Intelligent Connections. Powerful Impact.
Call Us: 415-510-2973

Archive for the News Category

Servers Grab Client Files via MySQL Design Flaw

Servers Grab Client Files via MySQL Design Flaw

Attackers can potentially run a malicious MySQL server and gain access to connected data, according to a new security alert.

MySQL has issued a security notice resulting from issues with the LOAD DATA LOCAL, noting that the “statement can load a file located on the server host, or, if the LOCAL keyword is specified, on the client host.”

The design flaw exists in the file transfer interaction between a client host and a MySQL server, according to BleepingComputer. Leveraging this attack would allow a malicious actor to steal sensitive information from a web server that is not properly configured either by enabling connections to untrusted servers or from database management applications.

According to the security notice, there are two potential security concerns. “The transfer of the file from the client host to the server host is initiated by the MySQL server. In theory, a patched server could be built that would tell the client program to transfer a file of the server’s choosing rather than the file named by the client in the LOAD DATA statement. Such a server could access any file on the client host to which the client user has read access. (A patched server could in fact reply with a file-transfer request to any statement, not just LOAD DATA LOCAL, so a more fundamental issue is that clients should not connect to untrusted servers.)”

In a January 20 blog post, security researcher Willem de Groot responded to the security notice’s claim that this flaw could be leveraged “in theory,” noting that “an Evil Mysql Server which does exactly that can be found on Github, and was likely used to exfiltrate passwords from these hacked sites. And could be used to steal SSH keys and crypto wallets, as interfail points out.”

“Although this may not sound critical, since most users are not easily fooled into connecting to an attacker's mySQL server, there are in fact many web servers with exposed database management interfaces that allow attacker initiated connections to arbitrary servers,” said Craig Young, computer security researcher for Tripwire’s Vulnerability and Exposure Research Team (VERT).

“Website administrators must be aware that such pages, even when not linked to other content, may be discovered and abused by attackers. Administration tools like Adminer should not be left unprotected in any circumstances.”

Source: Information Security Magazine

Two Elasticsearch Databases Found Unprotected

Two Elasticsearch Databases Found Unprotected

After news broke that an Elasticsearch server belonging to several online casinos was left without a password, independent security researcher Bob Diachenko discovered another unprotected Elasticsearch database from AIESEC, a global, youth-run nonprofit.  

A database breach exposed more than four million intern applications with personal and sensitive information on a server without a password. The database reportedly contained information included in applications that had been tagged as "opportunity applications" for AIESEC internships and "included sensitive information as email, full name, DOB, gender, plus a detailed description on their intentions for applying for AIESEC as well as interview details,” according to Diachenko’s blog post on SecurityDiscovery.

“Basically, AIESEC was using software that is great for giving their staff access to money-making data, but they focused far too little on protecting the data,” said LUCY Security CEO Colin Bastable.

“GDPR penalties apply to the global revenues of virtue-signaling nonprofits just as much as they do to their virtue-seeking corporate sponsors. I suspect they will get a slap on the wrist, and the IT budget will be invested appropriately in keeping Laurin Stahl out of the IT security press next year. There is probably a significant proportion of nonprofits that are vulnerable in this way, so they should take this as a warning to get serious about securing consumer data. The message for consumers is [that] you can’t trust any organization with your personal data, even if they are driven by the most noble ideals, so share with care.”

This is the second misconfiguration in an Elasticsearch database disclosed this week. News also broke that a password-less Elasticsearch server belonging to a variety of online casinos had compromised the information on over 108 million bets, including customers’ payment card info, full names, home addresses, phone numbers, email addresses, birth dates, site usernames, account balances, IP addresses, browser and OS details, last login information and more.

The payment card details indexed in the server were partially redacted, however, suggesting that they were not exposing each user’s full financial details. The leaky server was found last week and was just taken offline on January 21, making it no longer accessible.

“This breach is yet another example of a company leaving a server and critical information unsecured without any password protection, an unfortunate trend that has been the cause of many recent leaks, such as the VOIPo and Oklahoma Securities Commission’s latest incidents,” said Mark Weiner, CMO, Balbix.

