
Archive for the News Category

Targeted Attacks Abusing Google Cloud Platform

Google Cloud Platform (GCP) services have been targeted by a newly discovered malware campaign delivering malware via PDF file decoys, according to Netskope Threat Research Labs.

Attackers are reportedly using the Google Cloud App Engine platform to deliver malware with PDF decoys, identified as PDF_Phish.Gen, and GCP URLs that redirect victims to malicious payloads. The research conducted by the team verified evidence of these attacks targeting governments and financial firms worldwide, with multiple decoys possibly linked to the Cobalt Strike advanced persistent threat (APT) group.

The team reportedly detected several targeted attacks, predominantly in the banking and finance sector; all of the samples were EML (.eml) files and all carried the same detection name, which is what triggered the alerts.

“This targeted attack is more convincing than the traditional attacks because the decoy deceives the victim with a GoogleApp Engine URL which is abused to redirect the victim to the malware. As the payload seems to be originating from a trusted source, the chance of falling victim to such attacks is very likely,” researchers wrote.

Though PDF readers typically warn users about the security risk of a document that connects to a website, researchers said, “Once 'remember this action for this site' is checked for a domain, this feature allows any URL within the domain without any prompt.” Once that option has been set for a domain, an attacker can successfully carry out multiple attacks without ever triggering the security alert.

Each of the files used in the attack reportedly downloaded Microsoft Word documents with obfuscated macro code or PDF documents as the second-stage payload.

“The PDF decoy detected in our customer instances downloaded a word document named 'Doc102018.doc' containing obfuscated macro code…On execution, the victim is presented with a message to enable editing and content mode to view the document,” the report said.
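The decoys described above work because a PDF link annotation can carry a /URI action pointing at a trusted-looking host that then redirects elsewhere. A practical defensive triage step is to list every URI a document would open before anyone clicks it. The following scanner is an added example, not code from Netskope or the article: it pulls /URI targets out of a PDF, including ones inside FlateDecode-compressed objects and hex-encoded strings, and flags hosts on a watch list. The watch list is this example's own assumption (appspot.com is Google App Engine's serving domain); the sample PDF and its hostnames are constructed for the demonstration and are not indicators from the campaign.

```python
import re
import zlib
from urllib.parse import urlparse

# Assumption: host suffixes treated as "trusted-looking hosting that can front a
# redirect". appspot.com is Google App Engine's serving domain; extend for your
# environment.
WATCHED_SUFFIXES = ("appspot.com",)

# "stream ... endstream" bodies; the lookbehind keeps "endstream" from being
# mistaken for the start of a new stream.
_STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
# /URI (literal string) with backslash escapes, and /URI <hex string>
_URI_LIT_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
_URI_HEX_RE = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")


def _inflate_streams(data):
    """Return the raw bytes plus the inflated body of every FlateDecode stream,
    so /URI actions inside compressed objects are scanned as well."""
    parts = [data]
    for m in _STREAM_RE.finditer(data):
        try:
            parts.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # image data, an uncompressed stream, or another filter
    return b"\n".join(parts)


def _unescape_literal(raw):
    """Undo the PDF literal-string escapes that can appear in a URL."""
    return raw.replace(b"\\(", b"(").replace(b"\\)", b")").replace(b"\\\\", b"\\")


def extract_uris(pdf_bytes):
    """Every /URI action target in the document: literal strings first, then
    hex strings."""
    text = _inflate_streams(pdf_bytes)
    uris = [_unescape_literal(m.group(1)).decode("latin-1")
            for m in _URI_LIT_RE.finditer(text)]
    for m in _URI_HEX_RE.finditer(text):
        digits = re.sub(rb"\s", b"", m.group(1))
        if len(digits) % 2:  # PDF pads an odd trailing digit with 0
            digits += b"0"
        uris.append(bytes.fromhex(digits.decode("ascii")).decode("latin-1"))
    return uris


def flag_uris(uris):
    """'watched' when the host sits on a watched hosting platform, otherwise
    'external' for anything that leaves the document."""
    verdicts = {}
    for u in uris:
        host = (urlparse(u).hostname or "").lower()
        watched = any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)
        verdicts[u] = "watched" if watched else "external"
    return verdicts


def build_sample_pdf():
    """Constructed sample (not a real decoy): a PDF skeleton with one plain
    link annotation, one link inside a FlateDecode stream and one hex-encoded
    link. Hostnames are placeholders."""
    hidden = zlib.compress(b"<< /S /URI /URI (https://decoy-app.appspot.com/doc) >>")
    return (
        b"%PDF-1.7\n"
        b"1 0 obj << /Type /Annot /Subtype /Link "
        b"/A << /S /URI /URI (https://example.org/invoice\\(1\\).pdf) >> >> endobj\n"
        b"2 0 obj << /Length " + str(len(hidden)).encode() + b" /Filter /FlateDecode >>\n"
        b"stream\n" + hidden + b"\nendstream\nendobj\n"
        b"3 0 obj << /Type /Annot /Subtype /Link "
        b"/A << /S /URI /URI <68747470733A2F2F6578616D706C652E6E65742F61> >> >> endobj\n"
        b"%%EOF\n"
    )


if __name__ == "__main__":
    found = extract_uris(build_sample_pdf())
    for uri, verdict in flag_uris(found).items():
        print(f"{verdict:8} {uri}")
```

A regex scan is deliberately shallow: it does not interpret the PDF object graph, so it will also report URIs in unreferenced or dead objects, which is the right bias for triage. The inflate step matters because decoy documents routinely keep their link annotations inside compressed object streams where a plain string search finds nothing.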

The research suggests that continued adoption of the platform will create an increased cyber-attack surface where hackers can target the infrastructure.

Source: Information Security Magazine

Sneaky Malvertisers Target Apple Users with Hidden Malware

Security researchers have warned of a new malvertising campaign using steganography techniques to target Apple users.

The VeryMal group has run multiple campaigns since August 2018, attempting to redirect users to the veryield-malyst domain, according to Confiant security engineer, Eliya Stein.

As many as five million users may have been subject to the most recent campaign, which used steganography to hide the payload from security tools.

“As malvertising detection continues to mature, sophisticated attackers are starting to learn that obvious methods of obfuscation are no longer getting the job done,” explained Stein.

“The output of common JavaScript obfuscators is a very particular type of gibberish that can easily be recognized by the naked eye. Techniques like steganography are useful for smuggling payloads without relying on hex encoded strings or bulky lookup tables.”

In this case the campaign is designed to drop a trojan known as Shlayer, an adware installer which uses “an atypical installation routine” in a bid to evade detection.

VeryMal campaigns are typically only active for a few days, in this case from January 11-13 on two top-tier exchanges representing around a quarter of the top 100 publisher sites, Stein added.

US-based Mac and iOS customers are the target for VeryMal.

The practice of steganography, in this case hiding JavaScript malware inside an image file, has become increasingly popular of late, according to Stein.

This could be hurting the ad industry dearly. Confiant calculated the financial impact of just one day of this campaign at over $1.2m, factoring in publishers losing money from interrupted user sessions and increased use of ad blockers by disgruntled users in the future.

Ad exchanges also lose out from having inventory access cut off, and advertisers suffer ad fraud from infected devices, not to mention users with infected machines, explained Stein.

Confiant detected and blocked over 191,000 impressions across its publisher customers for this campaign, whilst a further two in December apparently yielded over 437,000 impressions.

Source: Information Security Magazine

Scamming the Scammers: How a Security Biz Tricked Social Media Phishers

A UK-based cybersecurity vendor has detailed how it turned the tables on an angler phishing operation posing as Virgin Media support on Twitter.

This particular type of phishing attack is a relatively new tactic. It involves the scammer registering fake Twitter accounts that masquerade as legitimate customer support and then monitoring the real support accounts for irate customer messages.

They then jump in quickly to exploit the customer’s frustration and the immediacy of Twitter to send messages back to those customers, typically loaded with malicious links.

This is what happened to a member of the team at pen-testing firm Fidus Information Security when they complained to Virgin Media via Twitter.

After receiving replies from the official account and a legitimate-looking fake they decided to have some fun.

First, they attempted to test how gullible the scammers were, providing a fake name (Wade Wilson, aka comic book character Deadpool) and address (Savile Row police station).

The scammers subsequently requested card details linked to the Virgin Media account, to which Fidus replied with a set of test credit card details.

After the card didn’t authorize for the scammers, they tried to persuade their ‘victim’ to hand over the details of another card. At the same time, the security vendor was in turn trying to trick them into clicking on a link to a site hosted by the company, in order to expose their IP address.

In the end the firm faked a screenshot of an AmEx fraud alert SMS featuring its own phishing link requesting that the user click to verify their card details.

That appears to have been enough to phish the phishers.

“After sending a fake SMS message we received a click on our web server. At this point the game was up as the IP linked back to our website and we never received a reply back,” the vendor explained.

“We reported this all back to Twitter, who’ve since suspended the account, and Police in the UK in the hope some action can be taken against those responsible.”

Source: Information Security Magazine

HPE Targets Girl Scouts for Next-Gen White Hats

A new cybersecurity curriculum targeting junior Girl Scouts aged 9-11 aims to shift the image of the young girls in green from cookie distributors to cyber defenders, according to news from Hewlett Packard Enterprise (HPE).

HPE has teamed up with the Girl Scouts to launch a cybersecurity education program specifically for young girls to learn and test out their cyber savvy using a newly debuted interactive online game. The game is dubbed Cyber Squad, and the program is initially being rolled out with Girl Scouts of Nation’s Capital, in counties throughout Washington D.C., Maryland and Northern Virginia.

The narrative game was custom-designed specifically for the Girl Scouts pro bono by HPE’s women in cybersecurity group. Cyber Squad takes players through mock scenarios and simulates the consequences of both risky and safe online behaviors.

At a time when 86% of girls engage in online chats unbeknownst to their parents, this new educational tool is critical to keeping young women safe online. Given that 69% of teens regularly receive electronic exchanges from strangers and don’t share that information with their parents, they are becoming increasingly vulnerable to negative online behaviors and privacy risks. In fact, according to HPE’s press release, 27% of young people willingly agree to in-person meetings with someone they have only met online.

“Kids are becoming more mobile, networked and connected, but this also comes with alarming risks and dangers. Making basic cybersecurity awareness at a young age is imperative, and as fundamental as safety skills in the physical world, like learning how to cross the street,” said HPE chief information security officer Liz Joyce in a press release.

“As someone who tackles cyber risks and crime by day and goes home to a young daughter at night, I know just how critical this education is. Through this collaboration, we hope to arm Girl Scouts with the cybersecurity literacy and knowledge they need to be savvy, secure and safe online, and to empower them to be good digital citizens.”

To address the growing concerns of online behavior and communication, the curriculum will cover four crucial areas, including personal information and digital footprint, online safety, privacy and security, and cyber-bullying.

Those Girl Scouts who complete the game and a corresponding curriculum (taught via troops) will earn an embroidered patch for their uniforms certifying their newfound knowledge. The curriculum and game are intended to foster cyber and STEM smarts in fun and relatable way.

Source: Information Security Magazine

UK Public: Drones Are National Security Risk

The British public is dead-set against the use of drones, with the vast majority believing that they represent a national security risk and that cyber experts must do more to mitigate the threat from above.

Think tank Parliament Street polled 2000 members of the public to compile its latest report, Drones 4 U.

It appears that recent incidents at two London airports have had a major impact on public perception of unmanned aerial vehicles (UAVs).

Three-quarters (75%) believe them to be a national security threat, with only 2% disagreeing, according to the report.

Over a third (38%) said they want to see drones banned altogether, but a larger number (83%) backed a mandatory licensing system for owners similar to firearm regulations.

The vast majority (83%) of those surveyed also believe the UK is failing to keep up with the threat of developments in drone technology, and a similar number (84%) want cyber experts to do more to help during serious incidents.

Drones flying over Gatwick Airport caused chaos last month as both runways were forced to close, leading to an estimated 800 cancelled flights affecting 120,000 passengers over several days. The incident was a much worse repeat of a 2017 closure of the same airport due to UAVs when a runway was shut for 14 minutes.

A similar problem hit Heathrow Airport earlier this month.

Such incidents are becoming increasingly frequent. According to Parliament Street, drones have flown dangerously close to passenger aircraft in the airspace around Gatwick at least five times over the past four years.

There are also concerns over drones potentially being hijacked by hackers and used to cause incidents like the ones above.

PwC warned last year that GPS receivers are a major weakness in civilian drones as they’re dependent largely on unencrypted signals.

“Without secure authentication mechanisms, location spoofing is possible. The internal measurement units rely on data from other sensors on the drone and measure direction of travel — if they are fed incorrect information, the drone’s course or altitude could be altered,” it added in a blog post.

“Another potential vulnerability is the functionality to configure a drone to ignore communications from the ground during flight. This is meant to be a safety control, but it could be attractive to threat actors looking to cause harm … it is important that end-to-end security is employed to secure any drone-enabled service.”

Source: Information Security Magazine

Modular “Anatova” Ransomware Resists Analysis

Security researchers are warning of a newly discovered and highly sophisticated strain of modular ransomware featuring special capabilities to resist analysis.

Dubbed “Anatova” by McAfee, the malware has been detected across the globe, in the US, UK, Russia, Italy, Sweden and beyond. It was discovered in a private P2P network, using a game or application icon to trick users into downloading it.

Compiled on January 1 this year, Anatova is believed to have been created by “skilled malware authors.”

Each sample analyzed by McAfee had its own unique key, a rarity in the ransomware world, and featured strong protection against static analysis.

Most strings are encrypted, each with a different key, and 90% of calls are dynamic, using only standard Windows APIs and C programming, the vendor claimed. The malware also initiates a memory-cleaning procedure if it finds one of a list of usernames commonly used by virtual machines and sandboxes.

Files are encrypted via Salsa20 and the malware will also hunt down any files on network shares, with 10 DASH coins ($700) demanded in return for decryption.

“Finally, when all steps are completed, the ransomware will follow the flow of cleaning code…mainly to prevent dumping memory code that could assist in creating a decryption tool,” McAfee explained.

The ransomware is modular in architecture, leading to speculation that its authors could package these capabilities up with information-stealing or other functionality to improve the chances of monetizing attacks.

The findings highlight the fact that ransomware remains a major threat to organizations, despite more publicity being focused on crypto-mining in 2018.

Earlier this month the Texan city of Del Rio warned that it had been hit by a major ransomware-related outage.

Europol last year warned that ransomware would be a top threat to businesses for years to come.

Source: Information Security Magazine

Google Under Investigation for Another Alleged GDPR Breach

Google is under investigation in Sweden over alleged breaches of the GDPR, just days after it was issued with a major €50m fine in France.

Swedish regulator Datainspektionen revealed earlier this week that it launched the investigation into collection of Android users’ location data, after receiving a complaint from the Sveriges Konsumenter (Swedish Consumer Association) linked to allegations in an earlier report by Forbrukerrådet (the Norwegian Consumer Council).

“In summary, the complainant holds that the way Google provides itself access to the location data of users of its mobile operative system Android by ways of its so called ‘Location History’ and ‘Web & App Activity’ is in breach of the GDPR,” the authority said.

“According to the complainant, the report by Forbrukerrådet states that Google use deceptive design, misleading information and repeated pushing to manipulate users into allowing constant tracking of their movements. In essence, the complainant holds that the processing of location data in this way is unlawful and that Google is in violation of Articles 5, 6, 7, 12, 13 and 25 of the GDPR.”

A supervisory letter sent to the web giant requests more information and answers to a series of questions by February 1.

Specifically, it wants to know the total number of Swedes who have had location data slurped through the services and how many data points are gathered on average per individual, broken down for every hour of the day.

It asks for privacy policies, data impact assessments and records of processing activities, and wants to know the legal basis for processing, why data is being collected, and when and how consumers are notified, among other details.

The investigation highlights the continued scrutiny of firms under the GDPR. Although we have yet to hear about a major investigation undertaken due to concerns over data security, one is surely not far away as the regulators begin to flex their muscles.

Source: Information Security Magazine

Another Bank Found in Elasticsearch Database Leaks

What was reported earlier this week as only two Elasticsearch database misconfigurations that left millions of bets and thousands of personal records exposed has evolved into a trove of disclosures involving more than 24 million banking and financial records at several organizations, including Bancolombia, according to security researcher Bob Diachenko.

As the week has progressed, Diachenko has revealed the names of different organizations that were part of his Elasticsearch discovery, including Citi and Ascension, a data and analytics company. Today, Diachenko has revealed his exchange with yet another company, Bancolombia, whose database misconfigurations left records exposed.

In an email to Infosecurity, Diachenko wrote:

To discover data breaches, leakages, and vulnerabilities on the Internet, we at use public search engines only, such as Shodan, Censys etc. When we find a public database (data that’s fully accessible to anyone without any restrictions) we collect several digital samples for further analysis. If these samples contain any kind of private and sensitive data, we employ a Responsible Disclosure model to privately communicate the findings with data owners (the company or organization that left the information publicly accessible) and help them implement specific security safeguards to protect their private data.

On Nov 29th I identified an unprotected Elasticsearch cluster, available for public access, via the Shodan engine. It took me some time before I analyzed the data and noted that almost all payment information (credit card details) was related to Bancolombia, so I decided it would be the quickest possible solution to prevent this data from being stolen and report the incident directly to bank authorities.

Shortly after I contacted Bancolombia, the instance was secured (Nov. 30), and the next day I was contacted by a representative of the company that managed the data, Waumovil, who thanked me for the heads-up and said that “unfortunately we had some open ports that I was not aware”.

In an attempt to get ahead of what has been dispersed on social media, Bancolombia responded to Diachenko, asserting that none of its systems had been compromised but that the information was “stolen at trade,” according to a translation of the statement.

"We have previously reported that the lack of authentication allowed the installation of malware or ransomware on the Elasticsearch servers. The public configuration allows the possibility of cyber-criminals to manage the entire system with full administrative privileges. Once the malware is in place criminals could remotely access the server resources and even launch a code execution to steal or completely destroy any saved data the server contains," Diachenko said.

"Although the company reacted fast to secure their data it is unclear how long it may have been publicly available or who else might have accessed the files. Data privacy and data protection laws like GDPR are a good first step but companies and charities need to be proactive when it comes to data protection."
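The exposures in this story come down to one property: an Elasticsearch HTTP port that answers anyone, with no authentication, and hands back cluster metadata and index listings. The check below is an added example, not code from the researcher or the affected companies, for verifying that property on clusters you are responsible for. It classifies what an unauthenticated request to the root endpoint returns and, when the cluster is open, summarizes how many documents each index exposes via the real `/_cat/indices?format=json` endpoint. The sample responses are constructed to match Elasticsearch's response shape and are not captured from any real cluster; index names and counts are placeholders.

```python
import json
import urllib.error
import urllib.request

# Constructed responses shaped like Elasticsearch's own JSON (not captured from
# any real cluster). docs.count is returned as a string by the _cat API.
SAMPLE_ROOT = json.dumps({
    "name": "node-1",
    "cluster_name": "payments-cluster",
    "version": {"number": "6.5.0"},
    "tagline": "You Know, for Search",
})
SAMPLE_CAT_INDICES = json.dumps([
    {"index": "transactions-2018", "docs.count": "1200000", "store.size": "2.1gb"},
    {"index": ".kibana", "docs.count": "12", "store.size": "40kb"},
    {"index": "customers", "docs.count": "84000", "store.size": "310mb"},
])


def classify_root(status, body):
    """Verdict for an unauthenticated GET / on the cluster's HTTP port."""
    if status is None:
        return "unreachable"
    if status == 401:
        return "auth-required"  # security is on; anonymous callers are refused
    if status != 200:
        return "unknown"
    try:
        doc = json.loads(body)
    except ValueError:
        return "unknown"
    if "cluster_name" in doc and "version" in doc:
        return "open"  # anonymous access reached the cluster API itself
    return "unknown"


def summarize_indices(cat_body):
    """(index, document count) pairs from /_cat/indices?format=json, biggest
    first. docs.count may be null for closed indices, hence the fallback."""
    rows = []
    for r in json.loads(cat_body):
        try:
            count = int(r.get("docs.count") or 0)
        except ValueError:
            count = 0
        rows.append((r["index"], count))
    return sorted(rows, key=lambda t: t[1], reverse=True)


def _get(url, timeout):
    """Fetch without credentials; HTTP errors still yield a status and body."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")
    except urllib.error.URLError:
        return None, ""


def probe(base_url, timeout=5):
    """Live check against a host you operate. Sends no credentials on purpose:
    the question is what any network peer can read."""
    base = base_url.rstrip("/")
    status, body = _get(base + "/", timeout)
    verdict = classify_root(status, body)
    indices = []
    if verdict == "open":
        status, body = _get(base + "/_cat/indices?format=json", timeout)
        if status == 200:
            indices = summarize_indices(body)
    return verdict, indices


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    print(classify_root(200, SAMPLE_ROOT))
    for name, count in summarize_indices(SAMPLE_CAT_INDICES):
        print(f"{count:>10}  {name}")
    # Live use: verdict, indices = probe("http://127.0.0.1:9200")
```

If the verdict is "open" on anything reachable from outside its private network, the fix is configuration rather than detection: bind `network.host` to a private interface, require authentication (`xpack.security.enabled: true` on versions that ship it, or an authenticating reverse proxy in front), and firewall the HTTP and transport ports so only application hosts can reach them.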

Source: Information Security Magazine

Emotet Trojan Targets Education, Gov and Healthcare

As 2018 rounded to a close, Malwarebytes predicted that Emotet and Trickbot were the future of malware, and the third annual State of Malware Report released today confirms that the Trojan families spread wildly, most often targeting the education, government, manufacturing and healthcare sectors.

The old adage, "When one goes up, the other comes down," rang true with malware attacks in 2018. By the second quarter of the year, there was a notable decline in crypto-mining attacks, which saw only a 7% year-over-year increase; however, there was a significant rise in information-stealing malware. The former banking Trojans Emotet and TrickBot plagued the education industry, while manufacturing suffered attacks from WannaCrypt and Emotet.

“The year 2018 was action-packed from start to finish,” said Adam Kujawa, director of Malwarebytes Labs, in a press release. “It began with threat actors diversifying their cryptomining tactics; broadening their reach to Android, Mac and cryptomining malware; and experimenting with new innovations in browser-based attacks.”

Seven categories of malware were detected within businesses, with Trojans, riskware tools, backdoors and spyware making up the top four after more than 100% year-over-year increases. Vools was the top detection among backdoor compromises, according to the report.

“Year after year, we see cyber perpetrators finding new (and old) avenues for monetizing on their attacks. Regardless of whether it is ransomware, mineware or 'good old' Trojans and info stealers, the strategy is the same: find the weakest link and abuse it for initial infiltration, then deploy the 'profit module' of your choice," said Matan Or-El, co-founder and CEO of Panorays.

If the report offered any good malware news, it was that consumer attacks declined, despite business threats increasing by 79%. “Despite the focus on business targets, consumer malware detections only decreased by three percent year over year, thanks to increases in backdoors, Trojans, and spyware malware categories throughout 2018. While 2017 saw 775,327,346 consumer detections overall, 2018 brought with it about 25 million fewer instances of infection – a healthy decrease in number, percentages aside,” the report said.

Last year also witnessed a rise in rogue app attacks, with extensions that fooled both users and app stores into thinking they were legitimate. Also, as Infosecurity reported, Magecart covered a lot of ground in its widespread attacks on e-commerce sites.

Finally, sextortion made its way to the top 10 takeaways list. “Major scams for the year capitalized on stale PII from breaches of old. Phishing emails were blasted out to millions of users in extortion (or in some cases, sextortion) attempts, flashing victims’ old, but potentially still viable, passwords and warning them that they’d expose their secrets if they didn’t pay up.”

Source: Information Security Magazine

2018: The Year of Next-Generation Attacks

Enterprises around the globe are facing a new breed of cyber-attacks that are largely fueled by geopolitical tensions, according to Carbon Black’s 2019 Global Threat Report.

Last year cybersecurity professionals struggled to defend against increasing crypto-mining attacks, along with fileless attacks, ransomware and commodity malware, marking 2018 as the year of the next-generation of attacks.

“Modern cyberattacks appear to increasingly…reveal how clever attackers have become in evolving to remain undetected – using techniques such as lateral movement, island hopping and counter incident response to stay invisible,” the report stated.

The data analyzed in the study found that, in aggregate, enterprises saw approximately one million attempted cyber-attacks per day, though half of today’s cyber-attacks use the victim primarily for island hopping.

Governments around the globe experienced increased attacks that appeared to stem from Russia, China and North Korea. “Of the identified fileless attacks, variants of the malware Graftor were uniquely identified as the fileless payload. The FBI has high confidence that Graftor variants are used by North Korean cyber operations, also referenced as HIDDEN COBRA, to maintain presence on victim networks and to further network exploitation,” the report stated.

In addition, the threat data revealed that computers/electronics, healthcare, business services, internet/software and manufacturing were the five industries most targeted by cyber-attacks in 2018.

Kryptic was the most commonly used ransomware variant in 2018, and the five industries most targeted with ransomware were manufacturing, business services, retail, government and computers/electronics.

The data also showed that the average endpoint “was targeted by two cyberattacks per month throughout 2018. At this rate, an organization with 10,000 endpoints is estimated to see more than 660 attempted cyberattacks per day.”

Another key finding of the study found that approximately $1.8 billion of cryptocurrency-related thefts transpired last year, up from the $1.3 billion in total losses reported by the FBI in 2016, and cyber-criminals have largely shifted from Bitcoin to Monero as their currency of choice.

“Of the identified attacks, cryptocurrency exchanges are the most vulnerable target for cybercriminals. Attacks on these exchanges account for just over 27% of all reported incidents. These exchanges represent prime targets for cryptocurrency theft, fraud and harvesting of user information for follow-on targeting by these same criminals.”

Source: Information Security Magazine