Intelligent Connections. Recruiting Integrity.
Call Us: 415-510-2973

Archive for the News Category

NCA and Trend Micro Team Up to Arrest Alleged Cybercriminals

NCA and Trend Micro Team Up to Arrest Alleged Cybercriminals

Two suspects from Essex have been arrested as part of a joint operation between Trend Micro and the National Crime Agency (NCA) designed to root out cyber-criminals.

A 22-year-old man and a 22-year-old woman from Colchester were arrested on suspicion of running a website designed to help cyber-criminals bypass traditional malware filters with their attacks.

The site in question, reFUD.me, provided various capabilities including counter anti-virus (CAV) scanning.

This will test a piece of malware against current AV tools to show the cyber-criminal how successful it would be if released in its current form. Crucially it will hide the results of these tests from the AV companies themselves.

Another service they offered is known as “crypting” and involves modifying a piece of malware until it is no longer detectable by the major AV vendors.

At that time it is known as “FUD”—fully undetectable—although modern heuristics tools can still often spot and block malware where traditional filters fail.

The “Cryptex Reborn” service allegedly run by the two suspects was labelled as “among the most sophisticated developed in recent years.”

The arrests are the first major breakthrough for the NCA and Trend Micro following a landmark MoU which was signed in July formalizing their co-operation in the form of a ‘virtual team’ comprising members of the NCA’s NCCU (National Cybercrime Unit) and Trend Micro’s Forward Looking Threat Research team (FTR).

“As such the FTR team have been involved in the whole investigation from its inception, through identifying the workings of the alleged criminal activity, and working to identify suspects behind it,” Trend Micro FTR EMEA manager, Robert McArdle told Infosecurity.

“This mirrors other investigation work we have carried out with law enforcement in other areas of the world—albeit with a stated goal from the outside to see how closely public and private partners can work together, and how successful the outcomes can be.”

However, these arrests are likely to represent only the tip of the iceberg when it comes to alleged crypting and CAV, he added.

“However, unlike a botnet takedown which at best has a temporary impact on a single criminal group's operations, our operations aim towards core parts of the overall criminal business model—such as a crypters and CAV—as this has a more lasting effect on the wider criminal activity on the internet,” McArdle argued.

“In doing so we aim to create as much of a deterrent and effect on criminal business models as possible for the resources we put into the investigation, and ultimately push Trend Micro’s mission to make the world safe for the exchange of digital information.”

Photo © Karramba Production

Source: Information Security Magazine

Networking Engineer Crowned UK Cybersecurity Champion

Networking Engineer Crowned UK Cybersecurity Champion

Peter Clarke, a 38-year-old network engineer for a high-end car dealer in Leicester, has won the 2015 Cyber Security Challenge UK competition.

The Challenge comprises a series of virtual and face-to-face competitions that would identify talented people for the cybersecurity industry in the UK. In it, 42 contestants used their skills to defend Church House on the Grounds of Westminster Abbey from a fictional biological cyber terror attack. Over the course of the competition, contestants had to demonstrate real life technical skills that the industry relies upon, while adhering to strict legal framework, very closely based on UK government legislation.

Now entering its sixth year the Challenge is backed by over 50 public, private and academic organizations in the UK such as QinetiQ which led and designed the program. IT was supported by experts from Bank of England, GCHQ, National Crime Agency, BT, Cisco, Falanx Group, Roke Manor Research, Simudyne, and CyberCENTS Solutions. The competition is designed to unearth hidden cyber talent in the general public, and attract them into the cybersecurity industry.

Commenting on his victory, Clarke said: “I feel like it’s been a rollercoaster ride. I only entered the Cyber Challenge eight or nine weeks ago without anything higher than a GCSE and a few Microsoft qualifications in my back pocket so to be here now is unbelievable. I’ve had an interest in cyber for several years now and keep a breadth of the current trends and tools in the industry but this is the first step towards a future career in the area. I really want this to become my profession and the Cyber Security Challenge has given me a catapult into the industry that you can’t find anywhere else.”

More than half of 2015’s finalists were gamers, suggesting, said the organizers, that the 33 million of such people in the e UK was very likely to be a strong source of future cyber-defense talent to keep our country safe online.

