Intelligent Connections. Recruiting Integrity.
Call Us: 415-510-2973

Archive for June 2019

New Dridex Variant Evading Traditional Antivirus

New Dridex Variant Evading Traditional Antivirus

Only 10 days after malware researcher Brad Duncan reported analysis on a new variant of Dridex that bypasses mitigation of application whitelisting techniques by disabling or blocking Windows Script Host, eSentire discovered a new infrastructure pointing to a similar Dridex variant.  

“Dridex malware targets banking information and is delivered via email in the form of a malicious document with embedded macros,” eSentire Threat Intelligence wrote. “At the time of discovery only six antivirus solutions of about 60 detected suspicious behavior. About 12 hours later, on the morning of June 27, 16 antivirus solutions could identify the behavior.”

As has been the case with the Emotet malware, Dridex has also had many iterations, with its presumed first appearance as Cridex back in 2011. “Over the last decade, Dridex underwent a series of feature augmentation, including a transition to XML scripts, hashing algorithms, peer-to-peer encryption, and peer-to-command-and-control encryption. Like Emotet, each new version of Dridex traces a further step in the global arms race as the security community responds with new detection and mitigations,” researchers wrote.

It is believed that Dridex will continue to see more variations. “Given the same-day deployment and implementation of the ssl-pert[.]com domain on June 26th and a tendency to utilize randomly generated variables and URL directories, it is probable the actors behind this variant of Dridex will continue to change up indicators throughout the current campaign,” the report said. 

Initially the malware was delivered through a malicious document in an email; however, the different variations allow the macros to respond to different levels of employee engagement, according to the report. 

“Given email as the initial access point, employees are the first line of defense against this threat. Expect financial departments to be targeted by unsolicited invoices carrying malicious macros within. Some antivirus engines were able to detect (but not specify) the suspicious behavior. Given the rapid turnover of infrastructure and indicators, signature-based antivirus solutions will continue to have gaps throughout the Dridex campaign,” the report said.

Source: Information Security Magazine

Client Data at Ford, TD Bank Exposed by Attunity

Client Data at Ford, TD Bank Exposed by Attunity

Another company charged with managing and safeguarding client data, Attunity, left client data files exposed on the internet, according to a June 27 report from UpGuard. The incident has reportedly impacted clients, including Ford and the TD Bank, whose customer information was publicly accessible. 

Researchers disclosed that three Amazon S3 buckets used by the data management company have now been secured. “Of those, one contained a large collection of internal business documents. The total size is uncertain, but the researcher downloaded a sample of about a terabyte in size, including 750 gigabytes of compressed email backups. Backups of employees’ OneDrive accounts were also present and spanned the wide range of information that employees need to perform their jobs: email correspondence, system passwords, sales and marketing contact information, project specifications, and more,” researchers wrote. 

This news comes on the heels of reports that Attunity had left a terabyte of data from Amazon Web Services exposed only a month ago. “In order to prevent putting yourself or your valued customers in a similar situation and making headlines for all the wrong reasons, it's vital that you integrate a comprehensive privileged account management (PAM) program into your security plan,” said Todd Peterson, security evangelist at One Identity.

Despite recommendations that companies change the default admin password on any system and implement a password vault, many organizations continue to have security issues that stem from misconfiguration.

“It’s no wonder that third-party risk has become the most significant cyber issue for organizations around the globe – lax understanding of third parties' security posture and practices is creating a massive weak spot for all organizations across all industries. Simply trusting business partners to do the right thing is irresponsible – companies need to do robust monitoring,” said Jake Olcott, VP at Bitsight.

Source: Information Security Magazine

Attackers Hack PCM Inc. to Access to Client Files

Attackers Hack PCM Inc. to Access to Client Files

A US-based cloud solutions provider, PCM Inc., has experienced what KrebsOnSecurity called a “digital intrusion,” which enabled hackers to access the email and file-sharing systems of some of the company’s clients.  

“Sources say PCM discovered the intrusion in mid-May 2019. Those sources say the attackers stole administrative credentials that PCM uses to manage client accounts within Office 365, a cloud-based file and email sharing service run by Microsoft Corp,” Krebs wrote. 

