
Archive for February 2017

Necurs is Back and Ready to DDoS Someone


The Necurs botnet has resurfaced, with some new tricks. Notably, it’s taking a page from Mirai, and setting itself up to act as infrastructure for DDoS attacks.

According to Anubis Networks, the bot showed up about six months ago communicating with a set of IPs on a different port than the usual port 80. It also uses what appears to be a different protocol.

It’s also loading a new module—indicating that it can add new capabilities at any time.

“Necurs is a malware that is mainly known for sending large spam campaigns, most notably the Locky ransomware,” said Anubis, in an analysis. “However, Necurs is not only a spambot, it is a modular piece of malware that is composed of a main bot module, a userland rootkit and it can dynamically load additional modules (besides the spam module).”

While decrypting the C2 communication of a Necurs bot, Anubis observed a request to load two different modules, each with a different parameter list. The first one was the spam module for which Necurs is best known, and its parameters are the C2 addresses from which it can receive new spam campaigns. The second one was an unknown module that seemed responsible for the communications Anubis saw to the new port.

Upon examination, the firm discovered that the new module issued commands that would cause the bot to start making HTTP or UDP requests to an arbitrary target in an endless loop, in a way that could only be explained as a DDoS attack.

“This is particularly interesting considering the size of the Necurs botnets (the largest one, where this module was being loaded, has over 1 million active infections each 24 hours),” the company noted. “A botnet this big can likely produce a very powerful DDoS attack.”

Source: Information Security Magazine

Security Awareness Training to Explode in Next 10 Years


Security awareness training is the most underspent sector of the cybersecurity market, but it’s poised to become a multi-billion-dollar industry in 2017.

That’s according to a report from Cybersecurity Ventures, which also said that the market will top $10 billion by 2027.

According to Steve Morgan, founder and editor-in-chief at Cybersecurity Ventures, Fortune 500 and Global 2000 corporations will consider security awareness training as fundamental to their cyber-defense strategies by 2021, with small businesses following shortly thereafter.

Organizations of every size are starting to recognize that inside threats are as significant as outside threats, the research postulates, and users will be a crucial part of any organization’s information security program. So, training those users to recognize the overtures of malicious actors will be critical to hardening the “people layer,” also known as the last line of defense against cyberattacks.

Awareness training that combines interactive training in the browser with frequent simulated phishing attacks straight into the user’s email inbox has “proven to be very effective in creating a human firewall, a company’s last line of defense,” said Stu Sjouwerman, CEO of report sponsor KnowBe4. “New-school security awareness training has by far the best ROI of any security layer. Users see phish-prone percentages go from an average of 15 to 20% down to 1% or 2% after a year.”

Source: Information Security Magazine

Email Compromises, Phishing Top Insider Threats


Security and risk (S&R) pros have the challenging task of using finite resources (including budget, time, and people) to protect their businesses from every possible attack type. But they can zero in on the employee threat, given that more than a third of firms have experienced some information loss, theft or attack via email within the past two years, with phishing attacks being most common.

According to Forrester Consulting research, S&R decision-makers face threats from three groups of insiders—compromised accounts (internal accounts that have been compromised by external attacks), careless misuse (internal policy violators and those who accidentally leak or expose data or systems) and malicious insiders (insiders who purposefully take or misuse data or exploit systems).

Nearly two-thirds of the firms in our study had experienced a security incident involving a compromised account in the past two years, while 57% had an incident stemming from careless misuse and 41% from a malicious insider in that same period. Tellingly, only 1% said they had no incidents involving insiders.

But email remains a critical component of day-to-day business activity, and a significant channel through which employees interact with one another and the outside world. It’s no surprise then that email also represents one of the most significant, ongoing security vulnerabilities for many enterprises.

The survey, commissioned by Mimecast, found that almost every firm (99%) experienced some form of insider security incident within the past two years, with more than four out of 10 firms reporting a phishing attack during that time. The effects of successful phishes are significant: Three-quarters of respondents said compromised accounts had a significant or moderate financial impact, and 68% said they had a significant or moderate productivity impact.

