Week in review: Zero-login, Magecart threat, cybersecurity expert shortage

Here’s an overview of some of last week’s most interesting news and articles:

Dealing with a system launch: It requires more than just testing
Rolling out new IT systems or software can be a challenge and fraught with issues from day one – and the recent IT crisis with TSB has shown how damaging these can be if managed poorly.

Only 65% of organizations have a cybersecurity expert
Despite 95 percent of CIOs expecting cyberthreats to increase over the next three years, only 65 percent of their organizations currently have a cybersecurity expert, according to a survey from Gartner.

Magecart presents an unprecedented threat: Here’s what you can do
Magecart activities show that attackers are looking for economies of scale and are searching for and able to attack hundreds of companies at once.

Diffy: A triage tool for cloud-centric incident response
The name of the tool comes from its function: it identifies differences between instances that might point to a compromise (an unexpected listening port, a running process with an unusual name, a strange crontab entry, a surprising kernel module, etc.).

Attention all passengers: Airport networks are putting you at risk!
Coronet released a report identifying San Diego International Airport, John Wayne Airport-Orange County (CA) International Airport and Houston’s William P. Hobby International Airport as America’s most cyber insecure airports.

How hackers exploit critical infrastructure
The traditional focus of most hackers has been on software, but the historical focus of crime is on anything of value. It should come as no surprise, therefore, that as operational technology (OT) and industrial control system (ICS) infrastructure have become much more prominent components of national critical infrastructure, that malicious hacking activity would be increasingly targeted in this direction.

Cisco plugs serious flaws in Policy Suite, SD-WAN, and Nexus switches
Cisco has issued another batch of fixes, plugging a number of critical and high severity holes in its Policy Suite, SD-WAN, and Nexus products.

Microsoft tops list of brands impersonated by phishers
The number one brand spoofed by phishers in Q2 2018 in North America was Microsoft, says email security company Vade Secure. The company credits the surging of adoption of Microsoft Office 365 for this unfortunate statistic.

Do you have what it takes to become a Chief Scientist in the infosec industry?
Igor Baikalov, Chief Scientist at security analytics firm Securonix, was fortunate to accumulate the “essential ingredients” for the Chief Scientist role during his earlier career.

How to use the cloud to improve your technology training
Informal on-the-job training has been the norm for most IT teams. However, the rise of cyberthreats and the pace at which they arise leaves companies looking for more structured and timely security education.

Inside look at lifecycle of stolen credentials and extent of data breach damage
Shape Security released its Credential Spill Report, shedding light on the extent to which the consumer banking, retail, airline and hospitality industries are impacted by credential stuffing attacks and account takeover.

Only 20% of companies have fully completed their GDPR implementations
Key findings from a survey conducted by Dimensional Research highlight that only 20% of companies surveyed believe they are GDPR compliant, while 53% are in the implementation phase and 27% have not yet started their implementation.

Zero login: Fixing the flaws in authentication
We are moving into a post-password zero-login age, with new biometric technologies and other PII innovations helping to secure a fast, easy, frictionless personalised experience for every single application we need to access on a daily basis.

Microsoft offers bug bounties for holes in its identity services
Microsoft is asking security researchers to look for and report technical vulnerabilities affecting its identity services and OpenID standards implementations, and is offering bug bounties that can reach as high as $100,000.

Many infosec professionals reuse passwords across multiple accounts
Lastline announced the results of a survey conducted at Infosecurity Europe 2018, which suggests that 45 percent of infosec professionals reuse passwords across multiple user accounts – a basic piece of online hygiene that the infosec community has been attempting to educate the general public about for the best part of a decade.

Rain Capital: Venture fund seeks to back cybersecurity companies led by women and minorities
A new venture fund that will focus on providing capital, strategy, critical resources and unique insights to early-stage cybersecurity companies in Silicon Valley has been officially launched last month.

Cyber Chief Magazine: GDPR Winning Moves
This issue delivers a ready-to-use GDPR kit packed full of how-to’s and practical tips that companies need to implement so they don’t end up on the wrong side of an audit.