Krebs said it is unclear whether there is a link between the Wipro compromise and this latest incident at PMC. "As a bystander, it does seem possible that both the Wipro and PCM compromises are connected. As for the connection to Cloud Hopper, it is not surprising that Chinese groups are attacking the ISPs and cloud providers,” said Jonathan Oliveira, cyber-threat intelligence analyst at Centripetal.

“The growing trend of targeting employees who work at cloud providers makes plenty of sense because why would an attacking group want to waste time and resources brute-forcing when employees statistically offer the best avenue of approach into a network? These employees are increasingly becoming high-value targets and, in most cases, do not realize how valuable they are to an attacker,” Oliveira said, adding that investing in technology does little to defend against human behaviors. 

Financially motivated attackers go after the lowest-hanging fruit, and it’s no surprise that cyber-criminals are exploiting attacks that will reward them with fast cash, said Kevin Gosschalk, CEO, Arkose Labs. 

“The lasting impact of this breach – like every data breach involving exposed PII and credentials – is not yet fully realized. Each breach empowers fraudsters with more ammunition to attack businesses in a highly targeted manner, and the large amount of exposed credentials on the dark web is responsible for the steady rise in account takeover attacks. Companies must make it a priority to secure their attack surface so hackers cannot extract economic reward from their company, and sensitive data is protected.”

The news raises concerns given that criminals have been more frequently targeting the cloud to use stolen passwords, API vulnerabilities or user misconfiguration and take over accounts, which gives them access to information as if they were an authorized user, thus bypassing all security controls, according to Pravin Kothari, CEO of CipherCloud.

"As more and more information, the crown jewels of business, migrate to the cloud, organizations just do not have the visibility and control that they had with their traditional enterprise security capabilities.  Businesses need to change their approach to security from network- and access-centric to data-centric,” Kothari said.

Source: Information Security Magazine

Data Mapping & Discovery Tools Top Privacy Shopping Lists

Data Mapping & Discovery Tools Top Privacy Shopping Lists

The need to demonstrate compliance is the main motivation for privacy technology adoption, according to new findings.

According to research of 345 privacy professionals by TrustArc and the IAPP, technology solutions are helping 92% of organizations to keep pace with new privacy laws. Meanwhile products that help businesses discover and map data flows top the list of purchase plans, and privacy teams are playing a larger role in privacy tech purchasing decisions as organizations navigate a complex field of regulations.

“As the number of privacy regulations grows, organizations must contend with the complexity of managing an increasingly fragmented privacy regulatory landscape,” said Chris Babel, CEO of TrustArc.

“These rapid regulatory changes make cross-regulation management more difficult. As a result, organizational leaders are purchasing technology that can streamline the process of building global privacy compliance at scale, while turning more to privacy and data protection professionals for purchase input.”

TrustArc said that the increasing complexity of business in the digital world, coupled with a growing list of global privacy frameworks, has increased the need for organizations to adopt solutions that demonstrate compliance and are scalable and efficient.

The survey found that the top purchase plans for the next 12 months include: data mapping/flow (24%), data discovery (23%), assessment management (20%) and subject access request/individual rights (18%).

Also in comparison to statistics from last year’s survey, demand for privacy legal updates and information management solutions grew by 5%.

In an email to Infosecurity, Rik Turner, principal analyst at Ovum, said that there were no surprises around discovery and mapping data flows being popular, as while asset discovery is an essential part of any IT department’s job, institutions have real problems finding all the data they have on individuals within their multiple database instances, applications, etc.

“Data discovery is thus a vital precursor to any compliance activity: you can’t wrap control around data till you know everywhere it resides within your organization and have classified and categorized it,” he said. “Of course, understanding how and where data flows, who accesses it and where it is copied to, is a vital part of data discovery.”

Source: Information Security Magazine

Five Million IP Camera Cyber-Attacks Blocked in Just Five Months

Five Million IP Camera Cyber-Attacks Blocked in Just Five Months

Trend Micro has announced that it blocked five million cyber-attack attempts against internet protocol (IP) cameras in just five months, highlighting the security risks that continue to impact IP-based surveillance devices.