He continued, “108 million bets were exposed by this data leak, including full names, home addresses, phone numbers, email addresses and account balances that could be used by malicious actors as a part of phishing scam to target those who recently won large sums of money. Fortunately, the exposed payment card data was partially redacted, meaning that users did not have their full financial information exposed.”

Source: Information Security Magazine

Americans Feel Fated to Fall Prey to Cybercrime

Americans Feel Fated to Fall Prey to Cybercrime

Only a few days after the Senate Committee on Aging released a new report in which it found that seniors lose an estimated $2.9 billion each year to financial scams, the insolvency services of Nyman Lisbon Paul and the UK’s Driver and Vehicle Licensing Agency (DVLA) have issued scam alerts warning consumers to beware of cyber scams.

Two weeks ago, Infosecurity reported that 60% of consumers in the UK were leaving themselves vulnerable to scams, and today, Nyman Lisbon Paul tweeted a warning that “pension scam victims lost an average of £91,000 to criminals in 2018, Financial Conduct Authority (FCA) research recently revealed. Criminals often use cold-calls and offers of free pension reviews to convince their victims to comply.”

As scams become more commonplace, government agencies, organizations and concerned citizens are taking to social media to caution consumers about the myriad scams to which they could fall victim. One Twitter user posted:

In an effort to prevent people from falling victim to this and other scams, “DVLA is reminding customers that the only official place to find our services and information is on GOV.UK. Cyber scams are common so we want to help our customers to spot fraudulent activity.”

However, these warnings might be ineffective. According to a recently released report from ERP Maestro that examined the relationship Americans have with cybercrime and identity theft, 76% of Americans believe it is inevitable that they will fall victim to either identity theft or some form of cybercrime. As a result, 48% confess that they are not concerned about becoming a victim. The report found that when it comes to consumer attitudes and behaviors, 57% of Americans believe that if something happens, the damage will be reversed.

In addition, 68% of Americans feel that there is little to nothing they can do to prevent falling victim to cybercrime. Those habits can be potentially dangerous for companies that employ people who don’t take cybersecurity seriously.

"While our mission is to protect companies from cybercrime on the inside, we wanted to examine how concerned people are about cybercrime in their personal life to see if cyber safety is practiced similarly professionally," said Jody Paterson, founder and CEO of ERP Maestro, in a press release.

"Good cybersecurity habits should be practiced at both work and home, but these responses may indicate that the same beliefs and behaviors on cybercrime are also brought into the workplace, and that is a huge risk for companies."

Source: Information Security Magazine

Dark Web Drug Dealers Get 43 Years

Dark Web Drug Dealers Get 43 Years

Three dark web drug dealers have been sentenced to a total of over 43 years for supplying hundreds of customers worldwide with notorious opioid fentanyl.

Jake Levene, 22, Lee Childs, 45, and Mandy Christopher Lowther, 21, were sentenced last week at Leeds Crown Court after pleading guilty to exporting and supplying class A drugs.

The group mixed fentanyl and its analog carfentanyl with bulking agents at an industrial unit in Leeds before selling them on sites like Alpha Bay under the name “UKBargins,” according to the National Crime Agency (NCA).

It’s unclear how they were brought to justice, although the trio were arrested in April 2017, less than three months before the Alpha Bay and Hansa takedowns. When policed raided the unit, a laptop was found displaying the UKBargins store on Alpha Bay.

Childs was apparently caught on CCTV in a Post Office mailing hundreds of packages of drugs to customers worldwide including as far afield as Australia, Argentina and Singapore.

Between December 2016 and April 2017 the three are said to have turned over £163,474 — selling 2853 items to 443 customers worldwide including 172 in the UK.

During the raid, 2.6kg of carfentanyl was recovered including a packet of 440g pure carfentanyl, the largest such seizure of its kind in Europe, according to the NCA.

The drug is said to be 10,000-times more potent than morphine, while fentanyl is up to 10-times stronger. Both have been linked to countless deaths over recent years.

“Fentanyl and carfentanyl are extremely potent, the latter having no medical uses for humans. Not only is it potentially lethal for those taking it, these drugs pose a serious danger to all those that come into contact with them, be that first responders like law enforcement and medical staff, or in this case, postal staff,” said NCA senior investigating officer, Graham Roberts.

