Intelligent Connections. Powerful Impact.
Call Us: 415-510-2973

Archive for the News Category

Nation-States Have Right to Hack Back, Survey Says

Nation-States Have Right to Hack Back, Survey Says

Security professionals who attended RSA 2019 believe that the world is in the midst of cyber-war, according to a survey conducted by Venafi.

While 87% of the 517 IT security professionals surveyed believe that cyber-war is a current reality rather than a future threat, 72% of respondents said that nation-states should be able to "hack back" when their infrastructure are targeted by cyber-criminals.

The Venafi survey sought feedback from IT professionals on the Active Cyber Defense Certainty (ACDC) Act, which was introduced in October 2018, while keeping in mind the current prohibition on retaliatory cyber-defense methods established in the Computer Fraud and Abuse Act.

““We’re always interested in the intersection of regulation (often by politicians that don’t appear to have a basic understanding of security) and security imperatives (as perceived by the people in the trenches)," said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi.

"We’ve been seeing more stories on hacking back and thought it would be interesting to understand if most security pros really think their organization should be able to do this. We felt this was particularly interesting in light of the controversy surrounding ACDC, and the mixed results that are likely to result for offensive hacking.” 

"Cyber-war" as a term, though, is often used too loosely, according to Alex Hamerstone, GRC practice lead at TrustedSec. “War has a specific definition that involves a declaration. People often conflate offensive operations with war when they don’t really cross that line. However, infrastructure is different. Infrastructure is 100% a red line that you cannot cross without expectations of a significant response.

“I’m a bit surprised that only 72% say nations should be able to hack back. I think it’s a given that a country has the right to defend itself when it’s under attack. An attack on infrastructure can easily cross the line from digital to kinetic, putting human lives at risk both directly and indirectly."

Because the potential impact on critical services like power, transportation and healthcare are so enormous, security needs to plan for both robust deterrence and response. "The capacity of the response is the primary deterrence. There is a lot of gray area and complexity here which a nation has to consider when deciding how robustly to respond. It’s easy for a situation to escalate beyond what is necessary. That said, nations should have the ability to 'hack back' to the fullest extent needed in order to defend their infrastructure and assets,” Hamerstone said.

Private entities, though, are not the same as nation-states, a point on which Hamerstone and Jeff Bardin, chief intelligence officer of Treadstone 71, agreed. “I have been in favor of active defense since at least 2010. There should be some sort of capability to strike back at attackers with a viable and capable force,” said Bardin.

“Many organizations are not capable of doing so, nor do they wish to take the risk. I see third-party mercenary-type organizations that would take this onto their 'paid' plates to accept the risk and execute a proportional attack. You cannot win at cybersecurity if all you do is defensive. You can never win a football game if all you do is play defense. Never win a basketball game if the other team is always on offense. You lose by definition.”

Source: Information Security Magazine

FIN7 Still Active Despite Arrests

FIN7 Still Active Despite Arrests

Researchers have discovered the advanced persistent threat group (APT) FIN7 is using a new attack panel in campaigns that Flashpoint analysts have called Astra.

Despite alleged members of the group being charged with 26 felony counts in August 2018, analysts have found previously unseen malware samples, which are reportedly written in PHP and function as a script-management system. In addition, the new administrative panel, believed to be linked to the group, also has ties to Carbanak.

The group's activity dates back to at least 2015, when FIN7 targeted over 100 companies across the US, Europe and Australia, predominantly those within the hospitality, restaurant, and gaming industries. According to the US Department of Justice (DoJ), suspected members of FIN7 were arrested between January and August 2018.

According to today’s blog post, attackers access targeted machines using phishing emails with malicious attachments. “The emails are often industry-specific and crafted to entice a victim to open the message and execute the attached document,” wrote Joshua Platt and Jason Reaves.

The previously unseen malware that drops files and executes SQL scripts on the host system has been called an SQLRat, which unlike traditional malware leaves no evidence behind, analysts said. The SQLRat campaign is, however, similar to traditional phishing campaigns in that it typically involves a lure document. In the cases analyzed, the documents requested the user “Unlock Protected Content.”

“Once they are deleted by the attackers’ code, there is nothing left to be forensically recovered. This technique has not been observed in previous campaigns associated with Fin7. The second new malware sample discovered is a multi-protocol backdoor called DNSbot, which is used to exchange commands and push data to and from compromised machines.

“The campaigns maintain persistence on machines by creating two daily scheduled task entries. The code, meanwhile, is still controlled by the Fin7 actors and may be leveraged in future attacks by the group.”

In addition to sharing the indicators of compromise (IoCs) and recommending the security teams look for newly added Windows tasks, Flashpoint also advised monitoring for attempts to delete the Microsoft update service.