George Gerchow, CSO at Sumo Logic: Our DevSecOps strategy
Sumo Logic was founded in 2010 by experts in log management, scalable systems, big data, and security. Today, their purpose-built, cloud-native service analyzes more than 100 petabytes of data, more than 16 million searches, and delivers 10s of millions of insights daily – positioning Sumo among the most powerful machine data analytics services in the world. In this podcast, George Gerchow, CSO with Sumo Logic, talks about their DevSecOps strategy.

Free training courses on DDoS protection, from introduction to mitigation
The DDoS Protection Bootcamp is the first online portal to provide in-depth technical training in the field of DDoS protection.

GitHub adds Python support for security alerts
GitHub has announced that its recently introduced feature for alerting developers about known vulnerabilities in software packages that their projects depend on will now also work for Python packages.

from Help Net Security – News http://bit.ly/2uWiiYv
via IFTTT

RidRelay – SMB Relay Attack For Username Enumeration

RidRelay is a Python-based tool to enumerate usernames on a domain where you have no credentials by using a SMB Relay Attack with low privileges.

SMB Relay Attack For Username Enumeration



How RidRelay SMB Relay Attack Works

RidRelay combines the SMB Relay attack, common lsarpc based queries and RID cycling to get a list of domain usernames. It takes these steps:

  1. Spins up an SMB server and waits for an incoming SMB connection
  2. The incoming credentials are relayed to a specified target, creating a connection with the context of the relayed user
  3. Queries are made down the SMB connection to the lsarpc pipe to get the list of domain usernames. This is done by cycling up to 50000 RIDs

For best results, use with Responder.



Using RidRelay to Enumerate Usernames

First, find a target host to relay to. The target must be a member of the domain and MUST have SMB Signin off. CrackMapExec can get this info for you very quick!

Start RidRelay pointing to the target:







python ridrelay.py t 10.0.0.50


OR

Also output usernames to file







python ridrelay.py t 10.0.0.50 o path_to_output.txt


You can download RidRelay here:

ridrelay-master.zip

Or read more here.

from Darknet – The Darkside http://bit.ly/2O3yj7T
via IFTTT

What the Incident Responders Saw

What the Incident Responders Saw

New report on IR professionals’ experiences reveals just how advanced attackers such as nation-state hackers dig in even after they’re detected.

When incident response teams shut down an advanced attack, most of them then find a backup command-and-control infrastructure lying in wait to trigger after first one gets taken down. Overall, nearly half end up battling attackers who try to thwart incident response and remediation efforts.

That’s just some of the activity IR professionals say they experience, according to a new study by Carbon Black of 37 large incident response teams running Carbon Black’s next-generation endpoint security tool. The new Quarterly Incident Response Threat Report is based on surveys and interviews with large IR partners - such as Kroll and Rapid7 - who on average conducted one IR engagement per day in 2017, and handle three to five IR engagements per quarter.

“Sixty-four percent found a secondary C2 on sleep cycle,” says Tom Kellerman, chief security officer at Carbon Black. “This highlights how the adversary has gone from burglary to home invasion: they intend on staying and will take counter attempts … and could get destructive.”

Russia and China, not surprisingly, are the main sources of attacks: 81% of IR pros say Russia is the number one offender, and 76% say China. But that doesn’t mean all of the security incidents they investigated were cyber spying: just a third of responders say the cases were cyber espionage. Nearly 80% say the financial sector is the most targeted industry followed by healthcare (73%), and government (43%).

Close to 60% of attacks involve lateral movement, where the attacker travels from its initial victim machine to other machines in a targeted organization. PowerShell is one of the most popular tools for moving about the victim’s network: 100% of IR pros say they’ve seen the Microsoft Windows automation and configuration management tool employed by the attackers, and 84% see Windows Management Interface (WMI) as a key tool weaponized by attackers.

This so-called “living off the land” approach of running legitimate tools to remain under the radar is classic behavior of persistent hacker teams such as nation-states. Some 54% of IR prods say legit operating system applications like these are being abused by attackers. In addition, 16% have spotted attackers running Dropbox to assist in their movements.

