Intelligent Connections. Recruiting Integrity.
Call Us: 415-510-2973

Archive for the News Category

Spear-Phishing Campaign Targeted Ukrainian Government as Early as 2014

Spear-Phishing Campaign Targeted Ukrainian Government as Early as 2014

A spear-phishing email campaign targeting government entities in Ukraine could have been active as early as 2014, according to FireEye.

In a blog post published on April 16, 2019, FireEye Threat Intelligence found the latest spear-phishing email in early 2019, which included a "malicious LNK file" with PowerShell script to download the second-stage payload from the command-and-control (C&C) server. The email was received by military departments in Ukraine and included lure content related to the sale of demining machines.

According to FireEye, "This latest activity is a continuation of spear phishing that targeted the Ukrainian Government as early as 2014." The company also wrote that the infrastructure analysis indicated the actors behind the intrusion activity may be associated with the so-called Luhansk People's Republic (LPR).

The email, sent on January 22, 2019, used the subject "SPEC-20T-MK2-000-ISS-4.10-09-2018-STANDARD," and the sender was forged as Armtrac, a defense manufacturer in the United Kingdom. An attachment included a 7z package with two benign documents and a one malicious LNK file.

"Compilation times indicate that this actor, who focused primarily on Ukraine, may have been active since at least 2014," the blog post says. "Their activity was first reported by FireEye Threat Intelligence in early 2018. They gradually increased in sophistication and leveraged both custom and open-source malware."

Ukraine legislation describes so-called LPR as "temporarily occupied territory" and its government as an "occupying administration of the Russian Federation," according to FireEye. 

"While cyber-espionage is regularly leveraged as a tool of state power, this capability is not limited to states," said John Hultquist, director of analysis, FireEye. "Just as new state actors are consistently drawn to this practice, many sub-state actors will inevitably develop capabilities as well, especially those with the resources of a state sponsor or nominal control of territory.

"It is not uncommon for nascent, geographically limited operations to mature over time and step outside of their region. This has been the case with several actors we regularly track in the Ukraine, where threats to elections and industry developed into the operations we saw during the 2016 elections and the NotPetya event."

Example of Spear-Phishing Email. Source: FireEye
Example of Spear-Phishing Email. Source: FireEye

Source: Information Security Magazine

Support Services Websites Cut Off from UK Public by Gov-Backed ISPs

Support Services Websites Cut Off from UK Public by Gov-Backed ISPs

Charity, school and social support websites are being blocked by "overzealous" web filters, which have been designed to protect children from harmful online content. 

According to a study from VPN comparison service Top10VPN.com and Open Rights Group, "In the last two years around 700,000 websites have been blocked by UK ISPs in a Government-backed attempt to protect vulnerable users online."

The report analysed the results of tests on 35 million unique domains across 15 ISPs and mobile providers. The content filters are active in 3.7 million British households, plus mobile phone users who haven't opted out.

The study says that "due to a combination of keyword-based, crude and highly opaque filtering systems," over 400 UK charities, social support and school websites have been hit the hardest. These systems have been found to prevent adults from accessing vital information about drug and alcohol addiction, mental health support and sexual and domestic abuse.

The indiscriminate nature of these filters is underlined by the fact that fewer than 5% of cases of previously blocked sites have failed to be overturned since 2017, while 1,300 blocks were reversed, suggesting that many more have been, and remain, incorrectly censored. The issue is compounded by the fact that many businesses and charities are rarely aware that ISPs are blocking their websites unless their own providers are also filtering them.

Jim Killock, executive director at Open Rights Group, said: “Filters are fundamentally bad products that block too much and too little. Our report shows that website publishers are suffering the consequences. The only decent solution is to be very cautious about using filters. People should only use them if they are clear that they are necessary. Unfortunately, many filters are opt-out, so too many people and homes are using them needlessly.

“ISPs are using out-of-the-box solutions from third parties and so tend to pass the buck on queries about filtering. What we need is greater transparency into how ISPs are blocking sites. It should not be down to the volunteer efforts of donation-driven services such as blocked.org.uk to deal with the problems that this government policy has created.”

The study also found that small businesses had fallen foul of the "aggressive" filters. Drainage companies, for example, had been caught up in ISP filters for using terms like "unblock" under the assumption they are censoring web anonymizers and proxies.

Simon Migliano, head of research at Top10VPN.com, explained: “A well-intentioned scheme by the government to protect children from harmful content online has become a textbook example of ill-thought-out and ham-fisted censorship. The irony is that the original intent was to protect the vulnerable online whereas now in-need adults are struggling to find vital information, and charities and support centers are being stifled by indiscriminate filters.

“This is a prime example of what happens when you use a blunt instrument for a delicate task. These crude and decidedly intransparent filters are hurting more than they are helping, and the responsibility to improve this dire situation should now sit with the ISPs and the government.” 

