Firewall Firm is a Managed Cyber Security Company in India

Tag Archives: cyber security news


Facebook admits to storing hundreds of millions of user passwords in plain text

  • The social media giant has revealed that a large number of user passwords were stored in a ‘readable format’ in its internal systems.
  • Most of the passwords found belonged to users of Facebook Lite — a smaller version of the Facebook app meant for low data usage.

Facebook has disclosed another major privacy lapse on its platforms. In an official blog post, Pedro Canahuati, VP Engineering – Security and Privacy at Facebook, said that millions of user passwords were being stored in readable formats. This shocking admission comes days after the social media company’s Messenger application was found to have a security flaw that exposed user data.

What happened?

  • Facebook revealed that millions of passwords of Facebook Lite and Facebook app users were stored in plain text.
  • Passwords of a significant number of Instagram app users were also stored in the same way.
  • The company blog also mentions that other information such as access tokens had problems that were resolved later.
  • In the revelation, Facebook mentioned that it has implemented security measures to store passwords from then on.
  • As of now, Facebook has said that no security incidents have occurred due to this issue.

Passwords were not visible to outsiders

Canahuati explained that those ‘readable’ passwords were obscured for outsiders. “To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them. We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users,” he wrote in the company statement.

The company said that it has boosted security measures for protecting all accounts on the platform. Furthermore, it has advised users to enable security keys or 2FA to secure their account from external attacks.

Magecart group breaks into MyPillow and Amerisleep websites, potentially stealing credit card information

  • While MyPillow was hit with Magecart attacks in 2018, Amerisleep is said to be targeted as early as 2017.
  • The pillow manufacturing company has reworked the site after the attack but Amerisleep is still to respond with a fix.

The Magecart group, known for its notorious credit card skimming attacks, makes headlines again. This time, it has been found targeting the websites of mattress companies MyPillow and Amerisleep. The security incident was uncovered and detailed by Yonathan Klijnsma of RiskIQ. With its continuously evolving tactics, the group has slowly been rising to dominate cyberspace in 2019.

MyPillow

  • In October 2018, Magecart registered a typo-squat domain imitating MyPillow, revealing that an attack infrastructure was being prepared.
  • The group then injected a script into the company’s web store; the script was hosted on the look-alike domain.
  • The script contained a malicious JavaScript library along with the skimmer code.
  • They registered another new domain to insert a script and a skimmer into the LiveChat service used by MyPillow.
  • Both skimmers were detected by Klijnsma and were active until November 2018.

Amerisleep

  • In April 2017, Magecart began its credit card-skimming operation on Amerisleep. As in the MyPillow case, an obfuscated skimmer was used.
  • The group also deployed multiple scripts during its attack on the mattress company.
  • The site had skimmers active from April to October 2017. A year later, Magecart started deploying skimmers on it again.
  • Magecart even created a GitHub account in the name of Amerisleep to host its skimmer tools. This was taken down shortly afterwards.

Why it matters – While the threat group earlier targeted large firms such as British Airways, Newegg, and others, it has now eyed smaller companies.

Security Of Enterprise Wireless Networks

Providing enterprise network security is becoming an increasingly complex undertaking, as the number of threats emanating from the Internet continues to grow. Hackers continue to find new ways to attack systems and steal data. Dealing with these threats is highly complex. While numerous reviews like this may indicate that virtual private networks can protect you against all threats, getting on top of enterprise network security is much more difficult.

Multiple Systems

Dealing with enterprise network security means securing multiple related and connected systems, mainframes, and devices. And it doesn’t only apply to private companies – enterprise security is also applicable to organizations such as educational establishments and government departments. As networks run by these organizations grow in size and complexity, so security concerns multiply.

Virtually all enterprise systems today operate wireless networks, and this immediately compromises their security, as the wireless access point is always vulnerable to being infiltrated. Hackers have a variety of techniques available to them, such as packet sniffing, creating rogue access points, stealing passwords and other network access information, spear phishing, and so-called man-in-the-middle attacks. Each of these has the potential to compromise sensitive information, or even bring down the entire network.

Security Protocols

However, there are a variety of techniques available to help secure enterprise networks. Network security protocols are constantly evolving in order to deal with attacks, although staying one step ahead of the hackers is far from easy. This is why the contribution of white hat hackers to the security community is so valuable.

Wi-Fi Protected Access 2 (WPA2) incorporates the Advanced Encryption Standard (AES), with the majority of enterprise security providers delivering this at the 256-bit encryption level. This standard of encryption makes it practically impossible to crack the protection, even for advanced supercomputers.

Wi-Fi Alliance and WPA3

However, in June 2018, the Wi-Fi Alliance – a non-profit organization that promotes Wi-Fi technology and which is involved in the establishment of standards – certified WPA3. This will eventually replace WPA2, although this is a slow and steady process, much as the switch from 3G to 4G and then 5G takes a considerable period of time.

However, although encryption is extremely valuable, it is just the start of securing an enterprise network. Second on the list of priorities should be the deployment of a wireless intrusion detection system (WIDS) and a wireless intrusion prevention system (WIPS). These are network devices that continually monitor traffic and activity on Wi-Fi networks, and help recognize and eliminate unauthorized access.

Regular Patching

IT professionals responsible for network security should also ensure that all software and hardware is patched on a regular basis. Updating software, in particular, is absolutely critical, as vulnerabilities appear in even the best-known programs with alarming regularity. You simply must be running the most up-to-date and fully patched programs, otherwise, you run the risk of completely compromising all other security measures taken. All it takes is for hackers to exploit one known vulnerability, and you can be rapidly up a creek without a paddle.

Security Standards

As the authorities attempt to assist businesses in protecting their data, so a range of security standards have been established. One of these is the Federal Information Processing Standards (FIPS) 140-2 compliance for encryption, which can be considered particularly important for enterprise networks, which require particularly robust encryption. You should ensure that your network is fully compliant with this standard. And if you’re unsure how this is to be achieved then don’t shy away from contacting the authorities, as they will be more than happy to assist you.

Training Employees

The next port of call for all enterprise security should be dealing with everyday members of staff. This is where things can go horribly wrong. There are other things you can implement, which we’ll get on to in a minute, but first of all, make sure staff are on the same page as you. Emphasize to employees that security is all-important, and don’t neglect training them in network security principles. Again, your network is only as secure as the weakest password and the laxest worker, so make sure everyone is trained up and diligent.

Multi-Factor Authentication

And while you’re at it, ensure that you initiate multi-factor authentication across your network. This just makes it so much harder to crack your enterprise system. Strong passwords combined with multiple layers of security and authentication will simply make your network way more secure.

Secure Protocols

Another layer of security that you can consider is a bit of a mouthful…namely, Extensible Authentication Protocol-Transport Layer Security (EAP-TLS)! This is another authentication framework that makes it harder for attackers to gain access to your network, and it also helps protect the authentication exchange and subsequent communication.

There are other protocols that can be used as well, but one final measure that we’d like to mention is the implementation of a guest Wi-Fi network. This can be kept separate from the main network, providing a vital failsafe mechanism for network security. By employing routers with multiple Service Set Identifiers (SSIDs) you can isolate your valuable enterprise network access points, and ensure that your key data is kept under lock and key.
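The advice above (WPA2/WPA3 with AES rather than legacy ciphers, EAP-TLS rather than shared passwords, and a separate guest SSID) can be checked against what a Windows client actually has saved. The following PowerShell script is an added example for this page, not code from the original article or any vendor: it parses the `Authentication :` and `Cipher :` lines that `netsh wlan show profile name=<X>` prints, rates each profile, and flags open, WEP, legacy WPA, TKIP and pre-shared-key configurations. The two profile texts at the bottom are constructed samples in that format so the rating function can be exercised offline; the live audit at the end only runs where `netsh` exists.

```powershell
# Added example (not from the article): rate saved Wi-Fi profiles on a Windows host
# against the recommendations above. Accepts only WPA2/WPA3-Enterprise with CCMP/GCMP.

function Get-WlanProfileRating {
    param(
        [Parameter(Mandatory)] [string] $ProfileName,
        [Parameter(Mandatory)] [string] $ProfileText   # raw output of "netsh wlan show profile"
    )
    # netsh prints one "Authentication : X" / "Cipher : Y" pair per supported combination
    $auths   = [regex]::Matches($ProfileText, '(?m)^\s*Authentication\s*:\s*(\S.*?)\s*$') |
               ForEach-Object { $_.Groups[1].Value } | Select-Object -Unique
    $ciphers = [regex]::Matches($ProfileText, '(?m)^\s*Cipher\s*:\s*(\S.*?)\s*$') |
               ForEach-Object { $_.Groups[1].Value } | Select-Object -Unique

    $findings = New-Object System.Collections.Generic.List[string]
    foreach ($a in $auths) {
        if     ($a -eq 'Open')   { $findings.Add('open network, no authentication') }
        elseif ($a -eq 'Shared') { $findings.Add('WEP shared-key authentication') }
        elseif ($a -like 'WPA-*') { $findings.Add("legacy WPA ($a)") }
        elseif ($a -eq 'WPA2-Personal' -or $a -eq 'WPA3-Personal') {
            $findings.Add("pre-shared key ($a); an enterprise network should use EAP-TLS")
        }
        elseif ($a -notlike 'WPA*-Enterprise') { $findings.Add("unrecognised authentication '$a'") }
    }
    foreach ($c in $ciphers) {
        if ($c -in @('WEP', 'TKIP', 'None')) { $findings.Add("weak or absent cipher ($c)") }
    }
    $rating = if ($findings.Count -eq 0) { 'OK' } else { 'WEAK' }

    [pscustomobject]@{
        Profile  = $ProfileName
        Auth     = ($auths   -join ',')
        Cipher   = ($ciphers -join ',')
        Rating   = $rating
        Findings = ($findings -join '; ')
    }
}

# Constructed sample profiles in the netsh output format (only the relevant lines)
$sampleCorp = @"
Profile CorpWiFi on interface Wi-Fi:
Security settings
-----------------
    Authentication         : WPA2-Enterprise
    Cipher                 : CCMP
    Authentication         : WPA2-Enterprise
    Cipher                 : GCMP
"@
$sampleLegacy = @"
Profile OldOffice on interface Wi-Fi:
Security settings
-----------------
    Authentication         : WPA2-Personal
    Cipher                 : TKIP
    Security key           : Present
"@
Get-WlanProfileRating -ProfileName 'CorpWiFi'  -ProfileText $sampleCorp     # Rating: OK
Get-WlanProfileRating -ProfileName 'OldOffice' -ProfileText $sampleLegacy   # Rating: WEAK

# Live audit of every saved profile on this machine (Windows only)
if (Get-Command netsh -ErrorAction SilentlyContinue) {
    $names = (netsh wlan show profiles) -match 'All User Profile\s*:' |
             ForEach-Object { ($_ -split ':', 2)[1].Trim() }
    foreach ($n in $names) {
        Get-WlanProfileRating -ProfileName $n -ProfileText ((netsh wlan show profile name="$n") -join "`n")
    }
}
```

A `WEAK` rating on a corporate SSID is the cue to move that network to WPA2/WPA3-Enterprise with EAP-TLS; a pre-shared-key profile is acceptable only for an isolated guest SSID, which is exactly the separation the paragraph above recommends.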

Keep Renewing

Finally, we should mention the importance of continually renewing your approach. This is one area where you can’t stand still, as hackers and network attackers are continually crafting new approaches to circumventing security. You must keep up-to-date with all of the latest security and encryption technology, and ensure that it is implemented across your network.

LAW ENFORCEMENT AGENCIES ACROSS THE EU PREPARE FOR MAJOR CROSS-BORDER CYBER-ATTACKS

The possibility of a large-scale cyber-attack having serious repercussions in the physical world and crippling an entire sector or society is no longer unthinkable. To prepare for major cross-border cyber-attacks, an EU Law Enforcement Emergency Response Protocol has been adopted by the Council of the European Union. The Protocol gives a central role to Europol’s European Cybercrime Centre (EC3) and is part of the EU Blueprint for Coordinated Response to Large-Scale Cross-Border Cybersecurity Incidents and Crises. It serves as a tool to support the EU law enforcement authorities in providing an immediate response to major cross-border cyber-attacks through rapid assessment, the secure and timely sharing of critical information and effective coordination of the international aspects of their investigations.

In 2017, the unprecedented WannaCry and NotPetya cyber-attacks underlined the extent to which incident-driven and reactive responses were insufficient to address rapidly evolving cybercriminal modus operandi effectively.

The EU Law Enforcement Emergency Response Protocol determines the procedures, roles and responsibilities of key players both within the EU and beyond; secure communication channels and 24/7 contact points for the exchange of critical information; as well as the overall coordination and de-confliction mechanism. It strives to complement the existing EU crisis management mechanisms by streamlining transnational activities and facilitating collaboration with the relevant EU and international players, making full use of Europol’s resources. It further facilitates the collaboration with the network and information security community and relevant private sector partners.

Only cyber security events of a malicious and suspected criminal nature fall within the scope of this Protocol; it will not cover incidents or crises caused by a natural disaster, man-made error or system failure. Therefore, in order to establish the criminal nature of the attack, it is fundamental that the first responders perform all required measures in a way to preserve the electronic evidence that could be found within the IT systems affected by the attack, which are essential for any criminal investigation or judicial procedure.

MULTI-STAKEHOLDER PROCESS

The protocol is a multi-stakeholder process and entails in total seven possible core stages from the early detection and the threat classification to the closure of the Emergency Response Protocol.

“It is of critical importance that we increase cyber preparedness in order to protect the EU and its citizens from large scale cyber-attacks”, Wil van Gemert, Deputy Executive Director of Operations at Europol, said. “Law enforcement plays a vital role in the emergency response to reduce the number of victims affected and to preserve the necessary evidence to bring to justice the ones who are responsible for the attack.”

IT Act Amendment Bill to be tabled in ongoing winter session of Parliament

With social media gaining prominence, the Union Ministry of Electronics and IT has drafted amendments to the Information Technology (IT) Act, 2000, which are likely to be introduced in the ongoing winter session of Parliament.

A Cabinet note has been readied by the ministry. The note has already received a legal vetting from the law ministry, a senior government official told DNA Money. The Cabinet note is expected to come up for approval next week.

The Information Technology (Amendment) Bill, 2018, has already been listed in one of the upcoming Bills for consideration in the winter session.

The IT Act was last amended in 2008, a decade ago. Technology has changed rapidly since then, and with the government’s thrust on Digital India, cyber safety and data protection, there was a dire need for changes in the Act, the official said.

The current IT Act is thoroughly outdated legislation. The last amendments, made in 2008, were too limited and did not address all issues. The new amendments may include a framework for strengthening cyber security standards.

Plans to introduce the data protection Bill in this session, however, have been postponed.

The ministry had as many as 650 responses so far to the draft version of the data protection Bill submitted by Justice BN Srikrishna Committee in July this year. The Srikrishna committee had recommended storing one copy of all personal data in India, while critical information can be stored only locally.

However, the definition of ‘critical personal data’ has been left for the government to decide. It was open for public comments, but the inter-ministerial consultations are yet to be completed. The draft Bill had suggested measures for safeguarding personal information, defines obligations of data processors as also rights of individuals, and proposes penalties for violation.

Minister for IT and Electronics Ravi Shankar Prasad had earlier said digital medium has to be safe and secure to ensure equitable spread of benefits. India’s digital inclusion initiative is already being acknowledged globally. In less than five years, the government has made 307 government services available on the Umang platform and efforts are on to bring all central and state services on it.

HOW DISRUPTIVE TECHNOLOGIES ARE TRANSFORMING THE CYBER SECURITY LANDSCAPE

In this digitally savvy world, what could be a technophile’s most daunting nightmare? Cyber-crime, evidently! Online privacy violations and data breaches can unnerve even a tech-geek, and the way to ride out this issue is effective cyber security, for sure! Cyber security is the combination of techniques and tools used to protect computer networks, programs, and data from illegitimate access or attacks.

With the influx of disruptive technologies such as artificial intelligence (AI), machine learning, and IoT, cyber security has reached a new level of confidence in the digital space. Rather than being a damage controller, it has become a prioritized commercial investment for a number of businesses. Organizations dealing in IT in any form are applying artificial intelligence to their security surface for better outcomes.

Observing recent developments in AI, we can say that it brings something valuable to the table. The technology has driven smart autonomous security systems that are able to learn on their own. By combining machine learning with suitable AI software, drawing parallels across big data has become simpler. AI algorithms are particularly valuable for recognizing anomalies against regular patterns: combining cyber security and AI provides a way to establish a baseline of what is normal and to spot when a pattern deviates from it. In addition, AI with its supervised algorithms is capable of detecting the threats on which it has been trained.

Advancements of such technologies in reference to global cyber security trends have played the role of market drivers as well.

Some of the major market players who have leveraged AI/ML for cyber defense are contributing significantly to the global cyber security landscape. These companies are pushing cyber security market figures to new highs. A recent report projects the global cyber security market to be around $245 billion by 2023.

In the next couple of years, the cyber security market is expected to show positive acceleration in India as well. The country is amongst the fastest growing regions for cyber security companies and technologies, which attracts hefty investment overall. India is undoubtedly well geared to take the measures needed to secure networks across cyberspace.

Widening the lens to region-wise shielding against cyber-attacks, the US, followed by Israel and Russia, leads the drive for network security. The urge to survive the rush of cyber-crime has prepared these countries as well as possible to discover and protect against cyber threats. Canada, the UK, Malaysia, China, France, Sweden, and Estonia are stationed next to them in curbing malware infections.

Cyber risk poses a serious threat to a nation, affecting government, the economy, organizations and citizens’ affairs. Enterprises across the globe are emerging as sheriffs of countermeasures against cyber-attacks. Given the certainty of network threats, cyber security is no longer a national affair; it has emerged as an international concern in which every commercial, non-commercial, governmental or non-governmental entity needs to adopt disruptive technologies to outperform malicious maneuvers.

DLL Hijacking attacks: What is it and how to stay protected?

  • DLL Hijacking attacks are broadly categorized into three types – DLL search order attack, DLL side-loading attack, and Phantom DLL Hijacking attack.
  • For a DLL hijacking attack to be successful, an attacker would need to trick victims into opening a file with a vulnerable application from a remote network location.

DLL Hijacking is an attack vector that allows attackers to exploit the way Windows applications search for and load Dynamic Link Libraries (DLLs). If an application is vulnerable to DLL Hijacking, attackers can place malicious DLLs in the PATH or another location that is searched by the application and have them executed by the application, with the application’s privileges.

Types of DLL Hijacking attacks

DLL Hijacking attacks are broadly categorized into three types:

  • DLL search order attack
  • DLL side-loading attack
  • Phantom DLL Hijacking attack

DLL search order attack – Windows searches for a DLL in a specific order of directories. If a malicious DLL with the expected name is placed in a directory that comes earlier in that search order than the legitimate DLL, the executable will load the malicious one.

DLL side-loading attack – A DLL side-loading attack leverages the WinSxS (Windows side-by-side) directory, the mechanism Windows uses to keep multiple versions of a library, so that an application loads an attacker-supplied DLL in place of the intended one.

Phantom DLL Hijacking – A Phantom DLL Hijacking attack targets very old DLLs that applications still attempt to load even though the DLL no longer exists on the system. Attackers plant a malicious DLL with that name in the search path, and the malicious code is executed.

How does it work?

For a DLL hijacking attack to be successful, an attacker would need to trick a victim into opening a file with a vulnerable application from a remote network location. If the vulnerable application then tries to load an external DLL from the same location, the attack will most likely succeed.

Examples of DLL Hijacking

Example 1 – Farseer malware employs DLL sideloading technique

The Unit 42 research team recently uncovered new malware dubbed Farseer that frequently targets the Microsoft Windows operating system. Farseer malware leverages the ‘DLL sideloading’ technique, dropping legitimate, signed binaries to the host. The malware uses ‘DLL sideloading’ to evade detection by antivirus software.

Example 2 – KerrDown distributed via DLL side-loading

Researchers recently spotted a custom downloader, ‘KerrDown’, which is used by the OceanLotus threat actor group to infect victims with payloads such as Cobalt Strike Beacon.

OceanLotus was responsible for multiple attack campaigns against the private sector across multiple industries, foreign governments, activists, and dissidents connected to Vietnam.

OceanLotus threat actors leveraged two methods to deliver the ‘KerrDown’ downloader to victims:

  • Microsoft Office document with malicious macro, and
  • RAR archive which contains a legitimate program with DLL side-loading.

How to stay protected?

  • Researchers recommend enabling SafeDllSearchMode to prevent attackers from exploiting the search path.
  • It is also recommended to ensure that only signed DLLs are loaded for most system processes and applications.
  • In order to avoid DLL Hijacking, it is best to write secure code that loads DLLs from a fully specified path only.
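The first two recommendations can be verified on a live Windows host. The PowerShell below is an added example for this page, not code from the article or from the researchers it cites. It reads the SafeDllSearchMode value (a REG_DWORD under `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager`; Windows has enabled the mode by default since XP SP2, so an absent value means enabled and an explicit 0 means it was switched off) and then lists, for a chosen process, every loaded DLL that is either unsigned or sits outside the Windows and Program Files trees. The set of "trusted" directories is this example’s own heuristic, not a Windows rule.

```powershell
# Added example (not from the article): audit SafeDllSearchMode and the DLLs a
# running process has loaded, to spot candidates for search-order or side-loading abuse.

function Get-SafeDllSearchModeState {
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $item = Get-ItemProperty -Path $key -Name SafeDllSearchMode -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value absent: the secure default (enabled) applies
        return [pscustomobject]@{ ValuePresent = $false; Enabled = $true; Note = 'absent, default enabled' }
    }
    [pscustomobject]@{
        ValuePresent = $true
        Enabled      = ($item.SafeDllSearchMode -ne 0)
        Note         = "explicit value $($item.SafeDllSearchMode)"
    }
}

function Get-SuspiciousLoadedModules {
    param([Parameter(Mandatory)] [string] $ProcessName)

    # Heuristic trusted roots (an assumption of this example; tune for your estate)
    $trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
                    Where-Object { $_ } |
                    ForEach-Object { $_.TrimEnd('\') + '\' }

    foreach ($proc in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
        try   { $modules = $proc.Modules }
        catch { Write-Warning "cannot enumerate modules of PID $($proc.Id): $_"; continue }

        foreach ($mod in $modules) {
            $path = $mod.FileName
            if (-not $path) { continue }

            $inTrustedRoot = $false
            foreach ($root in $trustedRoots) {
                if ($path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
                    $inTrustedRoot = $true
                    break
                }
            }
            $sig    = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
            $signed = ($null -ne $sig -and $sig.Status -eq 'Valid')

            # Report anything unsigned, or signed but loaded from an unexpected directory
            if (-not $signed -or -not $inTrustedRoot) {
                [pscustomobject]@{
                    Process    = $proc.ProcessName
                    Pid        = $proc.Id
                    Module     = $mod.ModuleName
                    Path       = $path
                    Signed     = $signed
                    TrustedDir = $inTrustedRoot
                }
            }
        }
    }
}

# Usage: run both checks against the local machine
Get-SafeDllSearchModeState
Get-SuspiciousLoadedModules -ProcessName 'explorer' | Format-Table -AutoSize
```

The module list is a triage list rather than a verdict: third-party software legitimately ships unsigned DLLs, which is why the `TrustedDir` column is reported alongside `Signed`. A DLL that is both unsigned and loaded from a user-writable directory such as a profile folder, a temp directory or a network share is the combination worth investigating, and the same output can be fed into the third recommendation, fixing the application so that it loads that library from a fully specified path.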

Cybercriminals leverage ‘Fake CDC Flu’ warning to distribute GandCrab 5.2 ransomware

  • The attack begins with users receiving a fake CDC email.
  • In order to make it less suspicious, the email is distributed under the subject line of ‘Flu Pandemic Warning’.

The infamous GandCrab is back in a new phishing campaign. Here, the attackers are using a fake Centers for Disease Control (CDC) warning to distribute the GandCrab 5.2 ransomware onto the victims’ systems.

How does it work – As per My Online Security, the attack begins with users receiving a fake CDC email. In order to make it less suspicious, the email is distributed under the subject line of ‘Flu Pandemic Warning’. However, a close look reveals that the email comes from a sender ‘Peter@eatpraynope[.]com’ which has nothing to do with the CDC.

“To confuse the issue even more the subject line was written in what looks like a mix of Cyrillic & western characters & encoded in UTF8 format so a computer will automatically translate / decode it. When I first tried to post this, I got a garbled mess of characters in the url to this post where the Copy & pasting from the email picked up the utf8 format,” the researchers explained.

The email includes a malicious doc that appears to contain instructions on how to prevent flu. When users open the doc, GandCrab 5.2 is unleashed and installed on their computers.

“The Word doc attachment is almost empty with just an Urgent Notice Heading. The scumbags trying to compromise you are hoping that you will enable content & editing to enable the macros that let this run,” said researchers.

Encryption process – Once installed, the ransomware encrypts the victims’ files and leaves behind a warning note, asking for ransom.

“The C2 for this is a well known site ‘https[:]//www.kakaocorp.link/static/tmp/eshe[.]png’ where the ransomware posts encrypted / encoded details about the compromised computer,” read the report.

In order to stay safe, users are urged to ignore such emails and should not click on the link or malicious doc as it can infect the systems.

Attackers compromised Pakistani government website to deliver Scanbox Framework payload

  • Researchers detected a compromised Pakistani government website that delivers Scanbox Framework payload whenever anyone visits the site.
  • Trustwave notified the Pakistani government website about the infection, however, the site still remains compromised.

What is the issue – Researchers from Trustwave detected a compromised Pakistani government website that delivers Scanbox Framework payload whenever anyone visits the site.

Worth noting – The compromised Pakistani government website (tracking.dgip.gov[.]pk) is a subdomain of the Directorate General of Immigration & Passport of the Pakistani government that allows passport applicants to track the status of their application.

The big picture

  • Once the Scanbox framework is on the visitor’s system, it collects system information and keystroke logs.
  • Scanbox also attempts to detect whether the visitor has installed any of the 77 endpoint products such as security tools, decompression, and virtualization tools.

“Scanbox Framework is a reconnaissance framework that was first mentioned back in 2014 and has been linked over the years to several different APT groups. Its intense activity during the 2014-2015 years has been well-covered in a paper written by PwC. It was then seen again in 2017 suspected to be used by the Stone Panda APT group, and once more in 2018 in connection with LuckyMouse,” Trustwave researchers said in a blog.

Why it matters – Security products largely failed to detect the compromised website

  • Most of the Antivirus and security products failed to detect this compromised domain, however, Trustwave detected the compromised site on March 2, 2019.
  • On that day alone, Scanbox managed to gather information including credentials on at least 70 unique visitors.
  • The impacted visitors were primarily from Pakistan (80%), while other visitors were located in Saudi Arabia, the United States, China, Qatar, Germany, UK, South Korea, Netherlands, and India.
  • Trustwave notified the Pakistani government website about the infection, however, the site still remains compromised.

The bottom line – The Scanbox server currently appears inactive; however, the infection indicates that the attacker has some level of access to the compromised website.

“The Scanbox server currently appears inactive, but the infection indicates that the attack has some level of access to the site, and so it’s likely that the server could return to activity or be replaced with a different piece of malicious code at the attacker’s will,” researchers said.

India Lender Warns Of WhatsApp Scam That Steals Bank Details

According to a report in BGR, State Bank of India (SBI) said messages on WhatsApp and other social media platforms are tricking customers into sharing details of their accounts.

The hackers are tricking users by first sending a message in an effort to get them to share a one-time password. Some of the WhatsApp messages had an embedded link that installs an app in the background, which is used to obtain the one-time password from the user’s phone. State Bank of India is allowing customers to get a refund if they report the issue within three business days, noted BGR.

The scam targeting SBI account holders isn’t the only way hackers have been going after consumers in India in recent weeks. In late February, a man was able to trick people out of $250,000 using fake cryptocurrency. According to reports at the time, Pritam Patil asked victims to invest in an initial coin offering of his KBC Coin, which was named after a popular game show in India. He told investors the coin would see a substantial rise. With the cash in hand, he shut down the business and told investors they wouldn’t get their money back.

The use of WhatsApp to target Indian consumers makes sense, given its wide popularity in the country. As of June, the messaging app, which also facilitates digital payments, had more than one million users on its platform.