“We would like to encourage any individual with an inquisitive mind, a passion for problem solving and desire to learn, to sign up and have a go at some of the games on our play-on-demand gaming platform – they are ready to play now,” added Bob Nowill, Chairman of Cyber Security Challenge UK. “You could have a hidden talent for cyber and be joining us for our big finale next year. Our past winners have included postmen, car park attendants, web designers and gamers – we simply don’t know who could be next.”

Source: Information Security Magazine

TrueCrypt Gets Thumbs Up from German Auditors

TrueCrypt Gets Thumbs Up from German Auditors

A German government audit of once-famed encryption service TrueCrypt has given it a tentative thumbs up after a no-doubt exhaustive six-month process.

The audit was undertaken for the German Federal Office for Information Security (BSI) by members of the Fraunhofer Institute for Secure Information Technology and others, after TrueCrypt was abandoned by its developers in 2014.

The open source disc encryption platform had been favored by many, but doubts were cast over it after those same anonymous developers claimed in a parting shot that it “may contain unfixed security issues.”

That prompted a review led by noted cryptographic expert Matthew Green, which claimed back in April that TrueCrypt contained “no evidence of deliberate backdoors, or any severe design flaws that will make the software insecure in most instances.”

Now the German auditors are claiming that the service is actually “safer than previous examinations suggest.”

Heading up the research, Technische Universität Darmstadt professor Eric Bodden revealed in a blog post that his team found some weaknesses in the way TrueCrypt retrieves the random numbers used for encryption.

He explained:

“With a lack of randomness, an attacker can theoretically guess your encryption key more easily. This problem only occurs in non-interactive mode, though, or when using certain access-control policies on Windows. In result, it is unlikely that this problem has actually affected users in the wild. The problem is that if volumes were created with a weak key, then afterwards there is no way to tell. To be on the safe side it would therefore be advisable to re-encrypt volumes with a version of TrueCrypt in which this flaw has been fixed.”

All in all, however, the platform is described by Bodden as “probably all right for the most parts”—with the flaws uncovered minor and probably present in other encryption services.

“Code quality could be improved, though, as there are some places that call for a refactoring and certainly for better documentation,” he added. “But generally the software does what it was designed for.”

The results of the audit will be good news for firms looking for alternatives to products currently on the market.

In fact, in June 2014, a group of developers decided to make existing versions of the product available again, with servers located in Switzerland to keep them theoretically out of the reach of the NSA and its partners.

Photo © Oscity

Source: Information Security Magazine

Russian Cybercrime Gangs Flourish with 1,000 New Employees

Russian Cybercrime Gangs Flourish with 1,000 New Employees

Russian language cybercrime gangs have recruited up to 1,000 new ‘employees’ over the past three years, although there are only around 20 people who make up the core of the average group, according to Kaspersky Lab.

The security vendor’s chief investigator, Ruslan Stoyanov, used a new report, Russian financial cybercrime: how it works, to uncover the cyber-criminals behind global attacks.

He claimed that law enforcers around the world have arrested over 160 Russian-speaking cyber-criminals since 2012 from gangs of all sizes.

In fact, they’ve been responsible for attacks that have harvested over $790 million—most of which ($509m) was stolen from outside the former USSR—although even this figure could be merely the tip of the iceberg.

The Russian-speaking cybercrime underground is flourishing, and motivated primarily by making money, the report claimed. Of the 330+ incidents investigated by Stoyanov and his team, 95% were connected with the theft of money or financial info.

Although the exact number of gangs working across the region is unknown, Kaspersky Lab revealed that they contain around 20 people on average.

It continued:

“We can calculate fairly precisely the number of people who make up the core structure of an active criminal group: the organizers, the money flow managers involved in withdrawing money from compromised accounts and the professional hackers. Across the cyber-criminal underground, there are only around 20 of these core professionals. They are regular visitors of underground forums, and Kaspersky Lab experts have collected a considerable amount of information that suggests that these 20 people play leading roles in criminal activities that involve the online theft of money and information.”

After uncovering five such groups in 2012-13, Kaspersky Lab has been able to understand more about their operation and structure.

Key roles include programmers, web designers, system administrators, testers and cryptors—the latter tasked with ensuring that malware evades detection.