Meanwhile, about 64% said malicious insiders caused a significant or moderate financial impact, and 57% said it had a significant or moderate productivity impact, with careless misuse creating financial issues for 61% and productivity impacts for 54%.

“Internal threats, specifically ones that use email, must be taken seriously by S&R decision-makers,” the survey concluded. “Fortunately, firms recognize the danger and are responding by investing in technology that can help defend against these threats. However, too many S&R professionals are focused on basic defensive capabilities, thereby potentially missing out on advances in security technologies that are more suited to defend against today's threats.”

Source: Information Security Magazine

Russia Admits Major Info Warfare Mission


Russia has admitted for the first time its significant investment in information warfare.

Defense minister, Sergey Shoigu, made the claims when addressing the lower house of the country’s parliament (Duma) this week, according to local reports.

He said a cyber army had been established within the Russian military, according to the state-controlled TASS news agency.

"The information operations forces have been established, that are expected to be a far more effective tool than all we used before for counter-propaganda purposes," he said. "Propaganda should be smart, competent and effective.”

This tallies very much with the allegations of state-backed interference in the US elections. It is alleged by the US security services that Russian spies stole and then released sensitive Democratic Party officials’ emails to undermine the result and push it in Donald Trump’s favor.

This kind of activity was labelled “cyberpropaganda” by Trend Micro in its 2017 predictions report, The Next Tier.

It also includes state agents posting propaganda to social media accounts, taking advantage of the limited checks many such platforms have on fake news and the like.

“The upcoming elections in France and Germany, including subsequent movements similar to the United Kingdom’s withdrawal from the European Union (EU) … will be influenced by what is being shared and done using electronic media. We will likely see more sensitive information used in cyberpropaganda activities stem from espionage operations such as PawnStorm,” noted the report.

“Entities that are able to navigate public opinion using this means in a strategic manner will be able to produce results that favor them. In 2017, we will see much more use, abuse, and misuse of social media.”

The Russian tactics were also dissected by ThreatConnect, which pointed to a rise in so-called “faketivism” – that is, state spies who create the personas of lone hacktivists in order to spread sensitive hacked material online for political ends.

This is what “Guccifer 2.0” did prior to the US presidential election, using WikiLeaks as a platform to legitimize its actions.

One of the hardest things for the white hats to come to terms with is that this step-up in Russian cyber aggression is usually not intended to promote a Russian ideology – as per the Cold War – but rather to undermine Western democracy, so that voters and citizens don’t know who to trust anymore.

News organizations and social media sites are beginning to respond, with initiatives such as CrossCheck, designed to ensure “hoaxes, rumors and false claims are swiftly debunked.”

But with the current US president denouncing legitimate media as “fake news” and the social media echo chamber effect amplifying any fake news to credulous netizens, they have their work cut out.

Source: Information Security Magazine

Tech Firms Urge Government to Cut Encryption Red Tape


Technology trade association techUK has called on government ministers to cut export red tape on products incorporating encryption in order to make the UK more competitive, as a separate white paper urges the European Commission to revise its stance on cybersecurity export controls.

With the digital economy responsible for roughly a quarter of the UK’s exports, the nation’s firms can’t afford the lengthy license approvals process needed for many products containing encryption, techUK argued.

With export procedures significantly more “liberal” in other countries, this is impacting the competitiveness of UK firms, according to the body.

It argued for an “Open General Export Licence” to cover specific comms equipment alongside clear guidance to help industry better understand which items require licensing.

The news comes as industry group Digital Europe launched a new positioning paper calling on the European Commission to modify its proposals to tighten restrictions on the export of so-called “dual-use” technologies.

Like the Wassenaar Arrangement, the proposals are designed to limit the export of technologies such as intrusion software, to repressive regimes which may use them to monitor dissidents and activists.

However, the Commission’s proposals could create legal uncertainty and problems for harmonization across Europe thanks to poor definitions for terms like “cyber-surveillance” technologies, “licensing criteria,” and “Intangible Technology Transfers,” techUK argued.

