Cyber-criminals Lure Victims with Coronavirus Cure Conspiracy Theories

Threat actors exploiting public interest in the ongoing coronavirus outbreak have baited their phishing traps with a new lure—conspiracy theories about unreleased cures.

The new tactic was noted by researchers at Proofpoint, who have been monitoring global malicious activity related to the life-threatening virus in the form of hundreds of thousands of messages. 

Alongside a flurry of phishing scams that hook victims with tall tales of secret remedies, researchers observed the emergence of campaigns that abuse perceived legitimate sources of health information to manipulate users. 

One malicious message, titled “Confidential Cure Solution on Corona virus,” presented the sickness as a “deadly virus developed and sprayed by wicked scientists to reduce the population of the world so the government will have control over you.”

The message then invited victims to download a document allegedly containing information about a cure for the virus.  

It’s not just the subject matter of coronavirus phishing scams that is changing; researchers also detected differences in the malware being used to net victims.

In a report published today, Proofpoint researchers wrote: “In this latest round of campaigns, attackers have expanded the malware used in their Coronavirus attacks to include not just Emotet and the AZORult information stealer, but also the AgentTesla Keylogger and the NanoCore RAT—all of which can steal personal information, including financial information.”

Researchers also reported seeing fake Office 365, Adobe, and DocuSign sites, linked to coronavirus-themed emails, that had been specifically set up to steal credentials.

Initial coronavirus-themed attacks focused on the United States and Japan, which recorded its first fatality from COVID-19 today. More recently, researchers have observed threat actors targeting Australia and Italy, using lures written in Italian against the latter.

Other noticeable differences observed by the researchers include an increase in the number and variety of industries that these threat actors are hitting. 

“We have previously written about Coronavirus-themed attacks centered on concerns around economic disruptions in light of the outbreak, specifically around shipping. This trend is continuing and has expanded to include manufacturing as well,” wrote researchers.

“Consistent with this level of tailoring and focus on economic concerns, we are also seeing dedicated attacks against construction, education, energy, healthcare, industry, manufacturing, retail, and transportation companies.”

The prolonged focus on coronavirus as a theme suggests that the topic is proving to be a successful earner for the morally bankrupt cyber-criminals who have no qualms exploiting human suffering for financial gain.

Premium Domain Names – transcom.uk
Transcom ISP – The UK’s Best Business ISP
DoubleCheck any website at doublecheck.uk

Report Finds Cybersecurity Issues with US 2020 Census

A report looking into the US 2020 Decennial Census has flagged concerns over cybersecurity and questioned whether the personal data collected during the study can be kept private. 

The US Census Bureau kicked off the 2020 Census count of the population with the enumeration of Alaska in January. However, a report into the ongoing operation by the Government Accountability Office (GAO) has found that the bureau faces “significant cybersecurity challenges in securing its systems and data.”

Pressure to resolve these challenges is great, as the online launch of the census is just one month away. 

According to the GAO report, published on Wednesday, the 2020 Census was designated a high-risk operation in February 2017 and remains so to this day.

The report states: “Our prior and ongoing work has identified significant challenges that the Bureau faces in securing systems and data for the 2020 Census. Specifically, the Bureau continues to face challenges related to addressing cybersecurity weaknesses, tracking and resolving cybersecurity recommendations, and addressing numerous other cybersecurity concerns.”

Over the past decade, the GAO has made 112 recommendations for the 2020 Census to help address a raft of concerns over IT system testing, recruiting census staff, securing partnerships, cybersecurity, safe data storage, and more, but many remain unaddressed. 

“As of February 2020, 28 of the recommendations have not been fully implemented of which six are designated priority recommendations,” states the report.

Priority recommendations are defined as those that the GAO believes warrant priority attention from heads of key departments or agencies because, upon implementation, they may significantly improve government operations; for example, by saving money, eliminating fraud, or addressing a duplication issue.

The GAO found that a contingency plan developed in August 2019 for the bureau’s internet response system had not yet been finalized. A further cybersecurity concern flagged in the report was the bureau’s recent decision to change the primary system it intends to use to provide the internet response capability.

“Given that internet response for the 2020 Census starts in March 2020—approximately 1 month away—it is important that the Bureau expeditiously finalize and test the contingency plan for its internet response capability and ensure that the plan reflects the approach the Bureau has recently decided to implement,” states the report.

Puerto Rico Government Loses $2.6m in Phishing Scam

A Puerto Rican government agency unintentionally gave cyber-criminals $2.6m after being taken in by an email phishing scam.

A senior official of the island’s government confirmed that money allocated for remittance payments had been wired by a government agency to what appeared to be a genuine bank account on January 17. It later transpired that the account was fraudulent. 

The money was transferred by an unsuspecting employee of Puerto Rico’s Industrial Development Company, a government-owned corporation whose mission is to work with local and foreign investors to drive economic development on the island.

The agency’s finance director said a complaint was filed with police on Wednesday in relation to the incident, which was uncovered earlier this week.

According to a police statement, director of the Industrial Development Company Rubén Rivera said the government agency made the transfer after receiving an email regarding a change in how remittance payments should be processed.

The email falsely claimed that the existing bank account used for remittance payments should no longer be used for this purpose and informed the agency that the money should be sent to a new bank account. It was this new account that turned out to be fraudulent and in the control of cyber-criminals. 

Word of the incident was first reported yesterday by the Associated Press, though no details were given as to how the deception was uncovered. It is unclear whether Puerto Rican officials have been able to recover any of the $2.6m or who may have been behind the scam. 

“This is a very serious situation, extremely serious,” Manuel Laboy, executive director of the Industrial Development Company, told the Associated Press. 

“We want it to be investigated until the last consequences.”

Email phishing scams were a top crime complaint reported to the Federal Bureau of Investigation (FBI) in 2019, according to the IC3 annual cybercrime report released by the bureau earlier this week. 

Last year, this type of attack swindled media conglomerate Nikkei out of $29m, scammed $2.3m from a Texas school district, and conned a British community housing non-profit into forking over $1.2m.

#teissLondon2020: Be Aware of Malicious and Non-Malicious Insider Behavior

Speaking at the TEISS conference in London, ClubCISO chair Dr Jessica Barker said that both non-malicious and malicious insiders can be detected by common behaviors.

Displaying ClubCISO’s research from 2019, which showed that non-malicious insiders accounted for 42% of incidents in the last 12 months, and malicious insiders accounted for 18%, Barker said that this is the biggest threat after a malicious external attacker (46%) where they can often “take advantage of a non-malicious insider.”

Barker explained that people often don’t expect to be affected by malicious insiders, who can be long-serving employees who appear loyal but harbor grudges or feel overlooked for promotions and pay rises. “They don’t feel what they are doing is criminal, but they justify their activity in righting a wrong.”

Also, someone may feel like they can get away with actions such as leaking data or stealing information for a period of time, “but it takes a level of arrogance to steal and not be identified.”

For the non-malicious insider, Barker said that this is a result of people not understanding the complexities of cybersecurity, and press about cybersecurity can make it feel like the responsibility is out of their control.

“Using fear to trick behavior is not that easy, as if it was we wouldn’t have smokers or drink drivers,” she said.

Barker recommended communicating with staff who may be non-malicious insiders, as they could “have usable skills and knowledge to engage in behaviors.

“We can have all the awareness we want, but it needs to be usable,” Barker said, saying that you cannot just tell people that they need a better password, you need to tell them what they should do, and give them the tools to do it. “You cannot force people to change, you have to work to their knowledge” she said, adding that people commonly want to do the right thing at work but security controls usually get in the way of priorities.

She concluded by saying it is not about creating a separate security culture, but about understanding it is a culture, as “culture underpins what is normal in an organization, and what is acceptable.”

Ukrainian Blackout Malware at Large on Dark Web

Sophisticated backdoor malware techniques used by state-backed attackers to cripple Ukrainian power stations in 2015 are now being deployed more widely by the black hat community, Venafi has warned.

The malware in question targets SSH keys, which are designed to secure remote commands to and communications between machines. As such, they are central to securing cloud workloads, VPN connections, connected IoT devices and more.

Compromise of a single SSH key could give attackers undetected root access to mission critical systems to spread malware or sabotage processes, the security vendor warned.

It is now seeing malware that appends the attackers’ own public keys to the authorized_keys file on victim machines, so that the machine trusts those keys for future logins. Other techniques include brute-forcing weak SSH authentication to gain access and move laterally across networks.

These techniques have been observed in use over the past year by crimeware botnet TrickBot, cryptomining campaign CryptoSink, Linux Worm and Skidmap, said Venafi. That’s a far cry from the relatively rare sight of a backdoored SSH server being used by the BlackEnergy gang in December 2015. That attack caused mass power outages in parts of Ukraine.

“SSH keys can be potent weapons in the wrong hands. But until recently, only the most sophisticated, well-financed hacking groups had this kind of capability. Now, we’re seeing a ‘trickle-down’ effect, where SSH capabilities are becoming commoditized,” warned Yana Blachman, threat intelligence specialist at Venafi.

“What makes this commoditization so worrying is that if an attacker is able to backdoor a potentially interesting target, they may monetize this access and sell it through dedicated channels to more sophisticated and sponsored attackers, such as nation state threats for the purpose of cyber-espionage or cyber-warfare.”

This has happened before, when the TrickBot gang were found to have been selling a “bot-as-a-service” to North Korean hackers, she claimed.

To combat such threats, organizations need to have a clear visibility of and protection for all authorized SSH keys in the enterprise, to prevent them being hijacked and to block attempts by attackers to insert their own malicious SSH machine identities into systems.
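The visibility Venafi calls for starts with knowing exactly which public keys each authorized_keys file trusts. The following audit script is an added example, not Venafi’s tooling or anything from the original article: it parses authorized_keys entries (including ones with a leading options field such as from= or command=), computes the OpenSSH-style SHA256 fingerprint of each key blob, and reports any key that is not on an approved list, plus any line it cannot parse. The sample file, the key blobs and the approved set are constructed inline so the script runs offline; the key-type regex and the audit_file helper are this example’s own assumptions, not part of OpenSSH.

```python
import base64
import hashlib
import re

# A key-type token followed by its base64 blob. Anything before the match is the
# options field (from=, command=, ...); anything after it is the free-text comment.
# Caveat: an options string that itself contains "ssh-..." (e.g. command="ssh-keygen")
# would need a real tokenizer; such lines deserve a manual look anyway.
_KEY_RE = re.compile(
    r"(?P<type>ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp(?:256|384|521)|sk-[\w@.-]+)"
    r"\s+(?P<blob>[A-Za-z0-9+/]+={0,2})"
)


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of sha256(key blob)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> list:
    """One dict per non-comment line: line number, options, type, fingerprint, comment."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _KEY_RE.search(line)
        if m is None:
            entries.append({"line": lineno, "error": "unparseable entry"})
            continue
        entries.append({
            "line": lineno,
            "options": line[: m.start()].strip(),
            "type": m.group("type"),
            "fingerprint": fingerprint(m.group("blob")),
            "comment": line[m.end():].strip(),
        })
    return entries


def audit(text: str, approved_fingerprints: set) -> list:
    """Return (line, reason) for every entry that is not a parseable, approved key."""
    findings = []
    for e in parse_authorized_keys(text):
        if "error" in e:
            findings.append((e["line"], e["error"]))
        elif e["fingerprint"] not in approved_fingerprints:
            who = e["comment"] or "no comment"
            findings.append((e["line"], f"unapproved {e['type']} key {e['fingerprint']} ({who})"))
    return findings


def audit_file(path: str, approved_fingerprints: set) -> list:
    """Same check over a real file, e.g. /root/.ssh/authorized_keys (hypothetical helper)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit(fh.read(), approved_fingerprints)


# --- constructed sample data (not real keys) -------------------------------
def _ssh_string(b: bytes) -> bytes:
    return len(b).to_bytes(4, "big") + b


def make_blob(key_type: bytes, *fields: bytes) -> str:
    """Build a wire-format public-key blob (length-prefixed strings) and base64 it."""
    return base64.b64encode(b"".join(_ssh_string(f) for f in (key_type,) + fields)).decode()


ADMIN_KEY = make_blob(b"ssh-ed25519", bytes(range(32)))                  # the one key we expect
ROGUE_KEY = make_blob(b"ssh-rsa", b"\x01\x00\x01", b"\x00" + bytes(64))  # planted by "malware"

SAMPLE_AUTHORIZED_KEYS = f"""# constructed sample file
ssh-ed25519 {ADMIN_KEY} admin@bastion
from="10.0.0.0/8",command="/usr/bin/rsync --server" ssh-rsa {ROGUE_KEY}
this line is not a key at all
"""
APPROVED = {fingerprint(ADMIN_KEY)}

if __name__ == "__main__":
    for line, reason in audit(SAMPLE_AUTHORIZED_KEYS, APPROVED):
        print(f"line {line}: {reason}")
```

Run against the sample, the audit flags line 3 (the planted RSA key, despite its restrictive-looking options) and line 4 (unparseable). On a real host the same audit would be run over every user’s authorized_keys file and the sshd AuthorizedKeysFile locations, with the approved set fed from the key inventory rather than hard-coded.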

Stay up-to-date with the latest information security trends and topics by registering for Infosecurity Magazine’s next Online Summit. Find out more here.

#teissLondon2020: Blanket Approaches to Security Awareness Efforts Often Fail

Employee awareness needs to be holistic, and not use a blanket approach.

Speaking on a panel at the TEISS conference in London exploring how to tailor security awareness programs to overcome colleagues’ inbuilt biases, business strategist Dr Dave Chatterjee said that benchmarks help you know, when you talk about awareness, whether you are actually meeting your goals. “At a deeper level, it can convince you to be more careful on phishing and to be motivated and driven to be secure,” he added.

Dr Jessica Barker, chair of ClubCISO, said she had found “phishing awareness and detection to be very good and strong” but the issues of emailing personally identifiable information and storage of data were not addressed, and often these issues need to be covered and benchmarks can help you know in six to 12 months if you have targeted these areas.

Also speaking on the panel was Marilise de Villiers, founder and CEO of MDVB Consulting, who said that awareness solutions need to be designed to allow you to measure awareness, and let “you know what you want to know” as well as “what will trip us up later down the road.”

The panellists were all agreed that a check box methodology is not enough, and Chatterjee said that you “need to put enough thought into what you’re measuring.”

Panel moderator Jeremy Swinfen Green, head of consulting at TEISS, asked what some of the problems around awareness campaigns can be. “A fear of speaking up” was cited by de Villiers, while Barker said that a fear of speaking up “engenders a culture of fear.” Chatterjee added that companies often try to create a workplace of happy employees, but that is often “easier said than done.

“Companies have to survive and treat their employees well,” he said, while de Villiers argued that awareness campaigns need to be done on a “case-by-case basis.”

Ransomware Costs May Have Hit $170bn in 2019

There were nearly half a million ransomware infections reported globally last year, costing organizations at least $6.3bn in ransom demands alone, according to estimates from Emsisoft.

The security vendor analyzed submissions to the ID Ransomware identification service during 2019 and found a total of 452,121 records.

However, around half of these were related to a type of ransomware called STOP which is mainly targeted at home users, so its financial calculations are based on more like 226,000 victims.

What’s more, the firm estimated that only around 25% of organizations affected by ransomware use the ID Ransomware service, so it provided both a minimum cost based on 50% of submissions and a larger figure based on four times that number.

With the average ransom demand around $84,000 and roughly a third of firms paying up, Emsisoft estimated minimum global costs at $6.3bn and a higher figure at $25bn.

Working out downtime costs was harder, the firm admitted.  

“Gartner previously put the average at more than $5,600 per minute – so we have used the extremely conservative figure of $10,000 per day,” it explained. “This figure has no basis in reality and we have included it simply to illustrate the enormity of the costs. The actual costs are almost certainly much higher.”

When combined with ransom payments, downtime of 16 days would mean that globally, firms spent at least $42.4bn on ransomware last year. The higher figure, taking into account those that didn’t report incidents to ID Ransomware, is estimated at a staggering $170bn.
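The chain of assumptions behind the $6.3bn, $25bn, $42.4bn and $170bn figures is easier to check when written out as a model. The function below is an added example, not Emsisoft’s own calculation; it uses only the inputs quoted in the article (452,121 submissions, half of them organizations, a third paying, an $84,000 average demand, 16 days of downtime at $10,000 a day, and a 25% reporting rate) and reproduces the published figures to within rounding (the page’s $42.4bn comes out at $42.5bn here). The parameters are exposed so a reader can see how sensitive the headline number is to, for instance, the downtime cost.

```python
def ransomware_cost_model(
    submissions: int = 452_121,             # ID Ransomware records in 2019
    org_share: float = 0.5,                 # the rest are STOP, mostly home users
    pay_rate: float = 1 / 3,                # roughly a third of firms pay
    avg_ransom: float = 84_000,             # average demand in USD
    downtime_days: float = 16,
    downtime_cost_per_day: float = 10_000,  # Emsisoft's deliberately conservative placeholder
    reporting_rate: float = 0.25,           # share of affected orgs that use ID Ransomware
) -> dict:
    """Reproduce the minimum and extrapolated 2019 cost figures (USD) from the stated inputs."""
    org_victims = submissions * org_share
    ransom_min = org_victims * pay_rate * avg_ransom
    downtime_min = org_victims * downtime_days * downtime_cost_per_day
    scale = 1 / reporting_rate              # "four times" the reported population
    return {
        "org_victims": org_victims,
        "ransom_min": ransom_min,
        "ransom_high": ransom_min * scale,
        "total_min": ransom_min + downtime_min,
        "total_high": (ransom_min + downtime_min) * scale,
    }


def in_billions(usd: float) -> float:
    """Round a USD amount to one decimal place in billions, as the report presents them."""
    return round(usd / 1e9, 1)


if __name__ == "__main__":
    for name, value in ransomware_cost_model().items():
        print(f"{name:>12}: ${in_billions(value)}bn" if value > 1e6 else f"{name:>12}: {value:,.0f}")
```

Swapping the $10,000-a-day placeholder for Gartner’s $5,600 a minute (about $8m a day) multiplies the downtime term by several hundred, which is why Emsisoft calls its own figure a floor rather than an estimate.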

That’s in stark contrast to the FBI report released this week, which claimed that losses reached just $9m last year. However, the caveats are that just 2,047 cases were reported to the Feds in 2019, and the FBI admitted that its calculations did not include “lost business, time, wages, files, or equipment, or any third party remediation services acquired by a victim.”

Emsisoft claimed that an accurate estimation of the scale of financial damage caused by ransomware was not the point of the exercise.

“The intention of this report is not to accurately estimate the costs, which is impossible due to a dearth of data, but rather to shine a light on the massive economic impact of these incidents in the hope that doing so will help governments and law enforcement agencies formulate a proportionate response to the ransomware crisis,” it concluded.

Estée Lauder Database Exposes 440 Million Records

Estée Lauder is the latest big-name brand to suffer an embarrassing data leak after a researcher discovered 440 million records including plain text emails exposed via an online database.

Security Discovery’s Jeremiah Fowler made the discovery on January 30, claiming the non-password protected database exposed a total of 440,336,852 records.

It’s unclear how many user emails were exposed, but the cosmetics giant claimed in an emailed statement that they were “non-consumer” and instead came from an internal “education platform.” Fowler confirmed that many of the emails he saw in plain text belonged to the @estee.com domain.

There was no sign of payment data or sensitive employee information in the database either. However, although the direct risk to customers and staff appears to have been negligible from this data leak, Fowler warned that other information contained in the database may have been of interest to attackers.

“There were millions of records pertaining to middleware that is used by the Estée Lauder company. Middleware is software that provides common services and capabilities to applications outside of what’s offered by the operating system. Data management, application services, messaging, authentication, and API management are all commonly handled by middleware,” he explained.

“Another danger of this exposure is the fact that middleware can create a secondary path for malware, through which applications and data can be compromised. In this instance anyone with an internet connection could see what versions or builds are being used, the paths, and other information that could serve as a backdoor into the network.”

Although it took Fowler multiple attempts to pass on details of his discovery to the right team, Estée Lauder has been praised as acting “fast and professionally” to block public access to the database on the day of the discovery.