Staff are paid either a fixed wage or employed on a project basis as freelancers and recruited on underground and some mainstream job sites.

“By advertising ‘real’ job vacancies, cyber-criminals often expect to find employees from the remote regions of Russia and neighboring countries (mostly Ukraine) where problems with employment opportunities and salaries for IT specialists are quite severe,” said Stoyanov.

“The idea of searching for “employees” in these regions is simple—they carry a saving because staff can be paid less than employees based in large cities. Criminals also often give preference to candidates who have not previously been involved in cybercrime activity.”

Groups could be organized in “affiliate” programs, small groups of up to 10 people, and large organizations like Carberp and Carbanak—with the latter type apparently the most “destructive and dangerous.”

Major campaigns are preceded by months of preparation—developing and selecting the malware, building the attack infrastructure and studying the target organization(s).

Unfortunately for consumers and companies around the world, such gangs will continue to flourish in the absence of adequate international cybercrime laws, frameworks for co-operation between law enforcement agencies, and a sufficient number of cyber-trained police.

Photo © you

Source: Information Security Magazine

Exploit Kit DNS Activity Soars 75% in Q3

Exploit Kit DNS Activity Soars 75% in Q3

The third quarter saw the creation of DNS infrastructure for exploit kits rise 75% from the same time a year ago, pointing to a coming storm of cyber attacks, according to security vendor Infoblox.

The DNS protection service provider puts together a Threat Index to measure the creation of malicious domains used in malware, DDoS, data exfiltration, exploit kits and more.

The score for Q3 2015 stood at 122 – up 19% from a year ago but down slightly from the record high of 133 in Q2 this year.

When it comes to exploit kits, cybercriminals need to register domains to create the ‘drive-by’ location from which they can infect users, who typically arrive there after clicking on malicious spam or malvertising.

An attack on the Daily Mail website earlier this year led to potentially millions of users exposed to this kind of malicious advertising over 4-5 days.

Once clicked through, an EK will typically take advantage of known software vulnerabilities in common applications like Java and Flash to download malware onto the victim’s device.

“The significant increase in the use of exploit kits compared to the same period in 2014 highlights the growing popularity of these types of attacks, as sophisticated cybercriminals continue to profit from the sale of kits which can be used by relatively unskilled hackers to take advantage of known vulnerabilities,” explained Infoblox systems engineering manager, Malcolm Murphy.

“Equipping a greater number of operators with these tools translates to an increase in the number of potential attacks, so organizations must ensure that they are using reliable threat intelligence to enable them to disrupt malware as it communicates through the DNS.”

Angler – the EK connected to the Daily Mail attack – was the most prolific in Q3, accounting for 30% of activity. It’s particularly troublesome as it can be quickly updated to include zero day threats which can be hard for some anti-malware systems to stop and block.

Next came Magnitude (29%), which mainly affected users in the US, Canada and the UK, according to the report.

Infoblox warned that cybercriminals typically go through a two-phase cycle of ‘planting’ and ‘harvesting’ domains for malicious activity, with Q3 activity appearing to tally with the early stages of the latter.

Photo © Andrea Danti 

Source: Information Security Magazine

Cook: ‘We’ll Work with UK but Won’t Stop End-to-End Encryption’

Cook: ‘We’ll Work with UK but Won’t Stop End-to-End Encryption’

Tim Cook has refused to back down over iMessage end-to-end encryption in a stance which could see Apple on a collision course with the UK government, as clamor grows for the security services to be given more snooping powers following the Paris terror attacks.  

In an interview with the Irish Independent Cook explained his repeated position that Apple has never allowed access to its servers or “worked with any government agency from any country to create a backdoor in any of our products or services.”

"The UK government has been clear publicly that they are not seeking to weaken encryption," Cook is quoted as saying.

"And so I take them at their word that they would not do that. And at the moment as you know, we encrypt iMessage end-to-end and we have no backdoor. And we have no intention of changing that. Any change made would contradict the UK government's view that they would not weaken encryption.”

That might not entirely be true because of either confusion or deliberate vagueness by some politicians and intelligence bosses when they talk about not wanting to weaken “encryption” as opposed to “end-to-end” encryption.