This issue is compounded by the complexity of getting innocent sites unblocked and the response rate in rectifying these issues. Almost three in 10 (27.6%) unblock requests to ISPs from 2018 are still unresolved, with TalkTalk and Virgin Media as the worst offenders.

Source: Information Security Magazine

Fortinet to Pay $545,000 for Violating False Claims Act

Fortinet to Pay $545,000 for Violating False Claims Act

Network security company Fortinet has agreed to pay $545,000 to resolve allegations that it violated the US's False Claims Act.

According to the settlement agreement made public on April 12, 2019, "Fortinet acknowledged that during the more than seven years between January of 2009 and the fall of 2016, a Fortinet employee responsible for supply chain management arranged to have labels on certain products altered to make the products appear to be compliant with the Trade Agreement Act (TAA). A portion of the products was resold through distributors and subsequent resellers to U.S. government end users." 

“Today’s announcement illustrates the continuing commitment of the US Attorney’s Office and our law enforcement partners to identify and prosecute fraudulent schemes relating to the sale of goods to the United States,” said US Attorney David L. Anderson.  

“Contractors that supply the US government with Chinese-made technology will be pursued and held accountable when violating the Trade Agreement Act,” said Defense Criminal Investigative Service (DCIS) Special Agent in Charge Bryan D. Denny. “The DCIS and its law enforcement partners are committed to combating procurement fraud and cyber-risk within US Department of Defense programs.”

The TAA prohibits certain government contractors from purchasing products that are not entirely from, or “substantially transformed” in, the United States or certain designated countries. According to the public announcement, in this case Fortinet acknowledged that the "Responsible Employee" directed certain employees and contractors to change product labels so that no country of origin was listed or to include the phrases “Designed in the United States and Canada,” or “Assembled in the United States.”  

According to Fortinet's website, the company serves government organization customers. Some of these include Alamance County in North Carolina and Salt Lake County in Utah. 

The company has agreed to pay $400,000 and to provide the United States Marine Corps with additional equipment valued at $145,000.  

The lawsuit was filed by former Fortinet employee Yuxin “Jay” Fang under the qui tam provisions of the False Claims Act. It was then investigated by the U.S. Attorney’s Office of the Northern District of California, along with other government organizations.

“This settlement displays the steadfast commitment of our agents and our federal law enforcement partners,” said the U.S. Army Criminal Investigation Command’s (USACIDC's) director of major procurement fraud unit, Marion "Frank" Robey. “This settlement is a clear signal to the supply community doing business with the Department of the Army; fraud will not be tolerated in any way, shape or form.” 

Source: Information Security Magazine

NCSC Launches 2019 Cybersecurity Accelerator

NCSC Launches 2019 Cybersecurity Accelerator

The UK’s National Cyber Security Centre (NCSC) has launched its latest annual search for the hottest cybersecurity start-ups in the country.

The NCSC Cyber Accelerator is a government-funded initiative that claims to have doled out £20m in investment since its launch in 2017, offering up the expertise of NCSC and its parent organization GCHQ to help nurture talent.

It’s ultimately hoped that these star companies will go on to build products and services that not only enrich the UK economy but also make the country the safest place in which to live and work online.

“This call will allow us to cast the widest net possible for attracting start-ups developing technologies that will better protect us now and in the future,” said NCSC deputy director for skills and growth, Chris Ensor.

“We’ve worked with 23 companies over the past few years, offering them unique technical insights that have helped them grow their ideas and business.”

Some 16 of these firms have graduated from the nine-month program. As well as exclusive access to NCSC and GCHQ, it offers a £25,000 grant and access to the investor network of Telefonica start-up accelerator Wayra, which is co-hosting the program.

“The NCSC Cyber Accelerator, powered by Wayra UK, is representative of how Britain’s intelligence, cyber and security services, have evolved to counter emerging threats by supporting businesses on the frontiers of new tech innovation,” argued Wayra UK director, Gary Stewart.

“We’re proud to be a leading partner in identifying and nurturing the fourth cohort of start-ups that will help keep Britain safe for the next 100 years.”

Interested companies have until 23:59 on April 28 2019 to apply.

Source: Information Security Magazine

TSB Offers to Cover APP Fraud Losses

TSB Offers to Cover APP Fraud Losses

UK bank TSB has promised to refund any customers that may be hit by so-called “authorized push payment” (APP) fraud, which is on the rise around the globe.

The high street lender is hoping to differentiate from its rivals, many of whom take a more uncompromising stance on this type of scam.

Unlike transaction fraud, account takeovers or account creation fraud, where the malicious activity happens without the victim’s knowledge, APP fraud occurs when an account holder is tricked into making a payment to another account.

