
Archive for September 2017

Monero-Mining Campaign Takes the Easy Road to Cash Gains


A nefarious cryptocurrency mining operation has been going on since at least May 2017, with attackers infecting unpatched Windows 2003 webservers. So far, the bad actors have managed to net more than $63,000 worth of Monero on the backs of unsuspecting administrators whose machines have been enslaved for their processing power—all without putting too much effort into the proceedings. 

According to ESET, the bad actors have modified legitimate open-source Monero mining software and exploited a known vulnerability in Microsoft IIS 6.0, to covertly install the miner on unpatched servers. Over the course of three months, the crooks behind the campaign have created a botnet of several hundred infected victim endpoints. Together their computing power offers a powerful “drill” to uncover Monero (XMR), one of the newer cryptocurrency alternatives to Bitcoin.

Campaigns like this often don’t achieve the notoriety of flashier attacks, but they’re no less concerning.

“While the world is holding its breath, wondering where notorious cyber-criminal groups like Lazarus or Telebots will strike next with another destructive malware such as WannaCryptor or Petya, there are many other, less aggressive, much stealthier and often very profitable operations going on,” ESET researchers noted in a blog.

The choice of Monero is interesting too: It offers “features” that make it more attractive to criminals than the more venerable Bitcoin.

“While far behind Bitcoin in market capitalization, Monero has several features that make it a very attractive cryptocurrency to be mined by malware—untraceable transactions and a proof of work algorithm called CryptoNight, which favors computer or server CPUs and GPUs, in contrast to specialized mining hardware needed for Bitcoin mining,” ESET researchers explained, adding that the exchange rate has jumped up from $40/XMR to $150/XMR just in the past month, and seems to be averaging a healthy $100/XMR.

When creating the malicious mining software, the crooks took the path of least resistance: They didn’t apply any major changes to the original open source codebase. So, the distribution of the miner to victims’ computers is the hardest part of the operation, but even here, the attackers went for the easiest approach. Two IP addresses are conducting weekly simple brute-force scans for the CVE-2017-7269 vulnerability, present in Windows Server 2003 (which has reached end-of-life and is unsupported by Microsoft).

“This vulnerability is especially susceptible to exploitation, since it’s located in a webserver service, which in most cases is meant to be visible from the internet and therefore can be easily accessed and exploited by anyone,” ESET researchers said. They added that in this campaign, “We see that minimal know-how together with very low operating costs and a low risk of getting caught—in this case, misusing legitimate open-source cryptocurrency mining software and targeting old systems likely to be left unpatched—can be sufficient for securing a relatively high outcome.”


Have you registered for Infosecurity North America taking place in Boston, 04-05 October 2017? For the full agenda, speaker list and more information, please visit https://www.infosecurity-magazine.com/conferences/infosecurity-north-america/


Source: Information Security Magazine

Whole Foods Investigates Payment Card Breach


Whole Foods Market has disclosed a point of sale (PoS) breach, where hackers were able to access payment card information for plastic used at the taprooms and full table-service restaurants located within some stores.

To be clear, the issue doesn’t affect the grocery shopping check-out systems at stores.

“These venues use a different point of sale system than the company’s primary store checkout systems, and payment cards used at the primary store checkout systems were not affected,” the company said in a statement. “When Whole Foods Market learned of this, the company launched an investigation, obtained the help of a leading cyber security forensics firm, contacted law enforcement, and is taking appropriate measures to address the issue.”

No word yet on how many locations or cards are affected, but John Suit, CTO at Trivalent, said via email that attacks like this could be prevented with a better security posture.

“The recent Whole Foods breach demonstrates the importance of rigorous transaction data protection technology to combat the growing sophistication of point of sale system attacks,” he said. “To get ahead of these risks, retailers and businesses must understand that traditional encryption is no longer enough. Next generation data protection solutions are immediately needed to ensure protection of personally identifiable information such as credit card details. These solutions secure data at the file-level, keeping it safe from unauthorized users—even in the event of a breach.”

The high-end organic food chain deserves kudos for its network segmentation, however—famously, it was a lack of this that led to the massive size of the Target breach.