In fact, the controversial Investigatory Powers Bill currently passing through parliament contains a passage stating that CSPs must assist with interception warrants and “maintain permanent interception capabilities, “including maintaining the ability to remove any encryption applied by the CSP to whom the notice relates.”

However, Cook seemed to suggest that parliamentary scrutiny and common sense would prevail.

“And so I think that we'll work closely with them,” he said. “And I have every faith that through this process of the next year, give or take a year, that the bill will become very clear.”

The fear among opponents of the bill is that recent terror attacks in Paris could be used as justification for extra state snooping powers as proposed in the legislation, including the de facto ban on end-to-end encryption and the forcing of ISPs to retain web browsing records for a year.

CipherCloud CEO, Pravin Kothari, argued that “dismantling privacy for the masses” will push the terrorists deeper underground.

“But diluting commercial encryption won’t prevent the bad guys from using their own proprietary encryption and won’t make us safer,” he added. “Weakening the technology that companies use to protect average users misses the mark. Nor will enacting the IPB better protect the homeland as many of its monitoring provisions already exist in France following Charlie Hebdo.” 

Meanwhile, Context Information Security lead investigative researcher, Tom Williams, argued in a lengthy note that ISIS faces numerous challenges in recruiting and retaining those with the cyber skills to launch major attacks.

He said the possibility of an attack on critical infrastructure, as mentioned by chancellor George Osborne in a speech in which he announced a doubling of the funding for the fight against cybercrime, was unlikely in the short term.

“Due to the likely fluid nature of their cyber capability, both in terms of skill and access to sophisticated malicious software, this prospect cannot and should not be ruled out as a possibility in the medium to long-term,” he claimed.

Any future threat would probably involve a malicious insider working at a targeted facility, Williams added.

Source: Information Security Magazine

Trend Micro: Major Q3 Attacks Could be Sign of Things to Come

Trend Micro: Major Q3 Attacks Could be Sign of Things to Come

Trend Micro blocked 12.6 billion threats in Q3, a 20% decrease from 2012, but warned that seismic security incidents during the period could be an indication of the kind of threats facing individuals and businesses going forward.

The third quarter saw some of the “worst-case security scenarios ever imagined," according to the vendor's Security Roundup report for the period.

First came the attack on Hacking Team reported back in July in which 400GB of stolen data was exposed, leading to the discovery of five new zero day flaws and specialist spying tools for iOS and Android.

One of these vulnerabilities was added into the Angler EK and used in attacks in South Korea and Japan and another in attacks on sites in Taiwan and Hong Kong.

Then came the Ashley Madison data dump, which it is claimed led to follow-up extortion and blackmail attacks on those exposed, even resulting in reports of suicide.

Trend Micro even discovered some honeypots it set up were used to create profiles on the site, leading some to speculate that some innocent netizens may also have been caught up in the fall-out from the attack.

The report had the following analysis:

“We believe we will see more of these chain reaction-type attacks. Bigger and better-secured organizations may experience breaches of their own if ever attackers successfully manage to leech off data from their smaller, less-secure partners. Consumers may also find their personal information at risk if companies continue to get breached due to this lateral progression of attacks.”

Elsewhere the quarter saw another major Android vulnerable—Stagefright—and even trojanized apps featuring a malicious version of Xcode were found on the App Store, putting iOS users at risk.

Despite blocking 1,588 threats per second, the figure continues to fall from 2012 highs, possibly due in part to attackers focusing their efforts on “well-chosen victims for better results,” Trend Micro said.

Trend Micro chief cybersecurity officer, Tom Kellermann, argued that incident response plans must be tweaked to manage the “secondary stages of attacks.”

“Intrusion suppression will become the goal of incident response as it is imperative that the dwell time of an adversary be limited. We must disrupt the capacity of an adversary to maintain a footprint on hosts, and thus inhibit their ability to conduct secondary infections,” he added.

“Virtual shielding, integration of breach detection systems with SIEMs, and file integrity monitoring will be key instruments in mitigating the punitive attacks of 2016.”

Source: Information Security Magazine

Casinos and Video Piracy Mark Malware Campaign Affecting 1 Million

Casinos and Video Piracy Mark Malware Campaign Affecting 1 Million

Three casino websites were the decoys in for one of the largest malvertising attacks seen to date.