There are two main types. In malicious payee fraud the victim authorizes a payment without realizing it's actually a scam, while in malicious redirection the victim intends to pay a legitimate payee but the fraudster directs them to pay a third-party instead.

TSB announced its Fraud Refund Guarantee on Monday, pointing to figures that over £1.2bn was stolen by fraudsters from UK banking customers last year.

Of that figure, a rather smaller sum of £354m was lost to APP fraud, although this had jumped 50% from 2017. APP fraud incidents soared by 90% from 2017 to 2018, although the surge could be down to more banks reporting these scams, according to industry body UK Finance.

“The vast majority of fraud claims across UK banking are from innocent victims of fraud, who have been targeted by criminals and organized gangs. However, all too often these customers must fight to be refunded and are not treated as victims of crime,” argued TSB executive chairman, Richard Meddings.

“We want to provide peace of mind to our customers, that’s why we’re proud to announce the TSB Fraud Refund Guarantee.”

As of January, new regulatory rules came into force designed to empower APP victims with greater powers of redress — by allowing them to complain to the bank that receives funds as well as their own.

However, lenders continue to take a hard line on customers who have fallen victim to such scams, which is why the Financial Ombudsman Service (FOS) and others are drawing up a voluntary code for the industry.

TSB will be hoping the new assurances on fraud reimbursements help to win back the support of its five million customers after major IT outages last year.

Source: Information Security Magazine

Huawei Poses 'No Threat' According to Belgium, Trump Not Convinced

Huawei Poses 'No Threat' According to Belgium, Trump Not Convinced

The Belgian Centre for Cybersecurity (CCB) has reportedly decided not to issue "a negative opinion" on Huawei following several months of investigation with no concrete evidence found. 

According to The Brussels Times, the CCB has been looking for evidence of spying by Huawei. This comes as the Chinese technology company has faced several accusations globally of spying. 

In Belgium, Huawei works with Proximus, Orange and Telenet/Base. It also opened a cybersecurity lab in Brussels back in March.

CCB spokesperson Katrien Eggers said, "A final report on the issue will not be produced as yet because the situation is still being monitored."

According to the Financial Times, the European Commission wants to monitor the company rather than issue a blanket ban on its technology, which is putting it at odds with the US.

US President Donald Trump has tweeted a complaint about the appointment of a former Obama cybersecurity official as a lobbyist for Huawei.

Samir Jain was the former senior director for cybersecurity policy at the White House National Security Council during the Obama administration, but he has now registered as a lobbyist for Shenzhen-based Huawei. He works for lobbying firm Jones Day.

According to the firm's website, Jain also served as associate deputy attorney general at the Department of Justice, where his responsibilities included overseeing the development of proposals to modernize the Computer Fraud and Abuse Act, supervising evaluation of telecommunications license applications for significant national security risks, and representing the department in White House cybersecurity meetings.

He also took part in international negotiations to get China's agreement not to engage in cyber-enabled intellectual property theft for commercial gain.

Source: Information Security Magazine

Kaspersky Labs Discovers 'Previously Unknown Vulnerability' in Microsoft Windows

Kaspersky Labs Discovers 'Previously Unknown Vulnerability' in Microsoft Windows

Today, Kaspersky Labs announced that it had detected a "previously unknown vulnerability" in Microsoft Windows, which was exploited by an unidentified criminal group. 

The company theorizes that it was an attempt to gain full control over a targeted device. The attack was aimed at the core of the system – its kernel – through a backdoor constructed from an essential element of Windows OS.

The vulnerability was reported to Microsoft and patched on April 10, 2019. HEUR:Exploit.Win32.Generic, HEUR:Trojan.Win32.Generic and PDM:Exploit.Win32.Generic were detected.

It was the fifth consecutive exploited local privilege escalation vulnerability in Windows that the company had discovered in recent months.

Kaspersky Lab's Exploit Prevention technology found the attempt to exploit the unknown vulnerability in Microsoft Windows OS, which some security solutions would not be able to recognize. This is because a backdoor that exploits a previously unknown bug in the system – a zero-day vulnerability – has significantly more chances to fly under the radar.

According to the company, "Once the malicious .exe file was launched, installation of the malware was initiated." The company explained that the infection exploited a zero-day vulnerability and achieved privileges for successful persistence on the victim’s machine. 

The malware then initiated the launch of a backdoor developed with a legitimate element of Windows, present on all machines running on this OS – a scripting framework called Windows PowerShell. This allowed threat actors to be stealthy and avoid detection, saving them time in writing the code for malicious tools. The malware then downloaded another backdoor from a popular legitimate text storage service, which in turn gave criminals full control over the infected system.