“Companies face threats every day and breaches will occur. In a contested environment like this, segmenting the networks, like Whole Foods did with its unique restaurant and taproom environment, saves other parts of the business from also being breached,” said Michael Daly, CTO for the Raytheon cybersecurity business, via email. “Financial systems within the larger Whole Foods system were not affected. The climate and operations controls were not compromised protecting massive amounts of food and inventory.  Whether the segmented approach was happenstance or not, there is a lesson to be taken from today’s breach.”




Source: Information Security Magazine

Though Companies Lag in Compliance, Brexit Not (Totally) Derailing UK GDPR Plans


When it comes to how prepared UK businesses are to comply with the EU’s General Data Protection Regulation (GDPR) May 2018 deadline, they’re roughly in line with their US counterparts—meaning that companies on both sides of the pond are lagging in their efforts. And for the UK, Brexit’s effect is not as widespread as feared.

With only eight months to comply with the GDPR, the most sweeping change to data protection in decades, companies all over the world are determining how to best adjust their internal systems and processes in order to address compliance requirements.

TrustArc together with Dimensional Research surveyed 203 UK and 204 US IT professionals at companies with more than 500 employees, and found that while privacy and data protection are becoming increasingly important foci for IT departments (96% US; 94% UK), GDPR compliance efforts are lacking across the board.

Among both UK and US privacy professionals, more than 60% of respondents have not begun their GDPR implementation, and 90% said they need to invest in additional capabilities to comply with the new standard. Just over half are investing in technology and tools to automate and operationalize data privacy (55% US; 57% UK).

Interestingly, more US than UK companies expect to invest significant amounts of money to comply with GDPR: About 83% of US companies expect GDPR spending to be at least $100,000, whereas only 69% of UK companies expect to spend the same amount (74,000 GBP). Further, almost a quarter (23%) of large US companies (over 5,000 employees) expect to spend more than $1 million (740,000 GBP) as compared to 19% of large UK companies.

Also, despite fears to the contrary, for UK companies, Brexit is not derailing their GDPR efforts, at least not entirely. Three-quarters of respondents in the UK (74%) said they are not reducing their GDPR budgets due to Brexit. However, a quarter (26%) of UK respondents said they are reducing their investment in GDPR remediation and another quarter (26%) indicated that they were putting their GDPR programs on hold until they could determine the impact of Brexit and the proposed UK Data Protection Bill on the GDPR. Only 32% of UK respondents indicated that Brexit has had no impact on their GDPR programs at all.

“The findings from both the US and UK surveys are in line with what we’re hearing from our clients about the increased complexity of privacy management and the critical role of technology investments for complying with GDPR and for establishing an accountability program that is easy to implement and manage,” said Chris Babel, CEO of TrustArc. “Regardless of their location, companies are under extreme pressure to efficiently comply with the growing number of regulations like GDPR, and as a trusted partner, we are committed to empowering privacy professionals with the resources they need.”




Source: Information Security Magazine

Uber London Ban Sees Rise in Malicious Taxi Apps


Security researchers have warned of a rise in malicious apps masquerading as legitimate taxi-hailing services, as cyber-criminals look to capitalize on Transport for London (TfL)’s recent decision to ban Uber.

TfL issued its controversial decree last Friday, immediately leading to strong calls from all sides to have the private hire company reinstated. A petition has so far accrued over 820,000 signatures from irate users of the service.

As with most things, it appears as if the black hats are already trying to coat-tail on the news, in a bid to lure Uber users looking for an alternative way to get around London.

Official apps for Addison Lee, Gett and MyTaxi saw downloads collectively soar by 159% over the week, according to App Annie figures seen by the BBC.

However, RiskID said it looked at five taxi hailing apps and found 56 instances of each app with the company’s brand in the title.

“These apps were on average found in 20 different app stores, with an average of two apps per brand that are flagged as serving adware or directing to known bad sites,” warned EMEA VP, Fabian Libeau. “Users need to be aware of their existence and potential growth in number.”

He urged users to visit only official app stores when downloading apps, and to check the developer to make sure they’re legitimate.

“Checking out the number of downloads and reviews it has received will also help. Finally, inspect the permissions the app is asking for,” he concluded. “While a taxi app will require more than others, beware of requested permissions that don’t seem necessary. For example, during our initial insight, we saw camera or Bluetooth access, as well as admin privileges and download without a notification.”