Researchers at Malwarebytes Labs have identified a campaign that’s been active for at least three weeks, preying on visitors of sketchy websites offering things like free downloads of copyrighted movies, pirated live streams, pirated software and more. Those websites host malicious ads, which then redirect the victim to one of the casino websites (pennyslot.net, playcasino77.com and onlinecasinofun.org).

From there, the sites would silently load malicious iframes from disposable domains which ultimately led to the Angler exploit kit. In one case, the casino website was a direct gateway to Angler EK.

Further, the malvertising campaign used a surprising 30 or more different pieces of malware to infect victims. Researchers found the infamous CryptoWall ransomware as well as the Bunitu Trojan.

The impact is widespread.

“In all likelihood, a very large number of people were exposed to malware because of this campaign,” said Jerome Segura, senior security researcher at Malwarebytes Labs, in a blog. “When looking at the number of visitors to those websites, we see a troubling pattern. Before September, the traffic for all three combined was almost non-existent, but by mid-October, traffic spiked through the roof for a total of more than 1 million monthly visits.”

Because the campaign affected dubious publishers likely to turn a blind eye to ‘advertising issues’ and visitors knowing they were consuming illegal content, there was little reason for anybody to report the incident. The ad networks were almost all registered via Domains By Proxy LLC, meaning no information was available about the registrant.

“In fact, each of these malvertising attacks taken on its own does not stand out, but realizing that they were all connected gives us the bigger picture in how large of an operation this was,” Segura said.

But, they were all through GoDaddy, and on the same ASN: AS15169; this leads the researchers to believe they were actually all related to one another. Going through 10 ad domains, AdCash was one of the advertising networks affected—and it’s through this outlet that Malwarebytes was able to report the campaign.

A look at some of the stats behind those ad domains shows some staggering numbers. According to SimilarWeb, a service that estimates website traffic and provides various analytics, these ad networks generated over 2 billion visits in October.

“To be clear, this is not how many people were exposed to malvertising since this only affected a few particular rogue campaigns, and not all campaigns running on these networks,” Segura added.

Looking at the stats of the casino sites that acted as an intermediary for the exploit kit is interesting as well. Interestingly, before September, the traffic on those three domains was quasi-nonexistent; but, once the campaign started, traffic spiked through the roof for a combined total of more than 1 million visits.

Photo © monamis

Source: Information Security Magazine

IBM: Ransomware, Insider Threats Top 2015 Cyber-Trends

IBM: Ransomware, Insider Threats Top 2015 Cyber-Trends

2015 has been a challenging year as insider threats and malware as well as stealthy and evolving attacks affected enterprises. Taking stock, IBM Security has identified the top four cyber-threat trends of the year: amateur hacker carelessness, ransomware, insider threats and C-suite attention.

The first notable trend is amateur hackers exposing sophisticated criminals in onion-layered attacks. While 80% of cyberattacks are driven by highly organized and sophisticated online crime rings, it is often inexperienced hackers (“script kiddies”) who unknowingly alert companies to these larger, sophisticated hackers lurking on a network or inside an organization. These amateur hackers leave clues like unusual folders or files in a temporary directory, deface corporate web materials, and more. When organizations look into these mischievous attacks, they often find much more complex attacks.

“As the name suggests, an onion-layered security incident is one in which a second, often significantly more damaging attack is uncovered during the investigation of another more visible event,” the firm said in its Q4 2015 IBM X-Force Threat Intelligence Quarterly report. “The security team has to carefully peel back layers of forensic information in order to determine the root cause of each event under scrutiny.”

Also, it’s almost undeniable that 2015 was the year of ransomware, with this type of infection ranking as the most commonly encountered infection. In fact, the FBI reported Cryptowall ransomware attacks have netted hackers more than $18 million from 2014-2015. IBM researchers believe that it will remain a common threat and profitable business into 2016, migrating to mobile devices as well.

“For ransomware to succeed, attackers rely on a multitude of security and procedural breakdowns. In some cases, clients had recurring infections during the year,” IBM said. “This was because, although some of the factors leading to infection were addressed and resolved, nothing was done to resolve the fundamental breakdowns that facilitated the initial infection.”

Those breakdowns include not backing up data, poor patching procedures and a lack of user awareness.

