
Nokia: IoT Botnets Comprise 78% of Malware on Networks

Nokia is warning of a deluge of IoT malware after revealing a 45% increase in IoT botnet activity on service provider networks since 2016.

The mobile networking firm’s Threat Intelligence Report for 2019 is based on data collected from its NetGuard Endpoint Security product, which it says monitors network traffic from over 150 million devices globally.

It revealed that botnet activity represented 78% of malware detection events in communication service provider (CSP) networks this year, more than double the 33% seen in 2016.

Similarly, IoT bots now make up 16% of infected devices on CSP networks, a near-five-fold increase from 3.5% a year ago.

“Cyber-criminals are switching gears from the traditional computer and smartphone ecosystems and now targeting the growing number of vulnerable IoT devices that are being deployed,” said Kevin McNamee, director of Nokia's Threat Intelligence Lab. “You have thousands of IoT device manufacturers wanting to move product fast to market and, unfortunately, security is often an afterthought.”

This is a threat that first came to light with the Mirai attacks of 2016, when the infamous IoT malware sought out and infected tens of thousands of smart devices protected only by factory default passwords.

That ended up launching some of the largest DDoS attacks ever seen, although Nokia also called out crypto-mining as a potential new use of IoT botnets made up of compromised smartphones and web browsers.

“Cyber-criminals have increasingly smart tools to scan for and to quickly exploit vulnerable devices, and they have new tools for spreading their malware and bypassing firewalls. If a vulnerable device is deployed on the internet, it will be exploited in a matter of minutes,” McNamee warned.

IoT adoption is expected to accelerate with 5G, potentially exposing even more devices to cyber risk, Nokia claimed.

Yossi Naar, co-founder at Cybereason, argued that attackers can also use compromised IoT endpoints to move into corporate networks and high-value servers.

“Simply put, security needs to be a primary design consideration, as fundamental as any other measure of performance,” he added. “There should be a focus on tight mechanisms for strong authentication and the minimization of the potential attack surface. It’s a fundamental design philosophy that responsible companies have, but it’s not a reflex for all companies — yet.”

For more information, listen again to our webinar with Nokia, featuring insight from HardenStance founder and principal analyst Patrick Donegan and Kevin McNamee from Nokia's Threat Intelligence Lab, on the report's findings around IoT, crypto-coins and smart devices.

Source: Information Security Magazine

HackEDU and HackerOne Partner to Offer Free Training

In a newly developed partnership with HackEDU, HackerOne announced that it has released a free web hacker training, adding to its Hacker101 offerings. Based on five popular, publicly disclosed vulnerability reports for which top bug bounty hackers initially earned up to $5,000 for reporting, HackerOne and HackEDU have created an interactive cybersecurity sandboxed training environment modeled after these real-world vulnerability reports.

Through training in this safe and legal simulated environment, hackers will learn the techniques of clickjacking, a vulnerability that can be used to create a worm; and XXE, a vulnerability that can be exploited to steal files. In addition, participants will learn remote code execution (RCE), a vulnerability on a server that first earned a $5,000 bounty; and an SQL injection attack using sqlmap that steals data. Rounding out the top-five vulnerabilities is an XSS attack, which causes a user to send you data without their knowledge.

Committed to growing and empowering the white hat community, HackerOne and HackEDU are providing free access to their training materials. The new HackEDU-developed vulnerability sandboxes are the latest in their interactive coursework available to hackers, who can also join existing Hacker101 interactive content, coursework and capture the flag (CTF) challenges, according to a press release.

“Hacking is a highly sought after skill, but it is not always clear how to get started or advance to the next level. This is why we started Hacker101,” said Cody Brocious, HackerOne security researcher and head of hacker education, in the release. “Now with HackEDU’s sandboxes and interactive lessons, hackers can test their skills like never before. With simulated real-world bugs – originally discovered by top bug hunters in the community – you will learn something new with these latest sandboxes, no matter your skill level.”