Source: Information Security Magazine

Attacks Target AmEx, NetFlix Users with Phishing

Attacks Target AmEx, NetFlix Users with Phishing

Windows Defender Security Intel has reported two major phishing attacks targeting American Express and NetFlix.

The Office 365 research teams discovered the attacks, which reportedly emerged over the weekend, hitting unsuspecting customers with well-crafted phishing campaigns that attempt to steal credit card information. According to a tweet from Windows Defender Security, “Machine learning and detonation-based protections in Office 365 ATP protect customers in both campaigns.”

Additional tweets warned, "The Netflix campaign lures recipients into giving away credit card and SSN info using with a 'Your account is on hold' email and a well-crafted payment form attached to the email."

Phishing emails such as these are not only easy to craft but also easy to deploy. When aimed at unsuspecting users, they are highly successful. “They are designed to make us afraid that if we don’t click on that link or open that attachment something bad will happen,” said Colin Little, senior threat analyst, Centripetal Networks.

Cyber-criminals continue to employ the social engineering tactics of brevity and urgency, understanding that threatening user accounts or suggesting something may be amiss will evoke action.

In addition to the many places in the phishing kill chain that can keep these malicious emails away from users, Little said, “a security awareness program that trains users on how and why to identify phishing emails is both essential and fundamental. If our users are the broadest attack surface, their preparation for this attack is our best defense.”

When in doubt about whether an email is legitimate or not, an additional safety precaution is to address the potential issue in a separate dialogue. “Start a new email chain (such as to the Netflix help desk, in this example) using an address you obtain from the site,” Little said.

“Address the inquiry in a different media, such as calling their vendor support line. Or the recipient can open the applicable app (if one's available) on their smartphones and check their credit or account status.”

Source: Information Security Magazine

BEC Gift Card Scams Go Mobile

BEC Gift Card Scams Go Mobile

Cyber-criminals are evolving their tactics with Business Email Compromise (BEC) attacks by transferring victims from email over to mobile communications channels early on in a scam, according to Agari.

Researcher James Linton described how such an attack typically takes place, with the initial spoofed CEO email containing a request for the recipient’s mobile phone number.

“By moving them over to their cell phone, the scammer is equipping their victim with all the functionality needed to complete the task that is to be given to them,” he explained.

“A mobile device offers instant and direct messaging, the ability (in most cases) to still access email, the ability to take pictures with the phone’s camera, and far greater portability than a laptop, which all increases the chances that the scammer will be successful in achieving their desired outcome once a victim is on the hook.”

If the victim hands over their number, the BEC scammer knows they have a great chance of success. In fact, the extra complexity of moving across two different comms channels may even add extra credibility to the scam, Linton claimed.

The instantaneous communication of mobile-based SMS or IM also makes it less likely that the victim will stop and think about what’s happening.

Temporary numbers can be relatively easily set up for the purpose, and can even be managed from a single desktop environment, making things easier for the scammer.

Linton explained how BEC scammers could use this tactic to trick workers into buying a set of gift cards on their behalf, scratching off the back and taking a photo of the redemption codes with the phone’s camera.

These are then swiftly laundered through online platforms, he added.

The best way of mitigating this new tactic is to check the domain on an incoming email for any red flags.

“If the email address checks out and a number is supplied, insist on a brief call before making purchases on behalf of someone else,” Linton concluded.

“As a final safety net, share concerns with a colleague or friend, especially if pressure is increased in unusual ways. As always, it’s better to be safe than sorry when dealing with these types of emails.”

Source: Information Security Magazine

Kaspersky Lab Files Antitrust Case Against Apple

Kaspersky Lab Files Antitrust Case Against Apple

Kaspersky Lab has filed an antitrust complaint against Apple in Russia, arguing that the tech giant forced it to remove two key features from one of its apps just as Apple’s released similar functionality.

The issue boils down to Kaspersky Lab’s use of configuration profiles in its Kaspersky Safe Kids app.

Removing this according to Apple’s demands would have meant disabling two “essential” features, app control and Safari browser blocking, the AV vendor claimed.

“The change in Apple’s policy toward our app (as well as toward every other developer of parental control software), notably came on the heels of the Cupertino-based company announcing its own Screen Time feature as part of iOS 12,” it continued.

“This feature allows users to monitor the amount of time they spend using certain apps or on certain websites, and set time restrictions. It is essentially Apple’s own app for parental control.”

This effectively means Apple is abusing its position as platform owner and supervisor for the only official iOS store, Kaspersky Lab argued.

“By setting its own rules for that channel, it extends its power in the market over other, adjacent markets: for example, the parental control software market, where it has only just become a player,” the firm concluded.