Poorly defined “catch-all” controls and technical assistance will actually work to restrict the ability of firms to export tools to enhance cybersecurity without safeguarding human rights around the world, it added.

What’s more, the proposals aren’t even in line with the Wassenaar Arrangement, and feature a newly created category, Annex 1 category 10, which will make it difficult for exporters to align with the countries they’re dealing with, the tech group said.

This area continues to prove a major stumbling block around the world, with the negotiators failing to find a breakthrough last year in discussions on the 41-country Wassenaar pact – despite the US leading efforts to agree on new language.

Source: Information Security Magazine

Google Research Brings End to SHA-1


Google has announced research that it hopes will begin the sunset process for the SHA-1 cryptographic hash.

Released alongside the CWI Institute in Amsterdam, the “Shattered” research culminates two years’ work to create a practical technique for generating a collision. In a blog post, the project’s authors, Google’s Marc Stevens and Elie Bursztein, described how they collaborated on making Marc’s cryptanalytic attacks against SHA-1 practical using Google infrastructure.

“Our findings emphasize the necessity of sunsetting SHA-1 usage,” the blog read. “Google has advocated the deprecation of SHA-1 for many years, particularly when it comes to signing TLS certificates. As early as 2014, the Chrome team announced that they would gradually phase out using SHA-1. We hope our practical attack on SHA-1 will cement that the protocol should no longer be considered secure.”

Google follows the likes of Microsoft and Mozilla in announcing that their web browsers will end support for SHA-1 certificates.

SHA-1 is used for digital signatures and file integrity verification, and protects a wide spectrum of digital assets, including credit card transactions, electronic documents, open-source software repositories and software updates. Google claimed that its research shows that it is “now practically possible to craft two colliding PDF files and obtain a SHA-1 digital signature on the first PDF file which can also be abused as a valid signature on the second PDF file.

“Today, many applications still rely on SHA-1, even though theoretical attacks have been known since 2005, and SHA-1 was officially deprecated by NIST in 2011. We hope our practical attack on SHA-1 will increase awareness and convince the industry to quickly move to safer alternatives, such as SHA-256.”

SHA-1 certificates are not issued by any Certification Authority abiding by the CA/Browser Forum anymore. Google announced support for SHA-1 certificates would end with Chrome 57, which was released in January 2017.

David Chismon, senior security consultant at MWR InfoSecurity, said: “The SHA-1 algorithm has been known to be weak for some years and it has been deprecated by NCSC, NIST, and many vendors. However, until today no real world attacks have been conducted. Google's proof of concept, and the promise of a public release of tools may turn this from a hypothetical issue to a real, albeit expensive one.

“Hopefully these new efforts of Google of making a real-world attack possible will lead to vendors and infrastructure managers quickly removing SHA-1 from their products and configuration as, despite it being a deprecated algorithm, some vendors still sell products that do not support more modern hashing algorithms or charge an extra cost to do so. However, whether this happens before malicious actors are able to exploit the issue for their benefit remains to be seen.”

Source: Information Security Magazine

Most Hackers Can Compromise You in 12 Hours or Less


More than two-thirds of hackers can break through cybersecurity defenses and into the systems they target within 12 hours. A full 81% say they can identify and take valuable data within 24 hours.

That’s according to The Black Report, assembled by Chris Pogue, CISO of Nuix. At DEFCON, he gathered a room full of hackers and handed them a paper survey with the intent to help CISO/CSOs and enterprise security teams understand which security countermeasures really do have an impact and which did not.

The results are concerning: When it comes to the cybersecurity arms race, many countermeasures that you think will stop an attacker won’t even slow them down. And other defensive techniques that you think are totally arbitrary actually have a tremendous impact on security posture.

For instance, defensive countermeasures typically focus on indicators of compromise (IOCs), or known specific activities or programs that are associated with an attack pattern. Now, that would be an effective strategy if attack patterns either never changed, or only changed some of the time.

“Exactly 50% of our respondents changed their attack methodologies with every target. A further 38% changed things at least every six months,” the report noted. “The smallest grouping (5%) said they changed things every 12 months or more … maybe these are the same people who keep getting caught?”

