
Archive for the News Category

Bug Hunting Is Cybersecurity's Skill of the Future


The vast majority of white hat hackers who reported that they were looking for jobs in cybersecurity said that their bug hunting experience helped them land a job, according to Bugcrowd’s 2018 Inside the Mind of a Hacker report.

The report looked at the community of white hat hackers to better understand the skill sets and career aspirations of more than 750 security researchers and found that 41% of white hat hackers are self-taught. In addition, 80% of bug hunters said that their experience in bug hunting has helped them get a job in cybersecurity.

"Bug bounties have impacted my life by teaching me skills that I didn't know from doing traditional pentesting," said Phillip Wylie, a Texas-based top-performing security researcher for Bugcrowd, in today's press release. "I really enjoy being involved in the security and hacking community and I now teach ethical hacking at a community college. It's important to share knowledge in our community so we can push ourselves to be better."

“Cybersecurity isn’t a technology problem, it’s a people problem – and in the white hat hacker community there’s an army of allies waiting and ready to join the fight,” said Casey Ellis, founder and CTO at Bugcrowd in the release.

“Bug hunting is a perfect entry point for would-be infosecurity professionals to gain real-world experience, as well as for seasoned professionals to hone their skills and supplement their income. With cybercrime expected to more than triple over the next five years, bug hunting addresses the dire need for security skills at scale.”

A career in bug-hunting can be quite lucrative, with the research showing that the average total payouts for the top 50 hackers totaled around $150K, with the average submission payout coming in at $783. While hackers are finding and submitting plenty of bugs, 15% of hackers have the ambition of being a top security engineer at tech giants like Google and Facebook, yet only 6% have the desire to someday be a CISO.

Some hackers (24%) only spend an average of 6–10 hours a week bug hunting, which could be a function of the fact that more than half of the white hat hacker community are hunting bugs on top of their regular 9–5 positions.

The report also highlighted the continued gender imbalance that plagues the industry, with women representing a mere 4% of the global hacking community.

Source: Information Security Magazine

Microsoft, PayPal and Google Top the Brands Hit by Phishing


Email phishing continues to be the most common method of attack, and according to new research from Comodo Cybersecurity, Microsoft, PayPal and Google are the top three brands most targeted by phishing.

In its Global Threat Report 2018 Q3, researchers in Comodo’s threat research lab found that phishing represents one of every 100 emails received by enterprises, with 19% of those attacks targeting Microsoft, followed by 17% targeting PayPal and 9.7% going after Google.

According to the report, 63% of the emails a business receives are clean, while 24% are spam, and only 1.3% of business emails are phishing attempts. Of those, there were three subject lines that were used with great frequency.

In 40% of the phishing emails examined, the subject line was related to PayPal and read, “Your account will be locked.” Another 10% of phishing emails targeted FedEx and read “Info,” while the third-most popular headline, “August Azure Newsletter,” appeared in 8% of the phishing emails and targeted Microsoft.

While malicious attachments remain the top method of infection, phishing URLs are also gaining popularity and represent 40% of the total phishing emails analyzed. In one example, researchers discovered an email claiming to be a survey of that Azure newsletter. The message contained what appeared to be an authentic URL and Microsoft logo, which made it very difficult for users to determine whether it was legitimate. If users clicked on the link, they were delivered to a malware-laden web page, where they were covertly infected.

The report also found that there was a surge in malware deployment in advance of major national elections across the globe, as well as correlations of malware detection both prior to and immediately following geopolitical crises.

“These correlations clearly stand out in the data, beyond the realm of coincidence,” said Fatih Orhan, VP of Comodo's cybersecurity threat research labs. “It is inescapable that state-actors today employ malware and other cyber-threats as both extensions of soft power and outright military weapons, as do their lesser-resourced adversaries in asymmetric response.”

Source: Information Security Magazine

Campaign Targets Critical Russian Infrastructure


In a campaign that has lasted at least three years, financially motivated attackers have been targeting Rosneft, a state-owned Russian oil company, according to new threat intelligence published by Cylance.

In its Threat Intelligence Bulletin, researchers discovered that ordinary criminals – not state-sponsored actors – were behind the attacks on the predominantly Moscow-owned company. Anticipating that researchers would assume that the campaign was a nation-state attack on the critical infrastructure of a company that holds enormous political influence in Russia, these cyber-criminals were well camouflaged, making attribution all the more challenging.

Upon investigating the command-and-control (C&C) domains used by the malware authors, researchers learned that “the threat actor had created similar sites to mimic more than two dozen mostly state-owned oil, gas, chemical, agricultural, and other critical infrastructure organizations, in addition to major Russian financial exchanges,” according to the research.

The attackers used Microsoft Office macros to deliver malicious implants to their targets throughout their extensive phishing campaign. Through analyzing several samples of the malware, researchers discovered a backdoor, programmed in Delphi, that shared IP address and hostname information in its communication over HTTP with two C&C servers.

“The backdoor had the ability to upload and download files, manipulate files and folders, compress and decompress files using ZLIB, enumerate drive information and host information, elevate privileges, capture screenshots and webcam pictures, block and/or simulate user input, log keystrokes, and manipulate processes on the infected system,” the bulletin said.

“Business email compromises like the one seen in this attack are, according to the FBI, big business – costing victims $12 bn globally in 2018 alone,” said Kevin Livelli, director of threat intelligence at Cylance.

“Organizations outside the specific target set of this attack should be alert to the fact that the techniques and targeting we normally associate with state or state-sponsored espionage efforts are also being used by ordinary criminals (even lone actors) motivated by financial gain. Targeted attacks come in all flavors – including crime – and defenders should be vigilant to this fact and resist jumping to conclusions when they see activity that might otherwise scream 'APT.'”

Source: Information Security Magazine

Operation Sharpshooter Targets Nuke and Defense Firms


Security researchers have discovered a major targeted attack campaign aimed at stealing info from scores of mainly English-speaking organizations around the world and using source code from the infamous Lazarus Group.

What McAfee has dubbed “Operation Sharpshooter” targets government, defence, nuclear, energy and financial organizations, mainly in the US but also the UK, Canada, Australia, New Zealand, Russia, India and elsewhere.

Some 87 organizations have so far been found to be infected with the Rising Sun implant, a modular backdoor which allows the attackers to perform reconnaissance by accessing sensitive information including documents, usernames, network configuration and system settings.

Although not previously seen, the implant draws on source code from the Lazarus Group’s 2015 backdoor Trojan Duuzer, used in the notorious attack on Sony Pictures Entertainment. However, McAfee is not attributing the campaign to North Korea — in fact, the “numerous technical links” to the group raise the possibility that this is a false flag, it claimed.

The initial attack vector is fairly standard: a weaponized macro-based document which, when opened, runs an in-memory implant to download and retrieve the second-stage Rising Sun malware.

Any data of interest is encrypted and sent back to the C&C server. It’s unclear whether the operation will stop at reconnaissance or if this is just the first stage in a multi-layered sophisticated campaign.

“Operation Sharpshooter is yet another example of a sophisticated, targeted attack being used to gain intelligence for malicious actors,” argued McAfee chief scientist and fellow, Raj Samani.

“However, despite its sophistication, this campaign depends on a certain degree of social engineering which, with vigilance and communication from businesses, can be easily mitigated. Businesses must find the right combination of people, process and technology to effectively protect themselves from the original attack, detect the threat as it appears and, if targeted, rapidly correct systems.”

Source: Information Security Magazine

AI Set to Supercharge Phishing in 2019


The coming year will see a mix of old and new as phishing is supercharged with AI but reported vulnerabilities continue to cause organizations problems, according to Trend Micro.

The security giant claimed in its predictions report this week that phishing will continue to grow in popularity as exploit kits fade. The number of detections of the latter has fallen from over 14.4 million in 2015 to just 261,000 today, while blocked phishing URL volumes have jumped from 8.1 million to over 210 million over the same time period.

However, attackers will be looking to make phishing even harder to detect, via new tactics such as using AI to monitor executives’ online behavior, and AI-enabled chatbots to lure users into clicking on malicious links.

Another social engineering-based attack set to hit the mainstream in 2019 is SIM-swap fraud, according to the vendor.

However, despite some relatively new tools and techniques breaking onto the scene, it is the tried-and-tested options that remain a major threat over the coming year.

These include exploitation of known vulnerabilities: 99.99% of exploit-based attacks will involve vulnerabilities for which patches have been available for weeks or even months but have not been applied, predicted Trend Micro.

Many of these will be found in OT systems like SCADA human machine interfaces, as well as newer systems like Kubernetes and other cloud software.

Hackers will also respond to the increasing use of AI by the white hats to try and stay hidden by “living off the land,” according to principal security architect, Bharat Mistry.

“By repurposing standard computing objects for reasons other than their intended purposes — such as unconventional file extensions or online storage services — the threat actor’s arsenal will evolve significantly, and enable them to intelligently camouflage within the corporate network,” he explained.

“In 2019, as cyber-criminals look to infiltrate sites under the radar, it’s imperative that enterprises implement comprehensive security solutions that are able to spot disguised profiling attempts.”

Source: Information Security Magazine

Amplification Bots Retweet Misinformation


Amplification bots spread both information and misinformation across Twitter's social network through retweets, and according to new research from Duo Security, these bots not only affect how content spreads but also how the information is perceived.

Published today, Anatomy of Twitter Bots: Amplification Bots, by Jordan Wright and Olabode Anise, details the characteristics that make up amplification bots based on a data set of 576 million tweets. The researchers also looked at how to build a crawler that can map out entire botnets of this kind.

The research is the culmination of a three-part series that began at Black Hat 2018 with "Don’t @ Me: Hunting Twitter Bots at Scale" and was followed by a more detailed explanation of how fake followers operate.

The focus in this final part of the series is on automated retweeting. Because retweeting is what boosts an account's popularity, amplification bots are concerning from an information security perspective. “Automated retweeting of a tweet [is considered] to be more damaging to social network conversation, since it actively spreads content as opposed to just artificially boosting the content’s popularity,” the authors wrote.

Determining which accounts are bots and which are authentic took a bit of work, though. In essence, researchers had to distinguish different patterns of likes and retweets from a wide sampling of accounts.

“We found that an average account’s timeline is composed 37.6 percent of retweets while the 90th percentile was composed of 75 percent of retweets. Because our dataset of tweets does include accounts that exhibit bot-like characteristics, it’s important to note that the overall distribution of retweets in an account’s timeline may be affected by their behavior.”

The research suggested that a key factor distinguishing bots from genuine user accounts is found in the timeline: genuine users tend to retweet in consecutive order, while bot activity is more scattered. After establishing these baselines, the researchers set out to find bots, as seen in the image below:

Credit: Duo Security

“The account’s most recent (re)tweet has 969 retweets and 164 likes, which is strange. Most tweets with that many retweets won’t have a retweet-to-like ratio of almost 6:1. To put some numbers to how rare this is, only 0.2 percent of tweets in our dataset had more than at least 900 retweets and a similar retweet-to-like-ratio,” researchers wrote.
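The two heuristics quoted above (the share of an account's timeline that is retweets, and an unusually high retweet-to-like ratio on a heavily retweeted post) can be turned into a simple triage check. The following is an added example and is not code from the Duo Security research; the thresholds are assumptions derived from the figures in the article (75 percent retweet share at the 90th percentile, roughly 900 retweets at a near 6:1 retweet-to-like ratio), and the timelines are constructed sample data rather than real Twitter accounts.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class Tweet:
    """One entry in an account's timeline (constructed shape, not the Twitter API object)."""
    is_retweet: bool
    retweet_count: int
    like_count: int


# Thresholds are assumptions based on the numbers quoted in the article.
RETWEET_SHARE_P90 = 0.75       # 90th percentile of retweet share in the Duo dataset
HIGH_RETWEET_COUNT = 900       # "more than ... 900 retweets" in the quoted example
SUSPICIOUS_RT_TO_LIKE = 5.0    # the quoted example is 969:164, about 5.9:1


def retweet_share(timeline: List[Tweet]) -> float:
    """Fraction of timeline entries that are retweets rather than original posts."""
    if not timeline:
        return 0.0
    return sum(1 for t in timeline if t.is_retweet) / len(timeline)


def retweet_like_ratio(tweet: Tweet) -> float:
    """Retweets per like; a tweet with zero likes is treated as having one to avoid division by zero."""
    return tweet.retweet_count / max(tweet.like_count, 1)


def amplification_signals(timeline: List[Tweet]) -> List[str]:
    """Return human-readable reasons an account looks like an amplification bot.

    The timeline is assumed to be ordered newest first, so timeline[0] is the
    most recent (re)tweet, matching the article's description.
    """
    signals = []
    share = retweet_share(timeline)
    if share >= RETWEET_SHARE_P90:
        signals.append(f"retweet share {share:.0%} is at or above the 90th percentile")
    if timeline:
        latest = timeline[0]
        ratio = retweet_like_ratio(latest)
        if latest.retweet_count >= HIGH_RETWEET_COUNT and ratio >= SUSPICIOUS_RT_TO_LIKE:
            signals.append(
                f"latest tweet has {latest.retweet_count} retweets at a "
                f"{ratio:.1f}:1 retweet-to-like ratio"
            )
    return signals


# Constructed sample timelines (newest first). SUSPECT mirrors the article's
# example of a heavily retweeted post with few likes; NORMAL is an ordinary mix.
SUSPECT = [Tweet(True, 969, 164)] + [Tweet(True, 300, 40) for _ in range(8)] + [Tweet(False, 2, 5)]
NORMAL = [Tweet(False, 40, 120), Tweet(True, 15, 60), Tweet(False, 3, 9),
          Tweet(True, 22, 70), Tweet(False, 1, 4), Tweet(False, 0, 2),
          Tweet(True, 500, 1200), Tweet(False, 5, 11), Tweet(False, 2, 7),
          Tweet(False, 8, 30)]

if __name__ == "__main__":
    for name, tl in (("suspect", SUSPECT), ("normal", NORMAL)):
        print(name, amplification_signals(tl) or ["no amplification signals"])
```

Both checks are only triage signals: a viral post from a genuine account can briefly show a skewed ratio, which is why the research combines several characteristics before labelling an account and then crawls the retweeters of flagged posts to map the wider botnet.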

Finding one bot then opened the door to the discovery of many more amplification bots, which have the potential to undermine the credibility of retweets, though separating legitimate information from misinformation remains a challenge.

Source: Information Security Magazine

House Report Says Equifax Breach Was Preventable


The US House of Representatives Committee on Oversight and Government Reform released its report on the Equifax breach. It found that the lack of modernized security controls combined with dozens of expired certificates created vulnerable systems and resulted in the data breach of 143 million records.

The cyberattack that started on May 13, 2017, lasted for 76 days, during which time malicious actors were able to access and exfiltrate unencrypted personally identifiable information hundreds of times, according to the report.

The breach resulted in CEO Richard Smith announcing his retirement on September 26, 2017, a little over a month after he had delivered a speech at the University of Georgia in which he explained that the company manages massive amounts of very unique data.

Smith stated: “We have data on approaching 100 million companies around the world. The data assets are so large, so unique it is…credit data, it is financial data – we have something like $20 trillion of wealth data on individuals, so how many annuities, mutual funds, equities you own. About $20 trillion on property data, so property that you might own – what the value was when you bought it, what it’s worth today. Utility data, marketing data, I could go on and on and on – but massive amounts of data.”

According to the committee’s findings, “Equifax should have addressed at least two points of failure to mitigate, or even prevent, this data breach. First, a lack of accountability and no clear lines of authority in Equifax’s IT management structure existed, leading to an execution gap between IT policy development and operation.”

“This also restricted the company’s implementation of other security initiatives in a comprehensive and timely manner. As an example, Equifax had allowed over 300 security certificates to expire, including 79 certificates for monitoring business critical domains.”

In addition, building critical IT applications on custom-built legacy systems added to the complexity of Equifax’s systems, which was addressed too late to prevent the breach. The report noted that Equifax understood that operating legacy IT systems posed inherent security risks, as was evidenced by the company’s action to modernize its infrastructure – steps that should have been taken much sooner.

The committee concluded that “Equifax failed to fully appreciate and mitigate its cybersecurity risks. Had the company taken action to address its observable security issues prior to this cyberattack, the data breach could have been prevented.”

Source: Information Security Magazine

Middle East Servers Targeted in Saipem Cyber-Attack


Oil services company Saipem, based in Milan, Italy, was the victim of a cyber-attack that appears to be targeting servers in the Middle East, according to reports from Reuters.

The attack targeted servers in Saudi Arabia, the United Arab Emirates and Kuwait, while the servers in Italy, France and Britain remain unaffected, according to Saipem’s head of digital and innovation, Mauro Piasere. The origin of the attack has not yet been determined.

“The servers involved have been shut down for the time being to assess the scale of the attack,” Piasere told Reuters.

Information Security tried to contact Saipem; at the time of writing, the company had not responded. The company did share an announcement on its website in which it stated:

“We are collecting all the elements useful for assessing the impact on our infrastructures and the actions to be taken to restore normal activities. We are also in the process of notifying the report of the incident to the competent authorities.”

A small Aberdeen, Scotland, office is the only European site affected by the attack, which has impacted 400 servers that remain down as the company investigates, according to Bloomberg Law.

“It's still too early to tell, but given Saipem's position as a trusted third-party supplier to Saudi Aramco, an educated guess would be that the adversary is the same one that attacked Saudi Aramco in the past – which points to the destructive Shamoon attacks of 2012 and 2016, now widely attributed to Iran," said Phil Neray, VP of industrial cybersecurity at CyberX.

Earlier this year, Saipem announced that it was looking to transition from oil and gas construction to offshore and wind energy, Energy Voice reported. To that end, it has invested $55m into technological innovation, though it is unclear what percentage of that investment is slated for cybersecurity.

Source: Information Security Magazine

Quarter of NHS Trusts Have No Security Pros


New research has revealed a dearth of qualified cybersecurity staff in the NHS and low levels of spending on in-house training for employees.

RedScan received Freedom of Information (FOI) responses from 159 trusts between August and November.

It found that nearly a quarter of trusts have no qualified security professionals working in-house despite some of them employing as many as 16,000 staff.

Although some of this security work is outsourced by the health service, RedScan director of cybersecurity, Mark Nicholls, claimed that security specialists should still number more than the average of one per 2628 employees revealed by the research.

“There’s no magic number. Every organization has a responsibility to assess its cybersecurity risk and make a judgement call about the number of trained professionals it needs. Factors to consider include the size of the network, number of employees, systems in use, plus the type and quantity of data stored,” he told Infosecurity.

“When you consider how big a target the NHS is, how diverse and interconnected its networks are and how many people rely on healthcare services day-to-day, it’s pretty clear that trusts lack the specialist skills required. The fact that several trusts with more than 10,000 employees had no security professionals whatsoever is a great concern.”

What’s more, trusts spent an average of only £5356 on data security training over the past 12 months, with GDPR understandably the most common course type undertaken. However, this average figure hides a wide disparity in spending, with some trusts forking out just £238 and some as much as £78,000.

Trusts are also failing to meet minimum standards on information governance (IG) training, with NHS Digital requiring 95% of all staff to pass such training every 12 months, according to RedScan. Unfortunately, just 12% of trusts that sent back FOI answers had met this target, with the majority having trained 80-95% of staff.

However, a quarter had trained less than 80%, with some claiming less than half had been sent on IG courses.

The healthcare sector accounted for 43% of all data breach incidents reported to the ICO between January 2014 and December 2016, although this figure may be relatively high because of mandatory reporting requirements in the sector.

It added another 619 incidents in Q2 2018/19 alone, including 420 labelled as “disclosure of data” and 190 security-related.

Source: Information Security Magazine

NHS Fax Ban Set to Improve Security from 2020


The NHS will be banned from buying any more fax machines from next month as the government looks to upgrade the health service to more modern and secure communications platforms.

Health secretary Matt Hancock has also ordered a complete ban on their use by March 2020, as part of a plan to bring the NHS into the 21st century.

According to a Freedom of Information (FOI) request from the Royal College of Surgeons (RCS) in July, the NHS in England still uses over 8000 fax machines.

“We’ve got to get the basics right, like having computers that work and getting rid of the archaic fax machines still used across the NHS when everywhere else got rid of them years ago,” he said in a statement.

“I am instructing the NHS to stop buying fax machines and I’m setting a deadline for getting rid of them altogether. Email is much more secure and miles more effective than fax machines. The NHS can be the best in the world — and we can start with getting rid of fax machines.”

Richard Kerr, chair of the RCS Commission on the Future of Surgery, welcomed the news.

“Advances in artificial intelligence, genomics and imaging for healthcare promise exciting benefits for patients,” he argued. “As these digital technologies begin to play a bigger part in how we deliver healthcare it is crucial that we invest in better ways of communicating the vast amount of patient information that is going to be generated.”

Tony Pepper, CEO of Egress Software, highlighted the security risks associated with using fax machines.

“Fax machines provide a large surface area for human error and consequently data breaches when used to transfer sensitive data, as they can’t offer assurance over how the data is picked up and used at the receiving end, or a safety net to allow for user error when dialing,” he explained. “When used to transfer confidential information, there is a significant risk of a data breach.”

However, care will be needed to ensure sensitive data is encrypted when shared outside the health service via email, for example with patients, Pepper added.

Research from Check Point in August also pointed to a possible new attack vector exploiting vulnerabilities in a common implementation of the fax protocol, which could even allow hackers to infiltrate corporate networks via these machines.

Source: Information Security Magazine