
Archive for July 2019

93% of Organizations Cite Phishing as Top Threat

Email remains the vector of choice for cyber threat actors with the majority of organizations citing phishing as their top perceived threat, according to a new survey from Dimensional Research and Barracuda Networks.

With the rise of more complex, advanced threats, such as account hijacking and spear-phishing, the majority of organizations have faced attacks in just the last year, according to a survey of more than 600 IT professionals responsible for corporate email security.

“On average, more than four-fifths (82%) of organizations claim to have faced an attempted email-based security threat in the past year, although the figures differ slightly by global region,” the report said.

The survey results revealed that despite growing confidence in security measures and awareness, concerns over phishing continue to rise, particularly given the reality that attack methods continue to evolve and target victims with social engineering. Nearly all (93%) of respondents said they are worried about business email compromise (BEC). With the prevalence of BEC and account takeover attacks, 79% of organizations are concerned about potential insider threats and other account hijacking attacks. 

Oddly, 63% of organizations also reported that they feel more secure than ever. The report noted that organizations should treat this feeling of confidence with caution. “If an organization lacks the tools to accurately detect threats, it may have a false sense of security. APAC companies are the most likely to feel their security has improved, while EMEA companies are the least likely,” the report said. 

When asked about the impact of email threats, 48% of participants said they had suffered a loss of employee productivity and 36% said they had experienced downtime and business disruption. When asked about breaches, 78% of participants said that breach costs are also increasing, both in monetary terms and in lost productivity.

The survey also found a pitfall in terms of security spend. “Organizations are clearly under-investing in tools designed to protect email beyond the traditional security gateway. Just a quarter or fewer had automated incident response, dedicated spear-phishing protection or tools to prevent account takeover.”

Source: Information Security Magazine

Young Offenders Get a Second Chance to "Hack_Right"

Police officers from the UK and the Netherlands announced a new campaign that would allow first-time cybercrime offenders to learn from their mistakes through a program called Hack_Right, according to Cyberscoop.

At the International Conference on Cybersecurity at Fordham University, the joint forces discussed the program that is intended to help young offenders who may not understand the severity of their crimes. Geared toward hackers between the ages of 12 and 23 years old, Hack_Right would allow youngsters to avoid the legal consequences of their crimes by participating in a program focused instead on educating teens. 

“We do this…to get out and find them and get them into computing clubs before we have to investigate someone and lock them up,” Gregory Francis, acting national prevent lead at the National Cyber Crime Unit of the National Crime Agency, reportedly said. “[Cybercrime] is not a law enforcement problem. It’s a societal problem.”

The program includes a community service project that requires 10 to 20 hours of ethical computer training and engaging in conversations with professionals who can discuss possible career paths and education opportunities based on their interests. 

“We should welcome any opportunity to show ‘at risk’ hackers ways in which they can use their skills for good, such as helping secure the internet,” said Ben Sadeghipour, head of hacker operations at HackerOne.

“I think the best way to educate the younger generation to do the right thing is to show them the benefits of being a white hat, since now you can get the same fame, notoriety and money as black hats used to, without the risk of going to prison. Encouraging young hackers to use their skills for good is what we’re about at HackerOne. We have hundreds of thousands of hackers on our platform, and nearly 54% of them are under the age of 24. We believe that bug bounty programs provide an environment in which young hackers can safely hone their skills while earning real money from it.”

Source: Information Security Magazine

Campaign Targets Government IT in Eastern Asia

A cyberattack campaign using malicious RTF documents has been targeting government IT agencies in Eastern Asia, according to research published today by Proofpoint.

Dubbed Operation LagTime IT, the campaign uses the malicious documents to deliver custom Cotx RAT malware to technology agencies responsible for overseeing government network infrastructure. Proofpoint has attributed the campaign to the Chinese threat group known as TA428. Researchers believe the likely motivation is espionage on capabilities such as 5G and establishing a beachhead for future attacks.

“Beginning in early 2019, these threat actors targeted a number of government agencies in East Asia overseeing government information technology, domestic affairs, foreign affairs, economic development and political processes. We determined that the infection vector observed in this campaign was spear phishing, with emails originating from both free email accounts and compromised user accounts. Attackers relied on Microsoft Equation Editor exploit CVE-2018-0798 to deliver a custom malware that Proofpoint researchers have dubbed Cotx RAT,” researchers wrote in today’s blog post.

According to the research, the malicious RTFs were first delivered via Yahoo accounts and came from senders whose names closely mirrored those within the targeted entities. The email subjects were crafted with convincing IT-related themes relevant to government or public training in Asia. 

“On one specific occasion an email utilized the subject 'ITU Asia-Pacific Online CoE Training Course on "Conformity & Interoperability in 5G" for the Asia-Pacific Region, 15-26 April 2019' and the attachment name '190315_annex 1 online_course_agenda_coei_c&i.doc.' The conference referenced in the lure was an actual event likely selected due to its relevance to potential victims. This is significant as countries in the APAC region continue to adopt Chinese 5G technology in government as well as heavy equipment industries,” researchers wrote.

"Op LagTime IT is a continuation of a long-running Chinese espionage campaign which is intended to satisfy intel requirements on its regional neighbors,” said Kevin Epstein, vice president, threat operations, at Proofpoint. “The targeting of government IT agencies is both expected and significant as China continues to expand the global footprint of its communications technologies."
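The delivery chain described above (spear-phishing email, RTF attachment, Equation Editor exploit) leaves one cheap artifact a mail gateway or IR triage script can look for before any sandboxing: an embedded OLE object of the Equation Editor class. The following is an added example, not Proofpoint's tooling or anything from the campaign report. It assumes the standard RTF `\objdata` hex encoding and the Equation Editor 3.0 ProgID "Equation.3" and CLSID {0002CE02-0000-0000-C000-000000000046}; the RTF samples inside it are constructed, and the check is a heuristic (it tolerates the common trick of splitting the hex with control words, but it is not a full RTF parser and does not establish whether the object actually triggers CVE-2018-0798).

```python
"""Triage heuristic: does an RTF file embed an Equation Editor OLE object?

Added example, not code from the article or from Proofpoint. It scans every
\\objdata group, strips interleaved control words and whitespace, hex-decodes
the remainder and looks for the Equation Editor class by ProgID or CLSID.
"""
import re

# Equation Editor 3.0 OLE class identifiers (assumed from the COM registry;
# the CLSID is stored on disk as a little-endian GUID).
EQUATION_PROGID = b"Equation.3"
EQUATION_CLSID = bytes.fromhex("02CE020000000000C000000000000046")

# RTF control words (\par, \bin0 ...) and \'xx escapes that attackers sprinkle
# through the hex payload to confuse naive scanners.
_CONTROL_WORD = re.compile(rb"\\[A-Za-z]+-?\d* ?|\\'[0-9A-Fa-f]{2}")
_OBJCLASS_EQUATION = re.compile(rb"\\objclass\s+Equation\.3\b")


def objdata_blobs(rtf: bytes):
    """Yield the decoded bytes of each \\objdata group in the document."""
    pos = 0
    while True:
        start = rtf.find(b"\\objdata", pos)
        if start < 0:
            return
        # Walk to the brace that closes the group containing \objdata.
        depth, i = 0, start
        while i < len(rtf):
            ch = rtf[i:i + 1]
            if ch == b"{":
                depth += 1
            elif ch == b"}":
                if depth == 0:
                    break
                depth -= 1
            i += 1
        body = _CONTROL_WORD.sub(b"", rtf[start + len(b"\\objdata"):i])
        hexdigits = re.sub(rb"[^0-9A-Fa-f]", b"", body)
        hexdigits = hexdigits[: len(hexdigits) // 2 * 2]  # drop a dangling nibble
        yield bytes.fromhex(hexdigits.decode())
        pos = i + 1


def has_equation_editor_object(rtf: bytes) -> bool:
    """True if the RTF names the Equation Editor class in clear or in \\objdata."""
    if _OBJCLASS_EQUATION.search(rtf):
        return True
    return any(EQUATION_PROGID in blob or EQUATION_CLSID in blob
               for blob in objdata_blobs(rtf))


# --- constructed samples (not real malware) ---------------------------------
def _ole1_header(progid: bytes) -> bytes:
    """Minimal OLE 1.0 object header as it appears at the start of \\objdata:
    version, format id (2 = embedded), length-prefixed class name with NUL."""
    name = progid + b"\x00"
    return (b"\x01\x05\x00\x00" + b"\x02\x00\x00\x00"
            + len(name).to_bytes(4, "little") + name)


EQUATION_RTF = (b"{\\rtf1{\\object\\objemb{\\*\\objclass Equation.3}{\\*\\objdata "
                + _ole1_header(b"Equation.3").hex().encode() + b"}}}")

# Same object, no \objclass, upper-case hex broken up by control words/newlines.
_hex = _ole1_header(b"Equation.3").hex().upper().encode()
OBFUSCATED_RTF = (b"{\\rtf1{\\object\\objemb{\\*\\objdata " + _hex[:10] + b"\\bin0 \n"
                  + _hex[10:20] + b"\n\\par " + _hex[20:] + b"}}}")

BENIGN_RTF = (b"{\\rtf1{\\object\\objemb{\\*\\objclass Word.Document.8}{\\*\\objdata "
              + _ole1_header(b"Word.Document.8").hex().encode() + b"}}}")

if __name__ == "__main__":
    for label, doc in [("equation", EQUATION_RTF), ("obfuscated", OBFUSCATED_RTF),
                       ("benign", BENIGN_RTF)]:
        print(label, has_equation_editor_object(doc))
```

A hit here is a reason to detonate or quarantine the attachment, not a verdict: legitimate documents with equations also embed this class, and a sufficiently mangled RTF can evade the hex recovery, which is why this belongs in front of a sandbox rather than in place of one.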

Source: Information Security Magazine

AT&T Faces Court Showdown Over $224m SIM Swap Case

AT&T will be forced to defend itself in court after a judge refused to throw out a $224m lawsuit alleging the firm is liable for handing control of the plaintiff’s phone number to hackers.

The telco giant is in the dock after entrepreneur Michael Terpin was hit by a classic SIM swap attack, in which hackers persuaded an AT&T agent in a Connecticut store to transfer his mobile phone number to a new SIM.

They were then able to intercept one-time passcodes sent via text message to unlock Terpin’s cryptocurrency accounts and drain them of funds worth an estimated $24m.

In August last year, Terpin’s lawyers filed a 16-count complaint alleging fraud, gross negligence, invasion of privacy, unauthorized disclosure of confidential customer records, violation of a consent decree, and failure to supervise its employees and investigate their criminal backgrounds.

More broadly, Terpin is arguing that AT&T’s contract is too one-sided.

“Mr Terpin’s claim seeks to declare AT&T’s wireless customer agreement as unconscionable, void against public policy, and unenforceable in its entirety,” presiding judge Otis Wright said. “Specifically, he objects to the exculpatory provision that exempts AT&T from liability from its own negligence, acts or omissions of a third party, or damages or injury caused by the use of the device.”

Wright ruled that Terpin’s lawyers had “sufficiently alleged” that AT&T may have violated the Federal Communications Act by allowing unauthorized access to their client’s accounts – meaning the $224m lawsuit will proceed.

“Judge Wright strongly repudiated AT&T’s audacious bid to prevent Michael from demonstrating to a jury the carrier’s contempt for consumers’ privacy and utter disregard of its legal obligations to prevent this very type of SIM swap and financial crime,” noted Terpin’s lead counsel Pierce O’Donnell. “The evidence will show that AT&T not once, but twice allowed hackers posing as Michael to obtain his SIM card.”

The case will be watched eagerly by other telco providers as SIM swapping becomes increasingly commonplace.

It’s believed that Terpin’s nemesis on this occasion was a gang led by New Yorker Nicolas Truglia, the arrested “Bitcoin bandit” who used phishing techniques and fake ID documents bought on the dark web to con telco support operatives into porting customer phone numbers.

Paul Dunphy, research scientist at OneSpan’s Innovation Centre, said the attacks also raise serious questions about the use of SMS in multi-factor authentication (MFA). An SMS code only proves control of a phone number, and that control is only as strong as the carrier’s number-porting checks, so anyone who can talk a store or support agent into a SIM swap holds the second factor.

“The result of this court case will have big implications for designers of multi-factor authentication, and it will be interesting to see how mobile networks evolve the security of their number porting process in future,” he added. “I’d advise that for high value accounts individuals should avoid using SMS for multi-factor authentication, especially for cryptocurrency.”

Source: Information Security Magazine

APT17 Outed as MSS Operation

A group of anonymous researchers have outed the APT17 cyber-attack group (aka DeputyDog) as a Chinese Ministry of State Security (MSS) operation, potentially paving the way for more US indictments.

Intrusion Truth have been right before, when they identified APT3 and APT10 as MSS groups: the former operated by a contractor known as Boyusec. These revelations led to Department of Justice indictments against some of the groups’ members in 2017 and 2018.

Now Intrusion Truth has identified a likely MSS officer, Guo Lin, who studied information security to Masters level and is affiliated with four private technology companies in the eastern city of Jinan.

The group also identified two hackers from Jinan – Wang Qingwei, who works at one of those four tech firms, and Zeng Xiaoyong (aka “envymask”).

Zeng is said to have submitted code used in a popular Chinese APT hacking tool known as ZoxRPC, which was subsequently developed into a newer tool, ZoxPNG (aka BLACKCOFFEE) by another Jinan hacker, Zhang Peng. ZoxPNG became a key part of multiple APT17 hacking campaigns, the blog post continued.

“Either, one of the authors of code in APT17’s primary malware just happens to be associated with a series of cybersecurity outfits that claim the MSS as their clients and are coincidentally managed by an MSS officer,” concluded Intrusion Truth. “Or, MSS Officer Guo Lin of the Jinan bureau of the Ministry of State Security manages APT17.”

China’s MSS is a sprawling, powerful intelligence agency that can be thought of as a combination of the FBI and CIA. That is, it deals with domestic affairs and foreign intelligence operations.

It is believed that hacking operations have increasingly been shifted from the PLA to this agency over the past few years, as attacks become more sophisticated.

Most recently it has been linked to the Marriott International breach, and a major two-year campaign targeting global telcos.

Washington is increasingly prepared to name and shame officers in indictments, although there’s little chance of them ever facing justice. This happened with charges issued in October last year related to a conspiracy to steal aviation secrets.

In a rare moment, US officials managed to arrest an alleged MSS officer in that same month, in connection with another plot to steal aviation secrets.

Source: Information Security Magazine

VideoLAN's VLC Media Player Has Serious Flaw

The latest edition of nonprofit VideoLAN’s VLC media player software has what the German agency CERT-Bund is calling a serious security flaw that allows hackers to install and run software without the user’s knowledge, according to NewsX.

“This is just one in a long and constant stream of flaws in VLC. I absolutely would not recommend that anyone access untrusted content with VLC due to the high risk of memory corruption vulnerabilities. In general, VLC does not have a good reputation in the security industry as they regularly will leave vulnerable pre-compiled executables for download despite having patched them in the latest source code," said Craig Young, computer security researcher for Tripwire’s vulnerability and exposure research team (VERT). “Video players are a frequent target for file format exploits due to the inherent complexity of parsing multimedia files.”

If exploited, an attacker could gain remote access and potentially disclose information, manipulate files or create a denial-of-service state. According to NIST’s National Vulnerability Database, the vulnerability CVE-2019-13615 in the media player “has a heap-based buffer over-read.”

This isn’t the only VLC issue disclosed this month, according to Larry Trowell, principal consultant at Synopsys. “There have been four recent vulnerabilities disclosed that are loosely related to the same area of code. While the issue is serious, using the CVSS 3.0 standard to rate the severity of a vulnerability can be a bit misleading as issues tend to rank higher than in version 2. Using the CVSS 2.0 scale, this vulnerability ranks as a 7.5,” Trowell said.

Because the user has to voluntarily interact with the attack mechanism, Trowell said, the attacker cannot initiate the attack on their own. “It’s easy to make a corrupted stream, but the trick is getting a user to play it. Also, this attack doesn’t give an attacker any extra privileges.

“There are not a lot of people who are playing random videos they get off the internet as the root/admin user on their computers. This attack can only be triggered with user interaction: the user has to either download a malicious file or open a stream that is streaming said files,” Trowell said.

As a result, a malicious actor would be dependent on the user searching out and opening a corrupted file. Trowell noted that this could be accomplished with a phishing campaign, but “it seems like in most cases the video sent would be opened with the internet browser or the email client, not VLC.

“Video parsing is hard to do correctly. There is a reason that a number of issues have been found and a reason why a correct patch will take time to implement and test. I do not know when the finding was announced to VLC or if any time was given to fix the issue before its announcement, and that should be taken into account when criticizing the company for not having a fix ready,” Trowell added.

Source: Information Security Magazine

Cybercrime Costs Global Economy $2.9m Per Minute

In just one minute on the internet, $2.9 million is lost to cybercrime, according to the annual Evil Internet Minute report from RiskIQ.

After analyzing proprietary research and data derived from the volume of malicious activity on the internet, the report found that cyber-criminals cost the global economy $2.9 million every minute last year, for a total of $1.5 trillion. 

Major companies are paying $25 per internet minute because of security breaches, while hacks on cryptocurrency exchanges cost $1,930 per minute. Criminals are leveraging multiple tactics, from malvertising to phishing and supply chain attacks. The loss from phishing attacks alone is $17,700 per minute. Global ransomware events in 2019 are projected to cost $22,184 per minute.

"As the scale of the internet continues to proliferate, so does the threat landscape," said Lou Manousos, CEO of RiskIQ, in today’s press release. "By compiling the vast numbers associated with cybercrime in the past year, we made the research more accessible by framing it in the context of an 'internet minute.' We are entering our third year defining the sheer scale of attacks that take place across the internet using the latest third-party research and our own global threat intelligence so that businesses can better understand what they're up against on the open web." 

Cyber-criminals have also increasingly targeted e-commerce with Magecart attacks, which grew by 20% over the last year; the study found 0.21 Magecart attacks were detected every minute. The data also revealed that in each internet minute 8,100 identifier records are compromised, seven malicious redirectors occur and 0.32 apps are blacklisted. In addition, the research found 2.4 phishing attacks traversing the internet per minute.

“Without greater awareness and an increased effort to implement necessary security controls, there will be more attacks using an ever-expanding range of technologies and strategies,” Manousos said. “With the recent explosion of web and browser-based threats, organizations should look to what can happen in a matter of minutes and evaluate their current security strategy. Businesses must realize that they are vulnerable beyond the firewall, all the way across the open internet." 

Source: Information Security Magazine

Five Zero-Days Found in Comodo Antivirus Software

Multiple zero-day vulnerabilities could allow malicious actors to attack Comodo antivirus software and install malware to escalate to the highest privileges, according to Tenable Research.

Though antivirus software is used to protect PCs and other devices from unknown malware and threats, Comodo – which has over 85 million desktop software installations across more than 700,000 business customers – is riddled with vulnerabilities that would ultimately grant an attacker complete control over the machine. Researchers discovered a sandbox escape and a privilege escalation to SYSTEM, according to today’s blog post. An attacker could even disable the antivirus altogether, leaving the device unprotected and vulnerable, researchers explained.

“Comodo uses many IPC mechanisms between its various AV components: Filter Ports, Shared Memory, LPC, and COM,” wrote Tenable’s David Wells.

“We happen to know Comodo has the capability to invoke scan jobs from low-privilege processes such as explorer.exe (via its Context Shell Handler (the menu that appears when a user right-clicks)) or Cis.exe (Comodo client GUI). These scan jobs are executed by invoking routines in CAVWP.exe which runs as SYSTEM.”

In total, researchers discovered five different vulnerabilities, which are demonstrated in a proof-of-concept video that illustrates the risks.

Researchers wrote that they had disclosed the vulnerabilities to Comodo on April 17. The company confirmed some of the vulnerabilities on May 7, adding that it is awaiting confirmation of others. According to the disclosure, Tenable followed up to request a status update several times before Comodo reported on June 7 that the “LPE vulnerability is partially due to Microsoft's fault.”

On July 8, Tenable asked for a status update on when fixes would be released. As of the July 22 disclosure, researchers had not been made aware of a patch to address these vulnerabilities. In an email to Infosecurity, a Comodo spokesperson wrote, "There have been no reported incidents exploiting any of these vulnerabilities and no customers reporting related issues to us. The Comodo product team has been working diligently to resolve all vulnerabilities and all fixes will be released by Monday, July 29."

Source: Information Security Magazine

Sky Customers Urged to Reset Passwords

Sky customers have been advised to reset their passwords as a security measure.

In an email sent to a number of its customers, the company wrote: “At Sky we take the security of your data and information extremely seriously. To help keep your account safe we have reset the password for your Sky account.”

Sky confirmed on Twitter that the message is genuine and prompted receivers to follow the link to reset their password, although the reason behind the reset remains unclear.

“The latest news regarding password resets occurring for email accounts with sky.com, as so-called ‘precautionary measures’ that have been taken, indicates that the incident is ongoing and possibly the root cause is still unknown,” said Joseph Carson, chief security scientist & advisory CISO at Thycotic.

“If indeed this was a credential stuffing cyber-attack, then there would be an indicator of a high number of failed log-in attempts, hopefully resulting from some users following best practices by not using the same password across multiple accounts. This is what credential stuffing is trying to abuse using an automated process.”

Sky needs to be following incident response best practices and treating this incident as serious because, in many cyber-incidents, you tend to uncover more serious data breaches when you start looking harder, Carson added. “Sky customers should really start using password managers and two-factor authentication to ensure that a password is not the only security protecting sensitive data.”

Source: Information Security Magazine

NSA Launches New Unit to Tackle Foreign Threat

The NSA has announced a new unit tasked with taking on foreign adversaries like Russia and China in cyberspace.

The Cybersecurity Directorate, which will be operational from October, is to be led by Anne Neuberger. She previously led an NSA unit known as the Russia Small Group which was set up to manage the threat from Kremlin hackers during the recent mid-terms.

It will reportedly “unify NSA's foreign intelligence and cyber-defense missions and is charged with preventing and eradicating threats to National Security Systems and the Defense Industrial Base.”

NSA director and Cyber Command boss Paul Nakasone announced the new directorate at a speaking engagement at Fordham University.

“We have two missions and for a number of years, NSA has been very active in what was called the information assurance mission. We are re-emphasizing that mission under the Cybersecurity Directorate under Anne Neuberger's leadership,” the agency said in a series of live tweets from his speech at the event.

“The Department of Defense can’t wait for our adversaries to come to us. Working with our allies, we will defend forward. It’s a strategy that now accepts the fact that we have to get involved early on. The American public should rest assured that there will be consequences for taking the US on.”

The threat to national security from state-sponsored attackers has never been greater – whether it’s sabotage of smart systems and operational technologies, theft of sensitive military and other IP, breaches of information on key personnel or interference in elections.

Given that critical infrastructure is mainly run by private companies, attacks are often targeted at this sector.

Just last week, Microsoft revealed that it had warned 10,000 customers they had been targeted by nation state attacks over the past year. This included 742 political organizations including NGOs and think tanks, with 95% of them based in the US.

If there are attempts by foreign nations to disrupt the 2020 US Presidential election, preparations will certainly be well underway by now.

Source: Information Security Magazine