
Archive for the News Category

Cybercrime Costs Global Economy $2.9m Per Minute

In just one minute on the internet, $2.9 million is lost to cybercrime, according to the annual Evil Internet Minute report from RiskIQ.

After analyzing proprietary research and data derived from the volume of malicious activity on the internet, the report found that cyber-criminals cost the global economy $2.9 million every minute last year, for a total of $1.5 trillion. 

Major companies are paying $25 per internet minute because of security breaches, while hacks on cryptocurrency exchanges cost $1,930 per minute. Criminals are leveraging multiple tactics, from malvertising to phishing and supply chain attacks. The loss from phishing attacks alone is $17,700 per minute. Global ransomware events in 2019 are projected to total $22,184 per minute.

"As the scale of the internet continues to proliferate, so does the threat landscape," said Lou Manousos, CEO of RiskIQ, in today’s press release. "By compiling the vast numbers associated with cybercrime in the past year, we made the research more accessible by framing it in the context of an 'internet minute.' We are entering our third year defining the sheer scale of attacks that take place across the internet using the latest third-party research and our own global threat intelligence so that businesses can better understand what they're up against on the open web." 

Cyber-criminals have also increasingly targeted e-commerce with Magecart hacks, which grew by 20% over the last year. The study found that 0.21 Magecart attacks were detected every minute. The data also revealed that in each internet minute 8,100 identifier records are compromised, seven malicious redirectors occur and 0.32 apps are blacklisted. In addition, the research found 2.4 phish traversing the internet per minute.

“Without greater awareness and an increased effort to implement necessary security controls, there will be more attacks using an ever-expanding range of technologies and strategies,” Manousos said. “With the recent explosion of web and browser-based threats, organizations should look to what can happen in a matter of minutes and evaluate their current security strategy. Businesses must realize that they are vulnerable beyond the firewall, all the way across the open internet." 

Source: Information Security Magazine

Five Zero-Days Found in Comodo Antivirus Software

Multiple zero-day vulnerabilities could allow malicious actors to attack Comodo antivirus software and install malware to escalate to the highest privileges, according to Tenable Research.

Though antivirus software is used to protect PCs and other devices from unknown malware and threats, Comodo – which has over 85 million desktop software installations across more than 700,000 business customers – is riddled with vulnerabilities that would ultimately grant an attacker complete control over the machine. Researchers discovered a sandbox escape and a privilege escalation to SYSTEM, according to today’s blog post. An attacker could even disable the antivirus altogether, leaving the device unprotected and vulnerable, researchers explained.

“Comodo uses many IPC mechanisms between its various AV components: Filter Ports, Shared Memory, LPC, and COM,” wrote Tenable’s David Wells.

“We happen to know Comodo has the capability to invoke scan jobs from low-privilege processes such as explorer.exe (via its Context Shell Handler, the menu that appears when the user right-clicks) or Cis.exe (Comodo client GUI). These scan jobs are executed by invoking routines in CAVWP.exe which runs as SYSTEM.”

In total, researchers discovered five different vulnerabilities, which are demonstrated in a proof-of-concept video that illustrates the risks.

Researchers wrote that they had disclosed the vulnerabilities to Comodo on April 17. The company confirmed some of the vulnerabilities on May 7, adding that it is awaiting confirmation of others. According to the disclosure, Tenable followed up to request a status update several times before Comodo reported on June 7 that the “LPE vulnerability is partially due to Microsoft's fault.”

On July 8, Tenable asked for a status update on when fixes would be released. As of the July 22 disclosure, researchers had not been made aware of a patch to address these vulnerabilities. In an email to Infosecurity, a Comodo spokesperson wrote, "There have been no reported incidents exploiting any of these vulnerabilities and no customers reporting related issues to us. The Comodo product team has been working diligently to resolve all vulnerabilities and all fixes will be released by Monday, July 29."

Source: Information Security Magazine

Sky Customers Urged to Reset Passwords

Sky customers have been advised to reset their passwords as a security measure.

In an email sent to a number of its customers, the company wrote: “At Sky we take the security of your data and information extremely seriously. To help keep your account safe we have reset the password for your Sky account.”

Sky confirmed on Twitter that the message is genuine and prompted recipients to follow the link to reset their password, although the reason behind the reset remains unclear.

“The latest news regarding password resets occurring for email accounts with sky.com, as so-called ‘precautionary measures’ that have been taken, indicates that the incident is ongoing and possibly the root cause is still unknown,” said Joseph Carson, chief security scientist & advisory CISO at Thycotic.

“If indeed this was a credential stuffing cyber-attack, then there would be an indicator of a high number of failed log-in attempts, hopefully resulting from some users following best practices by not using the same password across multiple accounts. This is what credential stuffing is trying to abuse using an automated process.”

Sky needs to be following incident response best practices and treating this incident as serious because, in many cyber-incidents, you tend to uncover more serious data breaches when you start looking harder, Carson added. “Sky customers should really start using password managers and two-factor authentication to ensure that a password is not the only security protecting sensitive data.”
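Carson's indicator above, a burst of failed log-ins that spans many distinct accounts from one source, is what separates a credential-stuffing run from one user mistyping a password. The following Python detector is an added example (not code from Sky, Thycotic or Infosecurity Magazine) and runs over a constructed authentication log; the IP addresses, usernames and thresholds are all assumptions.

```python
"""Credential-stuffing indicator over a constructed authentication log."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one event per line: "<iso time> <source ip> <user> <result>".
# 203.0.113.5 tries one password against many accounts; 198.51.100.7 is a
# single user who fails twice and then logs in.
SAMPLE_AUTH_LOG = """\
2019-07-24T09:00:01Z 203.0.113.5 alice FAIL
2019-07-24T09:00:02Z 203.0.113.5 bob FAIL
2019-07-24T09:00:02Z 203.0.113.5 carol FAIL
2019-07-24T09:00:03Z 203.0.113.5 dave FAIL
2019-07-24T09:00:03Z 203.0.113.5 erin FAIL
2019-07-24T09:00:04Z 203.0.113.5 frank OK
2019-07-24T09:00:05Z 203.0.113.5 grace FAIL
2019-07-24T09:00:10Z 198.51.100.7 alice FAIL
2019-07-24T09:00:20Z 198.51.100.7 alice FAIL
2019-07-24T09:00:40Z 198.51.100.7 alice OK
"""


def parse_auth_log(text):
    """Parse the constructed format into (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, user, result))
    return events


def stuffing_sources(text, window=timedelta(minutes=5), min_failures=5, min_users=5):
    """Return {ip: summary} for sources with >= min_failures failed log-ins
    across >= min_users distinct accounts inside any sliding window.

    The summary also counts successes from that source: a success in the
    middle of such a burst (frank above) is a likely compromised account
    and the first thing an incident responder should look at.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, result in parse_auth_log(text):
        by_ip[ip].append((ts, user, result))

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        fails = [(ts, u) for ts, u, r in evs if r == "FAIL"]
        for i, (start, _) in enumerate(fails):
            in_window = [u for ts, u in fails[i:] if ts - start <= window]
            if len(in_window) >= min_failures and len(set(in_window)) >= min_users:
                flagged[ip] = {
                    "failures": len(fails),
                    "users": len({u for _, u in fails}),
                    "successes": sum(1 for _, _, r in evs if r == "OK"),
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, summary in stuffing_sources(SAMPLE_AUTH_LOG).items():
        print(f"possible credential stuffing from {ip}: {summary}")
```

A single user retrying a forgotten password (198.51.100.7) never reaches the distinct-user threshold, so only the spraying source is reported.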

Source: Information Security Magazine

NSA Launches New Unit to Tackle Foreign Threat

The NSA has announced a new unit tasked with taking on foreign adversaries like Russia and China in cyberspace.

The Cybersecurity Directorate, which will be operational from October, is to be led by Anne Neuberger. She previously led an NSA unit known as the Russia Small Group which was set up to manage the threat from Kremlin hackers during the recent mid-terms.

It will reportedly “unify NSA's foreign intelligence and cyber-defense missions and is charged with preventing and eradicating threats to National Security Systems and the Defense Industrial Base.”

NSA director and Cyber Command boss Paul Nakasone announced the new directorate at a speaking engagement at Fordham University.

“We have two missions and for a number of years, NSA has been very active in what was called the information assurance mission. We are re-emphasizing that mission under the Cybersecurity Directorate under Anne Neuberger's leadership,” the agency said in a series of live tweets from his speech at the event.

“The Department of Defense can’t wait for our adversaries to come to us. Working with our allies, we will defend forward. It’s a strategy that now accepts the fact that we have to get involved early on. The American public should rest assured that there will be consequences for taking the US on.”

The threat to national security from state-sponsored attackers has never been greater – whether it’s sabotage of smart systems and operational technologies, theft of sensitive military and other IP, breaches of information on key personnel or interference in elections.

Given that critical infrastructure is mainly run by private companies, attacks are often targeted at this sector.

Just last week, Microsoft revealed that it had warned 10,000 customers they had been targeted by nation state attacks over the past year. This included 742 political organizations including NGOs and think tanks, with 95% of them based in the US.

If there are attempts by foreign nations to disrupt the 2020 US Presidential election, preparations will certainly be well underway by now.

Source: Information Security Magazine

FIN8 Reappears with BADHATCH Malware

The financially motivated threat group known as FIN8 has recently reemerged after being somewhat dormant, according to new research from Gigamon’s applied threat research (ATR) team. 

Researchers have published findings that show FIN8 continues to evolve and adapt its tools. As part of the threat research, ATR discovered a reverse shell from FIN8, dubbed BADHATCH, while observing variants of the ShellTea implant and PoSlurp memory scraper malware. In the report, ATR also compares BADHATCH to other popular malware variants, such as PowerSniff.

“The BADHATCH sample begins with a self-deleting PowerShell script containing a large byte array of 64-bit shellcode that it copies into the PowerShell process’s memory and executes with a call to CreateThread. This script differs slightly from publicly reported samples in that the commands following the byte array are base64 encoded, possibly to evade security products. While previous analyses saw PowerSniff downloaded from online sources and executed, Gigamon ATR incident response partners recorded the attackers launching the initial PowerShell script via WMIC,” researchers wrote.

In its initial stage, BADHATCH locates the embedded DLL in order to execute the injection, which creates a local event job. “On startup, and every 5 minutes thereafter, the sample beacons to a hardcoded command and control (C2) IP (149.28.203[.]102) using TLS encryption, and sends a host identification string derived from several system configuration details and formatted as %08X-%08X-%08X-%08X-%08X-SH. Only the one hardcoded IP address and no C2 domains were observed,” the report said.

BADHATCH reportedly contains no methods for sandbox detection, differentiating it from PowerSniff. Additionally, “it includes none of the environmental checks to evaluate if it is running on possible education or healthcare systems and has no observed built-in, long-term persistence mechanisms.”

One of the more important tools in the FIN8 toolkit is the component that retrieves credit card numbers as they pass through payment-card processing systems, the report said. Breaking down FIN8’s information collection process, the researchers explained that the malicious actors first deploy the non-persistent BADHATCH reverse shell to the server and then issue commands to each POS system in a target list before executing the PoSlurp.B PowerShell script.
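The beacon behaviour quoted above (a connection to one hardcoded address every 5 minutes, plus a host identifier of the form %08X-%08X-%08X-%08X-%08X-SH) is something a defender can hunt for in outbound connection logs. The Python below is an added example, not code from Gigamon ATR or its report: the log lines are constructed, the only value taken from the report is the C2 address, and the tolerance and minimum-hit thresholds are assumptions.

```python
"""Hunt for BADHATCH-style fixed-interval beaconing and host-ID strings."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Host-identification format reported by Gigamon ATR: five 8-digit upper-case
# hex fields (C's %08X) joined by dashes and a literal "SH" suffix.
HOST_ID_RE = re.compile(r"^(?:[0-9A-F]{8}-){5}SH$")

# Constructed sample log: "<iso time> <source host> <destination ip> <port>".
# 149.28.203.102 is the single hardcoded C2 address named in the report;
# 52.0.0.10 stands in for ordinary, irregular traffic.
SAMPLE_CONN_LOG = """\
2019-07-22T10:00:02Z WS-17 149.28.203.102 443
2019-07-22T10:01:15Z WS-17 52.0.0.10 443
2019-07-22T10:05:01Z WS-17 149.28.203.102 443
2019-07-22T10:07:44Z WS-17 52.0.0.10 443
2019-07-22T10:10:03Z WS-17 149.28.203.102 443
2019-07-22T10:15:02Z WS-17 149.28.203.102 443
2019-07-22T10:19:30Z WS-17 52.0.0.10 443
2019-07-22T10:20:01Z WS-17 149.28.203.102 443
"""


def is_badhatch_host_id(s: str) -> bool:
    """True if s matches the %08X-%08X-%08X-%08X-%08X-SH identifier format."""
    return HOST_ID_RE.fullmatch(s) is not None


def parse_conn_log(text):
    """Group connection timestamps by (source, destination, port)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst, port = line.split()
        flows[(src, dst, int(port))].append(
            datetime.fromisoformat(ts.replace("Z", "+00:00")))
    return flows


def find_beacons(text, period_s=300.0, tolerance_s=15.0, min_hits=4):
    """Return [(src, dst, port, mean_gap_seconds)] for flows whose gaps between
    connections cluster tightly around period_s (300 s = the reported 5 minutes).

    Both the mean gap and its spread must sit within tolerance_s, so bursty
    or irregular traffic to a popular host is not flagged.
    """
    hits = []
    for (src, dst, port), times in parse_conn_log(text).items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if abs(mean(gaps) - period_s) <= tolerance_s and pstdev(gaps) <= tolerance_s:
            hits.append((src, dst, port, mean(gaps)))
    return hits


if __name__ == "__main__":
    for src, dst, port, gap in find_beacons(SAMPLE_CONN_LOG):
        print(f"{src} -> {dst}:{port} beacons roughly every {gap:.0f} s")
    print(is_badhatch_host_id("0000000A-DEADBEEF-12345678-9ABCDEF0-00000001-SH"))
```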

Source: Information Security Magazine

Lancaster University Confirms Data Breach, Applicants Targeted

Lancaster University has confirmed that it was “subject to a sophisticated and malicious phishing attack” which resulted in breaches of student and applicant data.

This has led to undergraduate student applicant data records for 2019 and 2020 being accessed, including names, addresses, telephone numbers and email addresses. Lancaster confirmed in its statement that it was “aware that fraudulent invoices” were being sent to some undergraduate applicants and has warned applicants to be aware of any suspicious approaches.

Also breached was Lancaster’s student records system. “At the present time we know of a very small number of students who have had their record and ID documents accessed,” it confirmed.

Its statement said that it “acted as soon as we became aware that Lancaster was the source of the breach on Friday” and immediately reported the issue to the Information Commissioner’s Office.

“Since Friday we have focused on safeguarding our IT systems and identifying and advising students and applicants who have been affected,” it said.

A spokesperson for the Information Commissioner’s Office said that the incident had been reported to them, and it was currently assessing the information provided.

The news follows the announcement that over 60 US colleges had been compromised after hackers exploited a vulnerability in popular ERP software.

Ed Macnair, CEO of Censornet, said that this proves how targeted cyber-criminals are becoming in their hacking methods, and how any and all sectors are now at constant risk. “The attack happened through the ever persisting phishing method,” he said. “This kind of data allows criminals to carry out attacks like credential stuffing, where hackers attempt to log in to a number of an individual's accounts with the intent to access card details that have been linked to certain accounts.

“This attack highlights how absolutely any organization is now vulnerable to being hacked, so more vigilance, education, and sophisticated protection is required.”  

Source: Information Security Magazine

Iranian Threat Group Targets LinkedIn Users

Iranian threat actors are believed to be behind a phishing campaign that is masquerading as a member of Cambridge University to target users of LinkedIn, according to FireEye.

"In June 2019, FireEye devices detected a large phishing campaign from APT34 targeting Middle East critical infrastructure, telecom, and oil and gas entities. This campaign is consistent with the overall Iranian targeting of the energy sector that we’ve seen dating back to at least 2012. Further, this activity is representative of Iran's overarching efforts to collect strategic information of relevance to its national interests. With increasing geopolitical tensions between the U.S. and Iran and the introduction of new sanctions, we expect Iran to continue to increase the volume and scope of its cyber-espionage campaigns," FireEye's principal analyst, cyber-espionage analysis, Cristiana Brafman Kittner wrote in an email.

In addition, the behavior aligns with elements of activity reported as OilRig and Greenbug by various security researchers who have attributed those attacks to APT34. "This threat group has conducted broad targeting across a variety of industries operating in the Middle East; however, we believe APT34's strongest interest is gaining access to financial, energy, and government entities,” researchers wrote.

Victims received a message from "Rebecca Watts", a bogus member of the research staff at Cambridge University.

Credit: FireEye

These types of attacks have been seen across social media platforms, whereby criminals attempt to gain a foothold into the network or infrastructure by inducing users to click on malicious links or to download compromised files.

“Organizations and nation-states should be prepared for what is already to all intents and purposes a war. Cybercrime, much like any other form of criminal activity, is either motivated by monetary gains or by political interests, or – more often – by both,” said DomainTools’s senior security advisor Corin Imai.  

“Both private and public organizations should be investing in their employees’ cybersecurity training. As threats continue to evolve, having a solid foundational understanding of the best practices to stay safe online is the most effective way to create a first line of defense. In the current climate, organizations can no longer compromise on their security efforts, which should be holistic and account for both technical vulnerabilities and for human ones,” said Imai.

Source: Information Security Magazine

We “Cannot Stop Cyber-Attacks,” Say Over 40% of UK Orgs

More than 40% of UK organizations believe cyber-attackers can infiltrate their networks at every attempt, according to new research from CyberArk.

CyberArk surveyed 1000 global organizations and detailed its findings in the CyberArk Global Advanced Threat Landscape Report 2019. The firm discovered that while UK organizations view privileged access security as a core component of an effective cybersecurity program, understanding has not yet translated to action.

For example, only 45% of those polled have a privileged access security strategy in place for protecting business-critical applications, and the same proportion for cloud infrastructure, with even fewer having a strategy for DevOps (28%) or IoT (20%).

What’s more, only 17% of respondents understood that privileged accounts, credentials and secrets exist in containers.

UK organizations ranked hackers (74%), organized crime (57%), hacktivists (46%) and privileged insiders (42%) among the greatest threats to critical assets.

Rich Turner, SVP EMEA, CyberArk said: “These findings are sober reading for businesses and cybersecurity practitioners. Despite the vast sums being spent on cybersecurity, it’s clear that businesses have very little confidence in their ability to defend themselves from cyber-attacks, protect their most critical assets, or their value creation activities. UK businesses need to be on the front foot with security, know what is most valuable to them, how it may be attacked and how to protect it while ensuring their cyber-strategy supports collaboration and innovation.

“Proactive cybersecurity strategies have to be implemented wherever critical data and assets live, specifically to manage and secure the privileged credentials that are fundamental to their operation. This is the most valuable step security teams can take to support wider business initiatives in today’s digital economy.”

Source: Information Security Magazine

Pen Tests Show Passwords Still a Security Problem

Passwords continue to be a top security challenge for organizations, with penetration testers revealing that they can easily guess passwords in the majority of their engagements, according to the 2019 Under the Hoodie report published by Rapid7.

The new report, which documents the results of 180 pen tests carried out from September 2018 through May 2019, highlights the most common external and internal weaknesses present in companies. Sample findings showed that password management continues to be a problem: in 72% of engagements, hackers were able to compromise one password, and of those, 60% were easily guessed passwords.

In its fifth year, the report shows year-over-year progress. The data suggests that basic network segmentation controls between internal and external networks are generally effective, particularly when looking at migration to the cloud for externally accessible resources. 

In only 21% of the attempts at an externally based engagement were hackers able to gain internal LAN access. The numbers decreased significantly for web-application–specific engagements, where hackers were rarely to never successful (under 3%) at achieving a total site-wide compromise. Over 70% of web applications were hosted somewhere other than the client's data center, making an attacker’s path far more complex.

“The traditional 'external compromise' test, where the client wants to ferret out their weaknesses and exposures that are exposed to the general internet, is the most popular scoping choice, accounting for just about 40% of the engagements surveyed,” according to the report.

“This makes sense, since most clients are concerned about external bad actors – the criminal hackers that don't already have some reach into the internal network and are seeking some kind of leverage over the target to execute whatever criminal enterprise they're involved in.”

Once attackers gain a foothold, the next task is to leverage access to more and better systems across the internal network. Increasingly attackers are veering away from using PowerShell to gain a foothold because its restrictions are “becoming increasingly common in enterprise Windows networks, and while attackers got a lot of mileage in years past with PowerShell, those techniques seem to be falling by the wayside in 2019,” the report said.

Source: Information Security Magazine

New Laws in Asia Pacific Impact Threat Landscape

The Chinese government is enabling law enforcement and the military to monitor citizen behavior through advanced artificial intelligence and video surveillance, according to Charity Wright, a former NSA analyst and now a cyber threat intelligence analyst at IntSights Cyber Intelligence, who presented at the Asia Pacific & Japan 2019 RSA Conference.

In her presentation, Dark Consequences: How New Laws Are Impacting the Cyberthreat Landscape, Wright said the Chinese government has developed and implemented technology that can recognize people by their facial features and movements, eye color, hair color and distinct marks in an effort to increase national security. “This technology is implemented through millions of cameras across the nation and in airports and is allegedly able to find an individual in real time and send location information to law enforcement,” Wright wrote in an email to Infosecurity Magazine.

Additionally impacting the cyber-threat landscape is Vietnam’s Cybersecurity Law of 2017, which, Wright explained, “allows the government to collect data, including encrypted data within its borders and internet infrastructure, and forces companies in Vietnam to allow the government access to all data.”

Slide from Wright's Talk on Dark Consequences

The law also limits the content allowed within Vietnam and enables the government to secure the nation against foreign and domestic threats to the people and the regime, with a focus on cyber-threats from criminals and advanced nation-state actors, Wright said.

As many of these laws enforce limitations on how citizens can use the internet, the information they can access and what business they are allowed to do, Wright said, “Some restrictions incite fear of being constantly monitored by technology and government forces and push users to the dark web for anonymity in their internet use. Many people are flocking to cryptocurrency forums and dark web tutorials for advice on how to stay anonymous, how to not be tracked by their government and how to use alternate currencies. As usership in dark web forums grows, business grows. The deep web is often a gateway to criminal forums and markets that clear-web users would not be exposed to.”

Source: Information Security Magazine