Intelligent Connections. Recruiting Integrity.
Call Us: 415-510-2973

Archive for June 2018

Attackers Pick Microsoft Office for Zero-Day Exploits

Attackers Pick Microsoft Office for Zero-Day Exploits

Being top choice as an attack vector is likely not a contest any platform wants to win. Unfortunately for Microsoft, Office will not only continue to be the attackers’ vector of choice but will also be the platform for exploiting vulnerabilities, according to a new report from Menlo Security.

After 360 Total Security blogged about “the first APT (Advanced Persistent Threat) campaign that forms its attack with an Office document embedding a newly discovered Internet Explorer 0-day exploit,” Menlo Security researchers sought to understand why attackers were using malicious Office documents for endpoint exploitation.

Malicious Microsoft Office documents attached to emails as an attack delivery mechanism are not new, but the report, Microsoft Office: The New Platform for Exploiting Zero-Days, detailed the latest examples of the growing sophistication of methods being used and highlighted the need for a more foolproof approach to security. 

Even while the paper was being drafted, a new zero-day exploit – CVE-2018-5002 – was disclosed, all while two Flash zero-day vulnerabilities continue to be exploited in the wild.

“There is likely to be an increase in attacks via malevolent email attachments using stealthily embedded, remotely hosted malicious components that leverage application and operating system vulnerabilities, both old and new,” the report stated.

Researchers did find new attack methods, however. One is the use of embedded, remotely hosted malicious components exploiting app and OS vulnerabilities in Word documents delivering zero-day exploits.   

Microsoft Word is the leading cloud office-productivity platform, and it’s popularity is expected to grow. In turn it will, presumably, continue to be the attackers’ vector of choice and the platform most often used to exploit vulnerabilities.

The researchers found that almost all recent zero-day attacks have been delivered via Microsoft Word. “With CVE-2018-8174 and CVE-2018-5002, the attackers leveraged Word as a vector to exploit Adobe Flash Player and Internet Explorer. By using Word as the vector, the attackers were able to exploit a browser, even if it is not the default browser, and exploit Flash, even though Flash is blocked by most enterprises," according to the report.

"Microsoft is therefore undoubtedly going to become the platform that attackers leverage most to deliver their zero-day exploits,” the report conlcuded.

Source: Information Security Magazine

New HospitalGown Variant in iOS, Android Apps

New HospitalGown Variant in iOS, Android Apps

More than 3,000 mobile iOS and Android apps have presumably been affected by a new HospitalGown threat variant recently discovered by Appthority. The threat occurs when app developers fail to require authentication to Google Firebase databases, potentially leaving private data exposed.

Researchers first discovered what they call the HospitalGown vulnerability in 2017 after broadening their understanding of enterprise mobile threats by looking at the data leakage through back-end data stores that are unsecured. In a 31 May 2017 post, researchers wrote, “This vulnerability…can expose an enterprise to Big Data exfiltration, leakage of PII (personally identifiable information), and the potential for data being stolen and ransomed.”

As of the time Appthority reported the vulnerability, the apps affected by the Firebase variant had been downloaded 620 million times for Android devices. Researchers said 62% of enterprises were exposed to the loss of sensitive data through this vulnerability. The vulnerability is reportedly both critical and significant and has likely impacted productivity, health and fitness, communication, cryptocurrency, finance and business apps.

“The large number of vulnerable apps and the wide variety of data shows that enterprises can’t rely on mobile app developers, app store vetting or simple malware scans to address data security. To keep their data safe and stay in compliance with regulations like GDPR, HIPAA and PCI, they need to be investing in deep app analysis that detects these types of vulnerabilities,” Seth Hardy, Appthority director of security research, said in a 19 June press release.

Because mobile developers are under pressure to release a product, “the rush to market can result in developers and line-of-business owners overlooking rather basic security practices that might prevent this sort of issue. It's not hard to find mobile development talent, but finding a mobile developer with security expertise is rare, and so developers need all the help they can get," said Samuel Bakken, senior product marketing manager, OneSpan.

