Archive for July 2017

Anthem Medicare Patients Hit with Breach

Just days after being ordered to pay $115 million in a settlement over the 2015 data breach that affected nearly 80 million Americans, Anthem has been hit again.

Medicare patients on its insurance roster may be affected by identity theft, thanks to a potentially malicious employee at a third-party company that provides insurance coordination for the health care giant.

That third party, LaunchPoint Ventures, said in a statement that it discovered the employee’s activities in April; the employee in question emailed a file with information about Anthem companies’ members to his personal email address on July 8, 2016. It included the protected health information (PHI) of various members, including Social Security Numbers, Health Plan ID numbers (HCID), Medicare contract numbers, ID numbers and dates of enrollment, and in some cases, last names and dates of birth were also included.

It’s unclear how many consumers are affected.

After hiring a forensics team, LaunchPoint also learned that some other, non-Anthem data may have been misused by the employee.

The employee has been incarcerated and is under investigation by law enforcement for matters unrelated to the emailed Anthem file, it added. Even so, LaunchPoint said that it doesn’t know yet if the email was related to a legitimate work purpose, or whether the information was used for nefarious purposes.

“Collaboration and the use of third-party contractors are necessary, but we have seen them be the weak link in a number of recent high-profile breaches,” said Vishal Gupta, CEO of Seclore, via email. “The problem lies in that organizations typically focus on protecting the perimeter. While this is important, security can’t stop there—what happens if the bad guy is already inside the network, or when the data travels outside the organization?”

He added, “This is a perfect example of why data itself is the new perimeter, and IT teams need to focus on securing the actual information, as opposed to the hardware that stores it. Taking a data-centric approach to security is a necessary last line of defense when all other security measures fail.”

Source: Information Security Magazine

International Threat Intelligence and Info-Sharing Surges in 2017

With cybersecurity a global issue, organizations worldwide are sharing information and threat intelligence—which usually requires language translations. In the last year, those translations have surged by triple digits, indicating robust information-sharing practices amid several notable cybercrime incidents.

A new examination by One Hour Translation shows that there is a dramatic rise in the volume of knowledge that foreign organizations are tapping from the English-speaking world. An analysis of around 71,000 cyber-related translation projects uncovered a 280% surge in cybersecurity translations from English in the first half of 2017. On top of that, there was a sharp rise in the demand for cyber-related translations to some surprising languages.

The most popular target languages for translations from English were: Danish (21% of the projects); German (19%); French (11%); Simplified Mandarin (10%); Italian (9%); Dutch, Japanese and Russian (5% each); European Spanish (4%); Turkish, Traditional Mandarin (3% each); Brazilian Portuguese (2%); Korean and Latin American Spanish (1% for each language).

One Hour Translation found that most languages saw a growth in the number of translation projects in the second half of 2016, which continued into 2017. The number of projects translated from English to Danish for instance grew a whopping 1,636%, with others standing out: Dutch (899%); Japanese (784%); Russian (634%); Italian (609%); Korean (412%); German (391%); Simplified Mandarin (382%) and French (145%).

The firm said that, interestingly, the surge in the demand for translations into Danish is linked to the Danish Defense Minister’s warning that Danish hospitals and energy infrastructure are exposed to cyber warfare from Russia. In April 2017, the Danish government’s Center for Cybersecurity reported that Danish Foreign and Defense Ministries email accounts and servers were under constant cyber-attacks in 2015 and 2017. Another prominent Danish incident was the Petya ransomware, which paralyzed Danish transport and logistics giant Maersk.

As for Dutch, one unusual factor behind the surge in the demand for cybersecurity translations was the Global Threat Intelligence Report, published by NTT Security in April 2017. The report estimated that 38% of the world’s phishing attacks come from the Netherlands. Another factor was a wave of DDoS attacks by groups of Turkish hackers in March 2017 on prominent Dutch websites such as NL Times, Rumag and Versio hosted sites; and a credential compromise that affected 20,000.

The dramatic surge in translations into Japanese is also not coincidental, the firm said. For example, a Kyodo News survey found that in 2016 alone, cyberattacks on Japanese companies caused 12.6 million leaks, compared to 2.07 million in 2015. At least 600 targets in Japan were hit by the massive WannaCry ransomware attack that hit more than 200,000 computers in 150 countries in May 2017; the severity of the threat was further illustrated when at the end of June, Honda Motor announced that it was forced to temporarily shut down operations at the Sayama Automobile Plant near Tokyo (which produces the Honda Accord, Odyssey and Step Wagon) because of WannaCry’s damage to Honda’s computer network.

Meanwhile Russia, which is considered the source of many cyber-attacks, is itself seeing increased incidents. For example, at the end of June 2017, Group IB, a Russian cybersecurity company, reported that a large Petya ransomware attack had hit major Russian targets including airports, banks, and Russia’s largest oil producer Rosneft.

Another illustration of the close connection between dramatic political events and cyber-security translations can be seen in Turkey. The failed coup attempt against Turkey's President Erdogan resulted in the administration taking a series of steps to consolidate his regime and Turkey's physical and digital infrastructures—a move that has been reflected in a significant investment in cyber-defense, including a move by the National Intervention Center Against Cyber Attacks (USOM) to recruit thousands of highly skilled young people.

“Our survey shows that governments and companies from all over the world are equipping themselves with the best insights available in the English-speaking world in order to prepare for the rise in cybersecurity threats,” said Yaron Kaufman, co-founder and CMO of One Hour Translation. “This is reflected in the geographic distribution of demand for translations. When countries are particularly affected by cybersecurity incidents, or where cyber-events are prominent in national public discourse, such as in Denmark, the Netherlands, Japan and Russia, we have seen that these countries have dramatically increased the demand for translations that will help them tackle the cyber-defense challenges.”

Source: Information Security Magazine

Hackers Leak Game of Thrones After HBO Hack

Hackers have hit HBO, allegedly leaking the script for the fourth episode of this season’s Game of Thrones and claiming to publish upcoming episodes of Ballers and Room 104.

The thieves, who also claim to have made off with 1.5 terabytes of content in all from the premium cable network, also promised that more leaks are “coming soon.”

“HBO recently experienced a cyber-incident, which resulted in the compromise of proprietary information,” the network said in a press statement. “We immediately began investigating the incident and are working with law enforcement and outside cybersecurity firms. Data protection is a top priority at HBO, and we take seriously our responsibility to protect the data we hold.”

This morning, HBO chairman and CEO Richard Plepler sent an email to employees, obtained by Entertainment Weekly, with a bit of a pep talk:

“As most of you have probably heard by now, there has been a cyber incident directed at the company which has resulted in some stolen proprietary information, including some of our programming,” he wrote. “Any intrusion of this nature is obviously disruptive, unsettling and disturbing for all of us. I can assure you that senior leadership and our extraordinary technology team, along with outside experts, are working round the clock to protect our collective interests. The efforts across multiple departments have been nothing short of herculean. It is a textbook example of quintessential HBO teamwork. The problem before us is unfortunately all too familiar in the world we now find ourselves a part of. As has been the case with any challenge we have ever faced, I have absolutely no doubt that we will navigate our way through this successfully.”

This is the latest in a string of hacks on entertainment companies that stretches back to 2014’s massive Sony Pictures Entertainment compromise—the biggest breach of that year. More recently, episodes of Orange Is the New Black were leaked online in April ahead of the summer debut of Season 5; and in 2015, the first four episodes of Game of Thrones were released online before the season premiere—an incident that was traced to the review copies that were sent to reviewers.

However, details in this case as to what exactly was compromised and whether the alleged Game of Thrones script is the real deal were not forthcoming. These claims are not always legitimate, as demonstrated by the hoax against Disney in May, when a hacker falsely claimed to have stolen Pirates of the Caribbean: Dead Men Tell No Tales.

Source: Information Security Magazine

FireEye Dismisses Compromise Claims over #LeakTheAnalyst Operation

FireEye has refuted claims about compromise of its systems, after an employee’s social media accounts were defaced.

In a statement, a FireEye spokesperson said: “We are aware of reports that a Mandiant employee’s social media accounts were compromised. We immediately began investigating this situation, and took steps to limit further exposure. Our investigation continues, but thus far we have found no evidence FireEye or Mandiant systems were compromised.”

As featured by The Next Web, the LinkedIn profile of Mandiant analyst ‘Adi Peretz’ was hacked and defaced. The profile has since been taken down.

An email was sent early on Monday morning to media claiming to be from Peretz from an Israeli Hotmail account, which claimed to have a “major business critical data leak from FireEye and Mandiant by hacking into their Senior Threat Intelligence Analyst, Mr. Adi Peretz”. It claimed that the leak includes information about personal credentials, contractor details, top secret domains and business emails, and was published ‘under underground operation #LeakTheAnalyst.’

A Pastebin document (https://pastebin.com/6HugrWH4) claimed that initial access was achieved in 2016, with final access in 2017 to Mandiant, its parent FireEye, and ‘high profile personnel’.

It claimed that the breach included: Mandiant internal networks and client data; credentials; full access over a LinkedIn profile; full access over a victim’s private Windows machine and OneDrive; as well as FireEye licenses and ‘favorite password patterns’.

A statement read: “Nobody understands the amount of dedication it takes to break into a highly secured network, to bypass every state of the art security measure installed to make a targeted network unbreakable, to code and hack not for the money but for the pleasure of being somewhere no one can be in, to be addicted to pain.”

Special thanks were given to APT1, APT29 and APT32, all of which were detailed by Mandiant and FireEye.

The statement concluded by claiming that the ‘leet’ hackers tried to avoid analysts “whom trying to trace our attack footprints back to us and prove they are better than us”, and the point of the #LeakTheAnalyst operation was to track the analysts on social media and “trash their reputation in the field”.

FireEye acquired Mandiant for $1 billion at the end of 2013.

Source: Information Security Magazine

Facebook COO: Undermining Encryption Would Force Terrorists onto Other Platforms

Facebook COO Sheryl Sandberg has again defended her company’s use of end-to-end encryption, implying that forcing tech providers to undermine security would result in terrorists migrating to similar platforms in unregulated countries.

Facebook and its WhatsApp business have come under intense criticism from the UK government, with Prime Minister, Theresa May, arguing for greater internet regulation to “deprive the extremists of their safe spaces online”.

When it comes to end-to-end encryption, the call from an increasing number of governments is for platform providers to allow law enforcers access to such communications, which would effectively involve building a backdoor into services which could undermine security for hundreds of millions of law-abiding customers.

Speaking on BBC Radio 4's Desert Island Discs program, Sandberg implied that police should be glad that Facebook hands over metadata when requested for investigations, arguing that it’s better than nothing.

“The goal for governments is to get as much information as possible, so when there are message services like WhatsApp that are encrypted, the message itself is encrypted but the metadata is not,” she explained.

“If people move off those encrypted services to go to encrypted services in countries that won’t share the metadata, the government actually has less information not more.”

The Investigatory Powers Act actually allows the authorities to force service providers to provide access to end-to-end encryption services, although it’s highly unlikely that the likes of US-based WhatsApp would agree to engineering a backdoor in its service and there’s no way the government could ban its use.

However, Sandberg didn’t rule out the prospect, when asked.

“As technology evolves, these are complicated conversations. We’re in close communication working through the issues all around the world,” she said.

“These are so complicated and there’s so much work to do, but the goal is very clear. Our goal is to make sure not only is there no terrorism on Facebook, no violence, but that we do our part as part of the broader society to work with governments, with NGOs, with counter-speech with people who are going against terrorism.”

Facebook has announced several recent initiatives designed to crack down on terrorists’ use of its platforms, as outlined in this blog post.

Source: Information Security Magazine

Verticals Vary Widely When it Comes to Prioritizing Cyber

About 60% of directors and senior management in finance and insurance consider cybersecurity a very high priority—in stark contrast to the hospitality and food sectors, where only 15% do.

SavoyStewart.co.uk analyzed data from Gov.uk and found that the finance and insurance sectors have the highest concern over cybersecurity amongst the analyzed sectors. About half of those in education, health or social care consider cybersecurity as a very high priority, and in the entertainment, service and membership industries about a fifth (21%) do.

Yet, figures show that nine out of ten businesses across the board don’t have an incident management plan in the event of a cyberattack/breach.

With 83% of UK businesses online, these results dovetail with other research to form a concerning picture. For instance, data from Beaming revealed that 2.9 million UK firms suffered cybersecurity breaches last year (2016), costing firms an alarming £29.1 billion.

And, the consequences of a cyber-attack/breach can be devastating. According to Cisco, disruption to the operations of an organization (36%) is the most common result of a cyberattack/breach. After operations, impacts include finances (30%), brand reputation (26%), customer retention (26%) and intellectual property (24%).

“The calamity caused by recent cyber-attacks/breaches emphasises the need to take cyber security very seriously,” said Darren Best, MD at SavoyStewart.co.uk. “With threats likely to intensify as cyber criminals become more ruthless, businesses cannot rest on their laurels. Business leaders cannot afford to be just concerned or treat it as another risk management exercise. They need to effectively understand, carefully manage and thoroughly assess the security of their IT estate to continually get the basic defenses right. On top of this, adequate governance and employee education on cybersecurity can go a long way in protecting a business’s key capabilities and functions.”

Source: Information Security Magazine

North Korea Turns Cyber-Attention to Hacking for Profit

North Korea’s gaggle of state hackers appears to have a new objective: Money.

The hermit kingdom’s cadre of cyber-spies—estimated by South Korea to number around 1,700—are working overtime to steal cash from flush targets like international banking systems, according to a report from the South Korean government-backed Financial Security Institute. While attacks like the one on Sony Pictures have been retaliatory, and ongoing political spy campaigns are still the norm, hacking for profit has become a top focus area as the impoverished country looks to accumulate foreign currency to pay for imports. With harsh sanctions from the US looming, the country's cash position is set to decline even further.  

The report said the theft of $81 million from Bangladesh’s central bank can be traced back to North Korea, as can recent attacks on Polish banks. Also, there are indications that they planned to steal money from more than 100 other organizations. Meanwhile they’re involved in stealing bank-card data to drain accounts, selling stolen data on the Dark Web and developing malware to cheat at online gambling, the report said.

Kaspersky Lab in April tied the bank attacks to an offshoot of Lazarus, an APT group believed to be affiliated with the North Korean government. That offshoot, known as Bluenoroff, also has a cousin dubbed Andariel, according to the Financial Services Institute, that is behind at least seven hacking attacks on banks, defense contractors and others in South Korea over the last two years.

“Bluenoroff and Andariel share their common root,” the report said, as reported in the New York Times. “If Bluenoroff has attacked financial firms around the world, Andariel focuses on businesses and government agencies in South Korea using methods tailored for the country…Andariel is believed to focus on earning hard currency.”

Source: Information Security Magazine

Emotet Crimeware Adds Self-Propagation to the Mix

The Emotet crimeware is upping its game thanks to recent samples containing internal network propagation capabilities and the ability to scrape contact information from the victim’s Outlook.

It’s a recipe for potential virulence: As the recent WannaCry and Petya outbreaks have demonstrated, there’s immense potency involved in coupling malware with an on-board propagation component.

Emotet is a loader that has been observed in multiple campaigns globally, originally focused on credential theft, but also seen to have delivered banking trojans.

“It becomes an enterprise threat when it can propagate out, via mounted shares or the use of exploits or even both,” said researchers at Fidelis Threat Research, in an analysis. “The Wannacry and Petya campaigns have clearly demonstrated how inclusion of other techniques like credential dumpers (Mimikatz) and exploits (EternalBlue) can greatly accelerate propagation across enterprises…It stands to reason that crimeware authors have taken note of the broad impact observed in these particular events and are looking to incorporate spreader components in their toolkits.”

Emotet typically attacks via spam messages containing basic but effective social-engineering techniques.

“At first glance, these appear to be a fairly run-of-the-mill phishing campaigns complete with booby-trapped Word documents disguised as invoices,” said Barkly researchers, in a separate analysis. “But on further investigation, it appears Emotet is taking things a step further by scraping names and email addresses from victim Outlook accounts, then using that info to send out additional phishing emails from the compromised accounts.”

Barkly said that Emotet specifically homes in on any email messages with an unread status, and collects the sender name and email address from each unread message. As a result, the emails in these campaigns look as though they've been sent from a contact the recipient knows and has emailed in the past, which naturally increases their effectiveness.

It gets worse: Emotet will continue the attack on the original infected device by stealing additional account credentials, including Google accounts and other web mail/messaging services, and FTP accounts saved in Internet Explorer.

Researchers from Fidelis have also observed recent variants of Emotet exercising internal network propagation capabilities, notably focused on credential brute-forcing.

“For over a month now we have had speculations that Emotet had a network spreader component, a technique that has recently gained in popularity for using leaked exploits involving the worming of multiple forms of malware that it was using primarily to spread in internal networks, with some notable exceptions scanning the internet as well,” the researchers said. “Tracking the Emotet deliveries over time, we finally discover a very odd standalone executable which is actually a self-extracting RAR file containing two files.”

That file is the spreader, containing a bypass component that enumerates network resources. It looks for servers, and for each one it finds it will try to brute the user accounts and the administrator account. To do this, it enumerates the normal user accounts with NetUserEnum, and with a list of usernames in hand it will then attempt to brute the passwords for each user with an onboard password list. If no successful accounts are bruted then the program will attempt the password list against the administrator account.

If an account is compromised, the program will then copy the service component over to the remote computer and add a new service using the account.

“If successful, this propagation technique significantly raises the impact of an Emotet infection. Rather than dealing with a single compromised machine, you could have infections throughout the organization to deal with,” Barkly noted. “Even if it isn't successful, because brute-forcing is involved, infections also introduce the risk of account lockouts en masse.”
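A defender's view of the spreader behaviour described above, as an added example that is not from Fidelis, Barkly or the original article: it correlates Windows failed logons (event 4625), a following successful logon (4624) and a new service (7045) per source and target server. The normalized record fields, thresholds, host names, addresses and service names are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON, LOGON_OK, SERVICE_INSTALLED = 4625, 4624, 7045  # Windows event IDs

def _sample():
    """Constructed events: one spreading host, one user mistyping a password."""
    t0, events = datetime(2017, 7, 31, 9, 0, 0), []
    def add(event_id, host, src=None, account=None, service=None):
        events.append({"ts": t0 + timedelta(seconds=2 * len(events)), "host": host,
                       "event_id": event_id, "src": src, "account": account,
                       "service": service})
    for host in ("FS01", "FS02"):                 # normal user accounts are tried first
        for user in ("alice", "bob", "carol"):
            for _ in range(2):
                add(FAILED_LOGON, host, "10.0.5.23", user)
    for _ in range(2):                            # then the administrator account
        add(FAILED_LOGON, "FS01", "10.0.5.23", "administrator")
    add(LOGON_OK, "FS01", "10.0.5.23", "administrator")
    add(SERVICE_INSTALLED, "FS01", service="svc-constructed")
    for _ in range(2):                            # benign noise: a mistyped password
        add(FAILED_LOGON, "FS01", "10.0.5.40", "dave")
    add(LOGON_OK, "FS01", "10.0.5.40", "dave")
    add(SERVICE_INSTALLED, "APP02", service="backup-agent")
    return events

SAMPLE_EVENTS = _sample()

def _burst(fails, window, min_failures, min_accounts):
    """First run of failures inside one time window that meets both thresholds."""
    start = 0
    for end in range(len(fails)):
        while fails[end]["ts"] - fails[start]["ts"] > window:
            start += 1
        chunk = fails[start:end + 1]
        if (len(chunk) >= min_failures
                and len({f["account"] for f in chunk}) >= min_accounts):
            return chunk
    return None

def detect_spreader(events, min_accounts=3, min_failures=6,
                    window=timedelta(minutes=10)):
    """Flag source/target pairs showing password guessing across many accounts,
    then escalate if a logon and a service install follow on the same target."""
    events = sorted(events, key=lambda e: e["ts"])
    by_pair = defaultdict(list)
    for e in events:
        if e["event_id"] == FAILED_LOGON:
            by_pair[(e["src"], e["host"])].append(e)
    findings = []
    for (src, host), fails in by_pair.items():
        burst = _burst(fails, window, min_failures, min_accounts)
        if burst is None:
            continue
        finding = {"src": src, "host": host, "stage": "brute-force",
                   "accounts_tried": sorted({f["account"] for f in fails}),
                   "failures": len(fails), "compromised": None, "service": None}
        logon = next((e for e in events
                      if e["event_id"] == LOGON_OK and e["host"] == host
                      and e["src"] == src
                      and burst[0]["ts"] <= e["ts"] <= fails[-1]["ts"] + window), None)
        if logon:
            finding.update(stage="account-compromised", compromised=logon["account"])
            # 7045 records carry no source address, so correlate on host and time.
            svc = next((e for e in events
                        if e["event_id"] == SERVICE_INSTALLED and e["host"] == host
                        and logon["ts"] <= e["ts"] <= logon["ts"] + window), None)
            if svc:
                finding.update(stage="service-installed", service=svc["service"])
        findings.append(finding)
    return findings

if __name__ == "__main__":
    for f in detect_spreader(SAMPLE_EVENTS):
        print(f)
```

The many failures that drive this detection are the same activity behind the mass account lockouts Barkly warns about, so a "brute-force" finding is worth acting on even when no logon succeeds.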

This functionality should be seen as a sign of things to come as well.

Fidelis researchers concluded, “It seems to be a common trend lately for malware developers to add in functionality based on what’s in the news which recently has been filled with all things wormable, which could mean this might be a continued trend for malware in the future.”

Source: Information Security Magazine

German Police to Bypass Encryption by Hacking Devices

German police are set to make use of new laws to hack the devices of criminal suspects in order to monitor communications, bypassing the need to force tech companies to provide encryption backdoors.

Local media reports referencing Interior Ministry documents claimed that law enforcers will be able to make use of new Remote Communication Interception Software (RCIS) to target Android, iOS and BlackBerry mobiles.

The idea is to hack into suspects’ devices in order to read communications at source. This would seem to be a neat way of monitoring targets without the need to engage with providers of services like WhatsApp, iMessage and Telegram.

Tech companies including Facebook and Apple have been steadfast in refusing to engineer backdoors for law enforcers – arguing that it would undermine security for millions of innocent users and businesses. As most are based in the US, it’s unlikely that the German government alone could do anything about it.

That’s why they’re working to install backdoors on targeted devices themselves.

Tom van de Wiele, principal security consultant at F-Secure, railed against misleading media reports claiming the encrypted messages themselves on platforms like WhatsApp could be hacked by police.

“The police are installing backdoors on suspect phones using phishing or other ways, as well as they should if they want to catch someone committing a crime or with ample evidence that that person requires further investigation,” he told Infosecurity Magazine. “If you control the phone then of course you control what was received and what is being sent from the phone, encrypted or not.”

The German parliament recently passed a new law expanding the power of the police to hack devices belonging to all criminal suspects and not just terror suspects.

This is in stark contrast to the situation in the UK, where the new Investigatory Powers Act grants police the power to hack devices irrespective of suspicion of criminal activity.

However, activists in Germany are still worried about the move, especially as the authorities have been revealed to have bought surveillance software from infamous provider FinFisher, as a back-up in case their own RCIS 2.0 tools are leaked or get compromised.

By using third party provider tools, governments could skirt legal restrictions on what they can and can’t do, according to Deutsche Welle.

The European Commission claimed back in March that it was planning to give tech communications providers “three or four options” forcing them to make the communications of suspects available to police, ranging from voluntary measures to legislation.

In related news, rights groups have this month signed a joint open letter to EU member states urging more to be done to reform EU rules governing the export of surveillance equipment.

It claimed over 330 export license applications for such technology have been made to 17 EU authorities since 2014; with 317 granted and only 14 rejected.

Source: Information Security Magazine

Global Operation Ends in Arrest of US DDoS Suspect

Law enforcers in Australia, Canada and the US are celebrating the arrest of a 37-year-old Seattle man in connection with DDoS attacks on numerous businesses.

The two-and-a-half-year cross-border investigation began in early 2015, after a string of organizations in the three countries were hit with DDoS-related outages and follow-up extortion attempts from an individual.

On Wednesday, the FBI finally arrested a suspect in Seattle. The Iranian-born US citizen has been charged with various cyber offenses and is being detained in custody, according to the Australian Federal Police (AFP).

“This is a timely reminder to cyber-criminals that international law enforcement is a team sport. Our ability and willingness to work together at a distance and across borders has never been greater,” said AFP Cyber Crime Operations manager, commander David McLean.

“I would like to thank our international partners for their cooperation as well as for their patience and persistence in bringing about this result. I would also like to acknowledge the companies who were victims of the attacks for their ongoing co-operation.”

The success of this global law enforcement effort comes hot on the heels of the takedown of two of the world’s biggest darknet marketplaces: AlphaBay and Hansa.

That was described by Europol chief, Rob Wainwright, as “one of the most sophisticated law enforcement operations against cybercrime that we’ve ever seen”.

The volume of global DDoS attacks actually decreased by 30% year-on-year in the first three months of 2017, according to Akamai.

However, with Mirai and similar malware offering attackers a relatively easy way to launch huge DDoS attacks, there remain challenges.

Unlike the above attacks investigated by Aussie, Canadian and US law enforcers, some are used by cyber-criminals and state hackers to mask information-stealing and other online raids, as they typically distract IT teams.

In December, Europol helped to co-ordinate an operation designed to target another source of attacks, “DDoS-for-hire” tools.

In that operation, 34 arrests were made, many of them young adults.

Source: Information Security Magazine