340 Million Records Exposed in Exactis Breach
https://www.wavesys.com/products/wave-virtual-smart-card
Excerpt: When we say “secure”…
…we mean it. Our solution starts with a proven hardware root-of-trust. Multi-factor authentication is an established best-practice for strong authentication: the TPM-based virtual smart card is one factor (something you have) and the user PIN is a second factor (something you know).
https://www.infosecurity-magazine.com/news/340-million-records-exposed-in/?utm_source=dlvr.it&utm_medium=twitter
Another major data breach has left roughly 340 million records exposed by data aggregation firm Exactis after information was left on a publicly accessible server. The 2 terabytes' worth of data appears to include the personal details of the individuals listed, including phone numbers, home addresses, email addresses and other highly personal characteristics for every name.
The type of personal information that was potentially compromised should be concerning to consumers, given the enormous volume of information that is collected, spliced together and housed in databases such as the one that was leaked by Exactis, said Anurag Kahol, Bitglass CTO.
“Exposing that amount of data to the public internet is a significant offense by the organization and one that we’ve seen dozens of times in the past year, yet it is unlikely that we’ll see anything change unless organizations take the initiative in protecting corporate data,” Kahol said.
News of the breach raises questions about whether Exactis knew what type of information it had and whether it considered the potential implications if that information were compromised. “The problem with most enterprises today,” said Ruchika Mishra, Balbix director of products and solutions, “is that they don’t have the foresight and visibility into the hundreds of attack vectors – be it misconfigurations, employees at risk of being phished, admin using credentials across personal and business accounts – that could be exploited.”
It could be months before the real impact of the breach can be measured, but what has initially been reported is alarming and there would not be any surprise if Exactis confirmed that 340 million individuals were indeed impacted.
“The Exactis data leak should enrage consumers and businesses alike. The sheer amount of cloud databases left accessible on the Internet is astounding, especially when one considers the type and amount of data that users store on it without giving it second thought,” said John “Lex” Robinson, cybersecurity strategist at Cofense.
“It is worth noting that just because the server was left open to the public does not mean it was stolen by malicious hackers, but we cannot be certain. The data reported to have been leaked is incredibly comprehensive and can be used by hackers to develop more targeted phishing scams.”
Do employees open your network to the bad guys by using hacked passwords?
A better way for companies and governments to avoid bad password harm than what is suggested in this article imo, see:
https://www.wavesys.com/products/wave-virtual-smart-card
Excerpt: The user experience with a virtual smart card is simple: he or she logs in with a PIN (authentication factor number one). The TPM (authentication factor number two) then transparently identifies the device to the network and connects the user to all the approved services. It’s one less thing for users to carry around.
https://blog.knowbe4.com/do-employees-open-your-network-to-the-bad-guys-by-using-hacked-passwords
A whopping 25% of employees are using the same password for all logins. What if that password is available on the dark web? A massive number of passwords have been compromised in data breaches and are used by the bad guys for attacks. Are any hacked passwords in use within your organization?
Using breached passwords puts your network at risk. Password policies often do not prevent employees using known bad passwords. Making your users frequently change their passwords isn’t a good solution either. It only takes one compromised password match for the bad guys to gain access.
KnowBe4’s complimentary NEW Breached Password Test (BPT) checks to see if your users are currently using passwords that are in publicly available breaches associated with your domain. BPT checks against your Active Directory and reports compromised passwords in use right now so that you can take action immediately!
Here’s how Breached Password Test works:
• Checks to see if your company domains have been part of a data breach that included passwords
• Checks to see if any of those breached passwords are currently in use in your Active Directory
• Does not show/report on the actual passwords of accounts
• Just download the installer and run it
• Results in a few minutes!
Meet MyloBot malware turning Windows devices into Botnet
For a strong possible solution to this see:
https://www.wavesys.com/malware-protection
Good quote at the link, 'Among other things, you'll know immediately whether any one of your devices - computers, laptops, tablets, smartphones- has been tampered with.'
https://www.hackread.com/meet-mylobot-malware-turning-windows-devices-into-botnet/
The IT security researchers at deep learning cybersecurity firm Deep Instinct have discovered a sophisticated malware in the wild targeting Microsoft’s Windows-based computers.
Adding devices to Botnet
The malware works in such a way that upon infecting, it allows hackers to take over the device and make it part of a botnet to carry out different malicious activities including conducting Distributed Denial of Service (DDoS) attacks, spreading malware or infecting the system with ransomware etc.
A Botnet is a network of private computers infected with malicious software and controlled as a group without the owners’ knowledge, e.g., to send spam messages.
Apart from these, the malware not only steals user data, it also disables the anti-virus program and removes other malware installed on the system. Deep Instinct has dubbed it MyloBot and, based on its capabilities and sophistication, the researchers say they have “never seen” such malware before.
Furthermore, once installed, MyloBot starts disabling key features on the system including Windows Updates, Windows Defender, blocking ports in Windows Firewall, deleting applications and other malware on the system.
See: 13 Ways Cyber Criminals Spread Malware/Trojan
“This can result in loss of the tremendous amount of data, the need to shut down computers for recovery purposes, which can lead to disasters in enterprises. The fact that the botnet behaves as a gate for additional payloads, puts the enterprise in risk for the leak of sensitive data as well, following the risk of keyloggers/banking trojans installations,” researchers warned.
Dark Web connection
Further digging into the MyloBot sample reveals that the campaign is being operated from the dark web, while its command and control (C&C) system is also part of other malicious campaigns.
Although it is unclear how MyloBot is being spread, researchers discovered the malware on one of their clients’ systems, where it sat idle for 14 days, one of its delaying mechanisms before it contacts its command and control servers.
It is not surprising that Windows users are being targeted with MyloBot. Last week, another malware called Zacinlo was caught infecting Windows 10, Windows 7 and Windows 8 PCs. Therefore, if you are a Windows user watch out for both threats, keep your system updated, run a full anti-virus scan, refrain from visiting malicious sites and do not download files from unknown emails.
Deep Instinct has yet to publish a research paper covering MyloBot from end to end.
FIs Facing $100B A Year In Cyberattack Losses
How about using excellent cybersecurity tools to all but nullify the risk of attack? wavesys.com....
https://www.pymnts.com/news/security-and-risk/2018/imf-financial-institutions-cyberattack-losses/
The impact from a cyberattack on financial institutions (FIs) could reach as high as a few hundred billion dollars annually, chipping away at profits and threatening the stability of financial firms, the International Monetary Fund (IMF) warned in a new report.
According to an IMF staff modeling exercise, the IMF found that FIs could lose that much each year because they are a target of hackers, and due to the role they play in managing and handling funds. The IMF report said a successful hack of an FI could spread quickly through the interconnected financial system. What’s more, the IMF said that lots of FIs use older systems that may not be able to fight off a cyberattack. That attack could result in financial losses, as well as a hit to the FIs’ reputation, which could lead to more losses.
To ascertain the risk, the IMF used techniques from actuarial science and operational risk measurement to come up with total losses from cyberattacks. Taken “at face value,” the IMF said the study suggests the average annual potential losses from cyberattacks could be nearly 9 percent of banks’ net income globally, or around $100 billion. In a severe scenario where cyberattacks are frequent, the hit would be two-and-a-half to three-and-a-half times as high, or between $270 billion and $350 billion. In the worst 5 percent of cases, the average potential loss could be as high as half of a bank’s net income, which would place the entire financial sector at risk.
In addition, the IMF noted that the estimated losses are much bigger than the cyber insurance market, with premiums remaining small globally at around $3 billion as of last year, and most FIs not carrying cyber insurance. When they do, they get limited coverage with insurers, having a tough time evaluating the risk of cyberattack exposure, noted the IMF. The IMF said there is a way to improve the risks, pointing to governments collecting more “granular, consistent and complete data on the frequency and impact of cyberattacks.” The IMF said that would help assess risk for the financial sector.
The IMF wrote in the report, “Requirements to report breaches — such as considered under the EU’s General Data Protection Regulation [GDPR] — should improve knowledge of cyberattacks. Scenario analysis could be used to develop a comprehensive assessment of how cyberattacks could spread and design adequate responses by private institutions and governments.”
New fears over Chinese espionage grip Washington
http://thehill.com/policy/cybersecurity/393741-new-fears-over-chinese-espionage-grip-washington
=============================================================
Red-teaming by DHS 'quietly and slowly' uncovers agency vulnerabilities
The testing scenario in the second article would be stopped with Wave's products as explained on the website (partially under The Wave alternative). imo.
https://www.cyberscoop.com/red-teaming-dhs-quietly-slowly-uncovers-agency-vulnerabilities/?utm_campaign=CyberScoop%20-%20Editorial&utm_content=73447112&utm_medium=social&utm_source=twitter
The Department of Homeland Security has carried out quiet “red-teaming” exercises at three federal agencies, breaking into networks and telling agency officials how it was done. The goal is for officials to more quickly realize when a hacker has a foothold in their systems to keep them from exfiltrating data.
“We go really quietly and slowly, just like an adversary would,” Rob Karas, the DHS official leading the red-team exercises, said Wednesday at the Cybersecurity Leadership Forum presented by Forcepoint and produced by CyberScoop and FedScoop.
Karas said his team has carried out five such red-team drills at three agencies, declining to name them. The 90-day assessments begin with about two weeks of reconnaissance that might culminate in a carefully crafted spearphishing email.
“We send a phishing email and it beacons back to our host in Arlington, and then we have a foothold” into the organization, said Karas, DHS’s director of national cybersecurity assessments and technical services. “From there, we pivot to other computers, to domain controllers, to enterprise computers.”
His team of security testers litters the target network with signatures representing ransomware or other malware — no actual malicious code is used. They check to see if the agency’s security operations center (SOC) detects malicious scans of the network and how it responds. The ethical hackers also attempt to exfiltrate large volumes of data over various channels.
Cybersecurity experts say rigorous red-team exercises are key to giving an organization a clear understanding of its vulnerabilities. A recent Office of Management and Budget report suggests many agencies still lack that clear understanding. Just 27 percent of agencies say they can detect and investigate “attempts to access large volumes of data,” and even fewer agencies test that capability annually, according to the report.
One of the more infamous cases of an undetected data heist at an agency was the 2015 hack of the Office of Personnel Management. Hackers sat unnoticed on the agency’s network for months and made off with the personal data of 22 million current and former federal workers.
Karas is trying to keep that from happening again.
At the end of a red-team assessment, Karas’s team sits down with officials from the target agency to deliver their security verdict. It might take three or four days for an agency to notice Karas’s testers had created or deleted accounts on the network, he said. “Other things might take them weeks — or they might not notice at all.”
After the initial assessment, the plan is to do another test in six months or a year’s time, he said.
Ransomhack; a new attack blackmailing business owners using GDPR
Wave has three products which can help protect against these ransomhacks: Wave VSC 2.0, Wave Endpoint Monitor, and Wave SED Management. They are a unique and excellent set of products that could help prevent a ransom fee and a GDPR fine (which can be hefty). imo. To keep these ransom hackers off the network there are also known devices (TPMs) which can keep these bad guys (unknown devices) from obtaining sensitive data from the network.
https://www.hackread.com/ransomhack-gdpr-attack-blackmailing-business-owners/
Hackers are threatening companies to leak stolen user data online to hurt them through GDPR regulations – In return they are demanding ransom money.
On 25 May 2018, the new European General Data Protection Regulation (GDPR) which aims to improve information security on a global scale came into force. At the same time, this provoked the emergence of a new method for blackmailing the market.
Business owners are reporting that they are being subjected to cyber attacks related to ransomware, where personal data belonging to users or customers is exposed and a ransom demand is made in return for its retrieval.
Experts from Bulgaria based TAD GROUP point out the difference in the ransom methodology. This time cybercriminals aim to disclose private information to the public eye rather than encrypt it so it is unobtainable unless paid for.
Hackers threaten to publish the entire content of the database, containing personal data records, on a public server, that according to the regulation, means that the company will be severely fined.
This is the warning that Ivan Todorov, the founder of TAD GROUP, is issuing. According to him, the victims are medium and large-scale Bulgarian companies which are requested to pay a ransom in an untraceable cryptocurrency.
The ransoms vary from $1,000 to $20,000, while the fines envisioned by the new EU regulation amount to 4% of the company's global annual turnover for the previous year or up to 20 million euros. In short, Ivan Todorov calls this type of hacker attack “ransomhack”.
According to TAD GROUP, credible sources make it clear that the attacked companies had taken GDPR protection measures by creating policies for personal data storage and security in their offices, but had not conducted information security tests to verify whether they were actually susceptible to virtual attacks from cybercriminals.
In other words, they did what is necessary to achieve compliance with the requirements of the Commission for Personal Data Protection. However, most companies did not consider securing their Internet-facing infrastructure.
The opinion of companies offering cybersecurity solutions (such as TAD GROUP) is that the only way to ensure a higher grade of security against cyber attacks is to undertake tests for information security – otherwise known as penetration tests.
The tests are a simulation of targeted cyber attacks, except that they are not done with criminal intentions but deliberately with the exclusive permission from clients and in accordance with their specific needs. The goal is to use methods and techniques utilized by malicious third-parties in order to detect and patch security vulnerabilities. This is done with a signed contract and confidentiality agreement.
After performing the service, the results are documented in a penetration test report that is stored in the client’s profile where it can be viewed and downloaded. It can also be deleted from the TAD GROUP’s system if requested from the client.
“The cybersecurity as a whole is ever changing – if a system is not prone to successful attacks today, this does not necessarily mean that it will not be vulnerable in a month’s time. New vulnerabilities and exploits that lead to information leaks are emerging every day. This is why the more often these tests are performed, the more secure companies can feel”, explains Ivan Todorov and recommends that penetration tests are undertaken at least twice a year.
As the disruption in cybersecurity is often a consequence of human error, companies would benefit from the so-called social engineering tests. They are a set of tests carried out against employees operating from within the company’s headquarters and offices – usually via phone or e-mail, without the employees’ knowledge. A wide variety of techniques are applied in order to get employees to disclose sensitive or confidential business information to parties who should not otherwise have access to it.
Companies that have already become a victim of a cybercrime have the obligation to inform the regulatory authority within 72 hours of confirming the data breach. For Bulgaria, the regulatory authority is the Commission for Personal Data Protection, which has to assess what sanctions to impose after a data breach occurs. However, if a company does not inform the regulator in time, sanctions will surely be imposed and their severity will differ for the worse.
Note: These are the findings of TAD GROUP; to contact the company for more information on the issue, visit their official website.
Software Attacks on Hardware Wallets
If EXO5 is still owned by Wave, it could have positive implications for Wave given that the typical phone can be hacked when a hacker is in possession of the phone as summarized in the Black Hat presentation. EXO5 could possibly kill the phone before the hacker has a chance to hack it or find it. Could a hacker have a more difficult time with the Boeing phone which has a TPM? Could there be a Samsung TPM in a phone in the future? Samsung/Wave agreement was a 15 year agreement.
https://www.blackhat.com/us-18/briefings/schedule/index.html#software-attacks-on-hardware-wallets-10665
Almost all security research has a question often left unanswered: what would be the financial consequence, if a discovered vulnerability is maliciously exploited? The security community almost never knows, unless a real attack takes place and the damage becomes known to the public. Development of the cryptocurrencies made it even more difficult to control the impact of an attack since all the security relies on a single wallet's private key which needs to stay secure. Multiple breaches of private wallets and public currency exchange services are well-known, and to address the issue a few companies have come up with secure hardware storage devices to preserve the wallet's secrets at all costs.
But how secure are they? In this research, we show how software attacks can be used to break into the most protected part of the hardware wallet, the Secure Element, and how it can be exploited by an attacker. The number of identified vulnerabilities in the hardware wallet shows how software vulnerabilities in the TEE operating system can lead to a compromise of memory isolation and the disclosure of secrets belonging to the OS and other user applications. Finally, based on the identified vulnerabilities, an attack is proposed which allows anyone with only physical access to the hardware wallet to retrieve secret keys and data from the device. Additionally, a supply chain attack on the device is presented which allows an attacker to bypass its security features and take full control of the installed wallets.
3,000+ mobile apps leaking data from unsecured Firebase databases
Another reason companies and governments should be happy to use Wave VSC 2.0.
https://www.helpnetsecurity.com/2018/06/20/unsecured-firebase-databases/
Appthority published research on its discovery of a new HospitalGown threat variant that occurs when app developers fail to require authentication to Google Firebase databases.
Appthority security researchers discovered the HospitalGown vulnerability in 2017 which leads to data exposures, not due to any code in the app, but to the app developers’ failure to properly secure backend data stores (hence the name). The new Firebase variant exposes large amounts of mobile app-related data stored in unsecured Firebase databases.
Exposed data includes personally identifiable information (PII), private health information (PHI), plaintext passwords, social media account and cryptocurrency exchange private access tokens, financial transactions, vehicle license plate and registration numbers, and more data leaking from vulnerable apps.
“The Firebase vulnerability is a significant and critical mobile vulnerability exposing vast amounts of sensitive data,” said Seth Hardy, Appthority Director of Security Research. “The large number of vulnerable apps and the wide variety of data shows that enterprises can’t rely on mobile app developers, app store vetting or simple malware scans to address data security. To keep their data safe and stay in compliance with regulations like GDPR, HIPAA and PCI, they need to be investing in deep app analysis that detects these types of vulnerabilities.”
Key findings
• 3,000 mobile iOS and Android apps – over 620 million Android downloads alone – are leaking data from 2,300 unsecured Firebase databases
• Multiple app categories are impacted including tools, productivity, health and fitness, communication, cryptocurrency, finance and business apps
• Most enterprises are impacted: 62% of enterprises have at least one vulnerable app in their mobile environment.
More than 100 million records are exposed, including:
• 2.6 million plain text passwords and user IDs
• 4 million+ PHI (Protected Health Information) records (chat messages and prescription details)
• 25 million GPS location records
• 50,000 financial records including banking, payment and Bitcoin transactions
• 4.5 million+ Facebook, LinkedIn, Firebase, and corporate data store user tokens.
Over half of Americans would stop using an app if their messages could be read by others
It appears that the market could be ready for Wave's Scrambls!
https://www.zdnet.com/article/over-half-of-americans-would-stop-using-an-app-if-their-messages-could-be-read-by-others/
Social media platforms must evolve to higher privacy standards -- to stop their users leaving for more secure channels.
Our social sharing behaviour leads us to trust that whatever we say on social media is for our own eyes only. But the furor over Cambridge Analytica's access to our data has shown that consumers are not at all happy that their data is being used for gain.
Platforms such as Twitter and Facebook are not only watching what we post, but Facebook is also listening to our verbal conversations to deliver more targeted ads to us.
Our attitudes are changing. Social consumers now demand better security across their social media sites -- and they're forcing the social platforms to listen to them.
The social media giants are listening. Twitter is testing an encrypted messaging feature, Yahoo is testing an invite-only group messaging app called Squirrel, and Facebook has introduced its 'Clear History' privacy control to reassure users that their data is secure and private.
Secure messaging app platform Viber has released an online survey showing what US consumers think about their personal information being shared online.
It polled a representative sample of 1,500 US online consumers in March 2018 and asked them about privacy, security, and data sharing.
Consumers do not check their privacy settings, but expect their messages to be secure.
Almost a third of respondents (32.5 percent) only check their privacy settings once every six months, yet 63.2 percent of men and 67.1 percent of women expect that the person they are messaging is the only one allowed to see that message.
If social posts or chat messages were shared publicly, 38.9 percent of male respondents (45.6 percent female) said they were concerned about identity theft.
Another 4.4 percent were worried that they could lose their jobs (3.8 percent female), and 3.3 percent thought that their significant other might leave them (1.6 percent female).
Customers have no tolerance for data shared to advertisers, or political managers. Over half of consumers (55 percent) would stop using a messaging app, and one in three (33.3 percent) would be most upset if their contact details were shared.
Consumers want strong end-to-end encryption across their chosen platforms. Currently, the efforts made by Twitter and Facebook do not quite reach the huge expectations of users. Consumers want secure social apps with encryption that advertisers cannot access.
Future social apps must be developed with encryption in mind -- encrypted channels reassure users that they can have more open conversations with their connections.
With the app upgrades coming from platforms like Facebook and Twitter, will it be enough to reassure consumers that their data really is secure?
'Hidden Tunnels' Help Hackers Launch Financial Services Attacks
If Financial Services companies knew about the greatness lurking in Wave VSC 2.0 and other Wave products the problems in these articles wouldn't be occurring as they are. Known devices could go a long way in keeping the bad guys off the network. Unknown devices could be kicked off the network and keep the attackers from tunneling. imo.
https://www.darkreading.com/hidden-tunnels-help-hackers-launch-financial-services-attacks/d/d-id/1332109
Hackers are using the infrastructure, meant to transmit data between applications, for command and control.
The security tools and strategies financial services organizations use to protect their data could be leveraged by cybercriminals who sneak in undetected via "hidden tunnels" to conceal their theft, according to a new report published by Vectra.
Ironically, financial firms have the biggest non-government security budgets in the world, Vectra says. Bank of America invests more than $600 million in cybersecurity each year, while JPMorgan Chase spends $500 million. Equifax, while smaller than both, spends an annual $85 million on security.
Yet, in Equifax's case – despite budget, staff, and a security operations center – in 2017 it took 78 days for it to detect a massive breach of its network, in which attackers accessed 145.5 million Social Security numbers, 17.6 million driver's license numbers, 20.3 million phone numbers, and 1.8 million email addresses.
The question of how attackers were able to exfiltrate so much data, and whether the same thing could happen at another financial firm, prompted Vectra researchers to take a closer look at exactly what happened.
A Review of the Equifacts
Equifax's breach started when a Web server was exploited to access the corporate network. The attackers avoided using tools that would alert the company's security team, instead building command-and-control (C&C) tunnels into Equifax. They installed more than 30 Web shells with different addresses to burrow into Equifax and, once inside the network, customized their hacking tools to exploit Equifax software, evade firewalls, and exfiltrate information.
For six months following the Equifax breach, Vectra researchers combed metadata from 246 opt-in customers and more than 4.5 million devices to learn more about attacker behaviors and network trends. They found the same activity that led to the Equifax breach is prevalent throughout the financial services industry.
What stood out most is the use of hidden tunnels in HTTP, HTTPS, and DNS traffic, which threat actors use to get into networks protected with strong access controls. These tunnels have been used for about three to four years, says Chris Morales, head of security analytics at Vectra, where researchers had been looking into this tactic long before Equifax was hit.
"Attackers don't use hidden tunnels unless they have to," he explains. When enterprise security defenses are strong, threat actors have to seek new ways to break through them.
Tunneling Into Financial Services
Financial firms have stronger security than most, securing Web applications with layers upon layers of access controls. Because apps are locked down, data has to be sent through "hidden tunnels" to move across an organization. There are legitimate use cases for this: Specific stock-tickers commercial apps and internal financial services use tunnels to communicate.
The high volume of traffic flowing to and from enterprise Web applications creates an ideal place for attackers to hide, Morales says. Hidden tunnels are tough to detect because communications are hidden within connections that use normal, permitted protocols. Messages can be embedded as text in headers, cookies, and other fields, researchers say.
Morales breaks down how an attack might work: A threat actor might start with an entry point as simple as a phishing campaign. With a foothold in the organization, the attacker can use reconnaissance techniques to learn the network – the number of devices and how he can make his footprint more durable and infect more machines.
"As he does all those things, he'll need to find ways to look like normal traffic," Morales explains. "Maybe he'll find a network scanning machine and perform recon from there because it'll look more normal." Once a tunnel is established, the hacker passes data in small chunks so it isn't picked up by anomaly detection systems.
Attackers could leverage tools purchased on the Dark Web to exfiltrate data and bypass access controls. "The tools are out there, and attackers have a great ecosystem for sharing them," says Mike Banic, vice president of marketing at Vectra. "In some cases, their ecosystem could be better than the defenders."
Compared with the industry average, there are fewer C&C behaviors in financial services, and HTTP C&C communications are lower overall, the report states. However, there are significantly more tunnels per 10,000 devices in financial services than all other industries combined.
=========================================================
Attackers Spy and Steal from Financial Firms
https://www.infosecurity-magazine.com/news/attackers-spy-and-steal-from/?utm_source=dlvr.it&utm_medium=twitter
In an attempt to steal sensitive data, cyber-criminals have been targeting financial firms by building hidden tunnels in order to break into networks. According to a report released today by Vectra, these attack behaviors are the same as those that led to the 2017 Equifax breach.
According to a new report, 2018 Spotlight Report on Financial Services, attackers are able to gain remote access through the use of command-and-control (C&C). In the data analyzed, attackers had established nearly 30 web shells accessible from approximately 35 different public IP addresses, which allowed them to exfiltrate data while going undetected.
Attackers often leverage hidden tunnels to infiltrate networks with strong access controls because legitimate applications also use hidden tunnels to bypass security controls that can sometimes compromise full functionality. That's why it's a successful attack method.
"Every industry has a profile of network and user behaviors that relate to specific business models, applications and users," said Chris Morales, head of security analytics at Vectra. "Attackers will mimic and blend in with these behaviors, making them difficult to expose."
In this latest discovery, Vectra detected more hidden C&C tunnels and more than twice as many hidden data-exfiltration tunnels per 10,000 devices in financial services than all other industries combined.
To evade firewalls, attackers use special tunneling tools to move laterally, stockpiling data from database after database as they go. They were able to amass so much data that it then needed to be divided into smaller stockpiles so that no alarm bells went off during exfiltration.
"All this points to one painful fact: The largest enterprise organizations in the world remain lucrative targets for sophisticated cyber-attackers. Security breaches across multiple industries forge ahead in an upward trajectory, and the financial services industry is no exception," the report said.
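Both Vectra pieces above describe the same signals for hidden tunnels: regular, small requests that carry opaque data in a field such as a cookie. As an added example (not Vectra's code or either article's), the script below turns those three signals into a simple detector over proxy logs; the log lines, hostnames and thresholds are constructed for illustration.

```python
"""Heuristic hidden-tunnel detector over HTTP proxy logs.

Added example (not Vectra's code): scores each (source, destination) pair on
regular beaconing, small payloads and high-entropy values carried in the
Cookie header, and flags pairs that show all three. Log lines and thresholds
are constructed for this example.
"""
import base64
import hashlib
import math
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed line format: ts src dst method path status bytes "cookie"
LINE_RE = re.compile(
    r'^(?P<ts>\d+) (?P<src>\S+) (?P<dst>\S+) (?P<method>[A-Z]+) '
    r'(?P<path>\S+) (?P<status>\d{3}) (?P<bytes>\d+) "(?P<cookie>[^"]*)"$'
)


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character of a string (0.0 for empty)."""
    if not value:
        return 0.0
    counts = defaultdict(int)
    for ch in value:
        counts[ch] += 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def build_sample_log() -> list:
    """Constructed proxy log: one beaconing tunnel plus ordinary browsing."""
    lines = []
    # Tunnel: every ~60 s, a tiny POST with a 32-char opaque token in the cookie.
    ts = 1_530_000_000
    for i in range(10):
        token = base64.b64encode(hashlib.sha256(f"chunk{i}".encode()).digest()).decode()[:32]
        lines.append(f'{ts} 10.0.0.5 updates.example-cdn.test POST /ping 200 310 "t={token}"')
        ts += 58 if i % 2 == 0 else 62
    # Ordinary user: irregular timing, large pages, a stable low-entropy cookie.
    ts = 1_530_000_000
    for gap, size in [(3, 48211), (45, 120388), (2, 9120), (130, 77321), (7, 5512),
                      (400, 223011), (1, 1802), (25, 64400), (9, 30000), (60, 5011)]:
        ts += gap
        lines.append(f'{ts} 10.0.0.7 intranet.corp.test GET /page 200 {size} "sid=alice"')
    return lines


def parse(lines):
    """Yield parsed records; lines that do not match the format are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"], rec["bytes"] = int(rec["ts"]), int(rec["bytes"])
            yield rec


def score_flows(lines, min_requests=8, max_interval_cv=0.15,
                max_mean_bytes=2048, min_cookie_entropy=3.8) -> dict:
    """Return {(src, dst): reasons} for pairs that match all three tunnel signals."""
    flows = defaultdict(list)
    for rec in parse(lines):
        flows[(rec["src"], rec["dst"])].append(rec)
    flagged = {}
    for key, recs in flows.items():
        if len(recs) < min_requests:
            continue
        recs.sort(key=lambda r: r["ts"])
        gaps = [b["ts"] - a["ts"] for a, b in zip(recs, recs[1:])]
        mean_gap = mean(gaps)
        # Coefficient of variation of the inter-request interval: low = beaconing.
        cv = pstdev(gaps) / mean_gap if mean_gap else float("inf")
        avg_bytes = mean(r["bytes"] for r in recs)
        # Entropy of the cookie value after the '=' separator.
        ent = mean(shannon_entropy(r["cookie"].partition("=")[2]) for r in recs)
        reasons = []
        if cv <= max_interval_cv:
            reasons.append(f"regular beacon every {mean_gap:.0f}s (cv={cv:.2f})")
        if avg_bytes <= max_mean_bytes:
            reasons.append(f"small payloads (mean {avg_bytes:.0f} B)")
        if ent >= min_cookie_entropy:
            reasons.append(f"high-entropy cookie value ({ent:.2f} bits/char)")
        if len(reasons) == 3:
            flagged[key] = reasons
    return flagged


if __name__ == "__main__":
    for (src, dst), why in score_flows(build_sample_log()).items():
        print(f"{src} -> {dst}: " + "; ".join(why))
```

On real logs the thresholds need tuning per environment, and a single signal on its own (a polling app also beacons regularly) is not worth an alert; requiring all three is what keeps the false-positive rate tolerable.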
Chinese Hackers Target Satellite, Geospatial Imaging, Defense Companies
Wave could have eliminated these attacks with known devices (or the use of TPMs throughout the defense companies' fleet) and Wave Endpoint Monitor could have helped stop the APT. imo. The attackers would have had a difficult time blending in with the network being an unknown device. Wave's products would have fared much better than whoever was responsible for stopping the hacks in the first place. imo. Wave Endpoint Monitor could do a better job overall of detecting custom-made malware than a blacklisting antivirus product like Symantec. imo.
https://www.bleepingcomputer.com/news/security/chinese-hackers-target-satellite-geospatial-imaging-defense-companies/
A cyber-espionage group believed to be operating out of China hacked companies who develop satellite communications, geospatial imaging, and defense contractors from both the United States and Southeast Asia.
The hacks were detected by US cyber-security firm Symantec, who said today in a report that intruders showed particular interest in the operational side of the breached companies.
Hackers tried to reach and paid close attention to infecting computer systems used for controlling communications satellites or those working with geospatial data collected by world-mapping satellites.
"This suggests to us that [the group]’s motives go beyond spying and may also include disruption," Symantec said. There are fears that hackers might be able or even attempt to sabotage satellites or poison geospatial data.
Thrip APT behind the hacks
The company said that responsible for the attacks was an advanced persistent threat (APT, a term used to describe cyber-espionage groups) known under the codename of Thrip.
Symantec says it's been tracking this group since 2013, and it has historically believed the group to be operating out of China.
The recent attacks were difficult to detect, the company said. Hackers used a technique known as "living off the land," which consists of using local tools already available on the operating system to carry out malicious operations.
"The purpose of living off the land is twofold," Symantec explained. "By using such features and tools, attackers are hoping to blend in on the victim’s network and hide their activity in a sea of legitimate processes. Secondly, even if malicious activity involving these tools is detected, it can make it harder to attribute attacks."
According to Symantec, hackers used the following locally-installed and completely legitimate tools...
PsExec: Microsoft Sysinternals tool for executing processes on other systems. The tool was primarily used by the attackers to move laterally on the victim’s network.
PowerShell: Microsoft scripting tool that was used to run commands to download payloads, traverse compromised networks, and carry out reconnaissance.
Mimikatz: Freely available tool capable of changing privileges, exporting security certificates, and recovering Windows passwords in plaintext.
WinSCP: Open source FTP client used to exfiltrate data from targeted organizations.
LogMeIn: Cloud-based remote access software. It’s unclear whether the attackers gained unauthorized access to the victim’s LogMeIn accounts or whether they created their own.
...to install custom-made malware such as:
Trojan.Rikamanu: A custom Trojan designed to steal information from an infected computer, including credentials and system information.
Infostealer.Catchamas: Based on Rikamanu, this malware contains additional features designed to avoid detection. It also includes a number of new capabilities, such as the ability to capture information from newer applications (such as new or updated web browsers) that have emerged since the original Trojan.Rikamanu malware was created.
Trojan.Mycicil: A keylogger known to be created by underground Chinese hackers. Although publicly available, it is not frequently seen.
Backdoor.Spedear: Although not seen in this recent wave of attacks, Spedear is a backdoor Trojan that has been used by Thrip in other campaigns.
Trojan.Syndicasec: Another Trojan used by Thrip in previous campaigns.
Hacks detected as far back as January 2018
Symantec says it detected these attacks only after one of its artificial intelligence and machine learning-based systems triggered an alert for a suspicious use of a legitimate tool.
Experts say they've used this initial alert to uncover initial signs of compromise and then pulled on a thread to uncover a broader operation targeting multiple companies across multiple countries and industry sectors. The purpose of this hacking campaign was obviously cyber-espionage.
The company says it uncovered this operation in January, but the Thrip hacking campaign could be broader than the company has currently reported.
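Every tool in the list above is legitimate, which is exactly why a bare "PsExec ran" alert is not useful. As an added example (not Symantec's code), the script below matches only specific usage patterns of those tools and alerts when two or more distinct patterns occur on one host within a short window, over constructed process-creation events in the style of Sysmon; host names, paths and the encoded command are made up.

```python
"""Correlating 'living off the land' tool use on a host.

Added example, not Symantec's code: each tool in the article is legitimate,
so the detector matches only specific usage patterns and alerts when at
least two distinct patterns occur on the same host within a short window.
Events are constructed in the style of Sysmon EventID 1 (process create).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: (UTC time, host, parent image, image, command line).
EVENTS = [
    ("2018-01-15T09:00:02", "WS-17", r"C:\Windows\System32\services.exe",
     r"C:\Windows\PSEXESVC.exe", "PSEXESVC.exe"),
    ("2018-01-15T09:00:05", "WS-17", r"C:\Windows\PSEXESVC.exe",
     r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami && net view /domain"),
    # The encoded command here is just 'echo hi' (constructed, harmless).
    ("2018-01-15T09:02:40", "WS-17", r"C:\Windows\System32\cmd.exe",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -NoP -W Hidden -EncodedCommand ZQBjAGgAbwAgAGgAaQA="),
    ("2018-01-15T09:20:11", "WS-17", r"C:\Windows\System32\cmd.exe",
     r"C:\Program Files (x86)\WinSCP\WinSCP.exe",
     r"WinSCP.exe /script=C:\Users\Public\up.txt"),
    # Routine administration on another host: at most one pattern, no alert.
    ("2018-01-15T10:15:00", "ADMIN-01", r"C:\Windows\explorer.exe",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell.exe -File C:\Scripts\inventory.ps1"),
    ("2018-01-15T10:16:30", "ADMIN-01", r"C:\Windows\System32\services.exe",
     r"C:\Windows\PSEXESVC.exe", "PSEXESVC.exe"),
]

# Usage patterns, not tool names: PowerShell run hidden/encoded or fetching
# content, WinSCP driven by a script file, and classic host/domain recon.
PS_RE = re.compile(r"-e(nc|ncodedcommand)?\b|-w(indowstyle)?\s+hidden|"
                   r"downloadstring|downloadfile|invoke-webrequest|net\.webclient")
WINSCP_RE = re.compile(r"/script=|/command\b")
RECON_RE = re.compile(r"\bwhoami\b|\bnet (view|group|user|localgroup)\b|"
                      r"\bnltest\b|\bipconfig\b|\bsysteminfo\b")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event) -> set:
    """Return the names of the LOTL patterns one process-create event matches."""
    _, _, parent, image, cmdline = event
    parent, image, cmd = basename(parent), basename(image), cmdline.lower()
    hits = set()
    # PSEXESVC started by the service control manager = PsExec remote execution.
    if image == "psexesvc.exe" and parent == "services.exe":
        hits.add("psexec_remote_exec")
    if image == "powershell.exe" and PS_RE.search(cmd):
        hits.add("powershell_encoded_or_download")
    if image == "winscp.exe" and WINSCP_RE.search(cmd):
        hits.add("winscp_scripted_transfer")
    if RECON_RE.search(cmd):
        hits.add("recon_commands")
    return hits


def correlate(events, window=timedelta(minutes=30), min_distinct=2) -> dict:
    """Return {host: sorted pattern names} for hosts where at least
    `min_distinct` different patterns occur inside one `window`."""
    by_host = defaultdict(list)
    for ev in events:
        hits = classify(ev)
        if hits:
            by_host[ev[1]].append((datetime.fromisoformat(ev[0]), hits))
    alerts = {}
    for host, obs in by_host.items():
        obs.sort(key=lambda o: o[0])
        for start, (t0, _) in enumerate(obs):
            seen = set()
            for t, hits in obs[start:]:
                if t - t0 > window:
                    break
                seen |= hits
            # Keep the richest window seen for the host.
            if len(seen) >= min_distinct and len(seen) > len(alerts.get(host, ())):
                alerts[host] = sorted(seen)
    return alerts


if __name__ == "__main__":
    for host, patterns in correlate(EVENTS).items():
        print(f"ALERT {host}: {', '.join(patterns)}")
```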
DHS, FBI Share Details of North Korea's 'Typeframe' Malware
This could be where Wave Endpoint Monitor really sets itself apart from the other antivirus and anti-malware products. The other products need to first identify the signature of the malware. Wave's WEM product uses a whitelist approach rather than a blacklist approach which in this case could be more effective. imo.
https://www.securityweek.com/dhs-fbi-share-details-north-koreas-typeframe-malware
The U.S. Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) have published another report on the US-CERT website detailing a piece of malware allegedly used by the North Korean government.
A dozen reports have been published by the DHS and the FBI over the past year on the North Korea-linked threat group tracked by the U.S. government as Hidden Cobra. The list of tools detailed by the agencies includes Sharpknot, Hardrain, Badcall, Bankshot, Fallchil, Volgmer, and Delta Charlie.
The latest report describes a piece of malware dubbed “Typeframe” and it covers a total of 11 samples related to the threat, including executable files and malicious Word documents containing VBA macros.
“These files have the capability to download and install malware, install proxy and Remote Access Trojans (RATs), connect to command and control (C2) servers to receive additional instructions, and modify the victim's firewall to allow incoming connections,” the agencies said.
The alert contains indicators of compromise (IoCs) for each of the files, including a description of their functionality, hashes, IPs, antivirus detections, metadata, and YARA rules.
The goal of the report is to “enable network defense and reduce exposure to North Korean government malicious cyber activity.” However, security experts argued in the past that these types of alerts from government agencies are actually not enough to help improve defenses.
The previous Hidden Cobra report, published on the US-CERT website in late May, attributed the Joanap backdoor trojan and the Brambul worm to the North Korean government.
While it has always denied accusations, experts say North Korea continues to be highly active in cyberspace, with some claiming that the country is even more aggressive than China. Recent attacks attributed to North Korea involved new malware and even zero-day vulnerabilities.
Danalock V3 is First Retrofit HomeKit-Compatible Smart Lock Available in Europe
The TPM for security appears to be 'the' trusted technology for many diverse applications such as Danalock. The Wave VSC 2.0 also has TPM technology to use in companies' computer fleets. As more companies become more comfortable and continue to choose the TPM, the technologies that surround it should flourish. (Wave VSC 2.0, Wave Endpoint Monitor, and Wave SED management) imo. Also, it is interesting to see the iPhone and iPad involved with a product that has the TPM.
https://www.businesswire.com/news/home/20180615005075/en/Danalock-V3-Retrofit-HomeKit-Compatible-Smart-Lock-Europe
Consumers can purchase Danalock V3 HomeKit for use with iPhone and iPad at Apple retail and online stores across Europe
AARHUS, Denmark--(BUSINESS WIRE)--Danalock, a leading provider of smart lock solutions for smart homes and businesses, announced today that the HomeKit version of its Danalock V3 smart lock is now available for purchase in Apple retail and online stores in more than 20 countries across Europe. Danalock V3 is the first and only available retrofit smart lock compatible with Apple HomeKit and Home app on the European market, enabling European users to add a wireless smart lock to their HomeKit ecosystem and easily control access to their home with their iPhone and/or iPad.
With its simple Danish design and advanced AES-256 encryption algorithm, Danalock offers a secure yet elegant door-locking experience. Danalock V3 HomeKit is a globally compatible retrofit smart lock that is mounted on the inside of the door, enabling users to use a regular key for locking and unlocking the door if needed. Unlike other smart lock solutions that store access keys in memory, Danalock uses a Trusted Platform Module (TPM) chip, which is the same encryption technology used by governments and military to secure data.
Consumers using the HomeKit ecosystem need not worry about remembering their key when leaving home. They just bring along their iPhone or iPad and use Siri voice commands or Apple’s Home app to unlock the door. Additionally, users can personalize and manage the Danalock smart lock via a single app, so as to give keyless access to family members. For added convenience, users can connect the Danalock with other HomeKit accessories such as cameras, lights, thermostats, switches and security systems.
“The launch of Danalock V3 HomeKit across numerous Apple online and retail stores enables us to answer the strong European demand for a smart lock that is compatible with the HomeKit home automation ecosystem,” said Henning Overgaard, CEO and co-founder of Danalock. “Our Danalock V3 is the first and only available retrofit smart lock compatible with HomeKit on the European market and will provide consumers an entry point for connecting other smart devices and granting secure home access to service providers.”
Availability and Pricing
The Danalock V3 HomeKit version is available at more than 40 Apple retail stores in Austria, Belgium, France, Germany, Italy, Netherlands, Spain, Sweden, United Arab Emirates, and the UK; online at more than 20 Apple stores; and from the Danalock web shop at http://shop.danalock.com/products/7-danalock-v3/. For pricing, please consult your local Apple online store at www.apple.com.
MirageFox Malware: the Latest Addition to APT15 Hack Arsenal
Wave Endpoint Monitor could stop this malware before a standard anti-virus or anti-malware product could. imo. That would be highly beneficial to governments and companies. (see post 245183)
https://securityboulevard.com/2018/06/miragefox-malware-the-latest-addition-to-apt15-hack-arsenal/
The APT15 hacking group which became well-known for its high profile attacks against US Military has developed a new dangerous malware tool called MirageFox. It is believed that it is an updated version of previously-released threats. A detailed technical analysis shows that it is capable of inflicting a lot of damage to the target computers.
The MirageFox Malware Is The Latest Weapon Used By the APT15 Hackers
The APT15 hacking group is one of the most well-known criminal organizations that is believed to be affiliated with the Chinese government. Over the years they have been spotted attacking mainly high-profile government and military targets using sophisticated methods of infection. Other targets include multi-national companies in industries like oil and the like. A signature mechanism that they employ is that they target the installed applications on the workstation computers. Once the network has been breached they will use custom solutions in order to continue the attacks.
The MirageFox malware was discovered by a hybrid signature that appears to hold signatures of previous weapons used by the group. The security analysts note that the new tool is programmed in a way that avoids instant discovery. The detection ratings show that a majority of the security software cannot identify it as a virus signature.
A full analysis is not yet available as the analysts were not able to capture a complete sample of MirageFox’s code. The available snippets showcase how the threat will react once the initial infections are done. However details on how the exact mechanism works are not yet available.
MirageFox Malware Capabilities
The partial information that is available for MirageFox shows that it includes several properties allowing it to infect the targets on a deep level. The following infection tactics (Read more...)
*** This is a Security Bloggers Network syndicated blog from How to, Technology and PC Security Forum | SensorsTechForum.com authored by Martin Beltov. Read the original post at: https://sensorstechforum.com/miragefox-malware-apt15-hackers/
Europe and Russia home to half of credential theft victims worldwide
With insurance companies selling cyber insurance in Europe, it would seem paramount that their customers have a best-of-breed two-factor authentication product like Wave VSC 2.0 to achieve a high cybersecurity rating and a product that delivers.
https://www.helpnetsecurity.com/2018/06/14/credential-theft-victims/
According to Blueliv’s credential detection data, since the start of 2018 there has been a 39% increase in the number of compromised credentials detected from Europe and Russia, compared to the same period in 2017 (January-May). In fact, Europe and Russia are now home to half of the world’s credential theft victims (49%).
When Russian credential victims are removed from the dataset, this year-over-year comparison jumps to 62%. The Eurasian growth figures tracked by Blueliv are surprisingly higher than North America’s, which actually recorded a decline by almost half (48%) year over year.
These startling increases in cybercriminal success rates suggest that the credential theft industry is growing in the European region both in innovation and scope.
“All it takes is a single good credential for a threat actor to gain access to an organization and cause havoc, so as a European threat intelligence company, we are concerned to see significant credential theft growth rates in our home territory. Cybercriminals are constantly improving their weaponry and TTPs – industry collaboration and intelligence-sharing around these is crucial,” said Daniel Solís, CEO at Blueliv.
Malware families neck-and-neck
The report also observes some interesting trends in malware families being used to harvest these credentials. Pony, KeyBase and LokiPWS (also known as Loki Bot) have consistently been the most active stealers since the start of 2017, but Pony has always been several lengths ahead of its malware counterparts in terms of popularity. However, since the start of 2018, Blueliv has observed that LokiPWS has been narrowing the gap: the highest number of stealer samples detected by Blueliv’s infrastructure each month has now become a two-horse race between LokiPWS and Pony.
In fact, LokiPWS malware distribution has increased by more than 300% in the past year. More recently, since January to May 2018, there has been a 167% increase in samples classified by Blueliv. Currently, it is possible to purchase LokiPWS from a variety of underground markets as a modular product (stealer, wallet stealer and loader) with prices ranging between $200-400, depending on the desired functionality.
Daniel Solís continued, “According to our analyst team, the number of LokiPWS samples detected implies that its popularity among cybercriminals is increasing. Source code leaks of different versions in recent years have probably influenced this increase and helped it become one of the fastest-growing credential-stealer families. Pony meanwhile has been active since 2011, and might be experiencing ‘fatigue’ through more successful detection and remediation.”
Kaspersky freezes partnership with Europol after EU calls for company ban
There are possibly a lot of potential customers looking for a great anti-malware product in the EU now. It seems that there could be a lot of business for the Wave Endpoint Monitor. In many ways it's better than standard anti-malware products. imo. Would AXA want Kaspersky anti-malware products protecting its customers or Wave Endpoint Monitor?
https://www.cyberscoop.com/kaspersky-europol-eu-ban/
Kaspersky Lab pulled out of a partnership with Europol on Wednesday after the European Parliament passed a resolution characterizing Kaspersky as “confirmed as malicious” and calling for a company ban.
The measure passed 476 to 151.
The “European Parliament decision welcomes cybercrime,” Kaspersky founder Eugene Kaspersky tweeted on Wednesday.
The company has worked with Europol for years on cybercrime investigations. Kaspersky also has a notable partnership with Interpol, where the company has supplied threat intelligence, hardware, software, digital forensics and other operations.
Kaspersky also pulled out of the No More Ransom project, a partnership between public and private organizations to detect and prevent the spread of ransomware.
The European Parliament resolution is not a ban or legally binding, but it does recommend banning the company as part of a wide review of information technology used throughout the European Union.
Wednesday’s vote signals a new wave of challenges for the company. Kaspersky Lab is already banned from U.S. federal systems, banned from sensitive United Kingdom systems and it’s being phased out of Dutch systems.
U.S. officials accuse the company of being a national security threat complicit in Russian spying. The U.S. ban goes into full effect as of Oct. 1, 2018.
In response, Kaspersky has been waging several lawsuits against the U.S. government and even promised to move “a good part” of the company’s infrastructure to Switzerland in an effort toward transparency.
William Evanina, the Director of the National Counterintelligence and Security Center, told CyberScoop that the Switzerland move doesn’t make a difference to him. The company remains, in his eyes, a national security threat.
The Google Pixelbook power button is now a 2FA token
It appears that Google could be coming around to using the TPM for 2FA, a favorable trend for a product like Wave VSC 2.0. Managing the TPM has been one of many strengths for Wave. imo.
https://nakedsecurity.sophos.com/2018/06/12/the-google-pixelbook-power-button-is-now-a-2fa-token/
If you own a Google Pixelbook, intriguing news – it appears the power button can now double as an alternative to using U2F (Universal 2nd Factor) tokens for two-factor authentication (2FA).
As the name implies, U2F tokens such as the YubiKey are hardware tokens that plug into a USB port to authenticate users who enter a username and password on supported websites.
The U2F protocol (co-developed by Google and others) improves security because an attacker has to have the token in their possession to access an account. Just having the password and username aren’t enough.
It resists phishing too because the token’s private key is cryptographically tied to the website(s) it will be used on, e.g. Gmail. Anyone tricked into visiting the wrong site will find that the token won’t work.
Now, it seems the same – or something approximating it – can be achieved simply with a short press of the power button on a Pixelbook.
Given that the Pixelbook only has two USB-C ports, it’s not hard to see why Google might want to enable the feature for users who begrudge having to use one for a token.
It sounds alien but it seems the feature has been in the works since around the time of the Pixelbook’s launch last September but nobody beyond the developer community noticed.
Enabling the feature involves loading May’s Chrome OS 66.0.3359.203 or later from the stable channel, putting it into developer mode, opening the Chrome OS developer shell and executing the correct command.
The feature must also be enabled as an additional security key via the Google 2-step verification (2SV) account settings, repeating this process for third-party sites that support U2F authentication.
Before we move on to the caveats, this remains an experimental feature, and we don’t recommend enabling it if you’re not experienced at using developer mode and its shell.
How does it work and is it a secure alternative to using a U2F key?
The ‘how it works’ bit isn’t yet clear, which leaves us having to overlay the general workings of the U2F protocol over whatever Google has cooked up on its Pixelbooks. (Notice we’re assuming this is U2F and not the less secure Time-based One-Time Password or TOTP.)
In principle (and we’re guessing here), the private key that would normally be stored on the U2F token must be squirrelled away somewhere such as the Trusted Platform Module (TPM), which every Chromebook has.
That implies the need for firmware support, which is probably why people who have tried have found that it doesn’t work on any Chromebook other than the Pixelbook.
Or perhaps this is a completely different authentication initiative connected to the development of new technologies such as WebAuthn.
Interestingly, not everyone is enamoured with the idea of blurring the physical separation between token and device, starting with Kevin C. Tofel, a security writer who covers Chromebooks and has worked for Google in the past:
To me, this is like having your personal PIN code printed on your ATM card. There’s no way I’d enable 2FA with this particular method because it essentially eliminates the strength of a second authentication factor.
This is a valid point which could partly be overcome by making it harder to access the Pixelbook itself, for example by adding an equivalent to Apple’s Face ID or Microsoft’s Hello authentication (although that would still leave open the small possibility of a security vulnerability on the device through which the private key might be remotely compromised).
Still, the idea of turning devices such as smartphones or computers into tokens is a trend that appears to be here to stay. It now looks as if Chromebooks will soon be joining the party.
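As an added example (not Google's, Sophos's or the Pixelbook's code), the phishing resistance the article describes, a private key tied to the site it was registered for, can be shown with a toy authenticator that derives a separate key per origin and signs the server's challenge together with a hash of the origin the browser reports. HMAC-SHA256 stands in for the ECDSA signatures real U2F tokens use, so the relying party keeps the same key it registered; the origin-binding and counter logic are the same, and all hostnames are constructed.

```python
"""Why a U2F-style key registered for one site does not work on a phishing site.

Added example, not Google's or Sophos's code. HMAC-SHA256 stands in for the
ECDSA signatures real U2F tokens use, so the relying party holds the same key
it registered instead of a public key; the origin binding is modelled the
same way: the token signs sha256(origin) || counter || sha256(challenge).
"""
import hashlib
import hmac
import os


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class ToyAuthenticator:
    """One master secret (think: sealed in the TPM) plus a signature counter."""

    def __init__(self, master_secret: bytes):
        self._master = master_secret
        self._counter = 0

    def _key_for(self, app_id: str) -> bytes:
        # A separate key per origin: the key registered with one site is
        # never used to sign for another.
        return hmac.new(self._master, app_id.encode(), hashlib.sha256).digest()

    def register(self, app_id: str) -> bytes:
        """Key material the relying party stores for this origin."""
        return self._key_for(app_id)

    def authenticate(self, app_id: str, challenge: bytes) -> dict:
        """The browser supplies app_id from the page's real origin; the user
        cannot override it, which is what defeats a look-alike site."""
        self._counter += 1
        signed = sha256(app_id.encode()) + self._counter.to_bytes(4, "big") + sha256(challenge)
        sig = hmac.new(self._key_for(app_id), signed, hashlib.sha256).digest()
        return {"counter": self._counter, "signature": sig}


class RelyingParty:
    """A site that registered the user's token (constructed origin)."""

    def __init__(self, app_id: str):
        self.app_id = app_id
        self.users = {}  # user -> (key, last counter seen)

    def register(self, user: str, key: bytes) -> None:
        self.users[user] = (key, 0)

    def new_challenge(self) -> bytes:
        return os.urandom(32)

    def verify(self, user: str, challenge: bytes, response: dict) -> bool:
        key, last_counter = self.users[user]
        # Recompute over OUR origin: a response produced for another origin fails.
        signed = (sha256(self.app_id.encode())
                  + response["counter"].to_bytes(4, "big") + sha256(challenge))
        expected = hmac.new(key, signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response["signature"]):
            return False
        if response["counter"] <= last_counter:  # replayed or cloned token
            return False
        self.users[user] = (key, response["counter"])
        return True


def demo() -> tuple:
    """Returns (legit login ok, relayed phishing response ok, fresh ok, replay ok)."""
    token = ToyAuthenticator(master_secret=b"constructed-master-secret")
    site = RelyingParty("https://accounts.example")
    site.register("alice", token.register(site.app_id))

    # Legitimate login: the browser passes the real origin to the token.
    chal = site.new_challenge()
    ok = site.verify("alice", chal, token.authenticate(site.app_id, chal))

    # Phishing: a look-alike site relays the real challenge, but the browser
    # tells the token the origin it is actually on, so the signature is bound
    # to the wrong origin and made with the wrong per-origin key.
    chal2 = site.new_challenge()
    relayed = token.authenticate("https://accounts-example.login.test", chal2)
    phished = site.verify("alice", chal2, relayed)

    # A captured valid response cannot be reused: the counter must increase.
    chal3 = site.new_challenge()
    resp3 = token.authenticate(site.app_id, chal3)
    fresh = site.verify("alice", chal3, resp3)
    replay = site.verify("alice", chal3, resp3)
    return ok, phished, fresh, replay


if __name__ == "__main__":
    print(demo())  # (True, False, True, False)
```

Tofel's objection in the article still applies to this model: if the master secret lives on the same device the user logs in from, whoever controls that device controls the second factor, whereas a separate token only ever reveals signatures.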
Security Ratings Answer Big Questions in Cyber Insurance
see post 245175 also. Protecting data and preventing unintended data leakage could be a direct consequence of using Wave VSC 2.0 and Wave SED management. In addition to these two Wave products, using Wave Endpoint Monitor could also be a huge plus for the companies obtaining cyber insurance from AXA.
https://www.darkreading.com/vulnerabilities---threats/security-ratings-answer-big-questions-in-cyber-insurance/d/d-id/1332019?_mc=KJH-Twitter-2018-06
More insurers are teaming up with security ratings firms to learn more about their clients, define policies, and determine coverage.
The certainty and severity of cybercrime has driven demand for insurance policies to cover the cost of damage when the inevitable occurs. Insurers, needing a clearer picture of clients' risk so they can create policies and determine coverage, are turning to security ratings firms for help.
As technology has become more complex, so, too, have data breaches, explains Aleksandr Yampolsky, co-founder and CEO at SecurityScorecard. He points to the cloud shift as a turning point for cybersecurity.
"We started seeing an intensification of data breaches," he says. "As a result, companies started calling insurance companies and asking for cyber insurance."
Insurance companies started jumping into the budding space, offering policies to address demand. Now the industry is skyrocketing as companies transfer cyber-risk onto insurers.
Cyber insurance policies are complicated for buyers and sellers alike, and several questions around how to underwrite cyber-risk still remain. Unlike auto or homeowners insurance, there is little continuity from policy to policy in the cyber insurance marketplace. It's difficult to gauge the time, impact, and potential total cost of a security breach using limited information.
"Many of those insurers who offer [cyber] insurance policies have done absolutely no legwork to verify the companies are totally secure," Yampolsky says.
To underwrite cyber-risk, insurers often provide questionnaires in which they ask clients about factors such as business continuity or how they typically handle incidents, such as ransomware attacks. But many of their answers are subjective, Yampolsky says, and most insurers lack insight on historical data loss. What they need is concrete information to inform a growing number of cyber insurance policies, and they're finding it through partnerships in the cybersecurity space.
Dynamic Duo
Indeed, a new trend sees cyber insurers teaming up with security ratings firms to get the data they need to create policies. A recent partnership came from AXA and SecurityScorecard, which will provide AXA underwriters with both risk rating and view into their clients' security posture.
"What I see more and more is discovery and ratings are key tools to accelerate the decision-making process," says AXA partner Sebastien Loubry. The tools used by ratings firms to gauge security posture will inform insurers' policy decisions.
"We can't predict when they'll get breached but can measure good and poor security practices," Yampolsky says. SecurityScorecard monitors 200,000 businesses and rates them on a scale from A to F. Every security breach correlates with a letter grade; firms with poor marks (D or F) are 5.4 times more likely to be breached than those with an A or B security rating.
He refers to April's Panera Bread security incident as an example. "We weren't particularly surprised," he says. Panera had consistently trended below the industry average; as a result, it suffered a breach. Newtek, which also scored poorly, was breached in February.
SecurityScorecard uses outside indicators to gauge a firm's security habits. Yampolsky likens the process to assessing a person's physical health: If you see someone who is coughing, flushed, and overweight, you can reasonably guess that person is not in the best health. You can't predict when he'll get sick, but outside signals show his lifestyle could be improved.
To assess security health, the ratings firm collects signals across 10 categories of risk: network security, DNS health, patching frequency, endpoint security, IP reputation, Web application security, exposed admin portals, hacker forums, leaked credentials, and social engineering. Threat actors are also watching these; if they notice something amiss, they'll succeed, he says.
"The most relevant part for the insurance company is the level of protection that's put around the data," AXA's Loubry says. The better a client protects its data, the lower the risk for an insurer. This is especially relevant in Europe, he notes, with the onset of GDPR.
Data Drives Security Improvement, Loss Control
The partnership between AXA and SecurityScorecard is neither the first of its kind, nor will it be the last. Jake Olcott, vice president of strategic partnerships for security ratings firm BitSight, points to three main use cases for security ratings in cyber insurance.
The first, as previously mentioned, is understanding clients' security posture: collecting quantitative measurements, analyzing performance over time, and using that data to create and price policies. Ratings firms collect data after a breach, and what they find can help clients lessen the risk of future attacks through portfolio management.
"When some of these incidents break out – WannaCry or the MongoDB vulnerability being exploited – with any name-brand vulnerabilities, people get concerned about how it will impact their portfolio," Olcott says.
In the second use case, carriers can leverage BitSight's data to see how many underwritten companies are experiencing WannaCry today. Olcott calls it "accumulation risk," or seeing how an incident accumulates across different parts of an insurer’s portfolio. Insurance companies can use this data to determine the extent and severity of a threat. Aggregation risk, a separate measurement, looks at how different policies all commonly depend on a third-party service provider like Amazon or Azure.
The third use case is loss control. More insurers are interested in improving their clients' security posture after a policy is signed. Sure, they want to know about security habits before the policy is created, but they also want security to continue being top of mind. Olcott says more companies are working with vendors and supply chain partners to improve security.
"We see a lot of carriers focusing on this," he explains. "They want to work directly with their customers on ways to improve: How do we improve? How do we mitigate breaches as best we can? How do we identify things quickly?"
Kentucky Man Indicted for Selling Hacking Software
Just one more compelling reason for companies to use Wave VSC 2.0 and Wave Endpoint Monitor. imo.
http://www.govtech.com/security/Kentucky-Man-Indicted-for-Selling-Hacking-Software.html
The software, LuminosityLink, was capable of allowing unauthorized remote access to computers.
(TNS) — A federal grand jury has indicted a central Kentucky man on charges that he conspired with others to use software to get unauthorized and undetected access to other people's computers and steal information.
The indictment against Colton Grubbs seeks a judgment of $134,131 that represents "the proceeds from the felony crimes." The government also seeks a total forfeiture of money and bitcoin valued at nearly $1 million.
The 10-count indictment includes charges of conspiracy to defraud; computer intrusion; obstruction of justice; money laundering affecting interstate or foreign commerce and conspiracy of money laundering.
Grubbs, 21, is the owner and organizer of a company incorporated in 2016 called Luminosity Security Solutions LLC, according to the Kentucky Secretary of State. Grubbs developed LuminosityLink software that included features allowing the unauthorized access and control of other people's computers, according to the indictment.
The alleged crimes occurred in Lincoln and Fayette counties; at the time the federal investigation began Grubbs lived in Stanford but he later moved to Lexington. He could not be reached for comment Friday and the telephone for his parents' home in Stanford had been disconnected. The indictment does not name the people with whom Grubbs allegedly conspired to sell and use the software.
The software made it possible for purchasers to access and view files, login credentials and personal identifying information, and to surveil and record user activity on victim computers, the indictment said. The software could be installed on computers without the victims' knowledge or permission.
A search warrant affidavit filed in federal court said the LuminosityLink software was sold to customers in more than 75 countries "and has been used to steal personal information from numerous victims worldwide, including in England," where it first came to the attention of a British cyber crime unit.
Grubbs advertised the availability of the LuminosityLink software on a public Internet forum called HackerForums.net while using the alias "KFC Watermelon," the indictment said.
He used the forum and his website to provide information about other software LuminosityLink purchasers could use to conceal their identities and hide LuminosityLink from victim computers' anti-virus software. Grubbs also answered potential and actual LuminosityLink users' questions via Internet posts and private direct messages.
He also began a "LuminosityLink Support Thread" within the forum "Hacks, Exploits and Various Discussions," the indictment said.
The court document said Grubbs also recruited and encouraged unidentified co-conspirators to answer questions on Skype from potential and actual purchasers.
Grubbs sold, and organized co-conspirators to sell, LuminosityLink software on the Internet, the indictment said. But Grubbs operated a licensing system to prevent actual LuminosityLink purchasers from freely sharing the software with other users in order to maximize his proceeds from the software sales, the indictment alleged. He received proceeds in the form of money and virtual currency.
Grubbs arranged for a co-conspirator to receive payments via PayPal for software, the indictment said. PayPal is an Internet payment system from which Grubbs had been banned.
The government also seeks the forfeiture of $52,482.12 found in a JPMorgan Chase Bank account in the name of Grubbs; $45,007 in cash found during a search of Grubbs' bedroom; and 114.8 bitcoin found in five accounts controlled by Grubbs. The bitcoin as of Friday is worth roughly $877,000, according to bitcoin exchanges.
During a July 2017 search of the Lexington apartment where Grubbs lived, federal authorities seized various computer equipment and a cell phone, according to an inventory filed in court.
Grubbs is scheduled to be arraigned June 18 before U.S. District Judge Joseph Hood.
Auth0 Glitch Allows Attackers to Launch Phishing Attacks
https://threatpost.com/auth0-glitch-allows-attackers-to-launch-phishing-attacks/132554/
UPDATE
Researchers are warning of a glitch in the Auth0 identity-as-a-service offering, which could allow bad actors to spoof a legitimate website and collect sensitive information from visitors.
Researchers at Imperva on Tuesday found that the subdomain names of Auth0 are susceptible to security issues, allowing attackers to launch phishing attacks, harvest user credentials, or even possibly launch cryptomining attacks.
After this article was originally published, Auth0 reached out to dispute and call into question Imperva’s blog post, citing “factual inaccuracies” within the blog.
Imperva took down the blog for two hours on Wednesday, before re-posting the blog later in the day, unchanged, onto its website. Imperva then took down the post on Friday, only to re-post it hours later. This time Imperva released the following statement explaining why it took down and re-posted the blog post multiple times.
“On June 6, Auth0 informed us of their concerns with the blog. Out of respect for Auth0, we pulled down the blog while we reviewed their concerns. After careful consideration, we stand behind the original blog post and have reposted the blog. We disagree with the Auth0 comment that our blog post is inaccurate. This Imperva blog post is about phishing attempts more generally. As noted in the blog, we are referencing an unintended use and how someone could execute a phishing technique to steal credentials. As with all of our research, our point is to help customers and readers of the blog protect themselves from cybercriminals.”
Responding to Imperva’s original blog post, Joan Pepin, the CISO and vice president of operations at Auth0, told Threatpost on Wednesday in an email there are “thousands of ways to perpetrate the same kind of phishing attempt on any company, aside from Auth0.” Pepin downplayed the severity of Imperva’s research.
“While Imperva recognizes Auth0 as a leader in the security space and singled us out for the purposes of this blog post, social engineering like this can be executed in countless ways, especially when someone chooses to take advantage of our platform’s extensibility and flexibility,” Pepin told Threatpost. “Our documentation provides specific guidelines that were not followed in this case, such as using a custom domain, that would eliminate the risk altogether.”
Researcher Daniel Svartman said Imperva was thinking of using Auth0 as one of its product’s authentication mechanisms, so he was conducting some research on the service. During this process, he found potential security problems with the service’s subdomain registrations.
“Essentially, an attacker could spoof a legitimate website using the subdomain name from a different region,” Imperva researchers said in a post on Tuesday. “The attack would be very difficult to identify and could result in visitors to the site not realizing it is fake and handing over sensitive information.”
Svartman found that Auth0 has three different subdomains: Auth0.com, which hosts sites from the Americas; Eu.Auth0.com, for sites in the EU; and AU.Auth0.com, for APAC access.
“Each subdomain is 100 percent independent of the other, meaning that if company A registered their domain under auth0.com but not under eu/au.auth0.com, then someone else could do it,” said Svartman.
That means that bad actors could potentially register a tenant name in a different region, purporting to be a legitimate product’s website that already exists in another region.
To test this, Svartman said he was able to register on the eu.auth0.com and au.auth0.com sites under the same name as a product registered by his teammates on the product side (the auth0.com registration was the real product; the other regional registrations were fake), as well as under a name with a slight difference.
To make matters worse, Auth0 also provides users with flexibility to customize the “Login” and “Forgot Password” pages on their eu.auth0.com and au.auth0.com sites.
“This ‘flexibility’ includes the capability of writing/embedding JavaScript code within the custom pages,” said Svartman.
Because of this feature, Svartman said he could create the same landing page for the fake sites as their real counterparts – but also write JavaScript code within the landing page that harvests users’ credentials (username and password), which then sends them to the bad actor via Asynchronous JavaScript And XML (AJAX) and later redirects users to the real login page, authenticating them.
“This step is fairly straightforward, and any moderately skilled hacker could do it within a short amount of time,” said Svartman.
Auth0’s identity-as-a-service offering has around 2,000 enterprise customers in over 70 countries; the company boasts that it racks up 42 million logins a day. The implications of the ability to write JavaScript code in a widely deployed product used for single sign-on (SSO) could be disastrous, warned Svartman – especially with more attacks, like those on Target and Home Depot, coming through companies' third-party suppliers and vendors.
“Let’s just think about some previous attacks against big companies like Target and Home Depot,” he said. “They relied a lot on suppliers and vendors, who had access to their systems. A single mistake on one of their suppliers led to some of the biggest data breaches in history. Now imagine how easy I could compromise a vendor of one of these big companies if they use an SSO platform that lacks basic security controls?”
Auth0 for its part said that it can’t disable the JavaScript coding capability, as it’s a feature for customers’ landing pages, but that it is working on getting rid of the ability to register the same account name in different regions.
The company also said that it provides additional security checks like breached password protection and anomaly detection.
The article was updated June 6 at 3:00 p.m. to reflect Auth0’s statements and the fact that the blog post was taken down and then reposted.
The article was updated June 8 at 11:15 a.m. to reflect the fact that the blog post was once again taken down.
The article was updated June 8 at 2:24 p.m. to reflect the fact that the Imperva blog post was once again reposted.
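As an added example (not Imperva's or Auth0's code), here is the defender-side check a tenant owner would want after reading the above: it classifies observed login hostnames against our own tenant name under the three regional base domains the article names, flags the same name under another region as well as names one edit away (the "slight difference in the name" case), and applies the exact-origin allowlist that the custom-domain mitigation relies on. The tenant name "acme", the region labels, the allowlist and the proxy log lines are constructed for the example.

```python
"""Defender-side checks for the regional tenant-name collision described above.

Added example; not Imperva's or Auth0's code. The three regional base
domains are the ones the article names; the tenant name "acme", the
allowlist and the proxy log lines are constructed for the example.
"""
from urllib.parse import urlsplit

# Regional base domains named in the article, keyed by a constructed label.
AUTH0_REGIONS = {"us": "auth0.com", "eu": "eu.auth0.com", "au": "au.auth0.com"}


def _edit_distance(a, b):
    """Levenshtein distance, used to spot tenant names one typo away from ours."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host, tenant, home_region, regions=AUTH0_REGIONS):
    """Classify an observed login hostname relative to our own tenant.

    Returns one of:
      "home"            our tenant under our own region
      "sibling-region"  our exact tenant name under another region
      "lookalike"       a tenant name within one edit of ours, any region
      "unrelated"       anything else
    Longer base domains are tried first so "acme.eu.auth0.com" is matched
    against eu.auth0.com, not mis-parsed as tenant "acme.eu" under auth0.com.
    """
    host = host.lower().rstrip(".")
    tenant = tenant.lower()
    for region, base in sorted(regions.items(), key=lambda kv: -len(kv[1])):
        suffix = "." + base
        if not host.endswith(suffix):
            continue
        name = host[: -len(suffix)]
        if "." in name:  # nested label, not a tenant host under this base
            continue
        if name == tenant:
            return "home" if region == home_region else "sibling-region"
        if _edit_distance(name, tenant) <= 1:
            return "lookalike"
        return "unrelated"  # someone else's tenant, no resemblance to ours
    return "unrelated"


def login_url_allowed(url, allowed_hosts):
    """Strict origin allowlist for the login page: HTTPS and an exact host match.

    If users are only ever sent to one hostname we control (e.g. a custom
    domain), a sibling-region tenant with the same name is never a valid
    login destination, whatever its landing page looks like.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname is None:
        return False
    return parts.hostname in {h.lower() for h in allowed_hosts}


def scan_proxy_log(lines, tenant, home_region, regions=AUTH0_REGIONS):
    """Flag log lines whose destination is a sibling-region or lookalike tenant.

    Each line is expected to end with the requested URL (constructed format).
    Returns a list of (user, host, classification) tuples for hits only.
    """
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        host = urlsplit(fields[-1]).hostname
        if host is None:
            continue
        label = classify_host(host, tenant, home_region, regions)
        if label in ("sibling-region", "lookalike"):
            user = next((f[5:] for f in fields if f.startswith("user=")), "?")
            hits.append((user, host, label))
    return hits


# Constructed sample proxy log: one benign login, two that should be flagged,
# and one unrelated request.
SAMPLE_PROXY_LOG = [
    "2018-06-06T10:01:02Z user=alice GET https://acme.auth0.com/login",
    "2018-06-06T10:02:17Z user=bob GET https://acme.eu.auth0.com/login",
    "2018-06-06T10:03:40Z user=carol GET https://acme1.au.auth0.com/login",
    "2018-06-06T10:04:05Z user=dave GET https://mail.example.com/inbox",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG, "acme", "us"):
        print("suspicious login destination:", hit)
```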
71 percent of IT pros believe they can hack any organization
By having organizations use known devices, Wave VSC 2.0 and an anti-malware product like Wave Endpoint Monitor, that 71% figure should be lower. imo. It's sad to see this figure as high as it is when Wave has technologies that could help be a remedy for many organizations.
https://betanews.com/2018/06/07/it-professionals-hacking/
China hacked Navy contractor, secured trove of sensitive data on submarine warfare
If this contractor had 100% activated TPMs in its fleet of computers (known devices), unknown devices or the Chinese hackers could have been kept off the network and thus away from sensitive data. imo. In addition other Wave products like Wave VSC 2.0 and Wave Endpoint Monitor could have potentially helped keep the Chinese from this sensitive information.
http://www.chicagotribune.com/news/nationworld/ct-china-hack-navy-contractor-20180608-story.html
Chinese government hackers have compromised the computers of a Navy contractor, stealing massive amounts of highly sensitive data related to undersea warfare - including secret plans to develop a supersonic anti-ship missile for use on U.S. submarines by 2020, according to American officials.
The breaches occurred in January and February, the officials said, speaking on the condition of anonymity to discuss an ongoing investigation. The hackers targeted a contractor who works for the Naval Undersea Warfare Center, a military organization headquartered in Newport, Rhode Island, that conducts research and development for submarines and underwater weaponry.
The officials did not identify the contractor.
Taken were 614 gigabytes of material relating to a closely held project known as Sea Dragon, as well as signals and sensor data, submarine radio room information relating to cryptographic systems, and the Navy submarine development unit's electronic warfare library.
The Washington Post agreed to withhold certain details about the compromised missile project at the request of the Navy, which argued that their release could harm national security.
The data stolen was of a highly sensitive nature despite being housed on the contractor's unclassified network. The officials said the material, when aggregated, would be considered classified, a fact that raises concerns about the Navy's ability to oversee contractors tasked with developing cutting-edge weapons.
The breach is part of China's long-running effort to blunt the U.S. advantage in military technology and become the preeminent power in east Asia. The news comes as the Trump administration is seeking to secure Beijing's support in persuading North Korea to give up nuclear weapons, even as tensions persist between the United States and China over trade and defense matters.
The Navy is leading the investigation into the breach with the assistance of the FBI, officials said.
Navy spokesman Cmdr. Bill Speaks said, "There are measures in place that require companies to notify the government when a 'cyber incident' has occurred that has actual or potential adverse effects on their networks that contain controlled unclassified information."
Speaks said "it would be inappropriate to discuss further details at this time."
Altogether, details on hundreds of mechanical and software systems were compromised - a significant breach in a critical area of warfare that China has identified as a priority, both for building its own capabilities and challenging those of the United States.
"The United States consistently has been able to use highly compartmented security systems to protect its most innovative and dynamic defense advancements, and any time one of those is penetrated you give up an enormous advantage in surprise," said James Stavridis, dean of the Fletcher School of Law and Diplomacy at Tufts University and a retired admiral who served as supreme allied commander at NATO.
"So if it is true that this was a penetration of one of those very compartmented systems, that is a significant reversal for the United States," he said. Stavridis had no independent knowledge of the breach.
The Sea Dragon project is an initiative of a special Pentagon office stood up in 2012 to adapt existing U.S. military technologies to new applications. The Defense Department, citing classification levels, has released little information about Sea Dragon other than to say that it will introduce a "disruptive offensive capability" by "integrating an existing weapon system with an existing Navy platform." The Pentagon has requested or used more than $300 million for the project since late 2015 and has said it plans to start underwater testing by September.
Military experts fear that China has developed capabilities that could complicate the Navy's ability to defend U.S. allies in Asia in the event of a conflict with China.
The Chinese are investing in a range of platforms, including quieter submarines armed with increasingly sophisticated weapons and new sensors, Adm. Philip Davidson said during his April nomination hearing to lead U.S. Indo-Pacific Command. And what they cannot develop on their own, they steal - often through cyberspace, he said.
"One of the main concerns that we have," he told the Senate Armed Services Committee, "is cyber and penetration of the dot-com networks, exploiting technology from our defense contractors, in some instances."
In February, Director of National Intelligence Daniel Coats testified that most of the detected Chinese cyber-operations against U.S. industry focus on defense contractors or tech firms supporting government networks.
In recent years, the United States has been scrambling to develop new weapons or systems that can counter a Chinese naval buildup that has targeted perceived weaknesses in the U.S. fleet. Key to the American advantage in any faceoff with China on the high seas in Asia will be its submarine fleet.
"U.S. naval forces are going to have a really hard time operating in that area, except for submarines, because the Chinese don't have a lot of anti-submarine warfare capability," said Bryan Clark, a naval analyst at the Center for Strategic and Budgetary Assessments. "The idea is that we are going to rely heavily on submarines in the early effort of any conflict with the Chinese."
China has made closing the gap in undersea warfare one of its three top military priorities, and although the United States still leads the field, China is making a concerted effort to diminish U.S. superiority.
"So anything that degrades our comparative advantage in undersea warfare is of extreme significance if we ever had to execute our war plans for dealing with China," Stavridis said.
The U.S. military let its anti-ship weaponry languish after the Cold War ended because with the Soviet Union's collapse, the Navy no longer faced a peer competitor on the seas. But the rapid modernization and buildup of the Chinese navy in recent years, as well as Russia's resurgent forces at sea, have prompted the Pentagon to renew heavy investment in technologies to sink enemy warships.
The introduction of a supersonic anti-ship missile on U.S. Navy submarines would make it more difficult for Chinese warships to maneuver. It would also augment a suite of other anti-ship weapons that the U.S. military has been developing in recent years.
For years, Chinese government hackers have siphoned information on the U.S. military, underscoring the challenge the Pentagon faces in safeguarding details of its technological advances. Over the years, the Chinese have snatched designs for the F-35 Joint Strike Fighter; the advanced Patriot PAC-3 missile system; the Army system for shooting down ballistic missiles known as Terminal High Altitude Area Defense; and the Navy's new Littoral Combat Ship, a small surface vessel designed for near-shore operations, according to previous reports prepared for the Pentagon.
In some cases, suspected Chinese breaches appear to have resulted in copycat technologies, such as the drones China has produced that mimic U.S. unmanned aircraft.
Speaks, the Navy spokesman, said: "We treat the broader issue of cyber intrusion against our contractors very seriously. If such an intrusion were to occur, the appropriate parties would be looking at the specific incident, taking measures to protect current information, and mitigating the impacts that might result from any information that might have been compromised."
The Pentagon's Damage Assessment Management Office has conducted an assessment of the damage, according to the U.S. officials. The Office of the Secretary of Defense declined to comment.
Theft of an electronic warfare library, Stavridis said, could give the Chinese "a reasonable idea of what level of knowledge we have about their specific [radar] platforms, electronically and potentially acoustically, and that deeply reduces our level of comfort if we were in a close undersea combat situation with China."
Signals and sensor data is also valuable in that it presents China with the opportunity to "know when we would know at what distance we would be able to detect their submarines" - again a key factor in undersea battles.
Investigators say the hack was carried out by the Chinese Ministry of State Security, a civilian spy agency responsible for counterintelligence, foreign intelligence and domestic political security. The hackers operated out of an MSS division in the province of Guangdong, which houses a major foreign hacking department.
Although the Chinese People's Liberation Army is far better-known than the MSS when it comes to hacking, the latter's personnel are more skilled and much better at hiding their tracks, said Peter Mattis, a former analyst in the CIA counterintelligence center. The MSS, he said, hack for all forms of intelligence: foreign, military and commercial.
In September 2015, in a bid to avert economic sanctions, Chinese President Xi Jinping pledged to President Barack Obama that China would refrain from conducting commercial cyberespionage against the United States. Following the pact, China appeared to have curtailed much, although not all, of its hacking activity against U.S. firms, including by the People's Liberation Army.
Both China and the United States consider spying on military technology to fall outside the pact. "The distinction we've always made is there's a difference between conducting espionage in order to protect national security and conduct military operations, and the theft of intellectual property for the benefit of companies inside your country," said Michael Daniel, the White House cybersecurity coordinator under Obama.
AXA Partners With SecurityScorecard to Set Cyber Insurance Premiums
Given that AXA tested with Wave (VSC 2.0) and approved it for the IT division, one would think that AXA would want to see this technology being used in the companies they provide cyber insurance for, especially given that some other products have been known to have been hacked. Using excellent cybersecurity (Wave VSC 2.0) could help AXA and the companies paying premiums.
https://www.securityweek.com/axa-partners-securityscorecard-set-cyber-insurance-premiums
AXA Will Use Ratings From SecurityScorecard to Help Set Premiums for Insurance Agreements
Cyber insurance is a problem. It is a new industry with huge potential but great difficulties. Getting premiums right is an example -- the cyber insurer needs to fully understand the financial risk it incurs in order to set premiums high enough to cover the risk and still make a profit, but low enough not to kill the market.
Steve Durbin, managing director of the Information Security Forum, describes the problem. "We have already seen that the financial impact of some information security risks is being transferred through cyber insurance," he told SecurityWeek.
"However, moving forward, I anticipate that several large data breaches will expose aggregated risks and cause insurers to suffer significant financial losses. As a result of this mispricing debacle, several insurers will be forced out of business while others will raise premiums significantly, expand contract exclusions and restrictions, or avoid cyber insurance altogether. This will make cyber insurance no longer financially viable for many organizations, and the market will contract and take several years to recover."
Quite simply, data breaches are happening with increasing frequency (another 92 million passwords exposed by MyHeritage this week). At the same time, the cost of recovery continues to escalate rapidly, and the quantity and severity of cyber regulations, such as GDPR, is expanding.
The insurance industry traditionally relies on actuarial tables -- effectively a database of experience -- to set its premiums. While insurance companies are currently busy compiling such data on historical breaches, they have nothing like the depth of, for example, motor insurance actuarial tables.
"Currently, most policy premiums are based on self-assessments," comments Greg Reber, CEO at consulting firm AsTech. This leads to its own problems. False assessments, even unintentional errors, could lead to reduced payouts in extremis. It is a strange irony that the best premiums will only be obtainable by the organizations that least need to transfer their risk to the insurance industry. At the same time, any companies that seek to rely on insurance alone to handle their risk are likely to come unstuck.
SecurityScorecard and AXA (the world's largest insurance company) believe they have found a solution to the premium problem. SecurityScorecard is a firm that rates the cybersecurity posture of web-enabled firms. It does not wait to be asked -- and the result is a growing database of independent security ratings on the world's web-enabled businesses. Currently, it continuously monitors more than 200,000 businesses and gives them a security score from A to F. Empirical evidence suggests it works: "Companies that rate as a D or F are 5.4 times more likely to be breached than companies that rate as an A or a B," claims the company.
AXA has now entered an agreement with SecurityScorecard to have access to these ratings, and will use them to help set the premium for its insurance agreements. "The SecurityScorecard platform," explains Scott Sayce, global chief underwriting officer of cyber at AXA, "will help us rapidly evaluate companies to understand their cyberhealth and provide our underwriters with crucial information needed to evaluate an insured's risk.”
"AXA and SecurityScorecard are pioneering the cyber insurance industry,” adds Aleksandr Yampolskiy, CEO and co-founder at SecurityScorecard. “This partnership demonstrates the value of the SecurityScorecard platform and the trust top business leaders have in our score. Our vision is to create a ubiquitous language for cybersecurity that facilitates collaboration and communication between business partners.”
Rather than relying on subjective, manual self-assessments from the customer, "They're going to be using the objective, automated, security metrics that we provide to make their insurance decisions," Yampolskiy told SecurityWeek. "They will feed that data into their algorithms and then decide, do I increase the premium because the customer's security posture looks risky, do I lower the premium, or maybe in some cases do I just flat out refuse to provide the cyber insurance?"
Our data, he continued, provides "objective measurements to create the scientific basis for making those insurance decisions. AXA plans to start underwriting thousands and thousands of European businesses." It is the small to medium sized business that most needs cyber insurance. "If you're an Equifax or a Target and you get hacked," continued Yampolskiy, "you might survive. But if you're a small company, you will not. So, AXA is planning to start using our technology to start making those cyber insurance policies that apply to thousands of those businesses." The advantage for those small businesses is that premiums can be set realistically, and they will also learn their SecurityScorecard rating. "And that provides a lot of reciprocal benefit," he added.
Will this relationship be enough to kickstart a serious cyber insurance industry? It will probably happen anyway, but it may take time if left to its own devices. SecurityWeek asked Yampolskiy if cyber insurance might join the ranks of other insurances that are required by law.
"My belief is, yes," said Yampolskiy, "at some point in the future. We've reached the point where all companies are part of a larger interconnected ecosystem." He raised the example of Target, a large company breached through a small member of its supply chain. Target lost millions of dollars because of a smaller company, that would not of its own resources be able to provide recompense. "It's hard to predict the future," he said, "but I can see a time when all companies are required to have cyber insurance."
By providing a scientific basis for the insurance industry to use for premium-setting, Yampolskiy believes SecurityScorecard and AXA are moving the market toward the time when cyber insurance is not merely standard, but possibly required.
SecurityScorecard is based in New York. It was founded in 2013, and raised $12.5 million in Series A funding led by Sequoia Capital in 2015; $20 million Series B in 2016; and $27.5 million Series C in 2017. Its stated mission is "to empower every organization with collaborative security intelligence."
Sophisticated keyloggers target financial services companies
Using Wave products like Wave VSC 2.0 and Wave Endpoint Monitor could be highly beneficial for the finance industry and any other industry that potentially becomes impacted by this sophisticated malware. imo.
https://betanews.com/2018/06/05/financial-services-keyloggers/
Analysis of malware samples found among finance firms has uncovered an unusually large number of iSpy keylogger samples. iSpy is a variant of the notorious HawkEye logger.
Network-based malware protection specialist Lastline intercepted the logger's communication with the command and control server and detected the active exfiltration of website, email and FTP credentials, as well as license key information for installed products.
The company's analysis also detected sophisticated Emotet and URSNIF keyloggers being delivered via Microsoft Office documents. These two strains of malware share an evasion module for detecting dynamic analysis environments, and use common methods for infiltrating financial transactions such as a man-in-the-middle network sniffing capability and hijacking automated transfer payments. They are modular in nature and criminals have developed and added new features over time, including lateral movement, additional credential theft, and spam capabilities.
One in 10 of the threats detected used advanced behaviors to avoid static analysis, evade dynamic analysis and remain stealthy. In addition, 27 percent of files detected had previously not been submitted to VirusTotal for analysis.
"We definitely detected a higher than usual incident of very sophisticated malware," says Andy Norton, Lastline's director of threat intelligence. "This is not surprising considering that finance has long been a target for cybercriminals and accordingly has elevated their security capabilities. Because of this, criminals are forced to up their game, which was very clearly seen in these recent samples."
Cyber security: We need a better plan to deter hacker attacks says US
Hardware security (TPM) is known to be better than software security alone, and this is what has been sorely missing in the government's strategy. imo.
https://www.zdnet.com/article/cyber-security-we-need-a-better-plan-to-deter-hacker-attacks-says-us/
Stopping digital attacks by rival states has proved impossible up to now; can a new cyber deterrence strategy help fix that?
The US needs to fundamentally rethink its strategies for stopping cyber attacks and should develop a tailored approach to deterring each of its key adversaries, according to a new government report.
The report published by the US State Department -- like a recent paper on botnets -- comes in response to an executive order signed by President Donald Trump last year, which called for a report "on the nation's strategic options for deterring adversaries and better protecting the American people from cyber threats."
The report said that while the US has become dependent upon sophisticated networked information systems, its rivals have been learning to exploit that dependence to "steal from Americans, disrupt their lives, and create insecurity domestically and instability internationally."
The cyber threat posed by rival states -- and by Russia, China, Iran and North Korea in particular -- is often alluded to by intelligence agencies, but the US and its allies have struggled to find a way to deter these cyber intrusions.
The unclassified cyber-deterrence overview published by the State Department doesn't mention particular countries, but said that strategies for deterring malicious cyber activities "require a fundamental rethinking". The report said that the US has made efforts to promote a framework for "responsible state behaviour in cyberspace", but noted that this has not stopped state-sponsored cyber incidents.
"The United States and its likeminded partners must be able to deter destabilizing state conduct in cyberspace," the State Department warned.
Of course, the US has plenty of military muscle should it come to full-on cyberwarfare, but it's much harder to tackle cyber attacks that don't necessarily deserve an armed response -- which make up the majority of attacks.
The report said the US should develop a broader menu of consequences that it can impose following a significant cyber incident. The US should also take steps to make it easier to prove who is behind cyber attacks, it said.
Another big problem is the poor state of cyber security. "Efforts to deter state and non-state actors alike are also hindered by the fact that, despite significant public and private investments in cybersecurity, finding and exploiting cyber vulnerabilities remains relatively easy," the report said.
"Credibly demonstrating that the United States is capable of imposing significant costs on those who carry out such activities is indispensable to maintaining and strengthening deterrence," the report added.
According to the State Department, the three key elements of cyber deterrence should include:
• Creating a policy for when the United States will impose consequences: The policy should provide criteria for the types of malicious cyber activities that the US government will seek to deter. The outlines of this policy must be communicated publicly and privately in order for it to have a deterrent effect.
• Developing a range of consequences: There should be "swift, costly, and transparent consequences" that the US can impose in response to attacks below the threshold of the use of force.
• Building partnerships: Other states should work in partnership with the US through intelligence sharing or supporting claims of attribution.
Windows 10 update problem: Microsoft offers EXTREME solution to latest bug
Wave VSC 2.0 could be a better solution than Windows Hello given VSC 2.0 works with Windows 7 and many users may want to stick with Windows 7 and avoid the aggravation of Windows 10 as outlined in this article.
https://www.express.co.uk/life-style/science-technology/966405/Windows-10-bug-Microsoft-fix-fresh-start-app
MICROSOFT has yet another Windows 10 bug affecting users and now the fix could be the most extreme solution so far, but it does work for those who don't mind starting fresh.
Following the Windows 10 April update many users have suffered from various bugs which Microsoft has been fighting to fix.
But of all the bugs experienced by users since the Windows 10 April update, the latest one has the most extreme solution yet.
The recently reported issue comes from a user who says Windows 10 "destroyed" his laptop. There are no icons, no toolbars, no Wi-Fi and no drivers, leaving the user near disabled.
Microsoft does have a solution for users suffering with this or similar issues, called Start Fresh. As the name suggests this is a program to begin everything again.
The Windows 10 Start Fresh allows you to reinstall Windows 10 as if anew for the first time – minus the bugs that any update has caused.
Microsoft warns that using the tool will mean: "You may lose your digital licenses, digital content associated with applications, or other digital entitlements for applications as a result of using the tool, which may impact your ability to use apps you paid for or app-related content you paid for."
Microsoft has already been hard at work to fix a bug that was caused by the rollout of the April update.
The bug caused Chrome to freeze and also for Microsoft's own Cortana voice assistant to lock up.
The issue was allegedly made known to Microsoft a month before the update rolled out.
The Windows 10 April update release was already delayed after a previous bug was found that caused machine crashes.
If this bug is still affecting you, there is a quick fix for it.
As an interim workaround, before the bug-fix update rolls out, Microsoft suggests the following steps:
1. Try a Windows key sequence to wake the screen. If you have a keyboard connected, simultaneously press the Windows logo key + Ctrl + Shift + B. If you’re on a tablet, simultaneously press both the volume-up and volume-down buttons, three times within 2 seconds. If Windows is responsive, a short beep will sound and the screen will blink or dim while Windows attempts to refresh the screen.
2. If you’re using a laptop, close and open the laptop lid.
Public Google Groups Leaking Sensitive Data at Thousands of Orgs
The use of a certain two-factor authentication product (i.e., Wave VSC 2.0) for Fortune 500 companies and global companies could be an excellent layer of protection with regard to a weakness presented in the article below. With sensitive data like passwords potentially being exposed, Wave VSC 2.0 could be a good choice for companies to protect their data.
https://threatpost.com/public-google-groups-leaking-sensitive-data-at-thousands-of-orgs/132455/
Thousands of organizations out there are leaking some form of sensitive email, according to an analysis, thanks to a widespread misconfiguration in Google Groups.
According to Kenna Security, the afflicted include Fortune 500 companies, hospitals, universities and colleges, newspapers and television stations and U.S. government agencies. Out of just one sample of 9,600 organizations with public Google Groups settings (out of 2.5 million examined domains), the Kenna team found that 31 percent of them (about 3,000) are exposing data. That means that the global footprint of affected organizations could total tens of thousands.
Google Groups is a web forum that’s part of Google’s G Suite of workspace tools. It allows an administrator to create mailing lists to send specific content to specific recipients via email; and at the same time, that content (including email attachments) is published on a web interface that’s made available online to users. The privacy settings can be adjusted on both a domain and a per-group basis. In affected organizations, the Groups visibility setting is configured to be “Public on the Internet,” and the options to share information outside of the organization have been – likely unwittingly – configured to be open.
“Due to complexity in terminology and organization-wide vs. group-specific permissions, it’s possible for list administrators to inadvertently expose email list contents,” Kenna researchers said, in a post Friday on the issue.
Google said that because it’s a misconfiguration issue, there are no plans to issue a specific mitigation for it. However, the search giant published its own post on the situation on Friday, explaining in detail how to lock down a Google Groups environment and reiterating its position on the shared responsibility model of cloud security.
“If you allow users in your domain to create public Google Groups and give anyone in your domain the ability to create groups, you’re trusting your users to manage their settings and use these groups appropriately,” it said. “It’s worth carefully considering whether this configuration makes the most sense for your organization.”
The kind of information that’s being made available varies, but it includes everything from accounts payable and invoice data to customer support emails and password-recovery mails.
“Apart from exposing personal and financial data, misconfigured Google Groups accounts sometimes publicly index a tremendous amount of information about the organization itself, including links to employee manuals, staffing schedules, reports about outages and application bugs, as well as other internal resources,” said independent researcher Brian Krebs, who published his own examination of the problem on Friday. “In most cases, to find sensitive messages it’s enough to load the company’s public Google Groups page and start typing in key search terms, such as ‘password,’ ‘account,’ ‘HR,’ ‘accounting,’ ‘user name’ and ‘http:.'”
In a Boston College incident made public in April by the student newspaper, public Google Groups pages containing hundreds of university communications and associated documents with restricted, confidential or otherwise sensitive information were open to anyone who could access the BC G Suite, which includes all faculty and staff, and enrolled students.
“Given the sensitive nature of this information, possible implications include spear-phishing, account takeover and a wide variety of case-specific fraud and abuse,” the Kenna researchers said.
The good news is that no attacks have been spotted in the wild yet leveraging the situation, although the researchers said that “exploitation requires no special tooling or knowledge” even as Google Groups remain open.
G Suite administrators can protect themselves and their companies by checking their settings immediately (available at this link).
The misconfiguration has been a common reality for some time; last year, security firm Redlock published an advisory on the issue, although it wasn’t widely publicized.
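The article says the exposure comes from sharing settings that are "likely unwittingly" left open, and that administrators should check their settings. The following is an added example, not code from the article, Kenna or Google: an offline audit that scores a group's sharing settings the way a G Suite admin would want them scored. The field names and enum values (whoCanViewGroup, whoCanDiscoverGroup, allowExternalMembers, whoCanPostMessage and their values) are assumed to follow the Google Groups Settings API as documented, and the three groups at example.com are constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass

# Field names and enum values are assumed to follow the Google Groups Settings
# API (groups/v1); the API returns booleans as the strings "true"/"false",
# which is why allowExternalMembers is compared against a string below.
PUBLIC_VIEW = "ANYONE_CAN_VIEW"
DOMAIN_VIEW = "ALL_IN_DOMAIN_CAN_VIEW"
PUBLIC_DISCOVER = "ANYONE_CAN_DISCOVER"
PUBLIC_POST = "ANYONE_CAN_POST"

SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Finding:
    group: str
    severity: str  # "high", "medium" or "low"
    reason: str


def audit_group(settings: dict) -> list[Finding]:
    """Return the findings for one group's settings resource."""
    group = settings.get("email", "<unknown>")
    findings = []
    view = settings.get("whoCanViewGroup")
    if view == PUBLIC_VIEW:
        findings.append(Finding(group, "high",
                                "message archive readable by anyone on the Internet"))
    elif view == DOMAIN_VIEW:
        # The Boston College situation: not public, but every account in the
        # domain (students included) can read the archive.
        findings.append(Finding(group, "low",
                                "archive readable by every account in the domain"))
    if settings.get("whoCanDiscoverGroup") == PUBLIC_DISCOVER:
        findings.append(Finding(group, "medium",
                                "group listed in the public directory, easy to find by keyword"))
    if settings.get("allowExternalMembers") == "true":
        findings.append(Finding(group, "medium",
                                "accounts outside the domain may join as members"))
    if settings.get("whoCanPostMessage") == PUBLIC_POST:
        findings.append(Finding(group, "medium",
                                "anyone can post, so the list can carry spoofed invoices or phishing"))
    return findings


def worst_severity(findings: list[Finding]) -> str | None:
    """Highest severity present, or None when the group is clean."""
    if not findings:
        return None
    return max(findings, key=lambda f: SEVERITY_RANK[f.severity]).severity


def audit_all(groups: list[dict]) -> list[Finding]:
    """Audit every group and return all findings, most severe first."""
    findings = [f for g in groups for f in audit_group(g)]
    return sorted(findings, key=lambda f: -SEVERITY_RANK[f.severity])


# Constructed sample settings for three invented groups at example.com.
SAMPLE_GROUPS = [
    {"email": "ap-invoices@example.com",
     "whoCanViewGroup": "ANYONE_CAN_VIEW",
     "whoCanDiscoverGroup": "ANYONE_CAN_DISCOVER",
     "allowExternalMembers": "false",
     "whoCanPostMessage": "ANYONE_CAN_POST"},
    {"email": "eng-announce@example.com",
     "whoCanViewGroup": "ALL_MEMBERS_CAN_VIEW",
     "whoCanDiscoverGroup": "ALL_IN_DOMAIN_CAN_DISCOVER",
     "allowExternalMembers": "false",
     "whoCanPostMessage": "ALL_MEMBERS_CAN_POST"},
    {"email": "staff-schedules@example.com",
     "whoCanViewGroup": "ALL_IN_DOMAIN_CAN_VIEW",
     "whoCanDiscoverGroup": "ALL_IN_DOMAIN_CAN_DISCOVER",
     "allowExternalMembers": "false",
     "whoCanPostMessage": "ALL_IN_DOMAIN_CAN_POST"},
]

if __name__ == "__main__":
    for f in audit_all(SAMPLE_GROUPS):
        print(f"[{f.severity:6}] {f.group}: {f.reason}")
```

In practice the dicts would come from a settings export rather than being typed in; the point of the split between a "public on the Internet" finding and a domain-wide one is that both the Kenna and the Boston College cases in the article are caught, with different urgency.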
FBI fingers North Korea for two malware strains
The malware could be modified to get past many of the current anti-virus products in existence. imo. It could be best for companies to use Wave VSC 2.0 and Wave Endpoint Monitor to combat these malware strains. imo.
https://www.theregister.co.uk/2018/05/30/north_korea_joanap_and_brambul_malware/
'Joanap' and 'Brambul' harvest info about your systems and send it home
US CERT has issued a Technical Alert that says two strains of malware are tools of the North Korean government.
The Alert says that the United States’ Department of Homeland Security (DHS) and Federal Bureau of Investigation (FBI) “identified IP addresses and other indicators of compromise (IOCs) associated with two families of malware used by the North Korean government.”
One of the malware strains is called “Joanap” and is said to be a two-stage malware that establishes peer-to-peer communications links “to manage botnets designed to enable other operations.” The alert says Joanap lets North Korea “exfiltrate data, drop and run secondary payloads, and initialize proxy communications on a compromised Windows device.”
The other malware is a Server Message Block (SMB) worm called “Brambul”.
This one’s a “dynamic link library file or a portable executable file often dropped and installed onto victims’ networks by dropper malware.”
“When executed, the malware attempts to establish contact with victim systems and IP addresses on victims’ local subnets. If successful, the application attempts to gain unauthorized access via the SMB protocol (ports 139 and 445) by launching brute-force password attacks using a list of embedded passwords. Additionally, the malware generates random IP addresses for further attacks.”
If the malware gets in, it “communicates information about victim’s systems to HIDDEN COBRA actors using malicious email addresses. This information includes the IP address and host name—as well as the username and password—of each victim’s system. HIDDEN COBRA actors can use this information to remotely access a compromised system via the SMB protocol.”
“HIDDEN COBRA” is the USA’s code for North Korean cyber-ops.
The Alert says both Joanap and Brambul have been active since 2009 and have targeted “multiple victims globally and in the United States—including the media, aerospace, financial, and critical infrastructure sectors.”
The Alert includes downloadable lists of IP addresses with which the malware communicates, to help you block them. It also offers generic advice on stopping the malware – keep patches up to date, run A-V, turn off SMB, don’t allow unknown executables – to prevent infection.
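The Brambul behaviour the Alert describes (contacting hosts on the local subnet, brute-forcing SMB on ports 139 and 445 with an embedded password list, then generating random addresses) leaves a distinctive footprint on a network sensor. The following is an added detection example, not code from US CERT or The Register: it parses constructed sensor records and flags any source that, inside a sliding window, fails SMB authentication many times or touches many SMB targets, and separately counts targets outside the local subnet. The record format, addresses and timings are invented for the example.

```python
from __future__ import annotations

import ipaddress
from collections import defaultdict
from datetime import datetime

SMB_PORTS = {139, 445}


def _build_sample_log() -> str:
    """Constructed sensor records: timestamp,src_ip,dst_ip,dst_port,event.

    `smb_auth_fail` is a failed SMB session setup seen by an internal sensor,
    `connect` an outbound connection attempt. 10.0.1.23 plays the infected host.
    """
    lines = []
    t = 0
    # One host tries three embedded passwords against every neighbour in its /24
    for host in range(10, 19):
        for _ in range(3):
            lines.append(f"2018-05-30T10:{t // 60:02d}:{t % 60:02d},10.0.1.23,10.0.1.{host},445,smb_auth_fail")
            t += 2
    # ... then at generated addresses outside the subnet (documentation ranges used here)
    for ext in ("203.0.113.5", "198.51.100.77"):
        lines.append(f"2018-05-30T10:{t // 60:02d}:{t % 60:02d},10.0.1.23,{ext},445,connect")
        t += 2
    # A user mistyping a password twice against one file server: not an alert
    lines.append("2018-05-30T10:05:00,10.0.1.50,10.0.1.10,445,smb_auth_fail")
    lines.append("2018-05-30T10:05:07,10.0.1.50,10.0.1.10,445,smb_auth_fail")
    return "\n".join(lines)


SAMPLE_LOG = _build_sample_log()


def parse_events(text: str) -> list[dict]:
    """Turn the CSV-like records into dicts with a parsed timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, src, dst, port, kind = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                       "port": int(port), "kind": kind})
    return events


def detect_smb_spray(events: list[dict], local_net: str = "10.0.1.0/24",
                     window_s: int = 600, min_targets: int = 5,
                     min_failures: int = 10) -> dict[str, dict]:
    """Flag sources that, within a sliding window, hit many SMB targets or fail often."""
    net = ipaddress.ip_network(local_net)
    by_src: dict[str, list[dict]] = defaultdict(list)
    for e in events:
        if e["port"] in SMB_PORTS:
            by_src[e["src"]].append(e)
    alerts: dict[str, dict] = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for i, e in enumerate(evs):
            # drop events that fell out of the window ending at this event
            while (e["ts"] - evs[start]["ts"]).total_seconds() > window_s:
                start += 1
            window = evs[start:i + 1]
            targets = {w["dst"] for w in window}
            failures = sum(1 for w in window if w["kind"] == "smb_auth_fail")
            external = {d for d in targets if ipaddress.ip_address(d) not in net}
            if len(targets) >= min_targets or failures >= min_failures:
                # keep the latest window that tripped the rule for this source
                alerts[src] = {"distinct_targets": len(targets),
                               "auth_failures": failures,
                               "external_targets": len(external),
                               "first_seen": window[0]["ts"].isoformat(),
                               "last_seen": e["ts"].isoformat()}
    return alerts


if __name__ == "__main__":
    for src, info in detect_smb_spray(parse_events(SAMPLE_LOG)).items():
        print(src, info)
```

The thresholds are deliberately conservative: two failed logons from one workstation to one file server is a mistyped password, while a single source failing against nine neighbours in under a minute is the worm pattern, and the external-target count is what separates it from a legitimate but noisy vulnerability scanner confined to the subnet.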
Canadian banks warn: Hackers might have stolen data from nearly 90,000 customers
A couple of large banks that could have benefited from using Wave Systems' products. imo.
https://www.cnbc.com/2018/05/28/canadian-banks-hackers-might-have-stolen-data-from-thousands-of-customers.html
• Bank of Montreal and Canadian Imperial Bank of Commerce said Monday that cyber attackers may have stolen the data of nearly 90,000 customers.
• It appears to be the first significant assault on financial institutions in Canada.
• Other Canadian banks said they had not been affected.
Bank of Montreal and Canadian Imperial Bank of Commerce said Monday that cyber attackers may have stolen the data of nearly 90,000 customers in what appeared to be the first significant assault on financial institutions in the country.
Bank of Montreal, Canada's fourth biggest lender, said it was contacted by fraudsters Sunday who claimed they were in possession of the personal and financial information of a limited number of the bank's customers.
A spokesman for the bank said it believed that less than 50,000 of the bank's 8 million customers across Canada were hacked. He declined to say whether any customers lost money as a result of the attack.
The fraudsters had threatened to make the data public, the spokesman said, adding that the bank was working with the authorities and conducting a thorough investigation.
Bank of Montreal said it believed the attack originated from outside the country and was confident the exposures that led to the theft of customer data had been closed off.
Canadian Imperial Bank of Commerce, Canada's fifth biggest lender, said fraudsters contacted the lender on Sunday claiming they had electronically stolen personal and account information of 40,000 customers of its Simplii direct banking brand.
CIBC said it has not yet confirmed the cyber breach but is taking the claim seriously. CIBC said customers at its main banking division were not affected.
Both banks said they were contacting customers and advising them to monitor their accounts and report any suspicious activity.
Other Canadian banks said they had not been affected.
Government investigation finds federal agencies failing at cybersecurity basics
The government does not appear or hasn't come around to a new and better way of thinking with regard to its cybersecurity. The status quo is not working very effectively as evidenced in this article. There could be great and positive impact Wave Systems and its products have on the federal government with regard to its cybersecurity posture. imo.
https://techcrunch.com/2018/05/30/government-investigation-finds-federal-agencies-failing-at-cybersecurity-basics/
The Office of Management and Budget reports that the federal government is a shambles — cybersecurity-wise, anyway. Finding little situational awareness, few standard processes for reporting or managing attacks and almost no agencies adequately performing even basic encryption, the OMB concluded that “the current situation is untenable.”
All told, nearly three quarters of federal agencies have cybersecurity programs that qualified as either “at risk” (significant gaps in security) or “high risk” (fundamental processes not in place).
The report, which you can read here, lists four major findings, each of which with its own pitiful statistics and recommendations that occasionally amount to a complete about-face or overhaul of existing policies.
1. “Agencies do not understand and do not have the resources to combat the current threat environment.”
The simple truth and perhaps origin of all these problems is that the federal government is a slow-moving beast that can’t keep up with the nimble threat of state-sponsored hackers and the rapid pace of technology. The simplest indicator of this problem is perhaps this: of the 30,899 (!) known successful compromises of federal systems in FY 2016, 11,802 of them never even had their threat vector identified.
So for 38 percent of successful attacks, they don’t have a clue who did it or how!
This lack of situational awareness means that even if they have budgets in the billions, these agencies don’t have the capability to deploy them effectively.
While cyber spending increases year-over-year, OMB found that agencies are not effectively using available information, such as threat intelligence, incident data and network traffic flow data, to determine the extent to which assets are at risk or to inform how they prioritize resource allocations.
To this end, the OMB will be working with agencies on a threat-based budget model, looking at what is actually possible to affect the agency, what is in place to prevent it and what specifically needs to be improved.
2. “Agencies do not have standardized cybersecurity processes and IT capabilities.”
There’s immense variety in the tasks and capabilities of our many federal agencies, but you would think that some basics would have been established along the lines of best practices for reporting, standard security measures to lock down secure systems and so on. Nope!
For example, one agency lists no fewer than 62 separately managed email services in its environment, making it virtually impossible to track and inspect inbound and outbound communications across the agency.
Only half of the agencies the OMB looked at said they have the ability to detect and whitelist software running on their systems. Now, while it may only be needed on a case-by-case basis for IT to manage users’ apps and watch for troubling processes, well, the capability should at least be there!
When something happens, things are little better: 59 percent of agencies have some kind of standard process for communicating cyber threats to their users. So, for example, if one of their 62 email systems has been compromised, the agency as likely as not has no good way to notify everyone about it.
And only 30 percent have “predictable, enterprise-wide incident response processes in place,” meaning once the threat has been detected, only one in three has some kind of standard procedure for who to tell and what to tell them.
Establishing standard processes for cybersecurity and general harmony in computing resources is something the OMB has been working on for a long time. Too bad the position of cyber coordinator just got eliminated.
Attacking hard disk drives using ultrasonic sounds
Besides GDPR, this article shows the need for the use of encrypted SSDs. imo.
https://www.helpnetsecurity.com/2018/05/30/attacking-hard-disk-drives/
Another group of researchers has demonstrated that hard disk drives (HDDs) can be interfered with through sound waves, but they’ve also shown that ultrasonic signals (i.e., sounds inaudible to the human ear) can be used to damage their integrity and availability.
see link for infographic -
Attacking HDDs
HDDs are non-volatile data storage devices that store and retrieve digital information by using rapidly rotating disks coated with magnetic material and magnetic heads that read and write data to the disks’ surfaces. They are usually found in personal computers, cloud servers, consumer electronics, CCTV systems, medical monitors, ATMs, and so on.
Late last year, a group of researchers from Princeton and Purdue University demonstrated a new denial-of-service (DoS) attack against HDDs, which exploited a physical phenomenon known as acoustic resonance.
They showed that vibrations caused by specially crafted acoustic signals can cause significant vibrations in HDDs’ internal components and therefore negatively influence the performance of HDDs embedded in real-world systems.
As effective as they could be, such attacks are unlikely to remain unnoticed. But, according to a recently released paper by researchers from the University of Michigan and Zhejiang University, even ultrasonic signals (above 20 kHz) can bring about physical errors in hard disk drives and therefore lead to system-level errors.
Ultrasonic attacks
“A HDD read/write head floats (~10 nm) above the surface of each spinning disk. Data is organized in tracks that circle the disk. To read or write data, the head stack assembly must position the head above the desired track. There is a narrow margin of error (on the scale of nm) within which the read/write head can operate,” the researchers explained.
“Ultrasonic waves can alter the HDD shock sensor’s output, causing a drive to unnecessarily park its head. Audible tones can vibrate the read/write head(s) and disk outside of operational bounds. Both of these different methods result in improper function of the drive.”
These attacks can be executed via nearby sound emitters and, occasionally, even through the target system’s own built-in speakers (it all depends on their frequency response).
“Ultrasonic attacks are less likely to cause a head crash, but could be damaging the drive in other ways such as causing the head to become unstable over time because of excessive parking. This instability could make the drive less reliable in its reads and writes, leading to sectors being marked as bad,” the researchers noted.
They propose a number of defenses that can be used to detect or prevent these attacks, including a feedback controller that could be easily deployed as a firmware update to attenuate the intentional acoustic interference.
DoD Is Auditing the Process that Won Tanium Government Contracts
If the government spent a fraction of the funds they spent for Tanium on Wave's cybersecurity products, the government could have better cybersecurity. imo.
https://www.bloomberg.com/news/articles/2018-05-29/dod-is-auditing-the-process-that-won-tanium-government-contracts
The Pentagon’s watchdog will review whether government agencies followed proper contracting procedures in hiring the cybersecurity startup.
The Pentagon’s watchdog is reviewing the process that won cybersecurity startup Tanium hundreds of millions in federal contracts.
According to a Defense Department document, the Inspector General began an audit last month involving the U.S. Army, the U.S. Air Force and the Defense Innovation Unit Experimental (DIUx). The audit is being performed in response to an allegation made via the department’s hotline over whether the Air Force and DIUx followed proper processes and procedures governing contract awards to Tanium, according to the same document.
“We are not involved in the audit, since it is an internal government audit that is reviewing procurement processes rather than vendor actions,” the Emeryville, California-based company said in a statement. “That said, we are confident that Tanium's portion of all transactions have been conducted appropriately.” A spokeswoman for the Department of Defense declined to comment.
A spokeswoman for the department’s Inspector General also declined to comment on the audit other than to say it is ongoing. The department hotline received 7,106 contacts and opened 4,182 cases for the six month period ending Sept. 30, 2017, according to Defense Department documents. It closed 4,056 cases during that same period, although it is unclear how long those cases had been under review or what the outcomes were.
Valued earlier this month by investor TPG Growth at a reported $5 billion, Tanium is the world’s most richly valued private cybersecurity company. It is also one of Andreessen Horowitz’s largest holdings, with board partner Steven Sinofsky once calling its endpoint detection and response software “magic.”
Tanium, along with partner World Wide Technology, won a $750 million contract to increase security of Army networks late last year. It was the largest contract of its kind to originate from the DIUx office, which was created in 2015 to reach newer technology companies that aren't traditional Pentagon contractors.
It was not immediately clear what impact the audit could have on the contract.
Since its founding in 2007, Tanium has grown into a darling of Silicon Valley investors. It’s known for software that protects networks by scanning laptops, phones and other endpoint devices and flagging potential problems in 15 seconds. Customers include Barclays, Whirlpool and the federal government.
The startup hasn’t been without its challenges, however. Along with competition—research group CBInsights reports more than 550 cybersecurity startups raised $7.7 billion last year alone—it suffered an exodus last year that gutted the company’s executive suite, triggered in part by a reportedly harsh culture. Tanium Co-Founder and Chief Executive Orion Hindawi later apologized for being “hard-edged” and other mistakes, including exposing potential vulnerabilities on a hospital’s computer network during sales pitches without the permission of the hospital.
Since last year, the company has been rebuilding its leadership team—hiring a chief technology officer, chief financial officer, chief revenue officer and chief people officer.
Want to Keep Your Data Safe? Secure Your Organization’s Privileged User Accounts
The author leaves out a technology like Wave VSC 2.0 to provide second factor authentication to 'all' employees in an organization. This is one of the most critical protections against cyber criminals who are stealing credentials as outlined in this article. imo.
https://www.infosecurity-magazine.com/opinions/data-safe-privileged-user-accounts/?utm_source=dlvr.it&utm_medium=twitter
These days, when it comes to stealing your data, cyber-criminals aren’t worried about bypassing your perimeter security and firewalls because they’ve found another way in, using rather simple tactics.
Bad actors are using social engineering as their tool of choice to obtain privileged user credentials. According to Forrester, 80% of security breaches involve privileged credentials, and while they are the ones who need it the most, privileged users are seldom audited at the depth that would allow employers to become suspicious of their activity. This leaves intruders using these accounts free to pilfer organizations’ information and resources. Consequently, companies are adopting the technology to monitor behavior and secure their sensitive data.
Focus on Behavior
Detecting and stopping the use of compromised privileged user credentials requires a powerful combination of technologies to save time and resources.
Organizations can use monitoring technology to spot anomalies in user behavior, and the use of behavioral analytics is also a best practice: tracking users’ past behavior to predict future behavior. This gives organizations more accurate insight into users’ activity.
In addition to monitoring exports and employee activity, these technologies look for deviations in user behavior such as time of login, disparities in geolocation and access to internal systems.
An organization’s networks now include third-party contractors and business partners who may have unnecessary access to company data. Mission-critical applications should be monitored to oversee who is accessing what information.
Access to sensitive information, such as trade secrets, consumer information and payment card data makes insiders a particular threat to the organization.
For instance, imagine that your vice president of HR starts to look at your trade secrets or into the infrastructure layout of your network within your Salesforce instance, something they have never done before. Behavioral analytics would proactively alert you about such unusual behavior, allowing you to block access immediately upon detection and prevent an incident from becoming a full-blown breach.
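The behavioral-analytics idea in this section (profile each user's past logins and resource access, then score new activity by how far it departs from that profile) is simple enough to show end to end. The following is an added example, not code from the article or any vendor: it builds a per-user baseline from constructed history, reports the deviations for each new access (country, hour of day, resource), and turns them into an allow/alert/block decision, with the VP-of-HR scenario from the text as one of the scored events. The threshold of two deviations for a block and the event data are assumptions made for the example.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Access:
    user: str
    hour: int       # local hour of day, 0-23
    country: str    # country inferred from the source address
    resource: str   # application:object that was read


def build_baseline(history: list[Access]) -> dict[str, dict[str, set]]:
    """Per-user profile of the hours, countries and resources seen in past activity."""
    profiles: dict[str, dict[str, set]] = defaultdict(
        lambda: {"hours": set(), "countries": set(), "resources": set()})
    for a in history:
        p = profiles[a.user]
        p["hours"].add(a.hour)
        p["countries"].add(a.country)
        p["resources"].add(a.resource)
    return profiles


def deviations(access: Access, profiles: dict) -> list[str]:
    """Reasons this access departs from the user's own past behaviour."""
    p = profiles.get(access.user)
    if p is None:
        return ["no baseline for user"]
    reasons = []
    if access.country not in p["countries"]:
        reasons.append(f"new country {access.country}")
    # tolerate an hour either side of anything seen before
    if not any(abs(access.hour - h) <= 1 for h in p["hours"]):
        reasons.append(f"unusual hour {access.hour:02d}:00")
    if access.resource not in p["resources"]:
        reasons.append(f"first access to {access.resource}")
    return reasons


def decide(access: Access, profiles: dict, block_at: int = 2) -> tuple[str, list[str]]:
    """'allow' with no deviations, 'alert' with one, 'block' at block_at or more (assumed policy)."""
    reasons = deviations(access, profiles)
    if len(reasons) >= block_at:
        return "block", reasons
    return ("alert" if reasons else "allow"), reasons


# Constructed history: a VP of HR working office hours from the US on HR data.
HISTORY = [Access("vp_hr", h, "US", r)
           for h in range(9, 18)
           for r in ("hr:payroll", "salesforce:contacts")]

# Constructed new events to score against that history.
NEW_EVENTS = [
    Access("vp_hr", 10, "US", "hr:payroll"),                # routine
    Access("vp_hr", 11, "US", "salesforce:trade-secrets"),  # the article's scenario
    Access("vp_hr", 3, "DE", "network:topology-docs"),      # off-hours, new country, new data
]


def score_events(events: list[Access], history: list[Access] = HISTORY) -> list[tuple]:
    """Return (access, decision, reasons) for every event."""
    profiles = build_baseline(history)
    return [(a, *decide(a, profiles)) for a in events]


if __name__ == "__main__":
    for access, decision, reasons in score_events(NEW_EVENTS):
        print(f"{decision:5} {access.user} {access.resource}: {', '.join(reasons) or 'baseline'}")
```

The first trade-secrets read produces a single deviation and therefore an alert rather than a block; that matches the article's framing, where the analytics raise the unusual access for a human to act on, while a login that is simultaneously off-hours, from a new country and to never-before-touched data is blocked outright.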
Train for Security
The majority of cyber-attacks originate from well-meaning insiders accessing a malicious email, so in addition to these monitoring technologies, organizations should implement training to mitigate risk associated with compromised privileged user credentials.
Creating a mobile device policy that leads employees toward password protection and secure usage will also reduce risk. In addition to your own rules, make sure your employees are fully aware of the laws they must comply with when handling your organization’s or customer’s data.
Devise a deterrent in the form of a well-defined sanctioning policy, and inform employees that their activity is being recorded through monitoring technology and that they are held accountable for any misuse of the organization’s resources. Training on your acceptable use policies, monitoring technology, current cyber threats and sanctioning will aid in defining a strong culture of security.
Finally, organizations should apply the “Principle of Least Privilege” to their employees’ permissions, which allows the least amount of privilege necessary for a user to properly perform their role.
A People-Centered Approach
Cyber-criminals are industrious and endlessly innovative, which means that organizations must maintain constant vigilance. Attackers are keen to steal the credentials that would give them privileged access so they can take their time exfiltrating your data without detection.
Securing your network today is about more than securing your perimeter; it requires a people-focused approach that both trains employees in security best practices and monitors their behavior to detect insider threats. Early detection means quicker resolution, taking the keys to your “vault” out of the hands of bad actors.
Microsoft Azure AD Connect Flaw Elevates Employee Privilege
An improper default configuration gives employees unnecessary administrative privilege without their knowledge, making them ideal targets for hackers.
https://www.darkreading.com/cloud/microsoft-azure-ad-connect-flaw-elevates-employee-privilege/d/d-id/1330616
Persistent Bots: Five Ways They Stay Enmeshed in Your Network
Please see Method 2 for a benefit of the TPM.
http://www.eweek.com/security/persistent-bots-five-ways-they-stay-enmeshed-in-your-network
Attackers have created the first persistent internet-of-things botnet, Hide 'N Seek, using a well-known tactic from server- and desktop-based systems. Here are five ways the attackers stay on your system following a compromise.
Earlier this year, the developers of a malicious program created to infect Linux-based internet-of-things (IoT) devices found a way for it to automatically reinstall the malware following a reboot.
The malware, known as Hide ‘N Seek, is the first known example of an IoT botnet that can stick around after the user restarts a device. Known as persistence, such a feature makes malware much harder to clean from compromised systems and will likely cause significant headaches for service providers and the owners of the devices, said Bogdan Botezatu, senior e-threat analyst with software security firm Bitdefender, which published an analysis of the malware on May 7.
"The rest of the (IoT) botnets, even if they have impressive numbers, fluctuate because they do not have persistence," Botezatu said. "While compromising an IoT device is pretty simple, achieving persistence is usually extremely difficult, because writing a binary to an IoT device requires root privileges."
Persistence Has Become a Major Problem
Persistence has become a significant aspect of malicious software, one of 11 major tactics that online attackers incorporate into their code, according to the Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) database managed by MITRE, a non-profit research/development center.
While most botnets have lost ground in the first quarter of 2018, persistence remains an issue for companies, according to the Q1 Threat Landscape Report published by network-security firm Fortinet. About 2.8 percent of networks are “infested,” which means they host 10 or more bots; more than 7 percent of infections last more than three days. With attackers focusing on persistence, even these seemingly small numbers can result in significant headaches for security professionals.
The result is that infections are lasting longer than they should be, Anthony Giandomenico, senior security strategist and researcher at Fortinet, told eWEEK.
"It is a combination between attackers getting better at persistence and defenders not paying enough attention," Giandomenico said. "Organizations will often buy the technology but not put an actual plan in place to direct the people and the process."
Attackers need to keep their code on a system until they have achieved their goals, so persistence will continue to be a sought-after feature. Currently, there are some 50 different ways of achieving persistence, according to the ATT&CK list, but the most common approaches follow a simple rule, said Viktors Engelbrehts, director of threat intelligence for managed security firm eSentire.
"The attacker will always use the path of least resistance," Engelbrehts said. “They prefer to avoid spending a large amount of time and resources on something new."
Here are five common ways that attackers stay on your system or device:
Method 1: Infecting the Registry
For the most common target, Windows systems, one approach rules them all: Modifying the registry. The technique is both simple and easy, because the attacker does not have to first gain administrative user rights.
"It is working perfectly, it has been tested over time, and it is enough to fool the users," Bitdefender's Botezatu said.
There are many ways to modify the registry to run code: Attackers can change the default file associations; they can abuse a variety of dynamic linked libraries (DLLs) whose values are stored in the Windows registry; or they can change existing services.
The registry is complex, and most people do not know what is in their database, said Fortinet's Giandomenico.
"When you load up a typical Windows machine, there are so many different processes that load, that many organizations don't know what their baseline build is," he said.
Method 2: Gaining Control from Bootup
Attackers can copy malware into the boot sectors of a hard drive, which are run whenever a computer is booted up. The ransomware programs, Petya and NotPetya, both infected boot records to immediately take control of a system.
The technique, called a bootkit, allows the attacker to gain persistence but can be easily detected, especially if the operating system is running integrity functions that use cryptographic features, such as the Trusted Platform Module, to verify the integrity of the boot sequence.
"It is complicated, it is complex, and it is noisy," said Bitdefender's Botezatu. "When you have a program that messes with the master boot record, it will prevent modern versions of operating systems from booting."
Method 3: Execution-path Hijacking
Attackers can also take advantage of the standard way that operating systems look for programs and binaries. On Windows systems, for example, they can place programs with the same name as commonly used libraries in the DLL search path to automatically execute the code. On macOS systems, a similar technique places programs in the dynamic library, or dylib, search path.
The Hide 'N Seek IoT bot used this technique, copying itself to the init.d directory on compromised Linux-based devices, which is run every time the device is restarted.
"Once the botnet manages to get control of the device via telnet, then the bot script copies the binary to the init.d folder, which is the default startup on Linux and Unix systems," Bitdefender's Botezatu said.
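The search-order mechanism behind Method 3 can be audited from the defender's side: walk the loader's search path the way the loader does and flag any library that resolves from an earlier, application-controlled directory while a copy with the same name sits in a trusted system directory. The checker below is an added example, not code from the article or from any of the vendors quoted; the directory layout, search order and library names are constructed sample data modelled on a Windows DLL search path, but the same function applies to a dylib search path on macOS.

```python
"""Flag search-order shadowing candidates over a constructed file system.

Added example: `resolve` returns the directory a loader would pick for a
library name; `find_shadowed` reports every library that resolves from an
untrusted directory ahead of a trusted copy of the same name.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    name: str           # library name that resolves from an untrusted location
    resolved_from: str  # directory the loader would actually use
    shadows: str        # trusted directory holding the legitimate copy


def resolve(name, search_path, fs):
    """Return the first directory in search_path containing `name`, or None."""
    for directory in search_path:
        if name in fs.get(directory, ()):
            return directory
    return None


def find_shadowed(search_path, fs, trusted_dirs):
    """List libraries whose first match in the search order is outside trusted_dirs."""
    findings = []
    trusted_names = set()
    for directory in trusted_dirs:
        trusted_names.update(fs.get(directory, ()))
    for name in sorted(trusted_names):
        hit = resolve(name, search_path, fs)
        if hit is None or hit in trusted_dirs:
            continue  # resolves from a trusted directory: nothing shadowed
        legit = next(d for d in search_path if d in trusted_dirs and name in fs.get(d, ()))
        findings.append(Finding(name, hit, legit))
    return findings


# Constructed sample data (not from the article): a Windows-style search order
# where the application directory is searched before the system directories.
WIN_SEARCH_PATH = [r"C:\App", r"C:\Windows\System32", r"C:\Windows"]
WIN_TRUSTED = {r"C:\Windows\System32", r"C:\Windows"}
WIN_FS = {
    r"C:\App": {"app.exe", "version.dll"},        # a second version.dll next to the app
    r"C:\Windows\System32": {"version.dll", "kernel32.dll"},
    r"C:\Windows": {"explorer.exe"},
}
CLEAN_FS = {
    r"C:\App": {"app.exe"},
    r"C:\Windows\System32": {"version.dll", "kernel32.dll"},
    r"C:\Windows": {"explorer.exe"},
}

if __name__ == "__main__":
    for finding in find_shadowed(WIN_SEARCH_PATH, WIN_FS, WIN_TRUSTED):
        print(f"{finding.name}: loaded from {finding.resolved_from}, shadows {finding.shadows}")
```

Running it against a real host means filling `fs` from the actual directory listings and `search_path` from the loader's documented order; the output is a list to baseline and diff, which is exactly the visibility Giandomenico says most organizations lack.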
Method 4: Lateral Movement Allows for Reinfection
While not true persistence, automatically infecting vulnerable devices is frequently used by malware authors to infest a network, compromising as many devices as possible. In 2001, for example, the Nimda worm infected Windows computers, hammering systems on the same network and causing outages and days-long cleanup efforts.
More recently, the Andromeda botnet, which was taken down by law enforcement last year, still tops the list of botnets detected by Fortinet, because many companies remain infected with the malware, the company stated in its latest report.
"Those infected systems are still phoning home, and it is ironic that the prevalence was one of the highest threats in the botnet section of the report this quarter," Fortinet's Giandomenico said.
Good network hygiene—especially segmentation—is a good defense against botnets such as Andromeda, he said.
Method 5: Beware Malicious Apps
Traditional computer systems are the easiest platforms on which malware can maintain a presence, while embedded and internet-of-things devices are much more difficult. Mobile phones are somewhere in between.
Android-based devices can be vulnerable, especially if the user downloads apps from third-party providers. Once an app gains permissions to install itself, persistence is part of the package, said Bitdefender's Botezatu.
"It is trivial to achieve persistence on an Android device, if you don't have antivirus up to date," he said.
However, a well-maintained phone which is configured to use one of the major app stores is a much harder target. Manufacturers and operating system providers frequently update the apps on the phones, which means that attackers have to adapt to the new software.
Overall, botnets are usually only able to maintain persistence if the user or security team is not managing the security of their devices.
As Fortinet states in the conclusion of its report: "We hate to beat a dead horse, but talking to inactive botnets is not behavior you want to condone among hosts in your organization. Rather than reactively chastising every endpoint, mature your capability to detect and sever botnet communications (live or dead) at key choke points in your network through a combination of smart tools and good intel."
Trisis masterminds have hacked U.S. industrial firms, research claims
Wave VSC 2.0 could help here along with Wave Endpoint Monitor. imo.
https://www.cyberscoop.com/xenotime-ics-cyber-attacks-trisis-dragos/
A group known for infecting a Saudi petrochemical plant with highly sophisticated industrial control malware has expanded its operations, according to new research, with a former U.S. official telling CyberScoop that companies inside the United States have been breached.
The group behind the malware, which ICS-focused cybersecurity startup Dragos refers to as “Xenotime,” has expanded its operations to include attacks on multiple U.S. companies. The malware shows similarities to what’s commonly known as Trisis, which was used in an attack last year in Saudi Arabia. While Trisis exploited one particular industrial control system, researchers say a new variant impacts a variety of safety instrumented systems.
Safety instrumented systems, or SIS for short, are hardware and software controls that protect large-scale industrial processes and equipment typically found in nuclear, petrochemical or manufacturing plants. There are a few companies that create and manage SIS systems, including but not limited to St. Louis-based Emerson, New Jersey-based Honeywell, and Tokyo-based Yokogawa.
Dragos has declined to name any of the newly affected systems or targeted industrial companies, although a former U.S. official with knowledge of the situation told CyberScoop those impacted operate in the Middle East and United States.
The company has turned over relevant information to the federal government and been in contact with the targeted companies.
It’s unclear how Xenotime is able to successfully manufacture and maintain such sophisticated malware. The Dragos report is largely devoid of technical indicators and doesn’t state how many new cases exist, where they occurred or how the activity differs from the Saudi Arabia incident.
What is apparent, however, is that a dangerous and imminent threat looms over critical infrastructure providers inside the U.S., said Sergio Caltagirone, Dragos’s director of threat intelligence and analytics.
“The reason we put this out there, even though we can’t say much, is to let people really know that this threat exists,” Caltagirone told CyberScoop. “People need to start thinking about auditing their safety systems. This is a much bigger problem than what we maybe all first thought it was.”
Caltagirone said in some of these recent incidents, Xenotime was able to successfully breach the organization’s IT systems and move into safety instrumented systems. Another system hop and hackers could have reached actual control processes and caused significant, life-threatening damage.
According to Caltagirone, Xenotime is using phishing emails and so-called “watering hole” websites to hack engineers working at industrial companies. The specific lures are designed to grab the attention of engineers in order to breach their accounts and steal administrative credentials.
After compromising engineers, Xenotime will usually remain hidden for weeks or months, traversing the breached company looking for soft barriers between the IT and operational technology (OT) network.
It’s not uncommon for hackers to initially attack an industrial company’s IT system in order to gain a foothold for future attacks that are aimed at vital safety systems.
In the Saudi Arabia incident, hackers exploited software vulnerabilities in French energy technology developer Schneider Electric’s SIS system in an attempt to cause heavy physical damage. However, a misconfiguration in the malware triggered the safety system, stopping the attack before it could be fully completed. The attack still disrupted operations for several days.
When Trisis first appeared, researchers told CyberScoop the malware was an engineering feat. Months of careful and meticulous research went into understanding how Schneider’s system works and what Trisis did to send it into a shutdown mode.
Trisis has yet to be publicly attributed to a known set of actors. The original infection vector for Trisis has never been disclosed. Code overlaps do exist between Xenotime and other advanced persistent threat groups, said Caltagirone. Some of Xenotime’s tools date back to 2014.
Over the last year, there have been a few publicly visible incidents focused on the U.S. energy sector. For example, in April, Dallas-based pipeline company Energy Transfer Partners saw a third-party transaction system hit by an attack.
Caltagirone declined to comment on whether any publicly known disruption in the sector is related to Xenotime activity.
The Department of Homeland Security did not respond to a request for comment.
Pen testers find weaknesses in banks’ cyber security
Apparently many banks don't use Wave VSC 2.0 and/or Wave products or these pentesters wouldn't be getting into their internal networks. imo.
https://www.computerweekly.com/news/252441525/Pen-testers-find-weaknesses-in-banks-cyber-security
Humans are the biggest weakness in banks’ cyber defences, but there are several others that also need attention, penetration testers have revealed
Banks have formidable barriers to external cyber attacks, but some are still vulnerable to internal attacks using social engineering, vulnerabilities in web applications and the help of insiders, a report reveals.
As soon as attackers access the internal network, they find friendly terrain that is secured no better than companies in other industries, according to a report on cyber attacks on banks by Positive Technologies.
The weakest link in bank security is the human factor, the report said, with attackers able to bypass the best-protected network perimeter easily with the help of phishing.
Phishing messages can be sent to bank employees both at their work and personal email addresses, and this method for bypassing the network perimeter has been used by almost every criminal group, including Cobalt, Lazarus, Carbanak, Metel, and GCMAN, the report said.
In tests by Positive Technologies, employees at 75% of banks reviewed had clicked on links in phishing messages, and those at 25% of banks entered their credentials in a fake authentication form. At 25% of banks, at least one employee ran a malicious attachment on their work computer.
With access to the internal network of client banks, Positive Technologies penetration testers succeeded in obtaining access to financial applications in 58% of cases.
At 25% of banks, they were able to compromise the workstations used for the management of automatic teller machines (ATMs), which means the banks tested were vulnerable to techniques similar to ones used by Cobalt and other cyber criminal gangs in actual attacks.
Moving money to criminal-controlled accounts through interbank transfers, a favourite method of the Lazarus and MoneyTaker groups, was possible at 17% of tested banks, while at the same proportion of banks, card processing systems were poorly defended, which would enable attackers to manipulate the balance of card accounts. Such attacks were recorded in early 2017 against banks in Eastern Europe.
The Carbanak group, notorious for its ability to attack nearly any bank application, would have been able to steal funds from more than half of the tested banks, the report said. It added that on average, an attacker able to reach a bank’s internal network would need only four steps to obtain access to key banking systems.
Although the report notes that banks tend to do a better job than other companies of protecting their network perimeter, it is still a concern that penetration testers could access the internal network at 22% of banks, compared with 58% of all companies tested.
In all test cases, social engineering was not used and access was enabled by vulnerabilities in web applications, with such methods used in the wild by groups such as ATMitch and Lazarus, the report said.
Penetration testers concluded that banks are at risk due to remote access, describing it as “a dangerous feature” that often leaves the door open to access by external users.
The most common types are the SSH (secure shell) and Telnet protocols, which are present on the network perimeter of over half of banks, as well as protocols for file server access, found at 42% of banks.
Another key finding of the report is that attackers often gain access to banks’ internal networks by compromising business partners and contractors, who may poorly secure their networks, and place malware on sites known to be visited by bank employees, as seen with Lazarus and Lurk.
Password problems
After criminals obtain access to the bank’s internal network, they need to obtain local administrator privileges on servers and employee computers. To continue their attack, the criminals rely on two key “helpers”: weak password policies, and poor protection against recovery of passwords from operating system (OS) memory, the report said.
Penetration testers found almost half of banks tested used dictionary passwords on the network perimeter and every bank had a weak password policy on its internal network. Weak passwords are set by users on roughly half of systems.
Testers also found default accounts with predictable passwords left behind after use for administrative tasks, including installation of databases, web servers, and operating systems.
A quarter of banks used the password “P@ssw0rd”. Other common passwords include “admin”, keyboard combinations resembling “Qwerty123”, blank passwords, and default passwords.
Once inside a network, the report said attackers could often move about freely using known vulnerabilities and legitimate software that does not raise red flags among administrators. By taking advantage of flaws in protection of the corporate network, attackers quickly obtain full control of the bank's entire digital infrastructure.
Leigh-Anne Galloway, cyber security resilience lead at Positive Technologies, said it is possible to stop an attack and prevent loss of funds at any stage, as long as the attack is detected in time and appropriate measures are taken.
“Attachments should be scanned in a sandbox, without depending on endpoint antivirus solutions. It’s critical to receive and immediately react to alerts with the help of an in-house or contracted 24/7 security operations centre,” she said.
The report notes the importance of detecting that an attack is in progress, saying: “It is critical to configure notifications from protection systems and react to notifications immediately.” It added that security events should be monitored constantly.
“Cyber crime is continuing to evolve and advance quickly, making it crucial that instead of hiding incidents, banks pool their knowledge by sharing information on industry attacks, learning more about relevant indicators of compromise, and helping to spread awareness throughout the industry,” the report said.
Lack of Cooperation between contractors creates lasting vulnerabilities for DOD, official says
Wave's software worked with all the various TPM manufacturers in the marketplace making it efficient for companies with multiple computer platforms. I believe Wave was unique with regard to this. This could be part of what makes Wave a great choice for contractors and companies in general.
https://www.cyberscoop.com/lack-cooperation-contractors-creates-lasting-vulnerabilities-dod-official-says/
Competition among U.S. weapons makers keeps them from collaborating on cybersecurity problems, and it’s causing new and lasting vulnerabilities for the military, a senior U.S. official said Tuesday.
Col. Tim Brooks, the mission assurance division chief in the Department of Army Management Office, said a lack of dialogue between contractors is causing headaches as the military looks to harden its systems. Broadly speaking, most weapons systems often overlay multiple different hardware and software products that are not all made by the same company.
“With our weapons assessment program, there’s been a lot of time spent trying to break down organizational boundaries and to think about systems of systems,” Brooks said at the Security Through Innovation Summit presented by McAfee and produced by CyberScoop and FedScoop.
“That’s compounded by the fact that all these systems of systems are produced by subprime contractors and everyone’s got non-disclosure agreements and no one wants to disclose their secret sauce,” he said. “And I understand that. But if we don’t break down some of these barriers and we don’t get industry talking amongst themselves about how we could develop a common standard to ensure that information can flow from one side of an organization to another … then we’re never going to get better than our weakest link.”
He added, “we got to get better than that or we’re never going to beat our adversary.”
The Defense Department is supposed to complete vulnerability assessments for a total of 31 different major weapons programs before 2019, based on a requirement in the 2016 National Defense Authorization Act (NDAA).
But the issue of securing what are usually clunky weapons systems, which often run on outdated or custom operating systems, has been a well known challenge for decades. With the U.S. government becoming increasingly aware of specific cyberthreats aimed at this type of technology, the military is now leaning on the private sector to prioritize digital security during the development cycle.
“This lack of knowledge and the effects it can have throughout a program’s acquisition life cycle can increase the risk of undesirable cost and schedule outcomes,” a previous Government Accountability Office (GAO) report on weapons system acquisition notes.
Misconfigured Reverse Proxy Servers Spill Credentials
https://threatpost.com/misconfigured-reverse-proxy-servers-spill-credentials/132085/
Researchers have created a proof-of-concept attack that allows unauthenticated adversaries to extract user credentials from misconfigured reverse proxy servers in order to delete, manipulate or extract data from websites and applications.
The proof-of-concept (PoC) attack targets major cloud customers of services such as Amazon Web Services, Microsoft Azure and Google Cloud, according to researchers at RedLock that published a report on their findings Tuesday.
Similar to misconfigured storage buckets that plagued businesses with leaky data, this PoC attack takes advantage of a common default configuration used by leading cloud services and too often unchanged by website admins.
The PoC targets APIs that provide access to the metadata associated with identity services such as AWS’ Identity and Access Management (IAM), Microsoft’s Azure Managed Service Identity (MSI), and Google’s Cloud IAM. “[These] are features that… simplify the task of creating and distributing credentials and are popular features with developers,” wrote RedLock. As the PoC demonstrates, adversaries can also abuse them.
Gaurav Kumar, RedLock CTO, shared one PoC example with Threatpost.
“For example, WordPress servers use credentials to do things like connect to other cloud services. A website might use IAM credentials to automatically connect to an AWS storage bucket to backup daily transaction data,” said Kumar in an interview with Threatpost.
Kumar said IAM credentials rely on web server APIs to link cloud services. By using a simple CURL command, IAM role credentials are freely available for programs to obtain, researchers said.
And that’s where RedLock said API and IAM credential abuse can occur.
In its PoC attack, researchers created a typical configuration for a web server or application server using a reverse proxy server running a default NGINX installation. NGINX is web server software that can also be used as a reverse proxy. A reverse proxy server is a type of server that retrieves resources on behalf of a client from one or more servers.
“The RedLock CSI team had a hypothesis that some reverse proxies in AWS, MS Azure, and Google Cloud environments are set up such that anyone can set the host header to call the instance metadata API and obtain credentials,” wrote researchers.
Kumar explains: “When an HTTP request is made to a proxy server it contains instructions to the host. What we observed was the proxy server is reading a value from the host header and going to that destination and fetching a webpage. But an attacker can manipulate the header to ask it to fetch other data on proxy server, such as credential data from the API endpoint.”
Researchers said programs or potential attackers can use a simple CURL command via a specific URL to access IAM role credentials.
That credential data can then be used to access third-party cloud services linked to the website or application such as data stores, databases or website backups.
Kumar theorizes the threat landscape of misconfigured servers vulnerable to this type of attack is huge given reverse proxies are common in public cloud environments and in organizations moving on-premise applications to the cloud.
“What we found is there is a very popular configuration in reverse proxy servers that can be very problematic,” he said.
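The routing decision Kumar describes, a proxy that reads the Host header and fetches from whatever destination it names, is the whole problem, and the fix is equally narrow: forward only to virtual hosts the proxy is meant to serve. The following is an added example that models that decision as two Python routing functions side by side; it is not RedLock's proof of concept and not NGINX configuration. The allowlist, request strings and host names are constructed, and the IP literal in the spoofed request stands in for any link-local metadata endpoint.

```python
"""Host-header handling in a reverse proxy: permissive versus allowlisted routing.

Added example: `upstream_permissive` mirrors the problematic default (Host is
trusted verbatim); `upstream_hardened` forwards only to allowlisted names and
returns None for IP literals, ports, and unknown or malformed hosts.
"""
import ipaddress
import re

# Constructed allowlist: the only virtual hosts this proxy should ever fetch from.
ALLOWED_HOSTS = {"www.example.com", "api.example.com"}

# Plain DNS host name: labels of letters, digits and hyphens, no port, no brackets.
HOSTNAME_RE = re.compile(
    r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)*$"
)


def parse_request_head(raw: str):
    """Parse an HTTP/1.1 request head into (method, target, headers); names lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def is_ip_literal(host: str) -> bool:
    """True for IPv4/IPv6 literals, with or without IPv6 brackets."""
    candidate = host[1:-1] if host.startswith("[") and host.endswith("]") else host
    try:
        ipaddress.ip_address(candidate)
        return True
    except ValueError:
        return False


def upstream_permissive(headers):
    """Problematic default: the client-supplied Host header becomes the upstream."""
    return headers.get("host")


def upstream_hardened(headers):
    """Allowlisted routing: a known virtual host is forwarded, anything else is rejected (None)."""
    host = headers.get("host", "").strip().lower()
    if not host or is_ip_literal(host) or not HOSTNAME_RE.match(host):
        return None
    if host not in ALLOWED_HOSTS:
        return None
    return host


def decide(raw: str):
    """Return (permissive_upstream, hardened_upstream) for one raw request."""
    _method, _target, headers = parse_request_head(raw)
    return upstream_permissive(headers), upstream_hardened(headers)


# Constructed sample requests: one legitimate, one pointing Host at an IP literal.
LEGIT_REQUEST = "GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
SPOOFED_REQUEST = "GET / HTTP/1.1\r\nHost: 169.254.169.254\r\n\r\n"

if __name__ == "__main__":
    for raw in (LEGIT_REQUEST, SPOOFED_REQUEST):
        print(decide(raw))
```

The hardened router also closes the IPv6-bracket and `host:port` variants, which an allowlist built only from exact string comparison would already reject but a regex-free check might let through after normalisation. In a deployed proxy the same rule belongs in the server block: an explicit upstream per virtual host and a default server that drops requests for any other Host.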
Dangers of Virtual Container Reuse
Researchers also created a “second exploitation method even scarier and potentially more far-reaching.” This type of PoC attack involves more social engineering and malicious Docker images.
The PoC is based on Docker, an open source tool that can package an application and its dependencies in a virtual container that can run on any Linux server. Developers share Docker images on stores such as Docker Hub, allowing developers to save time by using pre-built images for conventional tasks and letting them focus on their areas of expertise.
“Suppose some crafty developer creates a super helpful, free-to-download docker image called ‘X’ and posts on Docker Hub along with millions of other popular resources. Then one fine day, after thousands or millions of downloads of the free service have been deployed, what if this malicious developer modifies and uploads an updated version of X (this happens all the time and others pull the latest version or make ‘calls’ to it) now containing the nefarious command: ‘ONBUILD -<malicious_script.sh>’,” explains RedLock.
“Utilizing the instance metadata API, every application built upon the ‘X’ docker image will run this script (malicious_script.sh) unbeknownst to the dependent program and will request IAM role credentials. And here lies the risk,” researchers said.
How can Office 365 phishing threats be addressed?
Wave VSC 2.0 could be a better option than the one offered in the article. imo.
https://www.helpnetsecurity.com/2018/05/18/office-365-phishing-threats/
With the rapid expansion of Office 365, more and more threats can emerge within its infrastructure, particularly via email. This is due in part to the size and ease of compromising Office 365 accounts and comes to the detriment of the same broad audience among which Office 365 has seen such massive adoption.
Office 365 email security is now a common concern among many organizations small and large alike for exactly this reason. Some vendors have estimated that up to 35% of organizations are either using or have actively solicited third-party Office 365 email security, while a 2017 Osterman Research report stated that 41% of Office 365 organizations are unsure of what to do when it comes to supplementing their Office 365 security stack – particularly because the one-stop-shopping aspect of Microsoft’s security offerings fails to surface many of the email threats currently inherent to Office 365.
The primary threat to consider in this case is the frequency of phishing attacks within Office 365. While no global statistics are available from Microsoft, the frequency of phishing within Office 365 is estimated to cost the average organization 1.3 compromised accounts each month via unauthorized, third-party login using stolen credentials. While this adds up to nearly 16 compromised accounts per year per organization, the risks they pose are much higher.
For instance, Vircom’s threat intelligence indicates that the majority of accounts compromised within Office 365 fall victim to previously compromised Office 365 accounts. While it’s unlikely that we can ever determine an Office 365 “patient zero”, it’s clear that the ability of the threat to spread is the problem. This could have massive implications for Office 365’s 120 million commercial customers and its 1-billion-plus users, primarily because as more of those users are compromised, the risk of compromise also increases for every other user and organization.
While phishing within Office 365 isn’t yet a massive problem for most organizations, with cyber criminals increasingly relying on advanced phishing techniques, it may become one. For example, would you enter a crowded theatre knowing that 1.3 of the theatre-goers were carrying a brutal virus you had little immunity against? With the general rate of email fraud and threats growing almost like a disease, one form that is causing particular harm within Office 365’s infrastructure is bound to affect any organization that subscribes to the platform.
see link for more material -
From only outside appearances, it can be hard to imagine why messages are passing between Office 365 tenants unfiltered. Is Microsoft’s security team simply missing the mark or busy addressing larger, unseen issues? Is Office 365 simply too large to remain a safe ecosystem out-of-the-box for most of its commercial customers? Is Microsoft whitelisting all Office 365 tenants, meaning that phishing messages from compromised accounts are never even subject to the scrutiny of a filter? Google doesn’t seem to have the same issues with GSuite filtering, so why is Microsoft in such dire straits?
The prevalence of Office 365 phishing and frequency of account compromise means that every time an account is compromised within Office 365, each user and organization faces incrementally more risk. The potential for the runaway buildup of compromised accounts upon compromised accounts poses an exponentially greater risk to infect organizations within the Office 365 infrastructure, except of course for those that choose to use a 3rd party email security solution at their email gateway.
Cloud email security can be crucial to protecting your investment in Office 365. Effective 3rd party filtering can limit the possibility of phishing and compromised accounts within Office 365’s infrastructure to create costs for your organization. Whether it’s fraudulent transactions, compromising accounts, or infiltrating your networks with malware and ransomware, given the current state of Office 365, 3rd party email security is likely the most effective means to limit security risks.
Check out @OnBoardSec new blog post on use cases in #trustedcomputing and how they can help you improve your system management - Twitter Trusted Computin.
http://blog.onboardsecurity.com/blog/trusted-computing-primary-use-cases?platform=hootsuite
Trusted Computing Primary Use Cases
There are four primary use cases for implementing trusted computing with a Trusted Platform Module (TPM), the cryptographic module standardized by the Trusted Computing Group. This blog will give a brief overview of those use cases, which can be combined to create more complex and powerful solutions.
HSM and Smart Card Replacement
The Public-Key Cryptography Standards (PKCS) #11 defines an API for cryptographic tokens, such as hardware security modules (HSM) and smart cards. A TPM is essentially a traditional HSM that can also emulate a smart card but adds functionality for measuring the software of a system. Applications using PKCS#11 today can use a TPM rather than a smartcard or HSM to perform the same functions, while providing additional functionality, like code measurement and remote attestation, often at a reduced cost.
Create a Transitive Trust Chain
A key part of the TPM’s trusted computing functionality is storing software measurements of the system, which is enabled by a bank of programmable configuration registers (PCRs).
During the system boot, the first program to run is an immutable “core root of trust for measurement” firmware component. It starts an unbroken chain of software measurements and security event logging. Measurements are made by hashing each block of code before it is launched, hash extending these measurements into the PCRs, and then recording these operations in the TCG Event log. These PCR values can then be used to do remote attestation, key sealing, authorization of key use, etc. These measurements assure that the system software has not been altered in any way, even protecting against rootkits and bootkits.
see link for infographic-
Enhance Performance with Sealed Keys
Many processors have cryptographic acceleration hardware (e.g. AES acceleration) that allows them to handle many cryptographic functions. But the keys are vulnerable to attacks if the system has been compromised. Key sealing allows keys protected by the TPM to be released to the main processor if the system is deemed to be healthy by verifying the system measurements.
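The two mechanisms just described, the transitive trust chain built by hash-extending measurements into PCRs and the release of a sealed key only when the system's measurements check out, can be followed end to end in a small simulation. The block below is an added example and not TCG or OnBoard Security code: it models a single SHA-256 PCR, a boot sequence that measures each component before launch and records it in an event log, a verifier that replays the log, and a seal/unseal pair whose wrapping key is derived from the PCR value. The boot component images and the sealed key are constructed sample data; a real TPM keeps the key inside the chip and enforces the PCR policy itself rather than deriving a wrapping key in software.

```python
"""Measured boot, event-log replay and PCR-bound key sealing, simulated in software.

Added example. PCR extend follows the standard rule PCR' = H(PCR || measurement);
the event log stores (component, measurement) so a remote verifier can rebuild
the PCR and compare it with the attested value. `seal` binds a key to a PCR
value; `unseal` only yields the key when the same value is presented.
"""
import hashlib

PCR_INIT = b"\x00" * 32  # PCR reset value for a SHA-256 bank


def measure(component: bytes) -> bytes:
    """Hash a code block before it is launched."""
    return hashlib.sha256(component).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """Hash-extend a measurement into the PCR; order of extends matters."""
    return hashlib.sha256(pcr + measurement).digest()


def measured_boot(components):
    """Run the chain from the core root of trust onward; return (final PCR, event log)."""
    pcr = PCR_INIT
    event_log = []
    for name, image in components:
        digest = measure(image)
        pcr = extend(pcr, digest)
        event_log.append((name, digest))
    return pcr, event_log


def replay(event_log) -> bytes:
    """Verifier side: rebuild the PCR from the log alone."""
    pcr = PCR_INIT
    for _name, digest in event_log:
        pcr = extend(pcr, digest)
    return pcr


def seal(key: bytes, policy_pcr: bytes) -> dict:
    """Wrap a 32-byte key under a value derived from the expected PCR."""
    assert len(key) == 32
    wrap = hashlib.sha256(b"seal|" + policy_pcr).digest()
    return {
        "ciphertext": bytes(a ^ b for a, b in zip(key, wrap)),
        "check": hashlib.sha256(b"check|" + key).digest(),  # detects a wrong unwrap
    }


def unseal(blob: dict, current_pcr: bytes):
    """Return the key if current_pcr matches the sealing policy, else None."""
    wrap = hashlib.sha256(b"seal|" + current_pcr).digest()
    key = bytes(a ^ b for a, b in zip(blob["ciphertext"], wrap))
    if hashlib.sha256(b"check|" + key).digest() != blob["check"]:
        return None
    return key


# Constructed boot components (stand-ins for firmware, bootloader and kernel images).
GOOD_BOOT = [("crtm", b"crtm-firmware-v1"), ("bootloader", b"bootloader-v2"), ("kernel", b"kernel-5.x")]
TAMPERED_BOOT = [("crtm", b"crtm-firmware-v1"), ("bootloader", b"bootloader-v2"), ("kernel", b"kernel-5.x-modified")]
SAMPLE_KEY = bytes(range(32))  # constructed 32-byte key

if __name__ == "__main__":
    pcr, log = measured_boot(GOOD_BOOT)
    blob = seal(SAMPLE_KEY, pcr)
    print("replay matches:", replay(log) == pcr)
    print("unseal on good boot:", unseal(blob, pcr) == SAMPLE_KEY)
    bad_pcr, _ = measured_boot(TAMPERED_BOOT)
    print("unseal on tampered boot:", unseal(blob, bad_pcr))
```

Two properties fall out of the extend rule: a modified component anywhere in the chain changes the final PCR, so the sealed key stays locked, and an attacker who edits the event log after the fact cannot make it replay to the attested PCR, which is why the log plus a quoted PCR is enough for remote attestation.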
Establish a Permanent Strong Device Identity
Public/private key pairs can be assigned to a system as a permanent ID when provisioned during manufacturing. When stored in a TPM as non-migratable keys, a “strong” identity (permanent secret) for the system is established. TPMs are required to be bound to the system, unlike their HSM counterparts. In practice, this means the TPM, which is soldered onto the system’s motherboard, can ensure that the system you are managing is an authorized part of your ecosystem.
Improve Your Overall System Management
Using the use cases above, backend servers and systems management can be designed/enhanced to fully capitalize on powerful TPM security features, including remote attestation, key/certificate provisioning, secure boot and more.