The security vendor analyzed 7000 anonymously aggregated IP cameras, and discovered that the IP surveillance industry is facing high numbers of attacks.

Trend Micro detailed that of the attacks it blocked, 75% were brute force login attempts, and stated that there is a clear pattern of malicious attackers targeting IP surveillance devices with common malware such as Mirai variants.

Oscar Chang, executive vice-president and chief development officer for Trend Micro, said: “More verticals are seeking connected, AI-powered video surveillance applications causing a clear paradigm shift from a relatively closed-off network to a more interconnected network operated heavily by cloud-based technologies. Due to this shift in the landscape, manufacturers and users must pay attention to the security of these IoT devices.”

“While the industry has known about cyber-risks, manufacturers have been unable to properly address the risk without knowing the root cause and attack methods,” added Dr Steve Ma, vice-president of engineering, Brand Business Group for VIVOTEK.

The topic of the use of surveillance cameras was recently brought to the fore on National Surveillance Camera Day, June 20, featuring conversations about how camera technology is evolving and what the benefits and risks are for society.

Source: Information Security Magazine

Silexbot Bricks Nearly 4,000 IoT Devices

Silexbot Bricks Nearly 4,000 IoT Devices

Silex, a new strain of malware that was used to brick IoT devices, is apparently the work of a 14-year-old boy from Europe, according to an Akamai researcher.

The botnet works by trashing the IoT device's storage, removing the network configuration, such as dropping firewall rules, and ultimately halting the devices, which renders them useless. Researcher Larry Cashdollar shared text the individual had embedded into the code, which revealed the hacker’s intentions:

Credit: Akamai
Credit: Akamai

The bot has been targeting Unix-like systems with default login credentials and thus far has affected nearly 4,000 devices and counting. In order to recover, victims need to reinstall the device’s firmware, which is not an easy task for many device owners. 

Cashdollar explained: “Silexbot is using known default credentials for IoT devices to login and kill the system. The bot does this by writing random data from /dev/random to any mounted storage it finds. Examining binary samples collected from my honeypot, I see Silexbot calling fdisk -l which will list all disk partitions. Using that list, Silexbot then writes random data from /dev/random to any of the partitions it discovers.”

The malware’s tactic of hacking devices using default-credentials is the most basic way to take over highly vulnerable and internet-facing IoT devices, according to Ben Seri, VP of research at Armis

“The fact that despite this, the malware was able to brick a few thousand devices so quickly is a testament to how vulnerable IoT devices are. This experiment is a warning sign to how ransomware attacks may evolve. A ransomware that is designed to brick IoT devices unless a certain payout is given can become extremely dangerous," Seri said.

As many industries saturated with unmanaged IoT devices are still running old operating systems, there are lots of easy targets that are wide open to attacks, Seri continued.

“In many cases, these devices have critical functions within these industries – the industrial controllers operating the production lines in factories, the bedside patient monitors, and the life-support systems in hospitals. Adding the ability to brick these types of devices to a ransomware would make it much more dangerous and destructive than any of the ransomware attacks we have seen so far.” 

Source: Information Security Magazine

China's 'Cloud Hopper' Hacked Eight Tech Service Companies

China's 'Cloud Hopper' Hacked Eight Tech Service Companies

Chinese hackers broke into the networks of multiple large technology service providers across the globe and stole commercial secrets as part of a global hacking campaign dubbed Cloud Hopper, according to an exclusive report from Reuters

The attack, which “exploited weaknesses in those companies, their customers and the Western system of technological defense,” according to Reuters, has been attributed to China by the U.S. and its allies.

Among those reportedly impacted in the large-scale attack were Ericsson, Hewlett Packard Enterprise and IBM.

“Also compromised by Cloud Hopper, Reuters has found: Fujitsu, Tata Consultancy Services, NTT Data, Dimension Data, Computer Sciences Corporation and DXC Technology. HPE spun-off its services arm in a merger with Computer Sciences Corporation in 2017 to create DXC.”

As a result, more organizations that are part of the supply chains or customers of these service providers were also impacted, including Sabre, a leading travel reservation system that manages plane bookings in the US.  Huntington Ingalls Industries was also a victim. The company is reportedly the largest shipbuilder for the U.S. Navy.

