Intelligent Connections. Powerful Impact.
Call Us: 415-510-2973

Archive for December 2018

Amazon Order Confirmation Phishing Scam

Amazon Order Confirmation Phishing Scam

All those who have relied upon the e-commerce giant Amazon to order their holiday gifts should heed caution when receiving order confirmation emails, as EdgeWave reportedly discovered a new and highly sophisticated malspam campaign sending fake Amazon order confirmation messages.  

The messages are reportedly quite convincing, and include subject lines that read "Your Amazon.com order," "Amazon order details" and "Your order 162-2672000-0034071 has shipped."

According to BleepingComputer, “When you open these emails, you will be shown an order confirmation that states your item has shipped, but without any details regarding what was ordered or tracking information. It then tells the recipient to click on the Order Details button in order to see more information.”

Credit: Bleeping Computer
Credit: Bleeping Computer

Unsuspecting users who click on the link thinking they are downloading a Word document named order_details.doc are then instructed to “Enable Content” so that the order may be properly viewed. However, these unwitting users are actually enabling content that triggers the macros to execute a PowerShell command, which reportedly downloads and executes the Emotet banking Trojan.

EdgeWave told BleepingComputer that while researchers were testing the malicious document, the Emotet downloaded as keyandsymbol.exe even though the name of the Trojan was mergedboost.exe.

"Interestingly, these other servers are in Houston and Lansing. Playing Dora the Explorer for a moment, we’ve encountered a compromised email server in Columbia sending phishing email with a link to a server in Indonesia that downloads malware which then contacts compromised servers in the United States,” EdgeWave reportedly said.

Source: Information Security Magazine

Grad Makes ROTC History with Cybersecurity Degree

Grad Makes ROTC History with Cybersecurity Degree

Southern University celebrated a first in its history with the graduation of Davonne Franklin, 22, a member of the Army National Guard who was the school’s first ever cybersecurity graduate.

Franklin enrolled in the ROTC and attended Southern University after graduating from McKinley High in Baton Rouge. When he completed his basic training, he returned to Louisiana as a private with the goal of studying cybersecurity at Southern, where he was able to take part in an undergraduate research project in cybersecurity for the U.S. Department of Defense, according to The Advocate.

Now a second lieutenant who has graduated, Franklin will move on to be a cybersecurity officer, who will work to strengthen defenses against cyber-terrorism. "The biggest existential threat that faces our national security is cybersecurity," said Capt. Troy Glover, a member of the Southern University Army ROTC staff who spoke with The Advocate.

"I came back more focused," Franklin reportedly said. "When I returned, I knew I wanted to join Army ROTC and become an officer, and I wanted to change my field in the National Guard to cybersecurity. I also wanted to pursue a degree in computer science. I just needed that slight chance," Franklin said. "Growing up African-American, you can feel things are denied you."

Cybersecurity degrees are growing more popular around the globe, with curiosity about the industry calling for more details about what a cybersecurity degree entails. According to IT Governance, the three key pillars of a cybersecurity strategy involve people, process and technology.

Given the increased frequency and costs associated with attacks, educating users about cybersecurity is a critical part of securing the enterprise. “Cyber-attacks can disrupt and cause considerable financial and reputational damage to even the most resilient organization. If you suffer a cyber-attack, you stand to lose assets, reputation and business, and potentially face regulatory fines and litigation – as well as the costs of remediation,” according to IT Governance.

Source: Information Security Magazine

New App Protects User Data on the Internet

New App Protects User Data on the Internet

In response to the issues of data privacy questions that have erupted in the aftermath of the Facebook-Cambridge Analytical scandal, a startup, FigLeaf, co-founded by CEO Slava Kolomeichuk and CRO Yuriy Dvoinos, is developing an app that will help users understand how their personal information has been affected.

The new app is slated for use across different platforms and will include features that allow users to control access to their private information.

"We want to empower users and give them the tools to have a choice to remain private online," Dvoinos, who also serves as FigLeaf's Chief Revenue Officer, told Download.com in the company's first public interview about its plans, according to CBS News.

The 100 person team has been busy developing a viable solution to the privacy problem. According to the company website, “Privacy is a social necessity. This is what makes us different, interesting and hence, human. If we can provide people a choice to be private some of the time, we give them the opportunity to fully embrace their own creativity,” Slava said.

