Monthly Archives: April 2017

Week in review: Lure10 attack, DoublePulsar exploit proliferation

Here’s an overview of some of last week’s most interesting news and articles:

BrickerBot bricked 2 million IoT devices, its author claims
The author of BrickerBot, which “bricks” IoT devices by rewriting the flash storage space and wiping files, has emerged to explain that the malware first attempts to secure the units without damaging them.

Security improvements primary reason for Windows 10 migration
Migration to Windows 10 is expected to be faster than previous OS adoption, according to a survey by Gartner. The survey showed that 85 percent of enterprises will have started Windows 10 deployments by the end of 2017.

Russian carding industry pioneer sentenced to 27 years in prison
Under the nickname “Track2,” Seleznev created two automated vending sites, an innovation that made it possible for criminals to efficiently search for and purchase stolen credit card data through a process as easy as buying a book on Amazon.

Lure10: Exploiting Wi-Fi Sense to MITM wireless Windows devices
Karma has long been a staple man-in-the-middle attack used in authorised wireless security assessments and unsanctioned ones, but as many modern operating systems now provide effective countermeasures, other approaches for tricking wireless clients into automatically associating with a rogue access point are wanted. Enter Lure10 – a new attack that, by taking advantage of Wi-Fi Sense, tricks wireless devices running Windows into doing exactly that.

IT service providers, many other orgs targeted in long-standing attack campaign
According to preliminary analysis, threat actors appear to be leveraging stolen administrative credentials (local and domain) and certificates, along with placing sophisticated malware implants on critical systems.

Industry reactions to the Verizon 2017 Data Breach Investigations Report
Nearly 2,000 breaches were analyzed in this year’s Verizon 2017 Data Breach Investigations Report and more than 300 were espionage-related.

Know your enemy: Defining the new taxonomy of malicious emails
Familiarity can breed contempt, and all users are now at risk from increasingly more advanced email attacks, which have become vastly more sophisticated in the last few years.

Tens of thousands Windows systems implanted with NSA’s DoublePulsar
Has your Windows machine been implanted with NSA’s DoublePulsar backdoor? If you haven’t implemented the security updates released by Microsoft in March, chances are good that it has. The good news is that the backdoor can now be remotely uninstalled from any infected Windows machine thanks to the updated detection script provided by security firm Countercept, as well as by rebooting the affected machines.

How secure are mobile banking apps?
Accenture and NowSecure have performed vulnerability assessments of customer-facing mobile banking apps of 15 banking institutions in the North American market.

Alleged Kelihos botmaster indicted
Pyotr Levashov, who went online under several nicknames – the most memorable of which was “Peter Severa” (i.e. Peter of the North) – was arrested in Barcelona on April 7, 2017, while on vacation with his family.

How to securely deploy medical devices within a healthcare facility
The risks insecure medical devices pose to patient safety are no longer just theoretical, and compromised electronic health records may haunt patients forever.

Will fileless malware push the antivirus industry into oblivion?
The death of antivirus has been prophesied for years now, but the AV industry is still alive and kicking. SentinelOne, though, believes that in-memory resident attacks, i.e. fileless malware, just might be the thing that pushes it into oblivion.

Executive spotlight: iovation’s new Vice President of Product
Last week iovation announced that Dwayne Melancon was leaving Tripwire after 17 years and joining the company as the new Vice President of Product, so we decided to get in touch and ask about his plans.

Behavioural profiling: Spotting the signs of cyber attacks and misuse
Behavioural profiling is increasingly recognised as a new level of protection against cyber attacks and systems abuse, offering the potential to pick out new and unknown attacks, or to spot activities that may be missed.

Cybercrime can come in any shape or size, and not always the form you’d expect
Cyberespionage is now the most common type of attack seen in manufacturing, the public sector and, most recently, education, warns the Verizon 2017 Data Breach Investigations Report. Much of this is due to the high concentration of proprietary research, prototypes and confidential personal data in those sectors, which are hot-ticket items for cybercriminals.

Modern threat landscape: Seismic shifts in motivation and focus
Cybercriminals revealed new levels of ambition in 2016 – a year marked by extraordinary attacks, including multi-million dollar virtual bank heists and overt attempts to disrupt the U.S. electoral process by state-sponsored groups.

Phishing attacks responsible for three-quarters of all malware
While technical attacks on the newest vulnerabilities tend to dominate the media, many attacks rely on less technical means.

SquirrelMail opens users to remote code execution
Users of open source webmail software SquirrelMail are open to remote code execution due to a bug (CVE-2017-7692) discovered independently by two researchers.

New infosec products of the week: April 28, 2017
A rundown of infosec products released last week.

from Help Net Security – News

10 Cybercrime Myths that Could Cost You Millions

Don’t let a cybersecurity fantasy stop you from building the effective countermeasures you need to protect your organization from attack.

Cybercrime is all over the place, with damages, according to one estimate by Cybersecurity Ventures, expected to double from $3 trillion in 2015 to $6 trillion by 2021. In a prominent 2016 ransom attack, according to the 2016 McAfee Threat Report, a criminal was supposedly able to pocket $121 million within just six months, netting $94 million after expenses. Still, too often people believe in myths that prevent them from building effective countermeasures. Here are some examples:

Myth #1: Only large enterprises need to worry
No one is immune. Cybercrime is affecting everybody – people and businesses of all sizes alike. Radware concluded in their 2016-2017 Global Application & Network Security Report that 98% of organizations experienced cyberattacks in 2016. A reported 31% of these attacks were directed at small and mid-sized companies with less than 250 employees.

Myth #2: Threats are completely overrated; it’s not a big deal!
That’s wishful thinking; the frequency of incidents is eye-opening. According to McAfee Labs’ Threats Report, the average mid-sized organization (1,000–3,000 employees) encounters 11–20 incidents in a single day. Larger organizations (3,001–5,000 employees) are slightly busier, with the median at 21–30 incidents per day. The largest organizations (more than 5,000 employees) are busiest, with the median at 31–50 incidents daily.

Myth #3: Bad guys are always outsiders
According to the Radware report, roughly one-third (27%) of all incidents are caused by insiders due to malicious or accidental actions. Some sources believe that number to be much higher. Indeed, users are often unaware and easy to dupe. In a more recent Verizon study, 30% of phishing messages were opened by the target across all campaigns. Some 12% even went on to click the malicious attachment or link and thus enabled the attack to succeed.

Myth #4: Companies are prepared to combat cybercrime
New research this year from BMC and Forbes (registration required) suggests that 68% plan to enhance incident response capabilities in the next 12 months. This seems overdue, as companies are still largely unprepared: the report notes that 40% have no incident response plan, while 70% have no cyber-insurance.

Myth #5: I’d sign up for an insurance policy if I could. I just wish life was that easy.
It’s a booming market. Cybersecurity is perhaps one of the strongest growth areas within the insurance sector. As a matter of fact, annual gross written premiums are set to triple, from around $2.5 billion in 2015 to $7.5 billion by 2020, according to PwC.

Myth #6: All of our PCs are equipped with antivirus and encryption – we’re fine!
Even so, bad news: by 2020, PCs will only play a minor role as the vast majority of users will opt for mobile devices such as tablets and smartphones instead. According to a 2015 prediction from Cisco, traffic from wireless and mobile devices will account for 66% of all IP traffic worldwide. Data stored on connected devices will be five times higher than data stored in data centers. Devices are used in highly insecure environments, including Wi-Fi hotspots, where intruders could potentially interfere. Moreover, according to a 2013 Ernst & Young whitepaper, millions of cell phones and smartphones are lost or stolen every year. Over their lifespan, approximately 22% of the total number of mobile devices produced will disappear, and over 50% of these will never be recovered.

Myth #7: We have great firewalls and network security, why bother?
Survey results from F5 Networks suggest that network security is often not the issue; 57% struggle with the application layer instead. The frequency and severity of attacks on the application layer are considered much greater than at the network layer: 55% say the application is attacked more often, and 58% think these attacks are more severe than those at the network layer. Furthermore, there is a big mismatch in budget allocation: on average, 18% of IT security funding is dedicated to application security, while more than twice that amount (39%) is spent on network security.

Myth #8: Millennials are digital natives and more cautious
The common assumption that young talent, especially millennials, are digital natives and tech-savvy enough to safeguard corporate data is probably wrong. In fact, it’s likely going to be the opposite. Young people tend to be more relaxed and less concerned about privacy. They need even more awareness of today’s threats as they’re used to a completely different mindset where life is all about sharing – via social media and other channels that aren’t necessarily secure.

Myth #9: Strong passwords solve the issue
Strong passwords are powerful, but only when combined with other measures such as two-factor authentication. If strong passwords are too complicated to remember, or users are forced to change them too frequently, people won’t be able to memorize them and will start writing them down in one form or another, thereby undermining even the most sophisticated security tools.

Myth #10: Let’s just hire a few more capable IT security gurus and we’ll be fine
Being understaffed remains the prime issue when it comes to countering cybercrime. Despite 47% of executives surveyed in 2017 by BMC and Forbes being willing to allocate more resources, the key question is how to find them. In a Trustwave 2016 report (registration required), 57% of respondents reported that finding and recruiting talented IT security staff is a “significant” or “major” challenge. Retaining these people is also viewed as a difficult problem by 35% of the respondents. There was a severe cybersecurity workforce gap, with 1 million vacancies in 2016, says Cyber Security Ventures. The shortage is expected to worsen and reach 1.5 million by 2019. Thus, hiring is a great idea, but much easier said than done.


Marc Wilczek is an entrepreneur and senior executive with more than 20 years of leadership experience within the ICT space. He’s passionate about all things #digital with emphasis on cloud, big data and IoT services. Before serving as VP portfolio, innovation & architecture …


from Dark Reading – All Stories

WikiLeaks Reveals CIA Tool ‘Scribbles’ For Document Tracking

WikiLeaks released details of what it said is a Central Intelligence Agency document tracking program called Scribbles, part of the agency’s toolkit for keeping tabs on documents leaked to whistleblowers and journalists. Scribbles allegedly embeds a web beacon-style tag into watermarks located on Microsoft Word documents that can report document analytics back to the CIA.

WikiLeaks released information Friday about Scribbles as part of its ongoing Vault 7 Dark Matter release that began last month. Also released is what WikiLeaks said is Scribbles’ source code.

A user manual describing Scribbles said the tool can be used to generate batch copies of identical or unique files, each with a distinctive watermark that includes a web beacon-like tag. A web beacon (or web bug) is a transparent graphic image that can be used to report back that a document has been opened, along with the IP address of the computer that requested the image file.

According to WikiLeaks, Scribbles works exclusively with Microsoft Office documents. The tool, according to the user guide, has been “successfully tested” with Microsoft Office 2013 (on Windows 8.1 x64) and Office 97-2016 running on Windows 98 and above.

WikiLeaks’ copy of the CIA’s Scribbles user manual says the tool will not work on encrypted or password-protected documents. The CIA also warns that if a document carrying a Scribbles watermark is opened in an alternative document viewer, such as OpenOffice or LibreOffice, the watermark and its URLs may be revealed to the user.

According to the alleged CIA documentation, the tool is for “pre-generating watermarks and inserting those watermarks into documents that are apparently being stolen by FIO (Foreign Intelligence Officers) actors.”

A CIA spokesperson declined to comment on this latest WikiLeaks release. Instead, it reiterated a statement to Threatpost it made on March 8 regarding the initial Vault 7 dump by WikiLeaks.

“We have no comment on the authenticity of purported intelligence documents released by Wikileaks or on the status of any investigation into the source of the documents. However, there are several critical points we would like to make.

CIA’s mission is to aggressively collect foreign intelligence overseas to protect America from terrorists, hostile nation states and other adversaries. It is CIA’s job to be innovative, cutting-edge, and the first line of defense in protecting this country from enemies abroad. America deserves nothing less.

It is also important to note that CIA is legally prohibited from conducting electronic surveillance targeting individuals here at home, including our fellow Americans, and CIA does not do so. CIA’s activities are subject to rigorous oversight to ensure that they comply fully with U.S. law and the Constitution.”

Microsoft did not return requests for comment for this story.

According to security expert Udi Yavo, CTO and co-founder of enSilo, Scribbles is taking advantage of a feature in Microsoft Office that allows users to embed remote objects, such as images, in documents. “Similar tracking mechanisms are used by document protection security companies in order to track them,” Yavo said.

He said Scribbles and similar tools such as web beacons are used by organizations to determine questions like: Did the document leak? Where was it opened? Who was the owner of the document that was opened? When was it opened?

Similar digital rights management products are sold commercially by firms like IntraLinks, which sells a tool called DocTrack, a file tracking service that gathers document analytics. Inserting web beacons into Word documents was also a technique described by the Privacy Foundation at the University of Denver Sturm College of Law in 2000. With the release of Office 2016 Microsoft introduced Data Loss Protection, a tool to prevent data leakage and manage file permissions. The tool offered admins the ability to track some document usage.

WikiLeaks contends Scribbles is intended for use against “insiders, whistleblowers, journalists or others.”

“Regarding privacy concerns, I don’t see here a major concern, since we are dealing with internal classified documents – they should be protected from data leakage,” said Omer Schneider, CEO of CyberX.

However, Schneider and Yavo point out that the remote-object feature in Office documents has been leveraged in several Office document-based attacks. “Sandworm leveraged this feature, as did the latest major Office vulnerability (CVE-2017-0199) that with HTA files,” Schneider said.
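The beacon mechanism described above relies on an Office image relationship whose target is a URL instead of a part inside the document package. The scanner below is an added example, not code from the original article or from any of the tools it mentions: it lists every external relationship in a .docx and separates remote images (the beacon pattern) from ordinary external hyperlinks, which are normal. The sample document, its tracker hostname and the `build_sample_docx` / `find_external_references` / `beacon_candidates` names are all constructed for this example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List

# OPC relationship namespace used by every *.rels part in an OOXML package.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"


def find_external_references(docx_bytes: bytes) -> List[Dict[str, object]]:
    """List every relationship whose target lies outside the package.

    Word resolves images, hyperlinks, headers etc. through *.rels parts. A
    TargetMode="External" relationship points at a resource Word has to fetch
    (or open) from outside the file, which is how a remote watermark image
    turns into a 'phone home' when the document is opened.
    """
    findings: List[Dict[str, object]] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                target = rel.get("Target", "")
                findings.append({
                    "part": name,                      # which .rels part wired it
                    "rel_type": rel.get("Type", "").rsplit("/", 1)[-1],
                    "target": target,
                    "remote": target.lower().startswith(("http://", "https://")),
                })
    return findings


def beacon_candidates(findings: List[Dict[str, object]]) -> List[str]:
    """Keep only remote image targets: external hyperlinks are expected in
    ordinary documents, but an image that lives on a web server is fetched
    silently on open and behaves exactly like a web beacon."""
    return [str(f["target"]) for f in findings
            if f["rel_type"] == "image" and f["remote"]]


def build_sample_docx() -> bytes:
    """Constructed sample: a minimal .docx whose header pulls its watermark
    image from a remote URL, plus one ordinary external hyperlink in the body."""
    content_types = (
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/></Types>')
    root_rels = (f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
                 f'Type="{OFFICE_REL}/officeDocument" Target="word/document.xml"/></Relationships>')
    doc_rels = (f'<Relationships xmlns="{REL_NS}">'
                f'<Relationship Id="rId1" Type="{OFFICE_REL}/header" Target="header1.xml"/>'
                f'<Relationship Id="rId2" Type="{OFFICE_REL}/hyperlink" '
                'Target="https://example.com/policy" TargetMode="External"/></Relationships>')
    # The beacon: an image relationship in the header whose target is a URL
    # (hostname constructed for this example).
    header_rels = (f'<Relationships xmlns="{REL_NS}">'
                   f'<Relationship Id="rId1" Type="{OFFICE_REL}/image" '
                   'Target="http://tracker.example.invalid/wm/doc-0042.png" TargetMode="External"/>'
                   '</Relationships>')
    wml = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("_rels/.rels", root_rels)
        zf.writestr("word/document.xml", f'<w:document xmlns:w="{wml}"><w:body/></w:document>')
        zf.writestr("word/_rels/document.xml.rels", doc_rels)
        zf.writestr("word/header1.xml", f'<w:hdr xmlns:w="{wml}"/>')
        zf.writestr("word/_rels/header1.xml.rels", header_rels)
    return buf.getvalue()


if __name__ == "__main__":
    found = find_external_references(build_sample_docx())
    for f in found:
        print(f"{f['part']}: {f['rel_type']} -> {f['target']}")
    print("beacon candidates:", beacon_candidates(found))
```

The same walk over `*.rels` parts covers .xlsx and .pptx packages, since they use the identical relationship format.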

from Threatpost – English – Global – thr…

Hajime Botnet Reaches 300,000 Hosts With No Malicious Functions

This is not the first IoT-heavy botnet (Mirai takes that title); the interesting part is that the Hajime botnet appears to be benign.

So far no malicious functions have been detected in the codebase other than the ability to replicate itself and block other malware; Hajime seems to have no DDoS or offensive mechanisms.

Hajime – the “vigilante” IoT worm that blocks rival botnets – has built up a network of 300,000 compromised devices, according to new figures from Kaspersky Lab.

The steadily spreading Hajime IoT worm fights the Mirai botnet for control of easy-to-hack IoT products. The malware is billed as a vigilante-style internet clean-up operation but it might easily be abused as a resource for cyber-attacks, hence a growing concern among security watchers.

Hajime, like Mirai before it, takes advantage of factory-set (default) username and password combinations to brute-force its way into unsecured devices with open Telnet ports. The malware was first discovered [PDF] by security researchers at Rapidity Networks in October 2016. Since then it has spread steadily but inexorably. Most of the targets have turned out to be Digital Video Recorders, followed by webcams and routers, according to Kaspersky Lab.

Hajime avoids several networks, including those of General Electric, Hewlett-Packard, the US Postal Service, the United States Department of Defense, and a number of private networks. Infections had primarily come from Vietnam (over 20 per cent), Taiwan (almost 13 per cent) and Brazil (around 9 per cent).

The console messages state the worm was written by a White Hat hacker who is just seeking to protect the systems he/she infects. This seems rather unlikely, but it’s very possible. It might also just be a curious experiment by someone with the skills to use the Mirai code base (which was open-sourced) to do something so widespread.

Either way a DDoS attack from this many hosts would REALLY hurt.

The resiliency of Hajime surpasses Mirai, security researchers say. Features such as a peer-to-peer rather than centralised control network and hidden processes make it harder to interfere with the operation of Hajime (meaning “beginning” in Japanese) than comparable botnets.

Botnets of compromised devices can be harnessed for a variety of cyber-crimes ranging from DDoS attacks on targeted web sites to running credential-stuffing attacks or scanning websites for SQL injection vulnerabilities. The malware – which is not doing anything malign, at least for now – displays a message that says a “white hat” is “securing some systems”. The worm blocks access to ports 23, 7547, 5555, and 5358, common entry points for the rival Mirai worm and other threats.

There is no attacking code or capability in Hajime – only a propagation module. Despite its (current) benign state, Hajime is still a concern, not least because the malware’s real purpose remains unknown.

“The most intriguing thing about Hajime is its purpose. While the botnet is getting bigger and bigger, its objective remains unknown. We have not seen its traces in any type of attack or additional malicious activity. Nevertheless, we advise owners of IoT devices to change the password of their devices to one that’s difficult to brute force, and to update their firmware if possible,” said Konstantin Zykov, senior security researcher at Kaspersky Lab.

The worm is blocking the common ports used by Mirai and other IoT threats, so it is aggressive in that aspect.

Other than that, there’s no proof it is actually malicious so we, as usual, will just have to wait and see.

Source: The Register

from Darknet – The Darkside

Google, Facebook Swindled in $100M Payment Scam

Lithuanian man impersonated an Asian-based manufacturer to trick Facebook and Google into paying him $100 million.

A new investigation has uncovered details of a payment scam targeting Facebook and Google, Fortune reports. Lithuanian Evaldas Rimasauskas impersonated an Asian-based manufacturer, which often did business with both companies, to trick them into paying for products.

Rimasauskas used fake email addresses, invoices, and corporate stamps to convince accounting departments at Google and Facebook to transfer money over the span of two years. By the time they caught on, he had tricked the two companies out of $100 million.

At the time Rimasauskas was arrested in March 2017, a press release from the Department of Justice did not specify the victim companies. The manufacturer Rimasauskas impersonated was Quanta Computer, a prominent supplier for US tech companies.

Both Facebook and Google confirmed they were targeted in the attack and have recovered the bulk of funds stolen.

“This case should serve as a wake-up call to all companies – even the most sophisticated – that they too can be victims of phishing attacks by cyber criminals,” said acting US Attorney Joon H. Kim in the March release.

Read more about the investigation on Fortune.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.


from Dark Reading – All Stories

FTC Offers ID Theft Victims Online Crime Reporting Tool

ID theft victims can report their cybercrime attack to the Federal Trade Commission, without having to file a police report in most cases.

ID theft victims now have an alternative to filing a police report, a self-service online reporting tool from the Federal Trade Commission (FTC).

The FTC’s link offers a form that asks victims questions about the breach. The tool then provides a personal recovery plan and template letters that can be submitted to banks, merchants, and other entities affected by the victim’s identity theft. It also creates an identity theft report that serves as the official record of the crime and can be used in place of a police report where needed.

Under certain circumstances, an ID theft victim will still need to contact the police to submit a report. Those cases include if the victim knew the ID thief, if the ID thief used the victim’s identity in any encounters with police, or if a debt collector, creditor, or other entity affected by the crime demands a police report, the FTC stated.

The FTC said the goal of the online self-service form is to take the pressure off local police and help ID theft victims speed their recovery after the crime.

Read more about the FTC’s ID theft reporting tool here.



from Dark Reading – All Stories

Fileless Malware Attacks Continue to Gain Steam

Endpoint woes grow as fileless attacks grow in prevalence and file-based attacks remain largely undetected by AV engines.

New research shows that attackers are increasingly beating security detection at the gateway and on the endpoint by initiating attacks that don’t drop malicious files at all, thus evading file-based detection. And even when they do use malicious files, once they get past the gateway filtering, the typical detection mechanisms aren’t picking them up. 

The most recent study comes by way of SentinelOne, which published its Enterprise Risk Index today. This report examines attacks that made it past the gateway and onto endpoints. One of the most damning statistics from the study is the fact that once file-based malware has been filtered by the gateway, it’s largely undetectable by AV. 

“One of the more interesting findings from this study is how few pieces of malware actually have signatures within AV engines. Our research team found that only half of file-based attacks had been submitted to malware repositories and, of those, only 20 percent made it to AV engines,” says Jeremiah Grossman, chief of security strategy at SentinelOne. “This is yet another data point illustrating how incredibly quickly malware evolves and the impossibility for any signature-based AV solution to keep up.”

It’s startling considering how many of today’s enterprise compromises start at the endpoint and traditional endpoint protections can’t even keep up with the file-based malware attacks we’ve seen for years now. And now the landscape is getting even more complicated, as file-less malware attacks start to rise in prominence. File-less malware attacks evade detection by avoiding the drop of malicious files in favor of methods such as storing information in system memory, leveraging PowerShell or Windows registry, or using malicious macros.

According to SentinelOne’s risk index, nearly two in 10 attacks that reach the endpoint start as in-memory attacks that are virtually undetectable to AV systems, no matter how quickly they update signatures.

“In-memory attacks don’t leave detectable artifacts on the file system, and as such, modern anti-malware solutions must watch what processes are actually running, not just what is saved on the system,” explains Grossman. “If enterprises don’t have solid protections in place to address in-memory attacks, they’ll get infected; it’s just that simple.”

In the four months’ worth of data from last fall compiled for this report, the percentage of endpoint attacks instantiated as in-memory attacks doubled. Last month, Carbon Black released a study among security researchers showing that close to two-thirds of them have seen an increase in non-malware attacks since the beginning of 2016. This figure includes not only in-memory attacks, but also PowerShell-based attacks, remote logins, WMI-based attacks, and macro attacks.


Many organizations only look to identify threats at a single point in time – when a file is written to disk. Malicious files are only part of the problem.

“Cybercriminals are increasingly leveraging non-malware attacks because they provide the path of least resistance and are designed to evade traditional prevention approaches,” says Mike Viscuso, co-founder and CTO of Carbon Black. “Once an attack has gained foothold on an enterprise, an attacker will move laterally leveraging existing tools on the operating system. For organizations not prepared to sniff out this kind of behavior, the attack will remain virtually invisible and cause a number of problems.” 

Viscuso says that practitioners need to have non-malware attacks on their radar because, at this point, more than half of successful breaches come at the hands of these types of attacks. Anecdotal evidence continues to mount in support of the worries of researchers like Grossman and Viscuso. For example, today security start-up Morphisec published details about a politically motivated attack campaign against Israeli organizations that leans heavily on fileless attack techniques.

In this example, attackers compromised email accounts for high-profile individuals at Ben-Gurion University and sent malformed Word documents in reply to legitimate emails that were designed to take advantage of a Word vulnerability that was patched earlier this month. The documents weaponized with malicious macros installed a fileless variant of the Helminth Trojan agent.

“With many organizations taking high-risk vulnerabilities seriously and patching them as fast as possible, attackers can no longer exploit them,” writes Michael Gorelik, vice president of research and development for Morphisec. “We therefore expect that the pendulum will swing back from vulnerability exploits to macro-based campaigns.”

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.


from Dark Reading – All Stories