“HackEDU is proud to offer real-world applications with real-world vulnerabilities found on HackerOne’s platform,” said Jared Ablon, HackEDU’s CEO, in the release. “With this addition to HackEDU’s current offerings, users can explore how vulnerabilities manifest themselves in applications that people use every day, which enhances the learning process for both attackers and defenders.”

Source: Information Security Magazine

STOLEN PENCIL Targets Academic Institutions

A new campaign, potentially originating from North Korea, has been targeting academic institutions since at least May 2018, according to new research published by NETSCOUT.

Dubbed "STOLEN PENCIL," the spear phishing campaign delivers emails that send unsuspecting users to a website displaying a document that tricks them into installing a malicious Google Chrome extension so that the threat actors can then scavenge for credentials.

“In keeping with tried and true tactics, the operators behind the STOLEN PENCIL campaign used spear-phishing as their initial intrusion vector,” NETSCOUT wrote in a blog post. “First reported by Twitter user @MD0ugh, a target of STOLEN PENCIL receives a spear-phishing message containing a link to one of several domains controlled by the threat actor.”

Once the malicious actors gain a foothold, they use Microsoft’s Remote Desktop Protocol (RDP) for remote point-and-click access. According to NETSCOUT, this tactic indicates that a person – rather than a remote access Trojan (RAT) with a command-and-control site – is actually behind the keyboard interacting with a compromised system. The threat actors are then able to use RDP to maintain persistence.

Additionally, the attackers rely on built-in Windows administrator tools and other commercial software to sustain the attack. Once they have exploited the victim’s system, they leverage multiple off-the-shelf tools to harvest passwords from sources such as process memory, web browsers, network sniffing and key logging. Oddly, the researchers have not yet seen any evidence of data theft, which has left them unable to determine the motivation of the attackers; however, many of the victims were experts in biomedical engineering, according to NETSCOUT.

“Using a combination of stolen passwords, backdoor accounts, and a forced-open RDP service, the threat actors are likely to retain a foothold on a compromised system,” the research team wrote.

While the tactics and procedures of the threat actors are quite basic and they rely on off-the-shelf tools, they spent a lot of time doing reconnaissance. In addition, the operators also demonstrated poor OPSEC and exposed their Korean language in both viewed websites and keyboard selections.

Source: Information Security Magazine

Unpatched Vulnerabilities Enable Adobe Flash Zero-Day

Adobe has issued security updates for Adobe Flash Player for Windows, macOS, Linux and Chrome OS after another active exploitation of a zero-day vulnerability in Adobe Flash via a Microsoft Office document was identified.

The critical vulnerability (CVE-2018-15982) exists in the wild and could lead to arbitrary code execution and privilege escalation, according to the advisory.

According to Gigamon’s applied threat research team, the vulnerability “allows for a maliciously crafted Flash object to execute code on a victim’s computer, which enables an attacker to gain command line access to the system. The document was submitted to VirusTotal from a Ukrainian IP address and contains a purported employment application for a Russian state healthcare clinic.”

Adobe Flash makes up 10 of the top 20 application vulnerabilities that impact the most businesses, with 79% of those vulnerabilities being rated high severity and having public exploits available, according to Tenable’s recently published Vulnerability Intelligence Report. In addition, when looking at affected enterprises and assets, Microsoft .Net and Office, Adobe Flash and Oracle’s Java have the most widespread impact.

Even more alarming, the report noted that Tenable discovered considerable amounts of known – but unpatched – Oracle Java, Adobe Flash, Microsoft IE and Office vulnerabilities in enterprise environments, going back over a decade.

“Exploits against zero-day vulnerabilities that allow for command execution using relatively stock enterprise software are valuable. Flash exploitation can be expected to continue as long as there are valid weaponization vectors that permit reliable execution,” Gigamon wrote.

As many experts look to 2019 in anticipation of what is to come, they warn that there will be an increase in cyberattacks. The Information Security Forum (ISF) has announced the top global security threats that businesses will face in 2019. Among them is the increased sophistication of cybercrime and ransomware.

