Archive for the News Category

Travelex Begins Reboot as VPN Bug Persists

Under-fire foreign currency firm Travelex has claimed its first customer-facing services in the UK have gone live after a crippling ransomware attack in December, with experts suggesting an unpatched VPN bug may have been to blame.

The London-headquartered business has been slammed by customers after the suspected Sodinokibi (REvil) ransomware struck on December 31, forcing it to take systems offline as a precautionary measure.

Several complained that the foreign currency they ordered and paid for online is unavailable, leaving them out of pocket. The outage affected not just Travelex’s websites but its bricks-and-mortar outlets and services it provides to major UK high street banks such as Barclays and RBS.

However, the firm claimed in an update on Friday it has been working hard this month to restore online and customer-facing systems.

“On 17 January 2020, we confirmed that the first of our customer-facing systems in the UK were live and that the phased restoration of our systems globally was now firmly underway. We are prioritizing the UK as this is our single largest market,” it said.

Although unconfirmed, security experts believe that an unpatched critical vulnerability in Pulse Secure VPNs (CVE-2019-11510) may have allowed attackers to remotely execute malicious code on Travelex IT systems.

Troy Mursch of Bad Packets claimed to have reached out to the firm in September to flag the software flaw, which has a CVSS score of 10.0, but received no response.

On Friday, he said that there are still over 3000 vulnerable Pulse Secure VPN servers out there. That’s bad news because the bug is seeing “wide exploitation,” despite the fact that a patch has been available since April 2019, according to the US Cybersecurity and Infrastructure Security Agency (CISA).

“A remote, unauthenticated attacker may be able to compromise a vulnerable VPN server. The attacker may be able to gain access to all active users and their plain-text credentials,” CISA said of CVE-2019-11510.

“It may also be possible for the attacker to execute arbitrary commands on each VPN client as it successfully connects to the VPN server.”

Although Travelex maintains that there is “no evidence that any data has left the organization,” the hackers behind the $6 million ransom demand have claimed they exfiltrated 5GB of sensitive customer data last year.

Source: Information Security Magazine

London Councils Lose Nearly 1300 Devices Over Three Years

The number of London councils reporting lost or stolen mobile computing devices has more than doubled over the past three financial years, according to new Freedom of Information (FOI) data.

Think tank Parliament Street compiled responses from 23 out of the 31 local borough councils that operate across the UK capital.

It found that a total of 1293 devices were lost or stolen over the three financial years from 2016, including laptops, mobile phones and tablets. The figure jumped from 304 in 2016-17 to 635 in 2018-19, a 109% increase.

Phones went missing most often, accounting for 951 lost or stolen devices over the period. The figure rose 122%, from 215 in 2016-17 to 478 in 2018-19.

Laptop losses also almost doubled over the period, from 64 to 124, while tablet losses increased slightly from 26 to 33.

Lambeth was most affected by missing devices, recording 281 losses, 84% of which were mobile phones. Next came Richmond and Wandsworth (123) and Brent (170). Richmond and Wandsworth, which reported together, saw a 666% increase in lost and stolen devices, while the figure stood at 74% in Brent.

Absolute Software EMEA VP, Andy Harcup, warned that the rise of flexible working combined with opportunistic thieves is increasing the risk of confidential public sector data going missing.

“If said device ends up in the wrong hands, these councils and the constituents they serve could be facing severe consequences, including a major data breach with citizen details finding their way onto the dark web,” he added.

“It's time for all organizations to wake up to the very real risks posed by stolen devices in terms of data security. Every single council should have robust end-point security measures in place to ensure that devices reported missing can be accessed, tracked, deleted and frozen appropriately.”

Source: Information Security Magazine

Citrix Patches ADC Bug as Attacker Hoards Access

Citrix has begun issuing patches for a serious vulnerability in its Application Delivery Controller (ADC) product which experts have warned is being exploited in the wild.

The tech giant revealed the CVE-2019-19781 bug in ADC and its Citrix Gateway back in December. If successfully exploited, it could allow an unauthenticated attacker to perform arbitrary code execution.

Although the firm announced a series of mitigations to help protect customers as it readied a permanent fix, researchers claimed to have discovered tens of thousands of users that were still exposed, including high value targets across verticals including finance, government and healthcare.

Part of the problem appeared to be that not all of these mitigations worked as intended. The Dutch authorities urged businesses to disable Citrix systems altogether.

With proof-of-concept exploits appearing online in recent days and reports of active attacks, Citrix appeared to accelerate the process of readying patches.

Permanent fixes for ADC versions 11.1 and 12.0 are now ready and it has “moved forward” availability dates for other versions 12.1, 13 and 10.5 to January 24. Its Citrix SD-WAN WANOP product will also be patched on the same day.

The news comes as FireEye warned it had spotted “dozens of successful exploitation attempts” against ADC deployments that had not put in place temporary pre-patch mitigations.

One particular payload, which it named “NotRobin,” appears to be hoarding access to exposed Citrix systems.

“FireEye believes that the actor behind NotRobin has been opportunistically compromising NetScaler devices, possibly to prepare for an upcoming campaign. They remove other known malware, potentially to avoid detection by administrators that check into their devices after reading Citrix security bulletin CTX267027,” FireEye explained.

“NotRobin mitigates CVE-2019-19781 on compromised devices but retains a backdoor for an actor with a secret key. While we haven’t seen the actor return, we’re skeptical that they will remain a Robin Hood character protecting the internet from the shadows.”

Source: Information Security Magazine

Fidelis Cybersecurity Acquired by Skyview Capital

An American company dedicated to thwarting cyber-attacks has been snapped up by a global private equity firm. 

Skyview Capital, LLC announced its acquisition of Fidelis Cybersecurity, Inc yesterday. Fidelis is located in the Maryland town of Bethesda, which a 2015 NerdWallet survey found to be the most educated place in America. 

Fidelis Cybersecurity is a leading provider of network traffic analysis and of digital forensics and incident response solutions that enable enterprises and government organizations to detect, hunt, and respond to advanced threats that evade traditional security solutions.

The company counts among its 250 employees some of the world's leading cybersecurity experts, including specialists from the US Department of Defense, the intelligence community, and industry.

Solutions developed by Fidelis are delivered as standalone network, endpoint, and deception products; an integrated platform; or as a constantly operational managed detection and response service that augments existing security operations, threat hunting, and incident response capabilities.

Fidelis was acquired from a consortium of investors in a stock transaction in a deal that serves to increase Skyview's existing software technology portfolio.

"With the ever-increasing complexity of digital environments and the pace of cyber threats across the world, we see an opportunity to build upon Fidelis' impressive technology and solidify its position within the IT security industry," said Alex Soltani, chairman and CEO of Skyview. 

"This transaction aligns well with our investment philosophy of targeting and investing in mission critical technology businesses across a wide spectrum of verticals, from telecommunications to cybersecurity."

The mission of Fidelis is not set to change as a result of the acquisition. 

Soltani said: "Skyview is committed to realizing the full value of Fidelis as a safeguard against cyber threats, and we are enthusiastic about identifying both organic and inorganic growth opportunities."

Nick Lantuh, president and chief executive officer of Fidelis Cybersecurity, sees the deal as a golden opportunity for growth. 

He said: "We are excited to partner with Skyview Capital and benefit from their ability to help us take the Fidelis platform, which provides unmatched visibility and empowers security teams to rapidly respond to threats, into other markets."

Source: Information Security Magazine

NortonLifeLock Puts Silicon Valley Real Estate Up for Sale

NortonLifeLock, formerly known as Symantec, has put ten large commercial buildings in California’s Silicon Valley on the market. 

The cybersecurity company is seeking a buyer for the properties, which are all based in the Mountain View area, close to the Google Quad Campus. The ten buildings on the market are grouped into three separate campuses, not more than a few minutes' drive from one another. 

Commercial real estate firm Cushman & Wakefield has been hired to help shift the properties, which together total 707,000 square feet. 

According to The Orange County Register, the buildings are featured in a brochure being circulated on behalf of NortonLifeLock. 

"Never before offered to the marketplace, the offering represents a generational opportunity to acquire a portfolio of 10 buildings totaling 706,737 square feet in the heart of Silicon Valley," states the brochure. 

Mountain View was the site of Symantec’s headquarters for many years, but in November the company, under its new name NortonLifeLock, relocated its operational nerve center to Tempe, Arizona. 

One of the three campuses for sale, described in the brochure as the "headquarters campus," is located at 350 Ellis Street. On this site are five buildings offering a total 428,000 square feet of office space. 

The second campus, which is made up of research and office buildings totaling 128,000 square feet, is located at 455, 487, and 501 E. Middlefield Road. The final clutch of office and research buildings, which together offer 150,000 square feet of space, is at 515 and 545 N. Whisman Road.

In an effort to keep the ten properties together, NortonLifeLock is ideally seeking a single buyer for all three campuses.

The brochure states that "it is a strong preference of the seller for one buyer to acquire the entire portfolio," however, "individual offers on the various components may be considered."

NortonLifeLock's decision to put the properties on the market comes amid a concerted effort by the company to downsize. Over the course of 2019, the company announced it would be terminating 320 jobs in Mountain View and a further 82 in San Francisco.

Source: Information Security Magazine

Teen Charged Over $50m SIM-Swapping Scam on Blockchain Experts

A teenager from Montreal is facing four criminal charges in connection with a $50m SIM-swapping scam that targeted two renowned Canadian Blockchain experts. 

Eighteen-year-old hacker Samy Bensaci is accused of being part of a crime ring that stole millions of dollars in crypto-currency by gaining unauthorized access to the cell phones of crypto-currency holders in America and Canada. 

Spokesperson for the Canadian police force, the Sûreté du Québec, Lieutenant Hugo Fournier, said the elaborate SIM-swapping cyber-fraud was responsible for the theft of "$50 million from our neighbors to the south and $300,000 in Canada."

Police say the crypto-currency thefts, which netted dozens of victims, were perpetrated by the gang in the spring of 2018. 

Among the alleged victims are renowned Toronto businessman, author, and head of the Blockchain Research Institute Don Tapscott and his son Alex, a globally recognized investor, advisor, and speaker on Blockchain technology and crypto-currencies. Together, father and son co-authored Blockchain Revolution: How the Technology Behind Bitcoin Is Changing Money, Business, and the World.

Bensaci was arrested in Victoria, British Columbia, in November and charged with fraudulently obtaining computer service, committing fraud over $5,000, identity fraud, and illegally accessing computer data. In December, the teen was released on $200,000 bail and ordered to live with his parents in northeast Montreal until his next court hearing.

According to La Presse, neighbors described Bensaci as a discreet young man who spends a lot of time on his computer.

While staying at his parents' residence, Bensaci is prohibited from accessing "any computer, tablet, mobile phone, game console, including PS3, PS4, Xbox, Nintendo Switch, or any other device capable of accessing the Internet," and banned from possessing or exchanging any form of crypto-currency. 

Many of the individuals allegedly targeted by the gang had attended the Consensus crypto-currency fair, held annually in New York.

"We suspect that hackers spot targets during such events," said American SIM-swapping victim Rob Ross. Ross, who was robbed of $1m in crypto-currency in two separate attacks by 21-year-old hacker Nicholas Truglia, now manages the website.

Ontario Provincial Police sent out an alert regarding the SIM-swap scam in November, along with a warning that fraudsters sometimes impersonate a target and falsely claim that their phone has been lost or stolen.

Source: Information Security Magazine

Oracle Issues Record CPU with 334 Patches

Oracle has hit an all-time record for number of security fixes issued in a critical patch update (CPU), providing sysadmins with over 330 in its first quarterly release of the decade.

The enterprise software giant issued 334 patches in total across more than 90 products this week. As such, January 2020 easily beats the previous largest CPU, consisting of 308 fixes in July 2017.

Oracle strongly urged firms to apply the patches as soon as possible, claiming that attacks have had success in compromising customers that failed to update their systems promptly. However, there are short-term alternatives.

“Until you apply the Critical Patch Update patches, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack,” it explained.

“Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem.”

Among the products affected by this quarter’s CPU are popular platforms including: Oracle Database Server, which featured 12 new patches including three remotely exploitable; Oracle Communications Applications (25 patches, 23 of which are remotely exploitable); Oracle E-Business Suite (23, 21); Oracle Enterprise Manager (50, 10); Fusion Middleware (38, 30); Java SE (12); JD Edwards (9); MySQL (19, 6); Siebel CRM (5); Oracle Virtualization (22, 3); and PeopleSoft (15, 12).

It’s a busy time of the year for IT administrators. Earlier this week, Microsoft released fixes for scores of vulnerabilities in the last regular Patch Tuesday for Windows 7 and Server 2008.

These included a serious bug disclosed by the NSA which could allow attackers to circumvent existing security by ‘signing’ malware with a legitimate-looking certificate.

Source: Information Security Magazine

Equifax Breach Settlement Could Cost Firm Billions

Equifax could end up paying as much as $9.5bn following a data breach settlement branded one of the largest in history by its presiding judge.

The credit reporting giant suffered a major cyber-attack in 2017 after hackers exploited an unpatched Apache Struts vulnerability, compromising highly sensitive personal and financial information on around 148 million customers.

Over two-fifths (44%) of the population of the US are thought to have been affected.

This week, a court in Georgia finally approved a settlement in the long-running class action case that followed the breach, which will require Equifax to pay $380.5m, plus potentially an extra $125m, to satisfy claims of out-of-pocket losses.

However, that’s just a small part of the overall financial impact of the ruling.

The firm has agreed to spend at least $1bn on improving its cybersecurity posture over the coming five years. It will also need to fund several years of credit monitoring from Experian and its own services for class members. That could amount to an extra $2bn if all 140 million+ customers sign up.

That’s not to mention the $6bn in credit monitoring services already being claimed by several million class members, their $77.5m in attorney fees and further amounts in litigation expenses that Equifax will need to pay.

The total could creep up towards $10bn — a cautionary tale for organizations tempted to focus on business growth at the expense of cybersecurity and risk mitigation.

“This settlement is the largest and most comprehensive recovery in a data breach case in US history by several orders of magnitude,” wrote district judge Thomas Thrash.

“The minimum cost to Equifax of the settlement is $1.38bn and could be more, depending on the cost of complying with the injunctive relief, the number and amount of valid claims filed for out-of-pocket losses and the number of class members who sign up for credit monitoring.”

Source: Information Security Magazine

Data Breach Site WeLeakInfo Suspended as Feds Swoop

The FBI has joined forces with the UK’s National Crime Agency (NCA) and other law enforcers to suspend a popular website which sells access to stolen data.

The WeLeakInfo[.]com domain was seized by the Feds after the District Court for the District of Columbia issued a warrant, although its administrators are still at large.

Although the site claimed to be focused on helping breached internet users discover if their personal data had been compromised, by selling access to billions of records it also provided a useful resource for cyber-criminals looking to launch credential stuffing, phishing and other attacks.

“The website had claimed to provide its users a search engine to review and obtain the personal information illegally obtained in over 10,000 data breaches containing over 12 billion indexed records – including, for example, names, email addresses, usernames, phone numbers, and passwords for online accounts,” a statement from the Department of Justice explained.

“The website sold subscriptions so that any user could access the results of these data breaches, with subscriptions providing unlimited searches and access during the subscription period (one day, one week, one month, or three months).”

The way it operated stood in contrast to legitimate breach notification site HaveIBeenPwned, which only lets users know if their accounts have been compromised, rather than providing access to troves of breached data.

Jake Moore, cybersecurity specialist at ESET, argued that hackers can do a great deal of damage even just with limited sets of breached emails and names.

“The big risk comes from brute force attacks, where criminals use common password combinations against emails to try and break into personal accounts,” he added.

“An incredibly large amount of people still use predictable or simple passwords. Many people's passwords are also readily available on the dark web, so it quickly and simply becomes an exercise in joining the dots for the cyber-criminals.”

The FBI is seeking any information on the owners and operators of WeLeakInfo.

Source: Information Security Magazine

Emotet Locked onto US Military and Government

New research into the latest victims of Emotet has found increased instances of the malware affecting the United States of America's government and military.

The pernicious malware, which is spread via email, has been infecting organizations all over the world since 2014. By shining a spotlight on Emotet's recent activities, researchers at Cisco Talos discovered that the US government is among the latest victims to be compromised. 

Researchers made the discovery by closely examining the patterns of outbound email associated with the malware. 

A Talos spokesperson said: "If a person has substantial email ties to a particular organization, when they become infected with Emotet the effects would manifest in the form of increased outbound Emotet email directed at that organization. 

"One of the most vivid illustrations of this effect can be seen in Emotet's relationship to the .mil (U.S. military) and .gov (U.S./state government) top-level domains (TLDs). 

"When Emotet emerged from its summer vacation back in mid-September 2019, relatively few outbound emails were seen directed at the .mil and .gov TLDs. But sometime in the past few months, Emotet was able to successfully compromise one or more persons working for or with the U.S. government."

The malware's successful compromise of at least one US government employee led to what researchers described as a "rapid increase" in the number of infectious Emotet messages directed at the .mil and .gov TLDs in December 2019.

Following a brief spot of respite over the winter holidays, Emotet is once again causing trouble. Cisco Talos said that the upward trend in the quantity of messages directed at .mil and .gov had "continued into January 2020."

Emotet works by stealing someone's email, then impersonating the victims and sending copies of itself in reply. The malicious emails are delivered through a network of stolen SMTP accounts. 

Recipients, conned into thinking that they are receiving a message from a friend or professional colleague, open the email and are then infected.
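The Talos observation above, that one compromised mailbox with strong ties to an organization shows up as a surge of outbound malicious mail toward that organization's top-level domain, can be turned into a simple defensive check on a mail gateway's own logs. The following Python is an added example written for this page, not Talos code and not a real product's log format: it parses constructed sample log lines (a hypothetical `from=… to=… verdict=…` layout), counts gateway-flagged outbound messages per destination TLD and month, flags months where the count toward `.mil` or `.gov` jumps by a chosen ratio, and names the internal senders driving the jump.

```python
"""Per-TLD surge detection over outbound mail-gateway logs (added example)."""
import re
from collections import Counter

# Constructed sample lines in a hypothetical gateway log format (not any real
# product's format): date, envelope sender, recipient and the gateway verdict.
SAMPLE_LOG = """\
2019-09-18T09:12:44Z from=amy@corp.example to=ops@agency.gov verdict=emotet
2019-09-21T14:03:10Z from=amy@corp.example to=kim@vendor.com verdict=clean
2019-10-02T11:40:05Z from=raj@corp.example to=joe@unit.mil verdict=emotet
2019-10-15T16:22:51Z from=raj@corp.example to=sue@bank.co.uk verdict=emotet
2019-11-04T08:55:12Z from=lee@corp.example to=dan@agency.gov verdict=emotet
2019-11-19T13:10:33Z from=lee@corp.example to=eve@shop.com verdict=clean
2019-12-03T10:00:00Z from=pat@corp.example to=ann@dept.gov verdict=emotet
2019-12-04T10:05:00Z from=pat@corp.example to=bob@dept.gov verdict=emotet
2019-12-05T10:10:00Z from=pat@corp.example to=cat@base.mil verdict=emotet
2019-12-06T10:15:00Z from=pat@corp.example to=dee@base.mil verdict=emotet
2019-12-09T10:20:00Z from=pat@corp.example to=eli@state.gov verdict=emotet
2019-12-10T10:25:00Z from=pat@corp.example to=gus@fleet.mil verdict=emotet
2019-12-11T10:30:00Z from=pat@corp.example to=fay@vendor.com verdict=emotet
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2})T\S+\s+from=(?P<src>\S+)\s+to=(?P<dst>\S+)"
    r"\s+verdict=(?P<verdict>\S+)$"
)


def parse_line(line):
    """Parse one hypothetical log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "month": m.group("ts")[:7],  # YYYY-MM bucket
        "src": m.group("src"),
        "dst": m.group("dst"),
        "verdict": m.group("verdict"),
    }


def tld_of(address):
    """Top-level domain of an e-mail address, lower-cased and dot-prefixed ('.gov')."""
    domain = address.rsplit("@", 1)[-1].lower()
    return "." + domain.rsplit(".", 1)[-1]


def monthly_counts(log_text, verdict="emotet"):
    """Count gateway-flagged outbound messages per (destination TLD, month)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["verdict"] != verdict:
            continue
        counts[(tld_of(rec["dst"]), rec["month"])] += 1
    return counts


def surges(counts, tlds=(".mil", ".gov"), min_ratio=3.0):
    """Return (tld, month, previous_count, current_count) for every month in
    which flagged mail toward a watched TLD is at least min_ratio times the
    previous month that had any flagged mail toward it."""
    found = []
    for tld in tlds:
        months = sorted(m for (t, m) in counts if t == tld)
        for prev, cur in zip(months, months[1:]):
            before, now = counts[(tld, prev)], counts[(tld, cur)]
            if now >= min_ratio * before:
                found.append((tld, cur, before, now))
    return found


def top_senders(log_text, tld, month, verdict="emotet", n=3):
    """Internal senders behind flagged mail toward one TLD in one month; a
    single dominant sender points at the mailbox that was taken over."""
    c = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if (rec and rec["verdict"] == verdict and rec["month"] == month
                and tld_of(rec["dst"]) == tld):
            c[rec["src"]] += 1
    return c.most_common(n)


if __name__ == "__main__":
    counts = monthly_counts(SAMPLE_LOG)
    for tld, month, before, now in surges(counts):
        print(f"{tld} {month}: {before} -> {now} flagged messages")
        print("  senders:", top_senders(SAMPLE_LOG, tld, month))
```

On the constructed sample the December jump toward both `.mil` and `.gov` traces back to a single sender, which is the shape Talos describes; on real gateway data the ratio and the set of watched TLDs would be tuned to the organization's normal correspondence so that a busy quarter is not mistaken for a compromise.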

The simplicity of Emotet's attack strategy belies its effectiveness. "This relatively simple email-man-in-the-middle social engineering approach has made Emotet one of the most prolific vehicles for delivering malware that we have seen in modern times," said researchers. 

Source: Information Security Magazine