In reality, there’s no rush to find a new app. Uber is still allowed to operate in the capital while it prepares its appeal and won’t be officially banned until the current license expires on September 30 2018.

The ban was levied due to concerns over Uber’s approach to reporting serious driver offences, driver safety and medical checks, and its use of controversial Greyball software to evade TfL officials.

However, many have leaped to the defense of the service, which is used by an estimated 40,000 drivers and 3.5 million customers in London. Many punters complain London’s black cabs are expensive, slow, dirty and unsafe.

Source: Information Security Magazine

ICANN Postpones Major Internet Security Update


Internet oversight body ICANN has postponed plans to change the cryptographic key that protects the global Domain Name System (DNS), claiming that some infrastructure operators aren’t ready.

Changing the key involves generating a new cryptographic key pair and distributing the new public component to Domain Name System Security Extensions (DNSSEC)-validating resolvers.

However, newly-obtained data appears to show that a 'significant' number of resolvers used by ISPs and network operators aren’t yet ready, potentially affecting as many as 750 million netizens.

ICANN claimed there could be multiple reasons why resolvers aren’t ready for the key rollover, including misconfigured resolver software.

ICANN said it is reaching out to its Security and Stability Advisory Committee, the Regional Internet Registries, Network Operator Groups and other stakeholders to try and fix the issues.

“The security, stability and resiliency of the domain name system is our core mission. We would rather proceed cautiously and reasonably, than continue with the roll on the announced date of 11 October,” said ICANN president and CEO, Göran Marby.

“It would be irresponsible to proceed with the roll after we have identified these new issues that could adversely affect its success and could adversely affect the ability of a significant number of end users.”

The so-called “key signing key” (KSK) rollover was slated for October 11 but will now be postponed. ICANN's Office of the Chief Technology Officer is hoping to reschedule for the first quarter of 2018, but that will depend on how easy the problem is to fix.

In the meantime, Marby suggested network operators use the extra time to get their systems in order, using ICANN’s testing platform to ensure their resolvers are properly configured with the new key.

The KSK rollover is part of a process to make the internet more secure which began all the way back in May 2016.

Source: Information Security Magazine

Phishers Use Private Banking Messages to Lure Victims


Security experts are warning of a new phishing campaign designed to trick private banking clients into downloading covert malware onto their machines.

The spoof emails employ classic phishing techniques to socially engineer their targets, including the use of legitimate-looking banking domains and secure messages of the sort often received by private banking customers.

“This is appealing to criminals because the targets are of high value and already trust intimate communications from their banks,” explained Barracuda Networks. “Criminals also like that in order for targets to act on these messages, they need to be connected to the internet because the viewing happens in a web portal, which means that they are now vulnerable to downloading malicious content.”

The security vendor claimed to have seen many variations on the same theme over the past month, targeting multiple lenders including Bank of America and TD Commercial Banking.

“In some instances, these messages have an attached Word document that contains a malicious script that will rewrite the files in the users’ directory on Windows machines once the victim opens the document,” it added.

“Depending on the script in the attachment, there’s a potential for typical anti-virus software to miss the threat altogether because the Word documents contained in these ‘secure messages’ could be benign and allowed to be downloaded or opened when they’re first received.”

Once downloaded, attackers can update the script to something far more malicious such as ransomware or an info-stealer, the vendor claimed.

User training and awareness alongside layered security featuring advanced sandboxing and anti-phishing capabilities will help mitigate the threat.

Phishing remains the most commonly exploited attack vector, according to a new study out this week.

Staff are most often victims of spoofing and impersonation (67%), followed by branded (35%) and seasonal (31%) attacks, according to IronScales.

Staff training has long been a part of best practice security, but research from Accenture Security this week revealed that over half (55%) of UK employees can’t remember even having been given training: a sure sign it’s not working.

Source: Information Security Magazine

Dark Web Drug Suspect Cuffed On Way to Beard Contest


A suspected dark web drug kingpin has been arrested in the US on the way to a beard-growing contest, it has emerged.

Gal Vallerius, 38, was cuffed in Atlanta International Airport at the end of August en route from his home in France to the competition in Austin, Texas.

Searching his laptop, border officials apparently found hundreds of thousands of dollars in Bitcoin, a Tor browser, and PGP keys linked to an “OxyMonster”.