“The lengthy jail terms handed down to them today are a reflection on their dangerous and careless actions.”

Source: Information Security Magazine

Active Cyber Defence Should Be Rolled Out UK-Wide: Report

Active Cyber Defence Should Be Rolled Out UK-Wide: Report

The UK government’s highly successful Active Cyber Defence (ACD) program should be rolled out across other sectors to improve national cybersecurity, and could even be spurred by the government naming and shaming laggards, according to a new report.

The Cyber Security Research Group at King’s College London (KCL) argued that the ACD has done well in reducing low-level cybercrime against government services.

“There are no significant technical obstacles to extending these protections beyond the public sector and no fundamental reasons why ACD tools and techniques should not be tested and deployed as appropriate,” it claimed.

The report urged stakeholders to actively engage with the government via the National Cyber Security Centre (NCSC) to make this a reality.

It could also be a competitive differentiator for organizations in the future, the report claimed, adding that greater transparency in this area would help consumers decide which ones to trust, while incentivizing firms to improve.

“There will need to be careful calibration of ‘sticks and carrots’ to encourage industry and others to adopt ACD where possible but the existing buy-in of major companies and industry bodies will assist greatly in this process,” the report claimed.

“NCSC has no legal power to mandate ACD in any circumstance, nor does it seek it, so all progress in this area must be based on high standards of transparency, partnership and public reporting, particularly given NCSC’s status as part of GCHQ.”

ACD could even be exported abroad, helping to enhance the UK’s reputation and build out international partnerships, KCL claimed.

Launched in 2016, ACD includes several complementary elements: a takedown service designed to remove malicious content spoofing government domains; DMARC implementation to improve email security; Web Check to test government websites for vulnerabilities; and a Public Sector DNS service to prevent employees being directed to malicious sites.

After just a year of operation the program had enabled the removal of 121,479 unique phishing sites across 20,763 attack groups physically hosted in the UK, and 18,000 more sites internationally. Government domains supporting DMARC rose from just over a quarter to nearly 39%, while Web Check produced 4,108 advisories for customers, covering a total of 6,218 different issues.

During 2017, 3TB of DNS data was analysed for security threats, with over 134,000 unique queries blocked.

“The Active Cyber Defence program has been a huge success in protecting government agencies — and those who use them — from cyber threats. Our research finds that it could be legally, cheaply and efficiently rolled out beyond the public sector, to further protect people online,” said Tim Stevens, convenor of KCL’s Cyber Security Research Group.

“Greater transparency around the level of cybersecurity employed by businesses and other organisations will motivate them to adopt ACD measures that will keep users and their data safe.”

Source: Information Security Magazine

Global Firms Face $5tr in Cybercrime Losses

Global Firms Face $5tr in Cybercrime Losses

Global firms could lose over $5tr to cybercrime over the next five years, a new Accenture study has warned.

The consulting giant interviewed over 1700 CEOs and other C-suite executives to compile its report, Securing the Digital Economy: Reinventing the Internet for Trust.

It claimed that as businesses become more dependent on complex web-based models, their ability to innovate and grow securely cannot keep up.

In fact, over three-quarters (79%) claimed that the growth of the digital economy will be held back unless internet security is dramatically improved, while 59% said they don’t know how to react to growing instability.

Most at risk over the next five years are hi-tech companies, which could face losses of $753bn, followed by those in life sciences ($642bn) and automotive ($505bn).

Nearly four-fifths (79%) claimed their organization is adopting new technologies faster than they can secure them, while 80% said third-party threats are increasingly difficult to mitigate.

Only 30% of those polled said they were very confident in their own cybersecurity.

“Strengthening internet security requires decisive — and, at times, unconventional — leadership by CEOs, not just CISOs,” argued Accenture CMT lead, Omar Abbosh. “To become a cyber-resilient enterprise, companies need to start by bringing CISOs’ expertise to the board, ensuring security is built-in from the initial design stage and that all business managers are held responsible for security and data privacy.”