Yet when companies leave known vulnerabilities unpatched for the better part of a decade, cyber-criminals don’t need to advance their tactics and procedures to spread targeted attacks, particularly when organizations don't understand their risk. According to the Tenable report, the Common Vulnerability Scoring System is an inadequate prioritization metric, and companies must prioritize vulnerabilities based on actual risk.

Source: Information Security Magazine

#BHEU: We Must Update Cybersec Education to Develop More Security Experts

Speaking at Black Hat Europe in London, Nahman Khayet, security researcher and Shlomi Boutnaru, CTO at Rezilion, explored the current cybersecurity skills shortage and its link to the education system.

Khayet explained that there are three main characteristics of security experts, which are ‘thinking outside the box,’ ‘adversarial thinking’ and ‘technical knowledge.’

He also cited a quote from M Gladwell regarding the 10,000 Hour Rule, “…the key to achieving world-class expertise in any skill, is, to a large extent, a matter of practicing the correct way, for a total of around 10,000 hours…”

“This sentence has two meanings for us,” Boutnaru said. “The first, is we believe that each person in the world should practice and experience as much as they can in order to become an expert,” and the second is that “every cybersecurity expert should have a lot of experience in the industry before they actually become an expert.”

However, Boutnaru argued that teenagers studying computing in schools are suffering from limitations of the education system. They are being taught less technical material like safe internet use, privacy controls, password safety and computer safety, he added, but some “cybersecurity deep knowledge is missing” from the curriculum.

“What about network threats? What about denial of service? What about IP spoofing? What about code vulnerabilities, and others? If you think about it, a lot of teenagers are today developing applications for mobile, web apps, but they don’t have the basic understanding of those [aforementioned] specific threats. Why? Because we are not teaching them that.”

“Students, when they are not getting the right education of cybersecurity, they are not understanding (later on) when they apply for work in the industry the security risks,” said Khayet. “If we look at the characteristics of security experts, they lack all of them.”

So, both speakers argued that there is a great need to upgrade the current approach to teaching cybersecurity to teenagers by:

  • Adding practical cybersecurity training in schools as early as possible
  • Exposing girls in middle school to female cybersecurity leaders systematically
  • Teaching cutting-edge technology with hands-on experience
  • Investing more in pedagogical concepts

Source: Information Security Magazine

#BHEU: Did the 'Grain of Rice Chip' Drive New Risk Assessments?

Speaking at the Black Hat Europe conference in London, trainer and researcher Joe FitzPatrick from SecuringHardware.com asked delegates if their risk assessment considers $5 hardware attacks and if not, “why worry about $1m [hardware attacks], as what is more likely?”

In his talk 'A Measured Response to a Grain of Rice,' which took a strong look at the controversial Bloomberg article about tiny chips found on motherboards, FitzPatrick said that we first heard of malicious implants as part of the Snowden leaks in 2013, and the “Ant Catalogue” as reported by Der Spiegel.

“Usually we think of keystroke loggers via USB but they have been around for decades, as have Modchips,” he said.

Asking when hardware attacks make sense, he said it makes sense to have air gaps and heavily monitored networks, as well as to be aware of physical access which would not be possible remotely, and supply chain access to firmware.

Focusing on the Bloomberg story, which alleged that a chip affected 30 companies, FitzPatrick said that there was a lot of reaction to the story, as well as questions on how to test and what the indicators of compromise are. “By the time the board gets to you, something has changed to the schematics to figure out what chips are what,” he added.

FitzPatrick said that there was little in the article on what the chip did, and using the term “component graffiti” he argued that the article caused “a lot of assumptions and doom and gloom.”

He said: “Was it real or a hoax? I don’t know: we don’t have information and I am no expert, however I can say it is possible and the things described are possible and I see challenges as a technical person.”

He asked why there were no first-hand accounts of what it did, and went on to say that a typical server has more than 10 components with firmware, hundreds of active components, and thousands of passive components, meaning that there is a “huge surface to look at.”