“This was the theft of industrial or commercial secrets for the purpose of advancing an economy,” Australia's former national cybersecurity adviser Alastair MacGibbon told Reuters. “The lifeblood of a company.”

China is making no effort to conceal its strategy for information dominance, said Tom Kellermann, chief cybersecurity officer for Carbon Black. “This strategy was developed during the first Gulf War and a cornerstone of it is to conduct island hopping from [managed service providers] and telcos into their corporate client networks. Carbon Black research shows that island hopping is exploding and occurring 50% of the time as corporate brands are being used to target their clients.

“The systemic theft of intellectual property is coupled with the colonization of sensitive corporate networks, which allows the Chinese to become telepathic. The irony is Chinese hacking has dramatically increased as a reaction to the trade war. The overt colonization continues."

Source: Information Security Magazine

MedicalSupplement.com Left 5m Records Exposed

MedicalSupplement.com Left 5m Records Exposed

An online database containing the records of more than 5 million customers apparently belonging to MedicareSupplement.com was left open and accessible to the public, according to a report from Comparitech

In order to get a quote from the TZ Insurance Solutions–owned website, MedicareSupplement.com, users are required to enter personal information. Though not an insurance company, the site does allow users to find supplemental medical insurance through the US-based insurance marketing website.

According to its website, MedicareSupplement.com takes precautions to secure user data. “We have taken certain physical, administrative, and technical steps to safeguard the information we collect from and about our customers through the Services. While we make every effort to help ensure the integrity and security of our network and systems, we cannot guarantee our security measures."

Security researcher Bob Diachenko discovered what appeared to be part of the site’s marketing leads database on May 13, where millions of MongoDB instances were left publicly available, according to the report. Diachenko tweeted that the database was first found on BinaryEdge.

“Some records – about 239,000 – also indicated insurance interest areas, for example, cancer insurance. Data was spread around several categories, including life, auto, medical, and supplemental insurance,” the report said.

Having personal information exposed puts users at risk of fraud, spam and targeted phishing attacks, and Comparitech warned that users of MedicareSupplement.com vigilantly keep an eye out for these types of attacks. 

“I have previously reported that the lack of authentication allows the installation of malware or ransomware on the MongoDB servers. The public configuration allows the possibility of cyber-criminals to manage the whole system with full administrative privileges,” said Diachenko who collaborated with Comparitech. “Once the malware is in place, criminals could remotely access the server resources and even launch a code execution to steal or completely destroy any saved data the server contains.”

Source: Information Security Magazine

Crypto Exchange Bitrue Loses $4.5m in Cyber Raid

Crypto Exchange Bitrue Loses $4.5m in Cyber Raid

Bitrue has become the latest cryptocurrency exchange to suffer a major cyber-attack, losing an estimated $4.5m in customer funds in the process.

The Singapore-based company revealed the security breach in a series of tweets early this morning.

“At approximately 1am June 27 (GMT+8), a hacker exploited a vulnerability in our Risk Control team's second review process to access the personal funds of about 90 Bitrue users,” it said.

“The hacker used what they learned from this breach to then access the Bitrue hot wallet and move 9.3 million XRP and 2.5 million ADA to different exchanges.”

At current prices, that makes it around $4.25m in Ripple (XRP) coins and $225,000 in Cardano (ADA) coins.

Bitrue seems to have acted promptly to respond to and contain the incident: suspending activity temporarily on the exchange while it investigated and alerting exchanges Huobi Global, Bittrex and Change Now to freeze affected funds and accounts.

“Please note that at the time, due to uncertainty about the current situation, we stated that the exchange was going down for some unplanned maintenance. We apologize for this miscommunication with our users,” Bitrue continued.

“Once again, I want to assure everybody that their personal funds are insured, and anybody affected by this breach will have their funds replaced by us as soon as possible.”

The exchange also posted a link for users to monitor the flow of stolen funds, and alerted the Singaporean authorities of the cyber raid in an attempt to find the culprit and retrieve the stolen funds.

Most customers responding on Twitter have been sympathetic to the exchange’s plight and appreciative of its transparency — although this would no doubt change if they weren’t getting their money back.