Given that mobile application security is so critical to enterprise security, “this vulnerability underscores why sectors such as healthcare and finance are increasingly adopting multilayered security strategies and incorporating passive biometrics and behavioral analytics to help ensure that the previously stolen data cannot be used for fraudulent purposes,” said Ryan Wilk, VP of customer success, NuData Security.

Source: Information Security Magazine

Oregon.Gov Email Domain Remains Blacklisted

Oregon.Gov Email Domain Remains Blacklisted

The state of Oregon continues efforts to resolve an email issue with the oregon.gov domain that is still preventing communication from state employees.

On 19 June, Oregon Live reported that agency directors across the state of Oregon received a message alerting them to a phishing attack that generated over eight million spam emails from an oregon.gov email address.

“This happened over the weekend and was caught on Monday. Unfortunately, we did not catch it before external mail providers downgraded the Oregon.gov sender reputation score – a score that shows how mailbox providers view your IP address. As a result of this incident, mail from Oregon.gov has been blacklisted by certain providers,” the message said.

Email providers, including Outlook, MSN, Hotmail and Live, have blacklisted emails attempting to come in from Oregon’s state email domain. As a result, mail from any state employee sent to those email domains will not be received.

State employees were reportedly told by Amy Williams, a spokeswoman for the Department of Administrative Services (DAS), that they may have to use an alternate email address. Williams also suggested that members of the public attempting to contact state employees should include phone numbers in their emails.

While Gov. Kate Brown reportedly declined to comment on the status of the cybersecurity posture of the state of Oregon, DAS is working with the Department of Enterprise Technology Services and the Enterprise Technology Office to rectify the situation. The attack on state email addresses serves as a reminder that phishing campaigns are rampant and sophisticated.

“Emails from a well-known and trusted sender are likely to be acted on by a person of that organization. Without the use of specialized email defenses and multifactor authentication, it is not surprising that these types of attacks are growing quickly globally,” said Matthew Gardiner, cybersecurity expert at Mimecast.

Attackers love to steal users’ email log-in credentials from organizations such as the state of Oregon as this access can be used to quickly pivot the attack to breach other organizations that regularly do business with the state. This technique forms the basis of many supply-chain style attacks.”

Source: Information Security Magazine

Fortnite's Android Debut Sees Malicious Apps Launched

Fortnite's Android Debut Sees Malicious Apps Launched

As Fortnite fans await its mobile debut on Android, YouTube videos have been detected claiming to contain downloads for the game.

After various tutorial videos were discovered, research by Malwarebytes into the videos found that tutorial apps were not in the Google Play store, but users found links in YouTube’s sponsored adverts which appear legitimate, and feature the Epic Games logo.

Nathan Collier, senior malware intelligence analyst at Malwarebytes, found that upon downloading and opening the app it plays the Fortnite intro song and requests updates to be downloaded, before requesting mobile verification from the user.

“There, it claims to be for the purpose of verifying 'You’r Not A BOT' (bad grammar and all) in order to proceed to Fortnite,” Collier said. “To ‘verify’ the user must complete a task, which involves downloading another ‘free’ app.”

This directs to Google Play, but Collier said no matter how many apps you download, the game never unlocks, because it never existed within the malicious app in the first place.

He said: “The more downloads that come from the website, the more money the malware developers can make. With the app being so simplistic, the amount of development effort is pretty low for the amount that could be potentially gained.”

James Hadley, CEO and founder of Immersive Labs, said: “Fortnite’s popularity, driven by gamers including the England football team, means there is an opportunity for cyber-criminals to take advantage of the demand for the game and the latest releases.

“In life, if something seems too good to be true, it usually is just that; and cyber is no different. Cyber-criminals rely on the draw of a new, exciting or trendy app outweighing the perceived negatives; in this case, getting an early release of Fortnite on Android for downloading another app.”