In terms of their offense, the preconceptions hold up better. During the reconnaissance stage of an attack, 72% of pentesters use some aspect of social engineering to gather information about their targets. Only 15% claimed they never used this tried-and-true attack method.

During the next stage of reconnaissance, 86% of hackers used vulnerability scanning to identify potential vulnerabilities in their targets; 24% said they did it frequently and 22% said they always did it.

That said, if security decision-makers think attackers use commercial tools or private exploit kits to carry out their attacks, the Nuix data indicates otherwise. Only 10% used a commercial tool set such as the Core IMPACT exploit framework or the Cobalt Strike threat emulation package. An even smaller number owned up to using private exploit kits (5%) or exploit packs (4%).

Instead, a large majority of respondents used open-source tools (60%) or created their own custom tools (21%). This shows that the tools required to hack are easily acquired without having to pay large fees or frequent suspect websites.

Meanwhile, direct server attacks were the most popular method for breaking into systems, favored by 43% of attackers. Phishing attacks were also popular at 40%, while drive-by and watering-hole attacks came in at roughly 9% each.

“What’s very much lacking is a solution that ties everything together and allows you the flexibility to respond to all of the threats your organization faces,” the report noted. “The majority of our respondents say they change attack tactics regularly or even with every engagement; why would you want to combat that with a rigid, outdated approach to security? You’ll never come out on top. We need to understand that security is more than just a policy on a piece of paper, an antivirus program or a group of professionals sitting in a room scanning log events. It’s all of the above, and it’s piecing everything together in a way that makes sense.”

Source: Information Security Magazine

950,000 Coachella Festival Credentials For Sale on Dark Web


A Dark Web data trader claims to be selling more than 950,000 user accounts for the website of popular US music festival Coachella, including email addresses, usernames and hashed passwords. It opens the door for a rash of follow-on phishing attacks.

Motherboard is reporting that the data is being sold for a mere $300 on the Tochka marketplace.

"Coachella complete database dump from this month," said the hacker, who uses the handle Berkut, in his or her listing. Berkut said that 360,000 of the accounts relate to the main Coachella website, and another 590,000 concern the message board, with the latter including user IP addresses.

Motherboard gained a sample of more than 10,000 accounts, and was able to independently verify the data by attempting to create new accounts with a random 30 of the provided email addresses—each one was already linked to a current account on the site. The good news is, payment information was not included.

Coachella is held annually in the spring in Indio, Calif., just outside Palm Springs in the desert. It regularly draws big names, like Dr. Dre & Snoop Dogg, Guns n Roses, Radiohead, and, this year, Beyoncé.

“The Coachella breach goes to show you that it isn’t only Fortune 500 companies and government agencies being targeted by cybercriminals—it’s any website that collects email credentials,” said Tony Gauda, CEO of ThinAir, via email. “Consumers who reuse email credentials are especially at risk during these attacks.”

While hacking larger organizations may be more lucrative, their defenses are also far more advanced, which has led hackers to increasingly target lower hanging fruit, he added.

Anyone with an account with Coachella should be extra-vigilant when it comes to dodgy emails.

“Anyone who registered for the music festival is now a target for highly customized phishing campaigns, opening the door for subsequent attacks and additional breaches. Until organizations take steps to secure their customers' information with the same level of security they apply to their physical assets, breaches such as this one will persist.”

Source: Information Security Magazine

One-Quarter of Americans Have Had Medical Info Stolen


One in four US consumers (26%) have had their personal medical information stolen from technology systems, according to results of a survey from Accenture.

The findings show that half (50%) of those who experienced a breach were victims of medical identity theft and had to pay approximately $2,500 in out-of-pocket costs per incident, on average.

In addition, the survey found that the breaches were most likely to occur in hospitals—the location cited by more than one-third (36%) of respondents who experienced a breach—followed by urgent-care clinics (22%), pharmacies (22%), physician’s offices (21%) and health insurers (21%). 

