
Archive for June 2016

Swift Could Ban Banks with Weak Security

Global financial messaging provider Swift is mooting the idea of dropping banks with weak security off its network, in a hardline approach which could force its clients to improve their response to recent cyber attacks.

Speaking ahead of the release of the organization’s “dedicated customer security program” last week, Swift CEO Gottfried Leibbrandt told the FT that the sophistication of these attacks – one of which resulted in the theft of $81m from Bangladesh Bank – had “changed the game completely.”

He told the paper:

“We could say that if the immediate security around Swift is not in order we could cut you off, you shouldn’t be on the network. There are pros and cons to that. The pros are that it provides clarity that if you are on the Swift network you need minimum standards. I think the con is if you do it too heavy handed you could drive people to unsafe channels.”

In a bid to head off criticism of its handling of the incidents, for which it lays 100% of the blame on banks’ internal IT security, Swift has released a new set of guidelines for its clients designed to improve baseline security.

This will involve Swift asking for more information on attacks from its customers and sharing more back with them; stronger requirements for customer-managed software; increased remote monitoring of customer environments; roll-out of 2FA and other tools to harden Swift products; and the development of audit standards and certifications for the secure management of Swift messages by client banks.

Also mooted are the creation of tools to detect anomalies on the Swift network, and other technologies designed to recall transfers quickly if they come from fraudulent messages.

Swift also promised to “foster … a secure ecosystem” of third party consultancies, hardware and software providers, fraud detection specialists and the like.

Right at the top of the priority list will be expanding information sharing efforts inside and outside of the network, and “forensic analysis on products and services related to SWIFT connectivity at affected banks.”

Since the $81m cyber heist from Bangladesh’s central bank, it has emerged that several other financial institutions were also targeted by hackers using a similar MO.

Security giant Symantec claimed recently that the attackers shared malware with those behind the Sony Pictures Entertainment hack – thought by some to be linked to North Korea.

Source: Information Security Magazine

Liberty Survey Finds British Opposition to Snoopers Charter

Nine in ten Brits are against the mass surveillance powers contained in the Investigatory Powers Bill.

According to a survey of 1,003 British adults by Liberty, 90% either say that it is only acceptable for the Government to access their communications data or online activity if they are suspected of or have committed a crime, or that this practice is never acceptable. Also, 72% of respondents claimed not to know anything about the Investigatory Powers bill, while 54% claim to have never heard of the plans to introduce the bill into law.

Liberty, which believes that targeted access to communications data based on suspicion, with a robust system of independent judicial oversight, is important in preventing and detecting serious crime, claimed that the so-called “Snoopers Charter” would force telco companies and internet service providers to store every person’s communications data for a year, where it could be accessed by dozens of public bodies with no need for suspicion of criminality.

Bella Sankey, director of policy for Liberty, said: “In its effort to expand the surveillance state, the Government is already ignoring technology experts, service providers and three cross-party parliamentary committees – but the views of the British public will be harder for even the Home Secretary to dismiss.

“This Bill would create a detailed profile on each of us which could be made available to hundreds of organizations to speculatively trawl and analyze. It will all but end online privacy, put our personal security at risk and swamp law enforcement with swathes of useless information.

“The vast majority of people know nothing about this Bill but, when asked, overwhelmingly reject this approach – MPs must listen to those they represent, vote against this rotten legislation and give us the effective, targeted system the British people want, need and deserve.”

In a blog post, the Open Rights Group said that the idea of “passive” retained records, lying unexamined until someone comes to the attention of the authorities, would be dead.

“The data becomes an actively checked resource, allowing everyone’s potential guilt to be assessed as needed,” it said.

“The filter creates convenience for law enforcement queries, and pushes practice towards the use of intrusive capabilities. It lowers the practical level on which they are employed. Techniques that today would be used only in the most serious crimes, because they require thought and care, tomorrow may be employed in run of the mill criminal activity, public order, or even food standards, as the bill stands.”

Home Secretary Theresa May is set to make more concessions on the controversial Investigatory Powers Bill which could boost privacy protections for UK citizens, ahead of a parliamentary debate on the proposed legislation this week.

May is set to include a new clause in the bill which will ensure any authorizations for intrusive surveillance and the like will only be granted if the information cannot be obtained by less intrusive means, according to The Guardian.

Source: Information Security Magazine

Stolen Washington Redskins Laptop Had Thousands of Medical Records

They may have won the NFC East division last year, but the Washington Redskins really need to get their heads in the game. The security game, that is.

A trainer’s laptop has been stolen, containing thousands of records for the NFL team’s players going back 13 years, all containing password-protected, but unencrypted, medical data.

The situation is, alas, not uncommon; the theft of laptops containing unencrypted medical records is an ongoing problem and one of the top categories of HIPAA breach disclosures to the US Department of Health and Human Services.

“It seems almost inevitable that if you put unencrypted confidential data on a laptop it will be stolen,” Tim McElwee, president of Proficio, told Infosecurity. “The solution is simple—stop doing this.”

At the very least, if one must do this, then it’s important to follow best practices of encrypting all sensitive personal data as it enters a system, at rest, in use and in motion.

“This incident clearly indicates how important it is to encrypt data at rest, especially when mobile devices (laptop, tablets, phones) are involved,” Giovanni Vigna, Lastline CTO and co-founder said via email. “Password protection can prevent the occasional onlooker from accessing the data, but if a disk can be removed or a whole device stolen, only disk encryption can protect the data.”

Luther Martin, HPE distinguished technologist, HPE Security-Data Security, added, “The ability to neutralize a breach by rendering data useless if lost or stolen, through data-centric encryption, is an essential benefit to ensure data remains secure.”

Unfortunately for the players, headaches are likely to ensue from the breach. “Medical information is the new data gold mine for attackers,” Martin said. “The data is lucrative, often unprotected, and useful for all types of fraud including medical and identity fraud.”

As such, the hit was likely a very intentional one—rather than an opportunistic grab.

Michael Magrath, current chairman of the nonprofit Healthcare Information Management Systems Society (HIMSS) Identity Management Task Force, and director of Healthcare Business, VASCO Data Security, noted that “this is a clear example that healthcare breaches are not isolated to healthcare organizations. They apply to employers, including the National Football League. Teams secure and protect their playbooks and need to apply that philosophy to securing their players’ medical information.”

Source: Information Security Magazine

Stuxnet-like Irongate Malware Emerges to Threaten Critical Infrastructure

A new ICS/SCADA-focused malware has been discovered that takes a few pages from Stuxnet in targeting critical infrastructure systems.

Snappily named “Irongate,” the malware targets specific processes within simulated Siemens control system environments, according to FireEye, and is likely a proof-of-concept. But its attributes are important to note for future threat intelligence.

“An important aspect of the Stuxnet story has to do with how the malware was discovered in the first place, which underscores the importance of sharing and reusing information in the cyber community,” said Ben Bernstein, CEO of Twistlock, via email. “The malware FireEye discovered was by scanning the VirusTotal/Google database, which are essentially crowdsourced databases of potentially malicious artifacts. The ability to find these kinds of important potential threats will only be possible if all of the actors in the cyber community are indeed encouraged to continue and share their data with the rest of the community for the common good.”

In this case, that’s especially true given Irongate’s resemblance to Stuxnet, which was deployed by the US and Israel to shut down Iran’s nuclear reactors. “While Irongate malware does not compare to Stuxnet in terms of complexity, ability to propagate or geopolitical implications, [it] leverages some of the same features and techniques Stuxnet used to attack centrifuge rotor speeds at the Natanz uranium enrichment facility,” FireEye noted in an analysis. “It also demonstrates new features for ICS malware.”

To wit: Both Stuxnet and Irongate look for a single, highly specific process, and both replace DLLs to achieve process manipulation. Both also have advanced evasion techniques: Irongate detects malware detonation/observation environments, whereas Stuxnet looked for the presence of antivirus software.

In the “new features” column, Irongate actively records and plays back process data to hide manipulations.

Its key feature is a man-in-the-middle (MitM) attack against process input-output (IO) and process operator software within industrial process simulation. The malware replaces a legitimate DLL with a malicious DLL, which then acts as a broker between a PLC and the legitimate monitoring software. This malicious DLL records five seconds of “normal” traffic from a PLC to the user interface and replays it, while sending different data back to the PLC. This could allow an attacker to alter a controlled process unbeknownst to process operators.
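A monitoring-side check for the record-and-replay behaviour described above, as an added example that is not from FireEye or the original article. It assumes an analogue process value sampled at 10 Hz on the operator side; the five-second replay window comes from the article, and both the genuine feed and the replayed feed are constructed here for illustration.

```python
import random

SAMPLE_RATE_HZ = 10          # assumed sampling rate of the operator-side feed
REPLAY_SECONDS = 5           # window length the article attributes to Irongate
WINDOW = SAMPLE_RATE_HZ * REPLAY_SECONDS   # 50 samples per replayed window


def constructed_live_feed(n, seed=7):
    """Constructed 'genuine' readings: a setpoint plus small Gaussian noise.

    Real analogue telemetry carries noise like this, so two five-second
    windows are never byte-for-byte identical unless something is replaying.
    """
    rng = random.Random(seed)
    return [round(1500.0 + rng.gauss(0, 2.0), 3) for _ in range(n)]


def constructed_replayed_feed(live, start, repeats):
    """Constructed operator view of a replay: from `start` on, the operator
    sees one recorded window repeated `repeats` times in place of live data.
    Total length is unchanged so the feed still looks continuous."""
    recorded = live[start:start + WINDOW]
    return live[:start] + recorded * repeats + live[start + WINDOW * repeats:]


def find_replayed_windows(samples, window=WINDOW):
    """Return offsets where a window of readings is immediately followed by an
    identical copy of itself.  In noisy telemetry that is a replay signature;
    each hit names the start of the window whose copy follows it."""
    hits = []
    i = 0
    while i + 2 * window <= len(samples):
        if samples[i:i + window] == samples[i + window:i + 2 * window]:
            hits.append(i)
            i += window          # the copy is confirmed; keep scanning after it
        else:
            i += 1
    return hits


if __name__ == "__main__":
    live = constructed_live_feed(600)
    print("genuine feed, replay hits:", find_replayed_windows(live))
    tampered = constructed_replayed_feed(live, start=100, repeats=3)
    print("tampered feed, replay hits at:", find_replayed_windows(tampered))
```

A hit at offset 100 and 150 means the same 50 readings were shown three times in a row from sample 100 onward, which is the operator-side symptom of the replay the article describes.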

It should be reiterated that this is, for now, a theoretical threat. FireEye researchers found the Irongate samples on VirusTotal while researching droppers compiled with PyInstaller — after testing, the Siemens Product Computer Emergency Readiness Team (ProductCERT) confirmed that Irongate is effective only in simulated environments, and is not viable against operational Siemens control systems. Irongate has also not been associated with any campaigns or threat actors in the wild, so it could be a test case, proof of concept or research activity for ICS attack techniques.

Source: Information Security Magazine

Ransomware Sends Phishing Volumes up Almost 800%

In a testament to the fact that we have seen a profound shift in criminal tactics, most (as in 93%) phishing emails now are pushing ransomware.

According to PhishMe, its analysis of phishing email campaigns from the first three months of 2016 has seen a 6.3 million increase in raw numbers, due primarily to a ransomware upsurge against the last quarter of 2015. That is a staggering 789% jump.

“Thus far in 2016, we have recorded an unprecedented rise in encryption ransomware attacks, and we see no signs of this trend abating. Individuals, small- and medium-sized businesses, hospitals, and global enterprises are all faced with the reality that this is now one of the most favored cyber-criminal enterprises,” explains Rohyt Belani, CEO and co-founder of PhishMe.

The firm’s Q1 2016 Malware Review has identified three key trends that were previously recorded throughout 2015 but have come to full fruition in the last few months: encryption ransomware; soft targeting by functional area; and the downloader/ransomware one-two combination.

When it comes to soft targeting in phishing, malicious emails are typically accompanied with Microsoft Office documents laden with malware or the ability to download the same.

“In contrast to both broad distribution and the careful targeting of one or two individuals via spear phishing emails, soft targeting focuses on a category of individuals based on their role within any organization anywhere in the world,” said Belani. “Criminals target this subset with content relevant to their role.”

Towards the end of 2015, PhishMe’s Research team hinted toward the growing prevalence of JavaScript downloader applications as a malware delivery mechanism. During the first three months of 2016, most notably through its prolific use by the distributors of Locky, this prediction did indeed materialize as expected.

“During the first quarter, JavaScript applications even surpassed Office documents with macro scripts to become the most common malicious file type accompanying phishing emails,” Belani said. “JSDropper applications were present in nearly one-third of all phishing email analyses performed by PhishMe.”

Of course, whether threat actors execute encryption ransomware attacks via phishing messages, deliver personalized messages to a functional area of an organization, or combine Dridex or Locky with JSDropper or Office documents with macros for delivery, the impact on the victimized organization is significant.

“They have to expend scarce incident response resources on the clean-up effort, manage a potential public relations nightmare, and in some cases even cave in to hacker demands of paying the ransom being demanded,” the report noted.

Belani added, “As the frequency and magnitude of such phishing attacks increase, the importance of empowering humans to avoid and report them, and giving incident response teams the ability to rapidly react to such reports has never been more acute.”

Source: Information Security Magazine

Ping Identity Set to be Acquired by Vista Private Equity

Identity-defined security provider Ping Identity is set to be acquired by Vista Equity Partners.

A private equity firm focused on software, data and technology-enabled businesses, Vista has previously acquired both Solera Networks and TIBCO. The transaction is expected to close in the third quarter of this year. Financial terms were not disclosed.

The concept of Ping Identity is to provide secure access to enable the right people to access the right things, seamlessly and securely; Vista said that the acquisition will enable Ping Identity to stimulate growth and innovation through strategic acquisitions and focused investment in its enterprise Identity-as-a-Service (IDaaS) capabilities.

Andre Durand, CEO of Ping Identity, said: “This is a great day for Ping Identity as the investment validates what we’ve built: the leading Identity and Access Management platform.

“Enterprises require a partner who can effectively integrate every technology stack and cloud platform to provide secure access for their users. With Vista, we can now accelerate our vision of creating a borderless world secured through identity. The Ping team is excited to begin this next phase for Ping Identity and to broaden its reach into new markets.”

In an email to Infosecurity, 451 Research Enterprise Security senior analyst Garrett Bekker said that IAM is a massive sector with lots of private equity acquisition activity – with BeyondTrust, Courion, SailPoint and now Ping Identity acquired by private equity shops.

“I think it was a logical outcome,” he said. “Ping had been identified (pun intended) as an IPO candidate for some time, but with the tech IPO window all but closed and tech M&A off to a really slow start this year, a private equity exit was likely the best alternative for them.

“Vista has a track record of making follow-on acquisitions to help their companies diversify – they did so with Websense, helping them purchase next-generation firewall technology to fill a hole in their portfolio. Ping Identity has a pretty broad portfolio already, but there are a few areas I could see them putting more attention to: risk-based or adaptive authentication, more support for mobile and IoT use cases, and customer-facing identity management.”

Bekker doubted that this would have a big impact on the sector, other than maybe to set the stage for more private equity activity in the IAM space.

Robert F. Smith, founder, chairman and chief executive officer of Vista, said: “Identity is the new strategic imperative for winning in the digital economy. With the Internet of Everything upon us, it is more important than ever to protect and secure access to any application through identity.

“Vista recognizes the power of Ping’s platform and the strength of Ping’s business model, and we’re looking forward to working with Andre to support Ping’s growth in the dynamic and strategic field of identity management.”

Source: Information Security Magazine

Experts Warn of Fake FIFA and UEFA Adware Apps

Security experts are warning football fans to be on their guard after spotting fake Android apps looking to cash in on some major sporting tournaments taking place this summer.

The Copa América Centenario kicks off today, while the much anticipated UEFA European Championship starts in a week’s time.

Unsurprisingly, the scammers have been out in force, flooding the official Google Play Store with phoney titles designed to imitate the popular FIFA app, according to Avast virus analyst, Jan Piskacek.

He spotted four apps in particular filled with adware. Despite being uploaded under different developer names, they all tie back to one person, having the same dex files and manifests, Piskacek explained.

On opening for the first time they all request the user to agree to receive ads from the Airpush advertising network. Doing so will mean details like device ID, IP address, and installed apps could be collected.

Airpush will also monitor geolocation, browser history and email address details thanks to the permissions granted to the app, Avast claimed.

“Additionally, when you click ‘Ok’ to these terms you give your consent for Airpush to associate the Google advertiser ID from your device with other information it collects about your device, including persistent device identifiers and/or personally identifiable information,” explained Piskacek.

“You’re probably thinking ‘Just click ‘Cancel’ to avoid giving away your personal information to Airpush, but more importantly, to avoid the annoying ads!’. I hate to disappoint, but even if you click ‘Cancel’ a Sky entertainment ad appears as soon as you start a game.”

The four apps are of poor quality and saturated with ads which block the user’s view of the game, he continued.

One particular pop-up on one of the gaming apps tries to trick the user into buying another app, by claiming their device is riddled with malware and that they need the new app to clean it up.

Sporting tournaments have long been a lure for black hats and scammers looking to cash in on heightened public interest.

Last month, Kaspersky Lab warned users to remain on their guard after spotting fake lottery win notifications spoofed to come from the Brazilian government and the International Olympic Committee (IOC).

To claim their ‘prize’ users are urged to fill in their personal details – a classic phishing tactic.

Researchers also warned of an uptick in fake ticketing sites ahead of the Olympic Games this summer.

Source: Information Security Magazine

Dridex Spam Bursts Reveal New Threat Tactics

The infamous banking trojan Dridex sputtered back to life at the end of May after a quiet month with new capabilities designed to trick users into opening a malicious attachment and bypass security filters.

The trojan was unusually inactive during most of last month, before reappearing in a new wave of spam emails, according to Trend Micro researchers Michael Casayuran, Rhena Inocencio, and Jay Yaneza.

These emails show the threat actors behind the campaign have changed tactics slightly, using a different kind of social engineering designed to trick users into opening the malicious attachment.

The subject line of the spam bears the message “account compromised” while the main body of the email contains details of a supposed suspicious logon attempt, including an IP address to make it look legitimate.

The attachment supposedly has the full report of this spoofed incident, Trend Micro said.

“The spammed message is almost believable except for that one missing crucial detail. It doesn’t have any information on what type of account (email, bank, social media accounts etc.) is compromised,” it added in a blog post.

“Based on our research, the spam runs of Dridex have semblances with Locky ransomware with its use of macros and identical email templates.”

Another new feature is the use of Certutil and Personal Information Exchange (.PFX) files – the latter typically used by software certificates to store public and private keys.

“When you open the .ZIP file attachment and the word document, a .PFX file is dropped. However, this won’t necessarily run on your system because it’s encrypted,” Trend Micro explained. “This is where Certutil comes in, decoding a base64-text file to convert the .PFX file to .EXE file. When the .PFX file is finally converted into an executable file, DRIDEX infects your system.”

The reason why the Dridex authors have gone to this extra effort is that .PFX and Certutil apparently help to pass off the malicious file as a legitimate certificate.
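A defender-side check for the Certutil decode step described above, as an added example that is not from Trend Micro or the original article. It scans process-creation records for certutil being run in decode mode, and weights the Dridex-specific signs (a .PFX input, an executable output, an Office parent process). The record layout `pid|parent_image|image|command_line` is assumed, and the sample events are constructed, not real telemetry.

```python
import ntpath
from dataclasses import dataclass, field

# Constructed process-creation events in an assumed "pid|parent|image|cmdline" layout.
SAMPLE_EVENTS = [
    "4120|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\certutil.exe|"
    "certutil -urlcache -split -f https://example.invalid/update.crl update.crl",
    "4188|C:\\Program Files\\Microsoft Office\\WINWORD.EXE|C:\\Windows\\System32\\certutil.exe|"
    "certutil -decode C:\\Users\\bob\\AppData\\Local\\Temp\\report.pfx "
    "C:\\Users\\bob\\AppData\\Local\\Temp\\report.exe",
    "4201|C:\\Windows\\System32\\svchost.exe|C:\\Windows\\System32\\certutil.exe|"
    "certutil -verify -urlfetch signed.cer",
    "4250|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\certutil.exe|"
    "certutil.exe -decode payload.txt payload.exe",
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
EXECUTABLE_EXTS = (".exe", ".dll", ".scr", ".com")


@dataclass
class Finding:
    pid: int
    score: int
    reasons: list = field(default_factory=list)


def parse_event(line):
    """Split one assumed-layout record; the command line may itself contain '|'."""
    pid, parent, image, cmdline = line.split("|", 3)
    return int(pid), parent, image, cmdline


def analyze(line):
    """Return a Finding for a certutil decode invocation, else None."""
    pid, parent, image, cmdline = parse_event(line)
    if ntpath.basename(image).lower() != "certutil.exe":
        return None
    argv = cmdline.split()
    # certutil accepts both '-' and '/' switch prefixes.
    flags = {a.lower().lstrip("-/") for a in argv[1:] if a[:1] in "-/"}
    if not flags & {"decode", "decodehex"}:
        return None                      # -urlcache, -verify etc. are not this pattern
    f = Finding(pid=pid, score=1, reasons=["certutil invoked in decode mode"])
    positional = [a for a in argv[1:] if a[:1] not in "-/"]
    if len(positional) >= 2:
        src, dst = positional[-2].lower(), positional[-1].lower()
        if dst.endswith(EXECUTABLE_EXTS):
            f.score += 2
            f.reasons.append(f"decode output is an executable: {dst}")
        if src.endswith(".pfx"):
            f.score += 1
            f.reasons.append("decode input is presented as a .PFX certificate file")
    if ntpath.basename(parent).lower() in OFFICE_PARENTS:
        f.score += 2
        f.reasons.append(f"spawned by Office application {ntpath.basename(parent)}")
    return f


def scan(events):
    """Run analyze() over a batch of records and keep only the hits."""
    return [f for f in (analyze(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding.pid, finding.score, "; ".join(finding.reasons))
```

The Word-spawned .PFX-to-.EXE decode scores highest; a bare decode from a shell still surfaces, while legitimate certutil uses such as -urlcache or -verify are ignored.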

Trend Micro urged users to mitigate the risk of Dridex infection by not opening attachments or enabling macros when receiving unsolicited emails.

“On the other hand, enterprises can create policies that will block off email messages with attachments from unknown sources,” the vendor concluded.

“It also recommended that they educate their employees about this type of security threat and what to do when they encounter one.”

Source: Information Security Magazine

CryptXXX Adapts Again to Outwit Decryptors

Notorious ransomware family CryptXXX has morphed yet again to defeat decryption tools with a newly discovered variant: version 3.100, according to Proofpoint.

The security vendor claimed in a new blog post that CryptXXX 3.100 features new Server Message Block (SMB) functionality to scan for shared Windows drives on the corporate network before encrypting them one by one.

This renders the current CryptXXX decryption tool from Kaspersky Lab useless, and organizations should not count on another one being made available any time soon, Proofpoint argued.

“Even when possible, decrypting individual files is time-consuming and scales poorly, especially as CryptXXX begins encrypting many more files across network shares,” the firm said. “Similarly … the information stealing capabilities built into CryptXXX render organizations vulnerable even if they can recover critical files.”

These info stealing capabilities come in the form of StillerX – a credential stealing DLL which works as a plugin or standalone stealer.

It has been designed to target a wide range of potentially monetizable information on a victim’s machine, including browser data, email/IM/VPN credentials, and even poker software log-ins.

CryptXXX 3.100 also features a simplified lock screen and a new more user-friendly payment portal hosted on an onion site.

Proofpoint claimed the ransomware family has become fairly widespread of late, even attracting black hats from TeslaCrypt.

“Because CryptXXX also includes robust information-stealing capabilities, multi-layered network and endpoint protection are also critical to prevent data exfiltration in case of infection,” the vendor concluded.

“CryptXXX updates have appeared very quickly over the last month and, without an available decryption tool, users and organizations must focus on detection and prevention.”

The scale of the ransomware problem is still difficult to gauge as many victims don’t report infections, but some reports suggest the FBI has estimated over $200m in losses in Q1 alone – far more than the $24m figure ascribed to the whole of 2015.

In addition, DNS firm Infoblox claimed this week that it had observed a 35-fold increase in new ransomware domains in Q1 compared to the final three months of 2015.

Source: Information Security Magazine

Russian Ransomware Bosses Make 13 Times the Average Wage

A five-month investigation of an organized Russian ransomware campaign has revealed that the typical ‘ransomware boss’ makes an average annual salary of $90,000, or $7,500 per month. That’s 13 times the average current wage in Russia.

The report, from Flashpoint, shows how cyber-criminals are using ransomware as a service (RaaS) to successfully target victims, with the healthcare industry being identified as a priority target.

Once newcomers are recruited by a crime boss and become part of the boss’s affiliate network, it becomes relatively easy for them to start spreading ransomware quickly, attacking corporations and users via botnet installs, email and social media phishing campaigns, compromised dedicated servers and file-sharing websites.

“Ransomware is clearly paying for Russian cyber-criminals,” said Vitali Kremez, cybercrime intelligence analyst at Flashpoint. “As RaaS campaigns become more widespread and accessible to even low-level cyber-criminals, such attacks may result in difficult situations for individuals and corporations not yet ready to deal with these new waves of attacks.”

As far as priority targets for these campaigns, Flashpoint found affiliate ransomware targeting hospitals and healthcare networks being advertised specifically on Dark Web forums and marketplaces. And while numerous users have purchased ransomware promoted specifically for targeting hospitals, Flashpoint analysts, who closely monitor these schemes, assess that cyber-criminals utilize such malware across a wide spectrum of industries.

Kremez added, “Corporations and users are unfortunately faced with a commensurately greater challenge of effectively protecting their data and operations from being held ransom, with no guarantee that sending a ransom payment will result in return of the stolen data.”

The report pointed out that there’s no end in sight: With recent, highly publicized ransomware attacks on several hospitals and health networks resulting in large payouts to retrieve critical files, cyber-criminals are clearly beginning to recognize that holding the data hostage is often more lucrative than simply stealing the data and selling it on the black market.

Source: Information Security Magazine