Javvad Malik, security advocate at AlienVault, said that ongoing user awareness is essential to ensure users are savvy to the risks that can affect them, and defenses to stop such malware making its way into app stores, or running on devices, needs to be continually improved.

Steve Giguere, lead EMEA engineer at Synopsys, added: “There's no shame in being caught out by schemes or scams like these, but we need to learn that where we exhibit human weakness, the cyber-criminal will be present looking to take advantage to turn our nature against us.

“As attacks like these become more common place, awareness will inevitably follow; but until then, ensure you are running a modern endpoint security program and remember that if you think it looks too good to be true, don't take the bait – it's called phishing for a reason.”

Source: Information Security Magazine

A Third of UK Orgs Have Sacked Employees for Data Breach Negligence

A Third of UK Orgs Have Sacked Employees for Data Breach Negligence

Almost a third of UK organizations have sacked an employee as a result of data breach negligence, according to new research from Shred-it’s Security Tracker report.

The firm carried out a survey of three sample groups – 1000 small business owners, 1000 C-suite execs of large organizations and 1100 consumers/employees to expose security risks currently threatening UK companies.

A key finding was that businesses recognize employee negligence as playing a major or moderate role in data security breaches, but that a significant percentage are failing to take action with robust information security training programs.

Only just over half (55%) of the large organizations surveyed had trained their workers on public Wi-Fi use, whilst almost a third had failed to provide training on spotting fraudulent emails. Smaller businesses faired a lot worse, with just 46% of them offering necessary key training; only 27% had provided public Wi-Fi training and a third offered fraudulent email training.

“It might feel like rough justice for employees to be held to account when training is not comprehensive, but it reflects how difficult this process is, even for businesses with extensive resources,” said Neil Percy, vice-president market development and integration EMEA, Shred-it.

“There may also be an assumption that some elements are common sense, but that potentially belies how easy it is to be duped by skilled phishers and hackers, or even to lose confidential info during the course of a busy day. Mindfulness is key and training helps.”

Source: Information Security Magazine

Attackers Spy and Steal from Financial Firms

Attackers Spy and Steal from Financial Firms

In an attempt to steal sensitive data, cyber-criminals have been targeting financial firms by building hidden tunnels in order to break into networks. According to a report released today by Vectra, these attack behaviors are the same as those that led to the 2017 Equifax breach. 

According to a new report, 2018 Spotlight Report on Financial Services, attackers are able to gain remote access through the use of command-and-control (C&C). In the data analyzed, attackers had established nearly 30 web shells accessible from approximately 35 different public IP addresses, which allowed them to exfiltrate data while going undetected.

Attackers often leverage hidden tunnels to infiltrate networks with strong access controls because legitimate applications also use hidden tunnels to bypass security controls that can sometimes compromise full functionality. That's why it's a successful attack method.

"Every industry has a profile of network and user behaviors that relate to specific business models, applications and users," said Chris Morales, head of security analytics at Vectra. "Attackers will mimic and blend in with these behaviors, making them difficult to expose."

In this latest discovery, Vectra detected more hidden C&C tunnels and more than twice as many hidden data-exfiltration tunnels per 10,000 devices in financial services than all other industries combined. 

To evade firewalls, attackers use special tunneling tools to move laterally, stockpiling data from database after database as they go. They were able to amass so much data that it then needed to be divided into smaller stockpiles so that no alarm bells went off during exfiltration. 

"All this points to one painful fact: The largest enterprise organizations in the world remain lucrative targets for sophisticated cyber-attackers. Security breaches across multiple industries forge ahead in an upward trajectory, and the financial services industry is no exception," the report said.

Source: Information Security Magazine

Cyber Group Targets Satellites, Telecom

Cyber Group Targets Satellites, Telecom

A cyber-espionage group infiltrated satellite, telecom and defense companies in the US and Southeast Asia, and evidence suggests that the campaign's objective was espionage. Identified by Symantec and announced on 19 June, the campaign originated from machines based in mainland China, according to researchers.

