Archive for January 2019

Emotet Trojan Targets Education, Gov and Healthcare

As 2018 rounded to a close, Malwarebytes predicted that Emotet and Trickbot were the future of malware, and the third annual State of Malware Report released today confirms that the Trojan families spread wildly, most often targeting the education, government, manufacturing and healthcare sectors.

The old adage, "When one goes up, the other comes down," rang true with malware attacks in 2018. By the second quarter of the year, there was a notable decline in crypto-mining attacks, which saw only a 7% year-over-year increase; however, there was significant rise in information-stealing malware. The former banking Trojans Emotet and TrickBot plagued the education industry, while manufacturing suffered attacks from WannaCrypt and Emotet.

“The year 2018 was action-packed from start to finish,” said Adam Kujawa, director of Malwarebytes Labs, in a press release. “It began with threat actors diversifying their cryptomining tactics; broadening their reach to Android, Mac and cryptomining malware; and experimenting with new innovations in browser-based attacks.”

Seven categories of malware were detected within businesses, with Trojans, RiskWare tools, backdoors and spyware as the top four as a result of a more than 100% year-over-year increase. Vools was the top detection among backdoor compromises, according to the report.

“Year after year, we see cyber perpetrators finding new (and old) avenues for monetizing on their attacks. Regardless of whether it is ransomware, mineware or 'good old' Trojans and info stealers, the strategy is the same: find the weakest link and abuse it for initial infiltration, then deploy the 'profit module' of your choice,” said Matan Or-El, co-founder and CEO of Panorays.

If the report offered any good malware news, it was that consumer attacks declined, despite business threats increasing by 79%. “Despite the focus on business targets, consumer malware detections only decreased by three percent year over year, thanks to increases in backdoors, Trojans, and spyware malware categories throughout 2018. While 2017 saw 775,327,346 consumer detections overall, 2018 brought with it about 25 million fewer instances of infection – a healthy decrease in number, percentages aside,” the report said.

Last year also witnessed a rise in rogue app attacks, with extensions that fooled both users and app stores into thinking they were legitimate. Also, as Infosecurity reported, Magecart covered a lot of ground in its widespread attacks on e-commerce sites.

Finally, sextortion made its way to the top 10 takeaways list. “Major scams for the year capitalized on stale PII from breaches of old. Phishing emails were blasted out to millions of users in extortion (or in some cases, sextortion) attempts, flashing victims’ old, but potentially still viable, passwords and warning them that they’d expose their secrets if they didn’t pay up.”

Source: Information Security Magazine

2018: The Year of Next-Generation Attacks

Enterprises around the globe are facing a new breed of cyber-attacks that are largely fueled by geopolitical tensions, according to Carbon Black’s 2019 Global Threat Report.

Last year cybersecurity professionals struggled to defend against increasing crypto-mining attacks, along with fileless attacks, ransomware and commodity malware, marking 2018 as the year of the next-generation of attacks.

“Modern cyberattacks appear to increasingly…reveal how clever attackers have become in evolving to remain undetected – using techniques such as lateral movement, island hopping and counter incident response to stay invisible,” the report stated.

The data analyzed in the study found that, in aggregate, enterprises saw approximately one million attempted cyber-attacks per day, though half of today’s cyber-attacks use the victim primarily for island hopping.

Governments around the globe experienced increased attacks that appeared to stem from Russia, China and North Korea. “Of the identified fileless attacks, variants of the malware Graftor were uniquely identified as the fileless payload. The FBI has high confidence that Graftor variants are used by North Korean cyber operations, also referenced as HIDDEN COBRA, to maintain presence on victim networks and to further network exploitation,” the report stated.

In addition, the threat data revealed that computers/electronics, healthcare, business services, internet/software and manufacturing were the five industries most targeted by cyber-attacks in 2018.

Kryptic was the most commonly used ransomware variant in 2018, and the five industries most targeted with ransomware were manufacturing, business services, retail, government and computers/electronics.

The data also showed that the average endpoint “was targeted by two cyberattacks per month throughout 2018. At this rate, an organization with 10,000 endpoints is estimated to see more than 660 attempted cyberattacks per day.”

Another key finding of the study found that approximately $1.8 billion of cryptocurrency-related thefts transpired last year, up from the $1.3 billion in total losses reported by the FBI in 2016, and cyber-criminals have largely shifted from Bitcoin to Monero as their currency of choice.

“Of the identified attacks, cryptocurrency exchanges are the most vulnerable target for cybercriminals. Attacks on these exchanges account for just over 27% of all reported incidents. These exchanges represent prime targets for cryptocurrency theft, fraud and harvesting of user information for follow-on targeting by these same criminals.”

Source: Information Security Magazine

Hacker Demos Jailbreak of iOS on iPhone X

A security researcher with the Qihoo 360 Vulcan Team, Qixun Zhao (@S0rryMybad), has revealed the second stage of an exploit chain in which he was able to remotely jailbreak the latest iOS system on iPhone X.

In a January 23 blog post, Zhao released the proof of concept (PoC) of a kernel vulnerability that can be reached in the sandbox, which he dubbed Chaos. For the benefit of beginners, he provides what he calls elaborate details on the tfp0 exploit, though he does not reveal the exploit code.

Instead, he stated, “if you want to jailbreak, you will need to complete the exploit code yourself or wait for the jailbreak community’s release. At the same time, I will not mention the exploit details of the post exploit, as this is handled by the jailbreak community.”

Zhao does demonstrate the jailbreak in a video posted to Twitter.

Following his intuition, Zhao said he believed there would be a path that would cause a leak, which he found could be exploited before iOS 12 even started in the sandbox.

Noting that the bug has been fixed in the most recent version, Zhao wrote, “As soon as I saw the code I felt that this part of the code is definitely lacking review and the quality is not high enough. After all, the code that can be directly reached in the sandbox, that means the kernel developer may not be familiar with the rules for generating MIG code. This information is more important than finding the bug in the above.”

Despite the misguided belief that PAC mitigation was the end of UaF or jailbreak, Zhao said the UaF hole can still be used in the PAC environment. “We can see that in the whole process of getting tfp0, we didn't need to control the pc. This is because there was a port property value in the object ipc_voucher we released. The exploitation of the UaF vulnerability depends greatly on the data structures of the released object, as well as how to use them, since in the end we have to convert to type obfuscation."

Source: Information Security Magazine

US Confirms Huawei CFO Extradition Plans

US officials have confirmed their intention to formally extradite Huawei CFO Meng Wanzhou from Canada to face criminal charges, according to reports.

Meng, who is also the daughter of founder Ren Zhengfei, was arrested in Vancouver on December 1 last year at the request of Washington.

A statement from the Department of Justice confirmed that the US plans to meet the 60-day deadline for filing a formal extradition demand, which runs to January 30.

“We will continue to pursue the extradition of defendant Ms. Meng Wanzhou, and will meet all deadlines set by the US/Canada Extradition Treaty,” said DoJ spokesman Marc Raimondi, in the reported statement. “We greatly appreciate Canada’s continuing support of our mutual efforts to enforce the rule of law.”

The news will likely inflame Sino-Canadian diplomatic relations as Beijing continues to lambast Ottawa for what it sees as a geopolitical decision, while Justin Trudeau’s government stands firm on the rule of law.

Beijing has apparently retaliated by arresting two Canadians on suspicion of spying.

It is alleged that Meng participated in a conspiracy at the telecoms equipment giant to trick US banks into breaking sanctions on Iran. This was apparently done by pretending that subsidiary Skycom was not connected to the Shenzhen firm.

Although Huawei has repeatedly claimed it does not represent a national security risk, governments around the world are getting cold feet, following America’s lead in sidelining its role or banning outright its technology in upcoming 5G networks.

The UK is one of the few Five Eyes countries which has taken a fairly liberal stance with the Chinese firm, although an official change in its policy could be on the cards.

Back in November the government reminded 5G network providers to ensure their suppliers are heavily vetted for security.

In a rare appearance, MI6 boss Alex Younger said in December: “We need to decide the extent to which we are going to be comfortable with Chinese ownership of these technologies and these platforms in an environment where some of our allies have taken a quite definite position.”

Source: Information Security Magazine

Security Boffins Block 100K Malicious Sites in 10 Months

Hundreds of security researchers have come together in a global non-profit project, working to take down 100,000 malicious websites in just 10 months.

Revealed on Monday, the stats are testament to the power of information sharing among the information security community and hosting providers, when they work together to fight a common foe, according to

The non-profit’s URLhaus project saw 265 researchers work together to identify and submit 300 malware sites each day over the period. This makes it easier for hosters to spot and remediate any bad domains on their networks.

“This is not an easy task, especially for large hosting providers that have tens of thousands of customers and hence a significant amount of hijacked websites in their network that are getting abused by cyber-criminals to distribute malware,” the non-profit explained.

However, despite its early success, there’s still a long way to go. URLhaus claimed to observe 4,000-5,000 active malware distribution sites every day, and that they stay active for over eight days on average, potentially infecting thousands of devices in the process.

In China, things are even worse: the three top malware hosting networks have an “average abuse desk reaction time” of over a month.

Of the 380,000 malware samples collected by the project over the past 10 months, Emotet/Heodo was the most common.

“Emotet gets propagated through spam that hits users’ inboxes almost every day. These malspam campaigns usually contain a malicious Office document with macros. Once the victim opens the document and enables macros, it will automatically download and execute Emotet from a compromised website,” explained.

“To bypass spam filters, these malspam campaigns sometimes point to a compromised website that hosts the malicious Office document instead of attaching it to the email directly. To dismantle these campaigns and prevent users from getting infected with Emotet, it is essential that the associated malware distribution sites are getting cleaned up in time by the responsible hosting provider.”

The group urged national CERTs, ASN operators and TLD owners to subscribe to the free URLhaus feed and implement its free block lists.

Source: Information Security Magazine

Servers Grab Client Files via MySQL Design Flaw

Attackers can potentially run a malicious MySQL server and gain access to connected data, according to a new security alert.

MySQL has issued a security notice resulting from issues with the LOAD DATA LOCAL statement, noting that the “statement can load a file located on the server host, or, if the LOCAL keyword is specified, on the client host.”

The design flaw exists in the file transfer interaction between a client host and a MySQL server, according to BleepingComputer. Leveraging this attack would allow a malicious actor to steal sensitive information from a web server that is not properly configured, either because it permits connections to untrusted servers or through exposed database management applications.

According to the security notice, there are two potential security concerns. “The transfer of the file from the client host to the server host is initiated by the MySQL server. In theory, a patched server could be built that would tell the client program to transfer a file of the server’s choosing rather than the file named by the client in the LOAD DATA statement. Such a server could access any file on the client host to which the client user has read access. (A patched server could in fact reply with a file-transfer request to any statement, not just LOAD DATA LOCAL, so a more fundamental issue is that clients should not connect to untrusted servers.)”

In a January 20 blog post, security researcher Willem de Groot responded to the security notice’s claim that this flaw could be leveraged “in theory,” noting that “an Evil Mysql Server which does exactly that can be found on GitHub, and was likely used to exfiltrate passwords from these hacked sites. And could be used to steal SSH keys and crypto wallets, as interfail points out.”

“Although this may not sound critical, since most users are not easily fooled into connecting to an attacker's MySQL server, there are in fact many web servers with exposed database management interfaces that allow attacker-initiated connections to arbitrary servers,” said Craig Young, computer security researcher for Tripwire’s Vulnerability and Exposure Research Team (VERT).

“Website administrators must be aware that such pages, even when not linked to other content, may be discovered and abused by attackers. Administration tools like Adminer should not be left unprotected in any circumstances.”
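The notice above describes the mechanism: the server, not the client, decides when a client-side file is transferred, so a client must not trust a file-transfer request it did not ask for. The following Python is an added example (not code from MySQL, BleepingComputer or any of the researchers quoted) of the check a hardened client would apply to a server response: it parses the MySQL wire packet framing (3-byte little-endian length, 1-byte sequence id, payload), recognises the LOCAL INFILE request marker byte 0xFB, and honours the request only when the client itself issued LOAD DATA LOCAL INFILE for exactly that path. The packets and file names below are constructed for the demonstration.

```python
import re

# First payload byte of a server "LOCAL INFILE Request" packet in the MySQL protocol.
LOCAL_INFILE_REQUEST = 0xFB


def build_packet(seq: int, payload: bytes) -> bytes:
    """Frame a payload as one MySQL wire packet (used here only to construct samples)."""
    n = len(payload)
    return bytes([n & 0xFF, (n >> 8) & 0xFF, (n >> 16) & 0xFF, seq]) + payload


def parse_packet(raw: bytes):
    """Split one MySQL wire packet into (sequence_id, payload).

    Framing: 3-byte little-endian payload length, 1-byte sequence id, then payload.
    """
    if len(raw) < 4:
        raise ValueError("truncated packet header")
    length = raw[0] | (raw[1] << 8) | (raw[2] << 16)
    seq = raw[3]
    payload = raw[4:4 + length]
    if len(payload) != length:
        raise ValueError("truncated packet payload")
    return seq, payload


def expected_local_file(statement: str):
    """Return the client-side file named by the client's own LOAD DATA LOCAL INFILE
    statement, or None when the statement does not legitimately ask the client to
    upload anything (plain SELECTs, server-side LOAD DATA INFILE, ...)."""
    m = re.match(
        r"\s*LOAD\s+DATA\s+(?:LOW_PRIORITY\s+|CONCURRENT\s+)?LOCAL\s+INFILE\s+'([^']*)'",
        statement,
        re.IGNORECASE,
    )
    return m.group(1) if m else None


def vet_server_response(raw: bytes, statement: str):
    """Decide whether the server's response to `statement` may be honoured.

    Returns (allowed, requested_path). Ordinary OK/ERR/result packets are always fine;
    a file-transfer request is allowed only if the client sent LOAD DATA LOCAL INFILE
    for that exact path. Anything else is the rogue-server behaviour described in the
    MySQL notice (a file request in reply to an unrelated statement) and is refused.
    """
    _, payload = parse_packet(raw)
    if not payload or payload[0] != LOCAL_INFILE_REQUEST:
        return True, None
    requested = payload[1:].decode("utf-8", errors="replace")
    wanted = expected_local_file(statement)
    return (wanted is not None and requested == wanted), requested


if __name__ == "__main__":
    # Constructed sample: a server answering "SELECT 1" with a file request.
    rogue = build_packet(1, b"\xfb/home/user/private.txt")
    print(vet_server_response(rogue, "SELECT 1"))  # (False, '/home/user/private.txt')
```

The robust setting is simply to leave LOCAL INFILE disabled on the client side (for the mysql command-line client, `--local-infile=0`) unless a specific import needs it; the check above is what a client would need if it does enable it.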

Source: Information Security Magazine

Two Elasticsearch Databases Found Unprotected

After news broke that an Elasticsearch server belonging to several online casinos was left without a password, independent security researcher Bob Diachenko discovered another unprotected Elasticsearch database from AIESEC, a global, youth-run nonprofit.

A database breach exposed more than four million intern applications with personal and sensitive information on a server without a password. The database reportedly contained information included in applications that had been tagged as "opportunity applications" for AIESEC internships and "included sensitive information as email, full name, DOB, gender, plus a detailed description on their intentions for applying for AIESEC as well as interview details,” according to Diachenko’s blog post on SecurityDiscovery.

“Basically, AIESEC was using software that is great for giving their staff access to money-making data, but they focused far too little on protecting the data,” said LUCY Security CEO Colin Bastable.

“GDPR penalties apply to the global revenues of virtue-signaling nonprofits just as much as they do to their virtue-seeking corporate sponsors. I suspect they will get a slap on the wrist, and the IT budget will be invested appropriately in keeping Laurin Stahl out of the IT security press next year. There is probably a significant proportion of nonprofits that are vulnerable in this way, so they should take this as a warning to get serious about securing consumer data. The message for consumers is [that] you can’t trust any organization with your personal data, even if they are driven by the most noble ideals, so share with care.”

This is the second misconfiguration in an Elasticsearch database disclosed this week. News also broke that a password-less Elasticsearch server belonging to a variety of online casinos had compromised the information on over 108 million bets, including customers’ payment card info, full names, home addresses, phone numbers, email addresses, birth dates, site usernames, account balances, IP addresses, browser and OS details, last login information and more.

The payment card details indexed in the server were partially redacted, however, suggesting that they were not exposing each user’s full financial details. The leaky server was found last week and was just taken offline on January 21, making it no longer accessible.

“This breach is yet another example of a company leaving a server and critical information unsecured without any password protection, an unfortunate trend that has been the cause of many recent leaks, such as the VOIPo and Oklahoma Securities Commission’s latest incidents,” said Mark Weiner, CMO, Balbix.

He continued, “108 million bets were exposed by this data leak, including full names, home addresses, phone numbers, email addresses and account balances that could be used by malicious actors as a part of phishing scam to target those who recently won large sums of money. Fortunately, the exposed payment card data was partially redacted, meaning that users did not have their full financial information exposed.”

Source: Information Security Magazine

Looking to Attract Cybersecurity Talent? Enhance Your Covert Ops. Domini Clark to The Staffing Stream

Blackmere founder and cybersecurity recruiting expert Domini Clark shared her tips on how to attract cybersecurity talent in a recent article in The Staffing Stream.

Excerpt from the article:

Cyber-attacks are on the rise, with a 38% jump in security incidents from 2014 to 2015. Companies in all industries are vulnerable, regardless of size – some 43% of attacks target small business. Attacks can cost into the millions for a single data breach, and more than half of these costs are related to lost business due to customer churn.

Since the best approach is prevention, it’s clear that cybersecurity needs to be part of your IT program. Finding the right talent is not so clear. Cybersecurity professionals are a unique group, so you’ll need a recruitment approach that is different from what you’re using with other positions.

A Unique Profile

The best in the trade think like the criminals they oppose, enabling them to anticipate hacker tactics and identify chinks in a system’s armor. Insiders joke that superstars have an “evil bit” (as in bits and bytes) in the code of their personalities. “Paranoid” is too strong a word, but they tend to be hyper-cautious, and some take pride in operating under the radar.

Very few post résumés, so you’ll need to leverage your best networking skills and hardcore power searching techniques. Be creative, Sherlock. But don’t email a link — they don’t click on links from unknown sources. Send a PDF with instructions for connecting with you.

Sell, Sell, Sell

Some estimate that half of cybersecurity professionals get a recruitment call at least once a week. If you reach out with a standard list of duties and requirements, your message will wash out among all the other background noise. You have to court talent in all areas, especially with hard-to-fill roles. Don’t think of it as a job posting, think of it as a sales pitch. Instead of focusing on what your company needs, lead with the selling points that will engage your target audience.

In general, cybersecurity professionals want the opportunity to:

  • Take on intriguing work that is varied and unique.
  • Try new tools and techniques to keep up with the ever-evolving threat landscape.
  • Do more than just scratch the surface, including taking some deep dives into systems and code.
  • Work remotely, even if only two or three days a week.
  • Receive recognition and rewards, like the rest of us.

Apply Social Media Liberally

The content doesn’t have to be about job openings. Think of social media as digital pheromones that make your company attractive. Have team members in all disciplines share their ideas and insights. Blogs and tweets help establish your company as a thought leader, enhancing your brand.

But be sure to target the cybersecurity community specifically, including forums and discussion groups. Encourage your existing cybersecurity and IT talent to write blog posts and white papers on the topic. Spray those pheromones where they’ll get the best results.

Stay Loose

With a pool this small, you can’t run an effective search if you focus only on screening people out. Loosen the requirements. For example, since security threats are constantly evolving, a degree probably isn’t as important as current experience. Another tactic: Instead of asking for five to seven years of experience, ask for three to five and highlight the opportunity for career growth.

Hopefully you weren’t expecting fast and easy tips for recruiting cybersecurity talent. You’ll have to invest time and money, but you can think of it as insurance against multi-million dollar losses.

Americans Feel Fated to Fall Prey to Cybercrime

Only a few days after the Senate Committee on Aging released a new report in which it found that seniors lose an estimated $2.9 billion each year to financial scams, the insolvency services of Nyman Lisbon Paul and the UK’s Driver and Vehicle Licensing Agency (DVLA) have issued scam alerts warning consumers to beware of cyber scams.

Two weeks ago, Infosecurity reported that 60% of consumers in the UK were leaving themselves vulnerable to scams, and today, Nyman Lisbon Paul tweeted a warning that “pension scam victims lost an average of £91,000 to criminals in 2018, Financial Conduct Authority (FCA) research recently revealed. Criminals often use cold-calls and offers of free pension reviews to convince their victims to comply.”

As scams become more commonplace, government agencies, organizations and concerned citizens are taking to social media to caution consumers about the myriad scams to which they could fall victim. One Twitter user posted:

In an effort to prevent people from falling victim to this and other scams, “DVLA is reminding customers that the only official place to find our services and information is on GOV.UK. Cyber scams are common so we want to help our customers to spot fraudulent activity.”

However, these warnings might be ineffective. According to a recently released report from ERP Maestro that examined the relationship Americans have with cybercrime and identity theft, 76% of Americans believe it is inevitable that they will fall victim to either identity theft or some form of cybercrime. As a result, 48% confess that they are not concerned about becoming a victim. The report found that when it comes to consumer attitudes and behaviors, 57% of Americans believe that if something happens, the damage will be reversed.

In addition, 68% of Americans feel that there is little to nothing they can do to prevent falling victim to cybercrime. Those habits can be potentially dangerous for companies that employ people who don’t take cybersecurity seriously.

"While our mission is to protect companies from cybercrime on the inside, we wanted to examine how concerned people are about cybercrime in their personal life to see if cyber safety is practiced similarly professionally," said Jody Paterson, founder and CEO of ERP Maestro, in a press release.

"Good cybersecurity habits should be practiced at both work and home, but these responses may indicate that the same beliefs and behaviors on cybercrime are also brought into the workplace, and that is a huge risk for companies."

Source: Information Security Magazine

Dark Web Drug Dealers Get 43 Years

Three dark web drug dealers have been sentenced to a total of over 43 years for supplying hundreds of customers worldwide with notorious opioid fentanyl.

Jake Levene, 22, Lee Childs, 45, and Mandy Christopher Lowther, 21, were sentenced last week at Leeds Crown Court after pleading guilty to exporting and supplying class A drugs.

The group mixed fentanyl and its analog carfentanyl with bulking agents at an industrial unit in Leeds before selling them on sites like AlphaBay under the name “UKBargins,” according to the National Crime Agency (NCA).

It’s unclear how they were brought to justice, although the trio were arrested in April 2017, less than three months before the AlphaBay and Hansa takedowns. When police raided the unit, a laptop was found displaying the UKBargins store on AlphaBay.

Childs was apparently caught on CCTV in a Post Office mailing hundreds of packages of drugs to customers worldwide including as far afield as Australia, Argentina and Singapore.

Between December 2016 and April 2017 the three are said to have turned over £163,474 — selling 2,853 items to 443 customers worldwide, including 172 in the UK.

During the raid, 2.6kg of carfentanyl was recovered including a packet of 440g pure carfentanyl, the largest such seizure of its kind in Europe, according to the NCA.

The drug is said to be 10,000 times more potent than morphine, while fentanyl is up to 10 times stronger. Both have been linked to countless deaths over recent years.

“Fentanyl and carfentanyl are extremely potent, the latter having no medical uses for humans. Not only is it potentially lethal for those taking it, these drugs pose a serious danger to all those that come into contact with them, be that first responders like law enforcement and medical staff, or in this case, postal staff,” said NCA senior investigating officer, Graham Roberts.

“The lengthy jail terms handed down to them today are a reflection on their dangerous and careless actions.”

Source: Information Security Magazine