Over half of respondents (56%) said they’d welcome stricter business regulations in the cybersecurity sphere, while three-quarters (75%) claimed that addressing security concerns will require a group effort.

That’s why Accenture is recommending business leaders focus on improved collaboration with their peers, government officials and regulators, as well as improving baseline security across the supply chain.

“No organization can tackle the challenges posed by cyber-threats on its own; it’s a global challenge that needs a global response, and collaboration is key,” explained Accenture Security senior managing director, Kelly Bissell.

“To shape a future that thrives on a strong and trustworthy digital economy, senior executives need to look beyond the bounds of their organization, team with an ecosystem of partners, and secure their entire value chains — across every partner, supplier and customer.”

Source: Information Security Magazine

DNC: Russian Hackers Targeted Staffers After Midterms

DNC: Russian Hackers Targeted Staffers After Midterms

The Democratic National Committee (DNC) has claimed that one of the same Russian hacking groups blamed for leaking sensitive information in 2016 targeted its employees again just days after the 2018 midterm elections.

In court documents filed at the weekend, the DNC said that the group known as Cozy Bear (aka APT29/The Dukes) posed as a State Department official in spear-phishing emails sent to dozens of its employees.

The emails were booby-trapped with a malware-laden PDF designed to provide access to the victim’s machine.

“In November 2018, dozens of DNC email addresses were targeted in a spear-phishing campaign, although there is no evidence that the attack was successful,” the filing noted.

“The content of these emails and their timestamps were consistent with a spear-phishing campaign that leading cybersecurity experts have tied to Russian intelligence. Therefore, it is probable that Russian intelligence again attempted to unlawfully infiltrate DNC computers in November 2018.”

The revelations are part of a civil suit filed by the DNC against the Kremlin, Julian Assange and WikiLeaks, the Trump campaign, and others. It details an alleged conspiracy to win Trump the presidency by stealing sensitive DNC documents and leaking them ahead of the 2016 election.

The Kremlin has already argued for it to be thrown out, claiming that even if it did hack the DNC, this activity would fall under military operations and therefore be immune from civil claims.

In July 2018, special counsel Robert Mueller indicted 12 alleged Russian intelligence officers for their part in this 2016 operation.

That followed a February charge against 13 Russian nationals and three Russian companies for the alleged role they played in online disinformation and influence campaigns ahead of the election.

Source: Information Security Magazine

Collection #1 Data Dump the “Tip of the Iceberg”

Collection #1 Data Dump the “Tip of the Iceberg”

A recently discovered trove of breached data is just a small part of a major 871GB haul up for sale on the dark web which could contain billions of records, according to experts.

The 87GB Collection #1 dump was first publicized late last week when noted researcher Troy Hunt was alerted to the files hosted on a popular cloud site. After cleaning up the data he found it contained nearly 773 million unique email addresses and over 21 million “dehashed” passwords.

It has since emerged that this data is two to three years old, gathered from multiple sources, and that the same seller, dubbed ‘Sanixer’ on Telegram, has much more recently obtained data to sell.

Authentication security vendor, Authlogics, claims to have the data from Collection #2, 3, 4, and 5 in its possession and is loading it into its breached password database.

It estimates the new trove of data comes to roughly 784GB, nine-times the size of Collection #1, and could contain over seven billion records in its raw state.

In fact, Sanixer may have even more breached and leaked data to sell: the cyber-criminal told researcher Brian Krebs that taken together, all the other packages they have up for sale are less than a year old and total over 4TB in size.

These include one dubbed “ANTIPUBLIC #1” and another titled “AP MYR&ZABUGOR #2.”

The bottom line is that users need to invest in password managers to store and support long-and-strong unique credentials for all the main sites/accounts they have online, and to opt for multi-factor authentication where it’s available.

One security vendor warned in its 2019 predictions report at the end of last year that credential stuffing tools would become increasingly popular among the black hat community as they look to monetize troves of breached data.

“Because of the volume of data breaches in the past years and the likelihood that cyber-criminals will find a lot of users recycling passwords across several websites, we believe that we will see a surge in fraudulent transactions using credentials obtained by cyber-criminals from data breaches,” Trend Micro claimed.