“In this attack, we observed two main trends that we often see in Advanced Persistent Threats (APTs). First, the use of local privilege escalation exploits to successfully persist on the victim’s machine. Second, the use of legitimate frameworks like Windows PowerShell for malicious activity on the victim’s machine. This combination gives the threat actors the ability to bypass standard security solutions. To detect such techniques, the security solution must use exploit prevention and behavioral detection engines,” explains Anton Ivanov, a security expert at Kaspersky Lab.

Source: Information Security Magazine

Sophos Investigates Microsoft Reboot Failures Following Software Update

Sophos Investigates Microsoft Reboot Failures Following Software Update

Sophos is investigating user-reported issues of boot-up failures following a software update from April 9, 2019. 

Affecting Sophos Central users and systems running Windows 7, 8.1, 2008, 2008 R2, 2012 and 2012 R2, the security company has advised its Sophos Endpoint customers that Microsoft has “temporarily blocked devices from receiving this update” until a solution is available. The update was a security update that provided protections against Spectre Variant 2 (CVE-2017-5715) and Meltdown (CVE-2017-5754), according to the Microsoft's Windows Support website

Sophos Central manages all Sophos products, including its Synchronized Security platform, which uses Security Heartbeat for endpoint protection. 

Spectre and Meltdown exploit vulnerabilities in the processor and can work on personal computers and mobile devices and in the cloud, according to a Graz Univeritsy of Technology report. Depending on the cloud provider's infrastructure, it might be possible to steal data from other customers, which makes it a real concern for businesses. 

“If you have not yet performed the update we recommend not doing so,” explained the Sophos website. “If you have performed the update but not yet rebooted we recommend removing the update prior to rebooting.

“In addition if you are using Windows Server Update Services (WSUS) or a third party patch provider to distribute your Windows updates we recommend removing the updates from your approved list or de-authorising the updates from being applied to your machines.”

This comes after Microsoft had to fix two zero-day patches only last week. 

Source: Information Security Magazine

Pregnancy Club Fined £400K After Illegally Sharing Data on Millions

Pregnancy Club Fined £400K After Illegally Sharing Data on Millions

The UK’s privacy watchdog has fined pregnancy club Bounty £400,000 after finding it guilty of sharing tens of millions of personal records with third parties including marketing agencies.

The parenting support company collects a range of sensitive information from its customers via its website, apps and offline forms: including names, dates of birth, email and home addresses, and gender and birth date of children.

However, it also operated up until the end of April 2018 as a data broker, providing that same information to companies like Sky, Equifax, Indicia and Acxiom without clearly informed consent from the data subjects.

Between June 2017 and April 2018, Bounty is said to have shared over 34 million personal records with 39 third-party organizations, including the details of new mothers and new born children.

Steve Eckersley, director of investigations at the Information Commissioner’s Office (ICO), described the number of those affected as “unprecedented.”

“Bounty were not open or transparent to the millions of people that their personal data may be passed on to such large number of organizations. Any consent given by these people was clearly not informed. Bounty’s actions appear to have been motivated by financial gain, given that data sharing was an integral part of their business model at the time,” he said.

“Such careless data sharing is likely to have caused distress to many people, since they did not know that their personal information was being shared multiple times with so many organizations, including information about their pregnancy status and their children.”

Given the timing of the data sharing, the firm was prosecuted under the old data protection regime, the Data Protection Act 1998, rather than the GDPR.

A much larger fine would likely have been in the offing otherwise, given the large volume of data involved and the vulnerable nature of the victims.

Source: Information Security Magazine

‘Nasty List’ Phishing Scam Targets Instagram Users

‘Nasty List’ Phishing Scam Targets Instagram Users

Instagram users are being warned not to fall for a new phishing scam doing the rounds which aims to harvest log-ins and spread worm-like across the social network.

According to Twitter users who have posted screenshots of the scam, users typically first receive a direct message from an account they are following. This could include one of several variations on the same theme, which is that the recipient has been featured on a ‘nasty list.’

If they click on the link in the message they’ll be taken to one of several Instagram profiles apparently registered for the purpose, with names like “the_nasty_list_848.” The profile description of these accounts also typically contains the same breathless text as the initial message — something like “This is so horrible!! We are all on here,” or “WOW you are really on here.”

However, clicking on the link in this profile description will take the user to an official-looking but fake Instagram log-in page. If they fill their details in here the hacker will hijack their account to send the same ‘nasty list’ message to all the contacts following them.

Phishing remains one of the most popular techniques in the hacker’s arsenal, given that it takes advantage not of technical deficiencies but a lack of cyber-savvy on the part of the user.

According to Microsoft, the volume of phishing attacks jumped 250% year-on-year in 2018.

Like most online consumer-facing platforms, Instagram has its fair share of cybersecurity challenges. Back in August last year it made a slew of announcements designed to make accounts more transparent and harder to hack.

This included support for third-party authenticator apps, which make it harder for individuals to crack open accounts.

Source: Information Security Magazine