Concluding by discussing what we can do, FitzPatrick said that ripping up servers “is a waste of time” and asked delegates if they review what a supplier does and where hardware was acquired, and if they look inside systems.

“Actual risk is a combination of impact and frequency,” he said. “We need to respond to the threat and not to the hype.”

Source: Information Security Magazine

Finance IT Overconfident in Machine Identity Tools

A new study found that a majority of financial services security professionals are overly confident about the ability of machine identity protections to defend their organizations' networks, according to Venafi.

The report, Securing the Enterprise with Machine Identity Protection, conducted by Forrester Consulting on behalf of Venafi, surveyed 116 IT security professionals from financial services and insurance organizations across the US, UK, Germany, France and Australia. It found that 80% of respondents who are responsible for identity and access management (IAM) trust that automated communications between machines on their networks are mostly or completely secure.

In addition, 70% of respondents feel confident that effective protection of machine identities is critical to the long-term security and viability of their companies, the study found. Still, financial services organizations are only tracking an average of 43% of the most common types of machine identities.

Looking at the number of respondents who follow the progress of specific machine identities, the study found that just over half (56%) are tracking cloud platform instance machine identities and 55% are tracking physical server machine identities. Yet less than half (48%) track mobile device machine identities, according to a press release.

Even fewer, only 34%, track the machine identities of SSH keys. Those numbers continue to decline when looking at tracking the machine identities of containers (28%) and micro-services (26%).

“Financial services organizations have more work to do in order to make sure their machine identities are protected, and we know these issues are not unique to a specific industry,” said Jeff Hudson, CEO of Venafi, in a press release.

“Despite the importance of machine identities, most organizations are overwhelmed by the sheer number of them on their networks, and they don’t have the visibility, intelligence or automation necessary to take the necessary steps to close the gaping hole in security.”

The report also noted that 41% of financial services IT security professionals confessed that the lack of system administrator focus on machine identity use is a major challenge, while the same number identified lack of automated processes to inventory machine identities as a major problem.

Source: Information Security Magazine

Emotet and Trickbot Are the Future of Malware

Malware authors have been incorporating new infection methods that have resulted in a whole new category of attacks that are likely to represent the future of malware, according to a new research report from Malwarebytes.

Released today, the research report Under the Radar – The Future of Undetected Malware revealed that malware authors are using new skills that help them evade detection, giving them an edge against security tools and enterprise defenders. These new infection methodologies, which enable the malware to persist after compromise, have resulted in the emergence of a whole new category of attacks in 2018.

The report analyzed the latest data in fileless attack methodology, frequency, remediation resistance and adaptive attacks and found that TrickBot, SamSam, Emotet, and Sorebrect represent the future of attacks. According to the research, not only is fileless malware estimated to account for 35% of all attacks in 2018, but it is also 10 times more likely to succeed than file-based attacks.

“Emotet has been terrorizing systems worldwide for much of the year, with heavy campaigns in both Q1 and Q3 of 2018. In July 2018, US-CERT released an alert about Emotet and its capabilities,” wrote Adam Kujawa, director of Malwarebytes Labs.

The malware reportedly borrows the propagation and anti-forensic techniques seen in previous complex nation-state attacks, which means that the unique behaviors and tactics of these newest malware are able to withstand attempts at cleanup.

According to Malwarebytes, Emotet malware was detected and removed more than 1.5 million times between January and September 2018, while its telemetry further revealed the detection and removal of TrickBot within a single industry nearly half a million times in the first nine months of 2018.

“Most malware is not spread by a shady guy in a fedora putting USB sticks into every computer he can see, it is spread through exploit kits and through malicious spam campaigns and often through avenues that can be monitored and protected,” wrote Kujawa.

Source: Information Security Magazine

Magecart Delivers Malware to 1-800-FLOWERS

Once again payment card data has been lifted from an e-commerce site, with the Canadian online outpost of 1-800-FLOWERS falling victim to Magecart. What’s alarming about this most recent disclosure, though, is that the incident lasted for over four years.

