Archive for July 2019

Slack Resets 1% of Passwords After 2015 Data Breach

New information discovered in the aftermath of Slack’s security breach from March 2015 has prompted the company to reset the passwords of some of its users, according to a July 18 blog post.

Slack explained that it reset account passwords for 1% of its users. Any users who created their account before March 2015 and haven't since changed their passwords and do not use single sign-on (SSO) will likely have their passwords reset by the company.

“We were recently contacted through our bug bounty program with information about potentially compromised Slack credentials. These types of reports are fairly routine and usually the result of malware or password reuse between services, which we believed to be the case here,” Slack wrote.

Recognizing – and apologizing for – the potential inconvenience, Slack explained, “Today we are resetting passwords for all accounts that were active at the time of the 2015 incident, with the exception of accounts that use SSO or with passwords changed after March 2015. We have no reason to believe that any of these accounts were compromised, but we believe that this precaution is worth any inconvenience the reset may cause.”

The announcement highlights the continued need to educate consumers about proper security hygiene, according to Terence Jackson, chief information security officer at Thycotic.

“We cannot control the situation in which our data will be breached, but what we can do is limit the fallout when it happens. These credentials that were exposed in 2015 are still surfacing. Once the data is out there, it’s out there. Using a password manager to prevent password reuse and enabling multi-factor authentication on all accounts that support it are good first steps to protect your digital identities.”

Because of the high frequency of data breaches, Shahrokh Shahidzadeh, CEO at Acceptto, said we must all operate under the assumption that our credentials and personal information are already compromised, and that it is only a matter of time before we truly understand this.

For that reason, “The reliance on binary authentication methods, such as passwords independent of their length, or even mixing it with two-factor and multi-factor authentication solutions that are susceptible to phishing attacks, is a recipe for failure and a matter of when, not if. In light of recent developments, the only safe credential is one that is immutable and that can only be bio-behavioral-based,” Shahidzadeh said.

Source: Information Security Magazine

FinServ Fears Cert-Related Outages Will Hurt Brand

Over one-third of global financial services chief information officers (CIOs) acknowledge that their organizations experienced an outage in the last six months, according to a new study from Venafi, the leading provider of machine identity protection.

The study queried more than 100 CIOs in the financial services industry from the U.S., U.K., France, Germany and Australia and found that financial services organizations are more likely to have digital certificate-related outages than other industries.

Since January 2019, 36% of financial organizations suffered an outage that had some degree of impact on critical business applications or services. Despite the impact to business, participating CIOs reported that they are more concerned about the impact to customers from certificate-related outages, with 50% of CIOs admitting they fear damage to brand from an outage.

Survey participants also said these types of outages are only going to become more severe, according to the report. Approximately one-third (34%) said they are concerned about increasing interdependencies, which could make future outages even more painful. 

Meanwhile, certificate use continues to skyrocket in the financial services industry with 82% of respondents expecting to see certificate usage in their organizations grow by at least 25% in the next five years. In addition, 56% of respondents projected a minimum growth rate of greater than 50%. 

“Organizations from every sector struggle with certificate-related outages on critical infrastructure, but it’s clear that these issues are even more pronounced in the financial services industry,” said Kevin Bocek, vice president of security strategy and threat intelligence for Venafi, in the release. 

“The entire sector is focused on trust, performance and reliability, so they can’t afford service interruptions. At the same time, the industry has been transformed by open banking initiatives. As a result, financial services organizations rely on machine identities to secure and protect a wide range of business-critical, machine-to-machine communication. Unfortunately, these critical security assets are often unmanaged and unprotected, even though they protect mobile applications, containerization initiatives and cloud architectures.” 

Source: Information Security Magazine

New Malware Frame Cashing in on Ad Fraud

A new malware framework has been discovered padding statistics on social sites and ad impressions, according to new research from Flashpoint.

Researchers explained that over the course of the past three months, the malware framework has been responsible for more than one billion fraudulent Google AdSense ad impressions.

The malware uses three separate stages of installation to deliver a malicious browser extension that performs fraudulent AdSense impressions and generates likes on YouTube videos. It also watches hidden Twitch streams. 

The initial stage of the framework executes the installer, which either sets up a new browser or downloads a module that does so. “The installer sets itself up as a task related to Windows Update by creating an XML file on the local disk and executing it as a scheduled task (schtasks),” the July 18 blog post explained. It then checks to make sure the installer was successful. 

The second component is the finder, “a module designed to steal browser logins and cookies, package them in .zip files, and send them to the attacker’s command-and-control infrastructure.” Finally, the patcher module sets up the browser extension. 

The malware is generating revenue for its operators, who are using a botnet to attack the content and advertising platforms by spreading the malware and targeting browsers such as Google Chrome, Mozilla Firefox and Yandex’s browser, according to the research.

“Flashpoint researchers found code, for example, that looks for YouTube referrers and then injects a new script tag to load code for YouTube. In this case, the injected JavaScript has an extensive amount of code that is designed to like videos, most of which are related to political topics in Russia. Separately, researchers also found code that injects an iframe into the browser designed to play a hidden Twitch stream, padding the viewer stats for the streamer on that page,” researchers wrote.

Source: Information Security Magazine

Magecart Group Spotted Operating From War Zone

One of the groups using Magecart to steal customer card data from e-commerce sites is operating out of a war zone in eastern Ukraine, security experts have revealed.

The Malwarebytes Threat Intelligence Team described in a blog post how the location of Luhansk near the border with Russia is an “ideal breeding ground where criminals can operate with total impunity from law enforcement or actions from the security community.”

The attacks detailed by the vendor target Magento e-commerce sites and use JavaScript served from a domain disguised as Google Analytics, a domain previously associated with the VisionDirect breach of last year.

The researchers found usernames and passwords belonging to hundreds of e-commerce sites, indicating the scope of the campaign, as well as a PHP backdoor used in these attacks.

The so-called exfiltration gate, web servers set up to receive the stolen data, is also disguised as a Google domain. Along with the card details, the attackers are stealing names, addresses, emails, and phone numbers for possible use in follow-on phishing attacks, Malwarebytes claimed.

The hosting server is located in Luhansk, capital of an unrecognized state set up in 2014 by Russian-backed separatists and known as the Luhansk People's Republic. At the center of the war-torn Donbass region, bulletproof hosting services are “safe from the reach of European and American law enforcement,” according to the vendor.

“Choosing the ASN AS58271 ‘FOP Gubina Lubov Petrivna’ located in Luhansk is no coincidence for the Magecart group behind this skimmer. In fact, on the same ASN at 176.119.1[.]70 is also another skimmer (xn--google-analytcs-xpb[.]com) using an internationalized domain name (IDN) that ties back to that same exfiltration gate. In addition, that ASN is a hotspot for IDN-based phishing, in particular around cryptocurrency assets,” it explained.

“Due to the very nature of such hosts, takedown operations are difficult. It’s not simply a case of a provider turning a blind eye on shady operations, but rather it is the core of their business model.”
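The skimmer domain quoted above is an internationalized domain name, so anyone reviewing script sources or proxy logs sees only its punycode form. The following added example (written for this page, not code from Malwarebytes or the original article) decodes such labels, folds accents and a small assumed table of homoglyphs to ASCII, and compares the result against an assumed allowlist containing google-analytics.com; it also flags one-character typosquats, which goes beyond what the article discusses.

```python
import unicodedata

# Constructed allowlist: the brand the skimmer on this page imitated.
TRUSTED_DOMAINS = {"google-analytics.com"}

# Small assumed table of homoglyphs that NFKD does not fold to ASCII
# (dotless i, script g, Greek omicron, Cyrillic e and a).
CONFUSABLES = {"\u0131": "i", "\u0261": "g", "\u03bf": "o",
               "\u0435": "e", "\u0430": "a"}


def refang(host: str) -> str:
    """Undo the [.] defanging used in reports, lower-case, drop a trailing dot."""
    return host.strip().lower().replace("[.]", ".").rstrip(".")


def decode_idn_labels(host: str) -> str:
    """Decode every xn-- label to Unicode; other labels pass through unchanged."""
    labels = []
    for label in host.split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # malformed punycode: keep the raw label visible in reports
        labels.append(label)
    return ".".join(labels)


def skeleton(host: str) -> str:
    """Fold accents and known homoglyphs to ASCII so a lookalike collapses onto its target."""
    out = []
    for ch in unicodedata.normalize("NFKD", host):
        ch = CONFUSABLES.get(ch, ch)
        if unicodedata.combining(ch):
            continue  # drop the combining circumflex left over from i-circumflex, etc.
        if ord(ch) < 128:
            out.append(ch)
    return "".join(out)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Approximation: last two labels (no public-suffix list; enough for the .com brand here)."""
    return ".".join(host.split(".")[-2:])


def classify(host: str) -> str:
    """Return 'trusted', 'homograph-lookalike', 'typosquat-lookalike' or 'unrelated'."""
    raw = refang(host)
    folded = skeleton(decode_idn_labels(raw))
    target = registrable(folded)
    if target in TRUSTED_DOMAINS:
        # Same ASCII skeleton as a trusted brand: genuine only if the raw name already was that brand.
        return "trusted" if registrable(raw) == target else "homograph-lookalike"
    if any(edit_distance(target, brand) <= 1 for brand in TRUSTED_DOMAINS):
        return "typosquat-lookalike"
    return "unrelated"


if __name__ == "__main__":
    for h in ("xn--google-analytcs-xpb[.]com", "www.google-analytics.com"):
        print(h, "->", decode_idn_labels(refang(h)), classify(h))
```

Running it shows the quoted skimmer label decodes to google-analytîcs, which a browser renders almost indistinguishably from the legitimate analytics host.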

Source: Information Security Magazine

Microsoft Alerts 10,000 Customers of Nation State Attacks

Microsoft has warned 10,000 customers that they’ve been targeted by nation state attacks over the past year, including hundreds of US political organizations, the firm revealed this week.

In a blog post to promote the firm’s new ElectionGuard secure voting system, corporate VP for customer security and trust, Tom Burt, revealed that the vast majority (84%) of state-sponsored attacks were targeted at Microsoft’s enterprise customers, with the remainder (16%) hitting consumers' personal email accounts.

The majority came from groups in Russia (Yttrium and Strontium), Iran (Holmium and Mercury) and North Korea (Thallium).

“While many of these attacks are unrelated to the democratic process, this data demonstrates the significant extent to which nation-states continue to rely on cyber-attacks as a tool to gain intelligence, influence geopolitics or achieve other objectives,” said Burt.

However, a significant minority of attacks have been focused on democratic organizations. Officially launched last August, Microsoft’s AccountGuard tool has since alerted on 781 nation state attacks against “political campaigns, parties, and democracy-focused non-governmental organizations (NGOs).”

Although the tool is only available in 26 countries so far, the vast majority (95%) of political organizations targeted were in the US, which amounts to around 742.

“Many of the democracy-focused attacks we’ve seen recently target NGOs and think tanks, and reflect a pattern that we also observed in the early stages of some previous elections. In this pattern, a spike in attacks on NGOs and think tanks that work closely with candidates and political parties, or work on issues central to their campaigns, serve as a precursor to direct attacks on campaigns and election systems themselves. We saw such attacks in the US presidential election in 2016 and in the last French presidential election,” explained Burt.

“As we head into the 2020 elections, given both the broad reliance on cyber-attacks by nation states and the use of cyber-attacks to specifically target democratic processes, we anticipate that we will see attacks targeting US election systems, political campaigns or NGOs that work closely with campaigns.”

Source: Information Security Magazine

APT Targets Diplomats in Europe, Latin America

Evidence suggests that new versions of malware families are linked to the elusive Ke3chang group, along with a previously unreported backdoor, according to researchers at ESET.

The researchers have long been tracking the advanced persistent threat (APT) group and suspect that it operates out of China, according to today’s press release.

Named Okrum by ESET, the malware was first detected in late 2016 when it was used to target diplomatic missions and governmental institutions in Belgium, Slovakia, Brazil, Chile and Guatemala. However, researchers have seen multiple variations of the malware families and attributed the activity to the Ke3chang group.

“In research going back to 2015, ESET identified new suspicious activities in European countries. The group behind the attacks seemed to have particular interest in Slovakia, but Croatia, the Czech Republic and other countries were also affected. Analyzing the malware used in these attacks, ESET researchers found that it was linked to known malware families attributed to the Ke3chang group, and dubbed these new versions Ketrican,” the release stated.

“We started connecting the dots when we discovered that the Okrum backdoor was used to drop a Ketrican backdoor, compiled in 2017. On top of that, we found that some diplomatic entities that were affected by the Okrum malware and the 2015 Ketrican backdoors were also affected by 2017 Ketrican backdoors,” said Zuzana Hromcova, the ESET researcher who made the discoveries. 

The group has remained active in 2019. As recently as March, researchers “detected a new Ketrican sample that has evolved from the 2018 Ketrican backdoor. It affected the same targets as the backdoor from 2018,” according to the research.

“Okrum can impersonate a logged on user’s security context using a call to the ImpersonateLoggedOnUser API in order to gain administrator privileges.” It then automatically collects information about the infected computer, including computer name, user name, host IP address, primary DNS suffix value, OS version, build number, architecture, user agent string and locale info (language name, country name), the report added.

Source: Information Security Magazine

Security Experts Warn Against Use of FaceApp

Security experts are warning the public not to partake in the FaceApp craze, which is being exacerbated by the #FaceAppChallenge that is going viral on social media, according to multiple reports. 

While security experts and privacy advocates are warning users to avoid the app, Senator Chuck Schumer has requested that the Federal Bureau of Investigation (FBI) and the Federal Trade Commission (FTC) investigate whether there are adequate safeguards in place to protect the privacy of the app’s users. 

"FaceApp's location in Russia raises questions regarding how and when the company provides access to the data of U.S. citizens to third parties, including foreign governments," wrote Schumer.

Created in 2017 by developers at Wireless Lab in St. Petersburg, Russia, FaceApp now has access to the face and images of over 150 million people, Forbes reported. Users’ photos are being uploaded to the cloud, yet the terms and conditions grant FaceApp the ability to do additional processing locally on their device.

“To make FaceApp actually work, you have to give it permissions to access your photos – ALL of them. But it also gains access to Siri and Search… Oh, and it has access to refreshing in the background – so even when you are not using it, it is using you,” tweeted technology author Rob La Gesse, who warned users who have installed the app to delete it.

“FaceApp serves as an important reminder that free isn't free when it comes to apps. The user and his/her [photo are] the commodity, whether sold for purposes like marketing or more nefarious things like identity theft and creation of deep fakes. Don't use apps that need access to all your data and be sure to read the EULAs to ensure the app gives users some sort of control and protection based on where the data is stored and processed," said Rick McElroy, head of security strategy at Carbon Black.

Source: Information Security Magazine

California State Auditors Say Government IT is Flawed

Weaknesses in the information security of some California state offices were brought to light after the state auditor called for additional oversight and regular assessments, according to the report Gaps in Oversight Contribute to Weaknesses in the State’s Information Security.

In the midst of ongoing conversations around the security of customer data and less than six months before the California Consumer Privacy Act (CCPA) is scheduled to go into effect, the report comes at a time when governments are grappling with the ever-growing threat of cyber-attacks. 

According to the report from state auditor Elaine Howle, the personal information of California residents may not be protected because of flaws in the government’s IT systems. “We surveyed 33 non-reporting entities from around the State and reviewed 10 of them in detail. Twenty-nine of the 33 obtained an information security assessment to evaluate their compliance with the specific security standards they selected, 24 learned that they were only partially compliant, and 21 identified high-risk deficiencies,” the report said.

Howle called for state agencies to do more in order to effectively safeguard the information that state government agencies collect, maintain and store. Additionally, Howle noted that “the non-reporting entities we surveyed may be unaware of additional information security weaknesses because many of them relied upon information security assessments that were limited in scope.”

Because California has usually been considered a trailblazer when it comes to information security and data privacy practices, Ben Sadeghipour, head of hacker operations at HackerOne, said the auditor’s report comes as a surprise. “When you are a large government agency like the State of California dealing with the data of almost 40 million residents, it is absolutely critical to have consistency across information security policies, especially among the numerous government entities who are tasked with handling, storing and safeguarding personal data,” said Sadeghipour.

“Cyber-criminals are constantly searching for ways to exploit vulnerabilities, especially in the government sector due to the notion that they are easy targets with a goldmine of data. Every government agency, regardless of budget, should at minimum implement a vulnerability disclosure policy (VDP) so that security researchers or ethical hackers can find those vulnerabilities before the bad guys do.”

Source: Information Security Magazine

Security is Biggest Digital Transformation Concern

Cybersecurity is viewed as the biggest single risk to digital transformation projects, but most organizations aren’t involving CISOs early enough in projects, according to new research from Nominet.

The .uk registry and DNS security organization polled 274 CISOs, CIOs, CTOs and others with responsibility for security in US and UK organizations.

It found that the vast majority (93%) were implementing digital transformation projects, although of the small number who weren’t, more than a quarter (27%) said it is because of security concerns.

Cybersecurity was also far and away the biggest worry for those currently undertaking such projects, with 53% citing it as a top-three threat. Some 95% expressed some concern, with over two-fifths (41%) either “very” or “extremely” concerned.

Topping these concerns were exposure of customer data (60%), cyber-criminal sophistication (56%), an increased threat surface (53%), visibility blind spots (44%), and IoT devices (39%).

Although a third (34%) of respondents claimed security was considered during the development of the digital transformation strategy, many left it to the pre-implementation (28%) and implementation (28%) stages, or even post-implementation (9%). Some 2% said security wasn’t considered at all.

IT leaders may be over-confident in their ability to mitigate cyber-risk in digital transformation. Some 82% of respondents claimed it was considered early enough in their projects and 85% scored it near top marks for effectiveness, despite 86% having suffered a breach in the past 12 months.

What's more, a majority of partners (59%), customers (55%) and industry/regulatory bodies (54%) had queried the robustness of their approach.

“With digital transformation you have to be sure that when you’re bringing in new applications, security is considered from the outset,” argued Nominet CISO, Cath Goulding. “More than this though, in a digital transformation project, the real trick is to manage the security considerations of legacy and new applications simultaneously.”

On the plus side, 31% of respondents reported that 11-25% of their digital transformation budget is allocated to cybersecurity, with over a fifth (23%) claiming that 26-50% is set aside.

Source: Information Security Magazine

BEC Scams Cost US Firms $300m Each Month

Business Email Compromise (BEC) scams have rocketed in volume and value over the past two years, making cyber-criminals over $300m each month in 2018 from US victims alone, according to new data.

The findings were revealed by the Financial Crimes Enforcement Network (FinCEN), a bureau of the US Department of the Treasury.

They note that the number of BEC reports has climbed rapidly, from around 500 per month in 2016 to more than 1100 last year. The total value of related BEC thefts has also soared over the same period, from around $110m per month to an average of $301m.

Manufacturing and construction was the most targeted sector in 2017 and 2018, accounting for around a fifth and a quarter of reports in those respective years.

In 2018, this sector was followed by “commercial services” – which includes shopping centers, entertainment facilities, and lodging – and then real estate.

The former saw reported BEC attacks increase more than any other vertical, tripling from 6% in 2017 to 18% last year.

Interestingly, the vast majority (73%) of BEC attacks seen over the period involved scammers receiving funds into US accounts, rather than ones overseas, taking advantage of money mule networks nationwide, FinCEN claimed.

“Industries that are common in a particular state likely represent the most targeted companies in that state,” it added. “For example, financial firms are the most frequently targeted firms in New York, while manufacturing and construction firms are the most frequently targeted in Texas.”

In terms of attack methodology, CEO impersonation ranked high in 2017, accounting for a third (33%) of scams, but declined to 12% in 2018. On the other hand, use of fraudulent vendor or client invoices grew from 30% to 39% over the period. Impersonation of an outside entity accounted for 20% in 2018 but was not documented in 2017.

The FBI warned earlier this year that BEC losses hit $1.3bn in 2018, almost half of all losses associated with cybercrime in the year. These were linked to just 20,000 victims, highlighting the potential high ROI for the scammers.

The figure works out much lower than the cost of BEC calculated by FinCEN, but this could be down to under-reporting.

Source: Information Security Magazine