“It is precisely in this extension of its leverage through possession of so-called ‘key capacity’ over other segments, leading to restriction and elimination of competition, that we see the essential elements of antitrust law violation, which consist of erecting barriers and discriminating against our software.”

Kaspersky Lab claimed to have repeatedly tried to open dialog with the Cupertino giant, but “no meaningful negotiations have ensued.”

The move comes after Spotify filed a similar complaint against Apple in the EU, which the US firm replied to here.

Source: Information Security Magazine

US Orgs Not Ready to Comply with CCPA

US Orgs Not Ready to Comply with CCPA

Protecting consumer privacy has become a top priority for legislators as candidates launch their 2020 campaigns and try to win over voters. According to research findings revealed in the new CCPA and GDPR Compliance Report, however, US companies haven't made privacy regulations a top priority.

The online survey, conducted by TrustArc, reflects responses from 250 IT professionals who represent a wide spectrum of industries and company sizes. Of all the participating organizations, half were impacted by both General Data Protection Regulations (GDPR) and California Consumer Privacy Act (CCPA), while half were impacted only by CCPA. The report found that 88% of companies need help complying with California’s new privacy regulations.

According to the findings, only 14% of companies are currently compliant with CCPA, despite its deadline being less than 10 months away. Additionally, survey results revealed that 84% of respondents have started the CCPA compliance process, though only 56% have moved forward to the implementation stage.

Even though fewer than half (44%) have not yet started the implementation process, 64% of companies said they need help developing their CCPA privacy plan. However, compliance readiness varied depending on whether companies have already worked on GDPR compliance.

Responses from those companies that were not impacted by GDPR showed that 79% will need to spend more than six figures to comply with CCPA, while only 61% of companies that have worked on GDPR compliance will need to spend as much.

“At TrustArc, we’ve seen a significant increase in the number of customers coming to us for support to comply with CCPA,” said CEO Chris Babel. “Companies that took the steps to comply with GDPR are already ahead of the game and will have an easier path to meet the requirements of CCPA. The companies that did not work on GDPR compliance will be under the gun to implement scalable compliance processes by the January 1, 2020, deadline.”

Source: Information Security Magazine

Consumers Donate Data with Recycled Electronics

Consumers Donate Data with Recycled Electronics

With the rapid turnover of technology, many consumers willingly trade in, sell or donate their old electronics, often times without ensuring that all of their data has been wiped clean, according to new findings from Rapid7.

In a recent experiment conducted by Rapid7’s Josh Frantz, nearly every device he analyzed contained some form of personally identifiable information (PII) left over from its previous owner. Over the span of six months, Frantz looked at a collection of recycled consumer electronics, including laptops, smartphones and external drives. Even though many thrift shops claimed to wipe devices before reselling them, the devices contained such information as passwords, social security numbers and banking information.

In total, Frantz found 41 social security numbers, 19 credit card numbers and two passport numbers among a trove of additional PII. Additionally, he extracted 147,000 emails and 214,000 images. “I used pyocr to try to identify Social Security numbers, dates of birth, credit card numbers, and phone numbers on images and PDFs. I then used PowerShell to go through all documents, emails, and text files for the same information. You can find the regular expressions I used to identify the personal information here,” Frantz wrote in today’s report.

According to the findings from Frantz’s months-long experiment, not only are the thrift shops not holding up their end of the bargain, but consumers are also turning in devices without wiping them clean, an obvious recipe for disaster. Of the 85 devices analyzed, only two of them were properly erased and a mere three were encrypted.

Given the ease with which these types of data can be accessed and sold, Frantz found that the value of the data itself has dropped to less than $1 per record on the dark web.

“Realistically, unless you physically destroy a device, forensic experts can potentially extract data from it. If you’re worried about potential data exfiltration, it’s best to err on the side of caution and destroy it. However, wiping your device is usually enough, and can be a very easy and relatively painless process,” Frantz said.

Source: Information Security Magazine

Apple, Microsoft Top Orgs Used in Spear Phishing

Apple, Microsoft Top Orgs Used in Spear Phishing

As spear-phishing tactics continue to evolve, attackers are using these threats with greater frequency and severity, making spear-phishing attacks the top threat vector for many organizations, according to a new report from Barracuda Networks.

Despite increased awareness of the types of threats they face, companies continue to fall victim to spear-phishing campaigns because attacks are becoming more tailored, with malicious actors leveraging social engineering tactics such as urgency and brevity, the report found.

