Archive for January 2020

REvil Ransomware Crew Sponsors Underworld Hacking Competition

A notorious Russian threat group famed for its devastating ransomware attacks has funded a hacking competition being run on a dark web forum. 

Sodinokibi—the creators of the REvil ransomware—stumped up $15,000 in prize money for the illegal hacking contest, which requires competitors to write original articles containing proof-of-concept videos or original code. 

Articles can be submitted on five different topics, including APT attacks, developing exploits and searching for 0-day and 1-day vulnerabilities, and how to hack other people's crypto algorithms.

Along with the prize money, Sodinokibi offered the competition's overall winner an opportunity to "work with" the threat actors under "mutually beneficial conditions." 

The competition was announced via the XSS forum, which counts several Sodinokibi representatives among its members.

News of the competition and its nefarious sponsors was published today in a report by researchers at Digital Shadows. While black hat hacking competitions on dark web forums like Exploit and XSS are nothing new, the researchers noted a significant increase in the number of high-stakes prizes on offer recently.

“Since its relaunch as XSS [in 2018], the former Damagelabs has organized three article competitions, all with four- or five-figure prize funds,” the researchers noted.

By contrast, a 2010 competition that challenged participants to design a graphic that best represented the Russian-language segment of the internet (the "Runet") had as its prize a single iPad.

Digital Shadows’ research indicates that groups like Sodinokibi have taken an interest in these competitions to foster technical skills among forum members, increase awareness of the availability of ransomware on the forum in a savvy sales move, and gain valuable intelligence for future malware development.

For the forums, such high-prize competitions are a way to grow or sustain their membership. 

Researchers wrote: "Cybercriminal forums need to attract and retain members in order to survive and being able to present a site as a valuable repository of articles discussing pertinent cybercriminal issues is a real draw."

Currently, the prize money up for grabs in legal white hat competitions outstrips what can be won on the dark web, but based on Digital Shadows' research, that situation could one day change.

Source: Information Security Magazine

US County's Computers Still Down Nine Days After Ransomware Attack

A county in the Pacific Northwestern state of Oregon is yet to fully recover from a ransomware attack that happened over a week ago.

Cyber-criminals hit Tillamook County in a targeted attack last Wednesday, January 22. As a result, all internal computer systems under the county government, which 250 county employees rely on, went down.

The Tillamook County website, which hosts numerous departments, was also taken out in the incident. Other network connections were disabled to contain the spread of the malware.

The Emergency Communications District’s dispatch and 911 services were not affected; however, the County Sheriff's Office has experienced some issues with its phone system and email.

County Commissioner Mary Faith Bell said that the attack was initially thought to be a storage system technical issue. It was later identified as a ransomware attack despite no initial ransom demands being made by the attackers. 

The day after the incident occurred, county officials contracted a forensic computer firm, Arete Incident Response, to investigate the attack. 

Though the potential cost of the ransom is yet to be revealed, the actions of the county earlier this week hint that the attackers may have finally issued a demand. 

On Monday, January 27, Tillamook County commissioners voted unanimously to negotiate with the cyber-attackers for an encryption key in a bid to regain control of the government's computer systems. 

Addressing the board, Information Technology Director Damian Laviolette said: "At this time, we are looking to Arete to potentially begin the process of negotiation for an encryption key for the remainder of the systems we have been unable to protect or retain the integrity of."

Bell acknowledged that paying a ransom could not guarantee the security or safe return of the data. She said: “I think the lesson is to backup absolutely everything because I think this kind of thing will become more common. There are places in the world where people are just doing this for a living.”

To keep functioning, the county has had to revert to non-digital workarounds. 

“A lot of the things like the library, we are checking books out by paper the old-fashioned way,” said Tillamook County Emergency Manager Gordon McCraw.

County phone lines were restored earlier in the week; however, no timeline has been given for when Tillamook's computers will be back up and running.

Source: Information Security Magazine

Breach at Indian Airline Affects 1.2 Million Passengers

A data breach at Indian airline SpiceJet has exposed the personal information of over a million passengers.

Access to the airline's computer system was gained last month by a security researcher, who went on to report the breach to TechCrunch.

Using a brute-force attack, the researcher busted into an unencrypted database backup file containing the private information of more than 1.2 million passengers who flew with SpiceJet last month. According to the ethical hacker, the password protecting the data was easily guessable.  

Data exposed in the breach included passengers' names, phone numbers, email addresses, and dates of birth. Among the passengers whose data was exposed were several state officials.  

According to the researcher, the database file was easily accessible for anyone who knew where to look, leaving the budget airline vulnerable to cyber-attackers. 

After successfully gaining unauthorized access to SpiceJet's passenger data, the researcher contacted the airline to warn them that a breach had occurred. The researcher said that their efforts to reach out to the airline elicited no meaningful response from SpiceJet. 

The researcher went on to notify India's computer emergency response team (CERT-In) of the breach. The government-run agency confirmed that the breach had occurred and went on to issue an alert to SpiceJet.

While SpiceJet has now taken steps to secure the exposed database, the airline has declined to confirm CERT-In's findings.

A spokesperson for the airline said in a statement: “At SpiceJet, safety and security of our fliers’ data is sacrosanct. Our systems are fully capable and always up to date to secure the fliers’ data which is a continuous process. We undertake every possible measure to safeguard and protect this data and ensure that the privacy is maintained at the highest and safest level.”

SpiceJet is one of the country's largest privately-owned airlines, commanding an approximate 13% market share in India. The airline, which is headquartered in Gurgaon, flies over a million passengers a month and puts more than 600 planes in the air every day. 

The security researcher who detected the security lapse has chosen to remain anonymous.

Source: Information Security Magazine

British Council Blocked Over 10 Million Malicious Emails in 2019

The British Council, which promotes wider knowledge of the UK and English language in over 100 countries worldwide, was hit by over 10 million malicious email attacks in 2019, according to official figures.

The data was obtained by Nimbus Hosting under the Freedom of Information Act and showed that the British Council blocked a total of 10,336,631 emails last year. Of those, 190,155 emails were intercepted or blocked because of suspected malware such as worms, Trojan horses and ransomware.

Furthermore, the organization also blocked 14,317 suspected phishing emails, whilst a further 10,132,159 emails were intercepted and logged as spam, many of which would have had the potential to contain viruses.

Tim Dunton, MD, Nimbus Hosting, said: “These figures are another reminder that cyber-criminals will continually bombard organizations with scam emails, hoping to trick employees into handing over private data, to breach the organization’s security systems or steal personal information. All it takes is for one hoax email to fall through an email system’s imperfect filtration system before an organization must face the consequences of a severe breach of customer information.”

Moving forward, he added, it’s vital that all organizations like the British Council have the necessary anti-virus systems in place, as well as robust security procedures to keep hackers at bay.

Source: Information Security Magazine

US Defense Contractor Hit by Ryuk Ransomware

A US government technology contractor has become the latest major target taken down by a ransomware attack.

Electronic Warfare Associates (EWA) counts the Department of Defense, Department of Justice and Department of Homeland Security among its clients. It describes itself as a veteran-owned business with a track record dating back over four decades.

The firm currently claims to be working on cutting-edge projects in areas such as blockchain, anti-drone capabilities, location tracking and quantum technology. However, its own tech credentials appear to have taken a knock with this latest ransomware attack.

At the time of writing, its websites for subsidiaries EWA Government Systems and electronic deadbolt producer Simplicikey are down, but there’s no word on how widespread the attack was and how it has impacted the organization.

Its government customers will want to know if the ransomware hackers have also stolen sensitive corporate information, as is increasingly the case in such attacks.

Late last year new malware with data theft capabilities dubbed “Ryuk Stealer” was discovered. Keywords found in the code including “military,” “engineering,” “defense,” “government” and “restricted” raised suspicions that the authors may be gearing up to target the stealer at organizations like EWA and its clients.

Alexander García-Tobar, CEO and co-founder of Valimail, claimed that a phishing email was the likely attack vector.

“Phishing is implicated in more than 90% of all cyber-attacks, and it is the preferred vector used by the Ryuk ransomware that hit EWA servers,” he added. “Therefore, it’s likely that email played a role in delivering this attack. Additionally, impersonation-based techniques are leveraged in the majority of phishing attempts, so as to convince the target the fraudulent message is from a trusted source.”

Ransomware attacks targeting municipalities caused a trail of chaos across the US last year, but this is the first major raid against a federal government contractor.

Source: Information Security Magazine

AlphaBay Moderator Faces 20 Years Jail Time

A Colorado man who worked as a moderator on the infamous AlphaBay marketplace is facing two decades behind bars after pleading guilty to racketeering charges this week.

Bryan Connor Herrell, 25, worked on the now-shuttered dark web site settling disputes between buyers and sellers of illicit goods, according to a Department of Justice (DoJ) notice.

Known by the online pseudonyms “Penissmith” and “Botah,” he’s said to have settled over 20,000 such disputes on the site whilst also monitoring transactions for signs of fraud.

It appears Herrell’s identity may have become known to police after FBI, DEA and Royal Thai Police officers raided the home of AlphaBay founder Alexandre Cazes in 2017. At the time they seized an open laptop which contained “the passwords/passkeys for the AlphaBay website, the AlphaBay servers, and other online identities associated with AlphaBay.”

While Cazes subsequently died in prison, of suspected suicide, investigations into his former colleagues continue.

AlphaBay is thought to have been the world’s largest dark web marketplace of its kind when it stepped up to fill the gap left by Silk Road.

However, it suffered the same fate as its predecessor after police managed to infiltrate and shut it down. Announced alongside the takedown of Hansa in July 2017, the site is said to have reached over 200,000 users and 40,000 vendors.

According to Europol, the site hosted over 250,000 listings for illegal drugs and over 100,000 for stolen and fake ID documents, malware, hacking tools, counterfeit goods and more.

The policing organization estimated that at least $1bn flowed through the marketplace since it was launched in 2014.

Herrell was paid in Bitcoin for his efforts, and likely received a handsome remuneration. However, after he pleaded guilty to conspiring to engage in a “racketeer-influenced corrupt organization,” he faces a maximum of 20 years in prison.

Source: Information Security Magazine

UK Cyber Sector Tops £8bn as Brexit Looms

New figures cited by the UK government claim the country’s cybersecurity sector has achieved double-digit growth over the past two years, but Brexit threatens to undo much of the good work by making cross-border recruitment and sales harder.

Based on research from Queen’s University Belfast, the sector is now worth £8.3bn, with revenues from UK firms having increased 46% from 2017-19. The number of cybersecurity firms located in the UK also grew significantly over the period, by 44% from 846 in 2017 to over 1200 at year-end 2019.

In addition, investment into the industry was a record £348m last year, and topped £1.1bn over the past four years, the paper claimed.

The university argued that government-backed initiatives like HutZero, Cyber101 and the London Office for Rapid Cyber Security Investment (LORCA) have played a key role in helping start-ups and SMEs develop new products and services.

Andy Harcup, VP EMEA at Absolute Software, welcomed the news, arguing that it’s a reflection of the growing market demand for products designed to mitigate cyber-risk.

“However, whilst it’s great to see that cybersecurity has grown in priority on the corporate agenda as companies are spending more than ever on security, it must be mentioned that the threat landscape is developing even faster,” he added.

“Therefore, we must witness continued dedicated commitment from all organizations to tackle this problem head on. This involves the use or introduction of security tools that not only mitigate risk, but help the organization to respond, recover and actually fix the things that are breaking.”

The news comes as the UK officially leaves the European Union at midnight tonight. Experts and IT security professionals have warned that Brexit could have a “chilling” effect on the country’s nascent cybersecurity industry, by making cross-border intelligence sharing harder, and impacting jobs.

The world is already experiencing a cybersecurity skills shortage in excess of four million positions, with shortfalls in Europe having soared by over 100% from 2018-19.

It is predicted that Brexit will discourage many skilled job-seekers from coming to the UK, while the pipeline from UK universities remains weak.

Over 90% of UK IT professionals told RedSeal last year they believe Brexit will make chronic industry skills shortages even worse.

There are also question marks over UK sales to the continent. Boris Johnson’s government has refused to consider remaining in the single market, meaning likely trade restrictions that will hinder firms’ growth prospects.

Source: Information Security Magazine

Number of Web Certs Up, More Public Education Needed

The number of deployed Extended Validation (EV) SSL certificates has increased, with new measures by browsers to promote “secure” websites.

Speaking at the DigiCert Security Summit in San Diego, DigiCert senior director of business development, Dean Coclin, said that EV certificates are still important, but acknowledged that there is a need for more education around them.

One idea he discussed was to create a whitelist of sources that hold an EV certificate, and allow all certificate authorities (CAs) to access the whitelist to improve validation. Another was to establish a minimum time before an EV certificate can be issued, but Coclin acknowledged that this was not popular as it may affect new companies that want an EV cert for their domain.

Another idea was to add “validated trademarks” into the certificate as they are recognizable and distinguishable, “and if we put these into the certificates, people would have an extra way of validating that the certificate is authentic.” These will have been validated by the CA, using a standard set of validations and rules.

The last option is to add a requirement that the CA check a record published for the domain to see what sort of certificate should be issued for it. “If you say you don’t want an EV certificate to be issued for a domain, and someone in a different location tries to issue a certificate, the CA could look at the record and see that they cannot issue one for that domain.”
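The per-domain record Coclin describes corresponds to the DNS CAA mechanism (RFC 8659), in which a domain owner publishes which CAs may issue for it and a CA must consult that record before issuing. The following is an added example, not code from the page or from DigiCert, that implements the CA-side check: it walks up from the requested name to find the relevant CAA set, honours the critical flag, and applies the issue/issuewild rules. The zone data, the CA names (ca-one.example and friends) and the host names are all constructed, and the lookup is done against an in-memory dictionary rather than live DNS so it runs offline.

```python
from dataclasses import dataclass

CRITICAL = 128  # RFC 8659 "issuer critical" flag bit


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str    # "issue", "issuewild", "iodef", or something unknown
    value: str  # CA domain (optionally followed by ";params"), or ";" meaning "nobody"


# Constructed sample zone: maps a DNS name to its CAA RRset (not real DNS data).
ZONE = {
    "example.com": [
        CAARecord(0, "issue", "ca-one.example"),   # only ca-one may issue
        CAARecord(0, "issuewild", ";"),            # ...and nobody may issue wildcards
    ],
    "strict.example.net": [CAARecord(0, "issue", ";")],           # no CA may issue at all
    "odd.example.org": [CAARecord(CRITICAL, "futuretag", "x")],   # unknown critical tag
}


def relevant_caa(fqdn, zone=ZONE):
    """Return (name, rrset) for the closest CAA RRset at or above fqdn, per RFC 8659 §3."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        rrset = zone.get(name)
        if rrset:
            return name, rrset
    return None, []


def _ca_listed(values, ca):
    """True if the CA's identifying domain appears as the domain part of any value."""
    for v in values:
        ca_part = v.split(";", 1)[0].strip().lower()
        if ca_part and ca_part == ca.lower():
            return True
    return False


def may_issue(fqdn, ca, wildcard=False, zone=ZONE):
    """Decide whether `ca` may issue a (wildcard) certificate for `fqdn`. Returns (allowed, reason)."""
    name, rrset = relevant_caa(fqdn, zone)
    if not rrset:
        return True, "no CAA record found for %s or any parent" % fqdn

    # A critical record with a tag we do not understand forbids issuance outright.
    known_tags = {"issue", "issuewild", "iodef"}
    for r in rrset:
        if r.flags & CRITICAL and r.tag.lower() not in known_tags:
            return False, "critical unknown tag %r at %s" % (r.tag, name)

    issue = [r.value for r in rrset if r.tag.lower() == "issue"]
    issuewild = [r.value for r in rrset if r.tag.lower() == "issuewild"]
    # For wildcard requests, issuewild records take precedence when present;
    # otherwise the issue records govern both kinds of request.
    governing = issuewild if (wildcard and issuewild) else issue
    if not governing:
        return True, "no applicable issue/issuewild records at %s" % name
    if _ca_listed(governing, ca):
        return True, "%s is authorised by CAA at %s" % (ca, name)
    return False, "%s is not authorised by CAA at %s" % (ca, name)


if __name__ == "__main__":
    for host, ca, wild in [("www.example.com", "ca-one.example", False),
                           ("www.example.com", "other-ca.example", False),
                           ("example.com", "ca-one.example", True),
                           ("strict.example.net", "ca-one.example", False),
                           ("host.unrelated.test", "ca-one.example", False),
                           ("odd.example.org", "ca-one.example", False)]:
        allowed, why = may_issue(host, ca, wildcard=wild)
        print("%-22s %-18s wildcard=%-5s -> %-5s (%s)" % (host, ca, wild, allowed, why))
```

The walk up the name tree is what makes a record at example.com bind every host beneath it, and the ";" value is the way an owner says that no CA at all (or no wildcard) should be issued. A real CA implementation would additionally follow CNAMEs and treat DNS lookup failures as "cannot verify", which this constructed version does not model.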

Looking at the number of TLS certificates issued, Coclin said that around 78 million trusted web certificates are deployed on websites globally, an increase of almost two million since last month, and that DigiCert has issued 13 million since the beginning of the year.

For the individual certificate types, Coclin said DigiCert had issued 27.4% of the domain validation (DV) certificates (the most was by Let's Encrypt with 49.7%), while DigiCert had issued 59.7% of the EV certificates and 96% of the organization validation (OV) certificates.

Pointing out that the number of TLS certificates had increased in recent years, Coclin said that this was about the move by browsers to highlight those websites not using HTTPS. “No website wants their domain to be seen as not secure, so certificates have increased,” he said.

The next step will be a red line through the address bar to show that a site is not secure; after that there will be an intermediate page saying that the page is not secure and asking “do you really want to go to it?” The step after that will be the same intermediate page saying “the following web page is not secure.”

He added: “Now who wants a website that you cannot get to? That should take us to 100% encryption on the web.”

Looking forward, Coclin predicted that the number of TLS certificates will increase, as well as Verified Mark Certificates in email as DMARC is further deployed. “EV is not going away, it has moved, but I think it is going to change again – maybe for the better or worse – but there are discussions going on and improvements being made, and we’ll see where that goes,” he concluded.

“We used to tell people ‘look for the lock’ but you cannot just do that anymore, as hackers know that is what we were told as they are getting free EV certificates and putting them on their sites and getting verified for 24-48 hours.”

Source: Information Security Magazine

Need for “Big Data Biology” as Users Create More Data

Speaking at the DigiCert Security Summit in San Diego, DigiCert senior director of business development, Dean Coclin, said that “identity data is created on us all of the time,” but asked how protected it is.

He said that as we browse we create more and more data every day, and this data is about us and we should be sure it is “kept secure and in the right format.” Now with more devices available, cloud computing and IoT, we have ended up with the situation where we have big data, but not the “big data biology” on how it should be managed.

He said: “It is my data, not your data, and what is generated should be known by me and not some other company.” Citing the introduction of the GDPR in Europe in 2018 and the California Consumer Privacy Act (CCPA) this month in the USA, Coclin also referred to other legislation that had not passed, including the New York Privacy Act, which he said was “stronger than CCPA and gave private right of action.” However, he added that this failed in a legislative session, and he suspected that other proposed privacy laws would not pass in the current political climate.

Focusing on anonymity on the web, he said that there is a push to be more anonymous on the web, and particularly in the case of electronic voting “as you don’t want people to know who you voted for.”

Elsewhere, he said it was the same with email and IoT, that with the former you want to know that who has emailed you is actually that person, and with IoT, you want to know which devices are trusted and authorized to join your network.

On the other side, there are those “who do not want to be identified and cases where identity is important” and that is where Tor is important.

“Ideally for consumers, a strong privacy law is something that they need,” he argued. “For companies trying to comply, an over-arching privacy law, whether at state, federal or country level or global level would be even better, would be fantastic.”

Source: Information Security Magazine

Quantum Computing is Here, Look to a Post Quantum Future

Data is the new oil, but advances in quantum computing could be breaking encryption faster in the future.

Speaking at the DigiCert Security Summit in San Diego, Dr Michio Kaku, futurist and theoretical physicist, talked of the rise of quantum computing and its deployment in modern society.

He said that after we built the world wide web, television, radio, radar and microwaves “and everything you see in a doctor’s office,” the next step will be quantum. “If the first wave was about steam power, the second on electricity, the third on high tech, what will the fourth and fifth be about? The fourth wave we are now entering, it is physics at the molecular level, such as AI, nano and bio technology; then we will see the fifth wave of technology which will be dominated by physics at the atomic level.”

Kaku predicted the end of silicon, saying it “cannot compute at a quantum level” and now millions are being spent on this computing. However, while this technology is in its infancy, the threat is there. 

In a press conference, Kaku said that we are heading into a post-silicon era and that atoms can be used to break any encryption, so governments are getting ahead of the game “as there is much at stake, so now the race is on for the post quantum era where we want to find defenses against methods used by quantum computers to break codes.”

He added that today’s mainframes will be replaced by quantum computers, but mobile phones will not be replaced due to the need for a cooling infrastructure for the atoms. 

Referring to Google’s announcement about its creation of a quantum computer, Kaku noted it was “premature” as while the computer was workable, it did not have any practical application for the consumer and it was compared with a modern super computer. “IBM said that because of that and not using such a fast super computer, their announcement was not such a big deal.”

However, he praised Google’s efforts, as he said that the tide has shifted, as people are no longer saying that this is a possibility for the future.

He also said that as the industrial age was powered by oil, the fourth and fifth wave will be powered by data. “Data will be the energy source of the future,” he claimed, “but data has to be processed. Oil has to go to refineries, in the same way data has to be raw, then processed. In the future, every aspect of human behavior, every aspect of human endeavor and every aspect of human enterprise will be reduced to data.”

However, this data can be hacked, and needs to be protected by encryption – and this can be broken with advanced quantum computing.

Kaku concluded by saying that all human activity will be digitized as data is wealth, and companies will want that information “and this means that data is vulnerable, and new ways to do encryption have to be devised.”

He also said that the arrival of quantum computing is not an immediate threat, but one for the coming years and decades so it is time to prepare and consider converting now. “Don’t do anything yet, but think about it and study the question” as it may take years for the conversion to take place.

He recommended four things you can do now:

  1. Increase the length of your keys, and you can make it more difficult for a quantum computer to crack things
  2. Consider symmetric, rather than asymmetric encryption, as symmetric gives you an extra layer of encryption
  3. Use increasingly complex trapdoor functions, such as lattice and elliptic curve technologies
  4. Use quantum cryptography, use quantum to fight quantum
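The first two recommendations can be put on a quantitative footing with two standard results from quantum algorithms; this is an added editorial note, not part of Kaku's talk. Grover's search finds an $n$-bit symmetric key in roughly the square root of the classical number of trials, whereas Shor's algorithm solves the factoring and discrete-logarithm problems underlying RSA and elliptic-curve keys in time polynomial in the key length:

$$
\text{classical exhaustive search: } 2^{n} \text{ trials} \qquad\qquad
\text{Grover: } \approx \frac{\pi}{4}\,2^{n/2} \text{ oracle evaluations}
$$

$$
\text{effective quantum security of an } n\text{-bit symmetric key} \approx \frac{n}{2} \text{ bits}
\quad\Longrightarrow\quad
\text{to retain 128-bit security, choose } n = 256.
$$

$$
\text{Shor on an RSA modulus } N:\ \ \tilde{O}\big((\log N)^{3}\big)
\quad\Longrightarrow\quad
\text{lengthening } N \text{ raises the cost only polynomially, not exponentially.}
$$

That asymmetry is why "increase the length of your keys" works for symmetric ciphers (AES-128 to AES-256 restores the margin) but does not rescue RSA or elliptic-curve keys of any practical size, and why the post-quantum effort concentrates on replacing the asymmetric primitives with lattice-based and similar schemes rather than on longer RSA or ECC keys.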

Source: Information Security Magazine