Archive for July 2018

Registry Keys Vulnerable with COM Hijacking

Attackers are leveraging a new technique that allows them to run a specious file that looks legitimate but is actually malicious, according to the research team at Cyberbit. The component object model (COM) hijacking technique, usually used by attackers as a persistence mechanism, also has evasive capabilities.

A proof-of-concept experiment run by the Cyberbit research team and detailed in today's blog post reveals that the team discovered that hundreds of registry keys were vulnerable to this attack. While most modern malware creators use code injection to disguise malicious behavior within benign activity, the idea with COM hijacking is to run code within the context of a legitimate, whitelisted process, like a web browser.

Researchers wrote that their findings were alarming. “Another troubling finding is the fact that adding these DLLs doesn’t even require a boot. Since most keys were affected immediately upon running the target process, some keys did not even require execution of the target process for a process which is already running, such as 'Explorer.exe.'”

Using this technique, attackers are able to load and run malware through a legitimate process while evading detection. It is easy for attackers to implement because it does not require sophisticated code injection, yet the loaded code still has the privileges to perform sensitive actions, like connecting to the Internet, according to researchers.

“The purpose of this research was to uncover the scope of the problem, which is often overlooked by security products,” said Meir Brown, director of research at Cyberbit. “The scope of the risk is wide since we have seen many critical Windows processes which load COM objects without verification. This generates an easy method of injection and persistence with minimal visibility."

"The mitigation is to have a security solution which alerts on COM hijacking and to monitor any system error carefully since it may imply COM hijacking," Brown said. "In addition, I would suggest carefully monitoring specific registry keys like the ones we present in our report which are used to load popular COM objects.”
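One way to act on the monitoring advice above, as an added example that is not Cyberbit's code or part of its report: a PowerShell audit of the current user's CLSID registrations that flags entries shadowing a machine-wide registration or pointing at a DLL outside the Windows and Program Files directories. The registry paths are standard Windows locations; the flag heuristics are assumptions of this example, not findings from the report.

```powershell
# Added example, not Cyberbit's code: audit the current user's hive for COM
# registrations that shadow machine-wide ones. COM resolves a CLSID through
# HKEY_CLASSES_ROOT, which merges HKCU\Software\Classes ahead of
# HKLM\Software\Classes, so a per-user InprocServer32 value can redirect a
# process to a different DLL without a reboot. Needs no admin rights.

$UserClsid    = 'Registry::HKEY_CURRENT_USER\Software\Classes\CLSID'
$MachineClsid = 'Registry::HKEY_LOCAL_MACHINE\Software\Classes\CLSID'

function Get-ServerPath {
    # Returns the expanded (default) value of an InprocServer32 key, or $null.
    param([string]$KeyPath)
    if (-not (Test-Path -LiteralPath $KeyPath)) { return $null }
    $raw = (Get-ItemProperty -LiteralPath $KeyPath -ErrorAction SilentlyContinue).'(default)'
    if ([string]::IsNullOrWhiteSpace($raw)) { return $null }
    [Environment]::ExpandEnvironmentVariables($raw.Trim('"'))
}

function Get-ComHijackCandidate {
    # Emits one object per HKCU InprocServer32 registration with review flags.
    # Per-user software (OneDrive, Teams, ...) legitimately registers here, so
    # the output is a review list to baseline against, not a verdict.
    if (-not (Test-Path -LiteralPath $UserClsid)) { return }
    foreach ($key in Get-ChildItem -LiteralPath $UserClsid -ErrorAction SilentlyContinue) {
        $clsid      = $key.PSChildName
        $userServer = Get-ServerPath "$UserClsid\$clsid\InprocServer32"
        if (-not $userServer) { continue }   # no in-process server under HKCU
        $machineServer = Get-ServerPath "$MachineClsid\$clsid\InprocServer32"

        # Heuristic flags (assumptions of this example): the first is the
        # shadowing pattern hijacking relies on; the others are common signs of
        # a planted or dangling server DLL.
        $flags = @()
        if ($machineServer) { $flags += 'shadows HKLM registration' }
        if (-not (Test-Path -LiteralPath $userServer)) { $flags += 'DLL path does not exist' }
        if ($userServer -notmatch '^[a-z]:\\(windows|program files)') {
            $flags += 'DLL outside Windows/Program Files'
        }

        [pscustomobject]@{
            CLSID         = $clsid
            UserServer    = $userServer
            MachineServer = $machineServer
            Flags         = ($flags -join '; ')
        }
    }
}

# Show only the entries carrying at least one flag, most flags first.
Get-ComHijackCandidate |
    Where-Object { $_.Flags } |
    Sort-Object { $_.Flags.Length } -Descending |
    Format-Table -AutoSize
```

The same comparison applies to LocalServer32 and TreatAs values under the same keys, and a periodic diff of this output against a known-good baseline is what turns it into the monitoring Brown describes.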

Source: Information Security Magazine

Criminals Avoid Detection Using Old Campaigns

McAfee Labs has released its Threats Report June 2018, in which it highlights the notable investigative research and threat trend statistics gathered from Q1 2018. A key finding was a significant spike in total coin-miner malware, which rose by 629% in Q1 to more than 2.9 million samples.

Additional findings included in this report are the complex nation-state threat campaigns – driven by financially and politically motivated criminals – that had targeted users and enterprise systems worldwide.

“We have seen continued expansion of this criminal endeavor during the quarter,” the report stated. “The goal of the perpetrators is to monetize their criminal activity by expending the least amount of effort, using the fewest middlemen, and executing their crimes in the shortest time possible and with the least risk of discovery.”

Bad actors continue to grow more innovative and demonstrate an impressive level of technical agility, improving on several of the attack schemes that emerged at the end of 2017. With some technical creativity, these actors have discovered new ways to avoid detection and mitigation.

Among the key campaigns were Gold Dragon, Lazarus and the cryptocurrency campaigns GhostSecret and Bankshot. “Gold Dragon is a particularly slippery instance of fileless malware because it is designed to be evasive, checking on processes related to antimalware solutions,” the report stated.

Researchers believe the currently active and extremely complex campaign, GhostSecret, is associated with the international cybercrime group known as Hidden Cobra. The campaign, which “employs a series of implants to appropriate data from infected systems, is also characterized by its ability to evade detection and throw forensic investigators off its trail.”

The Lazarus cybercrime ring returned to target global financial organizations and Bitcoin users with a new Bitcoin-stealing phishing campaign dubbed HaoBao.

Overall, the June report highlights the efforts on the part of bad actors who strive to do better. To that end, they’ve shifted from PowerShell to LNK. “In 2017 we saw a surge in the exploitation of benign technologies for malicious purposes, such as PowerShell. In Q1 2018, we saw malicious actors turn away from PowerShell exploits, which dropped 77%, and take advantage of LNK capabilities. New LNK malware rose 59% in Q1."

Source: Information Security Magazine

UK Consumers Prefer Security to Convenience

UK consumers prioritize security over convenience far more than IT and business executives, according to a new study from CA.

The firm commissioned analyst Frost & Sullivan to poll 990 consumers, 336 security professionals and 324 business executives across 10 countries, including nearly 600 respondents in Europe.

It revealed that 83% of UK consumers prefer security over convenience when authenticating during transactions, while the figure is much lower for cybersecurity professionals (60%) and business executives (59%).

Organizations often cite concerns about user friction as a reason not to tighten access controls and payment security with two-factor authentication — although many will be forced to put such measures in place by the new European banking rules known as PSD2.

The report also revealed a disconnect between customer trust in organizations to protect their personal data and the attitudes of business executives.

The Digital Trust Index for UK consumers stood at 56 points out of 100 — among the lowest in the world and much less than the global average of 61.

However, 88% of UK executives believe they are doing an “excellent” or “very good” job of protecting customer data. This is despite the fact that 56% admitted their organization has been involved in a breach of consumer data.

Jarad Carleton, industry principal, cybersecurity at Frost & Sullivan, argued that the information age is at a crossroads as more firms are being publicly held to account for failing to protect customer data.

“What the survey found is that there is certainly a price to pay — whether you’re a consumer or you run a business that handles consumer data — when it comes to maintaining data privacy,” he added. “Respect for consumer privacy must become an ethical pillar for any business that collects user data.”

The study was conducted in March and April, before the GDPR came into force across the EU, so it will be interesting to see if the report tells a different story next year.

Source: Information Security Magazine

STEM Teachers Focus on Cyber at Summer Camp

Underway this week is NittanyGenCyber Camp, a five-day summer camp offered by Penn State University’s College of Information Sciences and Technology (IST) and designed for middle and high school STEM teachers. The week-long camp kicked off yesterday and will run through Friday, 3 August 2018.

This first-of-its-kind summer camp aims to teach teachers fundamental cybersecurity principles, giving them hands-on experience of cybersecurity’s intersection with data science. Applications were due on 25 May 2018, and attendees include teachers from different New Jersey school districts and Pennsylvania’s West Essex Regional School District.

The summer camp is part of the GenCyber program, which offers cybersecurity summer camps to students and teachers at the K-12 level. It’s an effort to not only increase awareness in cybersecurity careers but also to diversify the cybersecurity workforce.

NittanyGenCyber camp is funded by a grant from the National Security Agency and the National Science Foundation, which is why it was able to offer the camp at no charge to its participants. Attendees also received a stipend to cover travel expenses.

Led by Penn State’s IST GenCyber principal investigator, Dongwon Lee, associate IST professor, and two co-principal investigators, Anna Squicciarini, associate IST professor, and Nick Giacobe, assistant teaching IST professor and director of the college’s undergraduate programs, the first workshop included a hands-on course using a security board game. Additional topics covered include OS basics, social engineering attacks, cryptography basics, online frauds and fakes, steganography basics, passwords, forensics, cyber competitions, ethics and access control.

“Researchers and other organizations have identified that somewhere between 130,000 and 209,000 unfilled cybersecurity jobs exist in the U.S. today,” Giacobe told TAP into West Essex news.

“Worldwide, those estimates climb to 2.5-3.5 million unfilled cyber jobs by 2025. Regardless of which numbers you follow, the point is that there is a significant gap between the skills of the talent pool we have today versus what companies need today and tomorrow.”

Source: Information Security Magazine

Dixons Carphone: Breach Hit 10 Million Personal Records

Dixons Carphone has revised up its estimate of how much customer data was stolen in a recently disclosed breach by almost nine million records.

The UK retailer revealed in June that hackers had accessed personal data on 1.2 million Currys PC World and Dixons Travel store customers — including names, addresses and email addresses.

However, in a new statement today it claimed that 10 million records containing personal data “may have been accessed” in the 2017 incident, whilst also admitting that “there is now evidence that some of this data may have left our systems.”

However, the high street giant was again at pains to point out that the compromised records “do not contain payment card or bank account details and there is no evidence that any fraud has resulted.”

Alongside the 1.2m records containing personal data, the original breach saw an ‘attempt’ to compromise 5.9m cards held in its systems. Dixons Carphone said that 5.8m of these had chip and PIN protection and that the stolen data did not include PIN codes, card verification values (CVV) or authentication data — making it more difficult for the hackers to monetize, although still exposing customers to a serious card-not-present (CNP) fraud risk.

“Since our data security review uncovered last year’s breach, we’ve been working around the clock to put it right. That’s included closing off the unauthorized access, adding new security measures and launching an immediate investigation, which has allowed us to build a fuller understanding of the incident that we’re updating on today,” said CEO Alex Baldock.

“As a precaution, we’re now also contacting all our customers to apologise and advise on the steps they can take to protect themselves. Again, we’re disappointed in having fallen short here, and very sorry for any distress we’ve caused our customers.”

Mark Adams, regional VP for UK & Ireland at Veeam, argued it was worrying that Dixons Carphone got the scale of the breach so wrong.

“These days the public care a lot about how their data is handled and by whom, and they want organizations to be more proactive in managing that data, so the size of the breach is going to translate into a much higher loss than many will imagine,” he added. “With so much competition for business, this will be an expensive breach with a long tail of damage for the organization's brand and reputation.”

Source: Information Security Magazine

Malvertising Campaign Delivers Millions of Bad Ads

By using the HiBids advertising platform, cyber-criminals have been delivering malicious advertisements to millions of victims worldwide in a large-scale malvertising and banking Trojan campaign, according to researchers at Check Point.

These malicious ads can infect the PC or mobile device of the person viewing the ads with malware, such as a crypto-miner, ransomware or a banking Trojan. Master134, the criminal reported to be responsible for the campaign, redirected stolen traffic from over 10,000 hacked WordPress sites, then sold it to Adsterra, the real-time bidding (RTB) ad platform, according to today’s blog post.

From there, Adsterra sold the traffic to advertising resellers, including ExoClick, AdKernel, EvoLeads and AdventureFeeds, which passed it on to the highest-bidding ‘advertiser.’ “Our discovery revealed an alarming partnership between a threat actor disguised as a Publisher and several legitimate Resellers that leverage this relationship to distribute a variety of malware including Banking Trojans, ransomware and bots,” researchers wrote.

The key to the campaign's success was that the advertisers were seemingly legitimate companies; however, they were actually criminals looking to distribute ransomware, banking Trojans, bots and other malware, which is how the infected ads – not legitimate ads – appeared on thousands of publishers’ websites worldwide.

During this campaign, which is still active, Check Point reportedly saw 40,000 clicks per week on these malicious ads. Cyber-criminals, who measure the return on investment of their ad spend by comparing it to the money they make from crypto-mining and ransom, are compromising the legitimate business of online advertising, exploiting it to display malware-infected ads.

Recognizing that threat actors will always search for new ways to spread their attack campaigns, researchers anticipate seeing more of these types of attacks, though the involvement of seemingly legitimate online advertising companies is of great concern. “We can’t help but wonder – is the online advertising industry responsible for the public’s safety? Indeed, how can we be certain that the advertisements we encounter while visiting legitimate websites are not meant to harm us?” the researchers wrote.

Source: Information Security Magazine

Three Campaigns Targeted as Senate Pushes Security

During a 29 July interview on “Face the Nation,” Sen. Jeanne Shaheen (D-N.H.) expressed concern over widespread phishing attacks against the Senate and political parties, according to The Hill.

“I don't know who else is on the list but I do know that we've had an experience in our office with people getting phishing emails with social media accounts,” Shaheen said in the interview. “There has been one situation that we have turned over to authorities to look into. And we're hearing that this is widespread with political parties across the country, as well as with members of the Senate.”

Sunday’s “Face the Nation” interview came only days after Microsoft confirmed that the campaign of Sen. Claire McCaskill (D-Mo.) was one of the three congressional campaigns in which Russians had unsuccessfully targeted staff and computer systems.

Russian meddling in midterm election campaigns has been a growing concern since the 2016 election. News that the Mueller investigation indicted 12 Russians for election meddling has renewed concerns, particularly as the 2018 midterm elections are swiftly approaching. President Trump met with his National Security Council (NSC) on Friday, 27 July, to address these and other cybersecurity concerns.

After the meeting, the White House released a statement affirming that “the President has made it clear that his Administration will not tolerate foreign interference in our elections from any nation state or other malicious actors.”

Prior to the NSC meeting, Defense Secretary Jim Mattis reportedly told reporters that US cyber-defenses have already been deployed, according to the Washington Examiner’s Daily on Defense newsletter. “Rest assured, there are actions underway to protect our elections or to expose any external efforts by anybody to influence the American public, to show false news, that sort of thing,” Mattis said.

As confirmation of foreign meddling continues to mount, the Senate Rules Committee aims to prioritize the Secure Elections Act, which is reportedly slated for markup in mid-August.

Source: Information Security Magazine

New NetSpectre-Class Attack Raises Device-Hardening Concern

A new Spectre-class attack, dubbed NetSpectre, requires no malware or malicious JavaScript on the victim, because it instead attacks victims over network connections, according to researchers at Graz University of Technology.

Four scientists at the university have published findings on a new type of Spectre attack in a paper entitled NetSpectre: Read Arbitrary Memory over Network. The paper details a new CPU attack that can be carried out via network connections and does not require the attacker to host code on a targeted machine, a significant development for Spectre-class attacks.

“By manipulating the branch prediction, Spectre tricks a target process into performing a sequence of memory accesses which leak secrets from chosen virtual memory locations to the attacker. This completely breaks confidentiality and renders virtually all security mechanisms on an affected system ineffective,” the researchers wrote.

Until now, Spectre attacks have needed the victim to either download and run malicious code on a machine or access a website that runs malicious JavaScript in the user's browser, but Spectre attacks have now evolved from requiring local code execution privileges to the first cache-less version that uses AVX state and instructions to create a covert channel, according to Craig Dods, distinguished engineer, security, at Juniper Networks.

While Dods said the research is concerning from a device-hardening perspective, “The need for leak and transmit gadgets to be present on the victim’s computer makes it a less valuable approach. Today, threat actors have access to much easier tools to compromise victims – they won’t need to deal with the complexity and uncertainty of a network-based Spectre attack," said Mounir Hahad, head of threat research at Juniper Networks.

Some commentators agree that the industry could be moving too far into the weeds with the attacks as the likelihood of exploitation is so low. Brajesh Goyal, vice president of engineering at Cavirin, said, “The need for leak and transmit gadgets to be present on the victim’s computer also makes it a less valuable approach. Today, threat actors have access to much easier tools to compromise victims – they won’t need to deal with the complexity and uncertainty of a network-based Spectre attack."

Source: Information Security Magazine

UK CNP Fraud Drops as Banks Fight Back

UK Card Not Present (CNP) fraud losses have fallen for the first time since 2011, despite rising levels in many European countries, according to new stats from FICO.

The fraud prevention firm’s latest interactive map is built on data from Euromonitor International and UK Finance.

It revealed that the UK saw the biggest reduction in net fraud losses of 8%, although the average across Europe rose by 2% (€30m).

A FICO spokesperson confirmed to Infosecurity that the vast majority (around 70%) of CNP fraud is committed online.

“As well as fraud migration, we are also seeing an evolution of fraudulent exploitation using cyber-enabled crimes,” said fraud consulting director, Toby Carlin. “The total size of the cyber-enabled threats will come to the fore as PSD2 reporting comes into play across Europe, but early indications from the UK show that cyber-enabled digital fraud is set to overtake plastic fraud by 2020.”

Despite the growing online threat, the UK is now the first market to have “significantly” reduced CNP fraud losses in several years. This should serve as an example to other regions that investment in the right technologies can reap rewards, but also as a warning that scammers may be on the lookout for geographies where less is being spent, said the firm.

“This is a significant turning point in the global fight against CNP, with hundreds of millions of euros worth of fraudulent migration imminent,” FICO claimed. “All other markets should be on high alert to receive this migrating attack and ensure that preventative mechanisms are deployed as soon as possible to stop themselves becoming the easiest target for criminals to hit.”

A PwC report recently claimed that nearly half (49%) of UK organizations have suffered from cyber-enabled fraud over the past two years, while Cifas figures from April pointed to identity fraud reaching an all-time-high last year, and e-commerce fraud jumping 49%.

Source: Information Security Magazine

Idaho Inmates Hack Tablets for Extra Credits

Hundreds of tech-savvy inmates at several Idaho correctional facilities have been caught exploiting a software vulnerability on their state-funded tablets to artificially increase account balances.

Officials claimed that 364 prisoners had been caught hacking the JPay tablets which are provided to allow them access to email, music and games.

The software exploit apparently allowed them to transfer a total of nearly $225,000 into their accounts, with one inmate managing an audacious $10,000.

There’s no hit to the taxpayer as these are virtual credits provided by JPay, with the firm claiming it has already recovered $65,000 worth. The guilty inmates will not be able to download games or music until they can compensate the corrections-related service provider, it said.

“JPay is proud to provide services that allow incarcerated individuals to communicate with friends and family, access educational programming, and enjoy positive entertainment options that help prevent behavioral issues,” a JPay spokesperson statement noted.

“While the vast majority of individuals use our secure technology appropriately, we are continually working to improve our products to prevent any attempts at misuse.”

The Idaho Department of Correction has also moved to discipline those involved, with reports suggesting they could lose various privileges and even be transferred to a higher security risk level.

US telecoms firm CenturyLink refused to disclose the vulnerability exploited by the inmates, citing it as proprietary technology.

The incidents took place at the Idaho State Correctional Institution, Idaho State Correctional Center, Idaho Correctional Institution-Orofino, South Idaho Correctional Institution and the Correctional Alternative Placement Plan facility.

Source: Information Security Magazine