-literacy, making it more likely someone will take the initial bait. 

Companies need to patch their human vulnerabilities by continuing to engage in robust training programmes, as well as investing in email filtering systems which can accurately identify phishing emails.” 


Independent Professor Comments On The Facts & Fiction

Seemingly, the next evolution of technology will hinge on the successful launch of 5G. Driverless cars, video communication, remote devices, instant streaming and smart cities all rely on pervasive and constant internet connectivity. 

As we come to grips with a constantly connected world where all of our devices ‘talk’ to each other, industries will find new and innovative use cases. Yet, considering the number of hacks and data breaches that occur already, are we prepared for what 5G and this instant interconnection will bring? 

Former Ofcom Director and Senior IEEE Member, Professor William Webb, believes that 5G doesn’t inherently bring more benefits or security issues than those we currently have.

Professor William Webb, Former Ofcom Director and Senior IEEE Member:

“Most of the benefits and threats remain the same as with 4G and other wireless technologies. Privacy issues are likely unchanged. However, 5G does introduce some new concepts such as virtualised (software-based) core networks and network slices, which might introduce new vulnerabilities into the network. In its early days, 5G might appear less secure than existing networks, but as these vulnerabilities are found and patched, 5G should settle down to being similar to previous generations.”