That name is used by an administrator and senior moderator on Dream Market: a typical darknet drugs marketplace.

According to a DEA affidavit filed in Florida, the authorities have been investigating the site for around 18 months, buying small amounts of drugs to gain the trust of the admins.

They found OxyMonster listing 11 controlled substances including OxyContin and Ritalin for sale and shipment anywhere in the world from France, with a profile listing 60 prior sales.

Tracing a Bitcoin address used for “tips” from satisfied customers, they followed it back to a Localbitcoins.com account registered to Gal Vallerius, according to the Miami Herald.

They then found Vallerius on Twitter and Instagram and noted stark similarities between his writing style and that of OxyMonster.

Vallerius is expected to be transferred to Miami soon, where he will face a conspiracy indictment that could land him up to life in prison if found guilty.

The case is yet another example of the inroads law enforcers are making into so-called dark web sites, usually by capitalizing on mistakes made by those arrested.

In July, two major international law enforcement operations led to the takedown of AlphaBay and Hansa: two of the dark web’s biggest marketplace sites, responsible for the trading of over 350,000 illicit commodities.

An FBI-DEA operation tracked the founder and administrator of AlphaBay – a Canadian citizen – to Thailand, where he was arrested on 5 July and millions of dollars in crypto-currency seized.

Source: Information Security Magazine

Europol: Over Two Billion EU Records Compromised Last Year


Ransomware has “eclipsed” most other global cybercrime threats over the past 12 months, with critical infrastructure (CNI) particularly vulnerable and urgent work needed to combat social engineering, according to Europol.

The regional police network claimed in its 2017 Internet Organised Crime Threat Assessment (IOCTA) that the first half of 2017 saw ransomware fired out on an unprecedented scale, with WannaCry and NotPetya indiscriminately infecting those with poor digital hygiene.

“The extent of this threat becomes more apparent when considering attacks on critical infrastructure. Previous reports have focused on worst-case scenarios, such as attacks on systems in power plants and heavy industry,” the report continued.

“However, it is clear that a greater variety of critical infrastructures are more vulnerable to ‘every-day’ cyber-attacks, highlighting the need for a coordinated EU law enforcement and cross-sector response to major cyber-attacks on critical infrastructure.”

These ‘everyday’ attacks include DDoS attacks launched via booters/stressers, which are the most common, with over 20% of countries reporting incidents to law enforcement. Vulnerable IoT devices such as those compromised by Mirai have made life even easier for the attackers in this regard, the report argued.

Elsewhere, Europol warned that while law enforcement and industry action had helped to halt the spread of exploit kits, this has forced the black hats to lean more heavily on spam bots and social engineering to distribute threats.

“The success of such attacks is demonstrated by the trend of large-scale data breaches,” claimed Europol. “In a 12-month period, breaches relating to the disclosure of over two billion records were reported, all impacting EU citizens to some degree.”

Europol claimed CNI firms need to be “better educated, prepared and equipped to deal with these attacks”, using the GDPR and NIS Directive to improve baseline security. It added that law enforcement’s “prevention and awareness” strategies needed to adapt to the growth of social engineering as an “essential tactic”.

Ilia Kolochenko, CEO of High-Tech Bridge, argued that ransomware will be around for at least another decade.

“Many organizations and individuals have abandoned machines they have not updated for years for various reasons, from overt negligence to complicated business processes and compliance. Worse, many large companies and governmental organizations don’t even have a comprehensive and up-to-date inventory of their digital assets, and are not even aware that such systems exist,” he added.

“Professional cyber-criminals also start leveraging recent vulnerabilities and advanced exploitation and encrypting techniques in their campaigns, making ransomware a headache even for companies with well-managed cybersecurity.”

Kirill Kasavchenko, principal security technologist at Arbor Networks, argued that botnets are the fuel that fires many large-scale cyber-attacks today.

“To stop criminals from seeing cybercrime as a lucrative source of income, there must be collaboration and intelligence sharing to ensure hackers are not able to hold organisations to ransom and disrupt critical industries,” he added.

Source: Information Security Magazine

Norway Joins Global Cyber-Defense Hub


Furthering the trend of global knowledge-sharing, Norway said this week that it plans to join the NATO Cooperative Cyber Defence Centre of Excellence.