Interestingly, half (50%) of consumers who experienced a breach found out about it themselves, through noting an error on their credit card statement or benefits explanation, whereas only one-third (33%) were alerted to the breach by the organization where it occurred, and only about one in seven (15%) were alerted by a government agency.

In terms of what was compromised, half (50%) were victims of medical identity theft. Most often, the stolen identity was used to purchase items (cited by 37% of data-breached respondents) or used for fraudulent activities, such as billing for care (37%) or filling prescriptions (26%). Nearly one-third of consumers had their social security number (31%), contact information (31%) or medical data (31%) compromised.

Unlike credit-card identity theft, where the card provider generally has a legal responsibility for account holders’ losses above $50, victims of medical identity theft often have no automatic right to recover their losses. Yet, in response to the breach, nearly all (91%) of the consumers who were data-breach victims took some type of action. Some changed healthcare providers (cited by 25%), insurance plans (21%) or sought legal counsel (19%). Others took personal steps, such as changing login credentials (29%), subscribing to identity-protection services (24%) or adding security software to their computer (20%). Only 12% of data-breach victims reported the breach to the organization holding their data.

“Health systems need to recognize that many patients will suffer personal financial loss from cyberattacks of their medical information,” said Reza Chapman, managing director of cybersecurity in Accenture’s health practice. “Not only do health organizations need to stay vigilant in safeguarding personal information, they need to build a foundation of digital trust with patients to help weather the storm of a breach.”

Despite the myriad of breaches occurring, significantly more consumers still trust their healthcare provider (88%) and payer (82%) to keep their healthcare data secure than trust health technology companies (57%) or the government (56%) to do so. And while more than four in five consumers (82%) said they want to have at least some involvement in keeping their healthcare data secured, fewer than two-thirds (64%) said that they have such involvement today.

“Now is the time to strengthen cybersecurity capabilities, improve defenses, build resilience and better manage breaches so that consumers have confidence that their data is in trusted hands,” Chapman said. “When a breach occurs, healthcare organizations should be able to ask ‘How is our plan working?’ instead of ‘What’s our plan?’”

Source: Information Security Magazine

Hospitals Under Attack for Lucrative Patient Data


North American hospitals are the most exposed to cyber-threats in the world, according to a new Trend Micro study revealing a thriving black market in the Electronic Health Records (EHRs).

Its latest report, Cybercrime and Other Threats Faced by the Healthcare Industry, uses Shodan searches to reveal that patient data is at risk thanks to internet-connected but unsecured devices.

It revealed that Canada (53%) and the US (36%) are the two countries with the highest number of exposed healthcare organizations. It found over 1000 expired SSL certificates in the US alone.

Although the UK was fairly low down on that list (0.9%), its healthcare industry reported over 870 breach incidents to privacy watchdog the Information Commissioner’s Office (ICO) in 2016.

Also, separate research last year revealed that nearly half of all NHS Trusts in England had suffered a ransomware attack in the previous 12 months. 

Simon Edwards, European cybersecurity architect at Trend Micro, told Infosecurity that the volume of attacks targeting the NHS is “truly astounding.”

“In most cases these tend to be based around ransomware, and there have already been a number of hospital trusts who have had ransomware outbreaks which have impacted their ability to offer care to patients,” he added.

“One assumes that it is this need to provide vital services which makes them targets, for if a hospital A&E department is closed because of a cyber-attack, then people could die and so they will pay up. But it is also challenged by underfunding in cybersecurity projects and a lack of skilled and experienced security staff which makes them vulnerable.”

The Trend Micro report, which has a US bias, also revealed just how lucrative patient data can be for information thieves.

A complete EHR database can sell for as much as $500,000, it claimed.

Part of the attraction for cyber-criminals is that patient data typically includes a blend of information, including PII, medical, insurance and financial details.

Many of these are unique and can’t be reset if breached, allowing the hackers to reuse them multiple times and stitch pieces of stolen data together to commit follow-on identity fraud, the report claimed.

Fraudsters could technically use stolen information to get hold of prescription drugs, apply for medical insurance and even create birth certificates, it said.

Source: Information Security Magazine