Intelligent Connections. Powerful Impact.
Call Us: 415-510-2973

Archive for January 2019

China, Russia Drive Increased Cyber-Threats to US

China, Russia Drive Increased Cyber-Threats to US

Leaders of six US intelligence agencies testified in front of the Senate Intelligence Committee on January 29, asserting that cyber-threats have evolved, particularly coming from China and Russia.

At issue is the collection and protection of data that can be leveraged in cyber-warfare, a concern expressed by the US Air Force as well. “We are now living in a new age – a time characterized by hybrid warfare and weaponized disinformation, all occurring within the context of a world producing more data than mankind has ever seen,” said Sen. Richard Burr (R-NC), chairman of the Senate Select Committee on Intelligence, according to Air Force Magazine. “Tomorrow, it’s going to be deep fakes, artificial intelligence, and a 5G-enabled internet of things with billions of internet-connected consumer devices.”

In his prepared opening stated, director of national intelligence Dan Coats wrote, “Our adversaries and strategic competitors will increasingly use cyber capabilities – including cyber espionage, attack and influence – to seek political, economic and military advantage over the United States and its allies and partners.”

Among the foreign adversaries that have expanded their cyber-espionage and intelligence activities are China, Russia, Iran and North Korea. According to Coats, China and Russia pose the greatest threats to the US, though Iran and North Korea remain paramount concerns.

“At present, China and Russia pose the greatest espionage and cyber attack threats, but we anticipate that all our adversaries and strategic competitors will increasingly build and integrate cyber espionage, attack and influence capabilities into their efforts to influence US policies and advance their own national security interests,” Coats wrote.

Those threats also extend to the US military and critical infrastructure. “China remains the most active strategic competitor responsible for cyber espionage against the US Government, corporations, and allies. It is improving its cyber attack capabilities and altering information online, shaping Chinese views and potentially the views of US citizens.”

The potential that adversaries will again attempt to meddle in the 2020 presidential election remains a top concern among intelligence leaders who anticipate that “US adversaries and strategic competitors almost certainly will use online influence operations to try to weaken democratic institutions, undermine US alliances and partnerships and shape policy outcomes in the United States and elsewhere.”

Source: Information Security Magazine

Japan to Hack IoT Ahead of 2020 Olympics

Japan to Hack IoT Ahead of 2020 Olympics

The Japanese government approved an amendment to allow government workers to hack into citizens’ internet of things (IoT) devices as part of efforts to improve cybersecurity ahead of the 2020 Tokyo Olympics.

Beginning next month, devices in people’s homes and offices will be subject to government scrutiny, whereby members of the National Institute of Information and Communications Technology will create usernames and passwords as they try to hack into upwards of 200 million devices, such as routers and webcams, according to NHK World.

According to a report from the Ministry of Internal Affairs and Communications Cyber-Security Office, two-thirds of the cyber attacks in Japan in 2016 targeted IoT devices. The heightened risk to connected devices at high-profile events like the Olympics has sparked a desire to mitigate risks with a heightened degree of urgency.

“IoT security is one of the greatest challenges we face today. IoT has gone unregulated and largely unsecured to date. That, paired with the sheer number and types of the devices being networked and connected to cloud interfaces and on-the-internet APIs and you have a perfect storm. A radical shift in approach is needed,” said Ashish Gupta, CEO, Bugcrowd.

“In Japan, which will soon be hit with an influx of visitors for the Olympic Games, the government has taken decisive action to make its citizens and visitors more secure. It’s not the first time a government has stepped in to help improve security for the country – this approach is similar to what Australia did with the hajime worm in 2017.

“While this is relatively novel to take this approach at this scale, many organizations take a similar approach – albeit on a smaller scale – and for good reason. Employee negligence when it comes to security is one of the biggest cybersecurity risks to businesses. Having a robust and proactive security posture is critical in today’s climate.”