By scanning the dark web, the app is able to understand how much of the user’s personal data has been compromised. The app – still in BETA form and being tested – will reportedly provide users with the tools necessary to take back control of their data. Dvoinos told CBS News that even if a user chooses to remain completely private and not share any data, they should still be able to enjoy the internet.

"Right away, the customers can see how and what their exposure is like," Pankaj Srivastava, FigLeaf's COO and CMO told Download.com. "So when we think about the function for our privacy app, Figleaf, when we think about it and think one is first we need to understand how you are exposed. Next we need to secure that information."

Source: Information Security Magazine

UK Launches Long-Awaited Cyber Skills Strategy

UK Launches Long-Awaited Cyber Skills Strategy

The UK government has launched a new cybersecurity skills strategy designed to reduce industry shortages, and a new independent body to help shape the future of the profession.

The Initial National Cyber Security Skills Strategy sets out not only to recruit more skilled professionals into the industry but also raise the awareness levels of the general workforce, improve education and training and ensure ensure the UK has a “well structured and easy-to-navigate” profession.

To that end, a new UK Cyber Security Council will receive £2.5m of public funding to help in its mission to “lay the structural foundations” of the profession.

It will appoint independent ambassadors to promote careers in cybersecurity; launch a refreshed CyberFirst brand in 2019; and commit to investing in projects to develop the next generation of talent.

At this stage there doesn’t seem to be an awful lot of detail, although the strategy itself is currently in a “Call for Views” phase which ends on March 1, 2019.

Talal Rajab, head of cyber and national security at industry body techUK, urged members to submit their feedback.

“Only through collaboration between government, industry and academia will the cyber skills gap be bridged and initiatives like CyberFirst and the work around developing a Cyber Council are significant work streams which techUK and industry will continue to support,” he added.

“Skills are vital to the development of the UK cybersecurity sector and attracting skilled talent is a constant challenge for industry, making this wide-ranging strategy most useful as a starting point for renewed efforts from both government and industry.”

New government figures suggest that over half (57%) of all UK firms and charities have a “basic technical cybersecurity skills gap.” The global shortfall of skilled professionals now stands at nearly three million.

Source: Information Security Magazine

Over 500K School Staff and Students Hit by Breach

Over 500K School Staff and Students Hit by Breach

The personal data of more than half a million staff and students of San Diego high schools from the past decade is now likely in the hands of hackers, it has emerged.

A statement from the San Diego Unified School District on Friday revealed that unauthorized access was achieved by a simple phishing campaign which compromised 50 staff log-ins back in January.

It was only 10 months later that IT staff detected the intrusion, with the threat finally eliminated on November 1.

Although GDPR regulators require 72-hour mandatory notifications, in the US police often request a delay to give them time to investigate and possibly apprehend the suspect.

An individual has apparently been identified and all stolen credentials are now useless, but the damage has arguably already been done.

Breached data includes: first and last name; date of birth; mailing and home address; phone number; student enrolment info; Social Security and/or State Student ID numbers; contact information on parents, guardians and emergency contacts; and staff benefits and payroll info including routing and account number, tax info, and salary info.

Data is said to go as far back as the 2008-9 school year.

There’s plenty in there for financially motivated cyber-criminals to monetize, not least the Social Security numbers of students.

Over one million US children fell victim to identity fraud in 2017, resulting in losses of $2.6bn, according to Javelin Strategy & Research. It’s thought that because they have limited financial records on file, children offer fraudsters a bigger opportunity to open fake accounts and the like in their name.

The case also highlights the continued threat from phishing: it featured in 93% of all data breaches analyzed by Verizon last year.

Source: Information Security Magazine

IBM Kernel-Based Vulnerability Discovered

IBM Kernel-Based Vulnerability Discovered

Researchers have discovered a kernel-based vulnerability in a driver bundled with IBM Trusteer Rapport for MacOS, according to a recently published advisory from Trustwave. If exploited, the vulnerability could elevate privileges on the local machine, allowing an attacker to subvert or disable Trusteer altogether.

According to Trustwave, its researchers worked with IBM throughout the disclosure process. When IBM was unable to provide a patch during the 90-day disclosure policy, Trustwave reportedly extended it an additional 30 days.

“Unfortunately, that was also not enough time to develop a patch, and we feel it's important to alert the public about this issue,” Trustwave’s Neil Kettle wrote in a blog post.

