Intelligent Connections. Recruiting Integrity.

Archive for July 2019

UK's Eurofins Scientific Reportedly Pays Ransom

The largest forensic services provider in the UK, Eurofins Scientific, has reportedly paid a ransom to criminals after a cyber-attack disrupted its IT systems. The amount of the ransom has not been disclosed, though BBC News reported that the attack also led British police forces to suspend their work with the global testing company.

Law enforcement agencies have refrained from sending new samples to Eurofins for analysis, according to reports. The Crown Prosecution Service told the BBC: “We are working to make sure all hearings remain fair and based on reliable evidence. While investigations are ongoing, prosecutors will assess the impact on a case-by-case basis. Cases where forensic evidence does not play a major role will continue as usual if all parties agree. If test results provided by Eurofins are central, we will seek to adjourn cases for the shortest possible period.”

Eurofins has declined to comment while the investigation into the attack remains ongoing.

“This kind of attack was inevitable. While many security experts warn about paying ransoms or entering into negotiations, the answer in reality comes down to simple economics,” said Barry Shteiman, vice president of research and innovation at Exabeam.

“If the downtime caused by data being unavailable, or by the backup restoration process, is more expensive than paying the ransom, then organizations should pay. Equally, if giving up on the encrypted data has a higher cost in lost revenue or intellectual property than remediation, then you can also see why an organization would pay the ransom. Of course, this is a last resort, if all other options have been exhausted,” Shteiman continued.

Still, ransomware is only one type of attack that organizations need to protect against, said Derek James, regional director of EMEA for WhiteHat Security. “You need to protect against all threats, not one specific one. For the companies that are truly concerned about ransomware, in addition to vulnerability assessments, they can follow some easy industry best practices. Backing up data and using up-to-date encryption will help negate some of the risk of ransomware.”

Source: Information Security Magazine

One in 10 IT Pros Would Steal Data if Leaving a Job

A survey of 320 IT experts conducted by Gurucul found that one in 10 respondents admitted they would try to take as much company information with them as possible before they left their jobs. In addition, the survey found that 15% of participants would delete files or change passwords upon exiting. 

While a number of organizations have invested in technologies to help detect and defend against external attackers, many companies are starting to better understand the risks from insider threats, which a recently published whitepaper said may actually be a larger issue.

According to the report insider attacks are more difficult to detect and prevent than external ones, with 91% of respondents in a similar survey of IT and security professionals reporting they feel vulnerable to both malicious and accidental insider threats. 

“Gurucul mitigates these risks by employing behavioral analytics,” said Craig Cooper, COO of Gurucul. “By combining user and entity behavior analytics, and identity analytics, companies can not only monitor, detect and remove excess access before it is too late, but they can also monitor employee actions by detecting unusual or risky behavior. By detecting when users are acting in ways that contradict their normal behavior and job function, our customers are able to intervene.”

At issue is that teams are overloaded with identities and entitlements because of the manual processes built into static identity-management rules and roles. “It is more common than not that users inside the perimeter have access to information they do not need for their job. This gives them the capability to perform abusive tasks within the company. However, insider threats are not always caused by users within the organization. They can also occur when credentials of employees are shared or compromised, which often goes undetected,” wrote Gurucul’s Alison DeNisco Rayome in a July 2 blog post.

Source: Information Security Magazine

Golang Malware Targets Linux-Based Servers

A cryptominer campaign has been targeting Linux-based servers using new Golang malware, according to research published by F5 Labs.

Though not often seen in the threat landscape, the Golang malware was first identified in mid-2018 and has continued throughout 2019. Researchers noted that the latest operation, which has infected an estimated several thousand machines, began around June 10. The first exploit requests were identified around June 16.

Using the CryptoNight algorithm to mine Monero (XMR), the attacker has earned less than $2,000 USD, a figure based only on the wallets that F5 Labs observed the miners using. Researchers added that the attacker may have several wallets used by different parts of the botnet.

“F5 researchers detected malicious requests targeting vulnerabilities in ThinkPHP (CVE-2019-9082 and CVE-unassigned), Atlassian Confluence (CVE-2019-3396), and Drupal (CVE-2018-7600), also known as Drupalgeddon2,” the report said.

The malware campaign reportedly propagates using seven different methods, which include four web application exploits, SSH credentials enumeration, Redis database passwords enumeration, and an attempt to connect other machines through the use of discovered SSH keys.

“Some of these vulnerabilities are common targets, however, the delivered malware in this campaign was written in Go (Golang), a newer programming language not typically used to create malware,” the researchers wrote.

Because anti-virus software has not typically flagged Go binaries, malicious actors have started adopting it as a malware language. “Although the language is about 10 years old, and is used by many legitimate programmers, there has not been as much activity with Golang malware. One of the earlier Golang samples was analyzed and published beginning of January 2019,” the report said.

The spearhead bash script is reportedly hosted on pastebin.com, an online clipboard service, and according to the report the malware itself is hosted on a Chinese e-commerce website that had already been compromised. Combined with additional indicators, such as the clipboard service used and GitHub usernames, the researchers suspect this could be the work of a Chinese-speaking attacker.

Source: Information Security Magazine

OneLogin Appoints Joanne Bradford to Board of Directors

Unified Access Management company OneLogin has announced that Joanne Bradford has become the newest member of its board of directors.

Bradford will bring over 30 years of marketing and operations experience to OneLogin’s board, having previously served in CMO and COO leadership positions for companies such as Microsoft, Yahoo, SoFi and Pinterest, as well as board positions for Wave, Adaptly and Comscore.

“Joanne's deep expertise in integrated mass consumer marketing at some of the most well-known and biggest tech companies in the world will be critical for OneLogin at this stage of our accelerating growth,” said Brad Brooks, CEO of OneLogin. “One of many things I love about having Joanne on board is her insights coming by way of looking at things from the end-user perspective. This intuition will play an important role as we continue our momentum capitalising on the multi-billion-dollar market opportunity for our Unified Access Management platform.”

Bradford said: “I am joining the OneLogin’s board during a critical time of exponential momentum and interest in its UAM solution – a solution that every company requires. Enterprises everywhere need OneLogin to navigate the changing landscape of cloud adoption, digital transformation, and cybersecurity. I'm honored to be joining this exceptional team and look forward to much-anticipated success.”

Source: Information Security Magazine

Facebook, Instagram & WhatsApp Outage Reveals AI Image Tags

Billions of users were frustrated at not being able to see their images on Facebook, Instagram and WhatsApp this week because of glitches in Facebook's platform, which the company said were triggered by “routine maintenance.”

Instead of pictures and videos, users were shown grey boxes containing text describing what was in the image. That text is believed to have come from the company's image analysis software.

This outage is not the only one Facebook-owned services have suffered this year. In March, Facebook and Instagram endured the longest period of disruption in their history: a 14-hour outage that the company attributed to a server configuration change.

Speaking on its latest outage, the company tweeted: “We’re aware that some people are having trouble uploading or sending images, videos and other files on our apps. We're sorry for the trouble and are working to get things back to normal as quickly as possible. #facebookdown.

“Earlier today, some people and businesses experienced trouble uploading or sending images, videos and other files on our apps and platforms. The issue has since been resolved and we should be back at 100% for everyone. We're sorry for any inconvenience.” However, some users continued to complain afterwards that they could not see images.

Other companies also faced outages this week. Cloudflare was brought down by a “bad software deployment” while users have complained that Apple's iCloud has also been down. 

Users also noticed that the placeholder text exposed tags generated by the company's artificial intelligence image analysis. These descriptions are meant to support visually impaired users, but some users could not help feeling 'creeped out' by how accurate the descriptions of their images were.

For Facebook, though, the damage might have been done from the outage. According to Bigbom, a decentralized advertising ecosystem company, Downdetector processed over 7.5 million reports from end users during the outage. Interestingly, the company tweeted that this latest outage was the “company's biggest one” in years. 

How the outage affected advertisers who use the platform is unknown, but Bigbom believes thousands of dollars in ad revenue would have been lost. 

Source: Information Security Magazine

Over Half of Employees Don't Adhere to Email Security Protocols

As many as 87% of 280 decision makers predict that email threats will increase in the coming year, according to a survey by Barracuda Networks.

According to the accompanying blog post, many organizations admit to being vastly unprepared when it comes to email security, with 94% agreeing that “email is still the most vulnerable part of organizations’ security postures.”

“Unsurprisingly, finance departments seem to experience the most attacks, with 57% identifying it as the most targeted department," explained Chris Ross, senior vice-president of international sales at Barracuda. “What was surprising was the rise in customer support attacks; a not insignificant 32% identified this as their most attacked department in what could indicate a new emerging trend for would-be attackers.”

The blog goes on to say that employee training is still not a priority for many, with 29% of respondents receiving such training only once a year. More shockingly, 7% stated that they had either never had training or were not sure.

“The lack of training is clearly leaving employees either confused or unaware of security protocol, as over half (56%) stated that some employees do not adhere to security policies,” Ross continued. “Of those, 40% said their employees used a ‘workaround’ to do so, perhaps referring to shadow IT solutions and the issues they continue to cause in enterprise IT environments. 

“Both of these issues could be solved by regular and in-depth employee security training,” he concluded. 

Organizations have also seen cyber-attacks come through emails. In the last year, according to the survey, 47% were attacked by ransomware, 31% were victim to a business email compromise attack, and a huge 75% admitted to having been hit with brand impersonation. Barracuda also found that 83% of all email attacks were focused on brand impersonation in its recent spear phishing report. 

However, organizations are starting to take matters into their own hands, with 38% of them increasing their security budgets next year, and over a third (36%) planning to implement instant messaging applications such as Slack or Yammer, to reduce email traffic.

“This approach comes with a warning from us,” said Ross. “While we haven’t yet seen attacks using messaging platforms such as Slack, this may well change in the future and doesn’t necessarily mean that these platforms are immune to attacks. 

“Any organization going down this route should do so with care, as if we know anything about cyber-attackers, it’s that they’re always trying new ways to catch their victims out.”

These findings come shortly after an opinion article in the New York Times highlighted Slack's lack of end-to-end encryption, which leaves conversations on the platform exposed to anyone who gains access to Slack's servers.

Source: Information Security Magazine

Activists, Journalists & SMEs at Risk From Slack Snoopers

A senior privacy researcher has warned, in an opinion article for the New York Times, that Slack conversations, along with usernames and passwords, could be leaked.

Published on Monday, Gennie Gebhart, associate director of research at the Electronic Frontier Foundation, wrote that the business chat app does not have end-to-end encryption even though it “stores everything [a user] does on its platform by default.”

In her op-ed for the New York Times, she wrote: “…which means Slack can read it, law enforcement can request it, and hackers — including the nation-state actors highlighted in Slack’s S-1 — can break in and steal it." According to Slack’s S-1 form, the company has confirmed that it faces threats from “sophisticated organized crime, nation-state, and nation-state supported actors.”

Slack is a business tool which allows people to engage with one another whether they are in the office or not. Using channels to separate conversations and private messaging to enable people to directly communicate with one another, it has been received positively within the workplace in general. 

However, Gebhart wrote that while Slack’s paying enterprise customers “do have a way to mitigate their security risk” it's not just them who might be vulnerable to cyber-attacks. She added: “Slack’s users include community organizers, political organizations, journalists and unions. At the Electronic Frontier Foundation, where I work, we collaborate with activists, reporters and others on their digital privacy and security, and we’ve noticed these users increasingly gravitating toward Slack’s free product.”

Slack's free product lets users search their most recent 10,000 messages; anything older is retained on Slack's servers but hidden from the user. It also offers one-to-one voice and video calls and file sharing. On its website, Slack says this about its security: “Slack takes privacy and data protection seriously. As a cloud-based company entrusted with some of our customers’ most valuable data, we’ve set high standards for security.

“We’ve received internationally recognized security certifications for ISO 27001 (information security management system) and ISO 27018 (for protecting personal data in the cloud).”

However, Gebhart was concerned that privacy could be breached with the collaboration tool. She said: “Free customer accounts don’t allow for any changes to data retention. Instead, Slack retains all of your messages but makes only the most recent 10,000 visible to you. Everything beyond that 10,000-message limit remains on Slack’s servers. So while those messages might seem out of sight and out of mind, they are all still indefinitely available to Slack, law enforcement and third-party hackers.

“Slack’s business case for keeping your old messages is to have them ready for you just in case you decide to upgrade to the paid product, which has no limit on the number of messages available for you to search and view. But many users — including those most likely to be in the cross-hairs of a law enforcement request or headline-grabbing nation-state hack — are unlikely to ever make that switch.”

Jake Moore, a cybersecurity specialist at ESET, said that while Slack is a “fantastic application” to help people break away from the downsides of email, it might now come with downsides of its own: “Admittedly, many people don’t think or even care about encryption or place it on a priority list when it comes to data or messaging but in a world where privacy is increasingly becoming more popular, companies need to be thinking about enforcing encryption and privacy for all of their customers by default with no option to bypass it. 

“Similarly, companies who don’t use two-factor authentication by default also put their customers’ data at risk of having their confidential data viewed by anyone with the right know-how and tools,” he added.

Ending her opinion article, Gebhart gave her recommendations for what the company should do for its customers: “Slack should give everyone the same privacy protections available to its paying enterprise customers and let all of its users decide for themselves which messages they want to keep and which messages they want to delete.”

Source: Information Security Magazine

Brits Shun Biometric Authentication for Traditional Passwords, Report

Nearly a third of people in the UK still prefer to use passwords to authenticate over biometric credentials, according to research by GMX. In the report, 30% of respondents said that typing a password was their preferred method of accessing their online and mobile accounts. What's more, 22% also said that they like fingerprint biometrics over face or voice.

According to GMX, 30% of respondents had at least 10 different online accounts, and 43% said they felt overwhelmed by the number of passwords they had to remember. Alarmingly, 8% said that remembering their passwords was more stressful than changing jobs or getting a divorce.

This stress shows up in how often people get locked out of online accounts: 19% said they are locked out of an account at least once a month after multiple incorrect login attempts. Given the choice between single sign-on services (one login that works across laptop, PC, smartphone and other devices) or a password manager (a separate password for each service, stored and filled in by the manager), 32% preferred single sign-on, while 24% chose password managers.

“This survey shows positive signs that consumers are ready to accept biometric authentication once their data privacy concerns have been met so it is up to providers to meet those privacy demands by demonstrating that they are complying with all the relevant laws,” said Jan Oetjen, managing director of GMX. “The combination of convenience and data protection will create further demand for biometric security.”

However, the public in the UK does not seem to be receptive to advanced biometric techniques. Iris scans (4%), facial (1%) and voice recognition (1%) hardly featured at all as preferred methods of authentication. 

The survey of 1,050 people in the UK was carried out by email services company GMX, which ran a similar study in 2016. Since that study, the share of people who prefer using passwords has almost halved, from 61% to 30%.

Source: Information Security Magazine

29 VPN Services Owned by Six China-Based Organizations

Analysis of the world’s top VPN services conducted by the privacy and security research firm VPNpro revealed that the top 97 VPN services are owned by only 23 parent companies.

Of those parent companies, six are based in China, and information on these companies is often hidden from consumers, according to VPNpro. Together those six companies offer 29 of the world’s top VPN services. Researchers were able to piece together the ownership information from company listings, geolocation data, the CVs of employees and other documentation.

“OpenVPN is incorporated in the US, and they pride themselves on their transparency and that their open source protocol is the de facto standard used by almost all other providers,” said Francis Dinha, CEO of OpenVPN.

“This new report that exposes nearly a third of top VPN providers being owned by parent companies in China is very alarming as this makes the service from these companies very insecure. If you use one of these VPNs, China can use your device to store dangerous content and initiate malicious encounters. You might be subjecting yourself to a criminal investigation.”

When all is said and done, not all VPNs are created equal. Users need to fully understand what constitutes a reputable VPN and do their due diligence when selecting a provider.

Using the example of the Chinese company Innovative Connecting, which owns three businesses that produce VPN apps, VPNpro explained that it is often the case that ownership of multiple VPNs is shared amongst various subsidiaries. With a total of ten VPN products that it produces, Innovative Connecting’s products also include the VPN apps Autumn Breeze 2018, Lemon Cove and All Connected. 

“We’re not accusing any of these companies of doing anything underhand. However, we are concerned that so many VPN providers are not fully transparent about who owns them and where they are based. Many VPN users would be shocked to know that data held on them could be legally requested by governments in countries such as China and Pakistan,” said Laura Kornelija Inamedinova, research analyst at VPNpro. 

“Our recommendation is that people do a lot of due diligence on the VPN that they want to use, since they aren’t all created equal and simply using a VPN does not guarantee privacy or security.”

Additionally, VPNpro noted that the origin of Super VPN & Free Proxy, Giga Studios, Sarah Hawken and Fifa VPN, four publishers that together own 10 VPN services, is completely hidden.

Source: Information Security Magazine

Magecart Campaign Offers Customizable Payload

Magecart has launched a new campaign offering a highly customizable payload along with JavaScript loaders and software bundles that can ensure the malicious payload isn't being executed in a debugger or sandbox, according to Fortinet researchers.

“This skimmer is called Inter. It is highly customizable, so it can be easily configured to fit the buyer’s needs, and is reportedly being sold in underground forums for $1,300 per license. We started seeing attacks from this campaign on April 19,” the researchers wrote.

“E-commerce websites use different platforms for handling payments. For instance, some websites handle the payments internally while others use external payment service providers (PSPs). Depending on which platform the compromised website uses, the campaign uses either a web skimmer or a fake payment form,” the report said.

The campaign reportedly injects a fake card payment form into a targeted web page and skims the card details a victim enters, whether or not the page is a checkout page. That brings the skimmer into the customer journey earlier, ahead of any security software watching the checkout page. Another feature lets Inter evade detection by hiding the stolen information in plain sight, according to the report.

“The addition of obfuscation and anti-debugging capabilities to digital skimming toolkits such as Inter renders many of the passive scanners ineffective due to their reliance on finding the malicious payload hidden deep inside the site. In addition, attackers are now targeting specific users and are aware of the scanners that might block them, so attackers may serve a 'clean' script,” said Omri Iluz, CEO and co-founder of PerimeterX.

“A more effective solution is runtime analysis of real users. When analyzing runtime behavior of the site running in real user browsers, obfuscation and anti-debugging techniques are simply avoided, exposing the malicious payload as it’s being executed by the user.”
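The two observations above, that the skimmer's form can appear on a page that is not a checkout page and that a runtime view of the DOM is indifferent to how the script is obfuscated, can be turned into a concrete page-side check. The following is an added example, not code from Fortinet, PerimeterX or the Inter kit. It assumes a site whose checkout lives under /checkout and which posts card data only to its own origin or to one named payment service provider; those paths and origins, and the report callback, are placeholders.

```javascript
// Added example (not from the Fortinet or PerimeterX reports, nor from the
// Inter kit): a page-side runtime check that ignores how a skimmer's script is
// packed and looks only at what lands in the DOM. A form is flagged when it
// collects card data and either sits on a page that is not a checkout page or
// would submit to an origin other than the site or its payment provider.
//
// Assumptions (not taken from the article): the checkout path prefixes, the
// payment service provider origins, and the report callback.

const CARD_FIELD = /(^|[_-])(cc|card|cvv|cvc|csc|exp|expiry|expiration)([_-]|$)|cardnumber/i;

// Card-field heuristic: an HTML autocomplete token in the cc-* family, or a
// name/id that looks like a card number, CVV or expiry field.
function isCardField(field) {
  const ac = (field.autocomplete || '').toLowerCase();
  if (ac.startsWith('cc-')) return true;
  return CARD_FIELD.test(field.name || '') || CARD_FIELD.test(field.id || '');
}

function originOf(url, base) {
  try { return new URL(url, base).origin; } catch (e) { return null; }
}

// form: { action, fields: [{ name, id, type, autocomplete }] }
// page: { href, checkoutPaths: [...], pspOrigins: [...] }
function assessForm(form, page) {
  const cardFields = form.fields.filter(isCardField);
  if (cardFields.length === 0) return { suspicious: false, reasons: [], cardFields: [] };
  const reasons = [];
  const pageUrl = new URL(page.href);
  if (!page.checkoutPaths.some((p) => pageUrl.pathname.startsWith(p))) {
    reasons.push(`card fields on non-checkout path ${pageUrl.pathname}`);
  }
  // A relative or empty action resolves to the page's own origin.
  const target = originOf(form.action || '', page.href);
  const allowed = new Set([pageUrl.origin, ...page.pspOrigins]);
  if (target === null || !allowed.has(target)) {
    reasons.push(`form submits to unexpected origin ${target}`);
  }
  return { suspicious: reasons.length > 0, reasons, cardFields: cardFields.map((f) => f.name || f.id) };
}

// DOM adapter: reduce a live <form> to the plain object assessForm expects.
function describeForm(formEl) {
  return {
    action: formEl.getAttribute('action') || '',
    fields: Array.from(formEl.querySelectorAll('input')).map((i) => ({
      name: i.name, id: i.id, type: i.type, autocomplete: i.getAttribute('autocomplete') || '',
    })),
  };
}

// Check the forms already on the page, then watch for forms injected later,
// which is how a skimmer that brings its own payment form shows up. Browser
// only: under Node this returns null without doing anything.
function installMonitor(page, report) {
  if (typeof MutationObserver === 'undefined' || typeof document === 'undefined') return null;
  const formsIn = (node) => {
    if (node.matches && node.matches('form')) return [node];
    return node.querySelectorAll ? Array.from(node.querySelectorAll('form')) : [];
  };
  const check = (node) => formsIn(node).forEach((f) => {
    const verdict = assessForm(describeForm(f), page);
    if (verdict.suspicious) report({ ...verdict, action: f.getAttribute('action') || '' });
  });
  check(document);
  const observer = new MutationObserver((records) => records.forEach((r) => r.addedNodes.forEach(check)));
  observer.observe(document.documentElement, { childList: true, subtree: true });
  return observer;
}
```

In a browser, installMonitor(page, (v) => navigator.sendBeacon('/skimmer-report', JSON.stringify(v))) wires the check to a reporting endpoint (the path is a placeholder). The declarative counterpart is a Content Security Policy whose form-action and connect-src directives are limited to the same list of origins: the policy blocks the exfiltration, while a check like this one tells you it was attempted. Note what the heuristic does not cover: a skimmer that sends card data with fetch or an image beacon rather than a form submission, which is why the CSP connect-src restriction matters as well.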

Source: Information Security Magazine