Tag Archives: infosecnews

19 M California Voter Records Held for Ransom in MongoDB Attack

The records were first exposed in an unsecured MongoDB database, continuing a cyber-extortion trend.

Voter registration data for over 19.2 million California residents that was residing on an unsecured MongoDB database has been deleted and held for ransom by attackers, according to researchers at Kromtech, who discovered the incident.

This continues a series of cyber-extortion attacks that exploit exposed MongoDB deployments. As in earlier cases, the attacker scanned the internet for MongoDB instances reachable without authentication, found the one containing the voter data, wiped the data and left a ransom request for 0.2 Bitcoin (around $3,500 US today), Bleeping Computer reports.
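The exposure pattern behind this and the earlier MongoDB extortion cases is a listener bound to every interface with no authorization enabled. The following audit script is an added example written for this page, not code from Kromtech, Bleeping Computer or the MongoDB project; it reads a mongod.conf (YAML), checks the two relevant settings, and flags the combination that the scan-wipe-ransom attacks rely on. The two sample configs are constructed, and the tiny YAML reader handles only the flat nested mappings a mongod.conf normally uses.

```python
# Added example: audit a mongod.conf for the settings that leave an instance
# open to internet-wide scanning. The parser and both sample configs are
# constructed for this illustration; the parser supports nested mappings of
# scalars with 2-space indentation only (no lists, anchors or block scalars).

WEAK_CONF = """\
# constructed sample: the shape of config the extortion scans look for
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

HARDENED_CONF = """\
# constructed sample: local-only listener plus role-based access control
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,::1
security:
  authorization: enabled
"""


def parse_simple_yaml(text):
    """Parse the YAML subset used by mongod.conf into nested dicts of strings."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping) pairs from the root downwards
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        value = value.strip()
        while indent <= stack[-1][0]:  # climb back up to the enclosing mapping
            stack.pop()
        parent = stack[-1][1]
        if value == "":                # "key:" opens a nested mapping
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value.strip("\"'")
    return root


def audit_mongod_config(conf_text):
    """Return a list of findings; an empty list means neither weakness is present."""
    cfg = parse_simple_yaml(conf_text)
    net = cfg.get("net", {})
    security = cfg.get("security", {})
    findings = []

    bind_all = net.get("bindIpAll", "false").lower() == "true"
    if "bindIp" not in net and not bind_all:
        # mongod 3.6+ defaults to localhost, but earlier builds bound every
        # interface; without a version, assume the worst.
        findings.append("net.bindIp not set: mongod before 3.6 listened on all interfaces by default")
        public = True
    else:
        addrs = [a.strip() for a in net.get("bindIp", "").split(",")]
        public = bind_all or any(a in ("0.0.0.0", "::") for a in addrs)
        if public:
            findings.append("net.bindIp/bindIpAll: listener reachable on all interfaces")

    auth_off = security.get("authorization", "disabled").lower() != "enabled"
    if auth_off:
        findings.append("security.authorization not enabled: any connected client has full access")

    if public and auth_off:
        findings.append("CRITICAL: unauthenticated and network-reachable, the pattern behind the wipe-and-ransom attacks")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_config(conf) or ["no findings"])
```

Run it against a real deployment's config file to get the same three-way verdict; the network check is the more important of the two, since a host firewall or private network in front of the listener removes the scan exposure even where authentication has not yet been turned on.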

The Kromtech researchers state they have not been able to identify the owner of the database. They “believe that this could have been a political action committee or a specific campaign based on the unofficial title of the repository (‘cool_db’), but this is only a suspicion.”

For more information see here.


Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.


from Dark Reading – All Stories http://ubm.io/2AyEREd

Triton Malware Targets Industrial Control Systems in Middle East

Researchers found malware called Triton on the industrial control systems of a company located in the Middle East. Attackers planted Triton, also called Trisis, with the intent of carrying out a “high-impact attack” against an unnamed company with the goal of causing physical damage, researchers said.

FireEye’s Mandiant threat research team revealed the existence of the malware on Thursday. They said adversaries behind Triton are targeting Triconex Safety Instrumented System controllers sold by Schneider Electric.

Researchers are comparing Triton’s targeting of industrial control systems to the malware used in the watershed attacks Stuxnet and Industroyer (also known as Crashoverride).

“It follows Stuxnet which was used against Iran in 2010 and Industroyer which we believe was deployed by Sandworm Team against Ukraine in 2016,” researchers said in a blog post outlining their research. “Triton is consistent with these attacks, in that it could prevent safety mechanisms from executing their intended function, resulting in a physical consequence.”

On Wednesday, Schneider Electric warned its customers of Triton (PDF).

“Schneider Electric is aware of a directed incident targeting a single customer’s Triconex Tricon safety shutdown system. We are working closely with our customer, independent cybersecurity organizations and ICS-CERT to investigate and mitigate the risks of this type of attack. While evidence suggests this was an isolated incident and not due to a vulnerability in the Triconex system or its program code, we continue to investigate whether there are additional attack vectors,” the company said in a statement.

According to researchers at Dragos, credited for discovering the malware last month, Triton targets the Triconex Safety Instrumented System (SIS) by “enabling the replacement of logic in final control elements.”

“It is not currently known what exactly the safety implications of Trisis would be. Logic changes on the final control element implies that there could be risk to the safety as set points could be changed for when the safety system would or would not take control of the process in an unsafe condition,” Dragos stated in a report detailing the malware.

According to FireEye, Triton masquerades as a legitimate Triconex Trilog application used for reviewing system logs. “The malware was delivered as a Py2EXE compiled python script dependent on a zip file containing standard Python libraries, open source libraries, as well as the attacker-developed Triconex attack framework for interacting with the Triconex controllers,” researchers wrote.

Triton attack scenarios include using the malware to shut down the Triconex SIS process that is in a safe state. The impact would be disruption of plant operations and service downtime.

Attackers could also reprogram the SIS controller not to shut down in an unsafe environment, creating risks to human safety or damage to equipment, according to Mandiant researchers.

Each of the attack scenarios assumes an adversary already has a foothold on the targeted systems.

Lastly, attackers could manipulate the plant’s distributed control system to create unsafe conditions while at the same time programming the SIS to allow the unsafe state, resulting in possible equipment failure or human harm.

“FireEye has not connected this activity to any actor we currently track; however, we assess with moderate confidence that the actor is sponsored by a nation state,” Mandiant researchers said. “We assess with moderate confidence that the attacker was developing the capability to cause physical damage and inadvertently shutdown operations.”

Dragos described Triton as having a “game-changing” impact on industrial control systems and specifically on safety systems. “Targeting SIS equipment specifically represents a dangerous evolution within ICS computer network attacks. Potential impacts include equipment damage, system downtime, and potentially loss of life. Given these implications, it is important to ensure nuance in how the industry responds and communicates about this attack,” Dragos researchers said.

Schneider offers a number of detection and mitigation measures in its advisory, ranging from deploying Triconex systems on isolated networks to scanning any USB drives, CDs or laptops for malware before they are connected to that network.

from Threatpost – English – Global – thr… http://bit.ly/2zeEFf6

Lazarus Group Targets Bitcoin Company

The cybercrime group blamed for attacks on the SWIFT financial network launches a spearphishing campaign to steal employee credentials at a London cryptocurrency company.

Security researchers believe the Lazarus Group – thought to be responsible for the massive 2014 breach at Sony and the 2016 attacks on the SWIFT network – is now targeting employees of a London cryptocurrency company with a phishing campaign, in an effort to gain remote control of employees’ devices, Reuters reports.

Researchers at Secureworks Counter Threat Unit discovered the campaign, which aims to lure employees to click on a link for a chief financial officer job opening. The link then downloads malware onto users’ devices and gives attackers remote control of the device.

The technology used in this particular campaign is similar to ones used in other campaigns tied to Lazarus, which is linked to the North Korean government, Reuters reports.

Secureworks, which came across the Lazarus phishing campaign as recently as last month, believes the group’s efforts are still ongoing, Reuters notes.

Read more about the phishing campaign here.


from Dark Reading – All Stories http://ubm.io/2AT3WxW

Simple research tool detects 19 unknown data breaches

Every now and then researchers come up with a security insight so simple you wonder why nobody has noticed it before.

If there was an award for such discoveries, a contender for this year’s prize would surely be a data breach early warning tool called Tripwire, the work of engineers at the University of California San Diego (UCSD).

In real-world tests, not only did Tripwire detect a number of unknown or undisclosed breaches, the team believes it could be used to detect many breaches long before organisations realise they’ve happened or stolen data appears on the dark web.

Too good to be true? Not if you harness the power of inference.

As anyone who studies data breaches knows, the first thing cybercriminals do when they steal and unscramble credentials is to try them on lots of other sites, particularly the email services that underpin people’s online identity.

For instance, passwords taken from breaching small sites will be used to attack larger and more valuable ones (Gmail, say) in the hope that users have re-used the same passwords.

As numerous incidents show, it’s a strategy criminals use to amplify the effect of almost every breach.

The team’s reasoning was to detect when re-use attacks were happening by creating multiple honeypot accounts on each of 2,302 different online organisations, each tied to a single email address at an unnamed email provider who’d agreed to collaborate with them.

If a honeypot account was breached, it followed that this would become apparent when the cybercriminals used the stolen credentials to access its accompanying email address.

Which means:

This approach allows a wide array of Internet sites to be efficiently monitored for compromises and admits no false positives – presuming the email provider itself is not compromised.

The clever bit is it worked.

19 of the test sites were breached and passwords reused in the nine months to February 2017, including one at a “well-known American startup” with 45 million customer accounts.

Sixteen of these were unknown breaches, either because the organisation affected was keeping that fact secret or, very possibly, didn’t know it had been breached at all.

A further three, including the site with 45 million users, showed minor public indications of compromise, that had not been confirmed (one was eventually confirmed during the study period).

To account for some sites storing passwords more securely than others, the researchers registered honeypot accounts with an “easy” password (8-character, containing a dictionary word), and a “hard” one (10-character, alpha-numeric, mixed case).

This meant that if Tripwire subsequently detected a breach on a given account, it could infer the level of security being used to secure passwords (i.e. a breach of a hard password might imply it was stored as a simple hash, or even as plain text).
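The inference described above is simple enough to model end to end: each monitored site gets its own honeypot mailboxes that nobody ever logs into legitimately, so a successful login to one of them can only come from credentials taken from that site, and which of the two password classes was replayed says something about how the site stored them. The code below is an added example written for this page, not the UCSD team’s Tripwire code; the site names, the provider domain and the login log are all constructed, and the storage inference mirrors the article’s own reasoning (a replayed hard password suggests plaintext or a fast unsalted hash).

```python
# Added example: a small model of the Tripwire honeypot-account inference.
# Sites, provider domain and the login log below are constructed for this
# illustration; the mailbox names are random so each run is unique.
import secrets
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Honeypot:
    site: str      # the monitored site the account was registered on
    strength: str  # "easy" or "hard", mirroring the two password classes in the study
    mailbox: str   # unique address at the cooperating email provider


def plant_honeypots(sites, provider_domain):
    """Create one mailbox per (site, strength). Only the monitoring team knows the
    mapping, and no legitimate user ever logs into these mailboxes."""
    registry = {}
    for site in sites:
        for strength in ("easy", "hard"):
            mailbox = f"hp-{secrets.token_hex(4)}@{provider_domain}"
            registry[mailbox] = Honeypot(site, strength, mailbox)
    return registry


def mailbox_for(registry, site, strength):
    """Look up the honeypot mailbox planted for a given site and password class."""
    return next(m for m, hp in registry.items() if (hp.site, hp.strength) == (site, strength))


def detect_breaches(registry, login_events):
    """A successful login to a honeypot mailbox means credentials stolen from the
    linked site are being replayed. No false positives are possible as long as the
    email provider itself is intact. Returns {site: set of compromised strengths}."""
    compromised = defaultdict(set)
    for event in login_events:
        hp = registry.get(event["mailbox"])
        if hp is not None and event["success"]:
            compromised[hp.site].add(hp.strength)
    return dict(compromised)


def infer_password_storage(strengths):
    """Which honeypot passwords came back hints at how the site stored them."""
    if "hard" in strengths:
        return "hard password replayed: stored in plaintext or a fast unsalted hash"
    if "easy" in strengths:
        return "only the easy password replayed: probably hashed, weak password cracked"
    return "no evidence"


def run_demo():
    sites = ["wallpapers.example", "torrents.example", "classifieds.example"]
    registry = plant_honeypots(sites, "provider.example")
    # constructed login log from the email provider; non-honeypot logins are ignored
    events = [
        {"mailbox": mailbox_for(registry, "wallpapers.example", "easy"), "success": True},
        {"mailbox": mailbox_for(registry, "wallpapers.example", "hard"), "success": True},
        {"mailbox": mailbox_for(registry, "torrents.example", "easy"), "success": True},
        {"mailbox": mailbox_for(registry, "torrents.example", "hard"), "success": False},
        {"mailbox": "someone@provider.example", "success": True},  # ordinary customer
    ]
    compromised = detect_breaches(registry, events)
    return {site: infer_password_storage(compromised.get(site, set())) for site in sites}


if __name__ == "__main__":
    for site, verdict in run_demo().items():
        print(f"{site}: {verdict}")
```

The one assumption doing all the work is that the honeypot mailboxes are never touched by anyone but an attacker, which is why the study could claim zero false positives; a failed attempt against the correct honeypot username is not counted here, but in practice it is still worth logging, since it shows the username list, if not the password, has leaked.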

One criticism might be to question how representative the test sites (adult, classified, gaming, wallpapers, BitTorrent, etc.) are of the internet more widely.

Which misses the point – the fact a breached account is at a small, obscure online company matters not if the user reuses the same password to secure their Gmail, Yahoo or Facebook accounts.

How might attackers evade Tripwire?

Only by choosing not to try password reuse attacks on big email providers, or by targeting smaller numbers of accounts in the hope the honeypot account wasn’t among them.

But, as its creators acknowledge, Tripwire’s biggest hurdle might simply be convincing breached providers to take its evidence seriously.

Too many don’t care or don’t want to know about breaches, viewing it as a private concern. Until this changes, or governments enforce better behaviour, Tripwire could find itself with plenty of work ahead of it.

from Naked Security – Sophos http://bit.ly/2BsWHw4

To avoid phishing hooks don’t swim with the shoal

For phishing to work, it needs clicks. Victims have to open an email, reply, click on a link, or open up an attachment.

And click they do, in droves. The Anti-Phishing Working Group (APWG) estimates that there were at least 592,335 unique phishing attacks in the first half of 2017, while there are estimates that as many as 85% of organizations have fallen victim to at least one such attack.

Case in point: a study last year found that up to 56% of email recipients and about 40% of Facebook users clicked on a link from an unknown sender that could have been crawling with malware, for all they knew.

So who are these mad clickers? Researchers wanted to know. What they found: people from crotchety cultures that aren’t all that into group harmony are the least likely to click.

That’s according to a paper, Understanding susceptibility to phishing emails: Assessing the impact of individual differences and culture, presented last month at the Eleventh International Symposium on Human Aspects of Information Security & Assurance (HAISA 2017) in Adelaide, Australia.

Researchers from the Defence Science and Technology Group, in Edinburgh, South Australia, and from the University of Adelaide, also in South Australia, found that the strongest predictor of people’s ability to sniff out a malicious email was cultural orientation towards the needs of the individual rather than the needs of society.

For both phishing and spear-phishing, there was also a positive association between self-reported information security awareness and detection ability. Impulsivity in decision making predicted poorer detection of phishing emails, they found, but not so for spear-phishing emails.

The researchers’ review of current literature came up with contradictory results when it came to the Big Five personality traits and how they relate to susceptibility to phishing.

Those are the personality traits – openness, conscientiousness, extraversion, agreeableness, and neuroticism – that psychologists use to describe human personality.

Some researchers have previously found positive correlation between levels of neuroticism and phishing susceptibility, for example, but only in the women taking part in the experiment. Other researchers have found an association between phishing susceptibility and neuroticism, but the effect was evident for both genders. They also found evidence for an association between phishing email susceptibility and conscientiousness.

As far as phishing susceptibility and national origin goes, previous research has shown less gullibility in countries with high levels of individualism – i.e., those whose inhabitants prefer loosely knit social frameworks wherein an individual is more likely to focus on their own needs or the needs of immediate family.

Countries with low levels of individualism have tightly-knit social frameworks wherein individuals are more focused on the needs of the wider group than their own personal needs. The Australian researchers theorized that individualism may predict how a user responds to certain email requests, given that “someone with a focus on the group’s needs may be more inclined to comply with a request in order to maintain interpersonal harmony.”

Phisher’s gold, in other words. One previous study looked at how likely Swedes, Indians and Americans are to fall for phishing and found that Americans are least likely to take the bait, while Indians are more so. The problem with such previous studies, though, is that they relied on self-reporting.

For their recent study, the Australians worked with a small group of participants: 121 students. 68% were female, and most – 62% – were young, between 20 and 29 years of age. They hailed from 23 countries, and only 34% considered Australia to be their home.

The researchers set out to explore the role of a multitude of differences – age, gender, personality traits, cognitive impulsivity, information security awareness (ISA) for emails, and culture (i.e., how they rated on the Individualism scale) – on their success in detecting phishing and spear-phishing attempts.

Then, the researchers hit the participants up with a mix of legitimate emails and phishing emails based on actual, successful email attacks provided by the IT staff from an associated university.

The results: the strongest predictors were national culture and ISA. Those who had training on email security were better able to detect deceitful emails. Plus, those who came from countries with high levels of Individualism were better at detecting malicious emails. In fact, being from a country associated with higher levels of Individualism was the single strongest predictor of success at detecting malicious email.

It’s the impulse to keep the group happy – the tendency to maintain group harmony – that prompts people to respond to requests from others, the researchers suggest, including requests in malicious emails.

But when it comes to spear-phishing, what really pays off is being neurotic. From the report:

This may be due to the link between neuroticism and compulsive thinking about possible threats (Nolan et al. 1978). In other words, heightened rumination may improve our ability to detect actual spear-phishing threats. Such rumination may be limited to spear-phishing emails due to the highly personalised nature of such cyber attacks where an individual may feel singled out.

The study had its limitations, the researchers note. Besides the small sample size, it also relied on participants self-reporting their cultural tendencies toward individual self vs. group.

from Naked Security – Sophos http://bit.ly/2CjG16O

Former Botmaster, ‘Darkode’ Founder is CTO of Hacked Bitcoin Mining Firm ‘NiceHash’

On Dec. 6, 2017, approximately USD $52 million worth of Bitcoin mysteriously disappeared from the coffers of NiceHash, a Slovenian company that lets users sell their computing power to help others mine virtual currencies. As the investigation into the heist nears the end of its second week, many NiceHash users have expressed surprise to learn that the company’s chief technology officer recently served several years in prison for operating and reselling a massive botnet, and for creating and running “Darkode,” until recently the world’s most bustling English-language cybercrime forum.

In December 2013, NiceHash CTO Matjaž Škorjanc was sentenced to four years, ten months in prison for creating the malware that powered the “Mariposa” botnet. Spanish for “Butterfly,” Mariposa was a potent crime machine first spotted in 2008. Very soon after, Mariposa was estimated to have infected more than 1 million hacked computers — making it one of the largest botnets ever created.

An advertisement for the ButterFly Flooder, a crimeware product based on the ButterFly Bot.

ButterFly Bot, as it was more commonly known to users, was a plug-and-play malware strain that allowed even the most novice of would-be cybercriminals to set up a global operation capable of harvesting data from thousands of infected PCs, and using the enslaved systems for crippling attacks on Web sites. The ButterFly Bot kit sold for prices ranging from $500 to $2,000.

Prior to his initial arrest in Slovenia on cybercrime charges in 2010, Škorjanc was best known to his associates as “Iserdo,” the administrator and founder of the exclusive cybercrime forum Darkode.

A message from Iserdo warning Butterfly Bot subscribers not to try to reverse his code.

On Darkode, Iserdo sold his Butterfly Bot to dozens of other members, who used it for a variety of illicit purposes, from stealing passwords and credit card numbers from infected machines to blasting spam emails and hijacking victim search results. Microsoft Windows PCs infected with the bot would then try to spread the disease over MSN Instant Messenger and peer-to-peer file sharing networks.

In July 2015, authorities in the United States and elsewhere conducted a global takedown of the Darkode crime forum, arresting several of its top members in the process. The U.S. Justice Department at the time said that out of 800 or so crime forums worldwide, Darkode represented “one of the gravest threats to the integrity of data on computers in the United States and around the world and was the most sophisticated English-speaking forum for criminal computer hackers in the world.”

Following Škorjanc’s arrest, Slovenian media reported that his mother Zdenka Škorjanc was accused of money laundering; prosecutors found that several thousand euros were sent to her bank account by her son. That case was dismissed in May of this year after prosecutors conceded she probably didn’t know how her son had obtained the money.

Matjaž Škorjanc did not respond to requests for comment. But local media reports state that he has vehemently denied any involvement in the disappearance of the NiceHash stash of Bitcoins.

In an interview with Slovenian news outlet Delo.si, the NiceHash CTO described the theft “as if his kid was kidnapped and his extremities would be cut off in front of his eyes.” A roughly-translated English version of that interview has been posted to Reddit.

According to media reports, the intruders were able to execute their heist after stealing the credentials of a user with administrator privileges at NiceHash. Less than an hour after breaking into the NiceHash servers, approximately 4,465 Bitcoins were transferred out of the company’s accounts.

NiceHash CTO Matjaž Škorjanc, as pictured on the front page of a recent edition of the Slovenian daily Delo.si

A source close to the investigation told KrebsOnSecurity that the NiceHash hackers used a virtual private network (VPN) connection with a Korean Internet address, although the source said Slovenian investigators were reluctant to say whether that meant South Korea or North Korea because they did not want to spook the perpetrators into further covering their tracks.

CNN, Bloomberg and a number of other Western media outlets reported this week that North Korean hackers have recently doubled down on efforts to steal, phish and extort Bitcoins as the price of the currency has surged in recent weeks.

“North Korean hackers targeted four different exchanges that trade bitcoin and other digital currencies in South Korea in July and August, sending malicious emails to employees, according to police,” CNN reported.

Bitcoin’s blockchain ledger system makes it easy to see when funds are moved, and NiceHash customers who lost money in the theft have been keeping a close eye on the Bitcoin payment address that received the stolen funds ever since. On Dec. 13, someone in control of that account began transferring the stolen bitcoins to other accounts, according to this transaction record.

The NiceHash theft occurred as the price of Bitcoin was skyrocketing to new highs. On January 1, 2017, a single Bitcoin was worth approximately $976. By December 6, the day of the NiceHash hack, that figure had ballooned to $11,831.

Today, a single Bitcoin can be sold for more than $17,700, meaning whoever is responsible for the NiceHash hack has seen their loot increase in value by roughly $27 million since the theft.

In a post on its homepage, NiceHash said it was in the final stages of re-launching the surrogate mining service.

“Your bitcoins were stolen and we are working with international law enforcement agencies to identify the attackers and recover the stolen funds. We understand it may take some time and we are working on a solution for all users that were affected.

“If you have any information about the attack, please email us at [email protected]. We are giving BTC rewards for the best information received. You can also join our community page about the attack on reddit.

However, many followers of NiceHash’s Twitter account said they would not be returning to the service unless and until their stolen Bitcoins were returned.


from Krebs on Security http://bit.ly/2yEqvjM

How MP Nadine Dorries could have shared her passwords securely

Last week, British MP Nadine Dorries admitted doing something with her email password that a lot of people thought sounded a bit crazy.

Passwords are supposed to be top secret but Dorries, it seems, pays little attention to any of that and simply hands hers out to her office staff so they can help manage her bulging inbox of political correspondence.

She described this novel password system in a tweet:

That’s it – if staff such as interns want her password, she tells them (or perhaps they tell her, we’re not sure).

Twitter’s unforgiving vox populi were unimpressed, pointing out:

But what Dorries and others like her may like to know is that there are ways to share access to your resources safely, and there are even safe ways to share passwords with colleagues when shared access isn’t an option.

Sharing access has become essential in many offices where employees work behind company profiles on sites like Facebook and LinkedIn, or, as in Dorries’ case, where multiple employees need access to a single email account or calendar.

The best way to do this is with something like delegated access, available in both the Microsoft Exchange and Google for business environments, where each user has an individual account.

Sometimes, sharing passwords is the only option though. It is essential for services like Twitter that don’t provide ways for multiple accounts to access a single profile, for example. A password manager such as LastPass is the best option here.

In both cases, access can be granted without secondary users being able to see passwords, which means these can’t leak out in plaintext or be re-purposed as part of credential stuffing attacks. Access can also be revoked at any time (revoking access where everyone just knows the boss’s password means changing the password every time somebody leaves and since that inconveniences everybody who uses it, it often doesn’t happen).

Some might have qualms about doing this for email accounts (attackers might in theory compromise the secondary user’s PC and abuse its access) but it would still be better than writing down a password, shouting it out in the office where it can be overheard, or anything else that increases the number of people who have to display good password hygiene to keep a system secure.

It also avoids what Dorries might call the ‘Damian Green defence’ of plausible deniability – that MPs can’t be held responsible for what is downloaded to their computers because other people were accessing their email account from the same machine and might have been responsible.

Secure sharing makes clear that each person can access an account from their own computer, sidestepping the issue.

But perhaps simply finessing password sharing is to miss the bigger takeaway from the great Dorries password debate of 2017: that there is an urgent need to stop relying on passwords alone and move to better authentication.

On that score, a blog by the Parliamentary Digital Service analysing the cyberattack on the House’s email system last summer noted that the recent roll-out of multi-factor authentication (MFA) to new MPs had helped reduce the effects of the breach.

Said PDS director, Rob Greig, on the sudden importance of MFA:

What was going to be a planned and careful roll-out designed to tackle legacy systems going back years, became an intense period of activity to get every user account secured.

Presumably, the PDS will have read of the password-sharing shenanigans of Dorries and her fellow MPs and immediately moved all of them up the MFA priority list.

from Naked Security – Sophos http://bit.ly/2CzCGlk