
Archive for April 2016

Locky Ransomware Morphs as Spam Attacks Spike

Locky, an emerging ransomware threat that first burst on the scene in February, has already started to mutate and morph into new variants. The changes come just as researchers observe a fresh spike in propagation.

Locky is distributed via email attachments, specifically Word documents disguised as invoices. The documents contain macros which, once the recipient enables them, download and install the ransomware. When originally discovered, the botnet behind the spam was found to be the same one that delivers the majority of emails carrying the infamous Dridex banking trojan. Locky is also spread via exploit kits.
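The macro-laden invoice lure above is the kind of attachment a mail gateway should stop before a user ever sees the "enable content" prompt. The following is an added example, not code from the article or from any vendor it quotes: it decides whether an Office attachment carries a VBA project by looking at the file's contents (OOXML zip parts and legacy OLE stream names) rather than its extension, then applies a simple delivery policy. All sample documents are constructed in memory; there is no real Locky sample here.

```python
"""Gateway check: does an Office attachment carry a VBA macro project?

Added example; it is not code from the article or from any of the vendors
quoted. The documents below are constructed in memory (no real Locky sample)."""
import io
import re
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"            # legacy .doc/.xls container
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"  # declared in [Content_Types].xml
LURE_NAME = re.compile(r"invoice|receipt|payment|order", re.IGNORECASE)


def has_vba_macros(data: bytes) -> bool:
    """Decide by content, not by extension: a .docm renamed to .docx still has macros."""
    if data.startswith(OLE_MAGIC):
        # OLE2 directory entries are UTF-16LE; a '_VBA_PROJECT' stream exists only
        # when the document contains macros (heuristic scan, no full OLE parsing).
        return "_VBA_PROJECT".encode("utf-16-le") in data
    if data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
                if any(n.endswith("vbaProject.bin") for n in names):
                    return True
                if "[Content_Types].xml" in names:
                    return VBA_CONTENT_TYPE in zf.read("[Content_Types].xml")
        except zipfile.BadZipFile:
            return False
    return False


def classify_attachment(filename: str, data: bytes) -> str:
    """Policy: block macro-bearing documents outright; send macro-free files with an
    invoice-style lure name to a sandbox; deliver everything else."""
    if has_vba_macros(data):
        return "block"
    if LURE_NAME.search(filename):
        return "sandbox"
    return "deliver"


def _build_ooxml(with_macro: bool) -> bytes:
    """Constructed minimal OOXML container for the demo (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        types = b'<Types><Default Extension="xml" ContentType="application/xml"/>'
        if with_macro:
            types += (b'<Override PartName="/word/vbaProject.bin" '
                      b'ContentType="application/vnd.ms-office.vbaProject"/>')
            zf.writestr("word/vbaProject.bin", b"\x01\x16\x01\x00 constructed vba project")
        zf.writestr("[Content_Types].xml", types + b"</Types>")
        zf.writestr("word/document.xml", b"<w:document/>")
    return buf.getvalue()


# Constructed samples: a legacy .doc with a VBA stream, a macro file renamed to .docx,
# a clean .docx and a PDF with an invoice lure name.
SAMPLES = {
    "invoice_J-98223.doc": OLE_MAGIC + b"\x00" * 64 + "_VBA_PROJECT".encode("utf-16-le") + b"\x00" * 16,
    "invoice_J-98223.docx": _build_ooxml(with_macro=True),
    "quarterly_report.docx": _build_ooxml(with_macro=False),
    "invoice_4471.pdf": b"%PDF-1.4 (constructed placeholder)",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:24s} -> {classify_attachment(name, blob)}")
```

The point of checking content rather than extension is the renamed file: `invoice_J-98223.docx` still contains `word/vbaProject.bin`, so it is blocked. The OLE branch is a byte scan and will also fire on a document that merely embeds the string; in production use an OLE parser to confirm the stream actually exists.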

As for the ransomware itself, Locky encrypts files whose extensions appear on a built-in target list, then replaces the desktop background with the ransom note. Victims are told to visit one of several .onion or tor2web links, buy Bitcoin, send it to a specified address and wait for a decryptor download.

According to Check Point researchers, new characteristics in Locky’s communication have been observed in the wild as part of a new distribution campaign. Locky’s command-and-control traffic was initially easy to recognize by a well-known pattern; since March 22, however, Check Point said it had seen a major drop in matching logs.

“Assuming that Locky probably didn’t go silent all of a sudden, we tried to actively uncover changes in its activity and discover new findings,” the researchers said in a short analysis. They first uncovered a change in the headers, and then the communication path changed a second time.

“In the midst of our ongoing research of exploit kits, we encountered a second change in the Locky variant delivered by the Nuclear EK,” researchers said. “This time the changes were more drastic, both in the downloader dropped by the EK, and in the C&C key exchange protocol.”

At the same time, FireEye Labs is detecting a significant spike in Locky downloaders, driven by two concurrent email spam campaigns affecting users in more than 50 countries. The US, Japan and South Korea are the most affected.

“Prior to Locky’s emergence in February 2016, Dridex was known to be responsible for a relatively higher volume of email spam campaigns,” FireEye researchers said. “However, as shown in Figure 3, we can see that Locky is catching up with Dridex’s spam activities. This is especially true for this week, as we are seeing more Locky-related spam themes than Dridex. On top of that, we also are seeing Dridex and Locky running campaigns on the same day, which resulted in an abnormal detection spike.”


Source: Information Security Magazine

Cognitive Biometrics Goes Commercial with Behavior ID

Continuing the trend toward behavior-based, cognitive biometrics, a new approach to verifying a person’s “individualism” has hit the market.

It is well known that biometric sensors can be fooled: animated GIFs have gotten past facial recognition, and latex facsimiles have sailed through fingerprint scanners. TeleSign Behavior ID takes a multi-layered approach, aiming to build a picture of a person that is hard to replicate. It collects and evaluates a mix of mouse dynamics, keystroke dynamics and graphical user interface (GUI) interaction, feeding them to behavioral algorithms to establish a unique user profile.

The purpose of the product is to thwart account takeover attempts even when an attacker holds the user’s correct credentials. Account takeover (ATO) occurs when unauthorized access is gained to a web or mobile end-user account, often through stolen credentials, weak passwords or bot-based attacks. The opportunity for fraud from ATO is especially significant considering that the average consumer has 24 online accounts protected by reused passwords. With the recent rise in data breaches sending stolen credentials across the black market, account takeover has quickly become one of the most prevalent types of cybercrime, and every online account is susceptible, from banking and email to social media and retail.

“Assessing the legitimacy of an identity claim remains one of the top digital business and fraud challenges organizations face today,” said Avivah Litan, vice president and distinguished analyst at Gartner, in a recent research note.

Accordingly, Behavior ID brings its profiles to bear on online accounts and mobile applications. It builds a profile from the behavioral traits collected from initial account creation through ongoing use, then computes a ‘similarity score’ between the user’s current behavior and the historical, expected behavior. Known-good users get a streamlined experience, while users whose behavior diverges from the profile can be challenged with re-verification or two-factor authentication.
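To make the similarity-score-plus-step-up idea concrete, here is an added, deliberately simplified illustration; it is not TeleSign’s algorithm and not code from the article. It profiles one behavioral signal, keystroke timing (how long keys are held and the gap between keys), scores a new login against the profile, maps the score to allow / step-up / deny, and only lets accepted sessions update the profile so a rejected attacker cannot drift it toward their own rhythm. The timings are constructed by hand, and the thresholds are assumptions chosen for the demo.

```python
"""Behavioral similarity scoring on keystroke dynamics, with step-up authentication.

Added, deliberately simple illustration of the approach the article describes.
It is not TeleSign's algorithm; the timings below are constructed by hand."""
import statistics
from dataclasses import dataclass


@dataclass
class Profile:
    mean_dwell: float    # ms a key stays pressed
    sd_dwell: float
    mean_flight: float   # ms from one key-up to the next key-down
    sd_flight: float
    sessions: int        # how many logins the profile was built from


def build_profile(history):
    """history: list of (dwell_ms, flight_ms) sample lists, one pair per past login."""
    dwell = [t for d, _ in history for t in d]
    flight = [t for _, f in history for t in f]
    return Profile(statistics.mean(dwell), statistics.stdev(dwell),
                   statistics.mean(flight), statistics.stdev(flight), len(history))


def similarity(profile, dwell, flight):
    """Score in [0, 1]: 1.0 means the session's rhythm matches the profile exactly.
    Each feature's session mean is expressed in profile standard deviations;
    three or more standard deviations away scores zero."""
    z_dwell = abs(statistics.mean(dwell) - profile.mean_dwell) / profile.sd_dwell
    z_flight = abs(statistics.mean(flight) - profile.mean_flight) / profile.sd_flight
    return max(0.0, 1.0 - (z_dwell + z_flight) / 2 / 3.0)


def decide(score, allow_at=0.8, challenge_at=0.4):
    """Policy (assumed thresholds): trust high scores silently, step up medium ones, deny the rest."""
    if score >= allow_at:
        return "allow"
    if score >= challenge_at:
        return "step-up"   # e.g. one-time code / 2FA
    return "deny"


def authenticate(history, dwell, flight, second_factor_ok=None):
    """Run a login through the scorer. Only sessions that end up accepted are appended
    to the history, so a denied or unchallenged session cannot drift the profile."""
    profile = build_profile(history)
    verdict = decide(similarity(profile, dwell, flight))
    accepted = verdict == "allow" or (verdict == "step-up" and second_factor_ok is True)
    if accepted:
        history.append((dwell, flight))
    return verdict, accepted


# Constructed history: four past logins by the legitimate user (same timing distribution).
HISTORY = [
    ([80, 90, 100, 110, 120], [150, 175, 200, 225, 250]),
    ([110, 80, 120, 90, 100], [200, 150, 250, 175, 225]),
    ([100, 120, 90, 80, 110], [225, 200, 175, 250, 150]),
    ([90, 110, 80, 120, 100], [175, 225, 150, 200, 250]),
]

# Constructed new sessions: the same user, the same user on an unfamiliar keyboard,
# and someone else typing the stolen password.
SESSIONS = {
    "same_user": ([95, 105, 110, 100, 105, 95], [190, 205, 215, 200, 210, 195]),
    "new_device": ([115, 125, 120, 130, 115, 125], [200, 220, 210, 230, 205, 215]),
    "attacker": ([135, 145, 150, 140, 155, 145], [260, 280, 300, 270, 290, 280]),
}

if __name__ == "__main__":
    profile = build_profile(HISTORY)
    for label, (dwell, flight) in SESSIONS.items():
        score = similarity(profile, dwell, flight)
        print(f"{label:10s} score={score:.2f} -> {decide(score)}")
```

The middle band is where the product value sits: a slightly unfamiliar rhythm gets a second factor rather than a refusal, and the attacker with valid credentials is stopped without the real user ever seeing a challenge. Real systems use far richer features (per-digraph timings, mouse curvature, touch pressure) and tune thresholds against measured false-accept and false-reject rates.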

“With Behavior ID, our customers can immediately increase the level of identity assurance for every user account they have, without adding friction,” said Steve Jillings, CEO at TeleSign. “The power of Behavior ID is its ability to adapt to the user, transparently producing a digital fingerprint from a user's behavior to confirm their identity and develop an ongoing authentication without requiring the consumer to do anything. Best of all, these unique biometric patterns are extremely accurate: from the way we move our hand on a mobile device screen or with a mouse, it is virtually impossible to precisely imitate another person's behavior.”


Source: Information Security Magazine

FIDO Alliance Passes 150 Post-Password Certified Products

The FIDO Alliance has seen rapid growth over the last three months and now counts more than 150 FIDO Certified biometric and two-factor authentication products.

The growth marks a 50% increase in the last quarter—in January, it announced that it had passed 100 post-password certified solutions. The growth is mainly coming from Asia-Pacific.

“Fifty percent growth in certified products in just three months is further evidence that the FIDO specifications are increasingly accepted as the new standard for strong authentication technology,” said Brett McDowell, executive director of the FIDO Alliance. “You can see from the companies listed in today’s announcement that the Asia Pacific region is one of the fastest growing markets for FIDO authentication, largely driven by early demand from financial services and mobile network operators. This reinforces that the demand for simpler, stronger FIDO authentication is truly global.”

The FIDO Alliance is devoted to boosting online security with open standards for simpler, stronger authentication that moves beyond passwords (with an eye to eliminating them altogether). Taken together, the FIDO specifications, which were finalized in late 2014, define an open, scalable, interoperable set of strong authentication mechanisms that reduce the reliance on single-factor username and password login. They take into account devices, servers and client software, including browsers, browser plugins and native app subsystems.

This latest round of certifications comes after the FIDO Alliance hosted its first Korean-based interoperability testing event, which garnered the largest number of FIDO-implementing companies to date. Organizations attending these events are able to test and validate their FIDO implementations to prove that their certified products truly interoperate with each other—a necessity for achieving the vision of universal and interoperable strong authentication.

Organizations with new FIDO Certified products include: BTWorks Inc., Crosscert, CrucialTec, Dayside, Inc., eWBM Co., Ltd., FacialNetwork Inc., GOTrust Technology Inc. (GO-Trust), HANCOM Secure Inc., INITECH Co., Ltd., International Systems Research Co., KICA Inc. (Korea Information Certificate Authority), KT, Open Security Research, Inc., SECUVE, SGA Solutions, SK Planet, SK Telecom Co.

“Certification of serious security components and sub-systems is absolutely essential as we have come to realize how much is at stake when authentication systems don’t perform as expected. With major data breaches escalating, so is demand for strong authentication,” said Steve Wilson, vice president and principal consultant at Constellation Research. “Moreover, demand for certified authentication solutions is also rising. A standards based authentication solution is only as good as its conformance to those standards.”

The growing collection of FIDO Certified products and services are part of the larger global trend: FIDO authentication is now enabled on devices from the top five global handset manufacturers. Additionally, service providers including Google, PayPal, Samsung, Bank of America, NTT DOCOMO, Dropbox and GitHub have made FIDO authentication available to protect hundreds of millions of end-users’ desktop and mobile apps, while RSA and eBay have launched FIDO-compliant solutions for enterprise and commerce deployment, respectively.

Samsung, for instance, has built the FIDO-based S3 Authentication Suite into its Galaxy smartphone line to enable mobile payments via the integrated fingerprint sensor. As a result, users can authenticate to any FIDO-ready application with the security capabilities already in their device.


Source: Information Security Magazine

Google Patches 39 Bugs in Android Update

Google has patched a whopping 39 flaws in its latest Android security update, including eight critical fixes in media-handling components such as libstagefright and Mediaserver.

The Nexus Security Bulletin for April will as usual be released over-the-air for Google’s own Nexus handsets; it was made available to hardware partners in mid-March so they could work on their own fixes.

The update noted the following:

“The most severe of these issues is a Critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files.”

In fact, there are 15 critical flaws in total fixed in the update, 11 of which are RCE – seven of these relating to Mediaserver.

The remaining four are elevation of privilege flaws, among them one each in the Qualcomm Performance Module and the Qualcomm RF Component.

There are 10 high-severity elevation of privilege flaws and four high-severity information disclosure flaws in Mediaserver.

The remaining fixes are for a mix of moderate elevation of privilege, denial of service and information disclosure bugs.

Google has certainly been making strides to improve the security of the Android ecosystem of late.

In June 2015, for example, it launched the Android Security Rewards program, offering to pay for each step required to fix a security bug in Nexus devices, including patches and tests.

However, users may be shooting themselves in the foot by failing to keep up-to-date with the latest software versions.

A Duo Security report analyzing around one million devices at the start of the year found that a staggering 90% were running old versions of Android.

More concerning still, around a third of Android handsets used in enterprises today are running version 4.0 or older of the OS, leaving them even more exposed to vulnerabilities like Stagefright.

Source: Information Security Magazine

Whaling Attacks Jump Again in Q1

Three-quarters of UK IT professionals have seen an increase in whaling attacks this year designed to trick staff into transferring funds outside the organization, according to new research from email security firm Mimecast.

The vendor polled over 400 IT experts in the US, UK, South Africa and Australia in March 2016 to ask them about the state of play in the first three months of the year.

In the UK, the number of respondents who saw an increase in such incidents rose from 55% in December 2015 to 75% in March this year.

Also gaining in popularity are similar scams in which fraudsters look to elicit confidential information like HR or tax records. Some 38% of UK respondents claimed they saw an increase over the period.

When it comes to global figures, 67% of respondents said they saw a jump in the number of whaling incidents designed to defraud them of revenue, while 43% saw an increase in attacks looking for sensitive corporate information.

Whaling, or Business Email Compromise (BEC), typically involves a scammer using a spoofed or lookalike sender domain to pose as the company’s CEO or CFO.

They will often ask a senior member of the finance team to transfer funds to an external bank account, so the attack relies largely on social engineering rather than on malware.

The FBI warned back in February of a sharp rise in BEC incidents, generating as much as $2 billion over the past two years and $800m in the previous six months alone.

To combat this growing threat, Mimecast has released a new cloud service designed to monitor for specific domain names and keywords like ‘wire transfer’ and ‘tax form’ – and alert IT teams to any suspicious activity.

Impersonation Protect enables security teams to block such emails or display additional security warnings to raise employee awareness.
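The two pieces above describe the attack (a forged or lookalike sender posing as an executive, asking finance for a wire) and the countermeasure (watching sender domains and keywords such as ‘wire transfer’ and ‘tax form’). Here is an added example of that triage logic; it is not Mimecast’s product and not code from the article. It parses a raw message with Python’s standard `email` module and scores four signals: an executive’s display name on a non-company address, a sender domain within a couple of edits of the company domain, a Reply-To that goes somewhere else, and money-movement or HR-data keywords. The company domain, the executive directory and the four messages are all constructed for the demo.

```python
"""Heuristic whaling/BEC triage: executive impersonation, lookalike domains,
reply-to mismatch and money-movement keywords.

Added example, not Mimecast's product logic. Company domain, executive list
and the messages are constructed for the demo."""
import email
import re
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                       # assumed: the protected organisation
EXECUTIVES = {"jane doe": "jane.doe@example.com"}    # assumed directory of high-value senders
KEYWORDS = re.compile(
    r"\b(wire transfer|wire|urgent|tax form|w-2|payroll|invoice|bank details)\b", re.IGNORECASE)
WEIGHTS = {"impersonation": 3, "lookalike": 3, "reply-to": 2, "keywords": 1}


def levenshtein(a, b):
    """Edit distance, used to catch typo-squats such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain):
    """True for a domain that is not ours but sits within two edits of it or embeds our label."""
    if not domain or domain == COMPANY_DOMAIN:
        return False
    label = COMPANY_DOMAIN.split(".")[0]
    return levenshtein(domain, COMPANY_DOMAIN) <= 2 or label in domain


def triage(raw):
    """Return (verdict, score, reasons) for one raw RFC 822 message."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    _, reply = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply.lower().rpartition("@")[2]
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = msg.get("Subject", "") + " " + body

    findings = []
    known = EXECUTIVES.get(name.strip().lower())
    if known and addr != known:
        findings.append(("impersonation", f"'{name}' is an executive but the sender is {addr}"))
    if lookalike(domain):
        findings.append(("lookalike", f"sender domain {domain} resembles {COMPANY_DOMAIN}"))
    if reply_domain and reply_domain != domain:
        findings.append(("reply-to", f"replies go to {reply_domain}, not {domain}"))
    words = sorted({m.lower() for m in KEYWORDS.findall(text)})
    if words:
        findings.append(("keywords", "money/HR-data language: " + ", ".join(words)))

    score = sum(WEIGHTS[kind] for kind, _ in findings)
    verdict = "block" if score >= 4 else "warn" if score >= 2 else "deliver"
    return verdict, score, [reason for _, reason in findings]


# Constructed messages (not real mail).
SAMPLES = {
    "bec": """From: "Jane Doe" <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@gmail.com
To: bob.finance@example.com
Subject: Urgent wire transfer

Bob, I am in a meeting and need a wire transfer of $48,500 sent to the vendor
account below before 3pm. Do not call me, just confirm by email.
""",
    "internal": """From: "Jane Doe" <jane.doe@example.com>
To: bob.finance@example.com
Subject: Board deck

Bob, can you send me the Q1 numbers for the board deck? Thanks.
""",
    "vendor": """From: "Accounts Receivable" <ar@acme-supplies.net>
To: bob.finance@example.com
Subject: Invoice 4471 attached

Please find invoice 4471 attached, due in 30 days.
""",
    "freemail": """From: "Jane Doe" <janedoe.ceo@outlook.com>
To: bob.finance@example.com
Subject: Quick favour

Are you at your desk? I need something handled discreetly today.
""",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        verdict, score, reasons = triage(raw)
        print(f"{label:9s} {verdict:8s} score={score}", *reasons, sep="\n    ")
```

Note what the weighting does: a vendor invoice with a keyword but a genuine sender is delivered, an executive’s name on a free-mail address alone produces a warning banner (the “additional security warnings” the article mentions), and the full pattern (lookalike domain, off-domain Reply-To, urgency plus wire language) is blocked. The edit-distance test is deliberately loose and will flag some unrelated short domains, so it is a score contributor rather than a verdict on its own.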

“Whaling attacks have been growing around the world as cyber-criminals change their tactics to circumvent traditional email security techniques,” explained Mimecast security product manager, Steven Malone.

“Even the smartest employees can fall victim to these malware-less attacks designed to steal money or confidential data. Employee education and rigorous business processes play an important role but at Mimecast we believe advanced pattern recognition can play a larger role in identifying social engineering attacks.”

Source: Information Security Magazine

Turkish Identity Breach May Affect 50 Million

A leaked database said to be the Turkish national citizenship register appears to contain personal information on around 50 million people.

The dump is claimed to hold data from 2008 and nothing newer; it has also been claimed that the data was leaked and decrypted back in February by a researcher known as Cthulhu.

According to Business Insider, the data included: the National Identifier (TC Kimlik No); first name and last name; mother’s and father’s first name; gender; date and city of birth; and full address.

The Turkish national ID number system is used to enable access to a number of government services, like taxation, voting, education, social security, health care, and military recruitment, reported The Guardian.

At the time of writing, the validity of the data has not been confirmed, but it could go down as one of the largest data breaches in history for some time, said Alex Cruz Farmer, VP of cloud at NSFOCUS IB.

“Governments are often the most targeted for cyber-attacks and, as we have learned, it only takes one single field on a website to compromise an entire infrastructure. We remind all communities to be vigilant and alert at all times, and maintain security policies and technologies. Security must stop being an afterthought, and be the first thing any CIOs consider.”

Robert Capps, VP of business development at NuData Security, said: “Those behind the data dump imply it was politically motivated against Turkey’s controversial president."

“While it appears that Turkey’s controversial president Recep Tayyip Erdogan was the instigation for this breach, the real collateral damage will be to the millions of Turkish citizens who have had their identity compromised.  In most cases, the most common result of such a breach is fraudulent account creation or existing consumer account takeover, something we have seen borne out year over year among our clients."

“With the level of information released in the recent Turkish breach, criminals have solid profiles on individuals that can be used to create new bank accounts, access existing accounts, or acquire false Government issued identification documents in order to perpetuate all manner of malfeasance, including financial crimes and terrorism.”

Source: Information Security Magazine

US and Canadian Governments issue Ransomware Warnings

The US and Canadian Governments have issued a joint alert about ransomware infections in the wake of more hospital infections.

After the FBI issued a statement recommending that victims not pay the ransom and that they back up their files, the US Department of Homeland Security and the Canadian Cyber Incident Response Centre issued a joint statement highlighting ransomware’s “main characteristics, its prevalence, variants that may be proliferating, and how users can prevent and mitigate against ransomware.”

US-CERT recommends that users and administrators take preventive measures to protect their computer networks from ransomware infection, including: employing a backup and recovery plan; using application whitelisting; applying patches and keeping anti-virus up to date; filtering email attachments and web links; and restricting users’ permissions to install and run unwanted software applications, and applying the principle of “Least Privilege” to all systems and services.

In recent incidents, The Hollywood Presbyterian Medical Center declared an “internal emergency” on Friday 5 February after “significant IT issues” were reported by CEO Allen Stefanek, while a group of German hospitals were reduced to swapping handwritten notes instead of emails after an infection.

Last week, healthcare provider MedStar Health was forced to disable its network after ransomware infected several systems while Brian Krebs reported on the Henderson, Kentucky-based Methodist Hospital placing a scrolling red alert on its homepage this week, stating that “Methodist Hospital is currently working in an Internal State of Emergency due to a Computer Virus that has limited our use of electronic web based services.”

Brian Spector, CEO of MIRACL, said: “Public institutions like hospitals are a key target for hackers because they hold such a treasure trove of personal data. In the US, the potential bounty is even larger, due to the additional layer of financial transactions taking place, but that’s not to say that UK hospitals are safe."

“Hospital IT systems are notoriously fragmented and complex, with networks crossing wards, laboratories and offices. They are also among the most vital and important in any organization – because if their systems go down, people’s lives may be at risk. For this reason, criminals may believe hospitals are more likely to succumb to ransomware demands than other organizations, and target them more as a result.”

Research by DataGravity CISO Andrew Hay estimated what the outages cost. For Methodist Hospital, with total revenue of $425,196,926 and average net income of $97,124 per day, five days of lockdown put the lost net income at $485,620.

For Hollywood Presbyterian, with total revenue of $970,317,733 and average net income of $57,479 per day, he put the cost, including the $17,000 ransom demand, at $229,918.

“Those with a lot to lose, a lot of money to pay and poor backups are most likely to be targets. In the case of hospitals, the loss of information isn’t merely a financial cost but can be a matter of life or death for lots of people. This makes it much more likely that a hospital will be willing to pay up if they lose crucial patient data and cannot recover it,” said Luke Jennings, Head of Research and Development at Countercept by MWR InfoSecurity.

“It’s difficult to accurately determine the location of the human attacker behind the keyboard, and therefore the source of these attacks. Even if a server involved is located in a particular country, that does not mean the operator of it is located in that same country. Additionally, ransomware authors often make use of Tor and digital currencies to further hide themselves.”

Source: Information Security Magazine

Mergers and Acquisitions Put Orgs at Greater Risk of Attack

A company’s security infrastructure is more vulnerable during the mergers and acquisitions (M&A) process, according to new research from Digital Shadows.

In its report ‘Cyber Threats Targeting Mergers and Acquisitions’, the firm investigates the cyber risks, or possible degradation of a company’s security, that can arise from M&A activity. The research outlines the stages that make up the M&A procedure and, more interestingly, how security threats develop and change as those steps progress.

Whilst it is quick to point out that M&As can be exciting, often bringing about the expansion and improvement of businesses, Digital Shadows highlights the fact that as periods of significant change, adjustment and stress, failure to secure sensitive information constitutes an added threat to the organization and an opportunity for threat actors.

According to Rick Holland, vice-president of strategy at Digital Shadows, cyber-criminals appear to view the M&A period as an ideal time to attack a company, doubling down on their efforts to capitalize on this window of opportunity.

“There is demonstrable evidence to suggest that companies going through the M&A process have been targeted by malicious actors,” he told Infosecurity.

“Failure to secure sensitive information during an M&A process opens the door to threat actors looking to profit by exploiting financial markets and proprietary intellectual property and it’s imperative that organizations are aware of this threat.”

Holland suggests that insider threats play a significant role in the increased risk companies face during M&As, citing factors such as employees’ reactions to possible redundancies or unwelcome change as potential breeding grounds for data leaks.

“Certainly, employees are a demonstrable risk when disenfranchised. Additionally, as M&A reaches its final stages and due diligence is in full flow, the amount of data that is shared increases dramatically and so does the risk of a data breach. As such, organizations may well experience an increase in spear-phishing attempts as attackers strive to take advantage of a surge in valuable data that exchanges hands during this process.”

Source: Information Security Magazine

Ransomware Threat Hits Critical Mass

An overwhelming surge in ransomware extortion attacks has sparked a joint statement from the US Department of Homeland Security and the Canadian Cyber Incident Response Centre.

"Infections can be devastating to an individual or organization, and recovery can be a difficult process that may require the services of a reputable data recovery specialist," the two governments said in the alert. "Paying the ransom does not guarantee the encrypted files will be released. It only guarantees that the malicious actors receive the victim's money, and in some cases, their banking information."

Recent victims have often been in the healthcare sector. For instance, MedStar, the US capital region’s largest healthcare provider with 10 hospitals and more than 200 outpatient offices, shut down much of its computer network this week after attackers used ransomware to encrypt data on some computers and demanded a ransom of $18,500.

Part of the reason for the outbreak is simple economics—the barriers to entry for carrying out the attacks have been lowered.

"The recent increase in ransomware attacks is being driven by a proliferation in ransomware toolkits,” said John Gunn, VP of communications at VASCO Data Security, in an email. “Anyone can buy the tools to conduct ransomware attacks for as little as $100 on the dark web. It’s a numbers game—more attackers equals more victims.”

Brian Laing, VP of products and development at Lastline, told us in an email that one of the biggest reasons why companies are unprepared is that they simply do not understand the impact. 

“Getting hit with ransomware is not as simple as dealing with machines being down for some length of time, because they'll be restored ultimately,” he explained. “Nor is it as simple as this year's product designs or other company and patient or customer data being leaked. If an organization does not have backups of the files, they are down completely.”

The most effective defense against ransomware attacks still depends on human intelligence, said Gunn: “People have to stop clicking on links in malicious emails—they didn’t just win the lottery, they don’t have a huge refund coming, and a beautiful foreign lady does not want to date them."

Csaba Krasznay, product manager at Balabit, added that industry participants from all sides need to wake up.

“This alert from the US and Canadian governments rings the bell,” he told Infosecurity. “Cybercriminals have found a new set of targets with a well-known attack, and neither the victims nor the authorities are well enough prepared.”


Source: Information Security Magazine

Millions of Enterprise Users at Risk from Apple iOS Flaw

A fresh attack vector for iOS has been uncovered, dubbed “SideStepper.” It could give threat actors control of devices, the data that resides on them, and even enterprise services, potentially impacting millions of iOS users worldwide.

The Check Point research team said that the issue resides in Apple’s iOS 9 security paradigm, and enables threat actors to stage a man-in-the-middle attack that hijacks communications between managed iOS devices and mobile device management (MDM) solutions.

At the heart of the issue is the use of enterprise distribution certificates: certificates issued by Apple under its enterprise developer program, with which an organization can sign apps built in Xcode. Apps signed with such a certificate can be installed on iOS devices without going through App Store review. This lets enterprises develop apps in-house and distribute them to employees without requiring those employees to install them from the App Store.

In response to what amounted to a significant vulnerability to this ecosystem, as demonstrated by the Masque attack, Apple introduced new security measures for enterprise apps in iOS 9 to prevent hackers from making use of this situation to get around the App Store vetting process.

“For instance, when the enterprise app is initially downloaded, the user must go through a maze of settings screens to verify the app’s developer. Only after this verification process is complete can the app be executed,” Check Point explained in a paper on the issue. “Apple did leave a loophole, however. Enterprises use apps in myriad ways, and many users can’t handle the new workflow for actively trusting apps. So iOS natively trusts any app installed by MDM solutions, which are exclusively used by businesses. In fact, an app installed by an MDM will not show any indication of its origin.”

First, an attacker convinces a user to install a malicious configuration profile on a device by using a phishing attack. Once installed, this malicious profile allows an attacker to stage a MitM attack on the communication between the device and an MDM solution. The attacker can then hijack and imitate MDM commands that iOS trusts, including the ability to install enterprise apps over-the-air.

Malicious apps can be designed to: Capture screenshots, including screenshots captured inside secure containers; record keystrokes, exposing login credentials of personal and business apps and sites to theft; save and send sensitive information like documents and pictures to an attacker’s remote server; and control sensors like the camera and microphone remotely, allowing an attacker to view and capture sounds and images.
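The chain above starts with a user accepting a configuration profile, so the practical control point is inspecting profiles before they reach devices (or auditing the ones already installed). The following is an added example, not Check Point’s or Apple’s code: it parses an iOS `.mobileconfig` profile with Python’s `plistlib` and rejects it if it contains the ingredients of traffic interception on a managed device: an additional trusted root CA, a global HTTP proxy, or MDM enrollment against a server other than the organization’s own. That a malicious profile carries these particular payloads is an assumption of this example, the article does not say what the SideStepper profile contains; the two profiles below are constructed and `mdm.example.com` is a placeholder.

```python
"""Inspect an iOS configuration profile (.mobileconfig) for the ingredients of
traffic interception on a managed device: an extra trusted root CA, a global
HTTP proxy, or MDM enrollment pointing at a server that is not ours.

Added example, not Check Point's or Apple's code. That a malicious profile
carries these payloads is an assumption of this example; the profiles below
are constructed and mdm.example.com is a placeholder."""
import plistlib
from urllib.parse import urlparse

TRUSTED_MDM_HOSTS = {"mdm.example.com"}   # assumed: the organisation's real MDM server

# Apple PayloadType values relevant to interception.
ROOT_CA = "com.apple.security.root"
GLOBAL_PROXY = "com.apple.proxy.http.global"
MDM = "com.apple.mdm"


def assess_profile(data: bytes):
    """Return (verdict, reasons); verdict is 'accept' or 'reject'."""
    try:
        profile = plistlib.loads(data)
    except Exception:
        # A signed profile is a CMS blob plistlib cannot read: verify the signature,
        # unwrap the inner plist, then re-run this check on it.
        return "reject", ["not a plain plist; verify and unwrap the CMS signature first"]
    if profile.get("PayloadType") != "Configuration":
        return "reject", ["top-level PayloadType is not 'Configuration'"]
    reasons = []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype == ROOT_CA:
            reasons.append("installs trusted root CA '%s'" % payload.get("PayloadDisplayName", "?"))
        elif ptype == GLOBAL_PROXY:
            reasons.append("sets global HTTP proxy %s:%s"
                           % (payload.get("ProxyServer"), payload.get("ProxyServerPort")))
        elif ptype == MDM:
            host = urlparse(payload.get("ServerURL", "")).hostname or ""
            if host not in TRUSTED_MDM_HOSTS:
                reasons.append("MDM enrollment against untrusted server '%s'" % host)
    return ("reject" if reasons else "accept"), reasons


def _payload(ptype, ident, **keys):
    """Build one payload dict with the common Apple keys (constructed demo data)."""
    d = {"PayloadType": ptype, "PayloadIdentifier": ident, "PayloadUUID": ident.upper(),
         "PayloadVersion": 1, "PayloadDisplayName": ident}
    d.update(keys)
    return d


def _profile(*payloads):
    """Serialise a top-level Configuration profile as an unsigned XML plist."""
    return plistlib.dumps({
        "PayloadType": "Configuration", "PayloadIdentifier": "com.example.demo",
        "PayloadUUID": "00000000-0000-0000-0000-000000000001", "PayloadVersion": 1,
        "PayloadDisplayName": "Constructed demo profile", "PayloadContent": list(payloads)})


# Constructed: a legitimate enrollment profile for our own MDM.
LEGIT_PROFILE = _profile(
    _payload(MDM, "com.example.mdm", ServerURL="https://mdm.example.com/mdm",
             CheckInURL="https://mdm.example.com/checkin",
             Topic="com.apple.mgmt.External.00000000-0000-0000-0000-000000000002",
             AccessRights=8191))

# Constructed: a profile with everything needed to intercept and command the device.
MALICIOUS_PROFILE = _profile(
    _payload(ROOT_CA, "com.attacker.ca", PayloadContent=b"\x30\x82 constructed DER placeholder"),
    _payload(GLOBAL_PROXY, "com.attacker.proxy",
             ProxyServer="proxy.attacker.invalid", ProxyServerPort=8080),
    _payload(MDM, "com.attacker.mdm", ServerURL="https://mdm.attacker.invalid/mdm",
             CheckInURL="https://mdm.attacker.invalid/checkin",
             Topic="com.apple.mgmt.External.00000000-0000-0000-0000-000000000003",
             AccessRights=8191))

if __name__ == "__main__":
    for label, blob in (("legit", LEGIT_PROFILE), ("malicious", MALICIOUS_PROFILE)):
        verdict, reasons = assess_profile(blob)
        print(label, verdict, *reasons, sep="\n  ")
```

The checker deliberately refuses anything it cannot parse: a profile that arrives signed must have its CMS signature verified and the inner plist extracted before the payload review, otherwise an attacker could hide payloads behind an opaque blob that the gate waves through.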

The best mitigation is not to fall for the phishing in the first place: a configuration profile should only ever be installed through the organization’s own MDM enrollment, never from a link in an unexpected message. And, of course, users should always be extra vigilant when installing apps and profiles on their devices.


Source: Information Security Magazine