The Nordic country will bring the total number of nations cooperatively working within the NATO-accredited knowledge hub to 21.

Located in Tallinn, Estonia, the NATO CCD COE is a research institution, and training and exercise center. Considered an international military organization, its community of nations provides a 360-degree look at cyber-defense, with expertise in the areas of technology, strategy, operations and law.

“Potential enlargement of our multinational team proves that our Centre continues to be attractive for Allies,” said Merle Maigre, director of the NATO CCD COE. “We all win from being open to collaboration among like-minded nations in the cyber-domain. We welcome the decision of Norway, one of the founding allies of NATO, as this further strengthens our Centre's cyber-defense expertise.”

Norway seeks to join the Centre as a sponsoring nation, which is a membership status available to all NATO allies.

NATO CCD COE is home of the Tallinn Manual 2.0, the most comprehensive guide on how international law applies to cyberoperations. The Centre also organizes the world’s largest and most complex international technical live-fire cyber-defense exercise, Locked Shields, and hosts the International Conference on Cyber Conflict, aka CyCon.

The Centre is staffed and financed by its sponsoring nations and contributing participants. Belgium, the Czech Republic, Estonia, France, Germany, Greece, Hungary, Italy, Latvia, Lithuania, the Netherlands, Poland, Slovakia, Spain, Turkey, the United Kingdom and the United States are signed on as sponsoring nations of NATO CCD COE. Austria, Finland and Sweden have become contributing participants, a status eligible for non-NATO nations.

Source: Information Security Magazine

Sonic Drive-In Hit By Breach, Millions of Cards Potentially Affected

Sonic Drive-In Hit By Breach, Millions of Cards Potentially Affected

Sonic Drive-In, the US fast-food chain where car-hops are still a thing, is the latest victim of a security breach affecting an unknown number of store payment systems—but it could be millions of victims.

Sonic has confirmed that they have been investigating unusual payment card activity since being informed by their credit card processor last week.

First disclosed by independent researcher Brian Krebs, the compromise came to light via a pattern of fraudulent transactions on cards that had previously been used at one of Sonic’s 3,600 locations.  

“I began hearing from sources at multiple financial institutions,” Krebs noted in a post. Those cards were then found to be part of a cache of five million credit and debit card accounts that were first put up for sale in mid-September on a dark web site called Joker’s Stash, all indexed by city, state and ZIP code. They're going at a premium, too: between $25 and $50 per card.

“I should note that it remains unclear whether Sonic is the only company whose customers’ cards are being sold in this particular batch of five million cards at Joker’s Stash,” Krebs said. “There are some (as yet unconfirmed) indications that perhaps Sonic customer cards are being mixed in with those stolen from other eatery brands that may be compromised by the same attackers.”

Christi Woodworth, vice president of public relations at Sonic, confirmed the incident and told Krebs that the investigation hasn’t yet uncovered how many cards or which of its stores may be impacted.

The attack on Sonic is the latest fast-food hack, following the Wendy’s data breach earlier this year. It’s also part of a pattern in other ways.

 “The Sonic breach is another in a long line of retail breaches stemming from an attack on a third-party,” said Fred Kneip, CEO at CyberGRX, via email. “The Target hackers accessed data through an HVAC vendor, Home Depot and Hilton Hotels were breached through a point-of-sale vendor, and now hackers have breached Sonic by exploiting a credit card processing vendor. Organizations with expansive digital ecosystems need to understand that their attack surface extends to third parties and that they will bear the financial and reputational consequences of vulnerabilities across their network of vendors, partners and suppliers. By performing proper risk assessments on third parties within their digital ecosystem, merchants can uncover weak security controls and work with the vendor to remediate these issues before vulnerabilities are exploited.”

Those that recently visited a Sonic Drive-In should keep an eye out for suspicious account behavior, monitor financials regularly, check bank statements often and look out for transactions that one doesn’t recognize.

“Be proactive after hearing about a breach. Don’t wait to be notified by a company whose services you use, if they suffer a data breach. Take matters into your own hands. If you think a company you use has seen customer data compromised, contact your bank and look through your records to see if you were affected,” Gary Davis, chief consumer security evangelist at McAfee, said via email.




Source: Information Security Magazine