Intelligent Connections. Recruiting Integrity.
Call Us: 415-510-2973

Archive for May 2018

Open Redis Servers Infected with Malware

Open Redis Servers Infected with Malware

After scanning 72,000 publicly available Redis (REmote DIctionary Server) servers with attack keys garnered through honeypot traffic, Imperva today reported that 75% of the publicly available Redis servers were hosting the attacks registered in the honeypot. 

Three-quarters of the servers contained malicious values, which Imperva said is an indication of infection, and more than two-thirds of the open Redis servers contained malicious keys. The honeypot data also revealed that those infected servers with "backup" keys were attacked from a medium-sized botnet (610 IPs) with 86% of the IPs located in China.

Security research team leader at Imperva, Nadav Avital wrote in a blog post today that the high percentage of infections was most likely because they are being directly exposed to the internet. "However, this is highly unrecommended and creates huge security risks." 

Earlier this year, Imperva reported on the RedisWannaMine attack, which propagates through open Redi and Windows servers. Since then, the researchers have learned of additional attacks. 

A tool with many attributes, Redis can be used as an in-memory distributed database, cache or message broker. Because it is designed to be accessed by trusted clients inside trusted environments, Redis should not be publicly exposed.

"To help protect Redis servers from falling victim to these infections, they should never be connected to the internet and, because Redis does not use encryption and stores data in plain text, no sensitive data should ever be stored on the servers," Avital wrote. 

"Security issues commonly arise when people don’t read the documentation and migrate services to the cloud, without being aware of the consequences or the adequate measures that are needed to do so," he continued. 

The research revealed the magnitude of the problem within 24 hours of being made public. Once publicly available, the servers of Imperva customers were targeted by vulnerability scanners and crypto-mining infections and attacked more than 70,000 times by 295 IPs.

"The attacks included SQL injection, cross-site scripting, malicious file uploads, remote code executions etc. These numbers suggest that attackers are harnessing vulnerable Redis servers to mount further attacks on the attacker’s behalf," Avital said. 

"As a side note, going through the huge amount of publicly available data, we found private SSH keys that can be used to access servers, certificates that can be used to decrypt network traffic, PII, and more sensitive data," he said.

Source: Information Security Magazine

Stress Relief App Turns Stressful for Facebook

Stress Relief App Turns Stressful for Facebook

Despite having downloaded an application intended to help them relax through painting, unsuspecting Facebook users have been exploited by a malicious application that instead collects sensitive information. 

According to a 30 May post on Cylance's Threat Vector written by Kim Crawley, "‘Relieve Stress Paint’ isn’t an app that’s embedded in Facebook though. Rather, cyberattack targets received links to download the malicious application through Facebook messages or email. The cyber attackers exploited the perceived legitimacy and integrity of Facebook and AOL’s brands to transmit their Trojan."

While the targeted victims do indeed receive an application that can be used for painting, lurking in the background is a malicious payload that is grabbing sensitive Facebook session cookies, login credentials and similar data. 

Cylance found that the attackers' preferred targets are Facebook users who have their own Pages with lots of followers and payment data that is linked to their accounts. 

"While ‘Relieve Stress Paint’ is installed on a Windows machine, ‘DX.exe’ remains persistent on the system, and ‘uplink.dll’ is likely the malicious dynamic link library which grabs the target’s sensitive Facebook data," Crawley wrote. 

Researchers have found that at least 35,000 users around the globe – including Vietnam, Russia, Pakistan, Indonesia, Ukraine, Italy, Romania, Kazakhstan, Egypt, Estonia and France – have been affected. Almost 3,000 victims in Vietnam alone have fallen victim to this targeted campaign dubbed the Relieve Stress Paint Trojan. 

Facebook users are cautioned to beware of applications that come through unsolicited messages on Facebook. "Even developers of legitimate commercial software who are in the business of making money won’t send people unsolicited Facebook messages in order to market their product," Crawley wrote. 

