
Lazarus Suspected of Targeting Russian Orgs

Foreign adversaries pose threats to US national security, but researchers at Check Point believe that the advanced persistent threat (APT) group known as Lazarus is now targeting Russian organizations.

In a February 19 blog post, Check Point revealed findings from research that suggests the North Korean APT known as both Lazarus and Hidden Cobra has launched the first attack on financial institutions in Russia.

“This incident represents an unusual choice of victim by the North Korean threat actor – these attacks tend to reflect the geopolitical tensions between the DPRK and nations such as the US, Japan and South Korea. In this case, though, it is Russian organizations who are the targets,” researchers wrote.

Researchers have been monitoring this coordinated attack on private, Russian-owned companies, calling it the first cyber-attack of its kind. Evidence suggests that the attack is the work of Lazarus, one of the most prevalent APT groups today, believed to be a North Korean–sponsored threat actor responsible for some of the world's largest security breaches.

Several documents in this campaign, all with the author name “home” and a Korean code page, were uploaded to VirusTotal from different Russian sources during the week of January 26–31, 2019, the blog noted. Researchers identified three main steps in the infection chain:

  1. A ZIP file containing two documents is opened: a benign decoy PDF document and a malicious Word document with macros.
  2. The malicious macro downloads a VBS script from a Dropbox URL, followed by the VBS script execution.
  3. The VBS script downloads a CAB file from the drop-zone server, extracts the embedded EXE file (backdoor) using Windows’ "expand.exe" utility, and finally executes it.

Interestingly, though, the tactics change at a certain point. The second step of the process is eliminated and "the malicious Word macros were modified to directly 'download and execute' the Lazarus Backdoor in stage three," researchers wrote.
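The process chain the researchers describe (Word macro, Windows script host on a VBS file, expand.exe on a CAB, dropped backdoor, and the later variant where the macro launches the payload directly) is what a defender would hunt for in process-creation telemetry. The following is an added example, not Check Point's code: the events, process names, user paths and rule names are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Iterable

# Constructed sample: process-creation events as an EDR or Sysmon event ID 1 would record them.
@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the new process
    cmdline: str    # its command line

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def in_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)

def detect_chain(events: Iterable[ProcEvent]) -> list:
    """Return (rule, pid) for every event that matches one stage of the chain."""
    events = list(events)
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        pname, cname, cmd = basename(parent.image), basename(e.image), e.cmdline.lower()
        # Stage 2: an Office process hands a .vbs file to a Windows script host
        if pname in OFFICE_APPS and cname in SCRIPT_HOSTS and ".vbs" in cmd:
            findings.append(("office_spawns_vbs", e.pid))
        # Stage 3a: the script host unpacks a CAB with the built-in expand.exe
        elif pname in SCRIPT_HOSTS and cname == "expand.exe" and ".cab" in cmd:
            findings.append(("script_expands_cab", e.pid))
        # Stage 3b: the script host launches a binary from a user-writable path
        elif pname in SCRIPT_HOSTS and in_user_writable(e.image):
            findings.append(("script_runs_dropped_exe", e.pid))
        # Modified chain: the Office macro downloads and runs the payload itself
        elif pname in OFFICE_APPS and cname not in SCRIPT_HOSTS and in_user_writable(e.image):
            findings.append(("office_runs_dropped_exe", e.pid))
    return findings

def full_chain_seen(findings) -> bool:
    """True when all three stages of the original chain appear in one batch of events."""
    rules = {rule for rule, _ in findings}
    return {"office_spawns_vbs", "script_expands_cab", "script_runs_dropped_exe"} <= rules

SAMPLE_EVENTS = [  # constructed; the benign print helper on pid 600 must not be flagged
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r'"WINWORD.EXE" /n "C:\Users\alice\Downloads\Proposal.docx"'),
    ProcEvent(300, 200, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\alice\AppData\Local\Temp\update.vbs"'),
    ProcEvent(400, 300, r"C:\Windows\System32\expand.exe",
              r"expand.exe C:\Users\alice\AppData\Local\Temp\pkg.cab -F:* C:\Users\alice\AppData\Local\Temp"),
    ProcEvent(500, 300, r"C:\Users\alice\AppData\Local\Temp\payload.exe", "payload.exe"),
    ProcEvent(600, 200, r"C:\Windows\System32\splwow64.exe", "splwow64.exe 12288"),
    ProcEvent(700, 200, r"C:\Users\alice\AppData\Roaming\agent.exe", "agent.exe"),
]

if __name__ == "__main__":
    for rule, pid in detect_chain(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
    print("full chain:", full_chain_seen(detect_chain(SAMPLE_EVENTS)))
```

The rules key on parent/child relationships and paths rather than on the Dropbox URL or any file hash, so they survive the tactic change the researchers observed.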

Source: Information Security Magazine

Ransomware Revenue Earning Does Not Match Infection Decline

There has been a decline in ransomware infections, but that does not mean that earned revenue has reduced for cyber-criminals.

According to the third instalment of the Check Point 2019 Security Report, threat actors are increasingly targeting public cloud and mobile deployments as they are determined to be the weakest and least protected points in an organization’s IT infrastructure. The research found that 18% of organizations globally had a cloud security incident in the past year; the most common incidents were data leaks/breaches, account hijacks and malware infections.

Also, 30% of IT professionals still think security is the responsibility of the cloud service provider.

Speaking at the launch of the report at the Check Point Experience conference in Vienna, Maya Horowitz, director of threat intelligence and research at Check Point, said that the first part of the research highlighted the rise of email-based attacks over web-based, and this was because of the reduction of exploitable vulnerabilities and more use of exploit kits.

Orli Gan, head of products and threat prevention at Check Point, added that 98% of attacks are aiming to earn money and cryptocurrency. “This is the first thing attackers go for and we expect this not to change going forward,” she said.

Gan also stated that ransomware revenue has stayed at the same level, and that rather than sending mass email campaigns, attackers in 2018 were targeting businesses, as they were more likely to pay and the ransom request was dramatically higher.

Speaking to Infosecurity, Yaniv Balmas, group manager of security research at Check Point, said that we are seeing several cases of ransomware attacks on specific targets. “I wouldn’t say this is affecting all ransomware, but maybe two to three big families are doing this, but there is some shift in the trend happening now,” he said.

“Ransomware took us a bit of time to adjust to, and there are very good technologies which can practically prevent these sort of attacks, but perhaps the guys behind this ransomware are opportunistic and trying to make as much money as they can.”

Asked if he felt that there was more use of banking trojans with ransomware declining, as detected in recent research by Proofpoint, Balmas said that there had been a lot of change in the way banking trojans worked in the last five years, as today “they are doing everything: stealing credentials, injecting into your browser, but they are mainly delivering other malware.” He speculated that banking trojans may be a side way to make some money, but they are more of a distribution network.

Infosecurity’s Online Summit will take place on March 26-27, with live sessions including “The Death of Ransomware: Long Live Other Malware” and “The Persistence of Legacy Systems.” Registration is now open, and CPE credits are offered for the 14 sessions across the two days.

Source: Information Security Magazine

Half of UK Firms Admit to Unknown Network Devices

Almost three million UK businesses could be exposing themselves to cyber-threats by having unknown devices on their network, according to new Forescout research.

The security vendor polled over 500 IT decision makers in the UK to better understand their exposure to IoT threats.

It found that half (49%) of respondents have unknown third-party devices on their networks. That represents over 2.8 million businesses at official 2018 levels. The figure is up slightly in percentage terms on the vendor’s April 2018 findings, although it could represent as many as 110,000 extra firms using the same extrapolation.

The findings come despite a vast majority of IT decision makers (85%) admitting that a lack of visibility and control of devices on their network poses a security risk.

These challenges are only set to increase as enterprises witness an explosion of IoT endpoints. Gartner predicts that there will be over 20 billion connected things in use worldwide by 2020, with business spend representing nearly half of the total, at over $1.4tn.

According to Forescout, 69% of organizations say they now have over 1000 smart devices, whilst a fifth (19%) claim they run more than 10,000 IoT devices on their network.

Over half (58%) of those it spoke to for this research agreed that by centralizing management and oversight of IT and OT, they can eradicate the dangerous security blind spots that convergence of the two functions is creating.

However, this can be easier said than done, with cultural and other barriers often getting in the way. That might account for why just half (49%) of responding IT leaders claimed to have followed such an approach.

Unfortunately, IoT security is still not being given the attention it deserves in many organizations: sometimes because devices are brought in without the knowledge of the IT department.

A Trend Micro poll of 1150 global IT and security decision-makers last year found that 43% regard IoT security as an afterthought, and only 38% get security teams involved in the implementation process for new projects.

Source: Information Security Magazine

Microsoft: Russians Hacking Again Ahead of Euro Elections

Russian state hackers are targeting NGOs, think tanks and other government-linked organizations ahead of the European Parliament elections in spring, according to Microsoft.

The tech giant said it had observed 104 accounts in Belgium, France, Germany, Poland, Romania and Serbia come under fire from Fancy Bear (APT28, Strontium). This is the group blamed for the 2016 attacks on the Democratic National Committee (DNC) which many believe helped Donald Trump to power.

The attackers are using classic spear-phishing techniques to try to gain access to employee credentials and deliver malware, said Microsoft corporate VP, Tom Burt.

“These attacks are not limited to campaigns themselves but often extend to think tanks and non-profit organizations working on topics related to democracy, electoral integrity, and public policy and that are often in contact with government officials,” he added.

“The attacks we’ve seen recently, coupled with others we discussed last year, suggest an ongoing effort to target democratic organizations. They validate the warnings from European leaders about the threat level we should expect to see in Europe this year.”

Some of the organizations targeted in this latest campaign include the German Council on Foreign Relations and European offices of The Aspen Institute and The German Marshall Fund.

To help non-profits and other organizations which may not have the resources to defend themselves from state-level attacks, Microsoft is offering its AccountGuard service across Europe, free to Office 365 customers.

It helps protect corporate and personal email accounts and offers best practice security guidance on email and network security, according to Burt.

Last week former NATO secretary-general, Anders Fogh Rasmussen, warned of a major Kremlin effort to disrupt the upcoming European elections by spreading disinformation and undermining confidence in the democratic process.

He joined 14 current and former leaders in calling for those running in the election to pledge not to spread fake news or use stolen data in their campaigns, and to train staff in cybersecurity, among other things.

Source: Information Security Magazine

Swedish Privacy Snafu Affected More Companies

A major Swedish privacy leak revealed this week is even worse than at first thought, with several other companies and over 100 additional servers exposed, according to new findings.

Security vendor Outpost24 investigated service provider Applion, sister company to Voice Integrate Nordic AB, which hosts data for the affected firms on its web servers.

In the original case, the NAS storage unit at nas.applion was found to have exposed 2.7 million patient calls to a medical hotline stored on behalf of Swedish healthcare contractor MediCall.

However, Outpost24 posted a screenshot showing that this same exposed web server also hosted data from other firms including Swedish telephony firm iTell and patient transportation service provider Prebus.

The web server software itself, Apache 2.4.7, is also several years old and riddled with known vulnerabilities.

In total, Applion had around 120 servers exposed to the public internet with no password protection, according to Outpost24.

Martin Jartelius, CSO of Outpost24, argued that the firm appears to have paid scant regard to best practice security.

“Looking at the breach, it is not only due to [lax] security, but a complete lack of any form of protection. The same company also exposed other outdated and very weakly protected services to the internet, some so outdated a modern system would not even be able to connect to them,” he said.

“When looking at the company’s [Apache] server, you can see the system has been exposed for a long period of time. The device is a NAS device, and rather outdated on software. Other examples include unencrypted administration of an exposed router, exposed log management solutions and much more.”

Reports emerged this week that around 170,000 hours of calls to Sweden’s 1177 Healthcare Guide (Vårdguiden) service dating back to 2013 had been exposed by MediCall. Some of these calls included saved phone numbers and mentioned social security numbers.

The initial web server issue has apparently now been remedied, but it’s unclear whether the additional 120 exposed servers Outpost24 discovered have been protected.

Source: Information Security Magazine

Palo Alto SOARs into Agreement with Demisto

A definitive acquisition agreement between Palo Alto Networks and Demisto, announced today, is expected to close during the fiscal third quarter for Palo Alto Networks. The acquisition of Demisto will be finalized for a total purchase price of $560 million, according to a press release.

The total purchase, to be paid in cash and stock, is subject to adjustment, and the final deal is contingent upon customary closing conditions, including satisfactory regulatory approvals.

Demisto will bring its strength in the security orchestration, automation and response (SOAR) space to Palo Alto Networks’ existing cybersecurity offerings. By adding in the use of AI and machine learning, Palo Alto Networks will be able to automate significant parts of the customer’s security operations.

For current Demisto customers and partners, the products will continue to be available after the deal closes.

Commenting on how the acquisition of Demisto will accelerate Palo Alto Networks Application Framework strategy, Nikesh Arora, chairman and CEO of Palo Alto Networks, said, “We are delighted to welcome Demisto into the Palo Alto Networks family. Coupled with our Application Framework, Demisto will help us strengthen our commitment to security teams by delivering a platform that provides higher levels of integration, automation, and innovation to prevent successful cyber-attacks."

Automation has been a key focus for Demisto, “because we believe that relying on people alone to combat threats will fail against the scale of today's attacks,” said Slavik Markovich, CEO of Demisto. "Palo Alto Networks' strategy resonates with our own vision, and we have found a like-minded team that shares our conviction that the future of security is all about automation and AI. We're thrilled to be joining them to help make it a reality."

The acquisition will enable Palo Alto Networks to deliver more immediate threat prevention and response for security teams.

Source: Information Security Magazine

Web Application Security Poses Greatest Risk

The majority of vulnerabilities discovered in 2018 were at the network layer, while less than 20% were in web applications and APIs, according to the fourth annual Vulnerability Stats Report from Edgescan.

When it comes to breaches, though, web application security remains the area of greatest risk. “The percentage of high and critical risks combined, compared to all discovered risks is still high at 19.2% for public internet-facing (external) applications and 24.9% for non-public or internal applications,” the report said.

The report looked at vulnerability metrics from known common vulnerabilities and exposures (CVEs) and found that the rate of known vulnerabilities being exploited in the wild remains high, particularly with cross-site scripting (XSS). XSS, both reflected and stored, accounted for 14.69% of web (layer 7) vulnerabilities in 2018. One issue of great concern with layer 7 vulnerabilities is that “it takes time to fix vulnerabilities, and it can be difficult to avoid repeating the same mistakes,” said Eoin Keary, founder, Edgescan.

Another worrisome layer 7 vulnerability was SQL injection, which represented nearly 6% of all web vulnerabilities. These database attacks have the potential to be devastating, because they can easily be used to compromise entire systems, and the average time to fix a vulnerability discovered in the application layer is 77.5 days.

While 2018 saw many breaches, the study found that there is no sign of the level of global breaches slowing down in 2019. “The high-risk density score of 24.3% for internal-facing applications is worrisome given many studies cite the 'insider threat' as a significant issue,” the study said.

Insider threats posed risks to infrastructure security in 2018, with nearly half (44.7%) of the most common infrastructure vulnerabilities resulting from outdated TLS and SSL versions and misconfiguration issues.

Among the top threats in public internet-facing systems, “33.33% of all high and critical risk vulnerabilities discovered in 2018 were in relation to unsupported Windows Server 2003 systems (no patching, support, end-of-life systems). Systems running PHP and Apache also contributed to the Top 10 due to weak component security and traditional patch management of exposed systems,” the report said.

Source: Information Security Magazine

Student Data Exposed at Stanford University

The private data of students at Stanford University was exposed after someone changed a numeric ID in a URL that had been distributed to students who requested access to review their own files, according to The Stanford Daily.

In total, 93 students have been notified that their privacy was compromised. According to the report, a university student made a Family Educational Rights and Privacy Act (FERPA) request to view their admissions documents, which is not at all unusual.

A Stanford student reportedly found the vulnerability in a third-party system called NolijWeb, a content management system that the university has used to host scanned files since 2009.

The process starts with a user submitting a FERPA request. Then students are directed to a “Student Admission Documents” link on Stanford’s information portal. Once in the portal, users are directed to NolijWeb, where they must enter their personal student IDs in order to search for their personal documents.

These scanned documents include sensitive personal information such as Social Security numbers, home addresses, ethnicity and personal essays, along with citizen and criminal statuses.

“When a user views one of their files, the browser performs a network request. However, a student may use tools like Google Chrome’s 'Inspect Element' – commonly used by programmers to debug websites – to view that network request’s URL and modify it to give them access to another student’s files,” The Stanford Daily wrote.

“Because URLs and files are linked through numeric IDs, the NolijWeb vulnerability did not allow students to retrieve documents by name nor by any other identifying information. Instead, incrementing file ID numbers in URLs allowed access to arbitrary students’ files.”

News of the exposed data was not reported until Stanford University had been able to close the hole, and the individual who disclosed the vulnerability did so on condition of anonymity so that the student would not face legal consequences.

That the student data was accessed by changing a numeric ID in a URL suggests that the number in question was sequential (not random) and therefore could easily be guessed, according to privacy advocate Paul Bischoff of Comparitech.

“The fact that these records were not better secured is a failure of Stanford's IT staff to properly vet third-party software NolijWeb. Students whose records were accessed were put at a high risk of identity theft and fraud. The contents of the files included Social Security numbers, so anyone affected by the breach should immediately place a credit alert on their credit report.”
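The flaw the article describes is an access-control failure: the file handler trusts the numeric ID in the URL and never checks that the authenticated student owns that file, and because the IDs are sequential, every other file is one increment away. The following is an added example, not NolijWeb's or Stanford's code, showing the vulnerable lookup beside an ownership-checked one and an opaque-handle variant that removes the guessable ID altogether; the document store, student IDs and function names are constructed.

```python
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Document:
    owner: str       # student ID the record belongs to
    content: str

# Constructed sample store keyed by sequential file IDs, as in the URLs the article describes.
DOCUMENTS = {
    1001: Document("s100", "admissions essay of s100"),
    1002: Document("s200", "admissions essay of s200"),
    1003: Document("s100", "transcript of s100"),
}

class Forbidden(Exception):
    pass

def fetch_vulnerable(session_user: str, doc_id: int) -> Document:
    """The pattern from the article: the ID in the URL is looked up as-is; session_user is never consulted."""
    return DOCUMENTS[doc_id]

def fetch_checked(session_user: str, doc_id: int) -> Document:
    """Hardened: the record's owner must match the authenticated user.
    'Not yours' and 'does not exist' produce the same error so the ID space cannot be mapped."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc.owner != session_user:
        raise Forbidden("no such document")
    return doc

# Second layer: expose per-user random handles instead of the sequential database ID.
_HANDLES = {}  # handle -> (owner, doc_id); a real service would persist this with an expiry

def issue_handle(session_user: str, doc_id: int) -> str:
    fetch_checked(session_user, doc_id)        # only the owner can mint a handle
    handle = secrets.token_urlsafe(16)         # 128 random bits: not enumerable by incrementing
    _HANDLES[handle] = (session_user, doc_id)
    return handle

def fetch_by_handle(session_user: str, handle: str) -> Document:
    entry = _HANDLES.get(handle)
    if entry is None or entry[0] != session_user:
        raise Forbidden("no such document")
    return fetch_checked(session_user, entry[1])  # ownership is re-checked at the store, not only at the handle

def list_own(session_user: str) -> list:
    """What a student's 'my documents' page should be built from: a server-side filter, not a client-supplied ID."""
    return sorted(i for i, d in DOCUMENTS.items() if d.owner == session_user)

def denied(fn, *args) -> bool:
    try:
        fn(*args)
    except Forbidden:
        return True
    return False
```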

Source: Information Security Magazine

#CPX360: Attackers Are Delighted by the Expanding Attack Surface

Ethical hackers have to “pretend and think like a criminal”, because attackers think in the opposite way to defenders.

Speaking at Check Point Experience in Vienna, ethical hacker and Cygenta co-founder Freaky Clown (FC) said that he is driven by trust issues, and stated he “trusts nothing unless I understand it fully, and I untrust everything to the nth degree, and then I trust it.”

FC pointed to security companies, saying you “cannot trust them to create secure software” and referenced cross-site scripting vulnerabilities, which have been present for the past 20 years. “It's really important to ensure every part of your security works together. You can spend millions, but if it does not work together you won’t have security in your building and hackers will find that flaw and use time and resources to get in,” he said.

With more and more devices connected, FC added that the scale of attacks has changed and while the future sees more integration of AI and machine learning, the introduction of driverless cars “is fascinating to me [as a hacker].”

However, he concluded by pointing out that there are too many negatives in cybersecurity, and asked “should we give up and go home?”

He said: “We’ve been doing this for 20 years and it is not working and it's looking more and more bleak. Not quite, we have talked about how generational threats have progressed, and we’ve flipped it at Cygenta.” This followed the introduction of a line of milestones, which Cygenta co-founder Dr Jessica Barker first displayed in her keynote at BSides Scotland last year.

FC said: “We are winning this, but it is a bit slow.”

Source: Information Security Magazine

Europe Intros Global IoT Security Standard

Experts have welcomed the introduction of a new globally applicable European standard designed to drive improvements in baseline security for consumer-grade IoT products.

Introduced today by the European Telecommunications Standards Institute (ETSI), the standard will hopefully encourage manufacturers to improve built-in privacy and security protections whilst providing consumers with a way of differentiating between products on the market.

The ETSI TS 103 645 standard came from a UK government proposal based on a code of practice it introduced last year. It also comes a year after the British Standards Institution (BSI) introduced a kitemark for consumer and business-grade IoT devices.

Among the requirements for IoT manufacturers keen to gain accreditation under the ETSI standard are implementation of a vulnerability disclosure policy and prohibition of any universal default passwords.

However, ETSI director-general, Luis Jorge Romero, clarified that the specification “was outcome-focused, rather than prescriptive, giving organizations the flexibility to innovate and implement security solutions appropriate for their products.”

Ollie Whitehouse, global CTO at NCC Group, welcomed the UK’s leadership role in helping to make the European standard a reality.

“We have long held the view that some market failures can only be addressed through the right regulatory frameworks and incentives. It is welcome that ETSI’s standard reflects how the adoption of its principles can help organizations achieve compliance with global regulatory regimes, from GDPR and cybersecurity certification in Europe to the IoT Cyber Security Improvement Act in the US,” he added.

“As global standardization moves ahead, manufacturers in every country need to understand that an international supply chain is no longer an excuse to ignore good security practice. Manufacturers around the world should take the right steps now to build an appropriate level of security into their products.”

Source: Information Security Magazine