Source: Information Security Magazine

Matrix Ransomware: A Threat to Low-Hanging Fruit

Matrix Ransomware: A Threat to Low-Hanging Fruit

In its 2019 Threat ReportSophos predicted a rise in targeted ransomware attacks. According to new research, Matrix, a copycat targeted ransomware that is flying under the radar, is one such threat that has been observed targeting single machines.

The recent ransomware report, published by SophosLabs, identifies brute-force attacks on weak remote desktop protocols (RDP) as the common thread between various strains of targeted ransomware, including Matrix, BitPaymer, Dharma, SamSam and Ryuk.

Matrix doesn't spread through an organization like SamSam, however. “The attackers’ ransom demands are not embedded within the ransom note. Atypically, the threat actors require victims to contact them first, and submit some of the encrypted files from the victim’s computer, and only then provide the victims with a Bitcoin address and the ransom amount,” the report said.

Though not as sophisticated as more popular attacks, Matrix comes equipped with additional tools that help it to carry out its attack.

“The malware executable bundles within itself several payload executables it needs to accomplish its tasks. It uses RDP within the networks it has infected once it has gained a foothold inside the network. Among the embedded components are some free, legitimate systems administrator tools the malware uses to achieve some of its goals,” the report said.

Interestingly, the malware authors seem to lack a level of professionalism notable in other malware authors, such as those who penned SamSam. With Matrix, researchers have seen several changes and mistakes during their monitoring of 96 samples of the malware. In some cases, the authors completely abandoned features that they had experimented with.

Also, the malware doesn’t seem to have a particular geographical distinction. “The country where the most customers encountered the malware was the United States (27.7% of Matrix detections came from the U.S.), followed by Belgium (16.7% of the detections),” the report said, but it has also been detected on machines in Taiwan, Singapore, Germany, Brazil, Chile, South Africa, Canada, and the UK.

The researchers reportedly played the role of a victim and contacted the malicious actors who demanded they pay that day's value of a Bitcoin and refrain from asking "stupid questions." However, "the authors' initial sassy attitude eventually morphed to a kind of desperation, as they continued to email us and dropped their ransom demand by nearly a third after we stopped responding to their messages."

Source: Information Security Magazine

Report: Majority of Small UK Businesses ‘Ignoring GDPR Risks’

Report: Majority of Small UK Businesses ‘Ignoring GDPR Risks’

Most small businesses in the UK have not updated or reviewed their data security and privacy policies since the GDPR came into force, according to new research from tech firm Appstractor.

The Under Attack: Assessing the struggle of UK SMBs against cyber criminals report assessed the views of 500 IT bosses at small UK companies and revealed the majority are ignoring GDPR risks seven months after the new rules were officially introduced.

Three quarters of those polled said their company is yet to take any action to improve how they store data, with a quarter of businesses having no plans to do so at all.

The findings make for concerning reading, particularly given research published by the Federation of Small Businesses prior to GDPR coming into force which claimed that 90% of small business were not GDPR-compliant.

Paul Rosenthal, CEO of Appstractor, said: “Small businesses have long been in denial about the threat they face from cyber-criminals and it seems this denial has carried over into the risk GDPR carries.

“It is not just the financial risk and the fines that can be imposed under GDPR, but businesses now have a responsibility to report a security breach to those whose data has been put at risk. The reputational damage alone of being known as a company that can’t keep its customers’ data safe can be enough to sink a small business before any financial fines are imposed.”

Whatever steps they decide to take, smaller businesses should at least be reviewing how they gather, store and secure customer data to ensure they are as compliant as possible, Rosenthal added. “Unfortunately, it seems many are not taking GDPR seriously enough which could have serious consequences.”

Source: Information Security Magazine

US Launches Major Effort to Disrupt North Korean Botnet

US Launches Major Effort to Disrupt North Korean Botnet

The US authorities have begun notifying victims of a notorious botnet run by North Korean state-sponsored hackers, as their efforts to disrupt the hermit nation's malicious activity increase.

A court order allowed the FBI and officers from the US Air Force Office of Special Investigations (AFOSI) to operate servers mimicking other peers in the Joanap botnet.

