
Archive for the News Category

Russian Pleads Guilty to Running Online Criminal Marketplace

A Russian man has pleaded guilty to running an illegal online marketplace that sold stolen payment card credentials to criminals, who used them to make over $20m in fraudulent purchases.

Before a United States court, Aleksei Burkov admitted operating the Cardplanet website, which sold card data acquired through illegal computer intrusions. Many of the cards offered for sale belonged to United States citizens, with the result that over $20m in fraudulent purchases were made on American credit cards. 

According to the Associated Press, prosecutors said Burkov offered a money-back guarantee to his customers if a stolen card number no longer worked.

The 29-year-old also pleaded guilty to running a second website that served as an invite-only club where elite cyber-criminals could advertise stolen goods and criminal services.

Items for sale on the site included personal identifying information, malicious software, and money laundering and hacking services. 

"To obtain membership in Burkov’s cybercrime forum, prospective members needed three existing members to 'vouch' for their good reputation among cybercriminals and to provide a sum of money, normally $5,000, as insurance," said the Eastern District of Virginia US Attorney's Office.

"These measures were designed to keep law enforcement from accessing Burkov’s cybercrime forum and to ensure that members of the forum honored any deals made while conducting business on the forum."

Burkov was arrested at Ben-Gurion Airport near Tel Aviv in December 2015, and in 2017, an Israeli district court approved his extradition to the United States. Burkov was finally extradited to the United States from Israel on November 11, 2019, after appeals to the Israeli Supreme Court and the Israeli High Court of Justice were denied.

In front of Senior US District Judge T.S. Ellis, III, Burkov pleaded guilty to access device fraud and conspiracy to commit computer intrusion, identity theft, wire and access device fraud, and money laundering. 

Burkov faces a maximum sentence of fifteen years in prison when sentenced on May 8.

Russian officials objected to Burkov's extradition from Israel. According to the Associated Press, Israeli officials have suggested Russia sought Burkov’s release by offering an exchange for Naama Issachar, a 26-year-old Israeli woman who received a seven-year prison sentence in Moscow for drug-related charges.

Source: Information Security Magazine

US Issues Cybersecurity Warnings Over Flawed Medical Devices

Warnings have been issued in the United States after cybersecurity flaws were detected in medical monitoring devices manufactured by GE Healthcare Systems (GEHC). 

Safety notices were published yesterday by both the US Food and Drug Administration (FDA) and the US Department of Homeland Security's Industrial Control Systems—Cyber Emergency Response Team (ICS-CERT) regarding vulnerabilities in certain clinical information central stations and telemetry servers.

Exploitable flaws in the ApexPro and CARESCAPE telemetry servers, in version 1 of the CARESCAPE Central Station, and in CIC Pro Clinical Information Center Central Station version 1 were discovered by CyberMDX.

The flawed devices are used mostly in health care facilities for displaying information regarding the physiologic parameters of a patient, such as heartbeat and blood pressure. They are also used to monitor the status of a patient from a central location in a facility, such as a nurse’s workstation.

The FDA said the vulnerabilities "may allow an attacker to remotely take control of the medical device and to silence alarms, generate false alarms and interfere with alarms of patient monitors connected to these devices."

ICS-CERT said that an attacker could use the flaws to obtain protected health information (PHI) data and to make the device unusable. 

In a statement published yesterday, GEHC said: "In the instructions provided with the devices, GEHC requires that the MC and IX networks are properly configured and isolated from other hospital networks. If those instructions are not followed, a vulnerable situation can exist where an attacker could gain access to the MC and IX networks via the hospital network."

GEHC has published instructions for risk mitigation along with instructions on where to find software updates or patches when they become available.

The FDA said yesterday that it was "not aware of any adverse events related to this vulnerability," while also saying that such incidents may be extremely hard to detect. 

"These vulnerabilities might allow an attack to happen undetected and without user interaction. Because an attack may be interpreted by the affected device as normal network communications, it may remain invisible to existing security measures," said the FDA.

In a statement published yesterday, GE Healthcare said: "There have been no reported incidences of a cyber-attack in a clinical use or any reported injuries associated with any of these vulnerabilities."

In July 2019, ICS-CERT issued a warning after vulnerabilities were detected in GE anesthesia and respiratory devices, GE Aestiva and GE Aespire (models 7100 and 7900).

Source: Information Security Magazine

London Police Adopt Facial Recognition Technology as Europe Considers Five-Year Ban

London's Metropolitan Police Service has announced that it will start using live facial recognition (LFR) technology to scan public areas for suspected criminals. 

After trialing the technology for two years, the Met has said that it will have cameras up and running within a month. The cameras will be linked to a database containing images of suspects. In the event that a suspect is identified by the camera, an alert will be generated.

According to senior technologist with the Met, Johanna Morley, the facial recognition technology has an accuracy rate of 70%. Morley said false identifications were made by the cameras one in a thousand times. 

Nick Ephgrave, an assistant commissioner, said: "As a modern police force, I believe that we have a duty to use new technologies to keep people safe in London. Independent research has shown that the public support us in this regard."

Civil liberties groups have described the planned introduction of the technology as "a breathtaking assault on our rights."

The Met said the cameras will only be deployed after consultation with local communities. Active cameras will be displayed overtly, leaving the public in no doubt that they are being watched as they go about their daily lives. 

Commenting on the Met's decision to introduce LFR, the director of Big Brother Watch, Silkie Carlo, said: "It flies in the face of the independent review showing the Met’s use of facial recognition was likely unlawful, risked harming public rights and was 81% inaccurate."

A spokesperson for the campaign group Liberty said: "This is a dangerous, oppressive and completely unjustified move by the Met. Facial recognition technology gives the state unprecedented power to track and monitor any one of us, destroying our privacy and our free expression."

In September 2019, Cardiff's high court ruled that police use of automatic facial recognition technology to search for people in crowds is lawful. The technology is currently being used by South Wales police.

The Met is the biggest force in the UK, with jurisdiction over London and Greater London, with the exception of the City of London, which has its own territorial police force.

News of the Met's decision comes a week after the European Commission revealed it is considering a ban on the use of facial recognition in public areas for up to five years while regulators try to work out a way to prevent the technology from being abused.

Source: Information Security Magazine

#BSidesLeeds: Credential Stuffing Often Seen as “Volume” Cybercrime

Speaking at BSides Leeds, security researcher Darren Martyn explored the issue of credential stuffing, calling it an “exploding problem on the internet” and the “cyber-equivalent of volume crime.”

Saying that credential stuffing is “aided by data leaks,” Martyn argued that nothing much has been done about it “as it is not cool like ransomware, but the problem exists, and it affects everyone.”

The problem is further enhanced by tools created to make credential stuffing much easier, and by tools which are sold purely “to engage in post-compromise monetization strategies.” He said that as little as $10 can get you dumps of passwords obtained through “low level hacking,” and most of the tools are “idiot proof.”

He added that “kids revolutionized testing while we were writing Python scripts, and the kids write things that actually work.” As well as low level hacking efforts, you can build tools to do searches for data sets for you, and in his research he had stumbled across hundreds of accounts

In terms of how this makes money, he said that he had “cosplayed as a cyber-criminal” to find more information, and said that there is a “fantastic secondary market for logins” as people can add cash to gift cards using stored credit cards, or in video games where you can pay for in-game items.

Martyn said that despite the scale of the problem, “no-one cares as it affects the consumer who cannot pay for pen testing” and they are left out of pocket, “while the criminals laugh all the way to the bank.”

In terms of protection, he recommended consumers use a password manager and two-factor authentication to better protect their details and logins, while businesses should look to make automated login testing hard, but there were problems with rate limiting, temporary IP blocks and captchas as they can be bypassed.

Asked by Infosecurity what a good first step would be to better prevent credential stuffing attacks, Martyn said that, if you are a company, start by trying to make it expensive for the attacker.

“Rate limiting, temporary IP blocks and captchas don’t prevent, they just slow down,” he said, “but actually put in logging as you will know straight away when you are getting lit up by some script kiddie with Sentry, and your application logs start showing 'gajillions' of logins. See if your API is being brute forced, as no one really checks.”

Source: Information Security Magazine

#BSidesLeeds: Cyber is Running the World, More Innovation to Come

#BSidesLeeds: Cyber is Running the World, More Innovation to Come

In the opening keynote at BSides Leeds, head of cybersecurity research Daniel Cuthbert said that we are “in the best industry in the world” and, having spent 27 years in cybersecurity, he has seen that it is the “misfits and weirdos who are doing amazing things.”

Cuthbert said that we are “going through interesting times” in what we are calling the 'fourth industrial revolution,' “and it is good as it is about cyber” and there has been a fundamental change in how we relate and talk.

Pointing to the 1984 film Revenge of the Nerds, he explained that if you look at the most powerful people in the world, they are people like Elon Musk and Mark Zuckerberg, and “people in technology impact how we work.”

Cuthbert also pointed out that law makers and politicians are getting more involved in cybersecurity issues: where once 'Spot the Fed' was played at DEFCON, with federal agents distinguishable by their smart-casual clothing, eventually “they saw the need to get people like us back in the fold.”

This was made further evident by the likes of San Bernardino district attorney Michael Ramos using the term “lying dormant cyber-pathogen” after the shooting and the locked iPhone debate, and Cuthbert also pointed to the FBI now having a dedicated page for cyber-criminals, which was mostly made up of foreign nationals.

“Don’t stop what you’re doing; we do amazing stuff and people watch what we do,” he said.

Source: Information Security Magazine

European Energy Firm Targeted by RAT Linked to Iran

European Energy Firm Targeted by RAT Linked to Iran

Security researchers have discovered a new cyber-espionage operation with links to Iranian state hacking groups targeting a major European energy organization.

Recorded Future’s Insikt Group detected command-and-control (C&C) communications between a C&C server and the victim organization, from late November 2019 until at least January 5 2020.

The C&C server is associated with PupyRAT, an open source, post-exploitation remote access Trojan (RAT) used in the past by multiple Iranian threat actor groups such as APT33 and Cobalt Gypsy.

“While metadata alone does not confirm a compromise, we assess that the high volume and repeated communications from the targeted mail server to a PupyRAT C2 are sufficient to indicate a likely intrusion,” the security vendor wrote.

“Whoever the attacker is, the targeting of a mail server at a high-value critical infrastructure organization could give an adversary access to sensitive information on energy allocation and resourcing in Europe.”

Recorded Future emphasized that the activity pre-dates the current escalation in tensions between the West and Tehran, following the US assassination of a leading Iranian general and the downing of a civilian aircraft by Iranian soldiers.

Security experts have warned that the stand-off could lead to a new wave of Iranian attempts to compromise and disrupt critical infrastructure in the US and elsewhere.

In fact, as Recorded Future argued, Iranian state hackers have been “amassing operational network infrastructure throughout 2019,” and shifted their focus from IT networks to physical control systems in utilities, manufacturing facilities and oil refineries.

The firm urged organizations to take a defence-in-depth approach to guard against RATs like PupyRAT.

This includes implementing multi-factor authentication and/or using a password manager to store unique, strong credentials, monitoring for sequential login attempts from the same IP against different accounts, and analyzing and cross-referencing log data.
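As an added example (not code from Infosecurity Magazine, Recorded Future, or the BSides Leeds speaker), the detector below implements the monitoring recommended here and in the credential-stuffing write-up above ("see if your API is being brute forced"): it reads application auth log lines in an assumed format and flags source IPs whose failed logins span many distinct accounts within a short window, which is the stuffing pattern rather than one user mistyping a password. The log format, thresholds and sample data are assumptions constructed for the example.

```python
"""Credential-stuffing detector over application auth logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Assumed log format: "<ISO timestamp> ip=<addr> user=<name> result=<ok|fail>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse_line(line):
    """Parse one auth log line; return None for lines that are not auth events."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "ip": m["ip"],
            "user": m["user"], "ok": m["result"] == "ok"}


def find_stuffing_sources(lines, window=timedelta(minutes=5),
                          min_failures=20, min_distinct_users=10):
    """Return {ip: summary} for IPs whose densest failure window meets BOTH
    thresholds. Brute force on one account is many failures but one user;
    credential stuffing is roughly one failure per account across many
    accounts, so the distinct-user threshold is what separates the two."""
    events = sorted((e for e in map(parse_line, lines) if e),
                    key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if not e["ok"]]
        best, start = [], 0
        for end in range(len(fails)):  # sliding window over failures
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            if end - start + 1 > len(best):
                best = fails[start:end + 1]
        users = {e["user"] for e in best}
        if len(best) >= min_failures and len(users) >= min_distinct_users:
            # Successes from a flagged IP are the accounts that were likely hit.
            flagged[ip] = {"failures": len(best), "distinct_users": len(users),
                           "successes": [e["user"] for e in evs if e["ok"]]}
    return flagged


def sample_log():
    """Constructed sample: 203.0.113.7 sprays 25 accounts and lands one
    success; 198.51.100.9 is a single user mistyping a password."""
    base = datetime(2020, 1, 24, 10, 0, 0)
    lines = [f"{(base + timedelta(seconds=i * 3)).isoformat()} "
             f"ip=203.0.113.7 user=user{i:02d} result=fail" for i in range(25)]
    lines.append(f"{(base + timedelta(seconds=80)).isoformat()} "
                 f"ip=203.0.113.7 user=user13 result=ok")
    lines += [f"{(base + timedelta(seconds=i * 20)).isoformat()} "
              f"ip=198.51.100.9 user=alice result=fail" for i in range(3)]
    lines.append(f"{(base + timedelta(seconds=70)).isoformat()} "
                 f"ip=198.51.100.9 user=alice result=ok")
    lines.append("2020-01-24T10:02:00 GET /healthz 200")  # non-auth noise
    return lines


if __name__ == "__main__":
    for ip, info in find_stuffing_sources(sample_log()).items():
        print(f"ALERT {ip}: {info}")
```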

Source: Information Security Magazine

Ransomware Payments Doubled and Downtime Grew in Q4

The average ransomware payment more than doubled quarter-on-quarter in the final three months of 2019, while average downtime grew by several days, according to the latest figures from Coveware.

The security vendor analyzed anonymized data from cases handled by its incident response team and partners to compile its Q4 Ransomware Marketplace report.

It revealed that the average payment in the quarter was $84,116, up 104% from the previous three months. Coveware claimed the jump highlights the diversity of hackers utilizing ransomware today.

“Some variants such as Ryuk and Sodinokibi have moved into the large enterprise space and are focusing their attacks on large companies where they can attempt to extort the organization for a seven-figure payout. For instance, Ryuk ransom payments reached a new high of $780,000 for impacted enterprises,” it argued.

“On the other end of the spectrum, smaller ransomware-as-a-service variants such as Dharma, Snatch, and Netwalker continue to blanket the small business space with a high number of attacks, but with demands as low as $1500.”

That said, Sodinokibi (29%) and Ryuk (22%) accounted for the majority of cases spotted in Q4 2019. During the quarter, attackers using the former variant began to use data theft to force firms to pay up, which may have increased the figure for total losses.

Also during the quarter, the amount of downtime experienced by victim organizations increased from the previous three months — from 12.1 to 16.2 days. This increase was driven by the larger number of attacks targeting major enterprises with more complex network architectures, which can therefore take weeks to restore and remediate, Coveware claimed.

Phishing, RDP targeting and vulnerability exploitation remain the most popular attack methods, it added. Professional services (20%), healthcare (19%) and software services (12%) were the top three sectors targeted.

According to the data, 98% of organizations that paid a ransom received a decryption key, and those victims successfully decrypted 97% of their data. However, with multi-million-dollar ransoms now commonplace, the official advice is still not to give in to the hackers’ demands, especially as it will lead to continued attacks.

Source: Information Security Magazine

Sonos Backtracks to Offer Fixes for Legacy Speakers

Sonos appears to have bowed to customer pressure and will now offer security updates for legacy kit and ensure it can co-exist with newer systems.

The smart speaker firm issued a statement earlier this week warning that from May, “some of our oldest products will no longer receive software updates or new features.”

It claimed that the legacy products — Zone Players, Connect and Connect:Amp, first-generation Play:5, CR200, and Bridge — were “stretched to their technical limits.” The firm urged customers to buy new items and take their old kit to a recycling facility.

That stance drew criticism from customers concerned that they wouldn’t be able to use old speakers in concert with newer, supported equipment.

A furore also erupted over the firm’s roll-out of a “Recycle Mode” for legacy equipment, which was designed to protect consumers from unwittingly buying old speakers. It effectively removes all user information and permanently bricks the device in preparation for recycling. But it has been argued that by doing so, recycling firms can subsequently do nothing but strip it for parts, which is more wasteful.

To its credit, Sonos appears to have reversed its stance. In an apology published on Thursday, CEO Patrick Spence said the firm would continue to offer security updates to legacy purchases, as well as finding a way for old and new equipment to work together.

“We are not bricking them, we are not forcing them into obsolescence, and we are not taking anything away. Many of you have invested heavily in your Sonos systems, and we intend to honor that investment for as long as possible,” he said.

“While legacy Sonos products won’t get new software features, we pledge to keep them updated with bug fixes and security patches for as long as possible. If we run into something core to the experience that can’t be addressed, we’ll work to offer an alternative solution and let you know about any changes you’ll see in your experience.”

Back in 2018, Trend Micro research warned that hackers could exploit flaws on internet-connected Sonos speakers to remotely control the devices themselves and infiltrate the networks they’re on.

This could present security challenges for corporates if remote workers have speakers operating on their home networks, it claimed.

Source: Information Security Magazine

US Cybersecurity Agency Issues Emotet Warning

America's Cybersecurity and Infrastructure Security Agency (CISA) issued a warning yesterday after observing an increase in the number of targeted cyber-attacks that utilize Emotet.

Emotet functions as a modular botnet that can steal data, send malicious emails, and act as a dropper, downloading and installing a wide range of malware onto a victim's computer. This sophisticated strain of malware was developed by threat group TA542. 

CISA said: "Emotet primarily spreads via malicious email attachments and attempts to proliferate within a network by brute forcing user credentials and writing to shared drives. If successful, an attacker could use an Emotet infection to obtain sensitive information."

The agency warned that such an attack could result in the loss of money and of proprietary information as well as cause "disruption to operations and harm to reputation."

CISA advised users and system administrators to block email attachments such as .dll and .exe, which are commonly associated with malware, and to block any email attachments that cannot be scanned by antivirus software.

Further protection measures suggested by CISA are to implement firewalls, an antivirus program, and a formalized patch management process.

To stop a virus from running rampant around your network, CISA recommended segmenting and segregating networks and functions. 

The warning comes a week after cybersecurity firm Proofpoint announced that Emotet was back and causing trouble with a new campaign after taking what appeared to be a Christmas break. Researchers spotted Emotet going after targets in the pharmaceutical industry in the US, Canada, and Mexico on January 13. 

By Tuesday, the attackers had widened their net to go after victims in multiple industries in Australia, Austria, Germany, Hong Kong, Italy, Japan, Singapore, South Korea, Spain, Switzerland, Taiwan, and the United Arab Emirates. 

"Based on past activity and what our researchers are seeing, organizations around the globe should take Emotet’s return seriously," wrote researchers. "On Monday alone we saw nearly three quarters of a million messages and they’re already fast approaching one million messages total."

This mass of messages, although large, isn’t the highest volume the researchers have ever seen from the TA542 group. Previously, researchers have seen the threat actors send over one million messages in just one day.

Source: Information Security Magazine