
Archive for the News Category

US Postal Service Exposes 60 Million Users in API Snafu

The US Postal Service (USPS) is in the dock after an apparent API vulnerability exposed the account details of 60 million users of its online service.

The issue related to a service known as “Informed Visibility” which USPS offered to businesses, allowing them to access near real-time tracking data on packages. However, along with this data, the related API also allowed anyone logged in to query the account details of other users of the site and even modify some details.

These included email address, username, user ID, account number, street address, phone number, authorized users, mailing campaign data and more, according to Brian Krebs.

It appears as if the developers forgot a key element of cybersecurity when designing the API: access controls.
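The missing check the article describes is object-level authorization: the API verified that a caller was logged in but not that the record requested belonged to that caller. The following added example (not USPS code; the account records, user ids and the "authorized users" rule are constructed for illustration) puts the unchecked lookup beside a checked one, makes modification stricter than reading, and replays a constructed request log to show how the denials such a check produces can be used to spot a caller walking through other users' ids.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Account:
    user_id: int
    username: str
    email: str
    street_address: str
    # Other user ids permitted to view (but not edit) this account.
    authorized_users: set[int] = field(default_factory=set)


# Constructed sample records; not real USPS data.
ACCOUNTS: dict[int, Account] = {
    1001: Account(1001, "alice", "alice@example.com", "1 Main St"),
    1002: Account(1002, "bob", "bob@example.com", "2 Elm St", {1003}),
    1003: Account(1003, "carol", "carol@example.com", "3 Oak St"),
}


class Forbidden(Exception):
    """Raised when the caller may not act on the requested record."""


def get_account_unchecked(session_user_id: int, target_user_id: int) -> Account:
    """The flaw described in the article: a session exists (authentication), but
    ownership of the requested record is never checked, so any logged-in user can
    read any other user's details simply by changing target_user_id."""
    return ACCOUNTS[target_user_id]


def can_read(session_user_id: int, target: Account) -> bool:
    return session_user_id == target.user_id or session_user_id in target.authorized_users


def get_account(session_user_id: int, target_user_id: int) -> Account:
    """Object-level authorization: the record is released only to its owner or an
    explicitly authorized user. Missing and forbidden records raise the same error
    so the endpoint cannot be used to learn which user ids exist."""
    target = ACCOUNTS.get(target_user_id)
    if target is None or not can_read(session_user_id, target):
        raise Forbidden(f"user {session_user_id} may not access account {target_user_id}")
    return target


def update_street_address(session_user_id: int, target_user_id: int, new_address: str) -> Account:
    """Modification is stricter than reading: only the owner may change data."""
    target = get_account(session_user_id, target_user_id)
    if session_user_id != target.user_id:
        raise Forbidden(f"user {session_user_id} may not modify account {target_user_id}")
    target.street_address = new_address
    return target


def enumeration_suspects(request_log: list[tuple[int, int]], threshold: int = 3) -> dict[int, int]:
    """Detection side: replay (session_user_id, target_user_id) lookups and report
    callers whose denied requests reach the threshold, the trace a user scraping
    other people's records leaves once the check above is in place."""
    denied: dict[int, int] = {}
    for session_user_id, target_user_id in request_log:
        try:
            get_account(session_user_id, target_user_id)
        except Forbidden:
            denied[session_user_id] = denied.get(session_user_id, 0) + 1
    return {user: count for user, count in denied.items() if count >= threshold}


if __name__ == "__main__":
    # Constructed request log: alice (1001) walks through other users' ids.
    log = [(1001, 1002), (1001, 1003), (1001, 1004), (1003, 1002), (1002, 1002)]
    print("unchecked endpoint leaks:", get_account_unchecked(1001, 1002).email)
    print("enumeration suspects:", enumeration_suspects(log))
```

The authorization decision is made per record, against the session identity, rather than once at login; that is the difference between "anyone logged in" and "the account's owner". Returning the same error for absent and forbidden ids is deliberate, since a distinguishable "not found" would let a caller map which account numbers are live.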

USPS claimed in a statement that the incident has now been mitigated and that it has no information that it was used in any criminal endeavor.

“Any information suggesting criminals have tried to exploit potential vulnerabilities in our network is taken very seriously,” it continued. “Out of an abundance of caution, the Postal Service is further investigating to ensure that anyone who may have sought to access our systems inappropriately is pursued to the fullest extent of the law.”

With APIs becoming increasingly popular, security concerns have started to emerge. An Imperva poll earlier this year claimed 69% of firms are exposing APIs to the public and their partners, managing 363 on average per organization.

Tim Mackey, senior technology evangelist at Synopsys, said organizations should view tracking of API dependencies as a core risk reduction strategy.

“Understanding the data transmitted to an API and a method to validate the sanity of the returned data should be part of the review process in all development and procurement teams,” he added. “Armed with this information, API consumers can then monitor for any security disclosures associated with their API usage.”

Bernard Harguindeguy, CTO of Ping Identity, added that the USPS snafu should be a wake-up call for developers.

“Effective API security starts with deep visibility into all API traffic, followed by strong authentication and data governance,” he argued. “Companies' crown jewels — their customers' data — are increasingly being made accessible via APIs, and protecting this infrastructure from vulnerabilities and cyber-attacks has to be the top priority for CISOs and CIOs everywhere."

Source: Information Security Magazine

Mirai Used as Payload in Hadoop YARN Vulnerability

A Mirai variant has been discovered targeting unpatched Linux servers, shifting the use of the malicious payload beyond the internet of things (IoT), according to new research from NETSCOUT ASERT.

Using their honeypot network to monitor the tens of thousands of daily exploit attempts for the Hadoop YARN vulnerability, Arbor’s Security Engineering and Response Team (ASERT) researchers surprisingly found the all-too-familiar Mirai payload.

"Mirai botmasters have found they can target Linux servers just as easily as IoT devices. They attack the servers themselves rather than rely on the bots to propagate, since servers tend not to move around the network or get powered down,” said Matt Bing, security research analyst at NETSCOUT.

“Servers make an attractive target for DDoS bots for their network speed and hardware resources, compared to relatively underpowered IoT devices. What we've seen is Linux servers being conscripted to the same botnets as IoT devices. In the future we can expect more DDoS botnets with both infected IoT devices and Linux servers, like an army of foot soldiers being supported by tanks."

Tailored to run on Linux servers, the new variant of Mirai exhibited similar behaviors to those of the original version. This discovery marks the first time ASERT has seen Mirai used to exploit non-IoT systems in the wild.

“Rather than rely on the bots to propagate, the attackers have shifted their tactics to issuing exploits themselves. A relatively small number of attackers are using custom tools to exploit the Hadoop YARN vulnerability and deliver Linux malware,” Bing wrote.

The attack leverages a command injection flaw in Hadoop YARN that enables the execution of arbitrary shell commands; the same vulnerability was used last month to install the DemonBot DDoS bot, according to the researchers.

Given that Linux servers have access to greater bandwidth than IoT devices running on the networks, the Mirai bots reportedly act as more efficient DDoS bots, capable of executing attacks that compete with a much larger IoT botnet.

Source: Information Security Magazine

Phishers Up Their Game to Combat User Awareness

In an attempt to undermine the security industry’s effort to educate end users about phishing campaigns, malicious actors are evolving in their tactics, according to Zscaler.

In a recent blog published by Zscaler Threat LabZ, Deepen Desai and Rohit Hegde detailed findings of new research into phishing activities. According to the findings, Microsoft, Facebook and PayPal are the top brands that are being targeted by phishing campaigns.

Credit: Zscaler

The top five sector categories that are most commonly targeted are communications (41.4%), social media (18.3%), finance (16.7%), travel (12.4%) and dating (3.4%).

“In addition to the known brands, it was interesting to see phishing campaigns targeting Travel Visa portals (Canadian Visa and Australian Visa, for example) included in our top five most targeted brands. The attackers in this case were most likely interested in phishing for sensitive immigration information, such as passport details, date of birth and national identification numbers,” Desai and Hegde wrote.

Notably one of the best tools in a hacker’s toolbox, phishing is a successful tactic long used by attackers who are looking to steal personally identifiable information, such as Social Security numbers, credit card details, date of birth, and other sensitive data.

Wrote the authors, “About 65% of all phishing content we’ve seen in the past three months was over HTTP and the remaining 35% was over HTTPS. This represents a 300% increase in phishing content being delivered over HTTPS since 2016.”

Because the security industry has been diligent in its efforts to raise awareness, putting great effort into educating users how to identify phishing sites, cybercriminals have reportedly had to up their game. The attackers have had to get creative in order to trick better-informed users, and they are reportedly now carefully designing sites to look identical to the popular brands they are imitating.  

"As the end users become more vigilant against clicking suspicious links, attackers have also upped the ante by evolving the way in which the phishing content is being delivered as well as tactics being leveraged to make the phishing pages stay undetected for a longer period," they wrote.

Source: Information Security Magazine

13 Malware-Laden Fake Apps on Google Play

A security researcher used Twitter to warn users about malware embedded in fake apps available on Google Play. Lukas Stefanko, malware researcher at ESET, reported the malicious apps to the Google security team, noting that 13 apps have been installed more than 560,000 times.

While the app downloads, an additional Android Package Kit (APK) called Game Center downloads in the background, which then requests that the user install it. According to Stefanko, once the APK is installed, it hides itself and displays ads when the device is unlocked.

Malicious actors are able to deliver malware to a victim's phone through application repackaging, often combining it with screen overlay attacks to fool users into installing malware payloads because they think the requests are legitimately connected to the app they are downloading.

Attackers hijacking applications is nothing new, according to Will LaSala, director of security solutions, security evangelist at OneSpan. "Application repackaging has been on the rise for a while now. Earlier this year it was reported that applications were being hijacked to install cryptocurrency miners.”

After governments addressed the process of the cryptocurrency conversion, it became more difficult for people to cash out anonymously, LaSala said.

“However, these repackage attacks did not stop; instead they got more sophisticated and refocused on other valuable data that can be converted to money just as quickly. New repackaging attacks make common or simple apps into nefarious payload delivery applications.

“These malware apps focus on harvesting credentials and injecting libraries that can cause applications to deliver sensitive information directly into the hands of the hacker. If your application becomes the target of one of these repackaging attacks, it will affect your brand’s reputation and may cause users to turn to competitors. Besides root and jailbreak detection, applications on iOS and Android should protect themselves with application shielding technology that detects and actively prevents repackaging,” LaSala said.

Source: Information Security Magazine

Magecart Black Hats Battle it Out On Infected Site

Groups of cyber-criminals vying for supremacy on the dark web are sabotaging each other’s attempts to skim customer card details from victim e-commerce sites, according to researchers.

Two groups spotted by Malwarebytes head of investigations, Jérôme Segura, had both infected the Brazilian website of sportswear brand Umbro with the infamous Magecart skimming code.

The first loads its code via a fake Bootstrap library domain, bootstrap-js[.]com, and exfiltrates the data as standard JSON output, while the second group loads from g-statistic[.]com, is heavily obfuscated, and attempts to interfere with the operation of the first.

“Before the form data is being sent, it grabs the credit card number and replaces its last digit with a random number. By tampering with the data, the second skimmer can send an invalid but almost correct credit card number to the competing skimmer," Segura explained.

“Because only a small part of it was changed, it will most likely pass validation tests and go on sale on black markets. Buyers will eventually realize their purchased credit cards are not working and will not trust that seller again.”

Multiple infections on a single site are not uncommon, and stem from poor web security, but the direct competition from the two groups highlights the popularity of Magecart among the black hats, and the potentially large financial rewards on offer.

RiskIQ recently revealed that card details belonging to BA and Newegg customers went up for sale within a week of being harvested, potentially generating millions in revenue. That report lists six groups operating the Magecart code, although there are likely to be more.

In fact, RiskIQ threat researcher Yonathan Klijnsma tweeted that the above skirmish involved Group 3 “being bullied” by Group 9.

“Website owners that handle payment processing need to do due diligence in securing their platform by keeping their software and plugins up-to-date, as well as paying special attention to third-party scripts,” concluded Segura.

“Consumers also need to be aware of this threat when shopping online, even if the merchant is a well-known and reputable brand. On top of closely monitoring their bank statements, they should consider ways in which they can limit the damage from malicious withdrawals.”
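Both skimmers on the Umbro site arrived as script loaders from domains the site owner never chose, which is why Segura's advice ends with third-party scripts. The following added example (not Malwarebytes' or Umbro's code; the checkout page, the first-party host and the allowed CDN host are constructed) is the kind of check a site can run against its own rendered pages: collect every script source, resolve each to a host, and report any host that is neither the site itself nor on an explicit allowlist. The two loader domains from the article appear in the sample page, written without the [.] defanging so that the parser sees them as a browser would.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a page."""

    def __init__(self) -> None:
        super().__init__()
        self.sources: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        for name, value in attrs:
            if name == "src" and value:
                self.sources.append(value.strip())


def unexpected_script_hosts(html: str, first_party_host: str, allowed_hosts) -> list[str]:
    """Return hosts serving scripts on the page that are neither the site itself
    nor on its allowlist, in first-seen order. Relative and same-origin sources
    map to first_party_host. The comparison is on the exact host, so a lookalike
    such as bootstrap-js.com is not mistaken for the real Bootstrap CDN."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    allowed = {first_party_host.lower()} | {h.lower() for h in allowed_hosts}
    flagged: list[str] = []
    for src in collector.sources:
        # urlparse handles absolute and protocol-relative (//host/...) URLs;
        # a path-only src has no hostname and is first-party.
        host = (urlparse(src).hostname or first_party_host).lower()
        if host not in allowed and host not in flagged:
            flagged.append(host)
    return flagged


# Constructed checkout page: one first-party script, one legitimate CDN load,
# and the two loader domains named in the article.
SAMPLE_PAGE = """<html><head>
<script src="/static/js/checkout.js"></script>
<script src="https://cdn.example.net/bootstrap/4.1/bootstrap.min.js"></script>
<script src="https://bootstrap-js.com/bootstrap.min.js"></script>
<script type="text/javascript" src="//g-statistic.com/stat.js"></script>
</head><body><form id="checkout"></form></body></html>"""


if __name__ == "__main__":
    print(unexpected_script_hosts(SAMPLE_PAGE, "www.example-shop.com", ["cdn.example.net"]))
```

Run against the rendered page rather than the template source, since skimmers are typically injected into the served HTML or into a plugin the template includes. Exact-host matching is the point: an allowlist that accepted any host containing "bootstrap" would have accepted the first skimmer's domain.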

Source: Information Security Magazine

Online Fraud Losses Set to Hit Nearly $50bn by 2023

Online payment fraud losses are set to more than double over the next five years to reach a staggering annual figure of $48bn, according to Juniper Research.

The analyst’s latest report, Online Payment Fraud: Emerging Threats, Segment Analysis & Market Forecasts 2018-2023, covers e-commerce, airline ticketing, money transfer and banking services.

It claimed that the astonishing growth in fraud will be fuelled by a continued epidemic of data breaches.

Fraudsters will increasingly combine pieces of this breached identity data with PII belonging to other individuals and/or fabricated details to create new, “synthetic” identities.

“Synthetic identity is currently the low-hanging fruit because, even though it takes time for fraudsters to establish, many of their targets are not set up to detect the behavioral giveaways that indicate this type of fraud,” said research author Steffen Sorrell.

“Fraud management providers have solutions on the market to combat this, but the industry as a whole is playing catch-up.”

Synthetic fraud is reportedly the fastest-growing type of identity fraud in the US, accounting for an estimated 80-85% of the total.

“The point to remember with Synthetic ID Theft is that, since it is not your name, address, phone number or credit file… credit monitoring, fraud alerts or credit freezes will not inform you or stop synthetic ID theft,” warned the FTC.

As instant payments become more prevalent, but fraud teams continue to focus on transactional rather than behavioral risk, losses in the money transfer sector could rise by 20% per year to hit $10bn by 2023, the Juniper research continued.

The underground ‘fraud-as-a-service’ economy will also continue to mature, resulting in greater complexity, the report warned.

Source: Information Security Magazine

Majority of Orgs Unaware of IoT Security Threats

New research revealed that 86% of IT and security leaders believe their organization needs to improve its awareness of internet of things (IoT) threats, according to Trend Micro.

Connected devices are increasingly being used as gateways to the corporate networks. By compromising these devices, attackers can gain access to the greater corporate network, where they are then able to conduct even more damaging attacks.

In a survey carried out by Vanson Bourne, 1,150 IT and security decision makers across the US, UK, France, Germany and Japan revealed that the majority of participating organizations lack an understanding of cybersecurity in relation to the deployment of IoT projects. Survey participants held either C-level or management positions in companies across many sectors, including retail, media and construction.

“A common theme in cyberattacks today is that many are driven by a lack of security awareness, and this is accentuated with IoT security,” said Kevin Simzer, chief operating officer for Trend Micro in a press release.

“It’s a good first step to see that IT leaders recognize awareness levels need to rise across the organization. We recommend business leaders clearly acknowledge the IoT security challenges affecting their company, understand their security requirements, and invest accordingly to make their security goals a reality.”

Despite an awareness that 59% of IoT attacks target corporate office devices, more than half of the participants said they have not yet identified the key capabilities that should be prioritized in their security solutions. Also, 37% claimed they’re not always able to define their security needs before implementing IoT solutions, according to the survey.

Organizations are exposed to damaging cyber-attacks stemming from this lack of security awareness in IoT, according to Trend Micro, which notes that after corporate office devices, manufacturing and supply chain devices are the IoT device types most frequently targeted.

To mitigate the risks of cyber-attacks resulting from compromised IoT, survey participants said they have a need for vulnerability management solutions and tools that monitor networks for anomalous behavior. Trend Micro recommends a strong network defense approach to ensure IoT devices do not add security risk at any part of a corporate network.

Source: Information Security Magazine

Malvertising in Apple Pay Targets iPhone Users

The Media Trust has discovered a recent malvertising campaign involving Apple Pay that is part of a large-scale phishing and redirect campaign targeting iPhone users visiting premium newspapers and magazines.

In today’s blog post, Michael Bittner, digital security and operations manager at The Media Trust, wrote that the campaign was discovered when the security team helped “a winner of several Pulitzer Prizes and one of the largest daily newspapers on the West Coast, thwart a large-scale phishing and redirect campaign targeting iPhone users visiting premium newspapers and magazines.”

Disguised as a legitimate ad, the malware, dubbed PayLeak, delivers those newspaper or magazine visitors who click on the ad to a malicious domain registered in China. Upon arriving, the malware then checks to see whether the visitor’s device is in motion or at rest, upright or lying down and whether it is an Android or iPhone. In addition to determining whether the browser platform in use is Linux x86_64, Win32 or MacIntel, the malware also confirms whether there is malware detection technology running on the device.

When those conditions are detected, Android users are redirected to a fraudulent phishing site that falsely claims that they have won an Amazon gift card. The iPhone users, however, receive two successive popups. The first one is an alert that the device itself needs updating, followed by an additional notice that the Apple Pay app needs updating.

The popup messages are highly sophisticated, particularly the Apple Pay credit card information screen, which is convincingly identical in appearance to that of the Apple Pay, where users enter their credit card details.

Credit: The Media Trust

Unsuspecting users then share their credit card information, while the malware logs additional device information, iOS version and IP address, then sends that data to a malicious command-and-control server. According to Bittner, this information can potentially be used for future man-in-the-middle attacks.

“Targeted sites with weaker security measures, such as those that do not monitor their digital environments for unauthorized code, could risk leaking their users’ sensitive information and leave the latter exposed,” Bittner warned.

Source: Information Security Magazine

Hackers Linked to Russia Impersonate US Officials

In a targeted campaign directed at multiple organizations across law enforcement, media, pharmaceutical and other public sectors, hackers with alleged ties to the Russian government have been trying to infiltrate US government computers and networks, according to a new report published by FireEye.

Malicious phishing activity believed to be conducted by the advanced persistent threat (APT) hacking group APT29, also known as Cozy Bear, was detected on November 14, 2018. According to the FireEye report, “The attempts involved a phishing email appearing to be from the U.S. Department of State with links to zip files containing malicious Windows shortcuts that delivered Cobalt Strike Beacon.”

Attackers reportedly compromised the email server of a hospital and a consulting company’s corporate website in order to distribute phishing emails. “The phishing emails were made to look like secure communication from a Public Affairs official at the U.S. Department of State, hosted on a page made to look like another Department of State Public Affairs official's personal drive, and used a legitimate Department of State form as a decoy,” FireEye said.

Impersonating a Public Affairs official at the US Department of State, the attackers distributed phishing emails that used a publicly available Department of State form as a decoy while delivering a Cobalt Strike Beacon. The majority of targeted victims reported having received fewer than three emails, though the report noted that one target received 136 emails.

The activity is still being analyzed, and while FireEye has identified key similarities in tactics that correlate with past Cozy Bear activity, “the new campaign included creative new elements as well as a seemingly deliberate reuse of old phishing tactics, techniques and procedures (TTPs), including using the same system to weaponize a Windows shortcut (LNK) file.”
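The lure in this campaign was a zip archive carrying a Windows shortcut (LNK) file, a combination mail gateways and sandboxes can screen for before a user ever opens the attachment. The following added example (not FireEye's code; the archive and its member names are constructed, and the shortcut bodies are only a header plus filler rather than real link data) lists the members of a zip that are shortcuts, judging by the .lnk extension and, independently, by the fixed header every shell link file begins with, so a shortcut renamed to look like a document is still caught.

```python
import io
import zipfile

# Every Windows shell link (.lnk) file starts with HeaderSize 0x0000004C followed
# by the LinkCLSID 00021401-0000-0000-C000-000000000046 in its serialized form.
LNK_HEADER = bytes.fromhex("4C000000" "01140200" "00000000" "C0000000" "00000046")


def is_lnk(data: bytes) -> bool:
    """True if the byte string begins with the shell link header."""
    return data[: len(LNK_HEADER)] == LNK_HEADER


def shortcut_members(zip_bytes: bytes) -> list[dict]:
    """Return the archive members that are shortcuts, with the reason for each:
    'extension' (name ends in .lnk) and/or 'header' (content starts with the
    LNK header). Only the first 20 bytes of each member are read."""
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(len(LNK_HEADER))
            by_ext = info.filename.lower().endswith(".lnk")
            by_magic = is_lnk(head)
            if by_ext or by_magic:
                found.append({"name": info.filename, "extension": by_ext, "header": by_magic})
    return found


def build_sample_archive() -> bytes:
    """Constructed sample: a benign text file, a shortcut with its extension, and a
    shortcut renamed to look like a PDF. Shortcut bodies are header plus zero filler."""
    filler = b"\x00" * 60
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("README.txt", b"constructed sample, not a real attachment\n")
        zf.writestr("Secure Document.lnk", LNK_HEADER + filler)
        zf.writestr("Public Affairs Form.pdf", LNK_HEADER + filler)
    return buf.getvalue()


if __name__ == "__main__":
    for hit in shortcut_members(build_sample_archive()):
        print(hit)
```

Checking the header as well as the name matters because the archive author controls member names; the header check is what flags the member named as a PDF. A gateway policy can quarantine any archive for which this list is non-empty, which blocks the delivery step of the campaign without needing a signature for the particular shortcut or the Beacon it launches.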

Brandon Levene, head of applied intelligence at Chronicle, confirmed that the TTPs used in this case are identical – down to the metadata – to those attributed to APT29 in 2016. “It’s odd that the exact same techniques were reused given that they have nation-state resources to develop malware,” Levene said.

“If the reports that media is a target are true, it would be interesting and could show that attackers are attempting to observe and manipulate news cycles. For instance, attackers would have advance notice of news stories and could prepare social media posts to go out when the news hits that could discredit the news or otherwise manipulate it.”

FireEye also noted that if evidence supports the suspicion that the activity is coming from Cozy Bear, this will be the first uncovered activity of the group in at least a year. “The attackers will likely remain active and come back with more sophisticated intrusion attempts since this campaign was quickly discovered. They’re going to be forced back to the drawing board,” said Levene.

Source: Information Security Magazine

UK Government Failing on CNI Security, Say MPs

The government is failing to act with a “meaningful sense of purpose or urgency” to tackle the growing threat to critical national infrastructure (CNI), despite itself acknowledging the risks, according to a new parliamentary report.

The Joint Committee on the National Security Strategy report comes days after it criticized slow government progress on addressing crucial skills shortages in the sector.

Noting the impact of WannaCry on the NHS, increasingly destructive attacks launched by nation states such as Russia, and the threat from organized crime groups which “are becoming as capable as states,” it cited the National Cyber Security Centre (NCSC)’s assessment that a major CNI attack is a matter of “when not if.”

“Identifiable political leadership is lacking. There is little evidence to suggest a ‘controlling mind’ at the center of government, driving change consistently across the many departments and CNI sectors involved,” it warned.

“Unless this is addressed, the government’s efforts will likely remain long on aspiration and short on delivery. We therefore urge the government to appoint a single Cabinet Office minister who is charged with delivering improved cyber resilience across the UK’s critical national infrastructure.”

Although the NCSC is doing good work, its limited resources threaten to be overwhelmed, while important regulation in the form of the NIS Directive covers only certain sectors, and in any case has been driven by leadership from the EU.

Part of the problem lies with the 2016 National Cyber Security Strategy, which doesn’t set out clearly defined objectives for protecting CNI. The government should therefore publish annual reports to improve transparency, which would also provide an opportunity to tweak the strategy in response to changing threats, the committee advised.

The government should also review each sector’s inter-dependencies and maturity and gain greater visibility into why the market has so far failed to deliver improved cyber resilience. A CNI-wide threat- and intelligence-led penetration testing program was recommended.

Regarding the necessary cultural change needed to improve cybersecurity in CNI organizations, the committee urged the government to consider improving board-level expertise and accountability, encouraging the management of supply chain risk, and the promotion of cyber insurance.

“We are struck by the absence of political leadership at the center of government in responding to this top-tier national security threat,” said committee chair, Margaret Beckett.

“There are a whole host of areas where the Government could be doing much more, especially in creating wider cultural change that emphasizes the need for continual improvement to cyber resilience across CNI sectors.”

Experts welcomed the report’s findings.

“The Joint Committee is right to point out the importance of securing not just critical infrastructure itself, but the entire supply chain that supports it. We must never forget to question what an adversary might do to tamper with supply or design chains, even in areas such as open source software, where a cyber-criminal could introduce defects that practically an entire industry might use for many years,” said McAfee chief scientist, Raj Samani.

“Greater levels of transparency around technology design are vital. We need more visibility into what different components do, and how they do it. We also need greater visibility into what they should and shouldn’t be doing. More effort must be made to secure the most sensitive components of technology upon which we rely every day.”

Talal Rajab, head of cyber and national security at industry body, techUK, added that the issue required “utmost vigilance.”

“Much has changed since the strategy was published in 2016, with the threat to government and businesses constantly evolving,” he argued. “As the current strategy draws to a close, it is vital that cybersecurity becomes business as usual across all areas of government. The appointment of a Cabinet Office Minister designated as a cybersecurity lead could help ensure government remains one step ahead of the threat and drive real change across departments.”

Source: Information Security Magazine