“The uptick of WMI is concerning,” notes Kellerman, as well as the use of process-hollowing and unsigned digital certificates. “It speaks to the level of sophistication [being used] to colonize that infrastructure.”

Meantime, 36% say victim organizations are mainly hacked for the purpose of reaching their supply chain members (think customers and partners).

A key technique for defending against attackers that are burrowing in for the long haul is to quietly investigate and hunt them so they don’t have time to switch gears and retool their attack, according to Kellerman. “The number one thing we need to evolve in as defenders is to become more quiet and clandestine in how we hunt,” he says.

That means not immediately shutting off a C2 you discover it if you can further study its activity with deception or other advanced techniques, for example, he says.

According to Carbon Black’s report, “Deciding when to reveal oneself is critical, as counter-incident response measures as destructive attacks are becoming the norm.”

Related Content:


 

 

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise … View Full Bio

More Insights

from Dark Reading – All Stories https://ubm.io/2uS1eTj
via IFTTT

US Intel Officials Share Their National Cybersecurity Concerns

US Intel Officials Share Their National Cybersecurity Concerns

Leaders in the security sector discuss the most pressing cyberthreats threatening the United States and what can be done to mitigate them.

National Intelligence director Dan Coats put the threat to national cybersecurity into context on July 13, 2018, when he said “the warning lights are blinking red again” in a speech before the Hudson Institute, a Washington, DC-based conservative think tank.

Coats was trying to get our attention, says Tonya Ugoretz, director of the Cyber Threat Intelligence Integration Center at the Office of the Director of National Intelligence. She was one of several national security experts to take the stage today at Cyber Live 202, an event hosted by The Washington Post and focused on modern cyber threats to national security.

The system was also “blinking red” back in 2001, when intelligence and law enforcement agencies detected activity signifying a threat to the United States. Now it’s happening again, but it’s our digital infrastructure that could be under attack, Ugoretz explained. She cited Russia as the most aggressive foreign actor the department sees in cyberspace, “with good reason.”

“Aggression is widespread, it’s against multiple sectors, it’s against multiple types of networks,” she said. If we create a dialogue around sharing information, notifying victims if they’re hit with intrusion or influence campaigns, we can better plan our defense.

For example, the DHS and FBI issued alerts this year about Russia’s efforts against the US and allies, warning defenders to protect against Russian activity in critical infrastructure. The Justice Department now has a brand-new policy to disclose the existence of information warfare attacks against the US political system when there is high confidence in the foreign actor behind it.

These practices are helpful but ultimately weak without leadership from the top. “The President himself does not take seriously the capability of Russian intelligence services,” said Mike Rogers, former chairman of the House Intelligence Committee and national security commentator for CNN. “It’s very, very concerning to me.”

Rogers was referring to the recent meeting between President Trump and Russian President Vladimir Putin in Helsinki, during which the US President dismissed Russian interference indictments related to activity during the US presidential election. While Putin was prepared for the meeting and knew what he would get out of it, Trump “was not prepared,” Rogers said.

The meeting played right into the information operations Russia had been conducting and will continue, he added. “They’re getting better at it and they’re getting more aggressive about it … this is what I worry about,” Rogers emphasized. Intelligence officials monitor Russian bot operations trying to influence different topics every day, and the volume is getting bigger.

Intelligence experts agree a full government approach is needed to tackle the threat. “One of the things no one’s really done a good job of so far is imposing a cost on bad state actors for their activities,” said Chris Painter, former and first-appointed cyber coordinator for the US State Department. The cost would both punish them and deter them from future activity, he said.

“The President hadn’t said, ‘If this happens again there will be consequences’ … and I think a lot of people in government are waiting for that leadership,” Painter continued.

Jason Matheny, director of the Intelligence Advanced Research Projects Activity (IARPA), spoke to the future and said one of cybersecurity’s biggest threats “is sort of boring”: 70-80% of threats from nation-states and cybercriminals are social engineering attacks, he noted.

Within the next 5- to ten years, both threats and defenses will become more sophisticated due to machine learning, which is being used to detect phishing emails as they arrive. “There’s now an arms race,” he said, as people developing phishing attacks use the same technology to create subtle attacks that bypass advanced filters.