This enabled them to map the extent of the botnet and where infected machines are. The next stage is to notify the owners of those machines, most of whom will have no idea they’re unwittingly aiding a foreign power’s hacking campaigns.

The FBI is coordinating this process via ISPs and in some cases direct communications with the individuals, as well as communicating with foreign governments in cases where victims live abroad.

The Joanap botnet has been in operation since 2009, enabled by the first-stage Brambul worm which targets poorly secured Windows machines.

The latter spreads via a list of hard-coded log-in credentials, which it uses to brute-force its way into SMB shares. Once Joanap is dropped it goes on to scan for other potential victims.

The Joanap malware is a fully functional RAT able to receive multiple commands and linked by the US authorities to North Korean "Hidden Cobra" actors.

It enables them to exfiltrate data, drop additional payloads, initialize proxy communications on a compromised Windows device, manage files, processes and nodes and create and delete directories.

According to a US-CERT alert in May 2018, Joanap had been found on 87 compromised network nodes in countries including China, Spain, Sweden, India, Brazil and Iran.

“Our efforts have disrupted state-sponsored cyber-criminals who used malware to establish a computer network that gave them the ability to hack into other computer systems,” said US Attorney Nicola Hanna.

“While the Joanap botnet was identified years ago and can be defeated with anti-virus software, we identified numerous unprotected computers that hosted the malware underlying the botnet. The search warrants and court orders announced today as part of our efforts to eradicate this botnet are just one of the many tools we will use to prevent cyber-criminals from using botnets to stage damaging computer intrusions.”

Source: Information Security Magazine

Third-Party Breaches Plague Multiple Industries

Third-Party Breaches Plague Multiple Industries

From January 25 to 28, 2019, multiple organizations, including Discover Financial Services, Verity Medical Foundation, Verity Health Systems and Allen Chern LLP, have made routine filings in accordance with California state law, reporting cybersecurity incidents that may or may not be data breaches, according to the office of the Attorney General (AG).  

The AG’s website notes, “In some cases the organization that sent the notice is not the one that experienced the breach,” and each of the companies that have filed in the past five days has asserted the information was compromised as a result of some unauthorized activity of a third-party vendor.

“Discover was not breached in this incident and our information and data systems were not compromised. This incident was the result of a merchant data compromise, and not the result of any action by Discover or an intrusion of our customer information systems,” a Discover spokesperson wrote in an email.

“We re-issued cards out of an abundance of caution for our cardholders. Our notices to all customers state that 'this breach did not involve Discover card systems.'”

According to Colin Bastable, CEO of Lucy Security, third parties are the CISO’s Achilles' heel. “It appears to be a classic case of a third party’s failure to protect Discover Card customer data. Discover is not going to feel it, but the buck has stopped somewhere down their food chain.”

Health records and payment card data are some of the most highly sought-after data for sale on the dark web, and “these kind of breaches create a lot of stress on both the issuers’ side and on consumers – regardless of whether an issuer was actually the target of a breach or a merchant in the network,” said Felix Rosbach, product manager at comforte AG.

“It’s crucial to protect sensitive data over the entire data lifecycle – from the POS device to processing to backup. Implementing data-centric security, which means protecting data at the earliest possible point and de-protecting it only when absolutely necessary, is the only way forward.”

Still, enterprises continue to trust that their data is secure when put in the hands of its partners, often without having done a thorough review of the security practices of their downline vendors.

“Until the market adopts a more sophisticated approach to third-party cyber-risk management that provides visibility at scale and with cost efficiency, these incidents will continue to occur frequently," said Fred Kneip, CEO, CyberGRX.

Source: Information Security Magazine

65 Fortune 100s Downloaded Flawed Apache Struts

65 Fortune 100s Downloaded Flawed Apache Struts

Despite Apache Struts releasing multiple updates to its software in the nearly two years since the Equifax breach, Sonatype published research which found that between July and December 2018, two-thirds of the Fortune 100 companies downloaded the same vulnerable version of Apache Struts that was used in the infamous Equifax breach, according to an email from Sonatype.