A report from earlier this year revealed that cryptocurrency exchanges lost $1.2bn from fraud and cyber-attacks — versus an estimated $1.7bn for the whole of 2018.

Source: Information Security Magazine

ENISA Reinforced as EU Cybersecurity Agency to Steer New Act

ENISA Reinforced as EU Cybersecurity Agency to Steer New Act

The EU Cybersecurity Act (CSA) comes into force from today, establishing an EU framework for cybersecurity certification under a reinforced and rebranded ENISA.

Originally proposed in 2017 as part of a wide-ranging set of measures to deal with cyber-attacks and to build strong cybersecurity in the EU, the Cybersecurity Act includes:

  • A permanent mandate for the ENISA to replace its limited mandate that would have expired in 2020, as well as more resources allocated to the agency to enable it to fulfill its goals
  • A stronger basis for ENISA in the new cybersecurity certification framework to assist member states in effectively responding to cyber-attacks with a greater role in cooperation and coordination at Union level

In addition, ENISA will help increase cybersecurity capabilities at the EU level to support capacity building and preparedness as part of its new title of the EU Cybersecurity Agency. This will see ENISA become an independent center of expertise that will help promote awareness of citizens and businesses, and also assist EU Institutions and member states in policy development and implementation helping to raise awareness of cybersecurity risks, leading on “research needs and priorities in the field of cybersecurity.”

According to the regulation, “there is a need for a comprehensive set of measures that would build on previous Union action and would foster mutually reinforcing objectives” which would include further increasing the capabilities and preparedness of member states and businesses, as well as improving cooperation, information sharing and coordination across Member States and Union institutions, bodies, offices and agencies.

“Furthermore, given the borderless nature of cyber-threats, there is a need to increase capabilities at Union level that could complement the action of member states, in particular in cases of large-scale cross-border incidents and crises, while taking into account the importance of maintaining and further enhancing the national capabilities to respond to cyber threats of all scales,” it said.

Article seven of the regulation, which deals with “operational cooperation at Union level” states that “ENISA shall support operational cooperation among member states, Union institutions, bodies, offices and agencies, and between stakeholders.” This article also states that ENISA shall support member states with respect to operational cooperation within the CSIRTs network by:

  1. Advising on how to improve their capabilities to prevent, detect and respond to incidents and, at the request of one or more member states, providing advice in relation to a specific cyber threat
  2. Assisting, at the request of one or more member states, in the assessment of incidents having a significant or substantial impact through the provision of expertise and facilitating the technical handling of such incidents including in particular by supporting the voluntary sharing of relevant information and technical solutions between member states
  3. Analyzing vulnerabilities and incidents on the basis of publicly available information or information provided voluntarily by member states for that purpose
  4. At the request of one or more member states, providing support in relation to ex-post technical inquiries regarding incidents having a significant or substantial impact within the meaning of Directive (EU) 2016/1148

ENISA will also regularly organize cybersecurity exercises at Union level, and shall support member states and Union institutions, bodies, offices and agencies in organizing cybersecurity exercises following their requests.

Commissioner Mariya Gabriel, EU Commissioner in charge of Digital Economy and Society, said that the EU Cybersecurity Act “has demonstrated the urgency to opt for an EU approach” and the reinforcement of ENISA was needed as “it is crucial for citizens, businesses and member states to feel more secure.”

“The Cybersecurity Act also enables EU-wide cybersecurity certification for the very first time, thus boosting the Single Market for cybersecurity,” Gabriel said. “Through the Cybersecurity Act, the Directive on the security of networks and information systems and the proposed European Cybersecurity Competence Centre, we have put forward a strong EU pattern, based on values and open for strengthening cooperation with international partners.”

Udo Helmbrecht, executive director of ENISA, said: “I welcome the Cybersecurity Act and thank the Council, European Parliament and Commission for their support in the drafting and passing of this important piece of cybersecurity legislation. I also welcome the reinforced role of ENISA in the European cybersecurity ecosystem and the opportunity for ENISA to support the Digital Single Market.

“I believe the European Cybersecurity Certification Framework detailed in the Act will play a leading role for the advancement and harmonization of cybersecurity certification in Europe and beyond.” 

Source: Information Security Magazine