The Trustwave SpiderLabs Security Advisory TWSL2018-012 stated: “IBM Trusteer Rapport is an advanced endpoint protection solution designed to protect users from financial malware and phishing attacks. Using industry-leading technology, Trusteer Rapport is designed to defend against MitBattacks, remove malware from endpoint devices and protect customers by preventing them from entering phishing sites. Trusteer Rapport offers a broad security solution that can help your organization reduce costs, enhance your fraud detection and prevention, and help to provide a seamless customer experience.”

The vulnerability, which is caused by a signedness bug issue, was initially reported to the vendor on August 15, 2018. The 90-day deadline was extended on November 14, but on December 17, IBM confirmed that no patch was available, at which point Trustwave published the vulnerability advisory.

In lieu of a patch, Kettle wrote that “the risk of this vulnerability is slightly mitigated by requiring local access, so those affected are recommended to verify that only authorized users can log in to those systems," the risk of the vulnerability being exploited can be slightly mitigated.

In addition, he wrote, “security awareness training can also help prevent local malware or social engineering attacks. Finally, you may want to step up auditing of any affected systems for signs of infection.”

Source: Information Security Magazine

Criminal Charges Filed in DDoS-for-Hire Services

Criminal Charges Filed in DDoS-for-Hire Services

Efforts to take down multiple domains that offered distributed denial-of-services (DDoSs) for hire were successful and resulted in another announcement from the Justice Department (DOJ), which yesterday declared that it had seized 15 internet domains, as well as filed criminal charges against three defendants who facilitated the computer attack platforms.

According to a DOJ news release the sites were selling what are commonly known as “booter” or “stresser” services. When purchased, users could leverage these services to launch DDoS attacks, which overwhelm victim computers with a flood of information that prevents them from successfully accessing the internet.

These types of booter services are alleged to enable wide-scale attacks on an array of victims around the globe. Often the targets include financial institutions, universities, internet service providers, government systems and various gaming platforms, according to the DOJ.

“The attack-for-hire websites targeted in this investigation offered customers the ability to disrupt computer networks on a massive scale, undermining the internet infrastructure on which we all rely,” said US Attorney Nick Hanna. “While this week’s crackdown will have a significant impact on this burgeoning criminal industry, there are other sites offering these services – and we will continue our efforts to rid the internet of these websites. We are committed to seeing the internet remain a forum for the free and unfettered exchange of information.”

The director of security research at Flashpoint, Allison Nixon, said that the company provided threat intelligence derived from extensive visibility into deep and dark web actors and communities. “It’s this expertise that was tapped to provide actionable intelligence about cybercrime tools, techniques and operators. Our input was combined with a wealth of intelligence from a range of fantastic industry partners. This combined threat intelligence and attribution is strong enough to stand up in a court of law.”

However, as Hanna noted, DDoS is a complex issue without a quick fix, but Nixon pointed out that something significant happened among these seizures. “The US government just made the argument that running a booter service itself is inherently illegal. The FBI, in executing these actions, has stated clearly and unequivocally that the act of running a service that attacks any website in exchange for anonymous money is not just reckless but patently illegal – and will be prosecuted."

December is a time of year when the cybersecurity industry sees a surge in DDoS attacks, particularly targeting the gaming world, largely because of the Christmas holiday, but this year the criminals might not be so merry.

"Many cyber-criminals have convinced themselves they have found a legal 'loophole' to hurt people," said Hanna. "The development that we all hope for is that cyber-criminals see this, realize they will never legally profit from attacking websites without clear consent and change behavior toward more productive – and legal – applications of their talents. They have been sufficiently warned. Merry Christmas.”

Source: Information Security Magazine

Singapore Launches Second Bug Bounty Program

Singapore Launches Second Bug Bounty Program

The agency at the helm of Singapore’s digital services, the Government Technology Agency of Singapore (GovTech Singapore), announced that Singapore will be working with security researchers over the course of three weeks on a bug bounty program intended to further protect Singapore citizens and help secure public-facing government systems.

Singapore has established multiple cyber initiatives as part of its Smart Nation Singapore strategy. According to its website, the Strategic National Project aims “to drive pervasive adoption of digital and smart technologies throughout Singapore, we have identified key Strategic National Projects, which are key enablers in our Smart Nation drive.”

Among the goals of those key projects are enabling a lean, agile and future-ready government by implementing e-payment capabilities and delivering government services across different agencies to the citizens of Singapore. All of which hold the promise of convenience and efficiency but also present risks, which the government is proactively seeking to mitigate.

According to HackerOne, the crowdsourced platform with which GovTech Singapore has partnered, this is the country's second bug bounty program, which follows the successful endeavor of a bug bounty program with the Singapore Ministry of Defence (MINDEF) that ran earlier this year.