In its notice of breach disclosure shared with California’s attorney general, the company clarified that the incident “may have involved your payment card information used to place an order on our website, www.1800Flowers.ca (the 'Canadian Website'). The incident did not involve orders placed on the 1800Flowers.com website.”

During the course of an ongoing investigation that began on October 30, 2018, intelligence revealed that an unauthorized user had access to payment card data from cards used to make purchases on the Canadian website from August 15, 2014, to September 15, 2018, according to the notice.

Since discovering the breach, 1800Flowers.ca said it has taken appropriate actions to help prevent future attacks. “We have redesigned the Canadian Website and implemented additional security measures. We are also working with the payment card networks so that banks and other entities that issue payment cards can be made aware.”

Over the course of those four years, the card-skimming malware lifted full names, payment card numbers, security codes and expiration dates. While the Canadian company has not disclosed the total number of affected customers, it did disclose the breach to the California attorney general’s office, indicating that more than 500 Californians were affected. The company reported $238.5 million in its fiscal 2018 third-quarter results.

“Payment card-skimming malware continues to be a security challenge for retailers around the globe,” said Stephan Chenette, co-founder and CTO, AttackIQ. “British Airways, Newegg, Kitronik and now 1-800-FLOWERS have all been victimized by this malware this year, highlighting the need for enterprises to proactively invest in continuous security validation through automated testing if they want to detect security flaws and gaps before adversaries find them.”

Source: Information Security Magazine

#BHEU: Attribution & Offensive Capabilities Changed Cybersecurity in 2018

Delivering the opening keynote at the Black Hat Europe conference in London, Marina Kaljurand, chair of the Global Commission on the Stability of Cyberspace, spoke of the 2007 attacks by Russia on her home nation of Estonia, and how it was “primitive by today’s standards” but enabled the country to build better defenses and its e-government services.

Kaljurand said that Estonia was one of the first countries to introduce e-government, e-police and e-taxation among thousands of services, and while the attacks were “humiliating and disturbing” it enabled its resilience to be “proof tested.”

She added: “More than 10 years have passed and many things have changed and improved, but some things are as important today as in 2007. What did we learn? The importance of decision making, and having cybersecurity high on the political agenda.”

She also discussed the need for an “all nation approach” with all stakeholders involved, including civil society, industry, academia and international cooperation. “Cyber doesn’t have borders, if we want to be efficient we need to operate with others,” she argued.

Echoing comments made in the conference opening by Black Hat founder Jeff Moss, Kaljurand said that in 2004, when Estonia joined NATO, no-one was talking about cybersecurity, but in 2018, everyone is.

She went on to say that for the first time in history, a single state working alone cannot efficiently deal with attacks “and in a sphere where civil society is the watchdog, our responsibility is to keep exchanges secure.” The state has a role to play in preserving trust, she said.

Looking back at 2018, Kaljurand said that two things changed: the evolving state practice of attribution and increased offensive capabilities.

For attribution, she said that “too little and too late had been done by nation states,” and she called the attribution of NotPetya to Russia by the UK a “breakthrough” as it was backed by other nations, but not by western Europe.

In terms of offensive capabilities, she said that for years it was “not OK” to talk about them, and Australia was the first to confirm it had an offensive capability in 2016, while NATO embraced the use of cyber-weaponry in the same way as land, air and sea in November 2017.

“It is a good thing that conversations take place, as whatever countermeasures taken, they have to be in correspondence with international law,” she said. “It raises many questions including private hack backs, but better to have it than have it behind closed doors.”

Kaljurand concluded by saying that it is time for nation states to form real, working partnerships, and for “cyber-giants to take responsibility and operate.”

She said: “We have the ability to contribute to the discussion more than ever before, so the initiative starts at the bottom. Take it seriously and support each other and governments will listen to us more.”

Source: Information Security Magazine