Thus far, the analysis suggests that the defense, telecom and satellite sectors – more specifically, the geospatial sector – have been targeted. In the geospatial sector, the group targeted computers running MapXtreme GIS (geographic information system) software, used to develop custom geospatial applications and to integrate location-based data. Not surprisingly, machines running Google Earth Server and Garmin imaging software were also targeted.

“The Thrip group has been working since 2013 and their latest campaign uses standard operating system tools, so targeted organizations won’t notice their presence,” said Greg Clark, Symantec CEO, said in a press release. "They operate very quietly, blending in to networks, and are only discovered using artificial intelligence that can identify and flag their movements. Alarmingly, the group seems keenly interested in telecom, satellite operators, and defense companies. We stand ready to work with appropriate authorities to address this serious threat."

Because attackers are moving laterally in order to infect satellite monitoring and controlling devices within a satellite communications operator, the threat has the potential to be very disruptive. In a 19 June blog postFortinet said this component of the threat suggests that the group likely wanted to gather intelligence, exfiltrate data and disable the satellites.  

“Thrip exemplifies the growing urgency for being able to quickly and reliably detect lateral movement across the network,” said Anthony Giandomenico, senior security researcher, Fortinet FortiGuard Labs. However, defending against an advanced threat such as Thrip requires a number of critical security strategies to be in place.

Attackers rarely find what they are looking for in their first compromised device, which is why they then move laterally in search of the systems they need to accomplish their goal. Moving through the systems also allows them to "establish a stronger foothold to increase the difficulty of properly removing the malware from the network," Giandomenico said.

“Detecting an initial compromise can be very difficult, even with sophisticated security measures in place, as it usually happens very fast and often uses advanced evasion techniques to disguise the attack," Giandomenico continued. "This sort of countermeasure requires keeping up with the latest techniques adversaries are using while being proactive in finding and addressing existing network blind spots and control gaps.”

Source: Information Security Magazine

Nation-State Actions Could Negatively Impact Businesses

Nation-State Actions Could Negatively Impact Businesses

In today’s interconnected world, it’s more likely that politics and social unrest the world over could have significant impact on today’s digital business. That’s according to Flahspoint’s Business Risk Intelligence Decision Report, which took a midyear look at the methods, motives and moves of nation-state actors.

“The relatively quiet first six months of 2018 could turn on a dime as midterm elections loom, tense relations in the Middle East persist, the U.S. leaves the Joint Comprehensive Plan of Action (JCPOA), sanctions against Iran tighten, and numerous other dramatic geopolitical developments continue to arise,” the report stated.

The report analyzed trends and indicators in threat actor reactions to, and prioritization of, activities with regards to global events and dynamics. From that analysis, Flashpoint developed a six-tiered capability and potential impact scale, with the sixth tier potentially having what the company defined as a catastrophic impact.

Results of the analysis rank China and Russia at a Tier 6 – the greatest threat – across most verticals, with the exception of retail. Though state-sponsored cyber activity coming from Russia has been quiet thus far this year, “the apparent lack of cohesion between Europe and the US in dealing with Russian offensive cyber tactics may server to embolden Russia to continue expanding its cyber operations,” according to the report.

Activity from state-sponsored actors in China remained potent threats to private companies and government institutions. China has continued its internal crackdown on anonymity while increasing scrutiny of online activities and foreign corporate interests. In addition, The National Cybersecurity Law has driven cyber-criminals to either cooperate with authorities or move farther to the fringes in tools and techniques.

Also rated as potentially having a catastrophic impact is the intelligence-sharing arrangement between several Anglophone countries known as the Five Eyes. The report defines the Five Eyes as the group that “collectively represents the pinnacle of cyber capabilities related to cyber espionage and destructive or disruptive attacks."

