
Archive for May 2016

TeslaCrypt Authors Deliver Public Decryption Key

In more good news for ransomware victims, the cyber–criminals behind the infamous TeslaCrypt variant have made public the decryption key for the malware.

Eset claimed in a blog post yesterday that it contacted TeslaCrypt’s authors after spotting a message announcing they were closing their ‘project.’

“On this occasion, one of ESET’s analysts contacted the group anonymously, using the official support channel offered to the ransomware victims by TeslaCrypt’s operators, and requested the universal master decryption key,” it explained.

“Surprisingly, they made it public.”

This gave the security vendor all it needed to produce a free decrypting tool with the ability to unlock files affected by all variants of TeslaCrypt.

The news follows Kaspersky Lab’s efforts to unlock files for victims of the CryptXXX ransomware.

In a cat-and-mouse game typical of the security industry’s battles with the black hats, its initial efforts led to the development of a new version, CryptXXX 2.0.

However, the Russian AV firm was able once again to crack the code and has produced the RannohDecryptor to tackle the latest version of this ransomware family.

Even so, the advice from most commentators is for firms to take preventative measures to mitigate the risk of being infected in the first place: few such decryption tools exist, and paying a ransom is no guarantee that the victim’s files will be unlocked.

Trend Micro recommends a layered protection approach involving a combination of web/email gateway, endpoint, server and network security.

The firm said it stopped a massive 99 million ransomware threats for its customers between October 2015 and April 2016, although it admitted the actual figure for real infections globally is likely to be many times this number.

Other sound security advice includes network segmentation, to prevent ransomware moving laterally inside an organization and encrypting as it goes, and user education programs so that staff know not to open suspicious emails or click on dubious-looking links.

Source: Information Security Magazine

Security Experts Warn Government Over Driverless Car Plans

The UK government reaffirmed its commitment to developing driverless and electric vehicles in the Queen’s Speech yesterday, but security experts cautioned that protections must be engineered into systems to ensure privacy and deflect hacking attempts.

In a brief allusion to the government’s current projects, the Queen said the following:

“My ministers will ensure the United Kingdom is at the forefront of technology for new forms of transport, including autonomous and electric vehicles.”

In fact, the Tories have already trailed such developments over recent months.

In February they announced £20m of funding for eight new projects in the sector, which will see driverless cars trialed on the streets of Bristol, Coventry, Milton Keynes and Greenwich, and on designated tracks at Heathrow airport.

These include the UK Connected Intelligent Transport Environment (UKCITE) project, which involves Jaguar Land Rover, Siemens, Vodafone Group and others. Driverless pods will also be trialed in Greenwich and Milton Keynes.

“Our cars of the future will be equipped with the technologies that will make getting from A to B safer, faster, and cleaner,” business secretary, Sajid Javid said at the time. “They will alert drivers of accidents ahead and be able to receive information from their surroundings about hazards, increasing the safety of drivers, passengers and pedestrians.”

However, there remain concerns over security and privacy, particularly in terms of the amount of data potentially collected by such vehicles.

“An extraordinary amount of digital infrastructure is needed to store the data generated by the vehicles. Indeed, Tesla’s fleet of cars records 1.5 million miles worth of data every single day,” argued Nimble Storage director, Paul Scarrott.

“With this already mammoth amount of data set to increase rapidly as driverless cars become more popular, it’s important that greater consideration is given to how and where this data will be stored and shared, especially with the GDPR and Privacy Shield on the horizon.”

Others warned that autonomous or even connected cars could theoretically be hacked and remotely controlled, as was demonstrated in a well-publicized Black Hat presentation last year from Miller and Valasek.

The pair showed how attackers could move laterally inside the embedded computing systems of a 2014 Jeep Cherokee until they reached the CAN bus, which controls the major steering, braking and other functions of the vehicle.

By reverse engineering firmware code, they could then modify, reflash and reboot it to execute arbitrary code – effectively giving the car instructions to override the driver.

Gordon Morrison, director of government relations at Intel Security, alluded to the research.

“It is crucial that in its pursuit of innovation, the government doesn’t neglect the security essentials which will guarantee not only the success of these new technologies, but also the safety of its users,” he argued.

“The government must ensure that, as part of its innovative work with the automotive industry, cybersecurity remains a top priority.”

Paul Farrington, senior solution architect at Veracode, warned that the security of driverless cars will come down to code.

“Findings from a recent IDC report indicated that there could be a lag of up to three years before car security systems are protected from hackers,” he claimed. “With over 200 million lines of code in today’s connected car, not to mention smartphone apps linked to the car, we must ensure they are developed with security at the heart of the strategy, rather than as an afterthought.”

One organization which is working towards improving the security of embedded computing systems such as those in connected cars is the non-profit prpl Foundation.

It recently released a guidance document for the industry in which it proposed a solution to the problems highlighted by Miller and Valasek, involving SoC virtualization to achieve security-by-separation at a chip level, and a “root of trust” anchored in the silicon, ensuring firmware can’t be overwritten by a third party.

Source: Information Security Magazine

SEC Calls Out Financial Sector for Poor Security

The US Securities and Exchange Commission has called out the major trading exchanges and financial clearinghouses for being reckless in their cybersecurity postures.

SEC Chair Mary Jo White told the Reuters Financial Regulation Summit in Washington D.C. that a recently concluded investigation showed that security policies that are in place fail to take into account the threat landscape as it is today.

“What we found, as a general matter so far, is a lot of preparedness, a lot of awareness but also their policies and procedures are not tailored to their particular risks,” she said, adding that SEC examiners are proactively assessing broker-dealers and investment advisors on their security implementations. “As we go out there now, we are pointing that out. We can’t do enough in this sector.”

A former member of the World Bank’s security team, Tom Kellermann (now CEO at investment firm Strategic Cyber Ventures), told Business Insider that her frankness is “a historic recognition of the systemic risk facing Wall Street.”

Dave Amsler, president and founder of Raytheon Foreground Security, told Infosecurity that the financial services industry cannot afford to ignore the warning.

“Financial services organizations feel increased pressure from stakeholders to bolster their cybersecurity posture as cybercriminals target their networks and regulatory challenges increase,” he said. “For cybercriminals, the business of money remains a prime target. When the malicious actors are more sophisticated groups or nation states, the risk escalates as they eye financial market manipulation or severe damage.”

This is playing out in real life: In February, a bug in SWIFT banking software was exploited to allow hackers to make off with $81 million from Bangladesh’s central bank.

He added, “The recent SWIFT heist demonstrates that financial institutions cannot afford to wait and react; they have to proactively hunt for these persistent and determined threats within their environments.”

Source: Information Security Magazine

Operation Groundbait Hooks Victims in Ukraine

Security experts have discovered yet another cyber campaign in the Ukraine, but this time targeting both anti-government separatists in the East and Ukrainian politicians and government officials.

Operation Groundbait was given its name because some of the malware-laden emails sent out by the attackers contained a decoy document which inexplicably displayed a pricelist of fishing groundbait.

Other emails featured more standard attachments relating to the war in Donbass or the general geopolitical situation in Ukraine.

The malware in question, detected by Eset as Win32/Prikormka, has lain hidden from researchers since at least 2008.

It arrives in the form of a classic spearphishing email, complete with “appealing filename” and the aforementioned decoy documents to lure victims into opening them, the security firm claimed in a new blog post.

“From a technical perspective, the malware features a modular architecture, allowing the attackers to expand its functionality and steal various types of sensitive information and files from the cyber-surveillance targets,” wrote Eset researcher Robert Lipovsky.

But while Eset concluded that the campaign is most likely politically motivated, it was puzzled by the choice of targets.

“Any further attempt at attribution would at this point be speculative,” it concluded. “It is important to note that in addition to separatists [in Donetsk and Luhansk], the targets of this campaign include Ukrainian government officials, politicians and journalists. The possibility of false flags must be considered too.”

The discovery marks the third major cyber-attack campaign in the region, following the infamous BlackEnergy attacks which crippled Ukrainian power stations just before Christmas, and the so-called Operation Potato Express.

The latter campaign featured a trojanized Russian version of encryption software TrueCrypt, which the attackers used on occasion to serve up information-stealing malware to their victims.

The Win32/Potao malware mainly targeted victims in Ukraine, Georgia, Russia and Belarus.

Source: Information Security Magazine

Experts Warn of Super-Stealthy Furtim Malware

Security experts are warning of newly discovered credential-stealing malware which prioritizes stealth, scoring a 0% detection rate in VirusTotal.

Furtim, a Latin word meaning “by stealth,” was first spotted by researcher @hFireF0X and consists of a driver, a downloader and three payloads, according to enSilo researcher Yotam Gottesman.

The payloads are: a power-saving configuration tool which ensures a victim’s machine is always on and communicating with Furtim’s C&C server; Pony Stealer – a powerful commercial credential stealer; and a third file that communicates back to the server but has yet to be fully analyzed.

Interestingly, Furtim goes to great lengths to stay hidden, going well beyond most malware in checking for the presence of over 400 security tools on the targeted PC, Gottesman claimed.

It blocks access to nearly 250 security-related sites by replacing Windows’ hosts file, and evades DNS filtering services by scanning the machine’s configured nameservers and replacing any known filtering nameserver with a public one.
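A defender’s check for the two tampering techniques described above, written as an added example for this page (it is not enSilo’s code or anything from the original article). It parses a constructed Windows hosts file, flags security-related hostnames pinned to loopback or null addresses, and reports configured DNS resolvers that differ from an expected list; the keyword list, sample hosts file and resolver addresses are assumptions, not real Furtim artifacts.

```python
import ipaddress

# Constructed sample of a tampered Windows hosts file (not a real Furtim artifact).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
0.0.0.0   virustotal.com www.virustotal.com
127.0.0.1 update.eset-mirror.test    # constructed; matches the "eset" keyword
127.0.0.1 wiki.example.test          # constructed; not security-related, not flagged
10.0.0.5  intranet.corp.test         # legitimate internal override, not a sinkhole
"""

# Illustrative stand-in for the "security-related sites" list; a real deployment
# would use a curated list of vendor and update domains (assumption).
SECURITY_KEYWORDS = ("virustotal", "antivirus", "malware", "security",
                     "eset", "kaspersky", "symantec", "mcafee", "sophos", "trendmicro")

# Addresses that make a hostname unreachable when written into the hosts file.
SINKHOLE_NETS = [ipaddress.ip_network(n)
                 for n in ("127.0.0.0/8", "0.0.0.0/8", "::1/128", "::/128")]


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs, ignoring comments, blanks and malformed lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                           # not "IP host [host ...]", skip it
        for host in parts[1:]:
            yield ip, host.lower()


def looks_security_related(host):
    """True if any keyword appears in the hostname (simple substring heuristic)."""
    return any(k in host for k in SECURITY_KEYWORDS)


def find_sinkholed_security_hosts(text):
    """Return security-related hostnames that the hosts file pins to a loopback/null address."""
    hits = []
    for ip, host in parse_hosts(text):
        if host == "localhost":
            continue                           # normal loopback entries
        sinkholed = any(ip in net for net in SINKHOLE_NETS)
        if sinkholed and looks_security_related(host):
            hits.append(host)
    return hits


def unexpected_resolvers(configured, expected):
    """Return configured DNS servers that are not in the expected (filtering) set."""
    allowed = {ipaddress.ip_address(e) for e in expected}
    return [c for c in configured if ipaddress.ip_address(c) not in allowed]


if __name__ == "__main__":
    print("Sinkholed security hosts:", find_sinkholed_security_hosts(SAMPLE_HOSTS))
    # Constructed resolver configuration: one corporate filtering resolver is expected,
    # and a public resolver has been added alongside it.
    print("Unexpected resolvers:",
          unexpected_resolvers(["10.0.0.53", "8.8.8.8"], ["10.0.0.53"]))
```

On a live Windows host the same functions can be fed the contents of %SystemRoot%\System32\drivers\etc\hosts and the adapter DNS settings in place of the constructed data.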

Once installed, it will override any reboot policy to ensure downloaded payloads will run; disable Windows notifications and pop-ups; and block the user from accessing the command line and task manager, so they can’t kill any malicious processes, the enSilo researcher continued.

Also, the C&C server will only send the payload once to a specific machine, to avoid researchers trying to collect samples from the server.

It’s still not clear what purpose Furtim serves, although the Pony Stealer component would work well in the lateral movement stage of a targeted attack, it is claimed.

“Given the defense measures that Furtim takes, we can imagine that Furtim is more than a downloader used by common fraudsters. The threat actors behind Furtim were dedicated, knowing that it’s worth remaining stealthy, even at the expense of hitting more targets, rather than being revealed,” concluded Gottesman.

“We do know that the C&C server is hosted at a Russian domain, which resolves to several Ukrainian IP addresses. Additionally, communications are configured to accept Russian.”

Ben Johnson, chief security officer at Carbon Black, claimed hackers are more akin to secret agents than bank robbers today, in building malware to circumvent traditional filters.

“This is precisely why it’s so vital that organizations have continuous monitoring running on all endpoint devices, as that’s the only sure-fire way to capture the entire ‘kill chain’ of a successful attack so it can be traced back to where it came in and shut out completely,” he added.

“It’s also another reminder of why we need to get out there and start proactively threat hunting, so we can identify any similar breeds of sneaky malware sitting on our systems undetected.”

Source: Information Security Magazine

Experts in Game of Thrones Malware Warning

RiskIQ is warning Game of Thrones fans looking to catch up on the popular HBO TV show without paying that they may get more than they bargained for.

The threat management firm claimed it had spotted more than 450 pirated content websites serving up malware to those looking to illegally stream or download the fantasy drama.

It conducted its research over a 10-day period in May in the US, UK, Germany, France and the Netherlands, running simple Google searches for download or streaming sites and clicking through the links.

The vendor claimed its virtual user technology would have prevented any infections.

However, the dangers of pirated content aren’t just a consumer risk – if users attempt to illegally download shows at work or use personal devices to access corporate systems, then malware could infect the enterprise IT environment.

RiskIQ VP EMEA, Ben Harknett, claimed the firm found a mix of exploit kits, malicious redirects, trojans, spyware and phishing sites, scareware and toolbars.

“Many of these could potentially impact the organization, not just the device user,” he told Infosecurity by email. “We know that Game of Thrones has been the most pirated show over the past four years, so it’s patent that bad actors are cashing in on the trend.”

In addition, of the malicious web pages analyzed, over a third (34%) spread malware via malicious ads.

So-called malvertising is an increasingly popular tactic among cybercriminals to ensure as many users as possible are exposed to their malware.

Just last month, Fox-IT claimed to have found another major campaign, targeting nearly 300 of the most popular websites in the Netherlands, affecting potentially tens of millions.

“End-users often assume that the IT within their organization will provide adequate security measures, regardless of their actions. Or worse, don’t even consider the risks that their actions might create,” Harknett concluded.

“A critical consideration of IT managers is really around ensuring much greater awareness and education on the changing nature of threats today and how each of us can unwittingly compromise our organizations.”

Source: Information Security Magazine

Security Remains Prime Barrier to Cloud Adoption

Following industry predictions that the global cloud market will exceed $250 billion by 2020, Crowd Research Partners has found that security concerns top the list of barriers to cloud adoption today.

These fears are led by general security concerns (53%, up from 45% in last year’s survey), legal and regulatory compliance concerns (42%, up from 29%), and data loss and leakage risks (40%). The rise in specific concerns about compliance and integration suggests that companies are moving from theoretical exploration of cloud models to actual implementation.

The report also found that respondents consider unauthorized access through misuse of employee credentials and improper access controls to be the single biggest threat (53%) to cloud security. This is followed by hijacking of accounts (44%) and insecure interfaces/APIs (39%). One in three organizations say external sharing of sensitive information is the biggest security threat.

“As organizations look to cloud computing to reduce IT costs, increase agility and better support business functions, security of data and applications in the cloud remains a critical requirement,” said Holger Schulze, founder of the 300,000-member Information Security Community on LinkedIn. “The 2016 Cloud Security Report indicates that as organizations increase investments in cloud infrastructure, they are seeking a similar level of security controls and functionality to what’s available in traditional IT infrastructures.”

Further, the vast majority (84%) of respondents are dissatisfied with traditional security tools when applied to cloud infrastructure. Respondents say traditional network security tools are somewhat ineffective (48%), completely ineffective (11%), or can’t be measured for effectiveness (25%) in cloud environments. In a positive data point, 61% of organizations do plan to train and certify existing IT staff for cloud security.

“More than 56% of surveyed organizations use Active Directory on-premises to authenticate and authorize access to cloud applications, like Office 365,” said Alvaro Vitta, principal solutions consultant, Dell Systems and Information Management. “The failure to provide adequate on-premises Active Directory security controls leaves cloud-based applications vulnerable to unauthorized access. Don’t let on-premises Active Directory be your hybrid directory environment’s Achilles’ heel.”

The cloud will bring back renewed relevance for some technologies, like encryption. “Once the ‘silver bullet’ of security, encryption has been ‘out marketed’ by other technologies that mostly focus on securing the perimeter and not securing the target of intruders,” added Bob Adhar, president, Randtronics. “A business that only encrypts their data is more secure than businesses with everything else.”

Source: Information Security Magazine

Enormous Malware as a Service Infrastructure Fuels Ransomware Epidemic

The Check Point Research team has uncovered an operation that turns out to be one of the world’s largest attack infrastructures.

The malware-as-a-service (MaaS) play is being used by a cyber-criminal syndicate to use the Nuclear exploit kit to spread malware worldwide.

With 15 active Nuclear control panels, the likely Russian perpetrators behind the MaaS operation accumulate revenue of approximately $100,000 a month, according to Check Point’s estimates. In the last month alone, the infrastructure was used to attack 1,846,678 machines. The success rate of these attacks was 9.95%, resulting in 184,568 newly infected machines.

Exploit kits (EKs) are a major part of the MaaS industry, which facilitates the execution of ransomware and banking trojans, among others. Their creators rent them to cyber-criminals who use them to attack unsuspecting users. Nuclear is one of the top EKs, Check Point noted, both in complexity and in spread.

“Nuclear’s infrastructure is not the work of a lone wolf,” the researchers said. “According to our findings, the leading developer is located in Krasnodar, Russia. Nuclear is rented to cyber-criminals for a few thousand dollars a month.”

The service provider owns the master server, which controls all of the attackers’ servers. Each attacker rents a server with a control panel from which they can manage their malware campaign, distributing any malware of choice. Each server has a number of landing page servers, to which unsuspecting users are directed to be infected. They can be directed there by malicious links in phishing mails, malvertising or hacked websites.

With the current ransomware trend, it’s not surprising to see that ransomware is the dominant payload for attackers at this moment in time. Nuclear served 110,000 Locky droppers in the inspected month, costing victims around $12.7 million.

The victims of this malicious campaign are located almost everywhere around the globe; the researchers noted that Nuclear does not attack countries which belong to the Eastern Partnership, in order to avoid law enforcement activities against the developers.

The analysis efforts appear to have had a salubrious effect on the threat landscape. “The puppet masters were apparently startled by our findings,” the researchers said. “Following our previous publication, all known Nuclear servers were shut down.”

Source: Information Security Magazine

US DoD: ‘China Ramped Up Cyber Warfare Capabilities in 2015’

The Chinese military is investing a huge amount of resources into developing its offensive and defensive cyber capabilities, believing them to be the key to seizing “information dominance” in the early stages of any future conflict, according to a new US government report.

The Defense Department’s annual Report to Congress on Chinese military and security was published on Friday and noted that for the first time last year, Beijing described cyberspace as “a new domain of national security and area of strategic competition.”

The Communist Party believes China’s cyber capabilities lag those in rival countries so it has ploughed considerable resources into developing them.

It views “information dominance” as a key strategy to effectively winning a military conflict in its early stages.

The report explained:

“The PLA would likely use Electronic Warfare, cyberspace operations (CO), and deception to augment counterspace and other kinetic operations during a wartime scenario to deny an adversary’s attainment and use of information. Chinese military writings describe informationized warfare as an asymmetric way to weaken an adversary’s ability to acquire, transmit, process, and use information during war and to force an adversary to capitulate before the onset of conflict.”

Cyber warfare capabilities help China in three areas, the DoD continued:

“First and foremost, they allow the PLA to collect data for intelligence and potential offensive cyberoperations (OCO) purposes. Second, they can be employed to constrain an adversary’s actions or to slow response time by targeting network-based logistics, communications, and commercial activities. Third, they can serve as a force-multiplier when coupled with kinetic attacks during times of crisis or conflict.”

The Department of Defense explained its networks had been on the receiving end of Chinese military espionage efforts over the past year, suggesting that the information gleaned could be used to benefit China’s own defense and hi-tech industries, and also to inform party officials about US leadership thinking on the Middle Kingdom.

It added:

“Targeted information could inform Chinese military planners’ work to build a picture of US defense networks, logistics, and related military capabilities that could be exploited during a crisis. The accesses and skills required for these intrusions are similar to those necessary to conduct cyberattacks.”

China has predictably reacted strongly to the report, claiming it has undermined trust between the two superpowers and “deliberately distorted” Beijing’s military policy.

Source: Information Security Magazine

UK Banks Moot Cyber Forum to Bolster Info Sharing

Financial services body TheCityUK has called for the creation of a new Cyber Forum comprising key board members, CISOs and risk managers, to support the government’s attempts to improve information security.

The recommendation came in a new report from the group: Cyber and the City.

It suggests that the forum could be established as a committee of TheCityUK, with links into the BBA and other trade bodies.

It claimed a “steering group of board level cyber risk owners and a working group from the risk or CISO community” would help the financial services industry “mobilize itself around its own defense and to reinforce the goals of government.”

Specifically, a Cyber Forum could help improve information sharing in the industry via platforms such as CISP.

The report continued:

“Information-sharing works when contributors get something back – a committee structure will create peer pressure to contribute which will in turn make contributing more worthwhile. It will also help identify any barriers to contribution (such as customer anonymity or regulatory reaction) that need resolving. The information-sharing should be within the sector, but with links to and from the police and intelligence services to support offensive action against criminals.”

The group could also help to alleviate problems in the jobs market by encouraging apprenticeships and education programs for cybersecurity, as well as encouraging adoption of the government’s Cyber Streetwise and Cyber Essentials initiatives, the report claimed.

A Cyber Forum would also be instrumental in outreach to third parties such as regulators (by putting forward guidelines on cyber assessment) and the Bank of England (by engaging on risk management), and in supporting the development of a UK cybersecurity sector.

The report also suggests that the government could effectively introduce tax breaks to offset the extra investment needed by the financial services sector in these new cyber initiatives – which may not be politically popular.

Andy Buchanan, area VP UK and Ireland for security vendor RES, welcomed the proposed creation of a Cyber Forum.

“For too long there has been a lack of knowledge sharing across all industries, including financial services. As the saying goes, knowledge is power,” he argued. “By sharing information banks would have better, smarter intelligence into how to shore up their defenses and innovate accordingly in the face of a determined, highly adaptive and sophisticated opponent.”

Source: Information Security Magazine