Source: Information Security Magazine

Canadians Unsure What to Do Post-Identity Theft

Canadians Unsure What to Do Post-Identity Theft

An overwhelming majority of Canadians reported that they wouldn't know what actions to take if their identity were stolen in a data breach, according to new research from dragonfly id.

Partnering with ThinkHatch and Haven Insights, dragonfly id surveyed 425 Canadians over the course of four days in early March 2018. The goal of the survey was to understand how much Canadians know about the steps they should take to retrieve data in the aftermath of an identity breach. Results showed that 83% of respondents don't know what to do to restore their identities.   

Given the current state of the economy, the number of data breaches being reported daily and the impact identity theft has on both companies and consumers, younger respondents agreed that it's important to educate consumers on the need to have a restoration service in place for when a breach does happen.

"As age increased, concerns about online identity theft of personal data and records tended to decline," according to a 30 May press release issued by dragonfly id.

A majority (65%) of respondents also said that they really don't understand how criminals are able to compromise their identities online. Only 5% of respondents said they have a good understanding of the way thieves can steal personal information. 

Of the respondents, 46% believe it would take fewer than 50 hours to restore someone's identity after it was stolen. 

Karey Davidson, president of dragonfly id, said that a low-level identity theft breach could take between two to five weeks to resolve. However, if an attacker engages in a more sophisticated and comprehensive attack and gains access to more detailed identity information, recovering one's identity could take up to six months.

"Canadians are becoming increasingly more concerned with the impact of identity theft on their personal and financial lives. They are unsure about how to deal with the fraud that can result [in] and, in particular, the time and the steps that it takes to resolve a breach," Davidson said in the press release. 

Earlier this month, Peter Boys, Canadian Association of Farm Advisors wrote an opinion piece in The Stettler Independent. Boys noted that according to a recent annual fraud survey commissioned by the Chartered Professional Accountants of Canada (CPA Canada), Canadians are growing increasingly more concerned about identity theft.

Recognizing that citizens are fearful that businesses in Canada are more vulnerable to cyber-attacks, Boys warned, "Fraud comes in many different forms, from credit card theft, mail theft, mortgage fraud, [and] skimming to hacking. In today’s ever-evolving economy, change is rapid, and the threat of fraud is constant. Canadians are strongly encouraged to be aggressive in protecting themselves against fraud."

Source: Information Security Magazine

Senators Urge Bolton to Reconsider Cyber-Tsar Role

Senators Urge Bolton to Reconsider Cyber-Tsar Role

A group of 19 senators have called on the Trump administration to reverse its decision to drop a key cybersecurity role from the upper echelons of government.

An open letter to national security adviser (NSA), John Bolton, expressed concern that the lack of a special assistant to the President and cybersecurity coordinator would hamper US efforts at precisely the wrong time.

It detailed concerns from US lawmakers and intelligence officials of Russia’s growing confidence in conducting audacious cyber-attacks against its geopolitical enemies.

“Our country’s cybersecurity should be a top priority; therefore, it is critically important that the US government present a unified front in defending against cyber-attacks. Eliminating the cybersecurity coordinator role keeps us from presenting that unified front and does nothing to deter our enemies from attacking us again,” the letter continued.

“Instead, it would represent a step in the wrong direction. Again, we urge you to send a strong signal to the rest of the world that cybersecurity is a top priority by reconsidering the elimination of the cybersecurity coordinator.”

News that the position had been dropped broke earlier this month, after the White House chose not to replace Trump’s first appointee to the role, Rob Joyce, whose departure was announced in April.

It’s believed controversial NSA Bolton was behind the decision, which came amidst a spate of departures from the National Security Council following his appointment.

The decision was justified on the basis of “streamlining management” reducing bureaucracy and increasing accountability by placing decision-making firmly in the National Security Council.

It’s unlikely that the letter will change policy, given that all 19 senators are Democrats, even though it features the signatures of heavyweights including Elizabeth Warren and Mark Warner, the latter vice-chairman of the powerful Senate Intelligence Committee.

