Firewall Firm is a Managed Cyber Security Company in India
Tag Archives: cyber security news

Attackers continue to enhance their performance, apply smart business techniques

During the second half of 2018, attackers bulked up existing tactics, rapidly evolved new performance enhancements, and applied smart business techniques to vastly accelerate the growth rate of attacks, according to the latest Threat Landscape Report by Netscout.

IoT’s countdown to attack

  • Constant targets of DDoS malware, IoT devices come under attack within five minutes of being plugged in and targeted by specific exploits within 24 hours.
  • IoT security is minimal to nonexistent on many devices, making this an increasingly dangerous and vulnerable sector, particularly as items ranging from medical devices to cars are IoT-equipped.

The ‘TerrorBit attack’ and beyond

  • Overall, the number of DDoS attacks in 2018 was up 26 percent compared to the year previously, and attacks in the 100-400 Gbps range exploded, showing continued interest by bad actors in this attack vector and maturity of tooling in the mid-range of attacks.
  • The global maximum DDoS attack size grew by 19 percent in the second half of 2018 versus the same period in the year previously, as threat actors launched strategic campaigns that compromised and used a vast array of devices related solely by internet connectivity. And “carpet bombing,” a new variant of the more common reflection or flooding DDoS attack, emerged, requiring different detection techniques.

Nation-state innovation

  • DDoS attacks against the international affairs sector, which includes the United Nations, the International Monetary Fund and the State Department, increased by nearly 200 percent between 2H 2017 and 2H 2018.
  • The volume of nation-state APT group activity has increased over the last year, as has the number of targets. As a result, NETSCOUT now monitors the activities of at least 35 groups across several countries, including Iran, China, Russia, and North Korea.
  • These groups are employing new techniques, combining custom-made tools with commodity crimeware as in the case of STOLEN PENCIL to extend their reach and impact.

Commercialization of crimeware

  • The cybercriminal underground operates much like legitimate businesses using the conventional business practice of the affiliate model to rapidly generate profits. Increases in attack size reflect the continued monetization of the threat landscape.
  • Campaigns like DanaBot increased distribution efficiency and cut labor costs by using an affiliate model to rapidly establish its presence across the globe, with 12 separate affiliates targeting financial institutions in many countries.
  • However, collaborative crime fighting is also on the rise, illustrated by recent efforts with the ASERT team and the FBI during an investigation into MedusaHTTP DDoS, a botnet from a hacker known as stevenkings, that ultimately led to charges being filed.

Through telemetry on a massive scale, ATLAS delivers visibility into the backbone networks at the core of the internet. NETSCOUT gathers data shared by organizations around the world, including 90 percent of Tier 1 service providers, representing approximately one third of internet traffic.

New Flaws Re-Enable DMA Attacks On Wide Range of Modern Computers

Security researchers have discovered a new class of security vulnerabilities that impacts all major operating systems, including Microsoft Windows, Apple macOS, Linux, and FreeBSD, allowing attackers to bypass protection mechanisms introduced to defend against DMA attacks.

Known for years, Direct Memory Access (DMA)-based attacks let an attacker compromise a targeted computer in a matter of seconds by plugging a malicious hot-plug device, such as an external network card, mouse, keyboard, printer, storage device, or graphics card, into a Thunderbolt 3 port or a USB-C port.

DMA-based attacks are possible because the Thunderbolt port allows connected peripherals to bypass operating system security policies and directly read and write system memory, which holds sensitive information including your passwords, banking logins, private files, and browser activity.

That means simply plugging in an infected device, built using tools like Interception, can manipulate the contents of memory and execute arbitrary code with far higher privileges than a regular USB peripheral has, allowing attackers to bypass the lock screen or control the PC remotely.

To block DMA-based attacks, most operating systems and devices rely on the Input/Output Memory Management Unit (IOMMU) to control which (normally legitimate) peripheral devices can access memory at all, and which regions of memory each may reach.

ThunderClap Flaws Bypass IOMMU to Re-Enable DMA Attacks

Now, a team of cybersecurity researchers from the University of Cambridge, Rice University, and SRI International has unveiled a set of new vulnerabilities in various major operating systems that could allow attackers to bypass IOMMU protection.

By mimicking the functionality of a legitimate peripheral device, an attacker can trick targeted operating systems into granting it access to sensitive regions of memory.

In a paper [PDF] published earlier this week, the researchers detailed all of the new vulnerabilities, which they discovered using a hardware/software research platform called Thunderclap that they built and have released as open source.

The researchers also stressed that because the IOMMU is not enabled by default on most operating systems, and because modern devices ship with USB-C ports, the attack surface for DMA attacks, earlier limited mainly to Apple devices with Thunderbolt 3 ports, has grown significantly.

“The rise of hardware interconnects like Thunderbolt 3 over USB-C that combine power input, video output, and peripheral device DMA over the same port greatly increases the real-world applicability of Thunderclap vulnerabilities.”

“In particular, all Apple laptops and desktops produced since 2011 are vulnerable, with the exception of the 12-inch MacBook. Many laptops, and some desktops, designed to run Windows or Linux produced since 2016 are also affected – check whether your laptop supports Thunderbolt.”

How to Protect Against Thunderclap Vulnerabilities

Researchers have reported their findings to all major hardware and operating system vendors, most of which have already shipped substantial mitigations for the Thunderclap vulnerabilities.

“In macOS 10.12.4 and later, Apple addressed the specific network card vulnerability we used to achieve a root shell,” researchers said. “Recently, Intel has contributed patches to version 5.0 of the Linux kernel.”

“The FreeBSD Project indicated that malicious peripheral devices are not currently within their threat model for security response.”

Though the available software patches cannot entirely block DMA attacks, users are still advised to install security updates to reduce the attack surface. According to the researchers, the best way to fully protect yourself is to disable the Thunderbolt ports on your machine, if that is an option.

The researchers also developed proof-of-concept attack hardware that exploits the Thunderclap vulnerabilities on targeted systems, but they have chosen not to release it publicly at this time.
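As an added example (not code from the researchers or from this article), the following Python posture check covers the two mitigations the text names on a Linux host: whether an IOMMU is actually active, and whether the Thunderbolt controller admits hot-plugged PCIe devices without user approval. The sysfs/procfs paths and Thunderbolt security-level names are real Linux interfaces; the verdict thresholds and the constructed inputs in the checks are this example's own.

```python
"""Posture check for the DMA-attack mitigations discussed above, on Linux.

Two layers matter: whether an IOMMU is actually active, and whether the
Thunderbolt controller admits hot-plugged PCIe devices without approval.
The decision logic takes plain values so it can also run on captured data.
"""
import glob
import os

# Kernel parameter that explicitly switches the Intel IOMMU on. Some kernels
# build it default-on, and AMD enables its IOMMU by default, so the sysfs
# check in iommu_active() is the authoritative one; this is advisory.
IOMMU_ON_PARAMS = ("intel_iommu=on",)

# Thunderbolt security levels as exposed in
# /sys/bus/thunderbolt/devices/domain*/security. "none" means any hot-plugged
# device is given PCIe (and therefore DMA) access with no user approval;
# "user"/"secure" require authorisation; "dponly"/"usbonly" tunnel no PCIe.
TB_LEVEL_RISK = {"none": "high", "user": "medium", "secure": "medium",
                 "dponly": "low", "usbonly": "low"}
RISK_ORDER = {"low": 0, "medium": 1, "high": 2}


def iommu_requested(cmdline):
    """True if the kernel command line explicitly enables the IOMMU."""
    return any(param in IOMMU_ON_PARAMS for param in cmdline.split())


def iommu_active(iommu_group_names):
    """/sys/kernel/iommu_groups/ is populated only when an IOMMU is in use."""
    return len(list(iommu_group_names)) > 0


def thunderbolt_risk(security_levels):
    """Worst risk across all Thunderbolt domains; "n/a" when there is none.
    Unknown level strings are rated high so they are not silently trusted."""
    levels = [lvl.strip() for lvl in security_levels]
    if not levels:
        return "n/a"
    return max((TB_LEVEL_RISK.get(lvl, "high") for lvl in levels),
               key=RISK_ORDER.__getitem__)


def assess(cmdline, iommu_group_names, tb_security_levels):
    """Combine the inputs into a verdict (thresholds chosen for this example):
    ok      - IOMMU active and Thunderbolt does not auto-authorise devices
    warn    - one of the two layers is missing (or no Thunderbolt, IOMMU off)
    exposed - Thunderbolt present, IOMMU off and devices auto-authorised"""
    active = iommu_active(iommu_group_names)
    tb_risk = thunderbolt_risk(tb_security_levels)
    if tb_risk == "n/a":
        verdict = "ok" if active else "warn"
    else:
        layers = int(active) + int(tb_risk != "high")
        verdict = {2: "ok", 1: "warn", 0: "exposed"}[layers]
    return {
        "iommu_requested_on_cmdline": iommu_requested(cmdline),
        "iommu_active": active,
        "thunderbolt_risk": tb_risk,
        "verdict": verdict,
    }


def read_live_state():
    """Collect inputs from the running host (assumes Linux with sysfs mounted)."""
    with open("/proc/cmdline") as fh:
        cmdline = fh.read()
    groups_dir = "/sys/kernel/iommu_groups"
    groups = os.listdir(groups_dir) if os.path.isdir(groups_dir) else []
    levels = []
    for path in glob.glob("/sys/bus/thunderbolt/devices/domain*/security"):
        with open(path) as fh:
            levels.append(fh.read())
    return cmdline, groups, levels


if __name__ == "__main__":
    try:
        result = assess(*read_live_state())
    except OSError as exc:
        raise SystemExit(f"not a Linux host with sysfs/procfs available: {exc}")
    for key, value in result.items():
        print(f"{key}: {value}")
```

Even an "ok" verdict only means both layers are present; the Thunderclap research shows that a device mimicking a trusted peripheral can still get past an enabled IOMMU, so treat the check as a floor, not a guarantee.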

Hackers’ Favorite CoinHive Cryptocurrency Mining Service Shutting Down

Coinhive, a notorious in-browser cryptocurrency mining service popular among cybercriminals, has announced that it will discontinue its services on March 8, 2019. Regular readers of The Hacker News already know how Coinhive’s service helped cybercriminals earn hundreds of thousands of dollars by using the computers of millions of people visiting hacked websites.

For a brief recap: in recent years, cybercriminals leveraged every possible web vulnerability [in Drupal, WordPress, and others] to hack thousands of websites and wireless routers, then modified them to secretly inject Coinhive’s JavaScript-based Monero (XMR) mining script into web pages for their own financial benefit.

Millions of online users who visited those hacked websites immediately had their computers’ processing power hijacked to mine cryptocurrency without their knowledge, a practice known as cryptojacking, potentially generating profits for cybercriminals in the background.

Now, while explaining the reason to shut down in a note published on its website yesterday, the Coinhive team said mining Monero via internet browsers is no longer “economically viable.”

“The drop in hash rate (over 50%) after the last Monero hard fork hit us hard. So did the ‘crash’ of the cryptocurrency market with the value of XMR depreciating over 85% within a year,” the service said.

“This and the announced hard fork and algorithm update of the Monero network on March 9 has led us to the conclusion that we need to discontinue Coinhive.”

Users with an account on the Coinhive website whose balance is above the minimum payout threshold can withdraw funds from their accounts before April 30, 2019.

Though Coinhive was launched as a legitimate service offering website administrators an alternative way to generate revenue from their sites, its extensive abuse in cybercriminal activity led tech companies and security tools to label it as “malware” or a “malicious tool.”

To prevent cryptojacking by browser extensions that mine digital currencies without users’ knowledge, last year Google also banned all cryptocurrency mining extensions from its Chrome Web Store.

An unprotected server exposed almost 2.7 million call recordings for six years

  • Of the 2.7 million exposed call recordings, almost 57,000 call recordings have filenames containing the telephone numbers of those who called the helpline.
  • Researchers noted that the unprotected server available at nas.applion.se might have been impacted by almost 23 vulnerabilities with CVEs assigned between 2013 and 2018.

A storage server containing real-time call recordings made to the 1177 Swedish Healthcare Guide helpline for health care information was found publicly available without any password protection.

The server, which was left open without a password, exposed almost 2.7 million health-related call recordings dating back to 2013.

23 vulnerabilities in the server

Lars Dobos noted in a blog post that a Shodan search query revealed that the unprotected Apache HTTP Server 2.4.7 available at nas[.]applion.se might have been affected by almost 23 vulnerabilities with CVEs assigned between 2013 and 2018. Therefore, even if the server had not been left publicly available, it would have been breached at some point.

What information was exposed?

Computer Sweden, which detected the open web server, listened to some of the call recordings to learn the extent of the leak and the damage to the public.

  • The call recordings included sensitive information about diseases and other ailments of callers.
  • Callers’ symptoms and the medications taken for previous treatments.
  • Children’s symptoms and social security numbers.

Dobos noted that of the 2.7 million exposed call recordings, almost 57,000 have filenames containing the telephone numbers of those who called the 1177 Swedish Healthcare helpline.

“The fact that the calls are recorded is in itself permitted, it may be necessary for the patient’s safety, or to be able to prove abuse, but the saved audio files should be treated with confidentiality according to the patient data law. It is also clearly the question of information that is considered as sensitive personal data according to GDPR,” the report read.

Unprotected storage server used by Medicall

The unprotected server that exposed the 2.7 million call recordings was used by Medicall, which is based in Hua Hin, Thailand. The exposed recordings include calls made to Medicall, a subcontractor of Medhelp, which receives patient calls via the 1177 Care Guide helpline.

“We have checked this out with our IT, and what you say is completely impossible,” said Davide Nyblom, CEO at Medicall.

“This is catastrophic, it’s sensitive data. We had no idea that it was like this. We will, of course, review our systems and check out what may have happened,” said Tommy Ekström, CEO of Voice Integrate Nordic.

Russian cyberattackers are in and gone in less than 20 minutes

Russian threat actors are almost eight times faster at taking advantage of a compromised system than other nation-state actors, a tribute to their operational tradecraft, according to Crowdstrike’s 2019 Global Threat Report.

An analysis of what Crowdstrike calls “breakout time” shows the Russians are quicker, by a factor of eight, at moving laterally through a system and accomplishing their primary objectives than their next closest competitor, the North Koreans.

The report noted this level of accomplishment is even more impressive considering the North Korean threat teams are themselves twice as fast as the third-place Chinese crews. Iran was the fourth quickest, while various cybercrime actors were fifth. Russians are typically able to do this in just under 19 minutes, compared to two and a half hours for the North Koreans and four hours eight minutes for the Chinese.

One bit of good news in this category is that the average breakout time across all threats in 2019 was four hours and 37 minutes, more than twice the one hour and 58 minutes logged by Crowdstrike in 2017. The report credited two possible factors for this jump: an increase in the number of slower attackers, and more organizations deploying next-generation endpoint security.

To combat effective attackers like the Russians, Crowdstrike recommends companies employ the 1-10-60 rule: an intrusion should be detected in under a minute, fully investigated within 10 minutes, and the adversary eradicated from the system within an hour.

Lockheed Martin, UCF Open $1.5 Million Cyber Lab in Orlando

Lockheed Martin and the University of Central Florida (UCF) celebrated the grand opening of a Cyber Innovation Lab on UCF’s campus that will help meet the growing local and national need for cybersecurity talent.

“This lab will serve as the campus’ primary hub for students to develop and expand their information security skills, preparing them to enter this high demand field and take on the cybersecurity threats of the future,” said UCF President Dale Whittaker. “We are grateful for Lockheed Martin’s longtime partnership and strong commitment to our students’ success.”

The National Institute of Standards and Technology estimates there are more than 13,000 unfilled cybersecurity jobs in Florida alone. That trend will continue, as the U.S. Bureau of Labor Statistics predicts jobs for information security analysts will grow 28 percent by 2026.

In 2018, Lockheed Martin donated $1.5 million to UCF to help create the Cyber Innovation Lab and encourage the next generation of science, technology, engineering and math (STEM) talent to collaborate and solve today’s challenging cyber problems. The company’s donation will fund software and technology support for the lab, and employees will also provide cyber training and professional mentoring to engineering students.

“Having a centralized space will streamline the way we organize our meetings and practices,” said Hack@UCF President David Maria, a senior studying computer engineering. “With this lab, we can practice for competitions, host workshops and speakers, provide cyber security tools and resources, and give our student members a sense of community and help get them ready for future careers. It’s not just a practice space. It’s a home for us.”

The 970-square-foot lab is located in UCF’s Engineering I building and will serve as a learning hub for the more than 350 students participating in cyber programs at UCF. Hack@UCF, a four-time national champion in competitions like the Collegiate Cyber Defense Competition and the U.S. Department of Energy CyberForce Competition, will also use the lab as its primary practice center.

In Orlando, Lockheed Martin employs approximately 2,500 UCF graduates, with plans to expand its cyber workforce. The company’s local Cyber Solutions business grew 400 percent over the past five years and expects that growth to continue as the nation seeks offensive and defensive cybersecurity capabilities to address the evolving cyber threats.

8 Cybersecurity Risks That May Impact Organizations in 2019

Aon’s 2019 Cyber Security Risk Report features eight risks that may impact organizations in the next 12 months, no matter where they are on their digital journey.

“In 2018 we witnessed that a proactive approach to cyber preparation and planning paid off for the companies that invested in it, and in 2019, we anticipate the need for advanced planning will only further accelerate,” said J. Hogg, CEO of Cyber Solutions at Aon. “Leaders must work to better insulate their companies and their processes, while simultaneously identifying the ways they can benefit from the opportunities offered through technology and digital transformation.”

Hogg continued: “Our 2019 report also shows that organizations must recognize the need to share threat intelligence across not only their own network but with others as well. While it may seem counter-intuitive when thinking about cybersecurity, collaboration within and across enterprises and industries can keep private data of companies and individuals alike safer. Working together can result in improved efforts to hunt bad actors, while also raising the bar and making all parties more prepared for the inevitable day when a disruption does happen.”

The “What’s Now and What’s Next” report focuses on eight specific risk areas that companies may face in 2019. The risks illustrate how, as organizations transition to a digital-first approach across all transactions, the attack surface of global business expands rapidly and sometimes in unexpected ways. In other words, thanks to the rapid enhancements and constant changes in technology, the number of touch points that cyber criminals can access within a business is growing exponentially.

The eight risks include:

  1. Technology – While technology has revolutionized the way organizations today conduct business, broader and wider-spread use of technology also brings vulnerabilities. From publishing to automotive, industries are facing new, evolving services and business models. These new opportunities however, bring with them a radically different set of risks, which organizations will need to anticipate and manage as they continue the digital transformation process.
  2. Supply Chain – Two prevailing supply chain trends will heighten cyber risks dramatically in the coming year: one is the rapid expansion of operational data exposed to cyber adversaries, from mobile and edge devices like the Internet of Things (IoT); and the other trend is companies’ growing reliance on third-party—and even fourth-party—vendors and service providers. Both trends present attackers with new openings into supply chains, and require board-level, forward-looking risk management in order to sustain reliable and viable business operations.
  3. IoT – IoT devices are everywhere, and every device in a workplace now presents a potential security risk. Many companies don’t securely manage or even inventory all IoT devices that touch their business, which is already resulting in breaches. As time goes on, the number of IoT endpoints will increase dramatically, facilitated by the current worldwide rollouts of cellular IoT and the forthcoming transition to 5G. Effective organizational inventory and monitoring process implementation will be critical for companies in the coming year and beyond.
  4. Business Operations – Connectivity to the Internet improves operational tasks dramatically, but increased connectivity also leads to new security vulnerabilities. The attack surface expands greatly as connectivity increases, making it easier for attackers to move laterally across an entire network. Further, operational shortcuts or ineffective backup processes can make the impact of an attack on business operations even more significant. Organizations need to be better aware of, and prepared for, the cyber impact of increased connectivity.
  5. Employees – Employees remain one of the most common causes of breaches. Yet employees likely do not even realize the true threat they pose to an entire organization’s cybersecurity. As technology continues to impact every job function, from the CEO to the entry-level intern, it is imperative for organizations to establish a comprehensive approach to mitigate insider risks, including strong data governance, communicating cybersecurity policies throughout the organization, and implementing effective access and data-protection controls.
  6. Mergers & Acquisitions (M&A) – Projections anticipate that M&A deal value will top $4 trillion in 2018, which would be the highest in four years. The conundrum this poses to companies acquiring other businesses is that while they may have a flawless approach to cybersecurity enterprise risk, there is no guarantee that their M&A target has the same approach in place. Dealmakers must weave specific cybersecurity strategies into their larger M&A plans if they want to ensure seamless transitions in the future.
  7. Regulatory – Increased regulation, laws, rules and standards related to cyber are designed to protect and insulate businesses and their customers. The pace of cyber regulation enforcement increased in 2018, setting the stage for heightened compliance risk in 2019. Regulation and compliance, however, cannot become the sole focus. Firms must balance both new regulations and evolving cyber threats, which will require vigilance on all sides.
  8. Board of Directors – Cybersecurity oversight continues to be a point of emphasis for board directors and officers, but recent history has seen an expanding personal risk raising the stakes. Boards must continue to expand their focus and set a strong tone across the company, not only for actions taken after a cyber incident, but also proactive preparation and planning.

(ISC)2 Announces New Professional Development Institute to Train Cyber Professionals

(ISC)² has launched its Professional Development Institute (PDI) to combat the global shortage of skilled and trained cybersecurity professionals.

PDI is provided as a free portfolio of course offerings to (ISC)2 members and associates. It will help enhance their skills and abilities by providing access to rich continuing professional education (CPE) opportunities that augment the knowledge they’ve gained throughout their careers.

The multi-year strategy for PDI encompasses the addition of 18 new staff over the next two years, joining the more than 160 existing global employees of the association. These new staff will manage content development, curriculum building, quality control, communications, logistics and administration for the institute. The association will also build out a 765-square-foot video production studio in its Clearwater, Fla., headquarters to produce content for courses featuring leading cybersecurity professionals.

PDI builds on the successful 2018 pilot launch of three professional development courses provided at no additional fee to members and associates. Topics included GDPR for Security Professionals, DevSecOps and Building a Strong Culture of Security. Focus groups and member surveys provided insight into the professional development needs of security professionals, and the results have informed, and will continue to inform, the evolution of PDI’s curriculum strategy. Member subject matter experts will guide the development of the course material, supported by a team of highly qualified adult education experts and creative professionals. This will enable (ISC)² to develop a robust catalogue of CPE courses and offerings with the ability to continuously refresh that catalogue based upon clearly articulated member need. In 2019 alone there will be up to 30 new courses released as part of the portfolio.

PDI courses will help (ISC)² members and associates enhance their professional skills through convenient, high-quality education. Making the courses available in an easily accessible online format will help members maintain a work-life balance.

“There has been demand from (ISC)2 members for a wide array of professional development opportunities for education and CPE purposes. There are many such opportunities within the industry, but they are not readily accessible or only available at a significant cost, so I am very excited to see that (ISC)2 is offering these development programs,” said James McQuiggan, CISSP, Product & Solutions Security Officer for Siemens Gamesa Renewable Energy, Chapter President for the (ISC)2 Central Florida Chapter and (ISC)2 Advisory Council North America member. “I had the honor and pleasure to provide guidance for the content of one of the initial courses and shared my experience and expertise in its development because I agree with the focus on practical application of security principles. Many of us who are (ISC)2 certification holders need opportunities like PDI to stay educated and up to speed on the latest threats, techniques and tools.”

Ransomware attackers exploit old plug-in flaw to infect MSPs and their clients

Researchers are warning that hackers are exploiting a plug-in vulnerability to infect MSPs and their customers with GandCrab ransomware.

The bug, CVE-2017-18362, dates back to 2017, and is found in unpatched versions of the ConnectWise ManagedITSync integration plug-in tool, explains a Feb. 8 blog post by Chris Bisnett, security researcher at Huntress Labs. This plug-in is designed to sync data between the ConnectWise Manage professional services automation platform and the Kaseya remote monitoring and management system used by some MSPs.

Huntress Labs suspects that this exploit could be the culprit behind an attack reported on the MSP Reddit channel earlier this month. According to the Reddit user post, a mid-sized MSP had been recently attacked with ransomware that locked up 80 of its customers’ endpoints, including servers. “Owner of a company under the mentioned MSP came over to our shop to purchase a ‘clean’ system,” the post reads. “Seems the MSP is negotiating the ransom amount and will pay up.”

The NIST National Vulnerability Database’s entry for CVE-2017-18362 has been updated this month to reflect recent developments. “ConnectWise ManagedITSync integration through 2017 for Kaseya VSA is vulnerable to unauthenticated remote commands that allow full direct access to the Kaseya VSA database,” the entry states. “In February 2019, attackers have actively exploited this in the wild to download and execute ransomware payloads on all endpoints managed by the VSA server. If the ManagedIT.asmx page is available via the Kaseya VSA web interface, anyone with access to the page is able to run arbitrary SQL queries, both read and write, without authentication.”

“In 2017, Connectwise announced a vulnerability in their Plugin that allows multiple operations to be performed on a Kaseya server without authentication. Upon discovery of this flaw, Connectwise released an update intended to patch this vulnerability,” says Connectwise in a security advisory that was last updated around Feb. 10. “Kaseya has detected that an extremely small number of customers either may not have installed the update from Connectwise or may have installed this update incorrectly.”
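As an added detection example, not code from Huntress Labs, ConnectWise or Kaseya: a Python helper that scans IIS-style W3C web-server logs for requests to the ManagedIT.asmx endpoint named in the advisory and groups them by client address, ignoring an allowlisted integration host. The `#Fields` layout, the sample log lines, the IP addresses and the allowlist are all constructed for this example; the page name is the only identifier taken from the article.

```python
"""Flag requests to the ConnectWise ManagedITSync endpoint (ManagedIT.asmx)
in Kaseya VSA web-server logs.

Because the endpoint answered without authentication (CVE-2017-18362), every
hit from a host other than the ConnectWise Manage server that legitimately
syncs with it deserves investigation, regardless of HTTP status.
"""
import re

# Match the vulnerable page regardless of case or directory prefix.
ENDPOINT_RE = re.compile(r"/managedit\.asmx$", re.IGNORECASE)

# Constructed sample in IIS W3C extended format. The field list is an
# assumption about the logging configuration; adapt it to your own.
SAMPLE_LOG = """\
#Software: constructed sample
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query cs-username sc-status
2019-02-07 03:12:44 10.20.0.15 POST /ManagedIT.asmx - - 200
2019-02-07 03:12:45 10.20.0.15 POST /ManagedIT.asmx - - 200
2019-02-08 22:41:03 198.51.100.77 GET /ManagedIT.asmx - - 200
2019-02-08 22:41:09 198.51.100.77 POST /ManagedIT.asmx - - 200
2019-02-08 22:41:10 198.51.100.77 POST /managedit.asmx - - 500
2019-02-08 22:45:51 10.20.0.31 GET /index.html - jsmith 200
2019-02-08 22:46:02 198.51.100.77 POST /ManagedIT.asmx - - 200
2019-02-08 22:46:03 truncated line
"""

# Constructed address of the ConnectWise Manage server that is allowed to
# call the sync endpoint; everything else is suspect.
ALLOWLIST = {"10.20.0.15"}


def parse_w3c(log_text):
    """Yield one dict per data line, naming columns from the #Fields header.
    Lines whose field count differs from the header are skipped, not guessed."""
    fields = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue
        yield dict(zip(fields, parts))


def find_suspect_access(log_text, allowlist):
    """Group requests to ManagedIT.asmx by client IP, dropping allowlisted hosts.
    Returns {ip: {"count", "methods", "statuses", "first_seen", "last_seen"}}."""
    findings = {}
    for rec in parse_w3c(log_text):
        if not ENDPOINT_RE.search(rec["cs-uri-stem"]):
            continue
        ip = rec["c-ip"]
        if ip in allowlist:
            continue
        when = f'{rec["date"]} {rec["time"]}'   # fixed-width, so string order == time order
        entry = findings.setdefault(ip, {"count": 0, "methods": set(), "statuses": set(),
                                         "first_seen": when, "last_seen": when})
        entry["count"] += 1
        entry["methods"].add(rec["cs-method"])
        entry["statuses"].add(rec["sc-status"])
        entry["first_seen"] = min(entry["first_seen"], when)
        entry["last_seen"] = max(entry["last_seen"], when)
    return findings


if __name__ == "__main__":
    for ip, info in find_suspect_access(SAMPLE_LOG, ALLOWLIST).items():
        print(f"{ip}: {info['count']} request(s) to ManagedIT.asmx, "
              f"methods={sorted(info['methods'])}, statuses={sorted(info['statuses'])}, "
              f"{info['first_seen']} .. {info['last_seen']}")
```

A non-empty result on a production VSA server means the endpoint is reachable from hosts that should never call it; removing or restricting the page, as the vendor update did, is the fix the detection points at.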

About 21% of Indian computers and phones are infected with malware: Study

The study conducted by Comparitech judged countries on the basis of malware attacks, cyber-attack preparedness and most up to date cybersecurity-related legislation.

India ranked 15th among 60 countries for the worst cybersecurity, with over 25% of its phones and 21% of its computers infected with malware.

India scored about 39% overall, though both Pakistan and China are worse off in cybersecurity. About 25.25% of Indian phones and 21.8% of Indian computers are infected with malware. The study found Japan to be the most cyber-secure country in the world; it scored very low across the majority of categories, scoring only a little higher in the preparation-for-cyberattacks and legislation categories. Only 1.34% of its phones and about 8% of its computers are susceptible to malware attacks.

Other top-performing countries included France, Canada, Denmark, and the United States. On the other end of the spectrum Algeria is the least cyber-secure country in the world with 22.88% of its phones and 32.41% of its computers infected with malware. It was the highest-ranking country for lack of legislation and computer malware rates, and also received a high score in the categories for mobile malware and preparation for cyberattacks. Other high-ranking countries were Indonesia, Vietnam, Tanzania, and Uzbekistan.

Germany saw the most attacks involving financial malware, while China was the country from which most Telnet attacks originated.