The report also noted the ongoing danger of malicious attacks from inside a company. This is a continuation of a trend seen in 2014 when IBM’s 2015 Cyber Security Intelligence Index revealed that 55% of all attacks in 2014 were carried out by insiders, individuals with insider access to an organization’s system, knowingly or by accident.

A series of patterns emerged from the ERS team’s investigations:

• There were shared accounts with administrative privileges.

• Password sharing between team members was not discouraged.

• Passwords were routinely set to never expire.

• Passwords were “easy.”

The common thread is that accountability was not enforced.

“Bad password policies seriously compromised the efficacy of termination procedures,” IBM said. “Whenever a system or network administrator left the organization, disabling their personal accounts did not limit their ability to perform unauthorized activity on the network via one or more of the shared accounts they had routinely used in their job. As a result, ex-employees with ill will toward former employers held powerful weapons they could use to express their resentment. They simply needed a way to get back into the network.”

And, the final trend could be entitled, “C-Suite Cares.” In 2015, cybersecurity became a true concern at the boardroom level with more positions of power asking questions about their organizations’ security posture. In fact, a recent survey of CISOs by SMU and IBM, revealed that 85% of CISOs said upper-level management support has been increasing, and 88% said their security budgets have increased.

“Organizations today are going back to the basics. The major cybersecurity trends of 2015—the challenge of recognizing stealth attackers on the network, ransomware, malicious insider attacks and growing management attention to enterprise security readiness—can largely be addressed by focusing on security 101,” IBM said. “Think patch management, user education, proper password procedures and standard security practices.”

Photo © asylum

Source: Information Security Magazine

Threat Intelligence Will Be UK Firms’ Investment Priority For 2016

Threat Intelligence Will Be UK Firms’ Investment Priority For 2016

UK firms are filing to capitalize on holistic and integrated view of security performance as performance, skills, and costs remain biggest hurdles to true data-driven security over the coming year, research from IDC and SecureData has revealed.

Almost all (96%) of UK firms already use threat intelligence products and services and each and every one intend to do so within the next 24 months. There were clear benefits for doing so: companies saw that use of such products could bring about faster attack detection and response (55%), better understanding of threats and attacks (43%), and finding new or unknown threats (42%).

Yet the survey also revealed a number of major challenges that needed to be addressed such as optimizing performance and response times (75%), training and expertise (59%), and the costs of tools, maintenance and personnel (52%). Analytics-based issues were also found to be a significant hurdle. Correlating events (49%) and reducing false positives/negatives (36%) were the highest ranking worries in this regard. Two-thirds of organizations (66%) plan to invest in Big Data analytics engines, but only a quarter are ready to invest in third-party intelligence products or services.

Only a third of those surveyed by IDC believe that threat intelligence includes intrusion monitoring or the sharing of information within the security community (35%). An even smaller group includes analytics either based on behavior (6%) or correlation of security data (6%), while just 3% believe cloud-based intelligence sharing is part of threat intelligence.

Of the most concerning findings  in report was the trend for many  organizations to collect a substantial amount of information across their IT security infrastructure, but then fail to integrate this with their threat intelligence platform. Just under three-fifths of respondents were found to integrate data from their firewall or UTM devices while almost half (47%) of the 86% of organizations using an MDM to manage mobile devices integrate data from their system with their threat intelligence platform. only a third of firms correlate external data such as threats or attacks on peer companies with their threat intelligence platform.

“Threat intelligence is not simply information,” commented IDC research director Duncan Brown. “It is a service delivering a collated and correlated range of data feeds and sources to provide actionable advice to security operations. Getting this holistic view of security beyond IT is critical to understanding the full context of threat information, but our study suggests firms are taking a somewhat traditional view of intelligence that discounts more innovative developments.”

“IDC’s findings suggest Chief Information Security Officers are not considering the wider context in which their business operates, either from a physical security and application security perspective, or from a broader industry viewpoint,” added SecureData CEO Etienne Greeff. “Nevertheless, the fact they recognize the importance of increased context and intend to invest in such insight as a priority is encouraging as it will enable them to adopt an offensive security posture – one that mitigates the ever-expanding attack surface and better protects their infrastructure, applications and valuable information assets.”

Source: Information Security Magazine