
Archive for the News Category

Trend Micro: Major Q3 Attacks Could be Sign of Things to Come

Trend Micro blocked 12.6 billion threats in Q3, a 20% decrease from 2012, but warned that seismic security incidents during the period could be an indication of the kind of threats facing individuals and businesses going forward.

The third quarter saw some of the “worst-case security scenarios ever imagined,” according to the vendor's Security Roundup report for the period.

First came the attack on Hacking Team, reported back in July, in which 400GB of stolen data was exposed, leading to the discovery of five new zero-day flaws and specialist spying tools for iOS and Android.

One of these vulnerabilities was added into the Angler EK and used in attacks in South Korea and Japan and another in attacks on sites in Taiwan and Hong Kong.

Then came the Ashley Madison data dump, which it is claimed led to follow-up extortion and blackmail attacks on those exposed, even resulting in reports of suicide.

Trend Micro even discovered some honeypots it set up were used to create profiles on the site, leading some to speculate that some innocent netizens may also have been caught up in the fall-out from the attack.

The report had the following analysis:

“We believe we will see more of these chain reaction-type attacks. Bigger and better-secured organizations may experience breaches of their own if ever attackers successfully manage to leech off data from their smaller, less-secure partners. Consumers may also find their personal information at risk if companies continue to get breached due to this lateral progression of attacks.”

Elsewhere, the quarter saw another major Android vulnerability—Stagefright—and even trojanized apps built with a malicious version of Xcode were found on the App Store, putting iOS users at risk.

Although Trend Micro still blocked 1,588 threats per second, the figure continues to fall from its 2012 highs, possibly due in part to attackers focusing their efforts on “well-chosen victims for better results,” the company said.

Trend Micro chief cybersecurity officer, Tom Kellermann, argued that incident response plans must be tweaked to manage the “secondary stages of attacks.”

“Intrusion suppression will become the goal of incident response as it is imperative that the dwell time of an adversary be limited. We must disrupt the capacity of an adversary to maintain a footprint on hosts, and thus inhibit their ability to conduct secondary infections,” he added.

“Virtual shielding, integration of breach detection systems with SIEMs, and file integrity monitoring will be key instruments in mitigating the punitive attacks of 2016.”

Source: Information Security Magazine

Casinos and Video Piracy Mark Malware Campaign Affecting 1 Million

Three casino websites were the decoys for one of the largest malvertising attacks seen to date.

Researchers at Malwarebytes Labs have identified a campaign that’s been active for at least three weeks, preying on visitors of sketchy websites offering things like free downloads of copyrighted movies, pirated live streams, pirated software and more. Those websites host malicious ads, which then redirect the victim to one of the casino websites (pennyslot.net, playcasino77.com and onlinecasinofun.org).

From there, the sites would silently load malicious iframes from disposable domains which ultimately led to the Angler exploit kit. In one case, the casino website was a direct gateway to Angler EK.

Further, the malvertising campaign used a surprising 30 or more different pieces of malware to infect victims. Researchers found the infamous CryptoWall ransomware as well as the Bunitu Trojan.

The impact is widespread.

“In all likelihood, a very large number of people were exposed to malware because of this campaign,” said Jerome Segura, senior security researcher at Malwarebytes Labs, in a blog. “When looking at the number of visitors to those websites, we see a troubling pattern. Before September, the traffic for all three combined was almost non-existent, but by mid-October, traffic spiked through the roof for a total of more than 1 million monthly visits.”

Because the campaign affected dubious publishers likely to turn a blind eye to ‘advertising issues’ and visitors knowing they were consuming illegal content, there was little reason for anybody to report the incident. The ad networks were almost all registered via Domains By Proxy LLC, meaning no information was available about the registrant.

“In fact, each of these malvertising attacks taken on its own does not stand out, but realizing that they were all connected gives us the bigger picture in how large of an operation this was,” Segura said.

But they were all registered through GoDaddy and sat on the same ASN, AS15169, which led the researchers to believe they were all related to one another. Going through 10 ad domains, AdCash was one of the advertising networks affected—and it is through this outlet that Malwarebytes was able to report the campaign.

A look at some of the stats behind those ad domains shows some staggering numbers. According to SimilarWeb, a service that estimates website traffic and provides various analytics, these ad networks generated over 2 billion visits in October.

“To be clear, this is not how many people were exposed to malvertising since this only affected a few particular rogue campaigns, and not all campaigns running on these networks,” Segura added.

The stats of the casino sites that acted as the intermediary for the exploit kit are interesting as well. Before September, the traffic on those three domains was almost non-existent; once the campaign started, traffic spiked through the roof for a combined total of more than 1 million visits.

Source: Information Security Magazine

IBM: Ransomware, Insider Threats Top 2015 Cyber-Trends

2015 has been a challenging year as insider threats and malware as well as stealthy and evolving attacks affected enterprises. Taking stock, IBM Security has identified the top four cyber-threat trends of the year: amateur hacker carelessness, ransomware, insider threats and C-suite attention.

The first notable trend is amateur hackers exposing sophisticated criminals in onion-layered attacks. While 80% of cyberattacks are driven by highly organized and sophisticated online crime rings, it is often inexperienced hackers (“script kiddies”) who unknowingly alert companies to these larger, sophisticated hackers lurking on a network or inside an organization. These amateur hackers leave clues like unusual folders or files in a temporary directory, deface corporate web materials, and more. When organizations look into these mischievous attacks, they often find much more complex attacks.

“As the name suggests, an onion-layered security incident is one in which a second, often significantly more damaging attack is uncovered during the investigation of another more visible event,” the firm said in its Q4 2015 IBM X-Force Threat Intelligence Quarterly report. “The security team has to carefully peel back layers of forensic information in order to determine the root cause of each event under scrutiny.”

Also, it’s almost undeniable that 2015 was the year of ransomware, with this type of infection ranking as the most commonly encountered. In fact, the FBI reported that CryptoWall ransomware attacks netted hackers more than $18 million between 2014 and 2015. IBM researchers believe that it will remain a common threat and profitable business into 2016, migrating to mobile devices as well.

“For ransomware to succeed, attackers rely on a multitude of security and procedural breakdowns. In some cases, clients had recurring infections during the year,” IBM said. “This was because, although some of the factors leading to infection were addressed and resolved, nothing was done to resolve the fundamental breakdowns that facilitated the initial infection.”

Those breakdowns include not backing up data, poor patching procedures and a lack of user awareness.

The report also noted the ongoing danger of malicious attacks from inside a company. This is a continuation of a trend seen in 2014 when IBM’s 2015 Cyber Security Intelligence Index revealed that 55% of all attacks in 2014 were carried out by insiders, individuals with insider access to an organization’s system, knowingly or by accident.

A series of patterns emerged from the ERS team’s investigations:

• There were shared accounts with administrative privileges.

• Password sharing between team members was not discouraged.

• Passwords were routinely set to never expire.

• Passwords were “easy.”

The common thread is that accountability was not enforced.

“Bad password policies seriously compromised the efficacy of termination procedures,” IBM said. “Whenever a system or network administrator left the organization, disabling their personal accounts did not limit their ability to perform unauthorized activity on the network via one or more of the shared accounts they had routinely used in their job. As a result, ex-employees with ill will toward former employers held powerful weapons they could use to express their resentment. They simply needed a way to get back into the network.”
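The offboarding gap IBM describes, as an added example that is not IBM's or the report's code: an audit over a constructed account inventory that flags the four patterns listed above (shared admin accounts, password sharing, never-expiring and easy passwords) and shows which shared accounts a departing administrator still knows after only their personal account is disabled. The account records and the `COMMON` password list are assumptions.

```python
"""Constructed account inventory audit (added example, not IBM's code)."""

# Constructed sample inventory. 'shared' marks an account meant for more
# than one person; 'used_by' records everyone known to have used it;
# 'never_expires' reflects the password-expiry setting.
ACCOUNTS = [
    {"name": "alice", "admin": False, "shared": False,
     "used_by": {"alice", "dan"},            # personal account, password shared
     "never_expires": False, "password": "correct-horse-battery-staple"},
    {"name": "svc_backup", "admin": True, "shared": True,
     "used_by": {"alice", "bob"},
     "never_expires": True, "password": "backup1"},
    {"name": "dbadmin", "admin": True, "shared": True,
     "used_by": {"bob", "carol"},
     "never_expires": True, "password": "Password1"},
    {"name": "bob", "admin": True, "shared": False,
     "used_by": {"bob"},
     "never_expires": False, "password": "Tr0ub4dor&3-long-enough"},
]

# Assumed short list of commonly chosen passwords for the 'easy' check.
COMMON = {"password", "password1", "backup1", "admin", "welcome1"}


def is_easy(password):
    """An 'easy' password here is one on the common list or shorter than 12."""
    return password.lower() in COMMON or len(password) < 12


def policy_findings(accounts):
    """Return (account, finding) pairs for the four ERS patterns."""
    findings = []
    for acct in accounts:
        if acct["shared"] and acct["admin"]:
            findings.append((acct["name"], "shared-admin"))
        if not acct["shared"] and len(acct["used_by"]) > 1:
            findings.append((acct["name"], "password-shared"))
        if acct["never_expires"]:
            findings.append((acct["name"], "never-expires"))
        if is_easy(acct["password"]):
            findings.append((acct["name"], "easy-password"))
    return findings


def offboarding_plan(accounts, leaver):
    """Accounts to disable and shared accounts whose passwords must be
    rotated when 'leaver' departs; rotation is what closes the gap."""
    disable = [a["name"] for a in accounts
               if not a["shared"] and leaver in a["used_by"]]
    rotate = [a["name"] for a in accounts
              if a["shared"] and leaver in a["used_by"]]
    return {"disable": disable, "rotate": rotate}


def residual_access(accounts, leaver, disabled):
    """Accounts the leaver has used that are still live after only the
    accounts in 'disabled' were turned off: the ex-employee's way back in."""
    return [a["name"] for a in accounts
            if leaver in a["used_by"] and a["name"] not in disabled]


if __name__ == "__main__":
    for name, finding in policy_findings(ACCOUNTS):
        print(f"{name}: {finding}")
    print("plan for bob:", offboarding_plan(ACCOUNTS, "bob"))
    print("still usable by bob:", residual_access(ACCOUNTS, "bob", {"bob"}))
```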

And the final trend could be entitled “C-Suite Cares.” In 2015, cybersecurity became a true concern at the boardroom level, with more positions of power asking questions about their organizations’ security posture. In fact, a recent survey of CISOs by SMU and IBM revealed that 85% of CISOs said upper-level management support has been increasing, and 88% said their security budgets have increased.

“Organizations today are going back to the basics. The major cybersecurity trends of 2015—the challenge of recognizing stealth attackers on the network, ransomware, malicious insider attacks and growing management attention to enterprise security readiness—can largely be addressed by focusing on security 101,” IBM said. “Think patch management, user education, proper password procedures and standard security practices.”

Source: Information Security Magazine

Threat Intelligence Will Be UK Firms’ Investment Priority For 2016

UK firms are failing to capitalize on a holistic and integrated view of security performance, as performance, skills and costs remain the biggest hurdles to true data-driven security over the coming year, research from IDC and SecureData has revealed.

Almost all (96%) UK firms already use threat intelligence products and services, and every one intends to do so within the next 24 months. There were clear benefits for doing so: companies saw that use of such products could bring about faster attack detection and response (55%), better understanding of threats and attacks (43%), and discovery of new or unknown threats (42%).

Yet the survey also revealed a number of major challenges that needed to be addressed such as optimizing performance and response times (75%), training and expertise (59%), and the costs of tools, maintenance and personnel (52%). Analytics-based issues were also found to be a significant hurdle. Correlating events (49%) and reducing false positives/negatives (36%) were the highest ranking worries in this regard. Two-thirds of organizations (66%) plan to invest in Big Data analytics engines, but only a quarter are ready to invest in third-party intelligence products or services.

Only a third of those surveyed by IDC believe that threat intelligence includes intrusion monitoring or the sharing of information within the security community (35%). An even smaller group includes analytics either based on behavior (6%) or correlation of security data (6%), while just 3% believe cloud-based intelligence sharing is part of threat intelligence.

Among the most concerning findings in the report was the trend for many organizations to collect a substantial amount of information across their IT security infrastructure, but then fail to integrate it with their threat intelligence platform. Just under three-fifths of respondents were found to integrate data from their firewall or UTM devices, while almost half (47%) of the 86% of organizations using an MDM to manage mobile devices integrate data from that system with their threat intelligence platform. Only a third of firms correlate external data, such as threats or attacks on peer companies, with their threat intelligence platform.

“Threat intelligence is not simply information,” commented IDC research director Duncan Brown. “It is a service delivering a collated and correlated range of data feeds and sources to provide actionable advice to security operations. Getting this holistic view of security beyond IT is critical to understanding the full context of threat information, but our study suggests firms are taking a somewhat traditional view of intelligence that discounts more innovative developments.”

“IDC’s findings suggest Chief Information Security Officers are not considering the wider context in which their business operates, either from a physical security and application security perspective, or from a broader industry viewpoint,” added SecureData CEO Etienne Greeff. “Nevertheless, the fact they recognize the importance of increased context and intend to invest in such insight as a priority is encouraging as it will enable them to adopt an offensive security posture – one that mitigates the ever-expanding attack surface and better protects their infrastructure, applications and valuable information assets.”

Source: Information Security Magazine

UK’s NCA Shares Threat Data with 50 Web Hosters

The UK’s National Crime Agency is claiming a new threat information sharing initiative has already helped web hosters reduce the threat to their servers by 12%, potentially saving them millions.

The NCA said last week that it shared details related to over 30,000 separate threats with internet hosting companies as part of a joint program with CERT-UK.

Around 50 organizations took part over a near three-month-long program, using info on malware infections, phishing attacks, DDoS and command and control (C&C) systems to help take remedial action.

The crime agency’s initial analysis claimed the 12% reduction in the volume of malicious domains over a whole year could reduce cybercrime losses by “tens of millions of pounds.”

Specially trained officers from police Regional Organised Crime Units (ROCUs) are now being sent out to support those organizations that benefited from the threat intelligence.

“Working with industry to jointly combat cybercrime is a priority for the NCA, and sharing timely, customized intelligence with hosting companies can contribute to the protection of the UK internet infrastructure,” said NCA industry partnerships boss Paul Hoare.

“Many alert recipients have taken timely action against the threats identified, and this is likely to have prevented losses to individuals and businesses further down the line.”

The threat alerts are also available to firms who sign up to the government’s Cyber-security Information Sharing Partnership (CISP) initiative, designed to improve situational awareness for members by facilitating the sharing of threat and vulnerability information.

Governments and their law enforcement and intelligence agencies are increasingly being put under pressure to share the wealth of threat information they collect with the private sector, in order to bolster the resilience and economic well-being of UK PLC.

BH Consulting founder and Europol advisory group member, Brian Honan, welcomed the news.

"Many though have criticized these initiatives as being primarily one way, whereby information from the private sector is going into the public sector but very little is coming back in return. This type of sharing from the NCA is a welcome change to that status quo and the quality of the information they share will be of major benefit to the ISPs," he told Infosecurity.

"One can only hope that now the ISPs have real actionable information they will work on it to make the internet a safer place for all."

In the US, efforts to legislate on such matters have backfired, after rights groups and technology giants came out against the Cybersecurity Information Sharing Act, which was nevertheless passed by the Senate last month.

Its opponents argue that the law could introduce major privacy issues and even make it harder for international firms to do business with their US counterparts.

Source: Information Security Magazine

New POS Malware Lands Ahead of Busy Festive Shopping Season

Security researchers are warning of a new POS malware strain which has the potential to cause yet more pain for retailers and their customers in the run up to the busy festive season.

AbaddonPOS was initially discovered by Proofpoint analysts as it was being downloaded as part of a Vawtrak infection, they wrote in a blog post.

Specifically, it was delivered via either weaponized Office documents downloading Pony malware or an Angler EK Bedep infection. The downloader TinyLoader was then loaded by Vawtrak to fetch more shellcode, finally triggering AbaddonPOS.

AbaddonPOS is only around 5KB in size but has been fitted with anti-analysis and obfuscation techniques to prevent manual and automatic analysis.

For example, it uses a CALL instruction to hinder static analysis.

Most of the malware’s code is not obfuscated, however, except for the code used to encode and transmit stolen credit card data.

It then relies on a custom binary protocol, rather than HTTP, to exfiltrate the stolen data.

The firm concluded:

The practice of threat actors to increase their target surfaces by leveraging a single campaign to deliver multiple payloads is by now a well-established practice. While using this technique to deliver point of sale malware is less common, the approach of the US holiday shopping season gives cyber-criminals ample reason to maximize the return on their campaigns by distributing a new, powerful PoS malware that can capture the credit and debit card transactions of holiday shoppers.

AbaddonPOS isn’t the only piece of malware set to cause problems for retailers as they prepare for the busy Christmas shopping period.

Cherry Picker has been active since 2011 but remained under the radar thanks to its highly covert nature, according to Trustwave.

The POS malware apparently cleans itself from an infected system once it has found what it was looking for, using remote software TeamViewer to remove and overwrite files and logs.

Source: Information Security Magazine

Google Preps New Service after Global Email Encryption Warning

Email encryption is getting better but certain countries are deliberately preventing SSL requests from initiating, undermining industry efforts, according to a new report from Google.

The study, in partnership with the University of Michigan and the University of Illinois, reveals that overall email security is better than it was two years ago.

Notably, the share of encrypted emails received by Gmail from non-Gmail senders during the period increased from 33% to 61%.

In addition, the percentage of messages encrypted with TLS sent from Gmail to non-Gmail addresses increased from 60% to 80%.

And over 94% of inbound messages to Gmail were said to have carried some form of authentication.

But there were also causes for concern, as Google wrote in a supporting blog.

“First, we found regions of the internet actively preventing message encryption by tampering with requests to initiate SSL connections. To mitigate this attack, we are working closely with partners through the industry association M3AAWG to strengthen ‘opportunistic TLS’ using technologies that we pioneered with Chrome to protect websites against interception.

Second, we uncovered malicious DNS servers publishing bogus routing information to email servers looking for Gmail. These nefarious servers are like telephone directories that intentionally list misleading phone numbers for a given name. While this type of attack is rare, it’s very concerning as it could allow attackers to censor or alter messages before they are relayed to the email recipient.”

In Tunisia, Iraq, Papua New Guinea, Nepal, Kenya, Uganda and Lesotho, over 20% of emails are delivered without encryption because devices in the network path force the connection back to plain text. In Tunisia the figure is above 96%.

This so-called “STARTTLS stripping” happens on over 60% of the 700,000 SMTP servers Google found in the world that are still failing on encryption.

The Mountain View giant said that, to help notify users of possible dangers, it is looking to roll out new functionality that will alert them when they receive an email over a non-encrypted connection.

Source: Information Security Magazine

Key Positive Enterprise Trends Emerge in Cybersecurity

Although cybersecurity incidents are daily news, with reports of escalating impacts and costs that are sometimes measured in the billions, at least one survey has identified new reasons for optimism.

According to the Global State of Information Security Survey 2016 from PricewaterhouseCoopers (PwC), the vast majority of organizations—91%—have adopted a security framework or, more often, an amalgam of frameworks.

The most frequently followed guidelines are ISO 27001, the US National Institute of Standards and Technology (NIST) Cybersecurity Framework and SANS Critical Controls. Respondents say adoption of these types of guidelines enable them to identify and prioritize threats, quickly detect and mitigate risks and understand security gaps.

A risk-based framework allows companies to better communicate and collaborate on cybersecurity efforts, internally and externally. These frameworks also can help businesses design, monitor and measure goals toward an improved cybersecurity program. And many say that risk-based standards have helped ensure that sensitive data is more secure.

In another extremely positive trend, PwC noted that technology advances can dim the focus on the cybersecurity competencies and training of people. So it is encouraging to find that top security executives and Boards of Directors are playing increasingly prominent roles.

This year, 54% of respondents reported they have a CISO in charge of their security program, and 49% have a CSO. Today’s CISO is a business manager who should have expertise not only in security but also risk management, corporate governance and overall business objectives.

Also, 46% of survey respondents said their Board participates in information security budgets, which may have contributed to this year’s significant boost in security spending. Other notable outcomes include identification of key risks, helping foster an organizational culture of security and better alignment of information security with overall risk management and business goals.

Also, the report noted that 59% of respondents leverage Big Data analytics to model and monitor for cybersecurity threats, respond to incidents, and audit and review data to understand how it is used, by whom and when.

This is important, considering that a data-driven approach can shift cybersecurity away from perimeter-based defenses and enable organizations to put real-time information to use in ways that can help predict cybersecurity incidents. Data-driven cybersecurity allows companies to better understand anomalous network activity and more quickly identify and respond to cybersecurity incidents.

Some businesses are combining Big Data with existing security information and event management (SIEM) technologies to generate a more extensive view of network activity. Others are exploring the use of data analytics for identity and access management to monitor employee usage patterns, flag outliers and identify improper access.

And finally, speaking of data sets, another positive trend is partnering up to sharpen security intelligence. Over the past three years, the number of organizations that embrace external collaboration has steadily increased, the report found. This year, 65% of respondents said they collaborate to improve cybersecurity and reduce cyber-risks, up from 50% in 2013.

And those that do work with others cite clear benefits. Most organizations say external collaboration allows them to share and receive more actionable information from industry peers, as well as Information Sharing and Analysis Centers (ISACs), government agencies and law enforcement. Many also say information sharing has improved their threat awareness.

Source: Information Security Magazine

InstaAgent Pulled After Stealing User Names and Passwords

A popular mobile app has been pulled from Google Play and the App Store after a researcher warned that it lifted users' names and passwords without their knowledge.

Users of InstaAgent have been urged to change their Instagram passwords immediately after the news came to light.

The app, which was popular in the UK and downloaded by hundreds of thousands of users, promised to show users who was viewing their profile.

But German developer David Layer-Reiss took to Twitter on Tuesday to warn users that the app was stealing their log-in credentials in order to do so. It was also found to be posting ads into users’ accounts.

The developer allegedly behind the controversial app, Turker Bayram, has issued an apology in broken English.

“Please be relax. Nobody account is not stolen,” he said. “Your password never saved unauthorized servers. There is nothing wrong. But again and again we apologize from our precious users.”

Not content, Layer-Reiss has raised question marks over the man behind the app and his company, “Zunamedia.”

“Another strange fact is that it is nearly impossible (for me) to identify the developer of InstaAgent (his AppStore dev name was Turker Bayram). And why didn't the #InstaAgent developer sign his statement?” he wrote in a blog post.

“And if you are making an WHOIS to the zunamedia.com server you cannot get any informations because of domains proxy. Why is he hiding his identity? Who is Zunamedia ?”

Rapid7 security research manager, Tod Beardsley, claimed it was unusual that both Google and Apple approved such a dubious looking app.

"While the direct motive for the malicious app developer was to spread spam links via hijacked Instagram accounts, he now has a library of about a half a million username and password combinations,” he explained.

“Since people routinely reuse passwords for various social media sites, we recommend that anyone who mistakenly installed the InstaAgent app immediately change not only their Instagram password, but also the password for any other site where they use the same password, as well as any password that is similar enough that it could be easily guessed.”

Source: Information Security Magazine

Former Council Worker Aces SANS Cyber Academy Exams

A civil servant who worked for Newcastle City Council for 15 years has come top of the class at the new SANS Cyber Academy with one of the highest ever scores in the GIAC information security exams.

Ross Bradley, who spent the past decade and a half processing parking fines for the local authority, has a bright future ahead of him in the cybersecurity industry after acing the internationally recognized qualifications.

The results are a coup for SANS but also highlight the possibility of finally reducing chronic skills shortages in the industry.

The training institute launched what it claimed to be the world’s first ‘cyber boot camp’ back in April with the aim of getting recent graduates up to speed with real world infosecurity skills so they can more easily walk into a paid job.

With this in mind, the Cyber Academy compresses two years’ worth of training into just eight weeks, with only 31 “high potential” students chosen from over 25,000 candidates after completing an aptitude test.

Bradley and his fellow students completed the GIAC exams with scores which put them in the top 10% worldwide, SANS said.

"I was wary of quitting my job and starting the Academy, especially when I saw that people working in forensics and with degrees were going. I thought to myself, ‘I don’t have a degree, I just work for the council’, but I’m glad I went,” said Bradley.

“I wasn’t expecting to do so well but I knew I had to work extremely hard. I put a lot of work in and I’m glad it paid off.”

Fellow student, Kate Booth, a former university lecturer, praised the academy for offering an alternative way for women to enter what is still a very male-dominated industry.

“I was always interested in maths and science when I was at school and my parents gave me a lot of encouragement to do what I was interested in, but we need to do more as a country to support women into cybersecurity,” she explained.

“There is still a way to go, but initiatives like this can really help women to break through.”

Source: Information Security Magazine