"Yet they are not traditionally considered threat actors to Western entities," the report states, "because their activities are generally undertaken in support of national security objectives rather than for commercial or economic gain.”

Source: Information Security Magazine

Misguided “Bitcoin Baron” Hacker Gets 20 Months

Misguided “Bitcoin Baron” Hacker Gets 20 Months

An inept cyber-criminal has been given a 20-month sentence behind bars after DDoS-ing the networks of a Wisconsin city, temporarily taking out its 911 center.

Randall Charles Tucker, 23, of Apache Junction, Arizona carried out the attacks on the City of Madison in 2015 as part of a wider DDoS campaign against various cities, according to the Department of Justice.

“In addition to disabling the City of Madison’s website, the attack crippled the city’s internet-connected emergency communication system, causing delays and outages in the ability of emergency responders to connect to the 911 center and degrading the system used to automatically dispatch the closest unit to a medical, fire, or other emergency,” the noticed read.

It’s unclear what his motivation was in launching the attack, although it came just days after a fatal shooting by a Madison police officer.

Tucker’s other exploits saw him DDoS the municipal computer systems in Phoenix suburbs Chandler and Mesa and user-generated video portal News2Share, the latter in a bid to persuade it to feature one of his videos.

These charges were reportedly dropped as part of the plea deal.

Tucker boasted of his crimes on social media, dubbing himself the “Bitcoin Baron,” and has also reportedly taken part in hacktivist campaigns like Anonymous #OpSeaWorld.

However, his attempts to portray himself as a moral crusader failed miserably. In one incident in 2015 he apparently DDoS-ed the city and police websites of San Marcos in Texas — demanding a local policeman who had assaulted a female college student be jailed and fired. That cop had already been sent to prison two years previously.

Tucker also launched an attack on a children’s hospital, reportedly defacing it with child pornography, which if true somewhat undermined his hacktivist credentials.

Alongside the jail sentence, Tucker was ordered by the court to pay restitution of over $69,000 to the victims of his attacks.

Source: Information Security Magazine

Olympic Destroyer Malware is Back to Wreak Havoc

Olympic Destroyer Malware is Back to Wreak Havoc

The notorious Olympic Destroyer malware which disrupted the last Winter Games has resurfaced, targeting several countries in Europe as well as Russia and Ukraine, according to Kaspersky Lab.

The Russian AV company warned that the latest activity could spell the start of new destructive malware campaigns from the group behind the threat.

“In May-June 2018 we discovered new spear-phishing documents that closely resembled weaponized documents used by Olympic Destroyer in the past. This and other TTPs led us to believe that we were looking at the same actor again,” the firm explained.

“However, this time the attacker has new targets. According to our telemetry and the characteristics of the analyzed spear-phishing documents, we believe the attackers behind Olympic Destroyer are now targeting financial organizations in Russia, and biological and chemical threat prevention laboratories in Europe and Ukraine.”

Phishing emails were used to infiltrate and map out target networks ahead of a destructive campaign which disrupted the Pyeongchang Olympics earlier this year, leading the firm to speculate that this new activity could lead to similar.

It warned all biochemical-threat prevention and research organizations in Europe to bolster their defenses and run unscheduled security audits.

It’s not clear what the link between these new targets is, with the group behind it considered “a master in the use of false flags.” However, Kaspersky Lab claimed the TTPs and operational security techniques used by the group “bear a certain resemblance” to Sofacy/Fancy Bear/APT28, the notorious Kremlin hacking outfit that disrupted the 2016 US presidential election.

“The variety of financial and non-financial targets could indicate that the same malware was used by several groups with different interests – i.e. a group primarily interested in financial gain through cyber-theft and another group or groups looking for espionage targets,” the vendor concluded.

“This could also be a result of cyber-attack outsourcing, which is not uncommon among nation state actors. On the other hand, the financial targets might be another false flag operation by an actor who has already excelled at this during the Pyeongchang Olympics to redirect researchers’ attention.”

Source: Information Security Magazine