Archive for the News Category

Malicious Code-Signing Becomes Dark-Web Cottage Industry

Hackers are selling digital certificates that allow code-signing of malicious files—and they’re making a whole cottage-industry business out of it.

According to a report from InfoArmor, hackers are using a malware creation tool called GovRAT, which is bundled with digital certificates for code-signing. It’s primarily an advanced persistent threat (APT) tool, active since early 2014. GovRAT victims so far include political, diplomatic and military employees of more than 15 governments worldwide, the firm said, along with seven banks, 30 defense contractors and more than 100 other corporations.

“Code-signing provides the assurance to users and the operating system that the software is from a legitimate source,” said Travis Smith, senior security research engineer for Tripwire, in an email. “Both obtaining and correctly applying the certificates to legitimate software is expensive and complex. Many protection mechanisms, rightfully so, check for the digital certificate. However, it's possible that additional security measures stop investigating the software beyond this.”

Attackers can thus exploit this lapse in security by obtaining certificates and signing their malware. 

“This decreases the ability for attacker automation, but will increase the value of potential loot,” Smith added. “For organizations which have valuable data, attackers are going to sacrifice automation for stealthier attacks such as code-signed malware.”

The GovRAT tool uses Microsoft SignTool and WinTrust to digitally sign malicious code and evade antivirus detection. Once malware signed with the tool is embedded, it can communicate over SSL, obscuring the exfiltration of sensitive data. It also has advanced self-encryption and anti-debugging features.

Originally offered on the Dark Web for 1.25 Bitcoin ($420, at current rates, or $1,000 at the time), it’s now available only privately—and in an as-a-service model.

And GovRAT is not the only game in town. InfoArmor has also found code-signing certificates in various underground marketplaces that go for between $600 and $900, including legitimate certificates issued by Comodo, Thawte, DigiCert and GoDaddy.

“[The buyers are] black hats (mostly state-sponsored), malware developers,” Andrew Komarov, president and CIO at InfoArmor, told the Register. “It is [a] pretty professional audience, as typical script kiddies and cyber-criminals don’t need such stuff. It is used in APTs, organized for targeted and stealth attacks. The appearance of such services on the black market allows [hackers] to perform them much more easily, rather like Stuxnet.”

He added, “It is a pretty specific niche of modern underground market. It can’t be very big, as the number of certificates is pretty limited, and it is not easy to buy them, but according to our statistics, the number of such services is significantly growing.”

Hackers can sign not only executable files, but also drivers, Microsoft Office documents, Java content and many other file types—widening the attack surface considerably.

“Organizations should rely on a defense-in-depth security posture so if one defensive mechanism fails, another is in line to detect the attack,” Tripwire’s Smith said. “For attacks such as this, monitoring the list of both signed and unsigned software in the environment will give security administrators an early indication of compromise.”

Source: Information Security Magazine

Zero-Day Attack Compromises a Half-Million Web Forum Accounts—Report

Forum software-makers vBulletin and Foxit Software may have been breached by a hacker claiming to have made off with personal data belonging to some 479,895 users between the two.

“Coldzer0” said in a post co-authored with @Cyber_War_News that he exploited the same zero-day vulnerability for both domains, and was able to access user IDs, full names, email addresses, security questions and corresponding answers (both in plain text) and salted passwords for hundreds of thousands of users.

For its part, vBulletin has confirmed that an attack happened: “Very recently, our security team discovered a sophisticated attack on our network,” the company said in a post. “Our investigation indicates that the attacker may have accessed customer IDs and encrypted passwords on our systems.”

The issue affects vBulletin versions 5.1.4 to 5.1.9, the company said. It has issued a patch, presumably for the zero-day, and has also forced a password reset for all of its users.

Tod Beardsley, principal security research manager at Rapid7, said in an email that it looks like the vBulletin attack was due to an SQL injection bug in vBulletin's forum software.

“vBulletin is a popular target, since compromising a forum site can provide an effective platform for a watering-hole attack,” he said. “In a watering-hole attack, customers of a particular company, or users that share a common interest, can be effectively targeted via the trusted, but now compromised, website. vBulletin itself is a popular community and forum platform, so an unpatched bug in the platform can expose those downstream users to serious risk.”

Organizations that rely on vBulletin to power their community forums should apply this patch immediately.

Foxit has not yet addressed the hacking claims.

Source: Information Security Magazine

Android Users Warned of Trojanized Auto-Root Adware

Security researchers are warning of a new epidemic of 20,000 repackaged apps injected with trojanized Android adware designed to root users' smartphones.

Lookout Security claimed that some of the most popular apps on Google Play including Facebook, Okta, Twitter and WhatsApp have been repackaged, injected with one of three adware families and distributed via third party app stores.

These three families—Shuanet, Shedun and ShiftyBug—are said to share between 71% and 82% of the same code, and use publicly available exploits to root the victim’s device.

ShiftyBug comes with at least eight exploits, Lookout claimed.

After rooting the device, the apps install themselves as a system application, making the malware almost impossible for a regular user to remove.

Rooting the device in this way could leave it exposed to other malicious applications as it effectively enables apps to bypass Android’s sandboxing capabilities, the vendor said.

The trojanized apps can be tricky to spot given that many are merely repackaged legitimate applications, which retain a full set of functionality alongside the malicious code.

The highest detection rates for the adware are in the United States, Germany, Iran, Russia, India, Jamaica, Sudan, Brazil, Mexico and Indonesia, Lookout claimed.

Apart from the risk to enterprise users from having their phone covertly rooted, there’s also a reputation issue at stake for developers of some of these big name titles, the firm added.

The advice from Michael Bentley, senior manager of research and response at Lookout, was simple.

“We always take great care to inform organisations we believe to be affected by any malware, before we go public. In this situation, these apps are not in Google Play, but instead they're copied and distributed via popular third party app stores,” he told Infosecurity by email.

“Stay clear of third party app stores if possible, and if you do use them, check who the app is authored and listed by. You can also use security apps to monitor for suspicious behavior.”

There is a fear that malware writers may progress from trojanized adware to more malicious code using the same infection techniques.

Source: Information Security Magazine

Mac OS X Malware Soars in 2015

Mac malware is set to accelerate over the coming months after having its most prolific year ever so far in 2015, according to new research from endpoint security firm Bit9 + Carbon Black.

After an analysis of the year so far, the vendor concluded that five times more Mac malware appeared in 2015 than in the previous five years combined.

It collected 1,400 unique samples over the period using custom-built sandboxes and tools such as fs_usage, dtrace and opensnoop.

It found that Mac malware as a whole does not borrow very heavily from Unix or Linux malware, which was unexpected given OS X’s roots in the open source FreeBSD.

Another interesting find was that more than 90% of the Mac malware it discovered still uses the old load commands (LC_THREAD and LC_UNIXTHREAD) to define the entry point into the Mach-O format.

This makes potential malware easier to spot: a newly seen binary that still uses the old commands stands out.
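As an added example (not from the Bit9 + Carbon Black research or the article), a small Python parser that walks a thin Mach-O image's load commands and reports whether the entry point is defined by the modern LC_MAIN command or by the legacy LC_THREAD/LC_UNIXTHREAD commands the report flags. The two sample images are constructed inline; the format constants follow Apple's mach-o/loader.h.

```python
"""Report which load command defines a Mach-O image's entry point (constants
from Apple's <mach-o/loader.h>). Binaries linked for OS X 10.8+ use LC_MAIN; the
legacy LC_THREAD / LC_UNIXTHREAD commands are the ones the report flags."""
import struct
import sys

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
LC_REQ_DYLD = 0x80000000
LC_THREAD, LC_UNIXTHREAD = 0x4, 0x5
LC_MAIN = 0x28 | LC_REQ_DYLD
LC_SEGMENT_64 = 0x19
ENTRY_COMMANDS = {LC_THREAD: "LC_THREAD", LC_UNIXTHREAD: "LC_UNIXTHREAD", LC_MAIN: "LC_MAIN"}


def load_commands(data):
    """Yield (cmd, cmdsize) for every load command of a thin Mach-O image."""
    if len(data) < 28:
        raise ValueError("too short for a Mach-O header")
    # Pick the byte order from the magic; fat (universal) binaries are not handled.
    for order in ("<", ">"):
        magic, = struct.unpack_from(order + "I", data, 0)
        if magic in (MH_MAGIC, MH_MAGIC_64):
            break
    else:
        raise ValueError("not a thin Mach-O image")
    header_len = 32 if magic == MH_MAGIC_64 else 28  # 64-bit header has a reserved field
    ncmds, sizeofcmds = struct.unpack_from(order + "II", data, 16)
    offset, end = header_len, header_len + sizeofcmds
    for _ in range(ncmds):
        if offset + 8 > min(end, len(data)):
            raise ValueError("load command table runs past its declared size")
        cmd, cmdsize = struct.unpack_from(order + "II", data, offset)
        if cmdsize < 8 or offset + cmdsize > end:
            raise ValueError("malformed load command size")
        yield cmd, cmdsize
        offset += cmdsize


def entry_point_style(data):
    """Return 'LC_MAIN', 'LC_UNIXTHREAD', 'LC_THREAD' or 'none' for the image."""
    for cmd, _ in load_commands(data):
        if cmd in ENTRY_COMMANDS:
            return ENTRY_COMMANDS[cmd]
    return "none"


def uses_legacy_entry(data):
    """True when the entry point comes from the pre-LC_MAIN thread commands."""
    return entry_point_style(data) in ("LC_THREAD", "LC_UNIXTHREAD")


def build_sample(entry_cmd, entry_payload):
    """Constructed test input: a minimal x86_64 MH_EXECUTE with one empty __TEXT segment."""
    segment = struct.pack("<II16sQQQQIIII", LC_SEGMENT_64, 72, b"__TEXT",
                          0, 0, 0, 0, 0, 0, 0, 0)
    entry = struct.pack("<II", entry_cmd, 8 + len(entry_payload)) + entry_payload
    cmds = segment + entry
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x01000007, 3, 2,
                         2, len(cmds), 0, 0)
    return header + cmds


# LC_MAIN carries entryoff and stacksize; LC_UNIXTHREAD carries a thread state
# (flavor x86_THREAD_STATE64 = 4, count = 42 32-bit words, 168 bytes of registers).
MODERN_SAMPLE = build_sample(LC_MAIN, struct.pack("<QQ", 0x1000, 0))
LEGACY_SAMPLE = build_sample(LC_UNIXTHREAD, struct.pack("<II", 4, 42) + bytes(168))

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            style = entry_point_style(fh.read())
        flag = "LEGACY" if style in ("LC_THREAD", "LC_UNIXTHREAD") else "ok"
        print(f"{path}: entry via {style} [{flag}]")
```

Run it against a directory of thin Mach-O files to get a quick inventory of which ones still use the legacy entry commands; universal binaries need to be split into slices first.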

In addition, the Bit9 + Carbon Black researchers concluded that the vast majority of Mac malware uses one of just seven persistence techniques to remain on an infected system.

These are: LaunchAgents, LaunchDaemons, login items, browser plugins, StartupItems, binary infection and cron jobs.

It appears the growing prevalence of Mac malware is unsurprisingly linked to a rising market share among consumers and enterprises.

“For years, Mac users have watched their PC-using counterparts struggle with cyber-attacks, while enjoying the relative immunity that their hardware provides from malware. This view is becoming increasingly outdated; our research shows that Mac users should be just as worried,” argued Bit9 + Carbon Black EMEA MD, David Flower.

“With 45 per cent of businesses now offering Macs as an option to staff, our research should be seen as a timely reminder that every device on the network is a potential target—businesses can’t just rely on a clearly outdated perception of invulnerability.”

Source: Information Security Magazine

IBM’s SoftLayer Pegged as Number One Spammer

IBM subsidiary SoftLayer Technologies has been accused of being the world’s largest spammer, with the volume of unsolicited mail sent from its network rising seven-fold over the past year.

Security vendor Cloudmark claimed in its latest Security Threat Report that 42% of all outbound email from the Dallas-based hoster and cloud computing firm in the third quarter was spam.

The seven-fold increase from 12 months ago is mainly due to malicious emails sent to recipients in Brazil, the security player claimed.

Links in these mails frequently lead recipients to trojan downloads or to phishing pages designed to harvest credentials for the Boleto bank payment system popular in the country.

The SoftLayer spam problem has spiked in the past six months, as Cloudmark explained:

“SoftLayer was one of the main pioneers of cloud computing. By automating the provisioning of virtual hardware resources, it enabled the exponential growth of other successful Internet companies. At one point it was consistently adding fifty new servers a day just to support a single client, Tumblr. However, automation in the rapid provisioning of new resources is just as valuable to criminal spammers as it is to growing social networks. SoftLayer has responded to complaints by closing down accounts used by particular spammers, but the spammers are simply coming back with new accounts.”  

Cloudmark said the problem is so bad it is currently blacklisting 30,000 IP addresses—1.4% of the total—from SoftLayer, up from just 11,000 in April.

The security vendor urged IBM to work with Brazilian law enforcers to bring the spammers to justice.

Elsewhere in the report, Cloudmark warned of a continuing rise in successful phishing attacks, citing Verizon figures that nearly one quarter (23%) of recipients open phishing messages.

There’s also a clear link to targeted nation state attacks, with phishing associated with 95% of such threats a couple of years back, the report claimed.

Cloudmark engineering director Angela Knox argued that awareness raising, in combination with good internal processes and filtering tools, can help organizations.

“An effective anti-phishing strategy should start with awareness of the different types of phishing, and a review of the risk to an organization if an employee falls for one of the various types of phishing,” she told Infosecurity by email.

“The different types of phishing can cause differing levels of harm to an organization and the attackers can be after different items of value, from wiring money, to access to confidential company data, to getting access to the company’s network for ongoing attacks.” 

Two-factor authentication, data encryption, restricted privileges and DNS monitoring can all help reduce risk, she added.

Source: Information Security Magazine

Frost & Sullivan: IoT, Web Intelligence and Big Data Analytics Set To Transform Global Security Markets

Changing global dynamics are driving security stakeholders to re-evaluate resources and operational requirements to protect against a range of evolving threats, posing increasingly complex challenges, especially for governments and critical infrastructure, says a new Frost & Sullivan report.

The analyst believes cybersecurity continues to grow as one of the largest challenges facing both governments and critical infrastructure operators, and that engagement between industry and key stakeholders is critical to better protect against increasingly complex cyber-threats. In addition, it sees economic and financial instability, as well as political and social unrest, as having brought controversy and insecurity to a number of countries, impacting security decisions worldwide.

In response to these challenges, the analyst has identified the top five Mega Trends in the security industry that will shape the way in which governments protect their citizens and critical assets in the future.

These are: rapid development of technologies that allow greater flexibility and security for end users; the emergence of Internet of Things programs in public safety; rapid growth of IP-enabled devices used by law enforcement departments; increased debate on intelligence and privacy, following soaring terrorism threat levels across the globe; and rising use of Web intelligence and Big Data analytics throughout law enforcement.

The analyst also expects constraints on budgets and an increased focus on business efficiency to squeeze security provider prices with a focus on affordable security solutions that show a clear return on investment both for protection and operation. Frost & Sullivan expects the ‘cyber-problem’ will continue with a call for greater collaboration between government and industry, focus in the boardroom, and better cybersecurity hygiene.

Source: Information Security Magazine

Identity and Access Management Market to Be Worth $24.55 bn by 2022

A rise in web-based applications and risk management solutions, such as policy-based compliance and audit management, combined with cost containment is set to drive the global identity and access management (IAM) market, says Grand View Research.

Additional drivers projected to positively impact IAM include the growing popularity of connected devices, bring your own device (BYOD) and Internet of Things (IoT).

Such dynamics, along with stringent regulatory compliance requirements, are prompting increased spending by large enterprises and government organizations. Grand View calculates that the market will be in the region of $24.55 billion by 2022.

This is all set to be very good news for the IAM technology market. The analyst believes that growing innovation with interoperable technologies is enabling providers to build advanced solutions, including secure print authentication and EV charging station access.

Grand View estimates that cloud-based and hybrid solutions will extend their footprint in the industry with enhanced security and lower error rates. Commoditization of identity functions and the explosion of available applications are also expected to compel enterprises to seek more scalable options.

Looking at individual technology areas, the Grand View report predicts that the cloud-based identity and access management market will see ‘robust’ demand by 2022, growing at a CAGR of over 18% from 2015 to 2022. Rising demand for cloud SSO is also a key factor supporting wide adoption among enterprises. The public sector and utilities sector accounted for over 25% of revenue in 2014 and are anticipated to exhibit significant growth over the next seven years.

The current leading players in the identity and access management market include IBM, NetIQ Corporation, Oracle, CA Technologies and HID Global Corporation.

Source: Information Security Magazine

Global Financial Leaders to Invest More Than $1bn in Blockchain Projects in Next 1-2 Years

Bitcoin’s longevity has been discussed as much as its legitimacy, but it is set to become the sixth largest global reserve currency by 2030, according to research from Magister Advisors.

The survey from the M&A advisors to the technology industry claims to prove the strategic significance of bitcoin and the Blockchain technology underpinning it, calculating that more than a million bitcoin transactions are now taking place daily, more than 10 times the publicly reported figure.

To date, Blockchain and bitcoin have captured equal attention, but Magister predicts that Blockchain is set to impact far wider aspects of business and consumer life. It noted that the majority of bitcoin transactions are currently taking place in developing economies, reflecting the appeal of the robustness of the technology in economies where an estimated two billion adults do not have bank accounts, and especially in markets where corruption is endemic in financial services.

By contrast, Magister expects an estimated $1 billion to be spent by the top hundred financial institutions on Blockchain-related projects over the next 24 months. These leading banks are said to have portfolios of 10-20 bitcoin-related projects underway.

Magister Advisors sees the initial use of Blockchain as typically complementing, rather than replacing, core infrastructure activities such as wire transfers, often by storing ‘meta-data’ in areas such as settlement and clearing. Yet it asserts that Blockchain’s potential is much greater, given what it says is the flexibility and robustness of the technology, ranging from property registries to security infrastructure to direct payments.

“Blockchain is without question the most significant advancement in enterprise IT in a decade, on a par with big data and machine learning,” commented Jeremy Millar, partner at Magister Advisors who led the research. “What JAVA is to the Internet, Blockchain is to financial services. We have now reached a fork in the road with bitcoin and Blockchain.  Bitcoin has proven itself as an established currency.  Blockchain, more fundamentally, will become the default global standard distributed ledger for financial transactions…Blockchain technology will underpin a growing number of routine transactions globally as trust grows.” 

That said, Millar accepted that initially banks would likely be unwilling to remove the core infrastructure that handles the process of clearance and settlement. “Ironically bitcoin has attracted negative publicity over its short life because attempts to rig it have been flagged by the Blockchain technology that underpins it,” he added. “It’s the inherent ability of the Blockchain infrastructure to expose these attempts that has impacted perceptions when in fact it should shore them up. This self-regulating capability in Blockchain will lend itself to an array of applications where corruption has hitherto been a problem.”

Source: Information Security Magazine

SME Suppliers Falling Short of Security Expectations – Report

Nearly 70% of procurement managers in large organizations believe SME suppliers could do more to protect sensitive client data, according to new research from KPMG.

The global consulting firm polled 175 UK procurement chiefs across several sectors and found reassuringly that standards are high when it comes to vetting suppliers.

A large majority (86%) said they would consider removing a firm if it suffered a data breach and nearly half (47%) claimed suppliers are contractually obliged to report such an incident.

Nearly all respondents (94%) agreed with the statement that standards were important when awarding a contract, with around two-thirds requiring their suppliers to demonstrate certification by Cyber Essentials, ISO, PCI DSS or another respected accreditation body.

If there is no accreditation to speak of, 41% of respondents claimed they would expect the supplier to foot the bill in the near future.

George Quigley, a partner in KPMG’s Cyber Security practice, argued that SMEs can find it difficult to understand the nature of the threat landscape and how they could be exposed to risk.

There are also challenges around “defining and identifying” which data is critical and therefore needs protecting.

“Finally budgets tend to be allocated to IT, rather than to cybersecurity more specifically, which generally means that only a fraction of the funds is invested in cybersecurity,” he told Infosecurity.

However, things are changing, Quigley argued.

“SME business partners are starting to look at certifications in order to gain some comfort that the potential SME supplier is dealing with security in an appropriate manner. All signs indicate that this trend is likely to continue,” he revealed.

“Cyber Essentials and ISO 27001 are perhaps the two most common certifications that are being requested. Overall, SMEs need to be able to articulate to their partners the threats that they face, the risks that they believe they are exposed to and the mitigants that they have in place to minimize that risk.”

Source: Information Security Magazine

US Government Launches New Cyber Security Strategy Plan

US government CIO Tony Scott has announced a new plan designed to bolster cybersecurity among federal civilian agencies, following a series of damaging data breaches across departments.

The Cybersecurity Strategy Implementation Plan (CSIP) focuses on five objectives, Scott wrote in a blog post on Friday.

These are: identification and protection of high value assets and information; timely detection of and response to incidents; rapid recovery from incidents; recruitment and retention of the best infosecurity talent; and better use of new and existing technologies.

Scott continued:

“Across the Federal Government, a broad surface area of legacy systems with thousands of different hardware and software configurations contains vulnerabilities and opportunities for exploitation. Additionally, each Federal agency is responsible for managing its own IT systems, which, due to varying levels of cybersecurity expertise and capacity, generates inconsistencies in capability across government.

CSIP directs a series of actions to improve capabilities for identifying and detecting vulnerabilities and threats, enhance protections of government assets and information, and further develop robust response and recovery capabilities to ensure readiness and resilience when incidents inevitably occur.”

The security enhancements don’t end at CSIP.

Scott revealed that the Office of Management and Budget was also issuing guidance to agencies on the Fiscal Year 2015 – 2016 Federal Information Security Modernization Act (FISMA) and Privacy Management.

Crucially, the guidance will define for the first time what qualifies as a “major” incident and direct agencies to report such incidents to Congress within seven days.

The initiative follows the OMB’s 30-Day Cybersecurity Sprint—an attempt to quickly address some of the biggest security failings at the heart of government, which were exposed in the OPM hack.

That effort appears to have borne fruit, with the use of strong authentication by federal civilian agencies rising by 40% this year to over 80%.

However, Scott warned that security is a continuous process of evolution, with “no one-shot silver bullets.”

“Cyber threats cannot be eliminated entirely, but they can be managed much more effectively,” he added. “CSIP helps get our current Federal house in order, but it does not re-architect the house.”

Source: Information Security Magazine