Source: Information Security Magazine

Icann Files Suit in Germany in Bid to Clarify GDPR

Icann Files Suit in Germany in Bid to Clarify GDPR

Internet oversight body Icann has filed a one-sided lawsuit in Germany in a bid to clarify its GDPR obligations, after clashes with European regulators.

Icann is taking action after EPAG, part of the Tucows group, decided to no longer collect “administrative and technical contact information” for the Whois database as it believes it would conflict with the new privacy legislation.

However, failing to do so breaks the terms of Icann’s recently created Temporary Specification.

Although the oversight body believes the new rules comply with the GDPR, Tucows disagrees, claiming it breaks the principle of data minimization if it means the registry is required “to store and process personal data belonging to people with whom we have no legal or contractual relationship.”

There are also issues with Icann’s requirement that registrars send all data collected to the relevant registry as it contravenes the principle of data use only when a legitimate legal basis applies, Tucows said.

“Icann has also required that we continue to publish the organization, state/province, and country fields in the public Whois. We disagree that the organization should be published because, although it is optional, many people do not realize this and put their own first and last names in the organization field,” Tucows added. “We do not want to expose the personal data of these registrants because of a misunderstanding, and it will take considerable time to educate registrants and cleanse this data from the field.”

For Icann and the US government, this is a serious matter as they believe Whois data is a critical resource for law enforcers and IP rights holders and one which should be kept intact.

That sets Washington yet again on a collision course with Brussels.

It should also be mentioned that Icann’s one-sided filing should help to stay any further GDPR-related legal action against the body until a decision is made.

Andy Kays, CTO of Redscan, argued that Whois can be an invaluable resource in helping to track down phishers and spammers.

“An accreditation scheme, that would vet access to personal data in Whois records for special interest groups such as the police, security researchers and journalists, would certainly be very welcome and help to address concerns,” he added. “Planning to implement such a vetting system should have started years ago but by only recently attempting to outline its proposals, Icann shows that it has been too slow to react to the global impact of the GDPR.”

Source: Information Security Magazine

EU Agencies Join to Tackle Dark Web Crime

EU Agencies Join to Tackle Dark Web Crime

In an effort to strengthen their ability to fight cybercrime on the dark web, multiple law enforcement agencies have come together to establish a Dark Web Team. Europol announced yesterday that it will work with EU partners and global law enforcement agencies to reduce the size of the underground crime economy.

In a 29 May event that marked the official launch of the new Europol Dark Web Team, stakeholders from the European Commission, Interpol, and Eurojust joined with law enforcement agents from 28 countries in The Hague, the Netherlands, and expressed their enthusiasm over the expanded efforts to take down cybercriminals on the dark web.

Through its European Cybercrime Centre (C3), Europol has been actively monitoring the dark web for several years. Investigations in the underground marketplaces have yielded an array of tools, tactics and techniques used by cybercriminals. 

As a result, Europol, in partnership with other law enforcement agencies, has successfully shut down AlphaBay and Hansa, "two of the largest marketplaces responsible for the trading of over 350 000 illicit goods like drugs, firearms and cybercrime tools, such as malware," according to a Europol press release

The reported success of the crime-fighting partnerships has led to a reduced number of illicit transactions, with Europol reporting that some dark web traders have closed down their platforms for fear of getting caught. 

The dedicated Dark Web Team will share information through a coordinated approach, allowing the different agencies to provide operational support and varying degrees of expertise in the wide range of cybercrimes that they are fighting.  

Chief commissioner Ivaylo Spiridonov, director of the Bulgarian general directorate combatting organised crime, delivered the opening remarks on behalf of the current Presidency of the Council of the EU and highlighted that “today’s expert assembly will further enhance the law enforcement’s ability to find sustainable solutions and a common coordinated approach to respond to criminality on the dark web.”

