
Archive for July 2016

Adwind RAT Resurfaces—with a Zero Detection Rate

The Adwind remote access Trojan (RAT) has resurfaced after a few months of silence, in a series of targeted attacks. It is not the usual RAT: at the time of Heimdal's analysis the samples slipped past antivirus engines entirely, with a reported zero detection rate.

It was spotted over the weekend in several targeted attacks against Danish companies, according to Heimdal Security. But given that the malicious email used to deceive victims is written in English, the attackers will most likely not stop at the Danish border.

“The RAT was last seen a few months ago, after having been apparently taken down in 2015,” explained Andra Zaharia, security specialist at Heimdal, in an analysis. “It infected almost half a million people and organizations worldwide. Now it has surfaced again, proving that cyber-criminals are not ready to give up on using it.”

Adwind is Java-based malware and is often associated with APT campaigns. Heimdal calls it “cross-platform, multifunctional and plain destructive.”

As such, it has a dual purpose: to exfiltrate data from the compromised organization, and to open a backdoor through which the attackers can push further malware onto the affected machines. A successful Adwind infection gives the criminals a backdoor into hosts running Windows, OS X, Linux and even Android. Once the RAT is on the system, the attackers can control it remotely and capture keystrokes, webcam and audio feeds, screenshots and more.

In the observed attacks, if the Adwind code is executed, the infected computer also will be immediately recruited into a botnet.

Any machine with a Java runtime on which the malicious attachment is executed is potentially vulnerable, but the criminals behind Adwind are part of a trend towards more targeted attacks that require a smaller infrastructure to carry out.

“This means less resources put into building infrastructure and a potentially bigger return on investment because of the targeted nature of the strike,” Zaharia said. “Avoiding large-scale campaigns also means they have a higher chance of going undetected. This gives them more time to sit on the infected systems and extract more data from them.”

She added that the months between these resurgences of Adwind could also signal that the attackers are taking their time to prepare their strikes, to maximize their chances of success.

As far as protection measures go, admins should build data security in layers and coach employees on how to recognize malicious mail. Adwind is being spread by unsolicited emails with the subject line “Quotation request.”
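The attachment check that a mail gateway or a helpdesk triage script could apply to this lure, as an added example rather than code from Heimdal or the original article. It assumes the lure arrives as a ZIP-style attachment, which the article does not state: the detector therefore keys on structure (a ZIP carrying META-INF/MANIFEST.MF is a Java archive whatever its file name, and a ZIP carrying a script file is the Locky/Zepto-style delivery covered later on this page) rather than on the sender-controlled file name. The messages it parses are constructed in the block, and the subject keyword list and extension list are my choices.

```python
"""Mail triage for the lure described above (added example, not Heimdal's code).

Flags messages whose subject matches the reported lure and whose attachments are
Java archives (Adwind is Java-based) or script files, including inside ZIPs.
The sample messages are constructed here; nothing is read from the network.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Subject used by the observed campaign, per Heimdal; matched case-insensitively.
LURE_SUBJECTS = ("quotation request",)
# Extensions that should never arrive unsolicited in a business mailbox (my list).
SCRIPT_EXTENSIONS = (".jar", ".js", ".jse", ".vbs", ".wsf", ".hta", ".exe", ".scr")
ZIP_MAGIC = b"PK\x03\x04"


def zip_member_names(data: bytes) -> list:
    """Names inside a ZIP payload, or [] if the bytes are not a readable ZIP."""
    if not data.startswith(ZIP_MAGIC):
        return []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def is_java_archive(data: bytes) -> bool:
    """A JAR is a ZIP whose directory contains META-INF/MANIFEST.MF.
    Checking the structure beats trusting the file name, which the sender controls."""
    return "META-INF/MANIFEST.MF" in zip_member_names(data)


def triage(raw: bytes) -> list:
    """Return a list of finding strings for one RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    subject = str(msg["subject"] or "").strip()
    if any(lure in subject.lower() for lure in LURE_SUBJECTS):
        findings.append(f"subject matches known lure: {subject!r}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if is_java_archive(data):
            findings.append(f"attachment {name!r} is a Java archive (JAR)")
        elif name.endswith(SCRIPT_EXTENSIONS):
            findings.append(f"attachment {name!r} has executable extension")
        # Script inside an archive: the delivery method seen in Locky/Zepto spam.
        for member in zip_member_names(data):
            if member.lower().endswith(SCRIPT_EXTENSIONS):
                findings.append(f"attachment {name!r} contains script {member!r}")
    return findings


def make_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: content}; used only for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_message(subject: str, filename: str, attachment: bytes) -> bytes:
    """Constructed message with one binary attachment, serialized to RFC 5322 bytes."""
    msg = EmailMessage()
    msg["From"] = "purchasing@example.invalid"
    msg["To"] = "sales@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Please see the attached document.")
    msg.add_attachment(attachment, maintype="application",
                       subtype="octet-stream", filename=filename)
    return bytes(msg)


# Constructed lookalikes of the two lures discussed on this page (not real samples).
SAMPLE_JAR = make_zip({"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\nMain-Class: Loader\n",
                       "Loader.class": b"\xca\xfe\xba\xbe"})  # class-file magic only
SAMPLE_JS_ZIP = make_zip({"requested_document.js": "var x = 'downloader stub';"})

if __name__ == "__main__":
    for subj, fname, blob in (("Quotation request", "Quotation.pdf.zip", SAMPLE_JAR),
                              ("Document you requested", "doc.zip", SAMPLE_JS_ZIP)):
        for line in triage(build_sample_message(subj, fname, blob)):
            print("ALERT:", line)
```

The JAR test deliberately ignores the attachment's name: a file called Quotation.pdf.zip that carries a manifest is still a Java archive, and that is what the runtime will execute if a user double-clicks it.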


Source: Information Security Magazine

FBI Says No Criminal Charges for Hillary Clinton Over Emails

The FBI has recommended that no criminal charges be brought against Hillary Clinton over her use of private email while she was Secretary of State.

FBI Director James Comey said that although she was "extremely careless" with classified information, "no reasonable prosecutor" would pursue a criminal case against the Democratic presidential hopeful. Attorney General Loretta Lynch said that she would follow the recommendation, meaning that Clinton is officially in the clear.

FBI agents interviewed Clinton for more than three hours over the long US Independence Day weekend, questioning her about her email habits. The FBI said that it found more than 100 emails containing classified information on her private server, spread across multiple email chains. However, the information had not been marked as classified, and the FBI concluded that it was not sent intentionally. Had there been intent, there would have been grounds for criminal charges.

The recommendation concludes an investigation that began a year ago and involved the detailed examination of multiple servers, 30,000 emails and dozens of people. It all started with a request by the House Select Committee on Benghazi to see correspondence between Clinton and other officials surrounding the September 2012 attack on the diplomatic outpost in Benghazi, Libya, that killed four Americans. In the course of that process, it was discovered that Clinton had used a personal email address for some communications, routing the messages through a private server at her home in Chappaqua, N.Y.

Comey did chastise the presumptive Presidential nominee, saying that “There is evidence to support a conclusion” that she “should have known an unclassified system was no place” for handling sensitive information, and that she should have known better.

His comments echoed the tone of an independent audit by the Inspector General which found that Clinton and her team ignored “clear guidance” from the State Department about email security while she was Secretary of State.

Predictably, Republican presidential contender Donald Trump characterized Clinton as compromising national security, and called the decision "unfair."

For anyone interested in drawing their own conclusions, WikiLeaks has launched a searchable archive of 30,322 emails and email attachments sent to and from Hillary Clinton's private email server while she was Secretary of State. The 50,547 pages of documents span from June 30, 2010 to August 12, 2014, and include 7,570 documents that were sent by Hillary Clinton herself. The emails were made available in the form of thousands of PDFs by the US State Department as a result of a Freedom of Information Act request. The final PDFs were made available on February 29.


Source: Information Security Magazine

EU Ploughs $500 Million into Cybersecurity R&D

The European Commission is set to plough €450 million ($500m) into a new public-private partnership designed to encourage the development of innovative new cyber security products.

The initiative comes under the remit of the EU’s research and innovation program Horizon 2020, with security “market players” – represented by the European Cyber Security Organisation (ECSO) – set to contribute three times the amount pledged by the Commission.

Details remain vague at the moment but the plan is to spur co-operation between governments, research centres, private sector and academia to build out security solutions for various sectors including health, energy and finance.

The European Commission is also looking at improving cross-border co-operation in the event of a major cyber incident; developing a Europe-wide certification framework for ICT security products; and making it easier for start-ups to access finance to scale-up operations.

It’s unclear whether UK organizations will benefit from these schemes, although the country’s status within the bloc is technically unchanged until it triggers Article 50. The UK is also still contributing around £170m per week to Brussels, once rebates and money flowing the other way are taken into account.

Securing online identities and protecting cloud infrastructure are just some of the suggestions made by the Commission on where the €450m in funding should go.

But Venafi chief security strategist Kevin Bocek argued that other areas should be considered.

“They need to recognize the need to secure the identities of machines, software, devices and the foundation of the internet itself, not just people,” he said. “Already software dwarfs the human population and knowing what is good or bad friend or foe when it comes to machines, software, devices will be only more important. We have to stop applying our anthropomorphic thinking, and think like those that want to threaten our way of life and economy in the 21st century.” 

The way in which entities trust the internet has not changed in over 20 years, but with keys and certificates increasingly being used and abused by the black hats, more focus is needed on developing solutions in this area, Bocek added.

“It is critical that government and business now look to strengthen the foundation, building in an immune system to protect us to know what is good or bad, friend or foe, and take immediate action to fix and repair when needed,” he concluded.

Source: Information Security Magazine

Second ‘Celebgate’ Hacker Pleads Guilty

A second man has pleaded guilty to illegally accessing hundreds of iCloud and Gmail accounts including many belonging to big-name Hollywood celebrities.

Edward Majerczyk, 28, who lives in Chicago and Orland Park, signed a plea agreement in return for a lenient sentence, confessing to one count of “unauthorized access to a protected computer to obtain information” under the Computer Fraud and Abuse Act.

He sent classic phishing emails spoofed to come from the victims’ ‘internet service providers’ which ultimately gave him access to their Gmail and iCloud accounts, according to the Department of Justice. He then trawled these accounts for personal information including private photos and videos.

Majerczyk is said to have accessed a whopping 300 accounts from November 2013 to August 2014, around 30 of which belonged to celebrities.

“This defendant not only hacked into e-mail accounts – he hacked into his victims’ private lives, causing embarrassment and lasting harm,” said Deirdre Fike, assistant director in charge of the FBI’s Los Angeles Field Office.

“As most of us use devices containing private information, cases like this remind us to protect our data. Members of society whose information is in demand can be even more vulnerable, and directly targeted.”

Although he still faces a statutory maximum sentence of five years in federal prison, Majerczyk will be hoping for something more like the sentence handed down to 36-year-old Pennsylvania man Ryan Collins.

He got a term of 18 months after pleading guilty to a similar phishing scheme in March, although his activities appear to have been more limited – apparently restricted to around 50 iCloud accounts and 72 Gmail accounts.

Like the Collins case, Majerczyk was caught thanks to an FBI investigation into the so-called “Celebgate” leaks. However, no evidence has been uncovered linking either man to the actual publication or dissemination of the photos online.  

Source: Information Security Magazine

Global Firms Could Pull Data Out of Post-Brexit UK

Data sovereignty is set to become an even more important issue for IT professionals as the UK negotiates its way out of the EU in the shadow of the GDPR, according to consultancy CNS Group.

The firm polled over 200 attendees at the Infosecurity Europe show in London last month and found 92% thought it “very” or “fairly” important that data is stored, accessed and backed up in the UK.

However, disappointingly, only just over a quarter (27%) claimed they were “very certain” this is the case.

Still, the forthcoming major changes to Europe’s data protection laws in the form of the EU GDPR are likely to focus minds on the issue, according to CNS Group CEO Shannon Simpson.

She claimed that, irrespective of size, UK organizations will have to know where their data is stored and managed, and even post-Brexit they’ll still have to comply with the GDPR if they want to trade with the bloc, which will mean paying closer attention to such matters.

Specifically, they’ll need to know where data is stored and backed-up; who has access to it; and how it’s encrypted, CNS Group argued.

The spectre of Brexit is likely to create “clearer lines of data sovereignty,” with UK firms keeping data in the UK and EU and global firms keeping it in EU countries, according to Simpson.

“For British firms the weaker pound will make off-shoring costs more expensive. Depending on the data they hold – i.e. if it’s only UK citizen data and not that of European citizens – they may wish to ensure their data is in the UK to avoid additional EU regulation,” Simpson told Infosecurity.

“The new GDPR means that there will be more stringent data transference rules to moving EU data out of the EU, hence to the UK. The cost of this additional regulation, audit and scrutiny may be enough to convince firms that keeping the data in Europe is more cost effective.”

Simpson’s comments echo those of legal and data security experts, who have warned in the past that if the UK fully exits Europe and fails to create a legal framework mirroring that of the GDPR then its digital economy could be decimated. 

Source: Information Security Magazine

Identity Theft Jumps 57% as Fraudsters Target Social Media

The number of victims hit by identity theft jumped a hefty 57% last year, according to figures from fraud prevention service Cifas.

The firm’s research found that fraudsters are particularly targeting younger internet users with around 24,000 people aged 30 and under suffering identity fraud in 2015, up from 15,766 in 2014 and more than double the 11,000 victims in this age bracket in 2010.

Identity fraud commonly occurs as a result of a cyber-criminal masquerading as an innocent individual and buying products or taking out loans in their name, with victims often completely oblivious to the fact they have been targeted until they receive a bill or have problems with their credit rating.

To be successful, fraudsters need to gain access to personal information such as name, date of birth, address, and bank details which they then use to piece together someone’s identity. Whilst they do this in a variety of ways, social media sites such as Facebook, LinkedIn and Twitter (to name just a few) are proving to be common hunting grounds for identity thieves to gather the data they need, with Cifas stating that 86% of all identity frauds last year were carried out online.

When you take into account just how many young internet users are on social media these days, it comes as no great surprise that identity fraud has seen such a leap in the 30 and under age group.

"Social media sites are a goldmine of information for those with malicious intent,” said John Lord, managing director at identity data intelligence firm GBG. “Your name, your first school and even your mother's maiden name are now just a few clicks away for a fraudster. We all have a responsibility in preventing incidents of fraud, and for the user, thinking about what information you want to be publicly available is a good start. However, once that information has been compromised, what then?”

In the first instance, Lord continued, identity thieves use the real identity of an individual and thereafter create synthetic identities compiled from elements of the stolen data. Taking a ‘sledgehammer’ approach to blocking the original identity is often a waste of time, as the fraudulent activity usually takes place within a month of the theft.

“Organizations, therefore, need to use more data, analytical insights and triangulation of multiple identity proofing techniques when identity theft occurs, to minimize the effects for both the user and the businesses serving them,” he added.

GBG has provided consumers the following three top tips on how to keep their personal identities safe:

•    Think before you share: Is your Facebook profile private? Always be mindful about what you post online as it can be easy for a fraudster to piece together different pieces of information from multiple websites.

•    Be vigilant: Are you aware of where your address, phone number or date of birth are stored online? Do you keep track of where you put in your bank details? Knowing where your information resides is crucial. If you’re in doubt, ask an organization what it is actually doing with your data.

•    Make sure you know who you are speaking to: Don’t just think about online activity; is that telephone call really from your bank or is it another scam? Your identity opens a lot of doors for fraudsters and closes plenty more for you. From losing money to being turned down for a mortgage, the consequences can be disastrous. Remember your identity is priceless!

Source: Information Security Magazine

Security the Winner as Airlines Plan Big Investments

Some 91% of airlines plan to invest in cybersecurity over the next three years as IT budgets rise and planes become more connected than ever before, according to a major new study.

SITA’s annual Airline IT Trends Survey features the opinions of senior IT decision makers in each of the world’s top 200 passenger carriers.

The majority expect budgets to increase over the coming year, up from just one-third last year, with software development moved in-house and operations increasingly outsourced.

Also, the number of respondents who claimed they’re making “advanced preparations to manage cyber risks” jumped from 47% to 91%.

The focus on security can be linked to the uptick in Internet of Things (IoT) development in the industry, as more and more aircraft are fitted with embedded computing systems to support things like media streaming to passenger devices and internet connectivity.

Over two-thirds (68%) of airlines are investing in IoT programs in the next three years, up from 57% this time last year. 

As aircraft become ‘smarter’ and more connected, the chances of them being hacked increase, so it’s right that IT bosses are focusing on cybersecurity.

Security researcher Chris Roberts has done a lot of work in this area.

Last year the FBI famously alleged that he had effectively hacked a plane in flight, causing it to fly sideways for a short period.

Roberts was also detained for questioning after sending a now infamous tweet about his activities, which got him kicked off a United Airlines flight in April.

However, manufacturer Boeing said in a statement that what he is accused of doing is impossible, because the aircraft’s flight and navigation systems are separated from the in-flight entertainment system through which he is said to have gained access.

Many of the security issues associated with embedded computing could be mitigated by cryptographically signing chip firmware and anchoring the verification key in the silicon, so that the device refuses to boot firmware that has been wiped or overwritten with an unsigned image.

Source: Information Security Magazine

Zepto Ransomware Soars

Security researchers are warning users of a spike in spam emails containing a variant of the infamous Locky ransomware, known as Zepto.

Cisco’s Talos team spotted 137,731 emails in just four days, containing over 3300 unique samples, according to technical lead, Warren Mercer.

Most of the emails used simple social engineering, asking the user to look at an attached document they had ‘requested.'

Emails are also crafted to appear more convincing by greeting the recipient by first name, he explained.

Once the attachment is opened, the malicious JavaScript runs in the background and the Zepto payload encrypts the files on the user’s machine, appending the .zepto extension to each.

Some samples only contacted one C&C server whilst others communicated with up to nine domains, the researcher continued.

Once the encryption has been done, the malware will display a message for the victim, demanding payment.

“The email attack vector will continue to be used as email is an everyday occurrence now and the ability to generate large lists of emails for spam campaigns like this is growing easier. The breaches which occur include email data which is actively sold to bidders on the underground for this type of campaign,” said Mercer.

“Ensuring users are careful with email attachments, like the ones used in this campaign, will help in an attempt to null the effects of this and further spam campaigns. Talos recommend you ensure you have a good backup strategy should you be hit with ransomware and we strongly advise that payment is never made to these actors.”
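A post-infection triage script for the encryption behaviour described above, added here as an example (it is not Talos code): it walks a directory tree, counts files carrying the .zepto extension, and separately flags files whose byte entropy is that of ciphertext, so that encrypted files are still caught if a later variant changes the extension. The victim tree it scans is constructed in a temporary directory; the 7.5 bits-per-byte threshold, the 64 KiB sampling window and the three-file trigger are my assumptions, not figures from the article.

```python
"""Post-encryption triage for the ransomware described above (added example, not Talos code).

Walks a directory tree, counts files renamed to the ransomware extension and flags
files whose leading bytes have ciphertext-like entropy. The sample tree is
constructed in a temporary directory so the script runs offline.
"""
import math
import os
import tempfile
from collections import Counter

RANSOM_EXTENSIONS = (".zepto",)
# Ciphertext and compressed data sit near 8 bits/byte; documents sit well below (assumed threshold).
ENTROPY_THRESHOLD = 7.5
SAMPLE_BYTES = 64 * 1024  # read only the head of each file to keep the scan cheap


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or single-valued input, 8.0 for uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_tree(root: str) -> dict:
    """Return {'renamed': [paths], 'high_entropy': [paths], 'total': int}."""
    report = {"renamed": [], "high_entropy": [], "total": 0}
    for dirpath, _dirs, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            report["total"] += 1
            if fn.lower().endswith(RANSOM_EXTENSIONS):
                report["renamed"].append(path)
            with open(path, "rb") as fh:
                head = fh.read(SAMPLE_BYTES)
            # Tiny files give noisy entropy estimates, so require a minimum sample.
            if len(head) >= 256 and shannon_entropy(head) >= ENTROPY_THRESHOLD:
                report["high_entropy"].append(path)
    return report


def ransomware_suspected(report: dict, min_renamed: int = 3) -> bool:
    """Trigger on a burst of renamed files (threshold is an assumption for the demo)."""
    return len(report["renamed"]) >= min_renamed


def make_sample_tree() -> str:
    """Constructed victim tree: three 'encrypted' files (random bytes, .zepto suffix)
    beside two intact text documents. Names are made up for the demo."""
    root = tempfile.mkdtemp(prefix="zepto_demo_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    for i in range(3):
        with open(os.path.join(docs, f"{i:08X}.zepto"), "wb") as fh:
            fh.write(os.urandom(4096))  # stands in for AES output
    with open(os.path.join(docs, "notes.txt"), "w") as fh:
        fh.write("quarterly figures\n" * 200)
    with open(os.path.join(root, "README.txt"), "w") as fh:
        fh.write("project readme\n" * 100)
    return root


if __name__ == "__main__":
    rep = scan_tree(make_sample_tree())
    print(f"{rep['total']} files, {len(rep['renamed'])} renamed, "
          f"{len(rep['high_entropy'])} high-entropy; suspected={ransomware_suspected(rep)}")
```

Entropy alone is not a verdict: compressed archives, images and existing encrypted volumes also score near 8 bits/byte, which is why the renamed-file count and the entropy list are reported separately rather than folded into one score.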

Meanwhile the Locky ransomware continues to evolve, causing devastation to individuals and businesses as it goes.

When it first burst onto the scene earlier this year, the botnet distributing it was shown to be the same one spreading Dridex banking malware.

In March, FireEye noted a sharp spike in Locky spam with users impacted in over 50 countries.

Source: Information Security Magazine

Experts Warn of Malicious Brexit Spam

Security experts are urging users to remain cautious online after seeing an uptick in Brexit-themed spam designed to trick recipients into downloading malware.

Cyber firm Digital Shadows told the Mail on Sunday that cyber-criminals are using classic social engineering techniques to create the kind of urgency that pushes users into clicking on a suspicious link or opening a malicious attachment.

That means jumping on the Brexit bandwagon and using its popularity at the moment to reel users in.

Subject lines might include “Brexit causes historic market drop,” the firm’s co-founder James Chappell explained.

“We advise all consumers to exercise caution,” he added. “Do not open attachments or click on links and delete this type of email straight away.”

It’s not the first time hackers have piggy-backed on popular current events in order to spread malware or trick users into divulging sensitive personal information.

Sporting tournaments are particularly popular for this purpose among the black hat community.

In 2014, for example, security experts identified numerous World Cup ticketing scams in which victims were sent emails containing malicious attachments masquerading as free tickets.

Interest in players like Neymar and Messi was also used as bait through email and social networking platforms.

Hackers have also extended their campaigns to the app sphere. Earlier this month Avast warned of a slew of Android apps on the official Google Play store designed to ape the popular FIFA app.

If installed, however, they offer little functionality and simply bombard the user with ads.

The tactic will no doubt be in play again this summer ahead of the Rio Olympic Games.

As for Brexit, there have been concerns that leaving the European Union will make it harder for the UK to share threat intelligence with continental neighbors and recruit the best cybersecurity talent from abroad.

There are also fears that some large multi-nationals could start to move data out of the UK, potentially signalling job losses.

Source: Information Security Magazine

Majority of Orgs Still Don’t Know Value of Critical Data

New research from IRM has revealed that almost two-thirds of companies don’t know the value of critical assets being targeted by hackers.

The firm’s Risky Business Report found that as few as 28% of CISOs regularly carry out exercises to categorize and value the data within their IT estate in order to understand the risks linked to the loss of such information; 55% have taken partial action, and 17% admitted to taking no action at all.

As a result, more than a third of CISOs have no clear view of what assets their business has, or where they are kept on the network.

Charles White, founder and CEO of IRM, argued that without a transparent understanding of the value of your data, it is far more difficult to build an effective risk strategy and determine how much should be invested to protect it.

“The fact that more than a third of CISOs have no clear view of what assets they have in their networks is very worrying,” he said. “How can you plan your cybersecurity investment accurately if you don’t know what you are protecting and how much it is worth? It is essential to know the value of the data stored and what its loss would cost the company across criteria such as cost of replacement, lost productivity, lost business, and damage to reputation.”

However on a more positive note, 66% of those polled said they now rarely or never have trouble in engaging with the board on the cyber agenda, with 57% stating that identifying risks and vulnerabilities was their top priority for the next 12 months.

“It’s encouraging to see a greater level of engagement between security heads and executives at the top level,” added White. “CISOs still struggling to make their case to the board need to be able to clearly demonstrate the ROI of their cyber strategy so that the board can balance investment costs against potential risk. Being able to accurately quantify how much the data on the company’s systems is worth and the financial impact of any threat against it is an essential tool in making this change.”

Source: Information Security Magazine