
Archive for February 2020

Medical Devices Intro Major BlueKeep Risk to Hospitals

Medical devices represent a major risk to healthcare organizations (HCOs), and are twice as likely as standard network devices to be vulnerable to BlueKeep, according to CyberMDX.

The security vendor’s 2020 Healthcare Security Vision Report claimed that a third (30%) of US HCOs have experienced a cyber-attack in the past 12 months.

Connected devices are an increasing source of risk, as many are left unpatched and unmanaged, the report claimed. For example, 55% of imaging devices run unpatched or outdated Windows versions that could leave them vulnerable to BlueKeep.

BlueKeep is a remote code execution (RCE) flaw in Windows Remote Desktop Services (RDS) that could enable an attacker to take complete control of a machine to spread malware or launch info-stealing attacks. It affects Windows XP through Windows 7 and Server 2003 through Server 2008 R2, and could spread without user interaction in a way similar to the EternalBlue exploit that enabled WannaCry to do so much damage to the NHS.

CyberMDX uncovered a range of security issues among HCOs, claiming that 11% don’t patch devices at all, and that a typical hospital will have patched only 40% or fewer vulnerable devices four months after a bug disclosure.

There’s more: a quarter (25%) don’t possess a full inventory of connected devices, while a further 13% admit theirs is unreliable. A third (34%) say they don’t identify, profile or continuously monitor medical devices and a further 21% do this manually, which is not sustainable given the explosion in such endpoints.

It’s perhaps no surprise that the average hospital has lost track of 30% of its devices, according to the report.

The challenges extend to staff cybersecurity training and awareness: 23% of respondents said they have no such program in place and 17% claimed they do but it hasn’t launched yet.

Over a third (36%) still lack a formal BYOD policy.

According to IBM’s latest Cost of a Data Breach report, HCOs suffered the highest cost of a breach – nearly $6.5m on average – for the ninth year in a row in 2019. CyberMDX also claimed that at least 10 hospitals had to turn away patients last year due to ransomware attacks.

Source: Information Security Magazine

US Gas Pipeline Shut After Ransomware Attack

A US natural gas facility was forced to shut down operations for two days after becoming infected with commodity ransomware, the Department of Homeland Security (DHS) has revealed.

The unnamed “natural gas compression” plant was first targeted with a spear-phishing email, allowing the attacker to access its IT and then pivot to its OT network, according to the technical alert from the DHS’s Cybersecurity and Infrastructure Security Agency (CISA).

The ransomware used was not named, but described as a “commodity” type designed to infect Windows systems, rather than the new strain spotted recently that had ICS-specific functions.

As such, it didn’t manage to impact any of the programmable logic controllers (PLCs) responsible for directly reading and manipulating physical processes. Still, the ransomware was able to compromise human-machine interfaces (HMIs), data historians and polling servers on the OT network.

The victim organization was ill-prepared for such an attack: a worrying sign that some critical infrastructure providers still haven’t evolved their threat modelling to take account of modern black hat techniques.

Specifically, the organization failed to implement robust segmentation between IT and OT networks, allowing the attacker to infect both. It also did not build cyber-risk into its emergency response plan, focusing solely on threats to physical safety.

“Consequently, emergency response exercises also failed to provide employees with decision-making experience in dealing with cyber-attacks,” the CISA alert noted.

“The victim cited gaps in cybersecurity knowledge and the wide range of possible scenarios as reasons for failing to adequately incorporate cybersecurity into emergency response planning.”

CISA urged critical infrastructure organizations to: add cyber-risk planning to their incident response strategies, practice failover to alternate control systems, use tabletop exercises to train employees, identify technical and human points of failure for operational visibility and recognize the safety implications of cyber-attacks, among other steps.

Among the physical security controls it recommended were network segmentation, multi-factor authentication, regular data backups, least privilege access policies, anti-phishing filters, AV, whitelisting, traffic filtering and regular patching.

Source: Information Security Magazine

AdSense Extortionists Threaten to Trigger Google Fraud Alarms

Security experts are warning of a new extortion email campaign threatening to bombard websites using AdSense with fake traffic, thereby triggering Google’s anti-fraud systems.

A website owner wrote to journalist and researcher Brian Krebs claiming to have received just such a threat. The extortionists demanded $5000 in Bitcoin, or else they would bombard the site with bot-driven traffic.

This in turn, they claimed, would set off alarm bells with Google and force the tech giant to suspend the web owner’s AdSense account, depriving him of valuable advertising revenue.

“Next an ad serving limit will be placed on your publisher account and all the revenue will be refunded to advertisers. This means that the main source of profit for your site will be temporarily suspended,” the email reportedly argued.

“It will take some time, usually a month, for the AdSense to lift your ad ban, but if this happens we will have all the resources needed to flood your site again with bad quality web traffic which will lead to a second AdSense ban that could be permanent.”

Google itself claimed such threats are rare, and in any case it has the tools to detect and prevent sabotage like this from succeeding.

It urged any web owners that have been the subject of such threats to fill in an online form, and/or to visit its help page on sabotage.

Jake Moore, cybersecurity specialist at ESET, urged users to treat these extortionists as they should ransomware authors, by refusing to engage.

“I would firmly advise people not to pay any extortionists as there is no guarantee that this will stop the traffic. If anything, these criminals will likely place your name on their suckers list, and possibly come back with higher payment demands,” he added.

“This should be reported to the police, and I suggest you do not communicate with these attackers.”  

Source: Information Security Magazine

Intentional Malicious Insider Breaches Increased Between 2019 and 2020

The concern about intentional data breaches has increased year-on-year, with 75% of IT leaders believing that employees have put data at risk intentionally.

According to research by Egress of 528 CSOs and IT leaders, 97% of respondents said “insider breach risk” is a significant concern. Of those surveyed, 78% said that employees have put data at risk accidentally, while 75% believed employees have put data at risk intentionally. This is a rise of 14% since last year’s research.

Chief marketing officer Tim Pickard said he was not surprised that 97% of CISOs and IT leaders would be concerned, and that too many companies are relying on employees to report breaches.

Egress CEO Tony Pepper added that the “severe penalties for data breaches mean IT leaders must action better risk management strategies, using advanced tools to prevent insider data breaches.”

Of those employees that have accidentally leaked data, 41% said it was due to a phishing message, 31% said that this was due to information being sent to the wrong recipient and 29% said that they or a colleague had intentionally shared data against company policy in the last year.

Looking at the causes of an intentional breach, 32% of those polled said that this was due to employees sharing data to personal systems, while 22% blamed employees leaking data to a contractor and 21% said that employees share data directly to cyber-criminals. Also, 18% said that employees take data to a new job, with only 4% saying that they “don’t have malicious insider breaches.”

Speaking to Infosecurity at the launch of the research, Pickard said that, from a point of view of intentionally leaking data, “there is a general awareness around the potential risks that exist from employees, and it doesn’t have to be malicious to be intentional, it could be misguided by someone trying to get their job done and putting data at risk.

“There are a number of elements at play, as none of us see the work environment getting any easier and there will be increased pressure at work for most people,” Pickard argued. “People have access to all sorts of technologies that IT leaders would rather they did not have, and cloud is a great thing, but it makes available some powerful technologies to people for a very small amount of money.”

Speaking to Infosecurity, Panaseer CEO Nik Whitfield cited the case of Sergey Aleynikov who was charged with stealing code from Goldman Sachs and giving it to his next employer. “There are different types of insider: some help themselves while some do it maliciously – but to them it is normal behavior,” he said. “Malicious insiders are also being placed by cyber-criminals and getting jobs in companies to steal information or to do corporate espionage.”

Source: Information Security Magazine

US Teen Arrested Over Alleged Swatting and Cyberstalking

A 19-year-old American man has been arrested for allegedly engaging in a six-year cybercrime wave that involved swatting, computer fraud, and the stalking of multiple victims, including a New York schoolgirl.

Tristan Rowe was arrested on February 12 after allegedly threatening to kill one victim and bomb their school. Cops say he sent multiple disturbing messages to the victim, including one depicting a knife accompanied by the words "you don't deserve to live."

Another chilling message allegedly sent by Rowe showed a detailed map from Tennessee to a victim's home address in the Bronx, New York. 

Rowe, who refers to himself as Angus, is alleged to have engaged in a persistent online stalking and harassment campaign against one particular victim. Police say he hacked online accounts belonging to the victim and to members of their family and even hacked into the computer systems of the victim's former high school to interfere with the grading system.

Tennessee resident Rowe is further accused of orchestrating multiple incidents of swatting, sending armed police to respond to false reports of an emergency at a victim's residence.  

One such incident, brought about by 19-year-old Ohio gamer Tyler Barriss, resulted in the death of Kansas father 28-year-old Andrew Finch, who was shot and killed by a member of the responding SWAT team in 2017. Rowe allegedly used this potentially fatal tactic not only to terrorize his intended victim, but also to stage swatting incidents at the homes of the victim's friends and family. 

In a message that demonstrated he was fully aware of the danger to life caused by swatting, Rowe allegedly told the victim, "Your choice u can wind up dead cause the armoured cops will come raid u."

Cops say that evidence obtained from Rowe's computer indicates that he conducted a number of computer intrusions of government and private-sector websites. They say Rowe was planning to compromise, or had already compromised, an inmate tracking website used by federal and local law enforcement, a police department website, the website of a hospital in New York, and a website for a state Department of Motor Vehicles. 

Rowe has been charged with one count of cyberstalking and one count of unauthorized access to a computer. He faces a ten-year custodial sentence if convicted on both counts.

Source: Information Security Magazine

Indian Arrested Over Sale of Illegal Drugs Disguised as Sex Aids on Dark Web

India has made its first arrest of an alleged dark web narcotics vendor. 

Recent Amity University graduate Dipu Singh was taken into custody in Alambagh, Lucknow, on February 9 by India’s Narcotics Control Bureau (NCB). The 21-year-old is accused of selling psychotropic drugs disguised as erectile dysfunction remedies on dark web marketplaces in exchange for cryptocurrency.

Singh, whom the NCB described as "a major player on the dark net," allegedly sold illegal drugs to clients in several European countries, including Romania and Spain, and to customers in the UK and the US. 

The illegal pills were mostly sold through dark web sites Majestic Garden and Empire Market, then shipped via global post offices and international courier services. The NCB suspects Singh also made sales via WhatsApp.

"Singh had mastered the technique to disguise the identity while making a shipment. It was learnt that the said parcel was devoid of KYC details," said deputy director general of operations at the NCB, Rajesh Nandan Srivastava.

In three seizures, NCB’s Mumbai Zonal Unit recovered 33,000 Tramadol and Zolpidem tablets, which they claim can be linked to Singh’s alleged drug dealing operation. Another 22,000 tablets were seized by the Delhi team.

A total of 55,000 psychotropic tablets, which include tramadol, zolpidem, and alprazolam, were seized as part of a two-month-long operation into Singh's alleged activities. 

Singh gained a bachelor’s degree in Hotel Management last year. To help fund his studies, Singh accepted a part-time job at a legitimate internet pharmacy in 2018. There he earned a commission from the sale of fitness supplements and erectile dysfunction medicines, but the NCB alleges that the then student was lured over to the dark side by the promise of more money.

An NCB spokesperson said Singh "further learnt that the major profit is in the sale of controlled psychotropic medicines."

Singh allegedly worked with an associate, who took orders for the drugs and shared details of where to deliver each package. After using couriers to collect the drugs from various cities in India, Singh is accused of sending them out to his customers packaged as erectile dysfunction medicine.

If convicted, Singh is likely to face a stiff sentence.

Source: Information Security Magazine

Dell in Talks to Sell RSA Cybersecurity Firm

Dell is said to be finalizing a $2bn deal to sell its RSA cybersecurity company to a private equity firm, according to the Wall Street Journal.

Citing sources “familiar with the matter,” the Journal reported Monday that a deal concerning the sale of RSA Security LLC could be finalized as early as today between Dell Technologies Inc. and STG Partners LLC.

Multiple award-winning security company RSA is best known for its software tokens, which generate random codes to enable access to corporate networks. According to its website, the firm has 30,000 customers around the globe. 

RSA Security was founded as an independent company in 1982 and was acquired by EMC Corporation in 2006 for $2.1bn. Dell acquired RSA a decade later with the purchase of EMC.

Reports that Dell was considering divesting the security company were first shared back in November 2019 by Bloomberg. Back then, RSA Security was expected to fetch at least $1bn, including debt.  

A month later, PE Hub reported that Morgan Stanley had been engaged by Dell to complete the sale of RSA in a deal estimated at the time to be worth $3bn.  

News of the possible finalization of the transaction comes one week before RSA's annual conference is due to take place in San Francisco. The conference hit the headlines last week when major sponsor IBM Corporation withdrew its support from the event, citing concerns over the spread of the coronavirus. 

If given the green light, the RSA deal will be the latest in a string of acquisitions of cybersecurity companies by private equity firms. In January, Insight Partners shelled out $5bn to acquire Swiss cloud data management company Veeam Software Inc and set aside a further $1.1bn in an agreement to acquire Armis Inc. 

Then, earlier this month, news broke that PE firm Advent International and Crosspoint Capital Partners would be acquiring Forescout Technologies Inc for $1.9bn.

Currently Dell has two different endpoint security products. The computer manufacturer bought a controlling stake in Secureworks in 2011 and through its acquisition of EMC, the company owns 81% of VMware, which last year bought Carbon Black for $2.1bn.

Source: Information Security Magazine

Two-Thirds of CISOs Struggling with Skills Shortages

Two-thirds (66%) of global CISOs say they are struggling to recruit the right talent and a similar number believe shortages will only get worse, according to a new study from Marlin Hawk.

The global executive recruiter surveyed 500 cybersecurity leaders working in businesses with 500 or more employees across the US, Europe and APAC, to compile its report, Global Snapshot: The CISO in 2020.

It found CISOs in APAC are encountering most difficulties with recruitment: 91% of respondents there said it was hard to find the right talent, versus 61% in the UK and 54% in the US. Globally, the main challenges revolved around candidates lacking the right technical knowledge (34%), the right experience (30%) and being the right culture fit (10%).

Although 73% of respondents are under 45 years old, there may be long-term trouble ahead for many companies. The average tenure as CISO is four years globally, and 85% of respondents said they are actively looking for a new role or would consider one if approached.

The report warned in particular of a “brain drain” from the public sector, where over a quarter of respondents are actively pursuing new roles. Over half (52%) said they wanted a new challenge whilst 37% pointed to better compensation.

A further 62% of CISOs think the global cybersecurity talent shortage will get worse over the next five years.

This chimes with data from other sources, including the (ISC)2, whose most recent study reported a global shortfall in security professionals in excess of four million. This included 561,000 in North America and a 2.6 million shortfall in APAC, while the shortage in Europe rose by over 100% from the previous year to 291,000.

Ron Green, CSO at Mastercard, argued that the right technology could help to alleviate skills challenges.  

“Machine learning and automation are going to be really helpful to current and future CISOs,” he said.

“Businesses are still going to need smart humans on security but already the humans that are in our security operations centers are being overwhelmed with things they have to monitor and you can't simply keep putting in more people because there aren't enough.”

Source: Information Security Magazine

Remote Wipe Plugin Bug Hits 200,000+ WordPress Sites

Security researchers are warning of a new plugin vulnerability which is exposing over 200,000 WordPress sites to the risk of being remotely wiped by an attacker.

The problem lies with versions 1.3.4 through 1.6.1 of the ThemeGrill Demo Importer plugin, according to WebARX.

The firm said that the bug could allow any unauthenticated user to wipe the entire database to its default state and then log in as administrator.

“The prerequisite is that there must be a theme installed and activated that was published by ThemeGrill. In order to be automatically logged in as an administrator, there must be a user called ‘admin’ in the database. Regardless of this condition, the database will still be wiped to its default state,” the firm explained.

“Based on the SVN commit history, this issue has existed in the code for roughly three years, since version 1.3.4.”

WebARX warned that the vulnerability is particularly dangerous as it doesn’t require a suspicious-looking payload to exploit. For that reason, firewalls are not likely to block attacks by default and security admins would need to create a special rule for them to do so.
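The gap WebARX describes is an authorization failure inside the plugin, which is why a perimeter rule has nothing distinctive to match on: the request that triggers the reset looks like any other page load. The following is an added illustration written for this page, not code from the ThemeGrill plugin or from WebARX; all hook, option, field and nonce names prefixed `hypothetical_` are assumptions. It shows the bug class (a destructive action hooked where anonymous visitors can reach it, with no identity, capability or nonce check) beside the form a plugin author should ship.

```php
<?php
/**
 * Constructed illustration of a "reset to defaults" handler in a WordPress
 * plugin. NOT the ThemeGrill plugin's code; every hypothetical_* name is made up.
 */

// ---------------------------------------------------------------------------
// Vulnerable pattern: a state-changing action driven by a request parameter on
// the 'init' hook, which fires for every visitor. Nothing verifies who is
// asking, so a plain GET to /?hypothetical_reset=1 from anyone wipes the site.
// The request carries no payload a WAF signature would flag.
// ---------------------------------------------------------------------------
function hypothetical_vulnerable_reset_handler() {
    if ( empty( $_GET['hypothetical_reset'] ) ) {
        return;
    }
    hypothetical_reset_site_to_defaults(); // destructive, reachable unauthenticated
}
add_action( 'init', 'hypothetical_vulnerable_reset_handler' );

// ---------------------------------------------------------------------------
// Hardened pattern: the same operation, gated in code rather than at the edge.
// ---------------------------------------------------------------------------
function hypothetical_hardened_reset_handler() {
    // 1. Reachable only through admin-post.php. The 'admin_post_' prefix fires
    //    for logged-in users only; anonymous requests go to 'admin_post_nopriv_',
    //    which this plugin deliberately never registers.
    // 2. A login is not enough: demand an administrator-level capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // 3. A nonce bound to this specific action defeats forged cross-site requests.
    check_admin_referer( 'hypothetical_reset_action', 'hypothetical_nonce' );
    // 4. Destructive work requires POST plus an explicit confirmation field,
    //    never a bare query-string flag.
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] || empty( $_POST['confirm_reset'] ) ) {
        wp_die( 'Reset must be confirmed via POST.', 400 );
    }
    hypothetical_reset_site_to_defaults();
    wp_safe_redirect( admin_url( 'themes.php?hypothetical_reset=done' ) );
    exit;
}
add_action( 'admin_post_hypothetical_reset', 'hypothetical_hardened_reset_handler' );

// The reset itself: remove content the importer created (tracked by a meta key
// it set at import time) and its own option. Real importers reset more, but
// the authorization gate above is what this example is about.
function hypothetical_reset_site_to_defaults() {
    $demo_ids = get_posts( array(
        'post_type'   => 'any',
        'post_status' => 'any',
        'numberposts' => -1,
        'fields'      => 'ids',
        'meta_key'    => '_hypothetical_demo_imported',
    ) );
    foreach ( $demo_ids as $id ) {
        wp_delete_post( $id, true ); // true = bypass trash
    }
    delete_option( 'hypothetical_demo_imported' );
    // Note: never set an auth cookie (wp_set_auth_cookie) from request data here;
    // the handler must act as the already-authenticated admin, not create one.
}

// Admin UI that drives the hardened handler: a POST form carrying the nonce.
function hypothetical_render_reset_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="hypothetical_reset">
        <?php wp_nonce_field( 'hypothetical_reset_action', 'hypothetical_nonce' ); ?>
        <label>
            <input type="checkbox" name="confirm_reset" value="1">
            I understand this removes all imported demo content
        </label>
        <?php submit_button( 'Reset demo content', 'delete' ); ?>
    </form>
    <?php
}
```

The point for a reviewer or site owner is that the fix belongs in the handler: capability check, nonce, POST-only, explicit confirmation. A firewall rule can be layered on top, but because the vulnerable request is indistinguishable from a benign one, it is a stopgap rather than the control.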

ThemeGrill is a popular provider of WordPress themes which users can deploy to customize their websites. The plugin in question can be used to demo content, widgets and theme settings quickly and easily.

The vulnerability is the second in the space of a month which could allow attackers to effectively wipe targeted WordPress sites.

Back in January, Wordfence warned of critical flaw CVE-2020-7048 which affects the WP Database Reset plugin that has been installed over 80,000 times.

“Without proper security controls in place, the WP Database Reset plugin contained a serious flaw that allowed any unauthenticated user the ability to reset any table in the database,” the firm explained. “This reset would result in a complete loss of data availability. An attacker could send a simple request and a site would be completely reset to the WordPress standard defaults.”

Source: Information Security Magazine

Iranian Hackers Backdoored VPNs Via One-Day Bugs

Security researchers have joined the dots on a long-running Iranian cyber-espionage campaign that targeted unpatched bugs in VPN and RDP to infiltrate target organizations globally.

Building on previous research from Dragos, which named the campaign “Parasite” and attributed it to the state-backed APT33 group, ClearSky has gone further with more details.

Its new report claimed the three-year-long campaign “Fox Kitten” is most likely the product of APT33 (Elfin), APT34 (OilRig) and APT39 (Chafer).

Dozens of companies working across IT, telecoms, oil and gas, aviation and defense industries were affected by the campaign, which is said to have been focused on reconnaissance and planting backdoors to create a “long-lasting foothold” in the target companies.

The initial incursion into these organizations was achieved by exploiting one-day vulnerabilities in VPN services, such as those offered by Pulse Secure, Fortinet and Palo Alto Networks’ GlobalProtect.

The Pulse Secure vulnerability is also thought to have been exploited by ransomware attackers to compromise Travelex, among other victims.

“Upon gaining a foothold at the target, the attackers tried to maintain the access to the networks by opening a variety of communication tools, including opening RDP links over SSH tunneling, in order to camouflage and encrypt the communication with the targets,” the report noted.

“At the final stage, after successfully infiltrating the organization, the attackers have performed a routine process of identification, examination and filtering of sensitive, valuable information from every targeted organization. The valuable information was sent back to the attackers for reconnaissance, espionage, or further infection of connected networks.”

The groups used a combination of open source tools such as Juicy Potato and Invoke-TheHash, and custom malware like the open-port mapping tool STSRCheck and the RDP-over-SSH tunneling backdoor POWSSHNET.

Although the purpose of the operation appears to be reconnaissance, there’s a concern that the same attack infrastructure could be used in the future to spread destructive malware like ZeroCleare and Dustman, which have previously been linked to APT34.

Source: Information Security Magazine