Archive for the News Category

US to Axe Drone Fleet Containing Chinese Tech

The US government is planning to ground a fleet of nearly 1,000 drones it fears could be compromised by the People's Republic of China (PRC).

As reported by the Financial Times yesterday, the Interior Department is halting the use of over 800 drones that contain parts developed in the PRC. 

The decision to ground the unmanned flying fleet was triggered by concerns that the Chinese parts could be utilized by the PRC government for the purpose of spying on the activities of the United States.

A total of 810 remotely controlled quadcopters were grounded in October 2019 pending an investigation into their security. Now officials have warned that the PRC government has the ability to access images captured by the drones together with their location data. 

The Times was informed of the plan to permanently ground the fleet by two individuals who had been party to a briefing on the subject. Documents obtained by the paper indicate that the proposal has met with objections from various agencies.   

“Unmanned aircraft systems are a unique tool that fit into this mission and allow us to make high-quality surface observations at a fraction of the price of manned aircraft operations,” an Interior Department staff member wrote in an email obtained by the Times.

The grounding has not yet been officially approved by Interior Secretary David Bernhardt. However, the Times' sources have said that it is likely that Bernhardt will take the drones out of service, reserving them for training purposes and providing assistance in emergency scenarios such as tackling wildfires. 

Drones are already used by the Interior Department as a cheaper and safer alternative to tracking natural resources, mapping terrain, inspecting dams, and monitoring wildfires with manned aircraft. 

An all-American drone designed and manufactured completely in the United States is still years away from becoming a reality, according to the Times' official sources. 

Legislation banning the US government from using drones manufactured by countries deemed to be "non-cooperative" with America is currently being considered by Congress. The two pieces of legislation proposed are the American Drone Security Act in the Senate and the Drone Origin Security Enhancement Act in the House.

Source: Information Security Magazine

#THIREurope: How Target Improved its Threat Hunting Capabilities

A threat hunting team can be better enabled when given the time and interest to focus on what it wants.

Speaking at the SANS Institute Threat Hunting and IR Europe conference in London, David Bianco, principal engineer, cybersecurity, and Cat Self, lead information security analyst, both at Target, explained how the threat hunting team evolved at the company.

Bianco said that Target had the idea to develop the threat hunting team “into something more modern, as we had the same program for several years.” 

Looking at the existing program, the company asked what was working well, what was not working as well, and what else could be accomplished. Self said that by working with level 1 and level 2 analysts, and engaging them on what frustrated them and what they would like to change, they were able to identify three ways to improve the threat hunting effort:

  • Program focus – change focus to align with what Target needed the program to do
  • Operational consistency – so they know how things are running
  • Hunt topic strategy – to gain a layer of strategy on top of hunting

“The program was created to find new incidents that had been missed,” Bianco added, saying that over time the focus of the program shifted and moved from finding incidents and ensuring visibility, to being a source of knowledge transfer between SOC analysts.

He said that human scale detection cannot be relied upon, and the “number one goal was to tweak the focus from finding incidents to figuring out how to do better at automated detection.”

Self also said that an analyst would determine and research a topic as well as carry out associated work and writing, on top of the full-time job, and this was being done for one week in an eight-week cycle. “It was asking too much to do all the work,” she said.

Bianco said the concept was changed to include a mix of long term projects and special requests, as well as asking the analysts what they wanted to hunt on.

They concluded by recommending a working strategy that includes hiring threat hunters, giving them time to prepare, and hunting effectively for what is not yet known and not yet being exploited, while avoiding “hitting everyone everywhere.”

Source: Information Security Magazine

TSA Desires "Cybersecurity by Design"

The United States Transport Security Administration (TSA) has publicly announced that it's on a "quest to merge cybersecurity and information technology."

Instead of cybersecurity's being an add-on or afterthought, the TSA wants the industry to adopt a culture of "cybersecurity by design" when dreaming up and manufacturing security equipment. 

The transport-focused sub-tier of the Department of Homeland Security has not taken on this mission alone, but rather says that it's acting with the support of America's airport facilities. 

The joint call for a new mindset from the security industry was announced in a special notice on January 7.

"The purpose of this special notice is to inform [the] industry of TSA's and airport facilities' quest to merge cybersecurity and information technology," wrote the TSA.

"This and future notifications will provide [the] industry with ongoing meeting overviews and actions that specifically address information security and security screening technologies."

Along with its desires for an integrated approach, the TSA listed 17 key requirements for the information security and security screening technologies industry, with the aim of ensuring all parties are working toward a common goal.

Demonstrable "cybersecurity by design" for security equipment topped a list that also called for password control that allows airport operators to change system-level passwords and the vetting of all maintenance personnel, both local and remote, via background checks. 

Systems must be updatable as vulnerabilities are discovered, and security assessment tools should run on devices to scan for them. In addition, systems must ensure the unique identification of people, activity, or equipment access and be able to audit, analyze, and monitor events.

To protect supply-chain integrity, a complete list of all software and hardware making up screening equipment will be required from vendors.

Vendors are also expected to protect screening algorithms from compromise with systems that issue alerts when accessed. Steps must also be taken to prevent unauthorized physical access—via USB ports, for example.

"Sharing these requirements with [the] industry and the public will: Increase security levels; raise the bar of cybersecurity across screening solutions; provide vendors an opportunity to demonstrate their cybersecurity credentials; and provide an aligned approach across the industry—making it easier for vendors to adapt to end user requirements," wrote the TSA.

Source: Information Security Magazine

Seattle to Host Major New Cybersecurity Event

The verdant city of Seattle is to host a new three-day event dedicated to cybersecurity and the cloud.

CSA SECtember will feature in-depth training sessions, networking opportunities, and the chance to interact with a score of global experts. 

The event is the brainchild of global non-profit the Cloud Security Alliance (CSA), which is headquartered in Seattle. The organization is known around the world for its popular cloud security provider certification program, the CSA Security, Trust & Assurance Registry (STAR).

The inaugural SECtember will go down at the Sheraton Grand Seattle hotel from September 14 to 17, 2020. 

"Seattle is well-established around the world as the center of cloud computing, and with the introduction of SECtember, it can be the focal point of cybersecurity, as well," said Jim Reavis, CEO and co-founder, Cloud Security Alliance.

A major focus of the event will be to educate the industry on key trends and issues affecting the cloud and cybersecurity industry. Close attention will also be paid to where and how cybersecurity and the cloud intersect.  

Reavis said: "In 2020, cloud computing is now the primary mode of computing around the world and is also the foundation for cybersecurity writ large and the means by which we secure all forms of computing, such as the Internet of Things."

According to Reavis, the CSA's new September spectacular is unlikely to be a one-off event. 

He said: "CSA is making a permanent commitment to bring this signature event to our home city on an annual basis, which is rapidly becoming a magnet for companies in the technology and cloud space.” 

Attendees of the first ever SECtember will be spoiled for choice when it comes to training opportunities. Courses already confirmed include the Certificate of Cloud Security Knowledge (CCSK) Foundation (1 day), CCSK Plus (2 days) along with CCSK Plus AWS and Azure, Cloud Governance & Compliance (1 day), Advanced Cloud Security Practitioner (2 days), and Certificate of Cloud Auditing Knowledge (2 days).

Though the event is primarily educational, the CSA has factored in a little playtime. 

"SECtember will bring together thought leaders from five continents to provide a global perspective on strategic cloud and cybersecurity issues and will provide state-of-the-art educational activities," said Reavis.

"While the topic of our conference is serious, we guarantee that the event will also be fun."

Source: Information Security Magazine

#THIREurope: APT Groups Now Using Similar Tools in Espionage and Cybercrime Attacks

Speaking at the SANS Institute Threat Hunting and IR Europe conference in London, Tom Hall, principal consultant for incident response and Mitch Clarke, incident response consultant UK&I, at Mandiant, talked about lessons learned from the APT41 detection last summer, and how tools are being used by different threat actors.

The speakers said that they believed APT41 is “sponsored by the Chinese government” rather than part of the state’s own offensive operations, and that the group has been seen conducting espionage operations during daytime working hours and “cybercrime activities” in the evening. This includes targeting healthcare and telco companies for IP theft.

Clarke explained that the group “flip the infrastructure and use it for cybercrime and non-espionage tasks,” which has involved stealing source code and certificates; by day they flip back to espionage and use those stolen certificates to sign the malware they run in their operations.

Hall explained that APT41 have used stolen certificates to sign tools and hide from incident responders and forensic investigators. “It is not a case of if it is signed you can trust it.”

Separately, in attacks conducted by the APT34 group, the Mandiant researchers said that another tool called “SEASHARPEE,” which comprises a loader and an embedded payload, was used as a second-stage webshell.

Hall explained that SEASHARPEE has “anti-forensic capabilities and extended functionality dependent on the sample.” While it was first seen in APT34 intrusions in October 2015, the APT34 toolset was leaked and reported in April 2019, and the same tool was reported as being used by the APT27 attackers later in 2019.

Clarke said that the presence of this particular malware in another group's intrusions shows that tool-based attribution cannot be relied upon completely: investigators need to keep an open mind about who is behind an intrusion, which tools are being used, and for which activity.

“Just because it is signed, it doesn’t mean it is trusted,” Clarke said. “You can add malicious certificates into root stores and an invalid cert would be available in the store.”

Speaking to Infosecurity, and asked if they felt that groups were exchanging tools or selling them on dark markets, Clarke said that sharing was very rare among threat actors, but it was more likely that different actors were using a similar kit.

Source: Information Security Magazine

St Louis Man Jailed for $12m Tax Refund Scam

A St Louis man has been sentenced to four years behind bars for his part in a major identity fraud campaign in which a group claimed over $12m in tax refunds.

Babatunde Olusegun Taiwo will spend 48 months in prison plus three years of supervised release and will pay restitution of $889,712, according to the Department of Justice (DoJ).

That amounts to the total the IRS paid out in tax refunds to Taiwo and his co-conspirators after they filed over 2000 fraudulent returns, the DoJ said.

They apparently used personally identifiable information (PII) obtained from a breach at a payroll company to file returns on behalf of hundreds of school district employees in Alabama and Mississippi.

In a bid to try and conceal the fraud, they stole and used “electronic filing identification numbers” from businesses that help their clients with tax returns. However, they directed the IRS to send refunds to their homes in St Louis, which is likely to have raised internal red flags.

“Today’s sentencing of Babatunde Taiwo highlights how seriously IRS Criminal Investigation and our law enforcement partners take the issue of identity theft,” said Thomas Holloman, special agent in charge of the Atlanta IRS Criminal Investigation field office.

“We will continue to pursue criminals who prey on innocent victims and we will continue to enforce our nation’s tax laws. Today’s sentencings should send a clear message to would-be criminals — you will be caught and you will be punished.”

Co-conspirator Kevin Williams has already been sentenced to 78 months behind bars for his role in the scheme, as well as voter fraud and re-entering the US after having been removed.

The IRS, and the UK’s HMRC, are frequently targeted by scammers impersonating legitimate taxpayers, and are often themselves spoofed in phishing emails sent to victims.

The “Dirty Dozen” list of tax scams circulated by the IRS last year highlighted the most popular tricks used by fraudsters, but the tax office warned that such “aggressive” schemes are constantly evolving.

Source: Information Security Magazine

Hundreds of Millions of Broadcom Modems “Haunted” by New Bug

Security researchers are warning of a new critical vulnerability affecting multiple cable modem manufacturers that use Broadcom chips — exposing hundreds of millions of users to remote attacks.

Discovered by three researchers from security consultancy Lyrebirds and one independent researcher, the so-called “Cable Haunt” bug (CVE-2019-19494) is described as a buffer overflow “which allows a remote attacker to execute arbitrary code at the kernel level via JavaScript run in a victim's browser.”

Specifically, the flaw is found in the Broadcom chip’s spectrum analyzer component, which is designed to identify problems with the modem's cable connection. If attackers can first trick the user into opening a web page containing malicious JavaScript, possibly via a phishing email, they can trigger the buffer overflow from the browser and gain access to the modem.

This opens up a range of potential options to the hackers, including: changing the default DNS server, disabling ISP firmware upgrades and covertly changing the code themselves, man-in-the-middle attacks and conscripting the device into a botnet.

Basically, it means being able to snoop on all traffic flowing into the modem, send users unwittingly to malicious domains and launch botnet attacks.

The scale of the problem is potentially immense — affecting many more devices than the 200 million estimated in Europe.

“The reason for this is that the vulnerability originated in reference software, which has seemingly been copied by different cable modems manufacturers when creating their cable modem firmware,” the researchers warned. “This means that we have not been able to track the exact spread of the vulnerability and that it might present itself in slightly different ways for different manufacturers.”

ISPs have been contacted by the team with a fix prior to disclosure, but the quartet claimed only to have had “limited success” with this approach. Models from Netgear, Sagemcom, Technicolor and Compal are among the 10 identified as affected.

However, the vulnerable spectrum analyzer in question is not directly exposed to the internet, making this attack a relatively complex endeavor and therefore not likely to be used in mass campaigns given the numerous other flaws that can be more easily exploited in routers.

Source: Information Security Magazine

National Lottery Hacker Jailed for Nine Months

A cyber-criminal has been jailed for nine months for committing offences against the National Lottery.

Following a National Crime Agency (NCA) investigation, Anwar Batson, 29, of Notting Hill, London, was sentenced at Southwark Crown Court on 10 January. He admitted four offences under the Computer Misuse Act 1990 and one fraud charge.

The NCA was notified of the attack against National Lottery accounts in November 2016. The customer database affected contained around nine million records.

Daniel Thompson, 27, of Newcastle, and Idris Kayode Akinwunmi, 21, of Birmingham, were jailed for eight months and four months respectively for the attack in July 2018, having used an online application to bombard victims’ web domains with thousands of attempts to log in to customer accounts.

The NCA stated that Batson used a widely available hacking tool, Sentry MBA, to create a configuration file that launched the attack. He told others they could make quick cash by using the tool against Camelot (which runs the National Lottery), and gave the username and password of one lottery player to Akinwunmi, who stole £13 from that account before sending Batson £5.

Batson was arrested in May 2017 and, whilst he first denied any involvement in the crime, police officers discovered conversations between him and others about hacking, buying and selling of username and password lists, configuration files and personal details. His computer also contained a conversation with Akinwunmi about stealing the £13, the NCA added.
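The attack described above is a credential-stuffing pattern: one source firing thousands of login attempts across many different accounts. The detector below is an added example, not code from the article or from the NCA; the log format, sample lines, IP addresses and thresholds are all constructed assumptions, chosen to show how such a source stands out from a legitimate user retrying one account.

```python
"""Credential-stuffing detector over constructed web login logs.

Added example; log format and thresholds are assumptions, not anything
from the article.  A stuffing tool sprays many distinct usernames from one
source in a short window, so the detector keys on distinct accounts per
source IP rather than on failures for a single account.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <src_ip> <username> <result>"
SAMPLE_LOG = """\
2016-11-20T10:00:00 203.0.113.5 alice FAIL
2016-11-20T10:00:01 203.0.113.5 bob FAIL
2016-11-20T10:00:01 203.0.113.5 carol FAIL
2016-11-20T10:00:02 203.0.113.5 dave FAIL
2016-11-20T10:00:02 203.0.113.5 erin OK
2016-11-20T10:00:03 203.0.113.5 frank FAIL
2016-11-20T10:00:04 203.0.113.5 grace FAIL
2016-11-20T10:00:04 203.0.113.5 heidi FAIL
2016-11-20T10:00:05 203.0.113.5 ivan FAIL
2016-11-20T10:00:06 203.0.113.5 judy FAIL
2016-11-20T10:05:00 198.51.100.7 alice FAIL
2016-11-20T10:05:30 198.51.100.7 alice FAIL
2016-11-20T10:06:00 198.51.100.7 alice OK
"""


def parse_line(line):
    """Split one log line into (timestamp, src_ip, username, result)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result


def detect_stuffing(log_text, window=timedelta(minutes=5),
                    min_attempts=10, min_distinct_users=8):
    """Return {src_ip: summary} for every source that, within any sliding
    window, made at least min_attempts login attempts spread over at least
    min_distinct_users distinct usernames.  A real user retrying their own
    password on one account (198.51.100.7 above) never trips this rule."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            event = parse_line(line)
            by_ip[event[1]].append(event)

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()  # chronological order for the sliding window
        start = 0
        for end in range(len(events)):
            # Advance the window start until it spans no more than `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            users = {e[2] for e in span}
            if len(span) >= min_attempts and len(users) >= min_distinct_users:
                flagged[ip] = {
                    "attempts": len(span),
                    "distinct_users": len(users),
                    # Accounts where a guess succeeded: these need a forced
                    # password reset and a look at what happened afterwards.
                    "compromised": sorted(e[2] for e in span if e[3] == "OK"),
                }
                break  # one alert per source is enough
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_stuffing(SAMPLE_LOG).items():
        print(ip, summary)
```

The "compromised" list is the operationally important output: a successful login inside a spray, like the £13 account in the case above, is the one to lock and notify first.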

NCA senior investigating officer Andrew Shorrock said: “Even the most basic forms of cybercrime can have a substantial impact on victims.

“No one should think cybercrime is victimless or that they can get away with it. The NCA will pursue and identify offenders and any conviction can be devastating to their futures.”

Source: Information Security Magazine

Citrix Admins Urged to Act as PoC Exploits Surface

IT administrators are being urged to put in place mitigations for a serious Citrix vulnerability which the vendor says won’t be patched until next week at the earliest, after proof-of-concept (PoC) exploits were published.

The tech giant revealed the CVE-2019-19781 vulnerability in its Citrix Application Delivery Controller (ADC) and Citrix Gateway back in mid-December last year.

If exploited, it could allow an unauthenticated attacker to perform arbitrary code execution, the firm warned, strongly advising customers to apply the relevant mitigations and update the firmware when a new version becomes available.

However, in a new blog post, Citrix revealed that these fixes would not be available until January 20 at the earliest, with version 10.5 not receiving one until January 31.

That could give attackers enough time to compromise organizations which have not applied the relevant mitigations. PoCs have started to emerge on GitHub over the past few days which could allow attackers to gain full control over affected devices.

Troy Mursch, chief research officer at Bad Packets, warned that he had detected multiple exploit attempts from a host in Poland over the weekend.

“Given the ongoing scanning activity detected by security researcher Kevin Beaumont and SANS ISC since January 8, 2020 – it’s likely attackers have enumerated all publicly accessible Citrix ADC and Citrix (NetScaler) Gateway endpoints vulnerable to CVE-2019-19781,” he added.

It’s believed that tens of thousands of systems could be at risk.

Tripwire researcher Craig Young claimed that 39,378 of the 58,620 IP addresses he detected likely to be NetScaler or ADC VPN portals did not have mitigations enabled.

“The list contains countless high value targets across a swath of verticals including finance, government, and healthcare,” he added. “In total, there were 141 distinct domain names ending .gov plus another 351 distinct names containing .gov. in the domain.”

Source: Information Security Magazine

Cyber-Attack Makes Pennsylvania Students Learn "Old School" Style

Students in the Pittsburg Unified School District of Pennsylvania were left without internet access on Monday as the result of a ransomware attack.

With schools' internet servers and email compromised, youngsters returning to classes after the winter break were forced to enrich their brains the old-fashioned way, through books and direct teaching. 

“We will be teaching and learning like ‘back in the day,’ without laptops and internet,” wrote Pittsburg Unified School District Superintendent Janet Schulze on social media on Monday night. 

“Our schools have access to student information and our phones are working.”

Alongside her message that students would be going back to "old school," Schulze said that a ransomware attack had disabled the district’s network systems during the festive break.

According to The Mercury News, the district took all the servers affected by the attack offline, along with any servers that may have potentially been compromised. 

No personal data is reported to have been accessed as a result of the incident, and normal teaching schedules were resumed on Tuesday. 

"At this time, we do not have any indication that personal data/information has been compromised," wrote Schulze. 

"We are continuing to investigate and work with a cybersecurity team and experts. Since the investigation is continuing, complete findings are not available, and it is still too early for us to provide further details."

It was reported on Tuesday that the district was working with two internet technology companies to find a remedy for the attack. Contact has also been established with attorneys who specialize in dealing with the fallout from ransomware attacks.

The latest ransomware attack is the second such incident to befall a Contra Costa County system since the new year began. On Friday, January 3, a similar attack on Contra Costa County Library System resulted in a network outage in which services at 26 branches were impacted.

Library services are yet to be restored, and visitors to the system’s website are being greeted with the message: "Our network is currently down, and patrons are unable to login at this time. We are investigating the issue and will establish service as soon as possible."

Source: Information Security Magazine