The recent escalation of high-profile hacks and data dumps has underscored the increasing boldness of digital threat actors, culminating in July’s Democratic National Committee email leak and its ripple effect through American politics. The group behind the hack and its attack patterns were known, and yet the attack was not thwarted, leaving many questions about the overall state of Internet security.
The dangers in cyberspace in 2017 will only increase – most likely with even more sophisticated attacks such as large-scale IoT botnet DDoS attacks and ransomware campaigns, not to mention data breaches with a variety of end goals – from stealing our most critical corporate and personal data to stealing elections.
Standard security solutions don’t seem to be working. What, if anything, can be done?
State-sponsored actors as well as criminal groups seem to have unlimited resources and extremely high levels of coordination at their disposal to carry out their attacks. Defense against cyberattacks, by contrast, has been characterized by a lack of collaboration within the cybersecurity community.
Moving forward, this will have to change. Cyber defenders should take a page out of the enemy’s playbook. Crowd intelligence will need to be organized and harnessed as a major tactic to improve security strategies against growing threats. Just as cyber attackers collaborate and share their attack techniques and latest methods with each other, cyber defenders should do the same with best defense practices. Cyber criminals are actually generous with each other – they welcome collaboration within their community, symbiotically enhancing each other’s methods and techniques. Shouldn’t we ‘good guys’ be doing the same?
Sure, some info-sharing databases for cybersecurity experts do exist, such as open virus databases that allow searching and sharing of malware samples to facilitate detection, and regularly updated reputation sources that share information about sites associated with malware infection, phishing campaigns, and the like. But almost all of these collaborative projects focus on sharing attack-side information: specific vulnerabilities, attack techniques, or intrusion patterns. Sharing this kind of information is basically useless, as it takes too long for security experts to analyze the threat information, plan a defense strategy, and then deploy it.
What could be quite effective in meeting these kill chains head-on are detection solutions in the form of security orchestration models – but currently, there is no forum within the security community for creating and sharing these models. The lack of preventative collaboration is a gaping hole in the security industry which must be rectified. State actors and organized crime are just that – organized. We, the protectors, are not.
Multiple security technologies are involved in protecting against advanced attack campaigns – network security, endpoint security, threat intelligence, etc. All of these must work in sync and must be activated in the correct sequence to provide maximum protection against increasingly sophisticated threats. We need our own “generals” coordinating our security arsenal, orchestrating our battles and rallying the cyber troops.
The industry must learn to pool its resources better and develop the ability to share preemptive avenues of detection, investigation, and mitigation of advanced attack campaigns. No existing forum allows security experts to write orchestration models (which define the defense strategies) and share them with each other for collaboration and communal enhancement.
What’s needed is a platform through which the cybersecurity community can create and share vendor-neutral security orchestration models (defense strategies) which can then be internally rated by community members and updated as needed, rendering them ready for adaptation by organizations – no matter which security products they use.
If an organization is lacking a security function that the model requires, the organization can be alerted and the gap filled. Orchestration models can also be created for specific verticals and tailored to the needs of specific organization types such as banks, retail, healthcare, or critical infrastructure, for example, or developed to specifically combat known hacker groups and their attack patterns, or both.
Hacking organizations have been alarmingly successful in the scope of their attacks over the last couple of years, and they are becoming bolder, more technically proficient, and better organized, creating an air of cyber unease which has left much of the Western world unsettled. But we are far from raising the white flag to the black hats. Taking the right steps to form expert communities and impart our accumulated knowledge and innovations to preemptively combat the cyber scourge could eventually put them out of business – we just need to learn to share more effectively than they do.
Security remains top of mind as over 70 per cent of consumers noted they always think about their security/privacy when shopping online, according to Centrify. Unfortunately, despite the changing attitudes towards security, some consumers are still making basic security faux pas online.
Password hygiene is also a continuing problem when shopping online. Nearly 14 per cent admitted that they share passwords with friends and family so they can log in to their accounts, whilst over 50 per cent said they save them on retailers’ websites so as not to forget them. Over half also said that they only sometimes use different passwords for different retailers’ websites.
Most concerning is that one in eight said they would accept discounts and special offers from retailers in exchange for their passwords, highlighting the risks consumers are willing to take in order to save money online.
83 per cent would sometimes, or never, check the security and privacy terms and conditions of the retailer, leaving them wide open to hacking and data theft if shopping with an unknown or untrusted retailer.
On top of this, more than a fifth would still not check for the padlock icon in the browser (which indicates an HTTPS connection, not that the retailer itself is trustworthy) before making their purchases, and 27 per cent said they would only do this on some occasions.
With Black Friday around the corner and the Christmas shopping season well under way for most, frugal shoppers need to consider their online safety before making any purchases.
Centrify offers ten tips for consumers when shopping online:
The recently spotted Telecrypt ransomware can be thwarted: malware analyst Nathan Scott has created a tool that decrypts the encrypted files.
Telecrypt Decryptor works only if the affected user has .NET 4.0 or above (bundled with Windows 8 and later; on Windows XP, Vista and 7 it must be installed separately), and has at least one of the encrypted files in its original, unencrypted form, which is what makes working out the key possible. It also needs to be run from an Administrator account.
The tool comes with instructions and a warning: don’t use it if you haven’t been infected with this particular ransomware, as it could corrupt some of your files.
Telecrypt was first spotted a few weeks ago, targeting Russian-speaking users.
What sets it apart is that it uses Telegram’s messaging protocol to deliver the decryption key to the crooks and, in general, to communicate with them.
The message it shows puts the ransom at 5,000 rubles (around 78 USD), and the crooks thank the victims for helping the “Young Programmers Fund.”
“Telecrypt will generate a random string to encrypt the files that is between 10-20 in length and only contains the letters vo, pr, bm, xu, zt, dq,” Malwarebytes explained.
“[It] encrypts files by looping through them a SINGLE byte at a time, and then simply adding a byte from the key in order. This simple encryption method allows a decryption application to be made.”
Telecrypt is distributed in the form of an executable, via spam emails, exploits, and drive-by download schemes.
It encrypts a wide variety of files and, depending on its configuration, it either adds the extension ‘.Xcri’ to the encrypted files or leaves it unchanged.
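Because the scheme Malwarebytes describes is byte-wise addition of a short repeating key, a single unencrypted copy of any one encrypted file gives the key away, which is why the decryptor asks for one. The following is an added illustration, not Telecrypt’s code or Nathan Scott’s decryptor; it assumes (the article does not say) that the key repeats across the file and that the addition wraps modulo 256, and the sample files are constructed:

```go
// Added example for this article, not Telecrypt's code or Nathan Scott's
// decryptor: a toy model of the byte-addition scheme Malwarebytes described
// and the known-plaintext key recovery it permits.  Assumed, not stated in
// the article: the key cycles over the file and addition wraps modulo 256.
package main

import (
	"bytes"
	"errors"
	"fmt"
	"math/rand"
	"strings"
)

// keyPairs are the two-letter fragments quoted by Malwarebytes.
var keyPairs = []string{"vo", "pr", "bm", "xu", "zt", "dq"}

// generateKey builds a 10-20 byte key from the pairs (assumed construction).
func generateKey(r *rand.Rand) []byte {
	n := 5 + r.Intn(6) // 5..10 pairs -> 10..20 bytes
	var sb strings.Builder
	for i := 0; i < n; i++ {
		sb.WriteString(keyPairs[r.Intn(len(keyPairs))])
	}
	return []byte(sb.String())
}

// encrypt: c[i] = (p[i] + key[i mod len(key)]) mod 256.
func encrypt(plain, key []byte) []byte {
	out := make([]byte, len(plain))
	for i, b := range plain {
		out[i] = b + key[i%len(key)] // byte arithmetic wraps mod 256
	}
	return out
}

// decrypt inverts encrypt; with the wrong key it simply produces garbage,
// which is why the real tool warns against running it on uninfected files.
func decrypt(cipher, key []byte) []byte {
	out := make([]byte, len(cipher))
	for i, b := range cipher {
		out[i] = b - key[i%len(key)]
	}
	return out
}

// recoverKey is the known-plaintext attack: the keystream is cipher minus
// plain, byte by byte, and since it repeats, the shortest period consistent
// with the whole sample is the key (or a shorter equivalent of it).
func recoverKey(plain, cipher []byte) ([]byte, error) {
	if len(plain) != len(cipher) || len(plain) < 20 {
		return nil, errors.New("need an unencrypted copy of at least 20 bytes")
	}
	stream := make([]byte, len(plain))
	for i := range plain {
		stream[i] = cipher[i] - plain[i]
	}
	for period := 1; period <= 20 && period <= len(stream); period++ {
		ok := true
		for i := period; i < len(stream); i++ {
			if stream[i] != stream[i%period] {
				ok = false
				break
			}
		}
		if ok {
			return stream[:period], nil
		}
	}
	return nil, errors.New("no key period of length <= 20 fits the sample")
}

// demo encrypts two constructed files, recovers the key from the one the
// victim still holds in clear, and checks that the other decrypts with it.
func demo() bool {
	r := rand.New(rand.NewSource(2016))
	key := generateKey(r)
	known := []byte("constructed sample: a document the victim still has a clean copy of")
	other := []byte("constructed sample: a second file seen only in encrypted form")
	k, err := recoverKey(known, encrypt(known, key))
	if err != nil {
		return false
	}
	return bytes.Equal(decrypt(encrypt(other, key), k), other)
}

func main() {
	fmt.Println("recovered key decrypts the second file:", demo())
}
```

Subtracting the known plaintext from its ciphertext yields the keystream; its shortest period is the key, and that one key opens every other file the victim did not keep a copy of. The same code shows why the tool warns against running it on uninfected files: decrypt() applied to data that was never encrypted just scrambles it.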
For the sixth year in a row, Internet freedom is declining.
According to the latest Freedom on the Net report, 67 percent of all Internet users now live in countries where online criticism of the government, ruling family or the military is subjected to censorship, and such activity can result in individuals getting arrested.
Also, more governments have come to realize the power of social media and messaging apps, and are actively trying to censor them or prevent their use, particularly during anti-government protests, but also because they help thwart their surveillance efforts.
“The increased controls show the importance of social media and online communication for advancing political freedom and social justice. It is no coincidence that the tools at the center of the current crackdown have been widely used to hold governments accountable and facilitate uncensored conversations,” says Freedom House, the NGO that compiled the report that focuses on developments that occurred between June 2015 and May 2016.
“Authorities in several countries have even resorted to shutting down all internet access at politically contentious times.”
The “problem” with some communication apps, from the authorities’ point of view, is that they encrypt the exchanges. It is interesting to note, though, that the use of some online voice and video calling apps is being blocked or restricted in a number of countries mainly because they eat into the profit margins of national telecommunications firms.
The range of censored online content is also expanding, and includes news outlets that favor political opposition, sites that launch calls for protest, sites expounding LGBTI issues, and images.
China, Syria, Iran, Ethiopia and Uzbekistan lead the pack of countries with the smallest amount of Internet freedom. On the other end of the spectrum are Estonia, Iceland, Canada, the US, and Germany.
“Of the 65 countries assessed, 34 have been on a negative trajectory since June 2015. The steepest declines were in Uganda, Bangladesh, Cambodia, Ecuador, and Libya,” Freedom House noted.
“In Uganda, the government made a concerted effort to restrict internet freedom in the run-up to the presidential election and inauguration in the first half of 2016, blocking social media platforms and communication services such as Facebook, Twitter, and WhatsApp for several days. In Bangladesh, Islamist extremists claimed responsibility for the murders of a blogger and the founder of an LGBTI magazine with a community of online supporters. And Cambodia passed an overly broad telecommunications law that put the industry under government control, to the detriment of service providers and user privacy. Separately, Cambodian police arrested several people for their Facebook posts, including one about a border dispute with Vietnam.”
While there have been improvements in 14 other countries, they are small, and not always the result of positive government actions.
The tug of war between protestors, digital activists, and companies offering social media services and communication apps on one side, and a wide variety of governments on the other continues.
Many organizations today are not equipped to defend against traditional cyberattacks, as demonstrated by the ever-increasing numbers of successful breaches reported daily – the Privacy Rights Clearinghouse’s latest number is 900,875,242 records breached in 5,165 attacks over the past decade – and that’s U.S. only.
Even the largest companies appear ill-equipped to deal with more sophisticated cyberattacks, such as the recent Mirai IoT botnet DDoS attack, or with breaches detected only months or years after the initial intrusion, as in the Yahoo and Dropbox cases.
Inundated by alerts, analysts lack the automated, intelligence-driven processes to home in on attacks across the kill chain, and breaches continue far too long. To address this fundamental mismatch, organizations need a new perspective on the way they detect and respond to attacks.
Like police investigations in the real world, every cyber investigation starts with a lead upon which a hypothesis is built. As more evidence is gathered in the field, the case continues to build until investigators can confirm or refute the direction of the investigation. This process is iterative until a conclusion is reached, and it must be thoroughly documented for future reference. This same process needs to be followed when investigating a cyberattack.
Organizations can improve their detection, investigation and response processes and enable analysts to home in on and stop cyberattacks more efficiently with these simple steps.
To really make a difference, saving time and resources, you need to automate the time-consuming analysis and investigation stages and not just the response. By automating the collection and analysis of leads across your security infrastructure, you can reduce the number of alerts and confirm real incidents worthy of investigation. Not only will this alleviate alert overload, it sharpens the skill set of less experienced analysts and frees senior analysts to let them focus on the complex, sophisticated attacks where human judgment is required.
Documentation is essential to presenting the chronology and context of an event, including situational and environmental information, such as initial findings, areas affected and evidence to support the incident storyline. Particularly in automated investigations using machine-based analysis, it is critical to document what decisions were made during the investigation process and why. Visualization tools create representative pictures that “connect the dots,” ensuring that analysts get a complete picture without missing critical details.
This information is important when a complex incident is handed off for manual investigation as well as scenarios where an investigation is passed from one analyst to another. With all evidence fully documented, security teams are better equipped to make decisions, conduct shift handover, and create managerial reports.
Machine-based analysis is essential for productivity and allowing professionals to focus their skills on the more complex tasks where human experience and intuition is needed. Machines can be built to simulate the way humans investigate – automatically take a lead and confirm or refute it by gathering intelligence from multiple sensors. Once the machine has collected all the relevant pieces of evidence and automatically pieced them together into an incident, humans can use their judgment to add new leads and evidence to the incident. In a continuous, self-learning process, this new evidence can be fed back into the machine, which applies it to past and future analyses to improve threat detection.
Savvy attackers use multiple methods and vectors – such as malware, phishing and social engineering – to reach their targets. They study your network topology and find the weak points in your defenses. To address this challenge, your security coverage needs to consider multiple elements including network topology, attack chain and IT assets. Whether your organization has one central site or multiple campuses, you need visibility into traffic coming into each site and among sites using a variety of attack vectors.
In terms of the attack chain, it’s becoming increasingly difficult to detect attacks at the perimeter due to the many ways in. Therefore, you need to be able to identify and verify indicators of compromise across the attack chain through detection of lateral movement and command and control communications. Your IT assets, such as endpoints, servers and files, should also be protected using endpoint analytics and forensics.
Once all the evidence has been gathered from multiple sensors across your network, it needs to be brought together and presented to the investigator in a coherent and logical manner designed for attack representation. Unified workflows and a single workspace enable analysts to access information from every sensor and perform network and endpoint forensics as needed to build the attack story.
The key to boosting the efficiency of cyber analysts is to provide them with better insight into raw data to simplify the decision-making process. Start by modeling an attack – the attack surface, the attack components, steps, methods, technology – and how all those might be linked into an attack operation. Then focus on the human investigation workflow so you can mimic it properly and scale it up with accuracy. For example, how to dissect leads into individual pieces of forensic information that can be fused, correlated, triaged and connected into an incident view or how to decide which forensic query option is the best next step at each point in the investigation flow. Then you need to figure out how to interpret and apply the results.
Holistically applying these principles to design, implementation, data modeling, APIs, user interfaces and other components will result in a purpose-built, mission-centric defense system that makes your analysts more effective and productive.
The time has come for a new approach to cyber defense – let the automated system do the heavy lifting, and then empower your analysts to use their intuition and experience to stop the attacks in their tracks.
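As an added example, not code from the original article or from any product, the following sketches the lead-to-verdict loop described above over constructed telemetry: one lead (a host talking to a domain) is tested against three sensors, each finding and each rule outcome is recorded for hand-off, and the hypothesis is confirmed or refuted only when independent sensors agree. Log shapes, thresholds, rules, host and domain names are all invented for the example:

```go
// Added example for this article, not any vendor's product: a minimal
// lead -> hypothesis -> evidence -> verdict engine over constructed telemetry.
// The log shapes, thresholds and rules are invented for the example.
package main

import (
	"fmt"
	"math"
	"sort"
)

type proxyEvent struct {
	t          int // seconds since start of capture
	host, dest string
}

// Constructed telemetry from three sensors: proxy, DNS, endpoint.
var proxyLog = []proxyEvent{
	{0, "ws-17", "cdn-update.example"}, {60, "ws-17", "cdn-update.example"},
	{120, "ws-17", "cdn-update.example"}, {180, "ws-17", "cdn-update.example"},
	{240, "ws-17", "cdn-update.example"},
	{37, "ws-17", "news.example"}, {951, "ws-17", "news.example"},
}

// dnsLog maps (host, name) to the process that resolved the name.
var dnsLog = map[[2]string]string{
	{"ws-17", "cdn-update.example"}: "update_helper.exe",
	{"ws-17", "news.example"}:       "browser.exe",
}

// endpointLog: process -> {parent process, code-signing status}.
var endpointLog = map[string][2]string{
	"update_helper.exe": {"winword.exe", "unsigned"},
	"browser.exe":       {"explorer.exe", "signed"},
}

// Incident keeps the lead, every finding and every rule outcome for hand-off.
type Incident struct {
	Lead, Hypothesis, Verdict string
	Evidence                  []string        // "sensor: finding", in query order
	Decisions                 map[string]bool // rule -> did it fire?
}

// beaconScore is the fraction of connection intervals within 10% of the first
// one: 1.0 for a perfectly regular schedule, 0 for bursty human browsing.
func beaconScore(times []int) float64 {
	if len(times) < 4 {
		return 0
	}
	sort.Ints(times)
	first, regular := times[1]-times[0], 0
	for i := 1; i < len(times); i++ {
		if g := times[i] - times[i-1]; math.Abs(float64(g-first)) <= 0.1*float64(first) {
			regular++
		}
	}
	return float64(regular) / float64(len(times)-1)
}

// investigate takes one lead, queries each sensor in turn, and confirms or
// refutes the hypothesis while recording evidence and rule outcomes.
func investigate(host, dest string) *Incident {
	inc := &Incident{Lead: fmt.Sprintf("outbound %s -> %s", host, dest),
		Hypothesis: "C2 beacon from a malicious process", Decisions: map[string]bool{}}
	var times []int
	for _, e := range proxyLog {
		if e.host == host && e.dest == dest {
			times = append(times, e.t)
		}
	}
	score := beaconScore(times)
	inc.Evidence = append(inc.Evidence, fmt.Sprintf("proxy: %d connections, regularity=%.2f", len(times), score))
	inc.Decisions["beacon_regularity>=0.9 (periodic low-volume traffic)"] = score >= 0.9
	proc := dnsLog[[2]string{host, dest}]
	info, known := endpointLog[proc]
	inc.Evidence = append(inc.Evidence, "dns: name resolved by "+proc,
		fmt.Sprintf("endpoint: %s parent=%s %s", proc, info[0], info[1]))
	officeChild := info[0] == "winword.exe" || info[0] == "excel.exe"
	inc.Decisions["unsigned_office_child (process lineage)"] = known && officeChild && info[1] == "unsigned"
	inc.Decisions["intel_match (reputation lookup)"] = false // constructed: no feed lists either name
	hits := 0
	for _, fired := range inc.Decisions {
		if fired {
			hits++
		}
	}
	switch { // two independent rules agreeing confirms; none firing refutes
	case hits >= 2:
		inc.Verdict = "confirmed"
	case hits == 0:
		inc.Verdict = "refuted"
	default:
		inc.Verdict = "needs-analyst"
	}
	return inc
}

func main() {
	inc := investigate("ws-17", "cdn-update.example")
	fmt.Println(inc.Lead, "=>", inc.Verdict, inc.Evidence)
}
```

The constructed beacon is confirmed by timing regularity plus an unsigned process spawned by Word, with no threat-intelligence hit at all, while the browsing lead is refuted on every rule; both results carry the evidence trail the text asks for, so a second analyst can see not just the verdict but which sensor said what.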
A criminal group dubbed Cobalt is behind synchronized ATM heists that saw machines across Europe, CIS countries (including Russia), and Malaysia being raided simultaneously, in the span of a few hours. The group has been active since June 2016, and their latest attacks happened in July and August.
The group sent out spear-phishing emails – purportedly sent by the European Central Bank, the ATM maker Wincor Nixdorf, or other banks – to the target banks’ employees. The emails delivered attachments containing an exploit for an MS Office vulnerability.
“If the vulnerability is successfully exploited, the malicious module will inject a payload named Beacon into memory. Beacon is a part of Cobalt Strike, which is a multifunctional framework designed to perform penetration testing. The tool enables perpetrators to deliver the payload to the attacked machine and control it,” the researchers explained in a recently released paper.
Additional methods and exploits were used to ensure persistence on the compromised machines, to gain domain administrator privileges, and ultimately to obtain access to the domain controller. From that vantage point, the attackers used the open source Mimikatz tool to obtain Windows credentials for all active sessions.
The attackers would ultimately gain control over a number of computers inside the bank’s local network. Some of them were connected to the Internet and others were not, but the latter received instructions from the central Cobalt Strike console relayed through the former.
“After the local network and domain are successfully compromised, the attackers can use legitimate channels to remotely access the bank, for example, by connecting to terminal servers or via VPN acting as an administrator or a standard user,” the researchers noted. The attackers also installed a modified version of the TeamViewer remote access tool on the compromised devices as a fallback.
Once persistent access was secured, the criminals searched for workstations from which they could control ATMs, and loaded the ATMs with software that let them drive the cash dispensers.
The final strikes happened within a few hours on the same day: money mules went to the targeted ATMs and sent an SMS with the code identifying the ATM to a specific phone number, the criminals made the machine dispense all its cash, and the mules left with it.
The Cobalt gang uses a number of legitimate, open and closed source tools – Cobalt Strike (a tool for penetration testing), Mimikatz, SDelete (a free tool available on the Microsoft website that deletes files beyond recovery), and TeamViewer.
“Once an ATM is emptied, the operator launches the SDelete program, which removes files used with a special algorithm, which prevents information from being recovered. Thereafter, the ATM restarts,” the researchers explained. “In addition, operators disable the bank’s internal servers involved in the attack using the MBRkiller malware that removes MBR (master boot record). Such a careful approach significantly complicates further investigation.”
The ATM manipulation software also contains code that allows it to record a log containing information about the banknotes dispensed – the gang obviously does not trust the money mules to correctly report the amount that was stolen from each ATM.
Group-IB, whose researchers documented the campaign, did not name the affected banks, but only noted that they are based in Armenia, Belarus, Bulgaria, Estonia, Georgia, Kyrgyzstan, Moldova, the Netherlands, Poland, Romania, Russia, Spain, the UK and Malaysia.
According to Reuters, Diebold Nixdorf and NCR, the world’s two largest ATM makers, have provided banks with information on how to prevent or at least minimize the impact of these attacks.
It is unknown how much money the group was able to steal.
Oracle today announced that it has signed an agreement to acquire Dyn, a cloud-based Internet Performance and DNS provider that monitors, controls, and optimizes Internet applications and cloud services.
Dyn’s solution is powered by a global network that drives 40 billion traffic optimization decisions daily for more than 3,500 enterprise customers, including preeminent digital brands such as Netflix, Twitter, Pfizer and CNBC.
Adding Dyn’s DNS solution extends the Oracle cloud computing platform and provides enterprise customers with a one-stop shop for Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS).
“Oracle already offers enterprise-class IaaS and PaaS for companies building and running Internet applications and cloud services,” said Thomas Kurian, President, Product Development, Oracle. “Dyn’s immensely scalable and global DNS is a critical core component and a natural extension to our cloud computing platform.”
“Oracle cloud customers will have unique access to Internet performance information that will help them optimize infrastructure costs, maximize application and website-driven revenue, and manage risk,” said Kyle York, Chief Strategy Officer, Dyn. “We are excited to join Oracle and bring even more value to our customers as part of Oracle’s cloud computing platform.”
If you’re using a cheap Android smartphone manufactured or sold by BLU, Infinix, Doogee, Leagoo, IKU, Beeline or Xolo, you are likely wide open to Man-in-the-Middle attacks that can result in your device being thoroughly compromised.
A more detailed (but not complete) list of vulnerable devices can be found in an advisory by CERT/CC.
This discovery comes less than a week after researchers from Kryptowire identified several models of Android mobile devices that contain firmware that collects sensitive data about their owners and secretly transmits it to servers owned by a company named Shanghai Adups Technology Co. Ltd.
Among these mobile devices are also some BLU smartphones.
Those and other devices (roughly 55 device models) are open to attack because they sport the same firmware by Chinese software company Ragentek Group.
This firmware contains a binary that is responsible for enabling over-the-air (OTA) software updating, but unfortunately the mechanism is flawed.
For one, the update requests and the supplied updates travel over an unencrypted channel. Secondly, until a few days ago, two of the Internet domains that the firmware is instructed to contact for updates (the addresses are hard-coded into it) were unregistered, meaning anybody could have registered them and delivered malicious updates and commands to compromise the devices.
Luckily, it was researchers from Anubis Networks who did so, and the move allowed them to count over 2.8 million devices that contacted the domains looking for updates. Many of these devices are located in the US, as most of the models are sold by Best Buy and Amazon.
But even though the domains are now owned by these security researchers, the fact that updates are delivered over an unencrypted channel allows attackers with a MitM position to intercept legitimate updates and swap them for malicious ones (the firmware does not verify any signature to establish the updates’ legitimacy).
MitM attackers could also send responses that would make the devices execute arbitrary commands as root, install applications, or update configurations.
The behaviour looks very much like a backdoor. According to the researchers, the binary that performs the OTA update checks – debugs, in the /system/bin/ folder – runs with root privileges, and its presence and the process it starts are actively hidden by the firmware.
“It’s unclear why the author of this process wanted to purposely hide the presence of the process and local database on the device, although it’s worth noting that it did not attempt to do this comprehensively,” the researchers noted.
But they told Ars Technica that they believe the backdoor capabilities were unintentional, and Ragentek has yet to comment on the discovery.
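The two defects described above, an update channel in the clear and no signature check, are easiest to see side by side. The following is an added example, not Ragentek’s firmware code: insecureApply does what the article says the debugs binary does with whatever answer it receives, and Verifier shows the checks a hardened client performs before applying anything. The manifest format, the field names and the Ed25519 key pair are assumptions for the example; the firmware image and the server responses are constructed:

```go
// Added example for this article, not Ragentek's code: the update check as
// the article describes it (plain HTTP, response trusted blindly) beside a
// hardened verifier.  The manifest format, field names and the Ed25519 key
// pair are assumptions made for the example.
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is what the update server returns.  Only the signed manifest
// bytes are trusted; the payload is checked against the hash they carry.
type Manifest struct {
	Version int    `json:"version"`
	SHA256  string `json:"sha256"`
	Command string `json:"command,omitempty"` // the "run arbitrary commands" channel
}

// insecureApply models the flawed client: whatever the attacker-controllable
// response says is what the root process would execute.  It returns the
// command it would run, so the danger is visible without running anything.
func insecureApply(response []byte) (string, error) {
	var m Manifest
	if err := json.Unmarshal(response, &m); err != nil {
		return "", err
	}
	return m.Command, nil // no TLS, no signature, no version check
}

// Verifier is what a hardened device ships with: the vendor's public key
// (never the signing key) and the version it currently runs.
type Verifier struct {
	Pub            ed25519.PublicKey
	CurrentVersion int
}

// Verify rejects a manifest not signed by the vendor, a downgrade or replay,
// and a payload that does not match the hash in the signed manifest.
func (v Verifier) Verify(manifestJSON, sig, payload []byte) (*Manifest, error) {
	if !ed25519.Verify(v.Pub, manifestJSON, sig) {
		return nil, errors.New("manifest signature invalid")
	}
	var m Manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return nil, err
	}
	if m.Version <= v.CurrentVersion {
		return nil, fmt.Errorf("downgrade or replay: version %d <= %d", m.Version, v.CurrentVersion)
	}
	if sum := sha256.Sum256(payload); hex.EncodeToString(sum[:]) != m.SHA256 {
		return nil, errors.New("payload hash mismatch")
	}
	return &m, nil
}

// signManifest is the vendor side, run with the offline signing key.
func signManifest(priv ed25519.PrivateKey, m Manifest) ([]byte, []byte, error) {
	b, err := json.Marshal(m)
	if err != nil {
		return nil, nil, err
	}
	return b, ed25519.Sign(priv, b), nil
}

// demo signs a constructed update and reports whether the genuine update is
// accepted and whether a swapped payload, a tampered manifest and a replay
// of the already-installed version are each rejected.
func demo() (genuine, swapped, tampered, replay bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	payload := []byte("constructed firmware image v2")
	sum := sha256.Sum256(payload)
	mj, sig, err := signManifest(priv, Manifest{Version: 2, SHA256: hex.EncodeToString(sum[:])})
	if err != nil {
		return
	}
	v := Verifier{Pub: pub, CurrentVersion: 1}
	_, e1 := v.Verify(mj, sig, payload)
	_, e2 := v.Verify(mj, sig, []byte("constructed image swapped in by a MitM"))
	bad := append([]byte{}, mj...)
	bad[len(bad)-2] ^= 1 // flip one bit inside the signed bytes
	_, e3 := v.Verify(bad, sig, payload)
	_, e4 := Verifier{Pub: pub, CurrentVersion: 2}.Verify(mj, sig, payload)
	return e1 == nil, e2 != nil, e3 != nil, e4 != nil
}

func main() {
	fmt.Println(demo())
	cmd, _ := insecureApply([]byte(`{"version":9,"command":"rm -rf /data"}`))
	fmt.Println("flawed client would run as root:", cmd)
}
```

Transport should still be TLS with the vendor CA pinned, but the signature check is what protects the device when TLS is absent or, as in this firmware, was never deployed: a MitM can swap bytes on the wire, but cannot produce a manifest that verifies under the vendor key. The version check stops the other obvious move, replaying an old, correctly signed but vulnerable image.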
If you’re using one of the affected devices, the right solution is to implement an update with the fix – when it becomes available. But make sure to download the update only over trusted networks and/or use a VPN to encrypt and protect the traffic from tampering.
So far, only BLU has released such an update, but the fix has not yet been independently verified.
A workaround that should keep you safe until a security update is available is to use the device only on trusted networks (e.g. your home network, as opposed to open or public Wi-Fi), since the attack requires an attacker on the path between the phone and the update servers.
Michigan State University announced on Friday that a university server and a database containing information on some 400,000 faculty, staff and students were accessed by an unauthorised third party.
The database contains names, social security numbers, MSU identification numbers, and in some cases, date of birth of faculty, staff and students who were employed by MSU between 1970 and Nov. 13, 2016, and students who attended MSU between 1991 and 2016.
“MSU’s Information Technology team rapidly determined the cause and nature of the breach, and the MSU Police Department is working diligently with federal law enforcement partners to investigate the crime,” the university said.
The database in question was taken offline less than 24 hours after it was breached, but not quickly enough to prevent the attacker from accessing the records of 449 individuals.
The university has already notified affected parties, and has offered them two years of identity theft protection, fraud recovery, and credit monitoring services, for free.
They also made sure to note that the database did not contain passwords, financial, academic, contact, gift or health information.
The breach happened on November 13.
Michigan State University spokesman Jason Cody told News 10 that the hacker(s) demanded money for the stolen information, but that the university did not pay.