“According to our analysis of The Central Repository (defacto repository of Java components used by all the popular Java build tools as the source of the components by default), over last 6 months of 2018 – we saw 65 of the Fortune Global 100 have downloaded vulnerable versions of Struts,” a spokesperson wrote.

“Beyond Struts, this problem of electively consuming known vulnerable open source components is a large issue that extends across all industries.  In 2018, Sonatype (Central report again) and npm reported that 12.1% of Java open source components and 51% of JavaScript npm packages downloaded had known vulnerabilities. Equifax is actually now leading the charge and taking action to manage their software supply chains. While Equifax has changed, too many others haven't learned their lesson; it's clear that the cost of inaction, is massive,” according to the spokesperson.

“The scope of companies that are still using CVE-2017-5638 demonstrates the importance of vulnerability identification. A researcher in our Crowd of ethical hackers identified CVE-2017-5638 months before the Equifax breach and submitted that information to one of our customers, a major worldwide financial services company. As a result, the customer remediated the vulnerability before a bad actor could take advantage of it,” said Ashish Gupta, CEO of Bugcrowd.

Vulnerability disclosures are intended to raise awareness and help to mitigate risks. After the Equifax breach, it was expected that more companies would have taken security seriously.  

“We found the same vulnerability in major credit company’s environment several months before the Equifax breach and help prioritize and remediate the issue well before the company faced any reputational or financial risk from this vulnerability,” Gupta said.

“Since then we have worked with our researchers and other customers to further protect themselves from the Struts vulnerability successfully. If you haven’t already done so, anyone with Apache Struts in their environment should patch immediately. The best protection against such a breach is a layered defense-in-depth approach, a strong SDL (security development lifecycle) for all application development including a bug bounty. The security research community wants to help organizations find and fix these issues.”

Source: Information Security Magazine

Digital Growth Exposes Firms to Complexity and Threats

Digital Growth Exposes Firms to Complexity and Threats

Digital transformation is exposing organizations to greater IT complexity and cyber-risk, according to new global research from Thales eSecurity.

The security vendor polled 1200 execs with responsibility for IT and data security in nine countries around the world to compile its 2019 Thales Data Threat Report.

It found that over a third (39%) class themselves as belonging to one of the two most advanced digital transformation categories defined by report author IDC. This means they’re either “aggressively disrupting” markets or embedding digital into the enterprise to become more agile.

Nearly all (97%) admitted they will use sensitive data in these emerging technologies. This is a major risk, given that traditional corporate network perimeters are a thing of the past as more fluid cloud and mobile technologies dominate.

It’s also a concern given that these new digital platforms can add greater complexity, according to the vendor. For example, 40% of firms polled are using multiple cloud platforms across SaaS, PaaS and IaaS models.

Respondents also claimed “complexity” was the number one perceived barrier to implementing data security.

It’s perhaps not surprising that 86% of the IT executives surveyed admitted their organization is vulnerable to data security threats, with over a third (34%) claiming they’re “very” or “extremely” at risk.

These aren’t theoretical risks: 60% of respondents claimed to have been breached in the past, including 34% in the past year.

Despite the risks, less than 30% currently use encryption, despite it being one of only two technologies named explicitly in the GDPR.

Organizations are splitting their efforts between different layers of the IT environment, spending on average 36% of their time on networks, 34% on data, and 30% on application security.

The report also warned that only half of global firms expect to see an increase in their IT security budgets.

“Our research shows that no organization is immune from data security threats and, in fact, we found that the most sophisticated organizations are more likely to indicate that they have experienced a data security breach,” argued IDC research VP, Frank Dickson.

“This trend is consistent no matter how we define the sophistication of the audience: those who are spending more on IT security, those for whom data security is a larger portion of their security budget, or those who are further along in their digital transformation journey.”

