Archive for the News Category

Experts Warn of Super-Stealthy Furtim Malware

Security experts are warning of newly discovered credential-stealing malware that prioritizes stealth: at the time it was found, it scored a 0% detection rate on VirusTotal.

Furtim, a Latin word meaning “by stealth,” was first spotted by researcher @hFireF0X and consists of a driver, a downloader and three payloads, according to enSilo researcher Yotam Gottesman.

The payloads are: a power-saving configuration tool which ensures a victim’s machine is always on and communicating with Furtim’s C&C server; Pony Stealer – a powerful commercial credential stealer; and a third file that communicates back to the server but has yet to be fully analyzed.

Interestingly, Furtim goes to great lengths to stay hidden, going well beyond most malware in checking for the presence of over 400 security tools on the targeted PC, Gottesman claimed.

It blocks access to nearly 250 security-related sites by rewriting Windows’ hosts file, and evades DNS filtering services by scanning the system’s DNS settings and replacing any known filtering nameserver with a public one.

Once installed, it will override any reboot policy to ensure downloaded payloads will run; disable Windows notifications and pop-ups; and block the user from accessing the command line and task manager, so they can’t kill any malicious processes, the enSilo researcher continued.
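The hosts-file rewrite, the resolver swap and the user lockout described above are all things a responder can check for directly on a suspect machine. The following Python script is an added example, not enSilo’s tooling or anything taken from the Furtim sample: the security-domain inventory, the expected resolvers and the sample hosts file are illustrative assumptions, while the two registry policy values it looks for (DisableCMD and DisableTaskMgr) are the standard Windows policies that hide the command prompt and Task Manager from the user.

```python
"""Added hunting script for host-level tampering of the kind attributed to Furtim.
Not enSilo's code. Checks: security-vendor domains pinned in the hosts file,
DNS resolvers that differ from the expected set, and the policy values that
lock the user out of cmd.exe and Task Manager."""
import ipaddress
from typing import Dict, List

# Illustrative inventory (assumption); use your own vendor/update/telemetry domains.
SECURITY_DOMAINS = {
    "virustotal.com", "windowsupdate.com", "update.microsoft.com",
    "kaspersky.com", "symantec.com", "malwarebytes.com", "sophos.com",
}
SINKHOLE_IPS = {"0.0.0.0", "127.0.0.1", "::1"}
# Resolvers this environment is supposed to use (assumption for the example).
EXPECTED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
# Standard Windows policy values that hide cmd.exe and Task Manager (value -> key path).
LOCKOUT_POLICIES = {
    "DisableCMD": r"HKCU\Software\Policies\Microsoft\Windows\System",
    "DisableTaskMgr": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System",
}


def parse_hosts(text: str) -> List[tuple]:
    """Return (ip, hostname) pairs from hosts-file text, ignoring comments and junk."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # not a valid hosts line
        entries.extend((ip, n.lower().rstrip(".")) for n in names)
    return entries


def _is_security_domain(name: str) -> bool:
    return any(name == d or name.endswith("." + d) for d in SECURITY_DOMAINS)


def find_hosts_tampering(hosts_text: str) -> List[str]:
    """Any hosts entry for a security domain is suspicious; loopback/null target = sinkhole."""
    findings = []
    for ip, name in parse_hosts(hosts_text):
        if _is_security_domain(name):
            verb = "sinkholed to" if ip in SINKHOLE_IPS else "redirected to"
            findings.append(f"{name} {verb} {ip}")
    return findings


def find_resolver_tampering(configured: List[str], expected=EXPECTED_RESOLVERS) -> List[str]:
    """Resolvers not on the expected list (e.g. a filtering resolver swapped for 8.8.8.8)."""
    return sorted(set(configured) - set(expected))


def find_lockout_policies(values: Dict[str, int]) -> List[str]:
    """Flag DisableCMD / DisableTaskMgr when set to a non-zero value."""
    return [f"{name}={values[name]} under {path}"
            for name, path in LOCKOUT_POLICIES.items() if values.get(name, 0)]


def read_policy_values() -> Dict[str, int]:
    """Read the lockout values from the live registry (Windows only; {} elsewhere)."""
    try:
        import winreg
    except ImportError:
        return {}
    found = {}
    for name, path in LOCKOUT_POLICIES.items():
        subkey = path.split("\\", 1)[1]
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey) as key:
                found[name], _ = winreg.QueryValueEx(key, name)
        except OSError:
            pass  # key or value absent: policy not set
    return found


# Constructed sample of a tampered hosts file (not a real capture).
SAMPLE_HOSTS = """\
# Windows hosts file (constructed sample)
127.0.0.1       localhost
0.0.0.0         www.virustotal.com
127.0.0.1       update.microsoft.com
0.0.0.0         kaspersky.com www.kaspersky.com
"""

if __name__ == "__main__":
    # Live host: open(r"C:\Windows\System32\drivers\etc\hosts").read(), and the resolver
    # list from `Get-DnsClientServerAddress` (PowerShell) or `ipconfig /all`.
    for f in find_hosts_tampering(SAMPLE_HOSTS):
        print("hosts:", f)
    for r in find_resolver_tampering(["8.8.8.8", "10.0.0.53"]):
        print("unexpected resolver:", r)
    # Falls back to a constructed sample value when not running on Windows.
    for p in find_lockout_policies(read_policy_values() or {"DisableTaskMgr": 1}):
        print("policy:", p)
```

A hit on any of the three checks is an indicator of this class of tampering, not proof of Furtim specifically; the hosts-file check in particular also catches legitimate ad-blocking lists, so review the target before escalating.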

Also, the C&C server will only send the payload once to a specific machine, to avoid researchers trying to collect samples from the server.

It’s still not clear what purpose Furtim serves, although the Pony Stealer component would work well in the lateral movement stage of a targeted attack, it is claimed.

“Given the defense measures that Furtim takes, we can imagine that Furtim is more than a downloader used by common fraudsters. The threat actors behind Furtim were dedicated, knowing that it’s worth remaining stealthy, even at the expense of hitting more targets, than being revealed,” concluded Gottesman.

“We do know that the C&C server is hosted at a Russian domain, which resolves to several Ukrainian IP addresses. Additionally, communications are configured to accept Russian.”

Ben Johnson, chief security officer at Carbon Black, claimed hackers are more akin to secret agents than bank robbers today, in building malware to circumvent traditional filters.

“This is precisely why it’s so vital that organizations have continuous monitoring running on all endpoint devices, as that’s the only sure-fire way to capture the entire ‘kill chain’ of a successful attack so it can be traced back to where it came in and shut out completely,” he added.

“It’s also another reminder of why we need to get out there and start proactively threat hunting, so we can identify any similar breeds of sneaky malware sitting on our systems undetected.”

Source: Information Security Magazine

Experts in Game of Thrones Malware Warning

RiskIQ is warning Game of Thrones fans that trying to catch up on the popular HBO show without paying could leave them with more than they bargained for.

The threat management firm claimed it had spotted more than 450 pirated content websites serving up malware to those looking to illegally stream or download the fantasy drama.

It conducted its research over a 10-day period in May in the US, UK, Germany, France and Netherlands, running simple Google searches for download or streaming sites and clicking through the links.

The vendor claimed its virtual user technology would have prevented any infections.

However, the dangers of pirated content aren’t just a consumer risk – if users attempt to illegally download shows at work or use personal devices to access corporate systems, then malware could infect the enterprise IT environment.

RiskIQ VP EMEA Ben Harknett claimed the firm found a mix of exploit kits, malicious redirects, trojans, spyware, phishing sites, scareware and toolbars.

“Many of these could potentially impact the organization, not just the device user,” he told Infosecurity by email. “We know that Game of Thrones has been the most pirated show over the past four years, so it’s patent that bad actors are cashing in on the trend.”

In addition, of the malicious web pages analyzed, over a third (34%) spread malware via malicious ads.

So-called malvertising is an increasingly popular tactic among cybercriminals to ensure as many users as possible are exposed to their malware.

Just last month, Fox-IT claimed to have found another major campaign, targeting nearly 300 of the most popular websites in the Netherlands, affecting potentially tens of millions.

“End-users often assume that the IT within their organization will provide adequate security measures, regardless of their actions. Or worse, don’t even consider the risks that their actions might create,” Harknett concluded.

“A critical consideration of IT managers is really around ensuring much greater awareness and education on the changing nature of threats today and how each of us can unwittingly compromise our organizations.”

Source: Information Security Magazine

Security Remains Prime Barrier to Cloud Adoption

Following industry predictions that the global cloud market will exceed $250 billion by 2020, Crowd Research Partners has found that security concerns top the list of barriers to cloud adoption today.

These fears are led by general security concerns (53%, up from 45% in last year’s survey), legal and regulatory compliance concerns (42%, up from 29%), and data loss and leakage risks (40%). The rise in specific concerns about compliance and integration suggests that companies are moving from theoretical exploration of cloud models to actual implementation.

The report also found that unauthorized access through misuse of employee credentials and improper access controls is the single biggest threat (53%) to cloud security, respondents felt. This is followed by hijacking of accounts (44%) and insecure interfaces/APIs (39%). One in three organizations say external sharing of sensitive information is the biggest security threat.

“As organizations look to cloud computing to reduce IT costs, increase agility and better support business functions, security of data and applications in the cloud remains a critical requirement,” said Holger Schulze, founder of the 300,000-member Information Security Community on LinkedIn. “The 2016 Cloud Security Report indicates that as organizations increase investments in cloud infrastructure, they are seeking a similar level of security controls and functionality to what’s available in traditional IT infrastructures.”

Further, the vast majority (84%) of respondents are dissatisfied with traditional security tools when applied to cloud infrastructure. Respondents say traditional network security tools are somewhat ineffective (48%), completely ineffective (11%), or can’t be measured for effectiveness (25%) in cloud environments. In a positive data point, 61% of organizations do plan to train and certify existing IT staff for cloud security.

“More than 56% of surveyed organizations use Active Directory on-premises to authenticate and authorize access to cloud applications, like Office 365,” said Alvaro Vitta, principal solutions consultant, Dell Systems and Information Management. “The failure to provide adequate on-premises Active Directory security controls leaves cloud-based applications vulnerable to unauthorized access. Don’t let on-premises Active Directory be your hybrid directory environment’s Achilles’ heel.”

The cloud will bring back renewed relevance for some technologies, like encryption. “Once the ‘silver bullet’ of security, encryption has been ‘out marketed’ by other technologies that mostly focus on securing the perimeter and not securing the target of intruders,” added Bob Adhar, president, Randtronics. “A business that only encrypts their data is more secure than businesses with everything else.”

Source: Information Security Magazine

Enormous Malware as a Service Infrastructure Fuels Ransomware Epidemic

The Check Point Research team has uncovered an operation that turns out to be one of the world’s largest attack infrastructures.

The malware-as-a-service (MaaS) play is being used by a cyber-criminal syndicate to use the Nuclear exploit kit to spread malware worldwide.

With 15 active Nuclear control panels, the likely Russian perpetrators behind the MaaS operation accumulate revenue of approximately $100,000 a month, according to Check Point’s estimates. In the last month alone, the infrastructure was used to attack 1,846,678 machines. The success rate of these attacks was 9.95%, resulting in 184,568 newly infected machines.

Exploit kits (EKs) are a major part of the MaaS industry, which facilitates the delivery of ransomware and banking trojans, among other payloads. Their creators rent them to cyber-criminals, who use them to attack unsuspecting users. Nuclear is one of the top EKs, Check Point noted, both in complexity and in spread.

“Nuclear’s infrastructure is not the work of a lone wolf,” the researchers said. “According to our findings, the leading developer is located in Krasnodar, Russia. Nuclear is rented to cyber-criminals for a few thousand dollars a month.”

The service provider owns the master server, which controls all of the attackers’ servers. Each attacker rents a server with a control panel from which he or she can manage his malware campaign, distributing any malware of choice. Each server has a number of landing page servers, to which unsuspecting users are directed to be infected. They can be directed there by malicious links in phishing mails, malvertising or hacked websites.

With the current ransomware trend, it’s not surprising to see that ransomware is the dominant payload for attackers at this moment in time. Nuclear served 110,000 Locky droppers in the inspected month, costing victims around $12.7 million.

The victims of this campaign are spread across almost the whole globe: the researchers noted that Nuclear does not attack countries belonging to the Eastern Partnership, in order to avoid law enforcement activity against the developers.

The analysis efforts appear to have had a salubrious effect on the threat landscape. “The puppet masters were apparently startled by our findings,” the researchers said. “Following our previous publication, all known Nuclear servers were shut down.”

Source: Information Security Magazine

US DoD: ‘China Ramped Up Cyber Warfare Capabilities in 2015’

The Chinese military is investing a huge amount of resources into developing its offensive and defensive cyber capabilities, believing them to be the key to seizing “information dominance” in the early stages of any future conflict, according to a new US government report.

The Defense Department’s annual Report to Congress on Chinese military and security was published on Friday and noted that for the first time last year, Beijing described cyberspace as “a new domain of national security and area of strategic competition.”

The Communist Party believes China’s cyber capabilities lag those in rival countries so it has ploughed considerable resources into developing them.

It views “information dominance” as a key strategy to effectively winning a military conflict in its early stages.

The report explained:

“The PLA would likely use Electronic Warfare, cyberspace operations (CO), and deception to augment counterspace and other kinetic operations during a wartime scenario to deny an adversary’s attainment and use of information. Chinese military writings describe informationized warfare as an asymmetric way to weaken an adversary’s ability to acquire, transmit, process, and use information during war and to force an adversary to capitulate before the onset of conflict.”

Cyber warfare capabilities help China in three areas, the DoD continued:

“First and foremost, they allow the PLA to collect data for intelligence and potential offensive cyberoperations (OCO) purposes. Second, they can be employed to constrain an adversary’s actions or to slow response time by targeting network-based logistics, communications, and commercial activities. Third, they can serve as a force-multiplier when coupled with kinetic attacks during times of crisis or conflict.”

The Department of Defense explained its networks had been on the receiving end of Chinese military espionage efforts over the past year, suggesting that the information gleaned could be used to benefit China’s own defense and hi-tech industries, and also to inform party officials about US leadership thinking on the Middle Kingdom.

It added:

“Targeted information could inform Chinese military planners’ work to build a picture of US defense networks, logistics, and related military capabilities that could be exploited during a crisis. The accesses and skills required for these intrusions are similar to those necessary to conduct cyberattacks.”

China has predictably reacted strongly to the report, claiming it has undermined trust between the two superpowers and “deliberately distorted” Beijing’s military policy.

Source: Information Security Magazine

UK Banks Moot Cyber Forum to Bolster Info Sharing

Financial services body TheCityUK has called for the creation of a new Cyber Forum comprising key board members, CISOs and risk managers, to support the government’s attempts to improve information security.

The recommendation came in a new report from the group: Cyber and the City.

It suggests that the forum could be established as a committee of TheCityUK, with links into the BBA and other trade bodies.

It claimed a “steering group of board level cyber risk owners and a working group from the risk or CISO community” would help the financial services industry “mobilize itself around its own defense and to reinforce the goals of government.”

Specifically, a Cyber Forum could help improve information sharing in the industry via platforms such as CISP.

The report continued:

“Information-sharing works when contributors get something back – a committee structure will create peer pressure to contribute which will in turn make contributing more worthwhile. It will also help identify any barriers to contribution (such as customer anonymity or regulatory reaction) that need resolving. The information-sharing should be within the sector, but with links to and from the police and intelligence services to support offensive action against criminals.”

The group could also help to alleviate problems in the jobs market by encouraging apprenticeships and education programs for cybersecurity, as well as encouraging adoption of the government’s Cyber Streetwise and Cyber Essentials initiatives, the report claimed.

A Cyber Forum would also be instrumental in outreach to third parties: to regulators, by putting forward guidelines on cyber assessment; to the Bank of England, by engaging on risk management; and in supporting the development of a UK cybersecurity sector.

The report also suggests that the government could effectively introduce tax breaks to offset the extra investment needed by the financial services sector in these new cyber initiatives – which may not be politically popular.

Andy Buchanan, area VP UK and Ireland for security vendor RES, welcomed the proposed creation of a Cyber Forum.

“For too long there has been a lack of knowledge sharing across all industries, including financial services. As the saying goes, knowledge is power,” he argued. “By sharing information banks would have better, smarter intelligence into how to shore up their defenses and innovate accordingly in the face of a determined, highly adaptive and sophisticated opponent.”

Source: Information Security Magazine

Scammers and Spammers Target Rio Olympics

Security experts are warning Olympics fans to be on their guard ahead of the Rio Games this summer, after spotting numerous spam and phishing campaigns piggy-backing on interest in the event.

Kaspersky Lab analysts Tatyana Shcherbakova and Andrey Kostin explained that the scammers have been ramping up their activities for a year, starting with fake lottery win notifications spoofed to come from the Brazilian government and the International Olympic Committee (IOC).

To claim their winnings, the recipients are asked to provide personal details – clearly a standard phishing tactic.

Spam emails have also been spotted by Kaspersky Lab trying to sell everything from TVs to pills – all using interest in the Olympics as a lure to entice internet users.

Fake ticketing emails require extra work on the scammers’ part and could seem more authentic to unsuspecting sports fans, according to the Russian AV vendor.

It has blocked dozens of newly registered domains containing keywords such as “rio” or “rio2016” which host “good quality imitations” of official ticketing sites.

“The scammers register these domains to make their sites look more credible; for the same purpose, they often buy the cheapest and simplest SSL certificates,” explained Shcherbakova and Kostin.

“These certificates are registered within a few minutes, and certification authorities don’t verify the legal existence of the organization that has issued the certificate. The certificates simply provide data transfer over a secure protocol for the domain and, most importantly, give fraudsters the desired ‘https’ at the beginning of their address.”

Users who input their card details into these sites are effectively giving cyber-criminals access to their bank accounts. They’ll be sent a confirmation that the payment has gone through and that the tickets will be sent a few weeks before the games, in order to keep them in the dark for even longer, according to Kaspersky Lab.

“As a result, the criminals not only steal the victim’s money but deprive them of the chance of attending the Olympics – by the time they realize they won’t be getting the tickets they booked it will be too late to buy genuine tickets … especially if there’s no money in their bank account,” the blog continued.

These are well organized campaigns, with separate but affiliated cybercrime groups operating globally taking various roles – one to create the site, one to register the domain, and so on.

The security vendor urged netizens not to buy via unsolicited emails, and to consult the official website of the Olympic Games which has a list of official regional ticket sellers.
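The practical point in the Kaspersky Lab quote is that a padlock only proves the site controls the domain it registered, so triage of links in a spam run has to look at the domain name itself rather than the scheme. The following Python script is an added example, not Kaspersky Lab’s code: it flags domains that borrow the event’s brand, or that sit within a couple of edits of the official domain, and deliberately ignores whether the link is http or https. Treating rio2016.com as the official domain, the keyword list and the sample links are assumptions constructed for the example; the real allowlist is the list of official regional ticket sellers mentioned above.

```python
"""Added triage script for ticket-scam domains. Not Kaspersky Lab's code.
Flags unofficial domains carrying the event's brand and near-miss lookalikes
of the official domain; the URL scheme is ignored on purpose, since a cheap
DV certificate gives a scam site 'https' just as easily."""
import re
from typing import List, Optional, Tuple

# Assumption for the example: rio2016.com is the official domain.
OFFICIAL_REGISTRABLE = {"rio2016.com"}
BRAND_KEYWORDS = ("rio2016", "olympic", "rio")   # most specific first
LOOKALIKE_TARGET = "rio2016"
MAX_LOOKALIKE_DISTANCE = 2


def split_host(value: str) -> Tuple[str, str]:
    """Return (hostname, registrable domain) for a URL or bare hostname.
    Uses the last two labels; a real tool should use the public-suffix list."""
    host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", value.strip().lower())
    host = host.split("/", 1)[0].split("@")[-1].split(":", 1)[0].rstrip(".")
    labels = host.split(".")
    return host, ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, enough to catch digit/letter swaps like ri02016."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(value: str) -> Optional[str]:
    """Reason a domain looks like a ticket scam, or None if official / unrelated."""
    host, registrable = split_host(value)
    if registrable in OFFICIAL_REGISTRABLE:
        return None
    # Brand keyword anywhere in the hostname, so rio2016.com.evil.net is caught too.
    for kw in BRAND_KEYWORDS:
        if kw in host:
            return f"brand keyword '{kw}' in unofficial domain"
    # Otherwise compare the second-level label against the official one.
    sld = registrable.split(".")[0]
    distance = levenshtein(sld, LOOKALIKE_TARGET)
    if distance <= MAX_LOOKALIKE_DISTANCE:
        return f"lookalike of {LOOKALIKE_TARGET} (edit distance {distance})"
    return None


def triage(values: List[str]) -> List[Tuple[str, str]]:
    """(registrable domain, reason) for every input that classify() flags."""
    out = []
    for v in values:
        reason = classify(v)
        if reason:
            out.append((split_host(v)[1], reason))
    return out


# Constructed sample of links as they might appear in a spam run (not real captures).
SAMPLE_LINKS = [
    "https://tickets.rio2016.com/en",      # official: not flagged
    "https://rio2016-tickets.com/buy",     # brand keyword; has 'https' anyway
    "http://ri02016.com",                  # digit-for-letter lookalike
    "olympicrio-tickets.net",
    "https://example.org/olympics",        # keyword only in the path: not a domain signal
]

if __name__ == "__main__":
    for domain, reason in triage(SAMPLE_LINKS):
        print(f"{domain}: {reason}")
```

The two-label registrable-domain heuristic is wrong for multi-label suffixes such as .com.br (relevant for a Brazilian event), which is why a production version should use the public-suffix list; the keyword check on the full hostname is what keeps brand-in-subdomain tricks from slipping past it.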

Spam and phishing attacks have always been prevalent in the run up to major sporting events but the scammers only really started to focus on the Olympics in the run-up to Sochi 2014, according to Kaspersky Lab.

Source: Information Security Magazine

#InternationalRecyclingDay: Recycle Your Devices, but Wipe Data First

Today is International Recycling Day, a custom which will see many organizations or environmental and conservationist groups around the world conduct campaigns and informative or educational activities on the theme of recycling.

Whilst the key subject of the day is the admirable objective of being green and salvaging old or unwanted equipment, data recovery provider Kroll Ontrack has issued a warning to companies reminding them of the importance of destroying data stored on disused servers, laptops, computers and mobile devices before recycling them.

Most electrical equipment can be recycled, and it is estimated that two million tons of electrical and electronic waste is disposed of in the UK every year – the fastest growing waste stream. It is an effective way of keeping these sorts of devices out of landfill sites and, because some of the old materials or even parts from previous models can be reused, new products don’t rely so heavily on raw materials.

However, recent research from Kroll Ontrack revealed the significant security threats that surround the recycling of electrical equipment if steps are not taken to wipe any sensitive data first.

The firm examined 122 pieces of second-hand equipment, finding that 48% of hard disk drives and solid state drives contained residual data while thousands of leftover emails, call logs, texts/SMS/IMs, photos and videos were retrieved from 35% of mobile devices.

Further, simple deletion or restoring to factory settings does not ensure data will not fall into the wrong hands and although deletion attempts had been made on 57% of the devices, three quarters of the drives still contained residual data, according to Kroll Ontrack.
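The finding that deleted or factory-reset devices still held data comes down to one check that anyone disposing of equipment can run: read the raw device back and look for anything that is not blank. The following Python script is an added example, not Kroll Ontrack’s method. It scans an image sector by sector, treats all-0x00 and all-0xFF sectors as blank (the latter being the erased state of flash), and pulls printable strings and e-mail addresses out of everything else; the eight-sector drive image, the mail fragment in it and the sector size are constructed for the example.

```python
"""Added verification script for residual data on a drive image. Not Kroll Ontrack's code.
Models the case in the article: a file that was only unlinked leaves its sectors intact,
and only an actual overwrite (or the drive's own sanitize command) makes the scan clean."""
import re
from typing import Dict, List

SECTOR = 512                                           # assumption for the example
PRINTABLE = re.compile(rb"[\x20-\x7e]{8,}")            # runs of 8+ printable ASCII bytes
EMAIL = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def scan_image(image: bytes, sector: int = SECTOR) -> Dict:
    """Report how much of the image still carries data and what that data looks like."""
    nonblank = 0
    strings: List[str] = []
    emails = set()
    for off in range(0, len(image), sector):
        chunk = image[off:off + sector]
        if chunk.count(0x00) == len(chunk) or chunk.count(0xFF) == len(chunk):
            continue                                   # zeroed, or flash erased state
        nonblank += 1
        strings += [m.group().decode("ascii") for m in PRINTABLE.finditer(chunk)]
        emails.update(m.group().decode("ascii") for m in EMAIL.finditer(chunk))
    return {
        "sectors": -(-len(image) // sector),           # ceiling division
        "nonblank_sectors": nonblank,
        "strings": strings,
        "emails": sorted(emails),
        "clean": nonblank == 0,
    }


def build_sample_image() -> bytes:
    """Constructed 8-sector image: a mail fragment 'deleted' by a filesystem that only
    unlinked it, so the two sectors that held the message are untouched."""
    image = bytearray(8 * SECTOR)
    message = (b"From: alice@example.com\r\nSubject: Q3 payroll export\r\n"
               + b"employee,salary\r\n" * 40)          # 733 bytes: spans sectors 2 and 3
    image[2 * SECTOR:2 * SECTOR + len(message)] = message
    return bytes(image)


def overwrite(image: bytes, pattern: bytes = b"\x00") -> bytes:
    """Overwrite every byte with a pattern. This is a model of a host-side wipe: on SSDs
    such a wipe does not reach remapped or over-provisioned cells, so use the drive's
    own secure-erase/sanitize command (or crypto-erase on a self-encrypting drive) and
    then verify the readable surface with scan_image."""
    return (pattern * (len(image) // len(pattern) + 1))[:len(image)]


if __name__ == "__main__":
    before = scan_image(build_sample_image())
    print(f"before wipe: {before['nonblank_sectors']}/{before['sectors']} sectors hold data")
    print("recovered:", before["emails"], before["strings"][:2])
    after = scan_image(overwrite(build_sample_image()))
    print("after wipe clean:", after["clean"])
```

Against a real device, read the block device (not a file inside a mounted filesystem) in large sector-aligned chunks and pass each chunk to scan_image; a string straddling a chunk boundary can be split, which only makes the check slightly less sensitive, never falsely clean. A non-zero nonblank_sectors count on a drive that is supposedly wiped is a stop-ship result for the disposal process, whatever the strings turn out to be.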

“Businesses go to great lengths to protect data in equipment they are currently using via encryption, backups, and redundant systems but often the data which has been protected so carefully is easily stolen from disused equipment if not properly destroyed,” said Phil Bridge, managing director of Kroll Ontrack. “If the data was once worth protecting it is worth permanently deleting and businesses in particular need to make sure they dispose of data as carefully as they protected it.”

Paul McEvatt, senior cyber-threat intelligence manager, UK & Ireland, Fujitsu shares a similar view.

“Recycling devices should not just mean ensuring the devices are disposed of in the correct manner but also making sure that the data that remains on the disk is not recoverable,” he told Infosecurity.

“With the right tools and a little bit of knowledge and research, it’s relatively easy to imagine how an individual with malicious intentions could recover information from recycled devices. The devices could contain personally identifiable information, company sensitive information or data that could be used to hold a company to ransom.”

“Organizations should always assume that any data left on a disk can be read by anyone and as such be much more mindful of deleting it securely or through a trusted partner,” he added.

Source: Information Security Magazine

Someone Hacked the Hackers: 500K Accounts Leaked Online

Someone has a sense of irony: a well-known hacker forum, Nulled.IO, has itself been compromised, leading to the release of a treasure trove of data on its users.

Nulled.IO said that it has 473,700 registered users who share, sell and buy leaked content, stolen credentials, nulled software and software cracks. According to Risk Based Security, the database that was leaked includes critical information about the users of the forum, including 536,064 user accounts with 800,593 personal messages, 5,582 purchase records and 12,600 invoices, which seem to include donation records as well.

All of the compromised accounts contain user names, email addresses, encrypted passwords, registration dates and the IP address used at registration. Other tables, such as the nexus transactions table for VIP access payments, contain user IDs (which can be matched back to users in the customers table), payment methods, PayPal emails, dates and costs.

But that’s not all: also included are API credentials for three payment gateways (PayPal, Bitcoin, Paymentwall), 907,162 authentication logs with geolocation data, member IDs and IP addresses, and 256 user donation records that can be matched to users by member ID.

It all means that by simply searching by email or IP addresses, it can become evident who might be behind various malicious deeds. “With this being such a comprehensive dump of data it offers up a very good set of information for matching a member ID to the attached invoices, transactions and other content such as member messages and posts,” RBS noted in a blog post.

Interestingly, RBS uncovered in its analysis that 19 accounts were registered with .gov based domains, including in the United States, Philippines, Brazil, Turkey and others. Eight of the government accounts were marked as “User Group 5,” which is for banned accounts, the rest were either activated members with posts or awaiting activation.

No word yet as to who hacked the hackers, but there’s a good bet on how it happened. Nulled.IO was running the IP.Board community forum commonly known as IP.b or IPb, along with an IP.Nexus Setup for its marketplace as well as VIP forums among a few other IPb plugins.

“While we do not have confirmation as to how this breach occurred at this point, there have been over 4,500 vulnerabilities to date in 2016, and with 185 total vulnerabilities in IP.Board (92 of them do not have a CVE by the way!),” the researchers said. “It is not hard to make a guess.”

Source: Information Security Magazine

Anonymous #OpIcarus Hits Bank of England Email

Attackers affiliated with the Anonymous collective have claimed to have taken down the Bank of England’s internal email server.

According to Anon News, the attack was part of an operation dubbed ‘OpIcarus.’ The websites of the National Reserve Bank of Tonga, the Federal Reserve Bank of Boston and the central banks of Sweden, Myanmar and Laos were also claimed to have been hit.

Stephanie Weagle, senior director at Corero Network Security, said: “While the impact on the individual targets of the DDoS attack campaign ‘OpIcarus’ is unclear, obstructing or eliminating the availability of email servers is significant. In an online world any type of service outage is barely tolerated, especially in the banking industry where transactions and communications are often time-sensitive, and account security is of utmost importance.”

In January, a statement about OpIcarus said that the power behind the throne lies “within the global financial system, centered within the New York Stock Exchange and Bank of England”.

It went on to say: “We must strike at the heart of their empire by once again throwing a wrench into the machine, but this time we face a much bigger target; the global financial system. This time our target is the New York Stock Exchange and Bank of England.”

“This is a call to arms my brothers who for too long have stood for nothing but have criticized everything. Stand now, behind the banner of free men against the tyrannical matrix of institutions that oppose us. Ready your weapons and aim them at the New York Stock Exchange and Bank of England. This is the operation to end all others. Innocent people may stand to lose something from this but the powers that be stand to lose much more.”

Federico de-la-Mora, vice-president in EMEA at Lastline, said: “Based on the coverage across the media, the Waking Shark exercise was indeed a success. However, this recent breach at the Bank of England brings to the fore three key points in cybersecurity: First, it is not possible to eliminate all the cyber risk. Organizations would require an unlimited amount of resources and budget to close all the gaps, and even then new ones would be likely to appear.

“Second, cybersecurity professionals are taking a more pragmatic approach to protect their organizations. They focus their limited resources to protect the organization’s most critical assets and applications to ensure the continuity of the business. Something we can’t answer based on the available information is whether the Bank of England considers its internal email a critical service or not. The answer is likely yes, but with so many alternative communication technologies, the downtime might have had a more limited impact.

“Finally, scenario planning supported by exercises like Waking Shark has limitations. For instance, it is not possible or practical to simulate all the critical scenarios or to implement timely defenses for new vulnerabilities identified during the exercise. As a result, it’s important for organizations to implement robust breach detection processes and the Incident Response capability to deal with a breach.”

Source: Information Security Magazine