Related Content:


 

 

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial … View Full Bio

More Insights

from Dark Reading – All Stories https://ubm.io/2zWGboC
via IFTTT

Singapore Health Services Data Breach Exposes Data on 1.5 Million People

Singapore Health Services Data Breach Exposes Data on 1.5 Million People

Attackers, repeatedly and specifically, targeted Singapore Prime Minister Lee Hsien Loong’s medication data.

Personal information belonging to about 1.5 million patients who visited Singapore Health Services’ specialist outpatient clinics over the past three years has been compromised in a data breach that is being described as the biggest of its kind in the country.

The attackers specifically and repeatedly looked for data on medication being used by Singapore Prime Minister Lee Hsien Loong, though their motivation for doing so was not immediately apparent.

“Perhaps they were hunting for some dark state secret, or at least something to embarrass me,” Loong wrote on his Facebook page. “If so, they would have been disappointed. My medication data is not something I would ordinarily tell people about, but there is nothing alarming in it.”

Singapore’s Ministry of Health Friday said the breach stemmed from a “deliberate, targeted and well-planned cyberattack.” In a statement, the Ministry pointedly noted the attack was not the work of criminal gangs or casual hackers – seemingly implying in the process that a nation-state actor was behind the incident.

The data that was taken included national registration identity card numbers, names, birthdates, addresses, gender, and race information on 1.5 million people who had visited SingHealth’s clinics between May 2015 and July 4, 2018. Other data such as patient diagnosis information, doctor’s notes, and test results remained untouched. However, information on medications that were dispensed to some 160,000 patients was also compromised in the incident.

The attack is familiar to countless others in recent years targeting the healthcare industry. Just this week, LabCorp, one of the largest healthcare diagnostics firms in the US disclosed in an SEC filing that it had to take several systems offline – disrupting test processing and customer access as a result – after discovering suspicious activity on its network. Privacy Rights Clearinghouse, which maintains a database of publicly disclosed breaches, counts 167 breaches so far this year involving healthcare, medical providers, and health insurers. A lot of the activity is being fueled by the high value of medical data in the criminal underground.

In the Singapore incident, the apparent fact that the attackers specifically targeted data belonging to the nation’s prime minister is concerning, says Itzik Kotler, CTO and co-founder of SafeBreach. “The healthcare vertical in particular is very interesting to attackers because their networks are often a key part of the national critical infrastructure, as in the case of SingHealth,” he says. “The fact that the attackers targeted the Singapore PM’s personal information and outpatient medicine information is a concern,” he notes. In the hands of the wrong people such data could potentially be used literally to trigger a life or death situation, Kotler says.

Unlike many data breach disclosure notices, the Singapore Ministry of Health’s disclosure offered at least some details of the incident based on investigations by the Cyber Security Agency of Singapore (CSA) and the country’s Integrated Health Information System.

According to the statement, database admins at SingHealth first spotted unusual activity on their network on July 4 and acted immediately to end it. A subsequent investigation showed that attackers had broken into the network and exfiltrated data between June 27, 2018 and July 4, 2018. The attackers had apparently accessed the SingHealth system by breaching a front-end workstation and using that foothold to obtain credentials for gaining privileged access to the backend database.

Following the incident, IT and security administrators at SingHealth have implemented several measures to shore up security, including additional controls on workstations and servers and resetting user and system accounts. Officials have also temporarily implemented “Internet surfing separation” as a precautionary measure, the SingHealth statement said.

Related Content:


 

 

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year … View Full Bio

More Insights

from Dark Reading – All Stories https://ubm.io/2uPhy7l
via IFTTT

Singapore Health Services Data Breach Exposes Data on 1.5 Million People

Singapore Health Services Data Breach Exposes Data on 1.5 Million People

Attackers, repeatedly and specifically, targeted Singapore Prime Minister Lee Hsien Loong’s medication data.

Personal information belonging to about 1.5 million patients who visited Singapore Health Services’ specialist outpatient clinics over the past three years has been compromised in a data breach that is being described as the biggest of its kind in the country.

The attackers specifically and repeatedly looked for data on medication being used by Singapore Prime Minister Lee Hsien Loong, though their motivation for doing so was not immediately apparent.