“Cyber-criminals will use breached credentials to acquire real-world advantages such as registering in mileage and rewards programs to steal the benefits. They will also use these accounts to register trolls on social media for cyber-propaganda, manipulate consumer portals by posting fake reviews, or add fake votes to community-based polls — the applications are endless.”

Source: Information Security Magazine

New Year, New Features for Fallout EK

New Year, New Features for Fallout EK

The new year is a time for resolutions and promises of change, so much so that even malware has returned from a bit of time off with some new features, including a new Flash exploit, according to Malwarebytes head of investigations, Jérôme Segura.

The Fallout exploit kit (EK) took a little respite over the first few weeks of 2019, but it has returned, this time using CVE-2018-15982, along with HTTPS support, a new landing page format, and Powershell to run its payloads. In addition, Seguara said the team has seen an increase in RIG EK campaigns, which he suspects might have been an effort to fill that temporary void.

As the malware has returned to business, it continues to spread using malvertising chains. In September 2018, FireEye wrote that the Fallout EK was discovered affecting mostly countries in the Asia Pacific region. Though it did distribute SmokeLoader in Japan, the malware then shifted to dropping GandCrab in the Middle East.

When the malware was detected again in October 2018, the EK was being used in the HookAds campaign, which delivered victims to a fraudulent dating page, according to Malware-Traffic-Analysis.net, which also noted that the first payload was the Minotaur ransomware, followed by AZORult during the second and third runs.  

Since Fallout EK's return, Malwarebytes researchers have discovered the malware is delivering the GandCrab ransomware, though it delivers its payload via Powershell, as opposed to iexplore.exe. “This technique is most likely an attempt at evasion, as traditionally we’d expect the Internet Explorer process to drop the payload,” Segura wrote.

"What this new development tells us is that exploit kit developers are still monitoring the scene for new exploits and techniques," he continued. "In 2018, several zero-days for Internet Explorer and Flash Player were found and turned into easily adaptable proofs of concept. Even though the market share for IE and Flash continues to drop, there are many countries still running older systems where the default browser is Internet Explorer.”

Source: Information Security Magazine

Malware Evades Detection One Step at a Time

Malware Evades Detection One Step at a Time

Malicious code was lurking about in two different apps within the Google Play store, according to researchers at Trend Micro who have disclosed that they discovered a banking Trojan in what seemed like legitimate apps.

Both the currency converter and the battery-saving app have been removed from Google Play, but not before they were downloaded thousands of times. The battery app, BatterySaverMobi, even had 73 reviews resulting in a 4.5 star rating, making it appear all the more legitimate.

“We looked into this campaign and found that the apps dropped a malicious payload that we can safely link to the known banking malware Anubis (detected by Trend Micro as ANDROIDOS_ANUBISDROPPER ). Upon analysis of the payload, we noted that the code is strikingly similar to known Anubis samples. And we also saw that it connects to a command and control (C&C) server with the domain aserogeege.space, which is linked to Anubis as well,” researchers wrote.

The apps were reportedly able to evade detection by using the device's motion sensor data.

The malware authors assume that the device is scanning for malware, so they created an emulator with no motion sensors that monitors the user’s steps so that they check for sensor data to determine whether the app is running in a sandbox environment. If it is, the malicious code does not run.

If it does run, though, the user receives a fraudulent prompt, alerting them that a system update is available.

“Here’s more proof that criminals are following users to mobile devices and investing more time and effort in attempting to exploit them. As hard as organizations might work to secure their customers’ mobile experiences, attackers work just as hard to innovate and find ways to take advantage,” said Sam Bakken, senior product marketing manager, OneSpan.

“This is why it’s imperative to give app developers a leg up with one-stop mobile app security tools that allow them to build security into mobile apps from the start, which will save them time and effort and save financial institutions and other purveyors of high-value mobile services money in terms of reduced fraud and maintaining consumer trust in their brand. In addition, meeting attackers’ innovations with mobile app security innovations such as App Shielding – which proactively detects and defends against a variety of nefarious activities executed by mobile banking Trojans such as this one – is another step in the right direction for what will be an ongoing battle.”

Source: Information Security Magazine