GovTech Singapore and the Cyber Security Agency of Singapore (CSA), aim to build a secure and resilient Smart Nation by leveraging access to local and overseas hackers through this collaboration with the hacker community as Singapore continues to undergo its digital transformation.

During the three-week challenge that will extend from December 2018 into January 2019, a select group of bug bounty hackers will receive financial payments, commonly called bounties, as a reward for identifying and reporting valid vulnerabilities to GovTech. The goal is for researchers to find security flaws in five public-facing government systems and websites so that GovTech may fix them before they are exploited by malicious actors.

"Singapore is again setting an example for the rest of the world to follow by taking decisive steps towards securing their vital digital assets," said Marten Mickos, CEO HackerOne. "Only governments that take cybersecurity seriously can reduce their risk of breach and interruption of digital systems. Singapore's continued commitment to collaboration in cybersecurity is something that will help propel the industry’s progress just as much as it will contribute to protecting Singapore citizen and resident data."

Source: Information Security Magazine

Caribou Coffee Card Breach Hits 265 Stores

Caribou Coffee Card Breach Hits 265 Stores

US chain Caribou Coffee announced a payment card data breach on Thursday, listing 265 outlets across 11 states that had been affected.

It claimed to have identified unusual network activity on November 28, enlisting the help of Mandiant, which subsequently found evidence of unauthorized access to point of sales (POS) systems two days later.

The firm claimed it is confident that this access was stopped immediately and the breach contained. However, it is warning that an unspecified number of customers may have had their payment card details taken.

“If you visited any of our company-owned Caribou locations between August 28, 2018 and December 3, 2018, there is a possibility that your name and credit card information, including card number, expiration date and card security code may have been accessed as a result of this unauthorized activity,” it stated.

“Payments made through your Caribou Coffee Perks account or other loyalty account were not affected. Any catering orders placed online with Bruegger’s Bagels, Einstein Bros. Bagels, Manhattan Bagel and Noah’s NY Bagels were also not affected by this breach.”

The firm urged customers to check the list of outlets affected and monitor their credit/debt card transactions carefully.

It does not appear to be offering any free credit monitoring or credit freeze services.

The incident proves POS malware remains a threat for businesses handling card data. The advent of EMV was meant to deter attackers, because it includes additional security measures to make it difficult to clone cards following a card-present breach.

However, many merchants are making the hackers’ job easier by continuing to use EMV cards' fallback magstripe functionality, according to recent research.

Gemini Advisory claimed in November that of the 60 million US payment cards compromised in the previous 12 months, 75% were stolen at POS and 90% of these were EMV-enabled.

“As 2018 comes to a close, besides refuelling stations, there are numerous merchant locations that are still asking their customers to swipe rather than use the chip insert method, thus completely neglecting the EMV security features,” it warned.

“This often happens because the merchant does not have an upgraded EMV enabled POS or the merchant has the EMV enabled POS system but is not using its full capabilities. In some cases, retailers are opposing migration to newer EMV technology because of the inherent high cost of the equipment.”

Source: Information Security Magazine

Microsoft Issues Emergency Patch for IE Flaw

Microsoft Issues Emergency Patch for IE Flaw

Microsoft has been forced to release an emergency patch for a critical remote code execution vulnerability in Internet Explorer (IE) being actively exploited in the wild.

Clement Lecigne of Google’s Threat Analysis Group is credited with the discovery of the flaw (CVE-2018-8653), which apparently affects the way that the scripting engine handles objects in memory in IE.

“The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user,” Microsoft explained.

“If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

Redmond claimed that in a web-based attack, a hacker could host a malicious website designed to exploit the bug through IE and then trick the user into visiting, ie via a phishing email.

The security update addresses the vulnerability by modifying how the scripting engine handles objects in memory, it added.

“While details are not currently available, in most cases, attackers exploit similar vulnerabilities by sending convincing emails to their intended targets with a link to a specially crafted website containing the exploit code,” Satnam Narang, senior research engineer at Tenable.

“The vulnerability affects Internet Explorer 11 from Windows 7 to Windows 10 as well as Windows Server 2012, 2016 and 2019. Internet Explorer 9 is affected on Windows Server 2008, while Internet Explorer 10 is affected on Windows Server 2012. As the flaw is being actively exploited in the wild, users are urged to update their systems as soon as possible to reduce the risk of compromise."

Source: Information Security Magazine