Source: Information Security Magazine

Tesla Car Crashes into Police SUV

Tesla Car Crashes into Police SUV

Police are investigating a 29 May crash in which the driver of a Tesla Model S car struck a parked police vehicle in Laguna Beach, California, at 11:07 a.m. local time. The police cruiser, though unoccupied, was damaged when the Tesla’s front end rammed into the rear driver’s side of the patrol car.

The driver of the 2015 Model S car, who suffered minor injuries, told investigators that the car was in autopilot. According to a Tesla spokesperson, “When using Autopilot, drivers are continuously reminded of their responsibility to keep their hands on the wheel and maintain control of the vehicle at all times.”

Tesla told Infosecurity Magazine the company has always been clear that Autopilot doesn’t make the car impervious to all accidents. “Before a driver can use Autopilot, they must accept a dialogue box which states that ‘Autopilot is designed for use on highways that have a center divider and clear lane markings,’” the spokesperson wrote in an email.

Many Twitter users have weighed in on the crash, expressing both defense of Tesla and concern over the expectations of what autopilot is actually capable of. In response to news of the crash, one person tweeted, “IMO, Tesla tech gives a driver an invaluable 2nd set of eyes that make the car way safer than most … BUT it seems the pattern emerging is drivers believing they purchased a chauffeur ! – driver aid NOT driver replacement.”

In related news, another Tesla owner endured a crash in Seattle, Washington, yesterday. While the company continues crash tests for the Tesla Model 3, electrek reported that the owner of a Model 3 was rear-ended yesterday but said that the car “performed miraculously.”

In his story of the crash published on Tesla Motor Club, the car owner, known as Anatari, wrote that he was traveling along the I-90 tunnel at 65 mph when he was hit from behind by another vehicle. Anatari said he lost control of the car.

The car then spun out of control and hit the freeway divider wall, “all the way on the other side of the freeway 4 lanes across, and then bouncing back all the way back to the other side of the freeway and hitting that wall before coming to a stop.

“Thankfully the model 3 performed miraculously, crumple zones compressed, airbags deployed, no fire after the accident, and no one in my family seems to be seriously injured.”

Source: Information Security Magazine

To Keep Them Safe Online, Teach Them to Phish

To Keep Them Safe Online, Teach Them to Phish

Security experts in Hamilton, Bermuda, yesterday hosted a live hacking demonstration showing event attendees the ease with which attackers are able to gain access to a corporate network through a phishing email campaign. 

The event, hosted by the (ISC)Bermuda Chartering Chapter, revealed the tricks that hackers use to get email recipients to click on malicious links and share their personal information. Dionach senior technical consultant Mark Phillips and business development manager Mathew Sofiyani simulated the phishing attacks.

According to the Royal Gazette, the demonstration warned that "having gained controlled of a compromised computer, an attacker is in a position to monitor everything that goes on, operate inbuilt microphones, webcams, and record key strokes to capture username and password details. If it is a company workstation that is compromised that could lead to serious and costly damage to an internal network, and the loss of valuable corporate data."

These events are an effort to raise awareness and share technical expertise, with good reason. Symantec's 2018 Internet Security Threat Report found that "spearphishing is the number one infection vector, employed by 71 percent of organized groups in 2017."

A classic example is the tech support scam, and since the GDPR has prompted many organizations to make customers aware of changes to their privacy policies, attackers have leveraged that communication as another avenue for scams.

Penetration testers and ethical hackers are increasing their efforts to help organizations educate their employees on not only the inherent dangers of phishing campaigns but also how to spot a malicious email.

On 29 May, The Wall Street Journal broke down the anatomy of a phishing attack as explained by Shawn Moyer, a founding partner at Atredis Partners

Attackers look for a way into the company and use social engineering tactics to hack the trust of unsuspecting users. Then comes the attack. Yet there are several ways to avoid falling victim to an attack.

Phillips showed yesterday's event attendees that hovering over links reveals the actual URL destination and pointed out the distinctions between "http" and "https". 