“Perhaps they were hunting for some dark state secret, or at least something to embarrass me,” Loong wrote on his Facebook page. “If so, they would have been disappointed. My medication data is not something I would ordinarily tell people about, but there is nothing alarming in it.”

Singapore’s Ministry of Health Friday said the breach stemmed from a “deliberate, targeted and well-planned cyberattack.” In a statement, the Ministry pointedly noted the attack was not the work of criminal gangs or casual hackers – seemingly implying in the process that a nation-state actor was behind the incident.

The data that was taken included national registration identity card numbers, names, birthdates, addresses, gender, and race information on 1.5 million people who had visited SingHealth’s clinics between May 2015 and July 4, 2018. Other data such as patient diagnosis information, doctor’s notes, and test results remained untouched. However, information on medications that were dispensed to some 160,000 patients was also compromised in the incident.

The attack is familiar to countless others in recent years targeting the healthcare industry. Just this week, LabCorp, one of the largest healthcare diagnostics firms in the US disclosed in an SEC filing that it had to take several systems offline – disrupting test processing and customer access as a result – after discovering suspicious activity on its network. Privacy Rights Clearinghouse, which maintains a database of publicly disclosed breaches, counts 167 breaches so far this year involving healthcare, medical providers, and health insurers. A lot of the activity is being fueled by the high value of medical data in the criminal underground.

In the Singapore incident, the apparent fact that the attackers specifically targeted data belonging to the nation’s prime minister is concerning, says Itzik Kotler, CTO and co-founder of SafeBreach. “The healthcare vertical in particular is very interesting to attackers because their networks are often a key part of the national critical infrastructure, as in the case of SingHealth,” he says. “The fact that the attackers targeted the Singapore PM’s personal information and outpatient medicine information is a concern,” he notes. In the hands of the wrong people such data could potentially be used literally to trigger a life or death situation, Kotler says.

Unlike many data breach disclosure notices, the Singapore Ministry of Health’s disclosure offered at least some details of the incident based on investigations by the Cyber Security Agency of Singapore (CSA) and the country’s Integrated Health Information System.

According to the statement, database admins at SingHealth first spotted unusual activity on their network on July 4 and acted immediately to end it. A subsequent investigation showed that attackers had broken into the network and exfiltrated data between June 27, 2018 and July 4, 2018. The attackers had apparently accessed the SingHealth system by breaching a front-end workstation and using that foothold to obtain credentials for gaining privileged access to the backend database.

Following the incident, IT and security administrators at SingHealth have implemented several measures to shore up security, including additional controls on workstations and servers and resetting user and system accounts. Officials have also temporarily implemented “Internet surfing separation” as a precautionary measure, the SingHealth statement said.

Related Content:


 

 

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year … View Full Bio

More Insights

from Dark Reading – All Stories https://ubm.io/2LAf5Vu
via IFTTT

Microsoft: Three Hacking Attempts Made on Midterm Elections

Microsoft: Three Hacking Attempts Made on Midterm Elections

Microsoft detected data indicating three congressional candidates were being hit with cyberattacks – the first to target midterm elections.

The first hacking attempts have been made on the 2018 midterm elections, reports Microsoft, which detected phishing attacks against three congressional candidates and helped block them.

Microsoft’s Tom Burt, vice president for security and trust, discussed the attacks at this year’s Aspen Security Forum. Earlier this year, experts found a fake Microsoft domain had been registered as a landing page for phishing campaigns against candidates. He did not name the candidates and confirmed the attacks did not succeed against any of them.

“They were all people who, because of their positions, might have been interesting targets from an espionage standpoint as well as an election disruption standpoint,” Burt explained in a panel discussion on election security, as reported by NBC News.

Security researchers, at Microsoft and across the industry, agree the cyber activity preceding this year’s midterm elections is not the same level of activity detected ahead of the 2016 presidential election. Attackers are not targeting academia or think tanks, Burt said.

Read more details here.

 

 

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.


Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

More Insights

from Dark Reading – All Stories https://ubm.io/2uRtrdb
via IFTTT