
ESET Exposes Turla Malware Attacks on European Diplomats

Turla, an infamous advanced persistent threat (APT) group, is using new PowerShell-based tools that provide direct, in-memory loading and execution of malware, executables and libraries. Researchers at ESET detected several attacks against diplomatic entities in Eastern Europe using PowerShell scripts, linking them to the group.

Turla is believed to have been operating since at least 2008 when it successfully breached the U.S. military. It has also been involved in major attacks against many government entities in Europe and the Middle East – among them the German Foreign Office and the French military. The group is also known as Snake or Uroburos. 

According to Malwarebytes Labs, Turla uses what is thought to be Russian governmental malware. It has infected Linux and Mac operating systems but is mostly associated with infecting Windows systems. 

The PowerShell-based tools can bypass detection techniques that are triggered when a malicious executable is dropped on a disk, which ESET researcher Matthieu Faou believes are being used globally against "other traditional Turla targets." 

The PowerShell loaders, detected by ESET under the umbrella name PowerShell/Turla, differ from simple droppers in their ability to persist on the system: the script is run repeatedly and loads only the embedded executables into memory, so no payload is ever written to disk. In some samples, Turla developers modified their PowerShell scripts to bypass the Antimalware Scan Interface (AMSI), leaving the antimalware product unable to receive script data from AMSI for scanning.

“Along with Turla’s new PowerShell loader, we’ve discovered and analyzed several interesting payloads, including an RPC-based backdoor and a PowerShell backdoor leveraging Microsoft’s cloud storage service, OneDrive, as its command-and-control [C&C] server,” said Faou. “However, these techniques do not prevent the detection of the actual malicious payloads in memory."

One of the payloads ESET discovered is a set of backdoors relying on the RPC protocol, used to perform lateral movement and take control of other machines in the local network without relying on an external C&C server. 

“We believe this backdoor is a recovery access tool in case the main Turla backdoors are removed and operators can no longer access the compromised computers,” said Faou.

Source: Information Security Magazine

Impersonation Phishing Attacks Up 67% in Last 12 Months

Mimecast has released its third annual State of Email Security Report and has found that phishing attacks have lost companies money, data and customers. Including insights from 1,025 global IT decision-makers, the report found that social engineering attacks were on the rise.

According to the study, phishing attacks were the most prominent type of cyber-attack, with 94% of respondents having experienced phishing and spear-phishing attacks in the previous 12 months. Over half (55%) cited seeing an increase in that same period.  

Most notably, the report found that impersonation attacks increased by over two-thirds (67%), with 73% of organizations impacted by impersonation attacks having experienced a direct loss. Specifically, 28% of businesses lost customers, 29% suffered financially and 40% lost data.

This surge has meant that people within organizations are losing confidence in their security. According to the report, 61% believe it is likely or inevitable their company will suffer a negative business impact from an email-borne attack this year. 

“Email security systems are the frontline defense for most attacks. Yet just having and providing data on these attacks is not what creates value for most respondents,” says Josh Douglas, vice president of threat intelligence at Mimecast. “Survey results indicate that vendors need to be able to provide actionable intelligence out of the mass of data they collect and not just focus on indicators of compromise which would only address past problems."

According to the company's announcement on the findings, the top five industries being impacted by impersonation attacks are financial, manufacturing, professional services, science/technology and transportation. 

Other interesting statistics include: 

  • Ransomware attacks are up 26% in comparison to last year.
  • Nearly 50% of respondents noted having downtime for two to three days.
  • Just under a third experienced downtime for four to five days.

Source: Information Security Magazine

Pro-Iran Campaign Spread Fake News During Mid-Terms

Security researchers have uncovered a major new state-sponsored Iranian influence campaign using dozens of fake news sites and hundreds of spoofed social media accounts in an attempt to manipulate public opinion.

Most of the accounts in question were created between April 2018 and March 2019 and used to spread inauthentic content from sites such as Liberty Front Press (LFP), US Journal, and Real Progressive Front during the US mid-terms, according to FireEye.

Some included profile pics lifted from social media users with the same name, and some described themselves as activists, correspondents, or “free journalist” in their profile.

Others even impersonated US political candidates, such as Republicans Marla Livengood and Jineea Butler. In the latter cases, those behind the accounts plagiarized some of the candidates' legitimate tweets and then added pro-Iranian content.

The content promoted by these accounts was overwhelmingly pro-Iranian, pro-Palestinian and anti-Saudi, anti-Israeli. However, a small percentage of messages were anti-Iran, possibly to add legitimacy to them and/or to draw in those with opposing views who can then be targeted with messages in support of the Islamic Republic.

Interestingly, the campaign appears to have extended to legitimate print and online media sources via guest columns, letters and blog posts republished on these platforms. In some cases, the text for separate articles penned by 'different' individuals was almost identical, or had the same narrative. Most appeared in small local US news outlets.

FireEye said the content was in line with “Iranian political interests in a manner similar to accounts that we have previously assessed to be of Iranian origin.” However, definitive attribution is difficult, especially as most of the accounts have now been suspended.

“Apart from the narratives and messaging promoted, we observed several limited indicators that the network was operated by Iranian actors. For example, one account in the network, @AlexRyanNY, created in 2010, had only two visible tweets prior to 2017, one of which, from 2011, was in Persian and of a personal nature,” FireEye continued.

“Subsequently in 2017, @AlexRyanNY claimed in a tweet to be ‘an Iranian who supported Hillary’ in a tweet directed at a Democratic political strategist. This account, using the display name ‘Alex Ryan’ and claiming to be a Newsday correspondent, appropriated the photograph of a genuine individual also with the first name of Alex.”

In addition, while most accounts in this network had their language set to English, one was set to Persian, the vendor revealed.

Source: Information Security Magazine

Flipboard Breached in Nine-Month Raid

Flipboard has reset all customer passwords as a precaution after revealing that hackers had unauthorized access to user data for over nine months.

The news aggregator site, which has around 150 million monthly users, said the “unauthorized person” gained access to “certain Flipboard users account information,” although it didn’t reveal how many were affected.

“Findings from the investigation indicate an unauthorized person accessed and potentially obtained copies of certain databases containing Flipboard user information between June 2, 2018 and March 23, 2019 and April 21 – 22, 2019,” it said in a statement.

“The databases involved contained some of our users’ account information, including name, Flipboard username, cryptographically protected password and email address.”

The good news is that Flipboard protected passwords with salted hashing, making it harder but not impossible for attackers to crack them. However, those credentials created or changed before March 14, 2012 are only salted and hashed with SHA-1, a less secure algorithm than the current bcrypt.
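The difference between the two schemes is practical: a single salted SHA-1 is fast to compute, so an attacker holding the database can test candidate passwords very quickly, whereas a work-factored KDF such as bcrypt slows each guess. A site still holding legacy records should verify against the old scheme and rehash with the slow KDF the next time each user logs in. The following Python is an added example, not Flipboard's code: bcrypt is not in the standard library, so PBKDF2-HMAC-SHA256 stands in for it, and the record format and function names are assumptions.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import time

# Legacy scheme (the article's pre-2012 records): one salted SHA-1 digest.
# Record format (assumed): "sha1$<salt hex>$<digest hex>"
def legacy_sha1_hash(password: str, salt: bytes) -> str:
    digest = hashlib.sha1(salt + password.encode()).hexdigest()
    return f"sha1${salt.hex()}${digest}"

# Modern scheme: a deliberately slow KDF. bcrypt is not in the standard
# library, so PBKDF2-HMAC-SHA256 with a high iteration count stands in for it.
# Record format (assumed): "pbkdf2$<rounds>$<salt hex>$<derived key hex>"
PBKDF2_ROUNDS = 200_000

def modern_hash(password: str, salt: bytes = b"") -> str:
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2${PBKDF2_ROUNDS}${salt.hex()}${dk.hex()}"

def verify(stored: str, password: str) -> bool:
    """Check a password against either record format using a constant-time compare."""
    scheme, *parts = stored.split("$")
    if scheme == "sha1":
        salt_hex, _digest = parts
        expected = legacy_sha1_hash(password, bytes.fromhex(salt_hex))
        return hmac.compare_digest(expected, stored)
    if scheme == "pbkdf2":
        rounds, salt_hex, dk_hex = parts
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(rounds))
        return hmac.compare_digest(dk.hex(), dk_hex)
    raise ValueError(f"unknown hash scheme {scheme!r}")

def verify_and_upgrade(stored: str, password: str) -> tuple[bool, str]:
    """Login-time migration: on a successful match against a legacy SHA-1
    record, return a replacement record under the slow KDF for the caller
    to write back. Failed logins and already-modern records are returned unchanged."""
    ok = verify(stored, password)
    if ok and stored.startswith("sha1$"):
        return True, modern_hash(password)
    return ok, stored

def guesses_per_second(hash_fn, seconds: float = 0.5) -> float:
    """Rough cost comparison: how many candidate passwords one CPU core can
    hash per second under a given scheme (constructed measurement, not a benchmark)."""
    salt, n, start = b"\x00" * 16, 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        hash_fn(f"candidate{n}", salt)
        n += 1
    return n / seconds

if __name__ == "__main__":
    record = legacy_sha1_hash("correct horse battery", b"\x01\x02\x03\x04")
    ok, upgraded = verify_and_upgrade(record, "correct horse battery")
    print("login ok:", ok, "| migrated to:", upgraded.split("$")[0])
    print(f"salted SHA-1: ~{guesses_per_second(legacy_sha1_hash):,.0f} guesses/s")
    print(f"PBKDF2:       ~{guesses_per_second(modern_hash):,.0f} guesses/s")
```

Running the block prints the guess-rate gap between the two schemes, which is the whole reason the pre-2012 records are the weaker part of the breach.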

“Additionally, if users connected their Flipboard account to a third-party account, including social media accounts, then the databases may have contained digital tokens used to connect their Flipboard account to that third-party account,” the firm added.

“We have not found any evidence the unauthorized person accessed third-party account(s) connected to users’ Flipboard accounts. As a precaution, we have replaced or deleted all digital tokens.”

No financial information or Social Security numbers were affected by the breach, and the firm claimed to have “enhanced” its security following the incident.

Although it followed best practices regarding user passwords, the fact that hackers managed to stay hidden for nine months will be of concern to users.

Source: Information Security Magazine

Cryptopia Fights to Keep Data Held by Arizona Firm

Cryptopia, an exchange that was hacked and subsequently went into liquidation in May, has filed for bankruptcy protection in the United States. Grant Thornton will be handling the preservation of the data stored and hosted on servers with an Arizona-based firm, according to Yahoo News.

The bankruptcy court in the Southern District of New York issued an order to Cryptopia on Friday, granting an emergency motion for provisional relief until June 7. However, the Arizona company that runs the servers has severed ties with the exchange and is requesting that $2 million be paid, according to Bloomberg. If Cryptopia doesn't pay the company, the data could be overwritten or lost.

The New Zealand–based exchange operated with 300,000 accounts from across the globe. It filed for U.S. bankruptcy protection after hackers stole over $16 million earlier this year. Bloomberg reports that every account holder is a potential creditor in the liquidation, with trade creditors owed about $2.6 million. 

“The interim order preserves the Cryptopia data, which includes a SQL database containing all account holders’ individual holdings of cryptocurrencies and the account holder contact details," said Grant Thornton. "Without this information, reconciling individual holdings with the currencies held by Cryptopia will be impossible.”

On its website, Cryptopia said, "On Friday 24 May 2019, we filed a petition in the Bankruptcy Court in the Southern District of New York (SDNY) seeking recognition of the New Zealand liquidation in the USA, and we also applied for urgent interim relief. We took these steps to preserve the Cryptopia information that is stored and hosted on servers with an Arizona based business.

"Our objective is to protect and to preserve those holdings for the benefit of those entitled to them. We expect that the process of recovering data and determining how to make distributions to account holders will take some months at least. 

"We understand that this delay will be frustrating for account holders. For that reason, we are working to resolve these issues as soon as reasonably practicable."

All trading on the Cryptopia exchange has been suspended, meaning that users cannot deposit or withdraw crypto assets.

Source: Information Security Magazine

Germany Seeks Access to Encrypted Messages on WhatsApp, Telegram

Germany's federal interior minister, Horst Seehofer, wants companies such as WhatsApp and Telegram to give security authorities access to end-to-end encrypted messages or calls. Not complying with this could end with companies being banned by the Federal Network Agency. 

The latest issue of Der Spiegel reports that Seehofer wants the order to be implemented quickly, especially with the move to 5G potentially causing "complications" for security authorities. This comes after WhatsApp had to fix its app due to a remote code execution (RCE) vulnerability, which may have been exploited by a nation-state. 

As Infosecurity reported at the time, the Facebook-owned mobile communication giant, with 1.5 billion users, rolled out a fix for the vulnerability, which allowed users to be infected with spyware simply by being phoned by the attacker. 

5G itself has also been a controversial topic recently, with an FBI agent citing that the technology would lead to "an explosion in cybersecurity risks." Experts in Europe have also called for 5G to be provided with end-to-end encryption. 

Additionally, Germany has had dealings with WhatsApp's parent company, Facebook, this year. Its antitrust watchdog, the Federal Cartel Office, banned the technology company from combining data collected from its social platform without user consent, according to Forbes.

Andreas Mundt, president of the Federal Cartel Office, said, "Facebook will no longer be allowed to force its users to agree to the practically unrestricted collection and assigning of non-Facebook data to their Facebook user accounts."

Source: Information Security Magazine

Fredericton, New Brunswick, Makes Its Cybersecurity Bulletproof

The city of Fredericton, New Brunswick, has agreed to pay C$100,000 (almost $75,000) to cybersecurity company, Bulletproof Solutions, to strengthen its network and protect it from cyber-attacks. The three-year agreement was approved at the city council meeting on Monday, May 27, 2019. 

The city's assistant director of finance, innovation and technology, Adam Bell, believes that this move will help protect against the rise of municipality attacks. This follows a cyber-attack that hit the city of Stratford, Ontario, in April, which affected the city's email system and online forms. 

According to Akamai and the Canadian Internet Registration Authority's (CIRA) Fall 2018 Cybersecurity Report, 40 percent of respondents experienced a cyber-attack in the previous 12 months, with large businesses seeing 66 percent. Fredericton joins around two-thirds of Canadian businesses that outsource part of the cybersecurity footprint to external vendors.

However, 88 percent of Canadian employees of these companies are concerned with the prospect of future cyber-attacks. Perhaps they are right to be: 37 percent of companies don't have anti-malware protection installed, and nearly 75 percent did not have a formal patching policy, which exposes organizations to massive security holes.

"A key element of building a better online Canada is ensuring Canadians have safe, secure internet access," president and CEO of CIRA, Byron Holland, said. In the introduction of the Akamai report, Holland explains that hackers will be attracted to companies with a lot of personal data, such as a government organization, because they can make money from it on the dark web. 

"Personal information is being sold on the dark web for as little as $5 for a credit card number, $30 for an entire identity, or up to $1,000 for medical records. There are hundreds of examples of low hanging fruit for hackers in everyday interactions Canadians have with businesses every day. All these situations are potential breaches and many businesses don’t even know the risks."

The upgrade was approved the same day Fredericton hosted its hackathon to find internet of things solutions for the city. 

Source: Information Security Magazine

GandCrab Campaign Attacks MySQL Servers

Thousands of organizations running MySQL may have been infected with the infamous GandCrab ransomware after researchers spotted a new campaign targeting the open source database.

Sophos principal researcher, Andrew Brandt, explained in a blog post that the British security firm spotted the attack via a honeypot set up to monitor port 3306, used for SQL servers.

It scanned for unsecured databases running on Windows servers.

Interestingly, while the IP address of the machine hosting GandCrab geolocated to Arizona, the user interface of the server software (HFS) running on it was set to simplified Chinese, hinting at the origins of the perpetrator.

That server hosted five Windows executables with file names starting “3306,” and also provided useful stats on the campaign so far.

“The server appears to indicate more than 500 downloads of the sample I saw the MySQL honeypot download (3306-1.exe). However, the samples named 3306-2.exe, 3306-3.exe, and 3306-4.exe are identical to that file. Counted together, there have been nearly 800 downloads in the five days since they were placed on this server, as well as more than 2300 downloads of the other (about a week older) GandCrab sample in the open directory,” explained Brandt.

“So while this isn’t an especially massive or widespread attack, it does pose a serious risk to MySQL server admins who have poked a hole through the firewall for port 3306 on their database server to be reachable by the outside world.”

MySQL has a market share of over 50%, putting many organizations at potential risk of a damaging GandCrab infection.

The ransomware has been used in an increasingly targeted manner over recent months, with hackers trying out different threat vectors in a bid to outwit defenses.

In February it was spotted as the payload in a campaign targeting MSPs via a two-year-old flaw in a third-party plug-in for remote management software.

As of March 2018, GandCrab had infected over 50,000 victims and extorted an estimated $300,000-600,000, with over 70% of victims based in the US and UK, according to Check Point.

Source: Information Security Magazine

Aussie Teen Hacked Apple in Hope of Job Offer

An Australian boy who hacked Apple when he was just 13 did so in a misguided attempt to get a job with the tech giant, a court has heard.

The schoolboy, who is now 17, pleaded guilty to multiple cybercrime offenses after hacking Apple in December 2015 and early 2017 and making off with internal data, according to local reports.

His actions were reported to the FBI, which subsequently contacted the Australian Federal Police.

The boy’s lawyer, Mark Twiggs, told Adelaide Youth Court that his client is now very remorseful.

“This offending started when my client was 13 years of age, a very young age. He had no idea about the seriousness of the offence and hoped that when it was discovered that he might gain employment at this company,” he’s reported as saying.

“He didn't know this was going to lead to anything other than a job at the end of it, [this] happened in Europe, a similar person got caught and they ended up getting employed by the company.”

The magistrate appears to have agreed, putting the boy on an AU$500 good behavior bond for nine months.

“He is clearly someone who is a gifted individual when it comes to information technology, that being said, those who have this advantage of being gifted doesn't give them the right to abuse that gift," he said.

“You must remain on the straight and narrow and use your gifts for good rather than evil.”

It’s unclear what data the individual stole from Apple, but the firm’s spokesperson confirmed that the incidents were promptly contained and that no customer information was involved.

Source: Information Security Magazine

Snapchat: Claims of Employees Spying "Inaccurate"

In response to news that multiple Snapchat employees abused their privileged access to spy on users, reported by Motherboard, the social media platform said the allegations are false.

“Two former employees said multiple Snap employees abused their access to Snapchat user data several years ago. Those sources, as well as an additional two former employees, a current employee, and a cache of internal company emails obtained by Motherboard, described internal tools that allowed Snap employees at the time to access user data, including in some cases location information, their own saved Snaps and personal information such as phone numbers and email addresses,” Motherboard wrote on May 23.

Whether accurate or not, "the incident highlights the risks posed by insider threats. Most of the employees are busy doing their day-to-day jobs but a handful have malicious intent thus causing harm to the organizations they work for,” said Mayank Choudhary, senior vice president at ObserveIT.

“As in the case of Snapchat where a few users with elevated access were able to take their own and consumers’ data easily. Existing security controls did not pick this up, given most of the technology is focused on protecting the company from external threats. It’s high time that organizations focus on insider threats with platforms that help customers know the whole story, protect IP quickly, easily and reliably.”

However, the Motherboard report states that how any access might have been abused or which system was used remains unknown. Pointing out that the spying happened 'several years ago,' the story does note that one tool, SnapLion, is capable of accessing user data, according to multiple anonymous sources.

“Any perception that employees might be spying on our community is highly troubling and wholly inaccurate,” a Snapchat spokesperson wrote in an email to Infosecurity.

“Protecting privacy is paramount at Snap. We keep very little user data, and we have robust policies and controls to limit internal access to the data we do have, including data within tools designed to support law enforcement. Unauthorized access of any kind is a clear violation of the company's standards of business conduct and, if detected, results in immediate termination.”

Source: Information Security Magazine