
Archive for May 2017

#WannaCry Profits Finally Hit $100,000

The infamous WannaCry ransomware has finally generated over $100,000 in payments over a week after it first landed, but profits remain relatively low considering the vast number of global users affected by the incident.

The campaign first landed on Friday May 12, with the black hats behind it demanding $300 in Bitcoin from victims in return for the decryption key for their files. That sum doubles to $600 if the ransom isn’t paid within 72 hours.

However, it appears from a Bitcoin tracker set up to monitor the digital wallets tied to the attack, that users are following the advice of security experts and law enforcers.

At the time of writing, the total raised by the cyber-criminals had reached just over $109,000.

This is a minute percentage of the hundreds of thousands of victims said to have been infected around the world.

Europol chief Rob Wainwright claimed just two days after the ransomware landed that it had affected more than 200,000 netizens in 150 countries.

Some estimates now claim that figure is closer to 300,000.

The victims’ decision not to pay may have been influenced by a few factors, not least the difficulty of getting hold of the digital currency itself, and reports that those who had paid up did not receive their decryption key.

It will also lend weight to the argument that those behind the campaign were nation-state hackers rather than financially motivated cyber-criminals, although the North Korea-linked Lazarus Group, mentioned by some as potentially involved, has a track record of launching both destructive, disruptive attacks and money-grabbing raids.

WannaCry infections have now dropped to virtually zero, but newer variants are emerging to try to ride on its coat-tails, using the same NSA exploits, according to some experts.

There are even attempts to DDoS the kill switch domain registered by UK security expert Marcus Hutchins, aka @MalwareTechBlog, according to reports.

Source: Information Security Magazine

Breaches Set to Grow in 2018 but Security Investments Stall

More than half (53%) of UK executives think data breach attempts will grow next year but less than half will increase cybersecurity investments, according to Ovum.

The analyst was commissioned by analytics company FICO to better understand the level of preparedness of UK and US organizations to deal with online threats.

Unfortunately, the UK was found wanting, with 41% of respondents claiming to have a tested data breach response plan, compared to 52% in the US.

However, the UK fared better on having things like monitoring, scoring and reporting services in place (63%), and board-level reporting (71%).

Over half (58%) of UK cybersecurity leaders said breaches had risen in the past 12 months and most expected a rise next year, with respondents from telecoms firms (75%) particularly braced for more attacks.

One standout industry that is planning to increase investment appears to be financial services, where 67% of respondents claimed they’d step up cybersecurity funding.

“A data breach can be a make-or-break moment for a company,” said Andrew Kellett, principal analyst for IT security and research author at Ovum.

“Your speed of response and your ability to maintain your customers’ trust determines the extent of both financial and reputational loss. If you haven’t tested your response plan, you are putting your firm at greater risk.”

The long roll call of UK firms caught out in data breach incidents already this year, from Wonga to Debenhams Flowers, highlights the need for organizations to invest in incident response plans.

Having a comprehensive organization-wide plan in place can limit the damage following a breach by catching an attack as early on in the kill chain as possible, and communicating with customers in a transparent and timely manner so they're less inclined to boycott the organization.

Investment is even more important in this area given the EU GDPR is now a year away, and will mandate the notification of any breaches within 72 hours to the ICO.

Source: Information Security Magazine

Questions Raised After Reporter Fools Bank Biometrics

Security experts have warned about the limitations of biometric authentication systems after a BBC reporter’s twin brother was able to access his HSBC account via the bank’s voice ID service.

Reporter Dan Simmons’ non-identical twin Joe logged in as his brother using the biometric security system launched by the lender in 2016.

After inputting account details and date of birth, the user is required to say "my voice is my password” in order to access their account.

However, Simmons was apparently allowed seven attempts at cracking his brother’s voice before getting it right on the eighth.

The bank is set to restrict user log-in attempts in future to three.
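The article says the bank allowed seven attempts and will cut the limit to three. The following added example, written for this page and not HSBC’s code, shows how a per-account consecutive-failure counter with a lockout changes the outcome of the reported sequence (seven rejections, then an accepted eighth). The account names, lockout period and timings are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class AccountState:
    failures: int = 0                      # consecutive failed attempts
    locked_until: Optional[float] = None   # epoch seconds; None when not locked


@dataclass
class AttemptLimiter:
    """Hypothetical attempt-limiting policy placed in front of a voice verifier.

    In a real deployment is_locked() is checked before the recording is sent to
    the verifier at all, so a locked account yields no further feedback about
    how close each recording was.
    """
    max_attempts: int                 # failures allowed before lockout
    lockout_seconds: float = 900.0    # constructed value: 15 minutes
    accounts: Dict[str, AccountState] = field(default_factory=dict)

    def _state(self, account: str) -> AccountState:
        return self.accounts.setdefault(account, AccountState())

    def is_locked(self, account: str, now: float) -> bool:
        st = self._state(account)
        if st.locked_until is None:
            return False
        if now < st.locked_until:
            return True
        # Lockout has expired: start a fresh counting window.
        st.failures = 0
        st.locked_until = None
        return False

    def attempt(self, account: str, verifier_accepted: bool, now: float) -> str:
        """Return 'locked', 'denied' or 'granted' for one login attempt."""
        if self.is_locked(account, now):
            return "locked"
        st = self._state(account)
        if verifier_accepted:
            st.failures = 0
            return "granted"
        st.failures += 1
        if st.failures >= self.max_attempts:
            st.locked_until = now + self.lockout_seconds
            return "locked"
        return "denied"


def run_sequence(limiter: AttemptLimiter, account: str,
                 verifier_outcomes: List[bool], start: float = 0.0,
                 spacing: float = 10.0) -> List[str]:
    """Replay a series of verifier decisions, one every `spacing` seconds."""
    return [limiter.attempt(account, ok, start + i * spacing)
            for i, ok in enumerate(verifier_outcomes)]


# The reported sequence: seven rejections, then the voice is accepted.
REPORTED_SEQUENCE = [False] * 7 + [True]

if __name__ == "__main__":
    for limit in (8, 3):
        print(limit, run_sequence(AttemptLimiter(max_attempts=limit),
                                  "acct-1", REPORTED_SEQUENCE))
```

With a limit of eight the eighth attempt is granted; with a limit of three the account locks on the third failure and the later attempts are never evaluated. The counter resets on success or when the lockout expires, so a legitimate customer who mis-speaks twice is not permanently locked out.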

It’s important to note that access to the account did not allow Joe Simmons to withdraw funds; only view balances and transactions and make transfers. A real fraudster would also be unlikely to know the voice patterns of the person they’re trying to rip off.

HSBC claimed its Voice ID system was still a “very secure method of authenticating customers.”

“Twins do have a similar voiceprint, but the introduction of this technology has seen a significant reduction in fraud, and has proven to be more secure than PINs, passwords and memorable phrases,” it added in a statement.

Alex Mathews, lead security evangelist at Positive Technologies, argued the report proves that using voice biometrics alone isn’t enough.

“As is always the case with security, a layered approach is best,” he added. “Rather than relying on it as a sole authentication method, it should be used as an additional tool, in tandem with other security practices."

However, Digital Guardian security advocate Thomas Fischer argued that biometrics are a step in the right direction.

“The BBC is certainly not the first to research ways to fool voice recognition systems or bypass fingerprint sensors, but this is no mean feat and depends on the quality of the original biometric imprint,” he explained.

“Brute force cracking weak passwords, on the other hand, can be done with relative ease. Biometrics are certainly not perfect, but anything we can do to make it more difficult for attackers to win and easier for consumers has to be a good move."

Source: Information Security Magazine

#WannaCry Didn’t Start with Phishing Attacks, Says Malwarebytes

The WannaCry ransomware threat didn’t begin with malware-infected phishing emails as first suspected, according to a new analysis from Malwarebytes.

The security vendor claimed it had been “an easy mistake to make”, but that in reality, the now-infamous campaign began by scanning for vulnerable SMB ports exposed to the public internet.

The NSA’s EternalBlue exploit was then used by attackers to get on the target network and the DoublePulsar backdoor employed to gain persistence, allowing for the installation of additional malware, like WannaCry.

“Without otherwise definitive proof of the infection vector via user-provided captures or logs, and based on the user reports stating that machines were infected when employees arrived for work, we’re left to conclude that the attackers initiated an operation to hunt down vulnerable public facing SMB ports, and once located, using the newly available SMB exploits to deploy malware and propagate to other vulnerable machines within connected networks,” explained Malwarebytes senior malware intelligence analyst, Adam McNeil.

“Developing a well-crafted campaign to identify just as little as a few thousand vulnerable machines would allow for the widespread distribution of this malware on the scale and speed that we saw with this particular ransomware variant.”

As for takeaways, they remain pretty much the same: regular and timely patching of systems; migration to newer, supported operating systems where possible; disabling unnecessary protocols such as SMB; and network segmentation.
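Malwarebytes’ reconstruction above starts with attackers hunting for SMB ports exposed to the public internet. The following added example, written for this page rather than taken from Malwarebytes, runs two defender-side checks over a constructed perimeter firewall log: which internal hosts accepted port 445 from outside the organisation’s address ranges (the exposure itself), and which sources swept several hosts on 445 inside a short window (the hunting behaviour). The log lines, the internal ranges and the window size are constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORT = 445

# Address ranges this hypothetical organisation treats as internal; anything
# else is "the public internet". Constructed for the example.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed perimeter firewall log (not real traffic). One flow per line:
# "<ISO timestamp> <src_ip> <dst_ip> <dst_port> <ACCEPT|DENY>"
SAMPLE_LOG = """\
2017-05-12T07:58:01 198.51.100.23 10.0.5.10 445 ACCEPT
2017-05-12T07:58:02 198.51.100.23 10.0.5.11 445 ACCEPT
2017-05-12T07:58:02 198.51.100.23 10.0.5.12 445 DENY
2017-05-12T07:58:03 198.51.100.23 10.0.5.13 445 ACCEPT
2017-05-12T07:58:04 198.51.100.23 10.0.5.14 445 DENY
2017-05-12T07:59:10 192.0.2.77 10.0.5.10 443 ACCEPT
2017-05-12T08:00:00 10.0.5.4 10.0.5.9 445 ACCEPT
2017-05-12T08:01:30 192.0.2.77 10.0.5.10 445 ACCEPT
"""


def parse_log(text):
    """Turn log lines into (timestamp, src, dst, port, action) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, action = line.split()
        events.append((datetime.fromisoformat(ts), ipaddress.ip_address(src),
                       ipaddress.ip_address(dst), int(port), action))
    return events


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def find_exposed_smb(events):
    """Internal hosts that ACCEPTED a port-445 connection from a non-internal source.

    Any hit here means SMB is reachable from the internet, which is the exposure
    the article describes; the fix is to block 445 at the edge, not to tune detection.
    """
    exposed = set()
    for _ts, src, dst, port, action in events:
        if port == SMB_PORT and action == "ACCEPT" and not is_internal(src):
            exposed.add(str(dst))
    return sorted(exposed)


def find_smb_sweeps(events, min_targets=3, window=timedelta(seconds=60)):
    """Sources that touched >= min_targets distinct hosts on 445 within one window.

    DENY lines count too: a blocked probe still reveals the sweep.
    Returns {source_ip: most distinct targets seen in any window}.
    """
    by_src = defaultdict(list)
    for ts, src, dst, port, _action in events:
        if port == SMB_PORT:
            by_src[src].append((ts, dst))
    sweeps = {}
    for src, hits in by_src.items():
        hits.sort()
        best = 0
        for i, (t0, _dst) in enumerate(hits):
            targets = {d for t, d in hits[i:] if t - t0 <= window}
            best = max(best, len(targets))
        if best >= min_targets:
            sweeps[str(src)] = best
    return sweeps


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("SMB reachable from outside on:", find_exposed_smb(evs))
    print("Port-445 sweeps:", find_smb_sweeps(evs))
```

On the sample, three internal hosts accepted SMB from outside and one source swept five hosts in three seconds; the internal-to-internal SMB flow is left alone, since that is the segmentation question rather than the perimeter one.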

McNeil also agreed with Microsoft president, Brad Smith, who called out the NSA and others for stockpiling exploits. The WannaCry incident is in many ways the perfect example of what can happen when government-developed exploits get into the wrong hands.

As for WannaCry, it appears as if the original threat is no longer infecting users, but newer variants have taken over.

Cryptomining threat Adylkuzz was flagged last week as one potential new threat which uses the same NSA exploits to spread.

Source: Information Security Magazine

#WannaCry BT Phishing Scam Spotted

Fraud experts are warning UK netizens of a sophisticated new phishing scam which uses the recent WannaCry ransomware attack campaign in an attempt to trick users into clicking on malicious links.

ActionFraud issued an alert late last week, claiming to have already received several reports of the BT-branded scam email.

“After analyzing the email, the domains appear very similar and this could easily catch out those who are concerned about the security of their data after the global attack”, the fraud prevention organization warned.

The message itself is pretty convincing, urging recipients in near flawless English to click on a “confirm security upgrade” button to re-establish full access to a BT account it claims has been restricted following the WannaCry outbreak.

“If you receive one of these emails do not click on any links and follow our advice on how to stay safe. Instead, go to the BT website directly and log in from there,” Action Fraud advised.

“We are also aware that companies are sending out legitimate emails of reassurance in connection with the recent cyber-attack, if in doubt contact them directly on a method other than the email you have received.”
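Action Fraud’s observation that “the domains appear very similar” is the detectable part of this scam. The following added example, written for this page and not Action Fraud’s or BT’s tooling, pulls every link host out of a constructed message modelled on the description and flags hosts that imitate a trusted brand domain: the brand used as a subdomain of someone else’s domain, homoglyph substitutions, the brand glued to a lure word, or a one-character typo of a longer brand name. The trusted-domain list, the cut-down suffix list, the lure words and every link in the sample are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Domains the brand legitimately uses. Constructed for this example; the real
# BT domains are not taken from the article.
TRUSTED_DOMAINS = {"bt.com", "btplc.com"}

# Tiny stand-in for the Public Suffix List, enough for the sample (assumption).
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au"}

# Words commonly glued onto a brand in phishing domains (constructed list).
SUSPICIOUS_WORDS = ("secure", "security", "login", "account", "upgrade", "verify")

# Characters often swapped for look-alikes; single-character map for str.translate.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                            "7": "t", "8": "b", "|": "l"})

# Constructed email body modelled on the article's description (not the real scam).
SAMPLE_EMAIL = """\
<p>Following the recent WannaCry attack, access to your BT account has been restricted.</p>
<a href="https://bt.com/help">BT help centre</a>
<a href="https://bt.com.account-security-upgrade.example/confirm">Confirm security upgrade</a>
<a href="http://bt-securityupgrade.example/login">Restore full access</a>
<a href="http://b7.com/">Manage your BT account</a>
<a href="https://btpic.com/verify">Verify now</a>
<a href="https://www.bbc.co.uk/news">More on the attack</a>
"""


def registrable_domain(host):
    """The part a registrant controls: example.com, example.co.uk, ..."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def normalise(label):
    """Collapse common visual substitutions before comparing against the brand."""
    return label.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(host):
    """Return 'trusted', 'lookalike' or 'unrelated' for a link host."""
    host = host.lower()
    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return "trusted"
    brands = {t.split(".")[0] for t in TRUSTED_DOMAINS}       # {"bt", "btplc"}
    labels = host.split(".")
    prefix = labels[:len(labels) - len(reg.split("."))]        # labels left of the registrable part
    # 1. Brand used as a subdomain of someone else's domain: bt.com.<other>.example
    if any(normalise(l) in brands for l in prefix):
        return "lookalike"
    second = normalise(reg.split(".")[0])
    for brand in brands:
        # 2. Homoglyph rendering of the brand itself: b7 -> bt
        if second == brand:
            return "lookalike"
        # 3. Brand plus a separator or a lure word: bt-securityupgrade, btlogin
        if second.startswith(brand) and len(second) > len(brand):
            rest = second[len(brand):]
            if not rest[0].isalpha() or any(w in rest for w in SUSPICIOUS_WORDS):
                return "lookalike"
        # 4. One edit away from a longer brand name: btpic -> btplc
        if len(brand) >= 5 and levenshtein(second, brand) <= 1:
            return "lookalike"
    return "unrelated"


def scan_email(html):
    """Map every href host in the message to its classification."""
    results = {}
    for url in re.findall(r'href=["\']([^"\']+)', html):
        host = urlparse(url).hostname
        if host:
            results[host] = classify_domain(host)
    return results


if __name__ == "__main__":
    for host, verdict in scan_email(SAMPLE_EMAIL).items():
        print(f"{verdict:10s} {host}")
```

The short brand label (“bt”) is deliberately not matched by edit distance, because two-letter names are one edit away from many unrelated words; for such brands the subdomain, homoglyph and lure-word rules carry the detection. A message with any link classified as a lookalike is the one to quarantine or warn on, regardless of how fluent the text is.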

Phishing attacks are becoming increasingly popular among the black hat community: the tactic was present in a fifth (21%) of attacks last year, up from just 8% the previous year, according to Verizon.

Separate data from the Anti-Phishing Working Group for 2016 points to over 1.2 million recorded phishing attacks worldwide, up a whopping 65% from 2015.

A template called 'Message from Administrator' had the highest average click rate of 34%, according to Wombat Security’s State of the Phish 2017 report, showing that work-related lures are most successful in getting clicks.

However, newsworthy events and popular brands like this BT scam are also popular among cyber-criminals, who use them as the initial lure, especially for consumer-based campaigns.

Source: Information Security Magazine

Android Security Gets a Boost with Google Play Protect

In a timely move given the rash of trojanized apps showing up in the official Google Play store of late, the internet giant has debuted Google Play Protect.

The biggest piece of this is that, using machine learning, Google says it now scans more than 50 billion apps every day to hunt for risks and potentially harmful code. Automated remediation is also part of the enhancement.

“Whether you’re checking email for work, playing Pokémon Go with your kids or watching your favorite movie, confidence in the security of your device and data is important,” said Edward Cunningham, product manager for Android Security, in a blog. “Play Protect is built into every device with Google Play, is always updating, and automatically takes action to keep your data and device safe, so you don’t have to lift a finger.”

Google has also implemented a “Find My Device” feature (something Apple has had for iPhone for quite some time), which allows users to locate, ring, lock and erase Android devices remotely—including phones, tablets and watches.

The news comes after several instances of bad apps showing up in Google Play. For instance, HummingWhale, a new variant of the HummingBad malware, was found hiding in more than 20 apps on Google Play in January; the infected apps were downloaded several million times by unsuspecting users before the Google Security team removed them. Similarly, the FalseGuide malware was found in April to be infesting 40+ guide apps in the Google Play store; these were uploaded to the app store as early as November 2016, meaning they hid successfully for five months, accumulating an alarming 2 million infected users.

“All Google Play apps go through a rigorous security analysis even before they’re published on the Play Store—and Play Protect warns you about bad apps that are downloaded from other sources too,” Cunningham said. “Play Protect watches out for any app that might step out of line on your device, keeping you and every other Android user safe.”

Source: Information Security Magazine

#WannaCry Exploit Now Being Used to Spread Spy Trojan

Threat actors are using the same EternalBlue exploit employed by WannaCry to deliver other malware—specifically, a remote access trojan (RAT) typically used to spy on people’s activities or take control of their computers.

During the recent pandemic attack, CyphortLabs discovered a similar attack against one of its honeypot servers.

“We initially thought this is WannaCry, but upon further investigation, we discovered a stealthier RAT,” researchers said, in an analysis. “Unlike WannaCry, this threat infects only once and does not spread. It is not a worm.”

The RAT has plenty of spy features, the firm said, including screen and keyboard monitoring, audio and video surveillance, the ability to transfer, download or delete files and data, and general control of the infected machine. It also takes care to block the exploit from being used for other malware.

“The threat actors probably did not want other threats mingling with their activity,” CyphortLabs said. Researchers added, “At first glance, the threat we discovered may not appear to be as destructive as the WannaCry ransomware, but it may be equally dangerous if not more, depending on the attacker’s intent.”

Interestingly, the analyzed sample was first seen on VirusTotal on April 2—and since then, there have been 12 other similar samples reported. “This is an indication that they might have been using the EternalBlue exploit well before the WannaCry outbreak on May 12,” CyphortLabs said.

The researchers added: “WannaCry ransomware delivered a strong message to the world by being noisy and destructive. It seems that the message is clear now; that there are many systems out there that are vulnerable to cyberattacks… In addition, if WannaCry did not happen, we may not be aware of a number of systems that are vulnerable to exploits whether they are zero-day, disclosed or undisclosed, and that makes this type of stealthy threat more dangerous. What will hurt you the most are those things that you did not see coming.”

The researchers believe that the group behind the attack is the same group that spreads Mirai via Windows (which Kaspersky discovered in February), due to several similarities in the indicators of compromise (IOCs).

"We believe at this point there are parallels with a group who has been building up the Mirai botnet and is now using EternalBlue to spread,” said Mounir Hadad, senior director of Cyphort Labs, via email. “We see the same C2 servers being used as the actors portrayed [by Kaspersky]. Given the previous uses of the Mirai botnet in mounting spectacular DDoS attacks, we can only speculate that the botnet is likely very large."

Source: Information Security Magazine

Sony Files Wide-ranging Suite of Piracy Suits in Moscow

Sony Interactive Entertainment is looking to permanently block several Russian ISPs, with a slew of piracy lawsuits filed in the Moscow City Court.

In the seven complaints, Sony’s UK division said that the ISPs are streaming its gaming properties without permission, and it is seeking the blocking of 20 different specific sites.

According to Muscovite outlet Izvestia, copyright action has been taken against the ISPs before (the ISPs have not been publicly named)—and that opens the door for what Russian law terms “eternal lock.” This is a punishment reserved for repeat piracy offenders, and involves a permanent ISP blockade.

“Positive changes in legislation aimed at protecting rightsholders, plus greater attention by state bodies to intellectual property rights violations, allows us today to begin to fight against piracy on the Internet,” said Sergey Klisho, general manager of Playstation in Russia.

Any blockade would be enacted under the Russian telecom regulator, Roskomnadzor. The problem, of course, is that specific applications can simply be moved to a new streaming platform, resulting in a game of whack-a-mole for piracy regulators and content owners.

“I do not believe that Roskomnadzor can block any application,” Russian Internet Ombudsman Dmitry Marinichev told Izvestia. “You can prevent Google Play or Apple’s iTunes from distributing them. But there is still one hundred and one ways left for these applications to spread. Stopping the application itself from working on the device of a particular user is a daunting task.”

Russia passed comprehensive anti-piracy law covering films and TV in 2013, with a major expansion to include music, books and software (including games) in 2015.

Source: Information Security Magazine

Research Finds IT Professionals Lack Company Loyalty

In a survey of 113 companies that had suffered a breach, 71% of IT practitioners claimed that brand protection was not their responsibility, while 70% do not believe their companies have a high-level ability to prevent breaches.

The research, by Centrify and the Ponemon Institute, found that 67% of chief marketing officers worry about reputation, but 63% of IT practitioners worry about their jobs. For those IT practitioners that had experienced a data breach, the most negative consequences were: significant financial harm (52%), greater scrutiny of the capabilities of the IT function (51%), significant brand and reputation damage (35%) and decreased customer and consumer trust in their organization (35%).

Cybersecurity consultant Dr Jessica Barker told Infosecurity that she felt that the disconnect between IT and CMOs was most interesting, and it shows we still have a long way to go to get joined up working actually happening in organizations and for people "to truly see that cybersecurity is a business issue, not just an IT one."

Speaking on a roundtable to launch the research, Bill Mann, senior vice-president of products and chief product officer at Centrify, said that some organizations do a good job of dealing with breaches, but some do a bad job. Asked if there was not a buy-in from IT into the company culture, Mann said: “There’s a disconnect on what they do on a day-to-day basis and what sells depending on stock price.

“It is not really about strategically running strategies across organizations, and not about more investment in a company, but more about alignment and communication within organizations.”

Mann said that every board meeting should ask ‘are we getting better’ and it’s not happening, and he said that from his point of view, companies should be asking and educating all members of staff on the impacts on the brand.

Asked whether third-party consultants who were not part of the company were part of the problem, Mann said that this could be improved by managing consultants better so that they know what their priorities are. “If you’re an Oracle DBA that’s your world, but how you reach them about what is important and a lot of communications from management are on priorities and that’s even more difficult with outsourcing”, he added.

In an email to Infosecurity, consultant Brian Honan said that in many cases, he finds IT professionals who have a primary focus on technology do not worry about company loyalty. “To them the focus is on the technology and the type of technical projects they may get involved in,” he explained.

“The more successful IT professionals and security professionals tend to be those who have an active interest in the business and understand the business goals and strategies of the organization.”

Honan said that if the third party is seen as taking core and/or interesting work away, then IT professionals can feel threatened. “However, if mundane or routine tasks are outsourced or key hard to find skills are brought in, then many see this as an opportunity to focus on interesting projects and to enhance their own skills,” he said. “So companies need to be careful in how they outsource so they get the balance right.”

The research also found that those companies who were breached had suffered a 5% average drop in the stock price.

Mann said: “It’s clearly a blind spot for the C-suite and it’s time leadership recognize that protecting data is no longer just an IT problem, but a bottom-line business concern that needs a holistic and strategic approach to protecting the whole organization.”

Source: Information Security Magazine

#SecureTour17: Business Nightmare Scenarios Detailed a Week Since #WannaCry

Speaking on the theme ‘The threats that should be keeping you awake at night’ at the FourSys SecureTour in London, independent computer security researcher Graham Cluley described the three main areas of concern for businesses in 2017.

Claiming that it is not about giving the audience nightmares, and not about nation-state hackers who "target private firms", Cluley said that the three main problems were: ransomware, insider threat and business email compromise.

Focusing on last weekend’s WannaCry ransomware outbreak, Cluley said that this was ransomware "on a scale never seen before", and "it hit so hard it took some hours before people came up with a logo!"

He added: “WannaCry did traditional things with Bitcoin, so what made it so different? It was not traditional ransomware; it was distributed by a worm-like feature and exploited a component in Microsoft Windows vulnerability and exploited the SMB protocol to spread very rapidly indeed.”

He went on to claim that ransomware has "truly been a threat over the last few years", highlighting other instances of the NHS being hit, as well as the San Francisco rapid transport system being shut down, and noted that it is also hitting mobile devices.

Turning to business email compromise, Cluley said that an attacker poses as the CFO and typically targets a junior member of staff; instead of sending malware, they just send an email to try to trick the person into sending money.

“People do this and as soon as they click on the send button, it is too late”, he said. Highlighting cases affecting major companies, Cluley said that this is effectively good social engineering.

Looking at the insider threat, Cluley highlighted cases in which people who appeared to be trusted employees, just by wearing a Red Dwarf or Iron Maiden T-shirt, were able to gain access to an IT department and network.

“We’re working together to make the internet a safer place, so don’t have nightmares."

Source: Information Security Magazine