The email threat report analyzed 350,000 spear-phishing emails and discovered that brand impersonation schemes – most notably Apple or Microsoft – account for 83% of spear-phishing attacks. “These types of spear-phishing attacks, designed to impersonate well-known companies and commonly-used business applications, are by far the most popular because they are well designed as an entry point to harvest credentials and carry out account takeover. Brand impersonation attacks are also used to steal personally-identifiable information, such as credit card and Social Security numbers.”

Attackers often exploit zero-day vulnerabilities in brand-impersonation attacks, which makes it easier to bypass traditional email security because they come from reputable senders and are typically hosted on domains that weren’t previously used as part of any malicious attack, the report said.

The attacks are not randomly deployed, as the report found that cyber-criminals carefully time their attacks, with one in five emails delivered on Tuesday. In addition, cyber-criminals also take advantage of the holiday season, knowing that there is a greater likelihood of security weaknesses.

The report found that the week before Christmas saw a 150% spike in spear-phishing attacks.

“Spear phishing attacks are designed to evade traditional email security solutions, and the threat is constantly evolving as attackers find new ways to avoid detection and trick users,” said Asaf Cidon, VP, content security at Barracuda Networks, in a press release. “Staying ahead of these types of attacks requires the right combination of technology and user training, so it’s critical to have a solution in place that detects and protects against spear-phishing attacks, including business email compromise, brand impersonation, and sextortion.”

Barracuda will discuss findings from this research in the Infosecurity Magazine Online Summit keynote, next Tuesday, 2:30–3:00 pm GMT. Register to attend at https://www.infosecurity-magazine.com/online-summits/online-summit-emea-2019-1-1-1-1-1/.

Source: Information Security Magazine

Half of Global Firms Concerned Over Security Skills Gaps

Half of Global Firms Concerned Over Security Skills Gaps

Nearly half (49%) of global organizations feel more exposed to security breaches because of skills shortages, according to a new Trend Micro study.

The vendor polled 1125 IT decision makers around the world and found that nearly two-thirds (64%) have experienced an increase in attacks over the past year.

The uptick in threats is coming at a bad time, as estimates put the global shortfall of cybersecurity professionals at nearly three million today.

However, AI-based tools could offer new opportunities.

Some 69% of those polled agreed that automating cybersecurity through Artificial Intelligence (AI) could reduce the impact of skills shortages, and a further 63% said they’re actively planning to use such tools.

Trend Micro cybersecurity architect, Ian Heritage, argued that the CISO’s role has never been harder, driving up demand for automated and hosted solutions.

“Protecting the enterprise from cyber-threats is like a game of whack-a-mole,” he added. “Not only do IT and security teams have to maintain constant vigilance of their cyber-defenses, they also have to communicate these risks to business leaders to ensure sufficient budgets, and don their HR hats to recruit the necessary skill sets.”

However, AI is certainly not a silver bullet. A report from 2018 argued that even automated machine learning tools require significant input from skilled practitioners: first to train them what is normal versus unusual activity, and then to interpret the output.

Over half of the IT and security professionals polled (56%) said they believe machines can’t be trained to do tasks performed by humans, while a similar number claimed that security teams are better equipped to catch threats in real time.

Source: Information Security Magazine

Aluminium Giant Norsk Hydro Suffers Major Cyber-Attack

Aluminium Giant Norsk Hydro Suffers Major Cyber-Attack

One of the world’s biggest aluminium producers has been hit by a major cyber-attack affecting production systems, according to reports.

Norwegian firm, Norsk Hydro, said it had called in national security authorities to help repel the attack, which appears to have started overnight local time.

“IT systems in most business areas are impacted and Hydro is switching to manual operations as far as possible,” it said in a reported statement. “Hydro is working to contain and neutralize the attack, but does not yet know the full extent of the situation.”

It’s claimed that the attack has affected operations across Europe and the US, with some — such as its extrusion plants — being forced to temporarily shut down.

The disruption comes at a bad time for the aluminium giant, which is struggling to get approval to fully restart its Alunorte plant in Brazil after admitting leaking untreated water during heavy rains there.

It’s unclear at this early stage exactly what kind of cyber-threat the firm is tackling, although its main website was down at the time of writing. It could be a ransomware attack, and/or something designed to tie up IT security staff while sensitive data is stolen.

Company spokesman Halvor Molland has told local reporters that the attacks are “of a magnitude we haven’t seen before” and cover “several areas of our organization.”

Suspicious activity on servers overnight initially tipped off IT workers that something was wrong, but the threat seems to have spread quickly to other parts of the business.

The firm has 35,000 employees and operates in 40 countries around the world.

Back in 2016, German steel giant ThyssenKrupp said it was the victim of a major cyber-attack designed “to steal technological know-how and research” from its steel production and manufacturing plant design divisions.

Source: Information Security Magazine