Archive for June 2016

Top Russian Site Exposes Millions to Info-Stealing Malware

Sprashivai, a popular Russian Q&A and social networking site similar to Yahoo! Answers, has been compromised by an actor who injected a hidden iframe that silently redirects visitors to the RIG Exploit Kit.
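The injected-iframe technique described above is detectable in page source: the frame has to load from a third-party host and it has to be invisible to the visitor. The following is an added example, not Forcepoint's code and not taken from the compromised page; it parses HTML with the standard library and flags iframes that are both off-site and hidden (1x1 or smaller, `display:none`, `visibility:hidden`, or positioned off-screen). The sample page and every hostname in it (`.test`/`.invalid`) are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: the hostnames (.test/.invalid) are placeholders,
# not the real site or any real exploit-kit infrastructure.
SAMPLE_URL = "https://www.example-qa-site.test/questions/123"
SAMPLE_HTML = """
<html><body>
<h1>Questions</h1>
<iframe src="https://video.example-cdn.test/embed/42" width="560" height="315"></iframe>
<iframe src="https://www.example-qa-site.test/widgets/poll" width="0" height="0"></iframe>
<iframe src="http://example-redirector.invalid/gate.php" width="1" height="1" frameborder="0"></iframe>
<div><iframe src="http://cdn.example-ads.invalid/show" style="position:absolute; left:-9999px; display:none"></iframe></div>
</body></html>
"""


class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attrs is a list of (name, value); value is None for bare attributes
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _tiny(value):
    """True for width/height attributes of 0 or 1 (bare numbers or pixels)."""
    m = re.match(r"\s*(\d+)", value or "")
    return m is not None and int(m.group(1)) <= 1


def hidden_reasons(attrs):
    """Return the ways this iframe is hidden from the user, if any."""
    reasons = []
    style = attrs.get("style", "").lower().replace(" ", "")
    if "display:none" in style or "visibility:hidden" in style:
        reasons.append("css-hidden")
    if re.search(r"(?:left|top):-\d+", style):
        reasons.append("off-screen")
    if _tiny(attrs.get("width")) or _tiny(attrs.get("height")):
        reasons.append("1x1-or-smaller")
    if re.search(r"(?:width|height):[01](?:px)?(?:;|$)", style):
        reasons.append("1x1-or-smaller")
    return sorted(set(reasons))


def same_site(host, page_host):
    """Naive same-site check: equal hosts or one is a subdomain of the other."""
    return host == page_host or host.endswith("." + page_host) or page_host.endswith("." + host)


def find_suspicious_iframes(page_url, html):
    """Flag iframes that are both hidden and pointing at a third-party host."""
    page_host = (urlparse(page_url).hostname or "").lower()
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        src_host = (urlparse(src).hostname or "").lower()
        if not src_host or same_site(src_host, page_host):
            continue  # same-site or inline frames: not a redirect to a third party
        reasons = hidden_reasons(attrs)
        if reasons:
            findings.append({"src": src, "host": src_host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_iframes(SAMPLE_URL, SAMPLE_HTML):
        print(f"{f['host']:30} {', '.join(f['reasons'])}  <- {f['src']}")
```

The visible video embed and the site's own zero-size poll widget are left alone; only the two hidden third-party frames are reported. In practice the check is most useful as a diff against a known-good copy of the page, since legitimate sites do use hidden frames for their own tracking.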

Forcepoint’s research division, Forcepoint Security Labs, analyzed the campaign.

“The RIG Exploit Kit operators are looking to maximize their profit by compromising a very popular site in Russia,” said Carl Leonard, principal security analyst, Forcepoint. “By executing the SmokeLoader malware on Sprashivai[.]ru, threat actors are able to compromise users' machines silently in the background without any user interaction necessary.”

SmokeLoader, the payload dropped by the RIG EK, is a downloader trojan: its primary purpose is to fetch plug-ins that carry the actual malicious functionality, such as credential stealers and click-fraud components.

Sprashivai logs around 20 million visitors each month. “This current threat could affect hundreds of thousands of users by simply taking advantage of outdated browser components, such as an old Adobe Flash Player, meaning that it is vital to ensure that all software is up to date, especially browsers and associated plug-ins,” said Leonard.

He added, “Threat actors will always continue to compromise popular sites and develop new and unique ways to try and stay undetected. These criminals do not always need to resort to malvertising to tap into a pool of millions of potential victims. While crypto-ransomware remains one of the most popular weapons of choice, we are seeing that malware developers and distributors also continue to use downloaders like SmokeLoader to ultimately steal data.”

The Forcepoint team also found that the malware’s multi-stage delivery is what makes it difficult for anti-virus products to detect: the stages arrive as Nullsoft Scriptable Install System (NSIS) installer files, which are legitimate in themselves and whose scripting ability makes them extremely versatile.

Unfortunately, the site continues to be dangerous. “Sprashivai has been compromised since at least June 23 and was still compromised when we checked again on June 29. We notified Sprashivai of the compromise on June 27 but have not heard anything back,” said Nicholas Griffin, senior security researcher at Forcepoint.

Photo © Michael Rosskothen

Source: Information Security Magazine

Faster Response Times Needed to Combat Cyber Threat

New research from the BCI has revealed substantial differences among organizations when it comes to response times following a cyber-breach.

Whilst an impressive 31% of the 369 business continuity and resilience professionals polled said they react to cyber incidents within 60 minutes, a concerning 19% admitted it can take them four hours or more to take any action, with almost half taking more than two hours to respond.

According to the BCI, two-thirds of respondents were hit by at least one incident in the previous year and 15% said they experienced as many as 10 in the same period. The frequency of these attacks highlights how important it is for organizations to have plans in place to mitigate these kinds of threats or to lessen their impact, a large part of which comes down to having a quick response strategy.

“Incident response plans are one of the most critical elements of an organization’s security strategy,” Matthew Aldridge, solutions architect at Webroot, told Infosecurity. “Unfortunately, we are in a time where a breach of some form is almost inevitable so being able to act quickly to mitigate it and minimize the impact could make all the difference to a business, and its customers.”

“The longer that the breach remains undetected the more significant the damage – in both the long and short-term,” added Stephen Love, security practice lead EMEA at Insight.

“An effective allegory is that of a damaged water pipe; the longer it is left to leak the more damage occurs. Consider data your water – the longer a breach lies unnoticed, the more data you lose.”

Of course, there are attacks that are of such a nature that even when an organization wants to respond quickly, they may be rendered unable to do so.

Phishing and social engineering were found to be the top causes of cyber disruption, with over 60% of companies being hit by these, whilst 45% suffered malware and 24% denial of service attacks. Each of these, in its own way, can leave a company’s network either contaminated or inoperable, which can force it to cut its internet connection until it has secured itself against further harm.

David James-Brown FBCI, chairman of the BCI, added:

“This piece of research is one of the most timely, insightful and relevant the BCI has ever produced. Cyber-attacks tend to target the weakest links of an organization, and this calls for a greater awareness of ‘cybercrime’. As the cyber threat evolves, it is crucial to stay on top of it, building long-term initiatives and regularly updating recovery plans.”

Source: Information Security Magazine

China’s Censorship Tsar Steps Down

The head of the Cyberspace Administration of China (CAC), also known informally as the country’s powerful censorship tsar, has stepped down to be replaced by his deputy.

Lu Wei, who was appointed only three years ago, has been a high profile defender of China’s right to control online content within its borders – sometimes referred to ironically as the Chinese intranet.

During his tenure there has been a noticeable tightening of online controls in what is already one of the most tightly regulated countries in the world.

This has included a crackdown on VPNs, strict punishment for the spreading of “rumors” online – especially on micro-blogging sites – real name registration policies, and more.

It was even alleged by rights organization Greatfire.org that the CAC was responsible for a massive DDoS attack against GitHub and against Greatfire’s own site, intended to knock offline content banned inside China.

Also, it was claimed that the same government agency launched, or sanctioned, man-in-the-middle attacks in an effort to censor sites that had switched on HTTPS to get around the Great Firewall.

The CAC is responsible for the Chinese Internet Network Information Center (CNNIC), which was also blamed by Google for issuing unauthorized TLS certificates for several of its domains, which were subsequently used in man-in-the-middle (MITM) attacks.

Given the lack of media scrutiny of Chinese politics and especially the internal vagaries of the Communist Party, it’s still unclear whether Lu has been promoted or fallen foul of his one-time advocate Xi Jinping.

According to reports the 56-year-old still holds the powerful position of deputy head of the Communist Party’s Central Publicity Department – an indication that he may have left his current role en route to even bigger and better things in the Xi administration.

He’ll be replaced at the Cyberspace Administration of China by deputy Xu Lin.

Greatfire.org co-founder Charlie Smith speculated that Lu may have been removed from his post because he still wasn’t good enough at scrubbing every piece of negative content about Xi and the Party from the web.

“Regardless of the reasons for Lu Wei’s dismissal, I do not think that the authorities will veer off the course that Lu has set,” he told Infosecurity by email. “If Xu Lin handles information control on the Chinese internet the same way the authorities handle information control in Tibet then the situation could even get worse.”

Source: Information Security Magazine

Clinton/DNC Hacks Part of Wider Kremlin Campaign – Report

The Russian state-sponsored APT28 group targeted presidential hopeful Hillary Clinton and the Democratic National Committee (DNC) as part of a much broader info-stealing campaign aimed at military, journalists and targets in former Soviet states.

That’s the view of Dell SecureWorks, whose Counter Threat Unit (CTU) has just released a new report on the work of the group, also known as Threat Group-4127, Sofacy, Sednit, Fancy Bear and Pawn Storm.

It claimed with “moderate confidence” that the group is operating on behalf of the Russian government, meaning “the information is credibly sourced and plausible but not of sufficient quality or corroborated sufficiently to warrant a higher level of confidence.”

Those at greatest risk of attack from APT28 are inside Russia and the former USSR, although high-profile targets in the US and others in Western Europe have also been hit.

Russia subject matter experts; those portraying Russia in a negative context; government, defense and related supply chain organizations; US politicians; and former military or government personnel are all at risk, Dell’s CTU said.

The researchers linked the attacks against Clinton and the DNC and this wide sweep of other targets via a broad spearphishing campaign dating back to last year aimed at over 1800 Google accounts.

Attacks began with a classic phishing email containing a link to the “accoounts-google . com” domain.

Clicking the link would present victims with a fake Google Account log-in page via which the black hats could harvest their log-ins and access said account.

Dell SecureWorks discovered a Bitly URL linking back to the same spoof Google domain used in the phishing attacks – and found the related Bitly account had been used to create more than 3000 shortened links.

Much of the campaign focused on gathering information from key players in the conflict in eastern Ukraine, such as the Ukrainian prime minister, as well as government and military personnel who may hold information of use to Russia, and authors and activists who have criticized the country.

The group even targeted Syrian rebel leaders in what appears to be an attempt to gain intelligence useful to the Bashar al-Assad regime.

Dell SecureWorks added:

“Of the accounts targeted once, CTU researchers determined that 60% of the recipients clicked the malicious Bitly. Of the accounts that were targeted more than once, 57% of the recipients clicked the malicious link in the repeated attempts. These results likely encourage threat actors to make additional attempts if the initial phishing email is unsuccessful.”

The researchers warned that such spearphishing attacks could not only lead to information theft but also allow determined hackers to penetrate victims’ networks.

It urged organizations to educate users about the risks of spearphishing and shortened links, and recommended pasting Bitly URLs, with a plus sign appended, into a browser’s address bar to reveal the full destination URL without following the redirect.
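Two of the defensive checks this story implies can be automated: spotting a typosquat such as “accoounts-google . com”, and expanding a Bitly link to its preview page before anyone clicks it. The block below is an added example (not Dell SecureWorks’ tooling) that does both. It treats `google.com` as the only legitimate target for the brand tokens “google” and “accounts”, flags any other host containing a token within one edit of a brand, and rewrites a Bitly link to its “+” preview form. The legitimate-domain list, brand tokens and shortener hosts are assumptions for the example; the registrable-domain handling is deliberately naive (no public suffix list) and homoglyph/IDN lookalikes are out of scope.

```python
import re
from urllib.parse import urlparse

# Hosts users are actually meant to log in to (assumed list for this example);
# anything else that resembles them is suspect.
LEGIT_DOMAINS = ("google.com", "googleusercontent.com")
# Words a typosquatter is likely to mimic, taken from the spoofed domain in the story.
BRAND_TOKENS = ("google", "accounts")
# Shorteners whose preview page is reached by appending "+" (assumed list).
SHORTENER_HOSTS = ("bit.ly", "bitly.com", "j.mp")


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_legit_host(host):
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def lookalike_hits(host):
    """Brand tokens that appear exactly or one edit away in a non-legit host."""
    labels = host.split(".")[:-1]  # drop the TLD label; keep every other label
    tokens = [t for t in re.split(r"[.-]", ".".join(labels)) if len(t) >= 5]
    hits = []
    for token in tokens:
        for brand in BRAND_TOKENS:
            d = levenshtein(token, brand)
            if d <= 1:
                hits.append({"token": token, "brand": brand, "distance": d})
    return hits


def assess_link(url):
    """Classify a link as legitimate, a brand lookalike, or unrelated."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    if is_legit_host(host):
        verdict, hits = "legitimate", []
    else:
        hits = lookalike_hits(host)
        verdict = "lookalike" if hits else "unrelated"
    return {"url": url, "host": host, "verdict": verdict, "hits": hits}


def bitly_preview_url(url):
    """Return the Bitly preview URL (destination shown, no redirect) for a short link."""
    host = (urlparse(url).hostname or "").lower()
    if host in SHORTENER_HOSTS and not url.endswith("+"):
        return url + "+"
    return url


if __name__ == "__main__":
    for link in ("http://accoounts-google.com/signin",
                 "https://accounts.google.com/ServiceLogin",
                 "http://google.com.evil.test/login",
                 "https://news.example.test/story"):
        r = assess_link(link)
        print(f"{r['verdict']:10} {r['host']}  {r['hits']}")
    print(bitly_preview_url("https://bit.ly/2abcDEF"))
```

Note that “google.com.evil.test” is caught as well: the brand token is matched in every label of the host, not just the registrable part, which is the trick a suffix-only check misses.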

Source: Information Security Magazine

World-Check Terror Blacklist Leaked Online

Anti-terrorism database World-Check has been leaked online, exposing more than two million records related to individuals and organizations accused of financial and other criminal offenses.

Noted security researcher Chris Vickery first broke the news, claiming that a two-year-old version of the database was being hosted unprotected by a third party.

World-Check aggregates law enforcement records, social media posts, media articles and other sources to provide a list of those suspected of terror and criminal links.

It’s mainly used by banks and government agencies and contains names and dates of birth – so the leak could have been a major privacy snafu.

However, Thomson Reuters – which runs the controversial service – sent the following statement to the BBC:

“We are grateful to Chris Vickery for bringing this to our attention, and immediately took steps to contact the third party responsible – as a result we can confirm that the third party has taken down the information. We have also spoken to the third party to ensure there will be no repetition of this unacceptable incident.”

Security experts were quick to point out the security challenges that surround protecting large data warehouses like this one.

Digital Guardian EMEA general manager, Luke Brown, argued that organizations have a duty of care and a legal obligation to protect such data.

“It doesn’t matter if the contents of that data are good, bad or ugly. If you store it, you have to look after it,” he added. “A simple mistake like this can have life-altering effects for those caught in the middle and whilst businesses often recover, it’s the victims that continue to pay the price.”

Carbon Black national security strategist, Eric O’Neil, claimed the information could have been devastating if accessed by the wrong parties.

“The information stolen from the World-Check could be used by groups like ISIS to specifically focus their recruitment goals,” he argued. “These are ‘leads’ for Islamic State operatives seeking to recruit individuals to carry out lone-wolf style attacks such as what occurred in Orlando, or more coordinated attacks such as what we saw in Paris or Brussels.”

World-Check has been in the news before after featuring certain individuals incorrectly in its list – leading to their bank accounts being closed without redress.

Source: Information Security Magazine

Malware’s Role: Wildly Overstated as an Info-Stealing Tool

Malware’s use in prolonged and persistent cyber-attacks has been wildly overstated, according to a recent report.

LightCyber’s Cyber Weapons Report 2016 found that while malware is the go-to tool for the initial compromise of a network, almost all (99%) of post-intrusion cyberattack activities use standard networking, IT administration and other tools to get the job of exfiltration, snooping and sabotage done.

Attackers use common networking tools in order to conduct “low and slow” attack activities while avoiding detection; these could be used by attackers on a directed or improvisational basis. Sophisticated attackers using these tools—rather than known or unknown malware—can typically work undetected for an average of five months.

“The new Cyber Weapons Report uniquely reveals that malware is not the mechanism that network attackers use once they circumvent preventative security and compromise a network,” said Jason Matlof, executive vice president, LightCyber. “Despite these increasingly well understood realities, our industry still has an unshakable obsession with malware.”

The highest frequency attacker activity found in the study was reconnaissance. To carry that out, once inside a network, an attacker must learn about the network that they’ve compromised and map its resources and vulnerabilities. So it’s no wonder that Angry IP Scanner, an IP address and port scanner, accounted for 27.1% of incidents from the top 10 networking and hacking tools observed in the study, making it the most common tool associated with attack behavior. That’s followed closely by Nmap, a network discovery and security auditing tool that can also be used for recon.

The next most common attack behavior is lateral movement across the network, which triggers anomalies such as new admin behavior, remote code execution and reverse connections (reverse shells), among others. In this bucket, the report found that SecureCRT, an integrated SSH and Telnet client, topped the list of admin tools employed in attacks, representing 28.5% of incidents from the 10 most prevalent admin tools.

Command-and-control communication is the third most common activity. To this end, TeamViewer, a remote desktop and web conferencing solution, accounted for 37.2% of security events from the top 10 remote desktop tools. TeamViewer was associated with CnC tunneling behavior, while other remote desktop tools, such as WinVNC, primarily triggered lateral movement violations.

In addition to the tools highlighted here, the report shows that attackers may leverage ordinary end-user programs such as web browsers, file transfer clients and native system tools for CnC and data exfiltration activity. It just goes to show that the most mundane applications, in the wrong hands, can be used for malicious purposes.
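The practical consequence of the report’s findings is that detection has to key on who runs a legitimate tool, from where, and in what sequence, rather than on a malware signature. The block below is an added example (not LightCyber’s product logic) that runs that idea over constructed process-creation events: it maps the tools named above to the attack phase the report associated them with, scores each launch by whether the account is a known admin and whether the binary was run from a user-writable path, and then reports hosts where the activity chains across recon, lateral movement and command-and-control. The executable names, the log format and the admin baseline are assumptions for the example.

```python
import re
from collections import defaultdict

# Dual-use tools named in the report, keyed by executable name and mapped to the
# attack phase the report associated them with. Executable names are assumptions
# made for this example.
DUAL_USE_TOOLS = {
    "ipscan.exe": ("Angry IP Scanner", "recon"),
    "nmap.exe": ("Nmap", "recon"),
    "securecrt.exe": ("SecureCRT", "lateral_movement"),
    "winvnc.exe": ("WinVNC", "lateral_movement"),
    "teamviewer.exe": ("TeamViewer", "command_and_control"),
}
PHASE_ORDER = ("recon", "lateral_movement", "command_and_control")

# Accounts expected to run admin tooling (assumed baseline for this example).
KNOWN_ADMINS = {r"CORP\itops"}

# Constructed process-creation events in a simple key=value format.
SAMPLE_LOG = r"""
2016-06-20T09:58:11Z host=WS-042 user=CORP\jdoe image="C:\Users\jdoe\Downloads\ipscan.exe" parent="explorer.exe"
2016-06-20T10:03:40Z host=WS-042 user=CORP\jdoe image="C:\Users\jdoe\AppData\Local\Temp\nmap.exe" parent="cmd.exe"
2016-06-20T10:15:02Z host=WS-042 user=CORP\jdoe image="C:\Program Files\VanDyke Software\SecureCRT\SecureCRT.exe" parent="explorer.exe"
2016-06-20T10:41:55Z host=WS-042 user=CORP\jdoe image="C:\Users\jdoe\AppData\Roaming\TeamViewer.exe" parent="powershell.exe"
2016-06-20T11:02:19Z host=ADM-01 user=CORP\itops image="C:\Program Files\VanDyke Software\SecureCRT\SecureCRT.exe" parent="explorer.exe"
2016-06-20T11:30:00Z host=WS-077 user=CORP\asmith image="C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" parent="explorer.exe"
""".strip().splitlines()

EVENT_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) '
    r'image="(?P<image>[^"]+)" parent="(?P<parent>[^"]+)"$'
)
# Path fragments that indicate a binary dropped where any user can write.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\")


def parse_event(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_dual_use(lines):
    """One alert per process-creation event that launched a dual-use tool."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if not ev:
            continue
        exe = ev["image"].rsplit("\\", 1)[-1].lower()
        if exe not in DUAL_USE_TOOLS:
            continue
        name, phase = DUAL_USE_TOOLS[exe]
        from_user_path = any(p in ev["image"].lower() for p in USER_WRITABLE)
        if ev["user"] in KNOWN_ADMINS:
            severity = "low"      # expected admin running an admin tool
        elif from_user_path:
            severity = "high"     # non-admin, tool dropped into a user-writable path
        else:
            severity = "medium"   # non-admin using an installed admin tool
        alerts.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                       "tool": name, "phase": phase, "severity": severity})
    return alerts


def hosts_spanning_phases(alerts, min_phases=2):
    """Hosts whose dual-use activity covers several phases of the attack lifecycle."""
    phases_by_host = defaultdict(set)
    for a in alerts:
        phases_by_host[a["host"]].add(a["phase"])
    return {
        host: [p for p in PHASE_ORDER if p in phases]
        for host, phases in phases_by_host.items()
        if len(phases) >= min_phases
    }


if __name__ == "__main__":
    found = detect_dual_use(SAMPLE_LOG)
    for a in found:
        print(f"{a['severity']:6} {a['host']} {a['user']} {a['tool']} ({a['phase']})")
    print("hosts chaining phases:", hosts_spanning_phases(found))
```

On the sample data the admin’s SecureCRT session on ADM-01 scores low and the Excel launch is ignored, while WS-042 is singled out because a non-admin ran recon, an SSH client and a remote-control tool in sequence, three of them from user-writable paths. That per-host chaining is what separates an intruder’s “low and slow” use of ordinary tools from an administrator’s normal day.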

“With the increasing incidence of successful data breaches and theft of company secrets, it’s clear that the conventional malware-focused security infrastructure is insufficient, and we must develop new techniques to find active attackers using their operational activities,” Matlof said.

Interestingly, more than 70% of active malware used for the initial intrusion was detected only on one site, indicating that it was polymorphic or customized, targeted malware.

Photo © Profit–Image

Source: Information Security Magazine

Threat Intel Watch: Vormetric Joins FireEye Coalition

Information-sharing is a widely recognized key to helping stave off the cyber-scourge that’s cresting out there—but it doesn’t always happen in practice. Striking one for the good, Vormetric has joined the FireEye Cyber Security Coalition.

Vormetric has integrated detailed security intelligence information on file-level access to sensitive data with the FireEye Threat Analytics Platform (TAP). The partnership combines Vormetric’s encryption, access control and security intelligence capabilities with the analytic capabilities of FireEye TAP.

“The increasingly dangerous nature of cyber threats has made the work of security professionals even more difficult,” said Ed Barry, VP, Cyber Security Coalition, FireEye. “By teaming with Vormetric, our FireEye TAP customers gain access to the detailed data access information and pattern data that the Vormetric platform generates. The result is critical threat intelligence that allows organizations to detect, respond to and resolve threats, even when the attackers are inside enterprise and application perimeters.”

More specifically, the Vormetric Data Security Platform produces detailed security intelligence logs of file level access to sensitive data it protects. These logs produce an auditable trail of permitted and denied access attempts from users and processes, as well as privileged user escalation information, delivering insight into file access activities. Logging occurs at the file system level, removing the opportunity of stealthy access to sensitive data. When integrated with FireEye TAP, it can inform of unusual or improper data access and accelerate the detection of insider threats, hackers, and the presence of advanced persistent threats (APT) that are past the perimeter security.

“FireEye TAP applies threat intelligence, expert rules and advanced security data analytics against the problems of revealing suspicious behavior and generating alerts that matter, so that organizations can shut down threats before they cause damage,” said Arun Gowda, VP, business development, Vormetric. “With Vormetric now partnering to add data threat intelligence to FireEye’s already powerful capabilities, customers gain even better protection for their critical information and environments.”

Photo © Semisatch

Source: Information Security Magazine

Official UEFA Euro 2016 App Leaks User Data

The official UEFA Euro 2016 Fan Guide App is leaking users’ personal data, according to security researchers.

Analysis by Wandera of data traffic from enterprise mobile devices shows that highly personal user data, including user names, passwords, addresses and phone numbers, is being transferred over an insecure (unencrypted) connection. The app, which has more than 100,000 downloads, could therefore give an attacker on the network path a way to read, and potentially steal, valuable user data.

“While the public has been made aware of malware concerns associated with fake FIFA apps, it should be noted that even an official app such as the UEFA Euro 2016 Fan Guide App is not secure,” the company said in its report on the subject.

The issue affects both the iOS and Android versions, the firm said, adding, “these exposed vulnerabilities represent the tip of the iceberg in terms of the collective threat to enterprise mobiles brought about by the football tournament.”
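The flaw described above is the kind that a traffic audit of a mobile fleet catches mechanically: a request that carries credential or contact fields but leaves the device without TLS. The block below is an added example (not Wandera’s analysis code) that runs such an audit over constructed request records as a proxy or on-device capture might log them, reporting sensitive form, JSON or query-string fields sent over plain `http`, and Basic authentication headers, whose base64 encoding offers no protection on the wire. The request records, hostnames and the list of sensitive field names are assumptions for the example.

```python
import base64
import json
from urllib.parse import urlparse, parse_qs

# Field names whose presence in an unencrypted request is worth an alert
# (assumed list for this example).
SENSITIVE_KEYS = {
    "password", "passwd", "pwd", "pass", "username", "user", "login",
    "email", "phone", "address", "token", "session",
}

# Constructed requests, as a proxy or on-device capture might record them.
SAMPLE_REQUESTS = [
    {"method": "POST", "url": "https://api.example-app.test/v1/login",
     "headers": {"Content-Type": "application/x-www-form-urlencoded"},
     "body": "username=fan42&password=hunter2"},
    {"method": "POST", "url": "http://api.example-app.test/v1/login",
     "headers": {"Content-Type": "application/json"},
     "body": json.dumps({"email": "fan@example.test", "password": "hunter2",
                         "phone": "+33123456789"})},
    {"method": "GET", "url": "http://api.example-app.test/v1/profile?email=fan%40example.test",
     "headers": {"Authorization": "Basic " + base64.b64encode(b"fan42:hunter2").decode()},
     "body": ""},
    {"method": "GET", "url": "http://cdn.example-app.test/img/logo.png",
     "headers": {}, "body": ""},
]


def body_fields(content_type, body):
    """Top-level field names in a form-encoded or JSON body (other types: none)."""
    if not body:
        return set()
    ctype = (content_type or "").split(";")[0].strip().lower()
    if ctype == "application/x-www-form-urlencoded":
        return set(parse_qs(body, keep_blank_values=True))
    if ctype == "application/json":
        try:
            data = json.loads(body)
        except ValueError:
            return set()
        return set(data) if isinstance(data, dict) else set()
    return set()


def audit_request(req):
    """Return the sensitive fields this request sends without TLS, or None if clean."""
    parsed = urlparse(req["url"])
    if parsed.scheme.lower() != "http":
        return None  # TLS in use: the content is not exposed to the network path
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    exposed = set(parse_qs(parsed.query, keep_blank_values=True))
    exposed |= body_fields(headers.get("content-type"), req.get("body", ""))
    exposed = {f for f in exposed if f.lower() in SENSITIVE_KEYS}
    if headers.get("authorization", "").lower().startswith("basic "):
        exposed.add("authorization:basic")  # base64 is encoding, not encryption
    if not exposed:
        return None
    return {"method": req["method"], "url": req["url"], "exposed": sorted(exposed)}


def audit_requests(requests):
    """Findings for every request in the capture that leaks sensitive fields."""
    return [f for f in (audit_request(r) for r in requests) if f]


if __name__ == "__main__":
    for f in audit_requests(SAMPLE_REQUESTS):
        print(f"{f['method']} {f['url']}  exposes {f['exposed']}")
```

The HTTPS login and the static image fetch pass; the cleartext JSON login and the profile request (e-mail in the query string plus Basic credentials) are reported. The same shape of check, run from a device-side VPN or enterprise proxy, is how a “trusted” app’s leaks get caught before its users’ credentials do.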

More specifically, since the tournament started Wandera has found that 72% of the malicious websites it recognized, and 41% of exposed passwords, were detected on smartphones in France, a situation most likely linked to an increasing number of mobile ads.

Traffic related to online advertising almost doubled during Wandera’s investigation, and peaked in Portugal, Ireland, Turkey and Spain. News and sports website traffic also increased by 38%, and the use of social networks saw a 67% surge during the month-long period. All of this adds a greater chance for exposure to malicious actors’ gambits and traps.

“Increased data usage during the beginning of Euro 2016 will come as no surprise to anyone,” said Eldar Tuvey, CEO of Wandera. “What is clear however, is that football fans are travelling across Europe, accessing apps and websites that are unfamiliar to them to access the up-to-date information they crave. Our analysis proves that even so-called ‘trusted sources’ carry risk and vulnerability—something that enterprises must be equipped to deal with.”

The global hacking community isn’t just focused on France and the tournament, it should be noted. Wandera has also seen a significant phishing threat in Russia that has continued despite the start of Euro 2016. In fact, a staggering 73% of all phishing incidents occurred there during the time period.

“In February this year, reports were released about phishing attacks on Russian banks,” the report noted. “Russian hackers managed to steal over $27m from Russian banks, first by going after their clients, before moving on to the banks themselves. Following this and the practices put in place to prevent further attacks; we expected the threat actors to have moved on to other targets, particularly with the start of Euro 2016 and the upcoming Olympics. This is not the case however.”

Photo © Mathias Rosenthal

Source: Information Security Magazine

9.2 Million More US Healthcare Records Go Up for Sale on the Dark Web

The Dark Overlord is lording it over the US healthcare industry once again. The hacker is offering a fresh trove of 9.2 million patient records on a Dark Web marketplace, for 750 Bitcoin (about $477,000).

The Dark Overlord (let’s shorten that to TDO, shall we?) is advertising the plaintext 2GB database as including names, addresses, emails, phone numbers, dates of birth and Social Security Numbers (SSNs) belonging to 9,278,352 Americans. He or she claims that the data was lifted using a zero-day exploit for remote desktop protocol (RDP).

In TDO’s listing on The Real Deal site, the hacker said: “This product is an extremely large database in plaintext from a large insurance healthcare organization in the United States. Ownership of this database will be exclusive and only a single copy will be sold.”

TDO added, “This has not been leaked anywhere and it has not yet been abused. If you are interested in purchasing this database and would like to make an offer other than what is listed, send a PM [private message]. Only serious offers will be entertained.”

IBTimes UK, which broke the news, noted that it has not verified the authenticity of the database.

Just a few days ago TDO listed a different healthcare database containing 655,000 records, claiming to have sold some of the data for $100,000. When all is said and done, this breach could net TDO upwards of a half a million dollars—a stark reminder of just how valuable this type of information is. It can be used for fraud, identity theft, phishing, account compromises and more.

In contrast, a Russian hacker going by the handle Tessa88 was recently selling a cache of 32 million Twitter records with account credentials for 10 Bitcoin on the Dark Web. That’s the equivalent of around $5,820, which works out to less than a cent per record.

So, given the laws of supply and demand, it’s likely that the healthcare industry will continue to be every hacker’s favorite cash cow, for the time being. But the nature of the information at stake also makes these organizations ripe for ransom attempts.

“Hospital IT systems are notoriously fragmented and complex, with networks crossing wards, laboratories and offices,” said Brian Spector, CEO of MIRACL, in an email. “They are also among the most vital and important in any organization—because if their systems go down, people’s lives may be at risk. This makes healthcare organisations the perfect victims [for a ransom play].”

The breaches supposedly come from various healthcare organizations scattered around the United States. TDO said that each has been sent a ransom demand, and is therefore not naming names, for now.

“The healthcare industry today is squarely at the intersection of security and risk,” said Joe Fantuzzi, CEO of RiskVision, via email. “Ransomware hackers are targeting the lucrative healthcare data opportunity primarily because of the scale of endpoint vulnerabilities that need to be monitored. But endpoint monitoring (security) without risk assessments is not enough, and creates opportunities for the bad guys. Best practices for healthcare companies today are to risk assess endpoint categories by things like asset criticality and business risk impact. Then companies can ‘find the needle in the stack of needles’ to marginalize these kind of attacks and ensure compliance with things like HIPAA and HITECH.”

Photo © kentoh

Source: Information Security Magazine

Over 40% of Firms Globally Now use Encryption ‘Extensively’

Organizations around the world finally seem to be responding proactively to the growing volume of security threats and privacy issues, with 41% now using encryption extensively, according to Thales e-Security.

The French data protection company claimed in its 2016 Encryption Application Trends Study that the jump in the number of firms using encryption extensively, seven percentage points on last year, was the biggest in the report’s 11-year history.

Those in the Financial Services, Healthcare and Pharmaceutical, and Technology and Software sectors led the way, the report claimed.

The study, which polled over 5000 individuals across 14 industry sectors and 11 countries, found database encryption increased from 42% to 61% since last year, while Big Data encryption more than doubled, from 15% to 32%, and use of encryption for internet communications rose from 37% to over half (58%).

The figures should be tempered by the fact that Thales e-Security is effectively an encryption company.

The report also revealed several frustrations and rising expectations associated with current encryption technologies.

For example, the biggest pain point for 61% of respondents was managing SSH keys and keys for external services.

Performance and latency was rated as the most important feature of an encryption application, with support for cloud and on-premise deployments in second, as firms look to roll out hybrid clouds.

A potential solution to the pain associated with managing keys could be Hardware Security Modules (HSMs), according to Thales e-Security senior director of security strategy, John Grimm.

He told Infosecurity that the data owner should always keep control of the keys, according to best practice.

“HSMs help organizations enforce policy on the use of the keys, rather than relying solely on people and what are often manual processes,” he added.

“They are often thought of purely as security devices, but have been proven to bring a strong operational benefit on the key management side as well. The best advice? Control your encryption keys as the means to controlling your data.”

Despite their obvious security benefits for organizations and personal users, encryption technologies have proved something of a bête noire for certain governments in recent years.

The authorities in Washington and London in particular see the increasing use of the technology by mobile manufacturers like Apple and messaging firms like Facebook’s WhatsApp as a potential issue as it means law enforcers and security services can’t read vital data on suspects.

The issue is coming to a head in the Snoopers’ Charter currently working its way through parliament in the UK – which may try to enact an unworkable but de facto ban on the technology – and the tussle between the FBI and Apple over access to suspects’ iPhones.

Senators Richard Burr (R-N.C.) and Dianne Feinstein (D-Calif.) introduced a new bill earlier this year which would give sweeping powers to federal judges to demand access to encrypted data from tech companies.

Source: Information Security Magazine