End users were also advised to read carefully in order to spot spelling errors. While phishing is far more problematic, brazen attackers also use "vishing" and engage with their targets over the phone. The goal is always to get the victim to reveal personal information, which Phillips said is very easy for attackers to do. 

Source: Information Security Magazine

Spear-Phisher Gets Five Years for Helping FSB Yahoo Hackers

Spear-Phisher Gets Five Years for Helping FSB Yahoo Hackers

A Canadian man has been handed down a five-year prison sentence for his part in a Russian government conspiracy which resulted in the compromise of 500 million Yahoo accounts.

Kazakhstan-born Karim Baratov, 23, pleaded guilty in November 2017 to spear-phishing at least 80 webmail accounts belonging to “individuals of interest” for the Russian intelligence service the FSB. He’s then said to have sent the account passwords to a co-conspirator in exchange for money.

Baratov is also said to have hacked more than 11,000 webmail accounts in total from around 2010 until his March 2017 arrest in Canada.

Although he wasn’t directly responsible for the Yahoo breach, his co-conspirators in the FSB and fellow “hacker-for-hire” Alexsey Belan were, according to the Department of Justice. Baratov’s job was in fact to hack user accounts for non-Yahoo providers such as Gmail.

The persons of interest Baratov helped the FSB to monitor included Russian journalists, US and Russian government officials and private-sector employees of financial, transportation and other companies, the DoJ said in a detailed description of the case back in March 2017.

“It's difficult to overstate the unprecedented nature of this conspiracy, in which members of a foreign intelligence service directed and empowered criminal hackers to conduct a massive cyber-attack against 500 million victim user accounts,” said FBI special agent in charge John Bennett.

“Today's sentencing demonstrates the FBI's unwavering commitment to disrupt and prosecute malicious cyber actors despite their attempts to conceal their identities and hide from justice.”

The judge also ordered Baratov to pay a fine of $250,000, apparently claiming the large sum would make up for the relatively lenient sentence, which prosecutors wanted doubled.

The compromise of 500 million user accounts at Yahoo is not thought to be linked to the other breaches affecting billions of customers.

Source: Information Security Magazine

US Government Warns of North Korean APT Malware

US Government Warns of North Korean APT Malware

The US-CERT has released a new technical alert warning of two pieces of malware it says are being used by the North Korean government.

The joint alert comes from the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) and refers to the prolific APT group known as Hidden Cobra.

The two pieces of malware it’s using are: remote access trojan (RAT) Joanap and SMB worm Brambul.

“According to reporting of trusted third parties, Hidden Cobra actors have likely been using both Joanap and Brambul malware since at least 2009 to target multiple victims globally and in the United States — including the media, aerospace, financial, and critical infrastructure sectors,” US-CERT claimed.

The US government has found Joanap on 87 compromised network nodes in 17 countries including China, Spain, Sweden, India, Brazil and Iran.

“Joanap malware is a fully functional RAT that is able to receive multiple commands, which can be issued by Hidden Cobra actors remotely from a command and control server,” the alert continued. “Joanap typically infects a system as a file dropped by other Hidden Cobra malware, which users unknowingly downloaded either when they visit sites compromised by Hidden Cobra actors, or when they open malicious email attachments.”

Joanap operates covertly, moving laterally inside an infected network to any connected nodes, said US-CERT.

“Brambul malware is a brute-force authentication worm that spreads through SMB shares. SMBs enable shared access to files between users on a network,” it added. “Brambul malware typically spreads by using a list of hard-coded login credentials to launch a brute-force password attack against an SMB protocol for access to a victim’s networks.”

The US-CERT urged organizations to mitigate the risk posed by these attacks by: keeping systems up-to-date with patches and the latest AV, applying least privilege policy to permissions, scanning and blocking suspicious email attachments, disabling Microsoft’s File and Printer Sharing service and configuring personal workstation firewalls to deny unsolicited connection requests.

Source: Information Security Magazine