Source: Information Security Magazine

Global Ransomware Attack Could Cost $193 Billion

Global Ransomware Attack Could Cost $193 Billion

A major global ransomware attack could cost organizations an estimated $193bn, with those in the US worst affected, according to a new cyber-risk report.

Bashe attack: Global infection by contagious malware, was produced by the Singapore-based Cyber Risk Management (CyRiM) project, of which Lloyd’s of London and other insurers are founding members.

It paints a scenario not unlike WannaCry or NotPetya, in which a ransomware ‘worm’ goes global, causing untold damage.

The report’s hypothetical attack begins with a malicious email directed at one organization, which is opened, triggering the ransomware download. The malware then spreads itself to connected networks and forwards itself to all contacts.

The report estimates that as many as 600,000 businesses globally could be affected by such an attack, with the resulting financial damage hitting anywhere between $85bn and $193bn.

In the most severe scenario, US organizations lose $89bn, European firms suffer $76bn in losses and those in Asia escape relatively lightly with a $19bn hit.

In this scenario, retail and healthcare (both $25bn) would be the worst affected industries, with payment system disruption crippling commerce and lengthy delays in recovery due to infection of legacy healthcare IT systems.

Manufacturing is the next most impacted sector, suffering $24bn in losses thanks to encryption of production equipment and inventory management systems. This will also have a major knock-on impact for the supply chain, the report claimed.

With a staggering 86% of total economic losses currently uninsured, organizations could be on the hook for $166bn if such an attack hit home, the report concluded.

Ed Macnair, CEO of CensorNet, argued that with the right email security, most organizations could mitigate the risk of a global threat on this scale.

“This research has been based on a phishing attack and the kind of spread they are talking about would be prevented if just a couple of companies had email security in place. The chances are many more than that do,” he claimed.

“Cyber insurance is a good idea to have, but without preventative tools in place it’s the same as insuring your home contents and leaving the door unlocked. It’s there as a back-up and, if you do everything right, shouldn’t be needed.”

Source: Information Security Magazine

Global Police Close Notorious Online Marketplace

Global Police Close Notorious Online Marketplace

Europol and the FBI are celebrating this week after announcing the takedown of a notorious marketplace for breached server credentials.

The xDedic site was first revealed back in 2016 when Kaspersky Lab was tipped off by a European ISP. The security vendor claimed it provided a platform for the trade of log-ins to as many as 70,000 corporate and government servers, starting at just $6.

Users could search for servers by various criteria including price, OS and geographic location. Affected organizations including hospitals, governments, law firms, universities and many more.

With control of these organizations' servers, cyber-criminals could launch DDoS, click fraud, crypto-mining and other attacks. It’s claimed that xDedic enabled over $68m in fraud, with those behind the marketplace are said to have made a commission on each sale.

Last year, police in Belgium and Ukraine, backed by Europol, signed a Joint Investigative Team agreement. Together with the FBI, they tracked down and last week seized the servers used by xDedic’s administrators, while Ukrainian police announced key arrests.

The German Bundeskriminalamt provided assistance also helped with the server seizures, while in the US, the FBI was aided by the Immigration and Customs Enforcement’s Homeland Security Investigations and the Florida Department of Law Enforcement, alongside the Department of Justice’s Office of International Affairs and the Criminal Division’s Computer Crime and Intellectual Property Section.

While the news is a welcome reminder of the success that can come from co-ordinated law enforcement work, it would be wise not to overstate its significance, according to Hi-Tech Bridge CEO, Ilia Kolochenko.

"Unfortunately, this is just a drop in the ocean of the stolen data market. Other similar markets and platforms of different sizes exist, including more discreet ones where one can buy virtually anything including access to breached law enforcement systems and stolen data. Worse, cyber-criminals will certainly learn a lesson and move their data and servers to other jurisdictions immune to justice,” he argued.

“We should treat the root cause of skyrocketing cybercrime – growing economic inequality and global poverty. Otherwise, while we dig up standalone trees, a dark forest will grow behind. Hopefully, the seized data will shed some light on previously unknown data breaches and help to investigate them." 

Source: Information Security Magazine