Archive for March 2018

GoScanSSH Malware Avoids US Military, South Korea Targets

A new strain of malware that targets vulnerable Linux-based systems is loose in the wild, with an interesting habit of avoiding government and military networks.

Dubbed GoScanSSH (a mash-up of its hallmarks: its Golang-based coding, its ability to scan for new hosts from infected machines, and use of the SSH port), the malware is being used in a widespread campaign that includes more than 70 unique malware samples and multiple versions, indicating that this threat is continuing to be actively developed and improved upon by the attackers. The earliest instance of a variant dates back to last summer, so the campaign has been ongoing for at least nine months.

Its main effort seems to be in infecting as many machines as possible, potentially creating a botnet for future use in more damaging attacks.

According to Cisco Talos researchers, bad actors gain access to targets using an SSH-credential brute-force attack against publicly accessible SSH servers.  

“In this particular series of attacks, the attacker was leveraging a word list containing more than 7,000 username/password combinations,” they explained in a posting. “Once the attacker has discovered a valid credential set that allows successful SSH authentication, a unique GoScanSSH malware binary is then created and uploaded to the compromised SSH server. The malware is then executed, thus infecting the system.”

Immediately following infection, the GoScanSSH malware attempts to determine how powerful the infected system is and assigns the malware instance a unique identifier, which is all sent to the command-and-control (C&C) server. From there, it initiates SSH scanning activity to find additional vulnerable SSH servers exposed to the internet.

It specifically avoids IP addresses assigned to the US Department of Defense and several in South Korea. The reason for this is unclear.

“It is difficult to fully get inside the head of attackers, but one theory could be that the attackers know that nation-states are resourced and have the political and networking connections to perform accurate attribution,” said Dan Matthews, director of engineering at Lastline, via email. He added, “This attack does not appear complex, although they have done two things which differ from recent commodity malware: written in Go, which is an efficient/cross-platform/modern/cool programming language; and added an IP address validation step prior to performing dictionary attacks against publicly reachable SSH servers.”

Once it has been determined that the selected IP address is an ideal candidate for additional attacks, the malware attempts to obtain valid SSH credentials by attempting to authenticate to the system using the aforementioned wordlist containing username and password combinations. If successful, the malware reports back to the C&C server.

Organizations should employ best practices to ensure that servers they may have exposed remain protected, including ensuring that systems are hardened, that default credentials are changed prior to deploying new systems to production environments and that these systems are continuously monitored for attempts to compromise them.
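As an added example (not from the Talos report or the original article), the following Python detector applies the monitoring advice above to sshd logs: it flags source IPs whose failed password attempts span many usernames, as a wordlist-driven attack would, and escalates when a password login from the same source then succeeds. The log lines are constructed, and the function name and thresholds are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in OpenSSH's syslog format (documentation IP ranges).
SAMPLE_LOG = """\
Mar 27 10:00:01 web1 sshd[901]: Failed password for invalid user admin from 203.0.113.5 port 40111 ssh2
Mar 27 10:00:02 web1 sshd[902]: Failed password for root from 203.0.113.5 port 40112 ssh2
Mar 27 10:00:03 web1 sshd[903]: Failed password for invalid user ubnt from 203.0.113.5 port 40113 ssh2
Mar 27 10:00:03 web1 sshd[904]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Mar 27 10:00:04 web1 sshd[905]: Failed password for invalid user guest from 203.0.113.5 port 40114 ssh2
Mar 27 10:00:05 web1 sshd[906]: Failed password for invalid user test from 203.0.113.5 port 40115 ssh2
Mar 27 10:00:09 web1 sshd[907]: Accepted password for alice from 198.51.100.7 port 51002 ssh2
Mar 27 10:00:10 web1 sshd[908]: Accepted password for pi from 203.0.113.5 port 40116 ssh2
Mar 27 10:01:00 web1 sshd[909]: Failed password for root from 192.0.2.44 port 33001 ssh2
Mar 27 10:01:01 web1 sshd[910]: Failed password for invalid user admin from 192.0.2.44 port 33002 ssh2
Mar 27 10:01:02 web1 sshd[911]: Failed password for invalid user oracle from 192.0.2.44 port 33003 ssh2
Mar 27 10:01:03 web1 sshd[912]: Failed password for root from 192.0.2.44 port 33004 ssh2
Mar 27 10:01:04 web1 sshd[913]: Failed password for invalid user postgres from 192.0.2.44 port 33005 ssh2
"""

# The user group is greedy and the pattern is anchored at end of line, so a
# client-supplied username containing " from ... port ..." cannot spoof the IP.
EVENT_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>.*) from (?P<ip>\S+) port \d+ ssh2$"
)


def analyze(log_text, min_failures=5, min_users=3):
    """Return {ip: finding} for sources that behave like a dictionary attack.

    min_failures and min_users are illustrative thresholds, not values from
    the article; tune them against your own baseline.
    """
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "accounts": []})
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        s = stats[m["ip"]]
        if m["result"] == "Failed":
            s["failures"] += 1
            s["users"].add(m["user"])
        elif s["failures"] >= min_failures and len(s["users"]) >= min_users:
            # A password login succeeded after this source already looked
            # like a wordlist attack: treat the account as compromised.
            s["accounts"].append(m["user"])

    findings = {}
    for ip, s in stats.items():
        if s["failures"] >= min_failures and len(s["users"]) >= min_users:
            findings[ip] = {
                "failures": s["failures"],
                "distinct_users": len(s["users"]),
                "severity": "compromise" if s["accounts"] else "bruteforce",
                "accounts": s["accounts"],
            }
    return findings


if __name__ == "__main__":
    for ip, finding in analyze(SAMPLE_LOG).items():
        print(ip, finding)
```

The single mistyped password from 198.51.100.7 followed by a successful login is not flagged, because it stays below both thresholds.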

As Matthews said, “The best thing any organization can do to protect against password reuse attacks is to enable some type of multifactor authentication, particularly for services such as VPNs, SSH servers and web/cloud-based email services, which are reachable from the internet.”

Source: Information Security Magazine

College Kids Turn to Crypto-Mining, Riddling Higher-Ed Networks

The higher-education landscape has become a fertile field for growing crypto-mining revenue. College students are crypto-mining from their dorm rooms, while outside actors are targeting their online activities for web-based attacks.

According to Vectra’s 2018 RSA Conference Edition of its Attacker Behavior Industry Report, higher education is a prime arena given that students are usually not protected by universities’ open networks. These same students also do their own crypto-mining, because they get free electricity.

“Students are more likely to perform crypto-mining personally as they don’t pay for power, the primary cost of crypto-mining,” said Chris Morales, head of security analytics at Vectra. “Universities also have high-bandwidth capacity networks with a large volume of easy targets, especially as students are more likely to use untrusted sites (like illegal movies, music and software) hosting crypto-mining malware.”

The report, which analyzed traffic and collected metadata from more than 4.5 million devices and workloads from customer cloud, data-center and enterprise environments, found that 60% of cryptocurrency mining detections occurred in higher education, followed by entertainment and leisure (6%), financial services (3%), technology (3%) and healthcare (2%). Mining overall has surged with the rising price of cryptocurrencies like Bitcoin, Monero and Ethereum.

Colleges and universities aren’t just over-indexing in crypto-mining. The highest volume of attacker behaviors per industry was in higher education (3,715 detections per 10,000 devices) followed by engineering (2,918 detections per 10,000 devices).

This is primarily due to command-and-control (C&C) activity in higher education, according to the report, and internal reconnaissance activity in engineering. To the former point, C&C activity in higher education, with 2,205 detections per 10,000 devices, is four times above the industry average of 460 detections per 10,000 devices. These early threat indicators usually precede other stages of an attack and are often associated with opportunistic botnet behaviors, Vectra said.

When higher-education institutions detect crypto-mining, they can only respond by notifying students that the activity is occurring. They can provide assistance in cleaning machines, or in the case of the student being responsible, they can issue a cease-and-desist. As such, the problem is likely to persist.

“Students are exceedingly intelligent and very enterprising,” said Daniel Basile, executive director of the Security Operations Center (SOC) at Texas A&M University. “This is a time that many of them are working with new technologies, and it is not surprising that they are utilizing their machines for cryptocurrency mining. However, there is also a large increase in websites that will crypto-jack your PC while you are on their website. This new trend of mining Bitcoin for revenue instead of ads can directly affect students. With the increase in online video streaming resources, this creates a large amount of cryptocurrency mining.”

Source: Information Security Magazine

Under Armour's MyFitnessPal Sees 150 Million Accounts Compromised

The MyFitnessPal virtual health and wellness assistant has copped to a data breach affecting 150 million accounts; hackers made off with user names, email addresses and bcrypt-hashed passwords.

While details of how hackers exploited the accounts are still emerging, this appears to be the largest data breach of 2018 to date.

The intrusion occurred in February, but the Under Armour–owned company said in a notice that it wasn't aware of the breach until March 25. Fortunately, the affected data did not include Social Security numbers or driver's license numbers, because the app doesn’t collect that information; nor did it affect payment card data, which in another win for network segmentation, is collected and processed separately.

While the event thankfully doesn’t impact financial accounts, John Gunn, CMO at VASCO Data Security, pointed out that there’s an opportunity to up the ante on data security across the board.

“This event, like similar ones where credit-card data is not taken in a breach, demonstrates the value of enforcing security requirements,” he said, via email. “If businesses applied the Payment Card Industry Data Security Standards (PCI DSS) to all data and not just credit-card information, you would see a lot less personal information, such as user names, email addresses and passwords, getting into the hands of hackers.”

MyFitnessPal users are being required to change their passwords. In terms of mitigation, users should of course immediately do that, but they should also be aware that the information taken could be used for phishing attacks, which is where the real danger lies. Any user should avoid clicking on links in emails, social media posts or other messages that seem to have come from Under Armour or MyFitnessPal.

Also, if a user repurposes the MyFitnessPal password on any other websites, especially for banking accounts or similar websites, they should immediately change their passwords on those websites – and choose a different, strong password for each one.

“The reuse of passwords in situations like this may seem like a short lapse in judgment, but this data that aligns names and email addresses with passwords is a potential disaster for anyone who reuses their passwords across multiple sites and accounts,” said Lisa Baergen, marketing director of MasterCard-owned NuData Security, via email.

Source: Information Security Magazine

Infosecurity Magazine System Upgrade: 30th March-1st April

Infosecurity Magazine will be undergoing a system upgrade from Friday March 30th until Sunday April 1st 2018. During this time users will be unable to access their member accounts and any member only content.  All other content will be available to access as normal.

Thank you for your patience during this upgrade. 

Any questions or queries please contact us on: infosecurity.magazine@reedexpo.co.uk 

Source: Information Security Magazine

Microsoft Products Are Hackers’ Favorite — Report

The majority of vulnerabilities used by cyber-criminals last year in phishing attacks and exploit kits were found in Microsoft products, with some dating back several years, according to Recorded Future.

The security vendor followed up a similar 2016 report by analyzing thousands of sources — including code repositories, deep web forum postings, and dark web onion sites — to spot “co-occurrences” with known software flaws.

Unlike the 2016 and 2015 reports, where Adobe Flash dominated the rankings, Microsoft led the way with seven out of the top 10 vulnerabilities.

The most commonly observed vulnerability was CVE-2017-0199, found in several Microsoft Office products and allowing attackers to download and execute a Visual Basic script containing PowerShell commands from a malicious document.

It was spotted in multiple phishing attacks and linked to 11 separate pieces of malware, while exploit builders for the flaw were seen on the dark web last year being sold for between $400 and $800, according to the report.

The second most frequently cited vulnerability, CVE-2016-0189, appeared on the 2016 rankings. It’s an Internet Explorer vulnerability which served as a popular avenue for exploit kits in 2017, Recorded Future claimed.

Alongside these two were five more Microsoft vulnerabilities dating from 2017, 2016 and even 2014. The three Adobe Flash bugs on the list were first published in 2015 and 2016.

The continued popularity of these flaws should be a timely reminder of the need to patch known vulnerabilities. Just this week, for example, Boeing was caught out after some machines in its South Carolina facility were infected with WannaCry.

Overall, however, Recorded Future claimed to have seen a decline in exploit kit activity — a 62% drop in new variants.

“The observed drop in exploit kit activity overlaps with the rapid decline of Flash Player usage,” explained report author, Scott Donnelly. “Users have shifted to more secure browsers, and attackers have shifted as well. Spikes in cryptocurrency mining malware and more targeted victim attacks have filled the void.”

The firm urged users to switch to Google Chrome as their primary browser; improve user training; frequently back up to mitigate the risk of ransomware; use ad-blockers to prevent malvertising; and remove affected software if it doesn’t impact key business processes.

It also warned firms to be aware that social sites like Facebook may use Flash, exposing users to cyber-risk.

Source: Information Security Magazine

Boeing Computers Hit by WannaCry

Aerospace giant Boeing was struck with the notorious WannaCry ransomware this week, but initial fears it had infected a production facility have since been dismissed as speculation.

Chief engineer, Mike VanderWel, sent an “all hands on deck” email round internally on Wednesday, according to the Seattle Times.

“It is metastasizing rapidly out of North Charleston and I just heard 777 [automated spar assembly tools] may have gone down,” he’s reported to have said. “We are on a call with just about every VP in Boeing.”

Once the dust had settled, an official statement indicated that the incident was limited to a “few machines” which were subsequently patched and remediated. However, head of communications, Linda Mills, admitted that it had taken time to assess the scale of the problem at Boeing’s South Carolina facility.

“Our cybersecurity operations center detected a limited intrusion of malware that affected a small number of systems. Remediations were applied and this is not a production and delivery issue,” the statement noted.

The incident is a timely reminder of the latent risk posed even by cyber-threats for which there are security updates available.

The Windows SMB vulnerability exploited by WannaCry was actually patched by Microsoft a couple of months before the ransomware struck in May 2017, causing catastrophic damage around the world on hundreds of thousands of endpoints.

The NHS was perhaps most notably affected, with an estimated 19,000 operations and appointments cancelled and a third of the health service hit.

Sporadic outbreaks have appeared ever since, with Honda forced to temporarily close a plant in June last year, weeks after the first attack struck.

Still, it appears as if ransomware is increasingly being eschewed by the black hats in favor of crypto-currency mining malware.

Trend Micro claimed the number of ransomware-related threats it blocked last year stood at 631 million, down from over one billion in 2016.

Source: Information Security Magazine

FTSE 100 Firms Fail to Share Security Plans

Most FTSE 100 companies are not being transparent with their board or the wider public about security strategy, according to new Deloitte research.

The global consultancy analyzed reporting practices on cyber-risk covering all FTSE 100 annual reports in the year ending 30 September 2017.

It found that just 21% disclosed that they provide cybersecurity updates to the board on a regular, monthly to bi-annual, basis. Even fewer (20%) disclosed details of specific cyber-risk testing, such as ethical hacking, designed to find vulnerabilities in their IT systems.

The research revealed that FTSE 100 firms are either under-investing in cybersecurity or failing to be transparent about their efforts, which could be a missed opportunity to reassure investors and customers they understand the online threat.

Organizations must focus their efforts on analyzing the business for any weaknesses which could be exposing them to hackers, argued Pete Banham, cyber-resilience expert at Mimecast.

“It has never been more imperative for businesses to implement a cyber resilience strategy,” he added. “This should include strong methods of protection, combined with a reliable archive and recovery strategy for data that will ensure uninterrupted access and use of vital systems like email in the event of a breach.”

The opacity in reporting highlighted by Deloitte will need to change when the GDPR lands in May, according to the firm’s head of cyber risk services, Phill Everson.

“As we see GDPR regulations introduced from May 25 this year this becomes even more important as they require regulators to be notified within 72 hours of a breach,” he explained. “In preparation, companies will be looking at their processes for delivering security updates to the right people in a timely manner. However, with just two months to go to GDPR, our analysis shows there is still some work to do.”

However, things are moving in a more positive direction. Some 89% of respondents claimed to recognize cyber threats as a “principal risk” and identified multiple impacts of a breach including disruption to business and operations (70%), data loss (58%), reputational damage (56%) and financial loss (54%).

“Over the past two years, one in five companies disclosed the creation of a brand new role or body to have overall accountability on cyber,” Everson continued. “This shows that companies are upgrading their approach to match the raised level of threat. This brings the total number of FTSE 100 companies with a clearly identified person or team with cybersecurity responsibility to 38, but we would like to see 100%, and expect investors would as well.”

Source: Information Security Magazine

HiddenMiner Stealthily Drains Androids for Monero Mining

New Android malware that stealthily mines the Monero cryptocurrency is posing as a legitimate Google Play update app (complete with Google Play’s icon), so far affecting users in India and China where third-party app stores are more popular.

According to Trend Micro researchers, the malware is being used in a notably successful and active campaign; in one case, operators withdrew over $5,000 worth of Monero from one wallet.

Dubbed HiddenMiner, it lives up to its name by using various obfuscation techniques, including anti-emulator capabilities, to evade detection and automated analysis. It also hides from the victim by emptying the app label, using a transparent icon and hiding the app from the app launcher.

The malware requires users to activate it as a device administrator; once downloaded it will persistently pop up until victims click the "Activate" button. Once granted permission, HiddenMiner will start mining Monero in the background and will automatically run with device administrator permission until the next device boot. There’s no switch, controller or optimizer in HiddenMiner’s code, which means it will continuously mine Monero until the device’s resources are exhausted, which will drain the battery and potentially cause a device to overheat.

The bad code is just the latest malware to hop on the Monero-mining bandwagon; Monero takes fewer resources to effectively mine than other forms of virtual currency.

“Indeed, HiddenMiner is yet another example of how cybercriminals are riding the cryptocurrency mining wave,” said the researchers in a blog. “For users and businesses, this reinforces the importance of practicing mobile security hygiene: download only from official app marketplaces, regularly update the device’s OS (or ask the original equipment manufacturer for their availability), and be more prudent with the permissions you grant to applications.”

Source: Information Security Magazine

Facebook Expands Bug Bounty Amid Spiraling Privacy Scandal

Amid a data privacy scandal that has blown up worldwide, Facebook has decided to make a few changes to “review developers' actions for evidence of misuse, implement additional measures to protect data, and give people more control of their information.”

For one, the social network is expanding its bug bounty program to reward people for reporting misuses of data by app developers. Details are as yet scant, but the change seems apropos given the revelations that Cambridge Analytica was able to scrape private user data on 50 million Americans using an internecine path around convoluted terms of service, Facebook login loopholes and an obsolete API that the platform made available up until 2014.

Facebook has also paused app review while it reviews its current situation and policies – again, likely a wise move given that the US's Federal Trade Commission has opened up a closed-door inquiry into the company’s privacy practices.

Other efforts to reduce the potential of future scandals include an in-depth investigation of all apps that had access to large amounts of information before Facebook changed its platform in 2014 to reduce data access and full audits of any apps with suspicious activity. The company will also inform users if an app is removed for data misuse of personally identifiable information and will ban the developer.

Additionally, Facebook said that developers that build applications for other businesses, that is, the Cambridge Analyticas of the world, “will need to comply with rigorous policies and terms,” which it promised to publish in the coming weeks.

“We know these changes are not easy, but we believe these updates will help mitigate any breach of trust with the broader developer ecosystem,” said Ime Archibong, vice president of platform partnerships at Facebook, in a blog.

Source: Information Security Magazine

Legal Departments Struggle with GDPR Role

The General Data Protection Regulation (GDPR) is set to take effect on May 25, and research suggests that while businesses are busy scrambling to fill data protection officer (DPO) vacancies, other areas of the organization, especially the legal department, could be taken by surprise.

According to logistics firm BDO, about half (48%) of legal team respondents in a recent survey claim GDPR is not applicable to their organization. Given that any US or foreign company that deals with EU citizens’ personal data – the definitions of which are not entirely clear – will be subject to the GDPR’s stringent requirements, that perception is likely not in line with reality.

“It behooves every organization – whether they touch EU personal data or not – to regularly review how information is used and managed to maximize its value and minimize risk,” said Karen Schuler, BDO National Information Governance practice leader. “GDPR is just the catalyst for a higher standard of data privacy and protection to which every company should aspire.”

This confusion comes as digital assets increasingly become corporate counsels’ purview: Among respondents whose organizations have a defined information governance program, 42% of those programs are led by legal, surpassed only by the CIO (47%).

At the same time, legal officers’ cyber-responsibilities continue to expand: 73% of respondents believe their boards are more involved in cybersecurity than they were 12 months ago. About a third (34%) of the counsel surveyed say their organizations will increase cyber-investment by 10% or more in the next 12 months.

The survey also uncovered that, to keep pace with mounting digital risks, almost half (46%) of senior counsel plan to increase their investment in information governance in the next 12 months.  

“Ultimately, today’s corporate counsel must take a holistic view of their organization’s digital risk profile – assessing risk based on data flows, cross-functional interdependencies and global operations – and play a proactive, rather than reactive, role in risk-based strategic planning,” said Stephanie Giammarco, partner and BDO Technology & Business Transformation Services practice leader.

Source: Information Security Magazine