STE WILLIAMS

DHS Establishes Center For Defense of Critical Infrastructure

Center foundational to new government-led ‘collective defense’ strategy for sharing and responding to cyberthreats, DHS secretary says.

The US Department of Homeland Security has established a new National Risk Management Center to facilitate cross-sector information sharing and collaborative responses to cyber threats against critical infrastructure.

At a cybersecurity summit in New York City on Tuesday, DHS Secretary Kirstjen Nielsen described the center as the foundation of a new collective defense strategy led by the US government to respond more forcefully to threats against US interests in cyberspace. The center will bring together security experts from government — including those from intelligence and law enforcement agencies — and security experts from the private sector.

“We are facing an urgent, evolving crisis in cyberspace,” Nielsen said in a keynote address to cybersecurity leaders from government, the private sector, and academia at the DHS-led summit. “Our adversaries’ capabilities are outpacing our stove-piped defenses,” to the point where virtual threats now pose an even bigger threat to national security than physical threats, she said.

Nielsen, a senior Trump Administration official, used the event to warn foreign adversaries against continuing hostile activities against US interests, noting that the country is fully prepared to take a range of deterrent actions to stop them. She pointedly called out Russia’s cyberattacks on the US energy grid and its “brazen campaign” to interfere in the 2016 Presidential election as examples of hostile state-sponsored activity against the US.

“Our intelligence community had it right. It was the Russians,” Nielsen said, referring to Russia’s role in the US elections. “We know that. They know that. It was directed from the highest levels.” Such attacks will not be tolerated going forward, she said.

The goal in establishing the new risk management center is to provide a focal point for information sharing between government and private industry as well as between organizations across different industry sectors.

Operators of critical infrastructure, most of whom are in the private sector, often hold much of the threat information that must be pieced together for a more complete understanding of cyber threats. But because the data is siloed, government and the private sector have had a hard time putting cyber threats into proper context and understanding their full implications and effects, Nielsen said.

“The private sector can help us contextualize threats,” she noted. “We will look to their expertise to help us understand how the pieces work together,” in order to develop actionable responses to those threats.

Unlike previous attempts at fostering closer collaboration between government and the private sector, the new National Risk Management Center’s mission is not just about enabling better information sharing. The center will also facilitate 90-day sprints, when organizations from different critical sectors will conduct joint tabletop exercises and other threat operations to identify common vulnerabilities.

Sprints for Security

The center will assemble a national risk registry that will identify and prioritize the most critical threats across industry so they can be remediated quickly. The first of the 90-day sprints will involve organizations from the energy, financial services, and communications sectors. Representatives attending the summit from these industries expressed support for the DHS plan.

“This was an obvious thing to do for a decade but it didn’t happen,” said John Donovan, CEO of AT&T Communications. Organizations that are in a defensive posture in cyberspace cannot rely on attacks and threats playing out exactly the way they might have prepared for them, he said.

In the future, “resilience is going to be a function of our ability to understand and share experiences” across sectors, he said. Each organization in the critical infrastructure sectors holds a piece of the larger threat puzzle, and true threat mitigation can happen only through collective information-sharing.

Tom Fanning, CEO of gas and electric utility Southern Company, said that previous tabletop exercises have shown that big vulnerabilities exist at the points of intersection with other sectors. A collective approach to cybersecurity of the sort being enabled by the new risk center is vital because of the interdependencies between organizations in different sectors, he said.

“When we do our biggest tabletop exercises, one of the things we learn very quickly is that as resilient as we think we may be, we can always be better,” he said.

A collective effort is also critical because attackers often are looking for the weakest link that provides a way to the strongest, said Ajay Banga, CEO of MasterCard. When an organization gets attacked, it does not always happen because the entity belongs to a specific industry, but because of the access they might provide to other organizations that are of interest to an attacker, Banga said.

But for truly collective defense to happen, government will need to change regulations to the point where organizations feel comfortable to say something if they see something without fear of legal repercussions, he said.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/attacks-breaches/dhs-establishes-center-for-defense-of-critical-infrastructure-/d/d-id/1332442?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

HP Launches Printer Bug Bounty Program

Bugcrowd will manage new vulnerability disclosure award program for HP enterprise printers.

HP will pay up to $10,000 per vulnerability found in its enterprise printers under a new bug bounty program.

Bugcrowd is heading up HP’s new private bug bounty program, with award amounts based on the severity of the flaws. A recent report from Bugcrowd shows an increase of 21% in vulnerabilities discovered in printers.

Printers often get overlooked as potential attack vectors. But with rising threats targeting other Internet of Things (IoT) devices, and with printers being outfitted with more advanced functions, they are becoming a more attractive weak link.

“Like the PC, printers have become incredibly powerful devices, increasing in storage and processing power. However, we haven’t reached awareness to secure print devices, and all the good security practices that are employed to protect PCs and other important nodes in the network are not being deployed with consistency to printers,” says Shivaun Albright, chief technologist for printing security at HP. “HP’s goal is to continually improve and help our customers manage their devices.”  

HP previously had worked directly with researchers who discovered flaws in its printers. “We’ve always actively encouraged researchers to report vulnerabilities,” Albright says.

Its new printer bug bounty program calls for researchers to root out firmware flaws, such as cross-site request forgery (CSRF), remote code execution (RCE), and cross-site scripting (XSS). “Bugcrowd and HP have worked with one researcher to physically send [to them] an enterprise grade A3 printer to fully assess all components from the outside in,” Albright says.

The program initially is for HP LaserJet Enterprise printers and HP PageWide Enterprise printers and MFPs (A3 and A4 formats).

While IoT devices have received a lot of attention security-wise of late, printers have not. “There’s a big focus on connected devices like Web cameras or smart TVs, which are highly relatable to everyone, but not printers necessarily,” Albright says. “That said, printers may be the most common IoT device an individual uses.”  

The Mirai botnet attack in 2016 was a big wake-up call: “[It] took down the Internet in a major way. The botnet used hacked IoT devices, like webcams and DVRs, but printers were also a part of that mix,” she says.

Printers often get lost in the shuffle when it comes to enterprise security. “There is currently a gap in discussions between decision-makers and those implementing the technology,” Albright notes. “We’re also seeing mismanagement in the deployment of printers leaving critical ports and settings open. This makes it easy for attackers to remotely access the device.”

HP recommends that printer customers work closely with their channel partners to use managed print services programs, and that remote workers avoid printing via unsecure Wi-Fi networks, for example.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/vulnerabilities---threats/hp-launches-printer-bug-bounty-program/d/d-id/1332443?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Cryptojacking for beginners – what you need to know

Cryptojacking has hit the headlines in recent months. But what is it? And do you need to be worried?

Cryptojacking occurs when a computer is used to mine cryptocurrency without the permission of the user. There are two main ways that this is done: in-browser and via installed malware on the machine.

In-browser cryptominers vs installed cryptomining malware

With an in-browser approach, cybercriminals break into a web server and inject browser-based cryptomining code that mines whenever anyone visits the website. For example, researchers recently discovered that a Coinhive Monero miner had been running on an LA Times website. Any time a user visited the Homicide Report web page offered by the LA Times, the hacker was able to steal their CPU power to mine Monero, a popular digital currency.

We saw a similar example of this recently when a whole raft of government websites was infected with a cryptomining script through browsealoud DOT com – a service that converts pages on a website to speech, to help out visitors who aren’t fluent in written English or good at reading.

The bad news for consumers is that in-browser cryptojacking is platform-agnostic. That means that all of your devices – including your phone – are potential targets. We’ve seen Coinhive-based miners added to popular apps, like Netflix and Instagram, and there have even been reports recently about mobile phones being physically damaged by cryptominers.

The good news, though, is that in-browser crypto software generally isn’t doing anything malicious to your system other than causing general wear and tear. The software might make your laptop use slightly more juice, but you’d be hard-pressed to notice those fractions of a penny on your electricity bill. Because it’s all self-contained within the browser, cryptominers never get near your data; they’re just jacking up your CPU.

On the other hand, cybercriminals may take the approach of breaking into a consumer’s network and installing cryptomining software directly on their machine to steal electricity and CPU power. An installed miner is indeed a threat – beyond the side effects of wear and tear on your machine, CPU, electricity, cooling, and so on, the bigger problem is that you have now been breached. If hackers can install one thing – like a cryptominer – on your machine, there’s a high likelihood that they can deploy other kinds of attacks, like ransomware or keyloggers.

Is cryptojacking a bigger threat to a business or a consumer?

Cybercriminals are targeting everyone. You might think “it won’t happen to me” but, interestingly enough, our research shows that cybercriminals are using the same cryptojacking tactics against businesses and employees as they are against consumers at home. This tells us just how opportunistic cybercriminals really are and reminds us that security can’t stop when we leave the office. Security is a lifestyle, and it’s incredibly important to have enterprise-strength security protection at the office and at home.

How to tell if you have a cryptominer installed

If your computer is being used by cryptojackers, it is likely to get slower and the fans will go into high gear due to the increased CPU load. There’s a physical reaction to the miner being on the machine.

What to do

There isn’t one specific thing you can do to stop cryptomining attacks, but good security hygiene in general is always a good line of defense. That means:

  • Keep your software up-to-date. Patch early, patch often
  • Only download software through approved sources
  • Don’t open or click on things when you don’t know where they came from
  • Always create strong, unique passwords and don’t share them with anyone
  • Enable 2-factor authentication when it’s available
  • Back up regularly and keep a recent backup copy off-site
  • Secure your computer with advanced real-time security protection. (Sophos is currently offering Naked Security readers 40% off Sophos Home Premium until 27 August 2018.)


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/PDh6i0-cRH0/

Spectre chip weakness can be used to steal data remotely

Researchers have found a new variant of the Spectre CPU flaw that shows how attackers could steal data remotely without having to run malicious code on a local system.

Called NetSpectre by the team of Graz University engineers who discovered it, the weakness is a network-based version of the Spectre Variant 1 (bounds check bypass, CVE-2017-5753) flaw first publicised earlier this year.

That announcement also revealed Spectre Variant 2 (branch target injection, CVE-2017-5715), which like Variant 1 affected numerous microprocessors from different vendors (Intel, AMD, ARM), and Meltdown (CVE-2017-5754), which was specific to Intel.

A steady trickle of Spectre variants has been discovered since then, all exploiting weaknesses in the speculative execution design used by modern CPUs, so why might NetSpectre be any more menacing?

Mainly because, as its name indicates, this is the first version of the family that allows an attacker to exploit this weakness over a local network or even between cloud servers.

The explanation in the paper is abstruse for anyone not familiar with the detail of microprocessor design but it’s essentially the same principle exploited in Spectre Variant 1 – that the contents of protected memory can be inferred using what is called a cache timing attack (a fuller explanation can be found in our original story on Spectre).

Via the network driver layer, this means:

The attacker only sends a series of crafted requests to the victim and measures the response time to leak a secret value from the victim’s memory.

Being able to exploit Spectre without having to sneak malware onto the target system sounds worrying but there is a big caveat here – it’s achingly slow.

When the researchers tested it, they achieved a data rate of 15 bits (yes, bits) per hour over a LAN, which rose to 60 bits per hour on recent Intel microprocessors using the Advanced Vector Extensions 2 (AVX2) x86 instruction set.

Stealing useful data at that rate would take months at least, and even that assumes a fast connection with good latencies and the ability to reach the target inside a network. Attackers wouldn’t just be able to reach out across the internet and nab data without anyone knowing.

However, very small pieces of data might be vulnerable. For example:

In particular, APTs typically run for several weeks or months. Such an extended timeframe is clearly sufficient to leak sensitive data, such as encryption keys or passwords, using the NetSpectre attack in a cloud environment.

Intel, which was informed of the attack, said it wasn’t worried, pointing out that the Graz researchers’ findings can be mitigated in the same way as Spectre Variant 1.

But the real defence against NetSpectre is the same as was the case with Spectre, Meltdown and other so-called side-channel attacks based on inference – the world knows about them.

It shows how a group of diligent researchers (many at publicly-funded institutions) can for once put the defenders ahead of the attackers.

Chalk NetSpectre down as a rare weakness the world has been able to hear about before the fact rather than after it.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/vUdaklnk3wQ/

Leaky radio devices broadcast chipset data, discover researchers

Researchers at EURECOM S3 Group found that they can extract crypto keys from a set of run-of-the-mill communications chips just by listening to the noise they make.

This noise is sent out over radio signal via the transmitter on the device in question, which could be a Wi-Fi or Bluetooth device. As long as the chipset on a device shares the same physical space (the silicon die) as the device’s radio transmitter, the researchers found that the chip will leak what it’s doing to the radio transmitter – and that transmitter will both amplify and send that information over some distance.

In at least one proof-of-concept, the researchers were able to extract a full TinyAES 128 key from a 10-meter distance from a leaky Bluetooth dongle. In their tests, they also found that the maker of the chipset didn’t matter, as they were able to extract data from both a Qualcomm and a Nordic Semiconductor chip.

This is referred to as a side-channel attack, meaning the exploitable flaw lies in the infrastructure and hardware that supports the computer system, not in a bug in the system or its code. Since the data in this attack could potentially be picked up from a shout’s distance away, the researchers are calling this attack a “screaming channel” instead.

As the researchers note, this kind of issue could potentially have a huge impact as it’s not limited to one type of chip or device. Since real estate on a circuit board inside a device is at a premium, device makers have a cost-saving incentive to jam as much as they can into as small a space as possible.

In recent years, device makers have mixed digital (e.g. CPU) and analog (e.g. radio) components onto the same space, called a mixed-signal circuit. These mixed-signal circuits are the issue, the researchers say – and as long as a ‘noisy’ chip sits near a leaky radio transmitter on a device, an attacker with a relatively simple bit of kit could pick up what’s being transmitted.

Some side-channel attacks require the target machine to be already infected with malware to work – as in this example where a hacker could exfiltrate data from an infected machine just by manipulating an LED. The number of variables that have to fall into place for that attack to work certainly relegates it to the “technically cool, but extremely unlikely” category of attacks. But that doesn’t apply to all side-channel attacks – this ‘screaming channel’ flaw doesn’t require any direct intervention by an attacker.

If you are so inclined, the researchers shared their experiment’s code and setup on GitHub, so you can try to listen in on what a device’s chipset is broadcasting. The researchers will also be sharing their findings at the Black Hat conference in Las Vegas next week. In the meantime, they have called upon microelectronics manufacturers to implement better protections against this kind of attack.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/mVe6_nDwpyw/

Football team in trouble over unauthorized access to rivals’ videos

A Florida high school is in trouble after football program staff used a college’s login to look up its opponents’ practice and game videos.

According to a local paper, the Herald-Tribune, the Sarasota County School District put out a statement on Friday about an investigation into improper access to the online coaching and resource tool, Hudl.

The investigation was triggered in May when the Sarasota County School District got a tip off about “improper use” of Hudl, which provides video review and performance analysis tools for sports teams and athletes and which can be used to store practice and game video footage.

Hudl has two services: one for high schools, plus a recruiting service for college coaches. The high school service is for coaches to upload video of players. The recruiting site enables college coaches to get an account that will give them access to high schools’ game footage as the colleges mull whether or not to recruit a given player.

The investigation concluded that Braden River High School coaches used a recruiting account from one or more colleges in order to check out the game and practice video footage from a quartet of their rivals: high school teams from Venice, North Port, Sarasota and Booker. Braden River played against all four teams during last year’s season.

Venice High football coach John Peacock told the Herald-Tribune that inappropriate access to Hudl – which contains his team’s game strategy – would give a rival team a “huge advantage.”

I’ve spoken at multiple coaching clinics the past two or three years on our offense, and it’s pretty common knowledge we run our first 20 plays on Tuesday, Wednesday and Thursday. If a team had access to our Hudl account, where we made the mistake of putting our practice film under the game file, and they are able to see our practice, it would be a huge advantage.

The strategy following the investigation: Braden River will self-report the incident to the Florida High School Athletic Association (FHSAA) to see if it violated any of the association’s policies.

The illegal Hudl account has since been deleted.

Braden River High is a part of the Manatee County school district, which said in a statement that disciplinary action is being left up to Braden River High.

We don’t know how Braden River High School staff managed to access a college recruiting account. But we do know that if the inappropriate access involved, say, guessing at somebody’s password, it’s a criminal offense.

We’ve seen this before. The lack of a strong password enabled Chris Correa, former scouting director for the professional US baseball team St. Louis Cardinals, to illegally access a competing Major League Baseball team’s player-personnel database and email system.

That unauthorized access enabled Correa to get into an internal network of the Houston Astros and to steal closely guarded information about players, including internal discussions about trades, proprietary statistics and scouting reports.

In short, it was a case of corporate espionage.

Correa pleaded guilty to five counts of computer hacking in January 2016, and he was sentenced to 46 months of jail time in June 2016.

Fortunately for Braden River High’s coaching staff, it sounds like everybody just wants to move past this and get back to playing football.

Sarasota County director of athletics James Slaton told the Herald-Tribune that the Hudl account is shuttered, and that’s as far as the district wants to pursue the matter:

This is not a positive thing, but it is something we want to move past. We’re about to be in football season. We want to be able to have healthy, positive competition. The fact the account has been deleted allows us to move forward in that direction.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/p1z4o_ayozg/

NSA hasn’t closed security windows Snowden climbed through

Whether you think he’s a principled patriot or a traitor to his country, you have to give him credit for something: thanks to the former contractor for the US National Security Agency (NSA) Edward Snowden, we learned a lot about secret spying programs.

Aside from the obvious – vast data collection programs that included PRISM, Tempora, Upstream, XKeyscore and the NSA’s powerful facial recognition program – we learned something crucial about the country’s elite spy agency: it had holes in its own data security big enough to let a contractor walk through with massive troves of sensitive data.

According to an audit from the NSA Inspector General’s office, as of March 2018, some of those holes were still open.

Of course, the audit, published for public consumption, contains only declassified information, and it doesn’t give details. Be that as it may, starting on page 29, the audit enumerates significant outstanding inspection recommendations regarding the NSA’s failure to secure the internet and the enterprise, as well as to address insider threats.

In a nutshell:

  1. The NSA’s system security plans are “often inaccurate and/or incomplete.”
  2. Two-person access controls haven’t been properly implemented at data centers and equipment rooms.
  3. Removable media isn’t being properly scanned for viruses.

Snowden didn’t get his trove of documents via malware, so no. 3 – allowing things like random USB drives to be plugged into network computers – isn’t relevant in his particular case. But it’s certainly relevant to all the places that have inflicted themselves with malware by plugging in stray sticks.

Naked Security has been banging away at this nail for years. Seven years ago, Sophos bought a stash of USB keys from a lost property auction as an experiment. 66% of them contained malware, and not a single one was encrypted.

That’s so 2011, you might think. But Sophos’s very own CISO, Ross McKerchar, said removable storage as a threat vector is still as fresh as a dangerous daisy:

Removable storage is a massive concern. While it’s a less common (but still real!) malware infection vector now, the biggest risk these days is data leakage.

So the NSA isn’t scanning removable storage, eh? Perhaps it should follow IBM’s lead: in May, it banned USB drives entirely.

If the idea of banning these convenient pocket storage gizmos is too daunting, the NSA – and any organization, for that matter, be it large or small – should at least be encrypting the devices.

As far as no. 1 goes – inaccurate or incomplete security plans – we know that Snowden worked in an agency outpost in Hawaii that hadn’t been upgraded with modern security measures.

In 2014, the New York Times reported that NSA officials insisted that if Snowden had been working from NSA headquarters, in Maryland, his activity would likely have been flagged by monitors designed to detect when a huge volume of data was being accessed and downloaded.

One senior intelligence official told the Times that investigators had surmised that Snowden used cheap, widely available web crawler software designed to automatically search, index and back up a website in order to scrape data out of NSA systems while he went about his day job.

There were more details available in a damning report that came out last year: the August 2016 DOD Inspector General’s report on the National Security Agency’s (NSA) implementation of the “Secure-the-Net” initiative.

The “Secure-the-Net” (STN) initiative was launched post-Snowden and included 40 specific recommendations “focused on insider threats to NSA systems, data, and infrastructure”. Seven of those recommendations were designed to “secure network access, protect against insider threats and provide increased oversight of the personnel with privileged access”.

The seven STN initiatives were:

  • Develop and document a new system administration model.
  • Assess the number of system administrators across the enterprise.
  • Implement two-person access control over data centers and machine rooms.
  • Implement two-stage authentication control for system administration.
  • Reduce the number of persons with Privileged Access.
  • Reduce the number of authorized data transfer agents (those authorized to use removable media).
  • Oversee privileged user activities.

It’s not that the NSA didn’t attempt to implement all that, the report found: rather, it did a half-assed job at it.

For example:

[The] NSA did not effectively implement the three privileged access related STN initiatives… because it did not develop an STN strategy that detailed a structured framework and methodology to implement the initiatives and measure completeness.

With respect to two-factor authentication (2FA), the NSA implemented it for system admins, but not for those with privileged access. As we well know, Snowden bypassed the then-present privileged access controls and conned his colleagues into giving him their credentials – which he then went on to use to expand his access.

As we noted at the time of the 2016 report – which was acquired by the Times through a Freedom of Information Act (FOIA) – 2FA would have required the owner of the credentials to have been participatory in Snowden’s use of their credentials. In other words, the NSA managed to leave open the very window that Snowden climbed through to harvest the data he stole.

Furthermore, the report chastised the NSA for not having a clue about how many individuals had privileged access in 2014 or in 2016, nor could the NSA document how the purge/pruning had been carried out. That meant the inspection team couldn’t find out exactly how many people had privileged access.

Edward Snowden isn’t the only fury that’s flown through the NSA’s open windows. In November, we learned that a group calling itself the Shadow Brokers has since 2016 been dumping exploits and tools collected, hoarded and used by the NSA hacking group Tailored Access Operations (TAO). The Shadow Brokers put the TAO tools up for auction a mere week before the DOD Inspector General’s damning report.

Preventing insider threats is an ongoing problem, as demonstrated by the arrest of NSA contractor Reality Winner in 2016. Winner managed to take a highly classified document assessing and discussing the Russian military intelligence entity’s (the GRU’s) hand in meddling in the US election and used her privileged access to print it out. Then, she mailed it to a media outlet. Once the NSA saw the document, the agency quickly determined who had access and printed the document, and who’d been in contact with a media outlet.

What they couldn’t figure out: why Winner had privileged access to information about which she had no “need to know”.

There’s definitely been progress made at the NSA. But has there been enough progress to stop another Edward Snowden? The most recent audit suggests the answer is no.

By the sounds of it, the holes Snowden walked through are still big and gaping – somebody else could well walk right through them.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/P0UImwJr704/

SamSam: The (almost) $6 million ransomware

Extensive research by Sophos has uncovered a trove of new information on the notorious SamSam ransomware, revealing that it has affected far more victims than previously thought, and raised vastly more in ransom demands – almost $6 million.

Through original analysis, interviews and research, and by collaborating closely with industry partners and a specialist cryptocurrency monitoring organisation, Sophos has uncovered new details about how the secretive and sophisticated SamSam ransomware is used, who’s been targeted, how it works and how it’s evolving.

A different breed of malware

What sets SamSam apart from most other ransomware, and why detailed research about it is so important, is the way it’s used in stealthy, targeted attacks.

Most ransomware is spread in large, noisy and untargeted spam campaigns sent to thousands, or even hundreds of thousands, of people. They use simple techniques to infect victims and aim to raise money through large numbers of relatively small ransoms of perhaps a few hundred dollars each.

SamSam is very different – it’s used in targeted attacks by a skilled team or individual who breaks into a victim’s network, surveils it and then runs the malware manually. The attacks are tailored to cause maximum damage and ransom demands are measured in the tens of thousands of dollars.

Because the malware has been used so sparingly compared to other types of ransomware, details about how it works and how the attacks play out have been elusive since its first appearance in December 2015.

Although you are unlikely to be the target of a SamSam ransomware attack – attacks occur at a rate of about one per day – those who are can find the effects devastating.

New insights

The research paper reveals a host of fresh technical insights including new details about how SamSam scans victims’ networks and builds up the list of machines it’s going to encrypt.

Perhaps most eye-catching though is new information about how it spreads: Unlike WannaCry, which exploited a software vulnerability to copy itself to new machines, SamSam is actually deployed to computers on the victim’s network in the same way, and with the same tools, as legitimate software applications.

Sophos’s investigation also sheds new light on the number of attacks, how often they occur and who has been targeted.

Based on the known victims, it’s been widely speculated until now that SamSam attacks are directed specifically at the healthcare, government and education sectors. Sophos can reveal that this is not the case.

Working with cryptocurrency monitoring organisation Neutrino, Sophos followed the money and identified many ransom payments and victims that were previously unknown. Based on the much larger number of victims now known it seems that far from being unaffected, the private sector has actually borne the brunt of SamSam. Victims in that sector have simply been far more reluctant to come forward.

The money trail also revealed that SamSam has netted nearly $6 million in ransom payments – about six times more than the most recent best estimate.

SamSam ransom collection over time

From its new research, Sophos is also able to offer better protection and disaster recovery advice too. Thanks to an improved understanding of the way that SamSam targets files in the victim’s operating system, Sophos now recommends that backing up your business data is not enough. To recover swiftly from a SamSam attack, organisations need more than a plan for restoring data – they need a comprehensive plan for rebuilding machines.

How attacks unfold

The SamSam attacker gains access to victims’ networks via RDP (Remote Desktop Protocol) by using software like nlbrute to successfully guess weak passwords.

Sophos has identified that the timing of attacks changes to reflect the victim’s timezone. Whether the victim is on the west coast of the USA or in the UK, attacks happen at night time while the victims are asleep.

Unlike other well-known ransomware such as WannaCry or NotPetya, SamSam doesn’t have any worm-like or virus capabilities, so it can’t spread by itself. Instead, it relies on the human attacker to spread it – an attacker who can adapt their tactics according to the environment and defences they discover as they surveil the target.

By working in this way, the attacker can try over and over again to work around defences and gain the access they want. If the SamSam attacker is on your network they will likely stay on it until they succeed, unless they’re kicked off.

Having gained access to a network, the SamSam operator uses a variety of tools to escalate their privileges to the level of Domain Admin. Then they scan the network for valuable targets and deploy and execute the malware as any self-respecting sysadmin might, using utilities such as PsExec or PaExec.

Once it has been spread far and wide, the many copies of the ransomware are triggered centrally, starting within seconds of each other. On each infected machine, files are encrypted in a way that’s designed to cause the most damage in the shortest time.

Once the attack has been launched, the attacker waits to see if the victim makes contact via a Dark Web payment site referenced in the ransom note.

Ransom demands have increased over time to about $50,000, vastly more than the three figure sums typical of untargeted ransomware attacks.
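The entry technique described above (RDP password guessing with a tool such as nlbrute, followed by a successful logon in the middle of the victim’s night) leaves a recognisable trace in the Windows Security log. The following detection script is an added example, not code from Sophos or the research paper. It assumes Windows Security events have already been exported to a simple pipe-delimited form (timestamp, Event ID, logon type, source IP, account), that timestamps are in the victim’s local time, and it uses constructed sample lines: Event ID 4625 is a failed logon, 4624 a successful one, and logon type 10 is an RDP session.

```python
"""Detect SamSam-style RDP brute forcing from Windows Security events.

Added example, not Sophos code.  Input layout assumed for the example:
    <ISO timestamp>|<EventID>|<LogonType>|<SourceIP>|<Account>
Event 4625 = failed logon, 4624 = successful logon, logon type 10 = RDP.
Timestamps are assumed to be in the victim's local time zone.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: a burst of failures from one address at 02:03,
# then a success from the same address eight minutes later, then normal
# daytime activity from a different address (one typo, then success).
SAMPLE_LOG = """\
2018-07-24T02:03:11|4625|10|203.0.113.7|administrator
2018-07-24T02:03:12|4625|10|203.0.113.7|admin
2018-07-24T02:03:14|4625|10|203.0.113.7|backup
2018-07-24T02:03:15|4625|10|203.0.113.7|sqlservice
2018-07-24T02:03:17|4625|10|203.0.113.7|backupsvc
2018-07-24T02:03:19|4625|10|203.0.113.7|backupsvc
2018-07-24T02:11:40|4624|10|203.0.113.7|backupsvc
2018-07-24T09:15:02|4624|10|198.51.100.20|jsmith
2018-07-24T09:16:30|4625|10|198.51.100.20|jsmith
2018-07-24T09:16:45|4624|10|198.51.100.20|jsmith
"""


def parse_events(text):
    """Turn the pipe-delimited export into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, ip, account = line.split("|")
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "ip": ip,
            "account": account,
        })
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10),
                          success_grace=timedelta(hours=1)):
    """One alert per source IP with >= threshold RDP failures inside `window`.

    The alert records every account tried and, crucially, whether the same
    address then logged on successfully over RDP within `success_grace`:
    that is the "guessed a weak password" outcome to escalate on.
    """
    failures = defaultdict(list)
    successes = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] != 10:
            continue
        if ev["event_id"] == 4625:
            failures[ev["ip"]].append(ev)
        elif ev["event_id"] == 4624:
            successes[ev["ip"]].append(ev)

    alerts = []
    for ip, fails in failures.items():
        start = 0
        for end, ev in enumerate(fails):
            # slide the window so it spans at most `window` of time
            while ev["time"] - fails[start]["time"] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = ev["time"]
                followed = [s for s in successes[ip]
                            if burst_end <= s["time"] <= burst_end + success_grace]
                alerts.append({
                    "ip": ip,
                    "failures": len(fails),
                    "accounts_tried": sorted({f["account"] for f in fails}),
                    "burst_start": fails[start]["time"],
                    "success_after_burst": followed[0]["account"] if followed else None,
                })
                break
    return alerts


def off_hours_rdp_logons(events, quiet_start=0, quiet_end=6):
    """Successful RDP logons in the quiet hours (local time), when the
    article notes SamSam operators prefer to act."""
    return [ev for ev in events
            if ev["event_id"] == 4624 and ev["logon_type"] == 10
            and quiet_start <= ev["time"].hour < quiet_end]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for alert in detect_rdp_bruteforce(evs):
        print("RDP brute force from", alert["ip"], alert)
    for ev in off_hours_rdp_logons(evs):
        print("off-hours RDP logon:", ev["time"], ev["account"], "from", ev["ip"])
```

The two checks are deliberately separate: a failure burst alone is background noise on any RDP host exposed to the internet, but a burst followed by a success, or a success at 02:00 local time for an account that never logs on at night, is the point at which the attacker has a foothold and is about to start scanning for Domain Admin.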

What to do?

To avoid becoming a victim, the best defence against SamSam or any other form of malware is to adopt a layered, defence in depth approach to security.

SamSam targets appear to be chosen on the basis of their vulnerability. Earlier attacks established a foothold on victims’ networks by exploiting known software vulnerabilities. More recently the attacks have begun with the brute forcing of RDP credentials.

Staying on top of your patching and maintaining good password discipline will therefore provide a formidable barrier to SamSam attacks. That barrier can then be strengthened significantly with these simple steps:

  1. Restrict RDP access to staff connecting over a VPN.
  2. Use multi-factor authentication for VPN access and sensitive internal systems.
  3. Complete regular vulnerability scans and penetration tests.
  4. Keep backups offline and offsite.

Of course SamSam is just one of millions of cyberthreats and this detailed examination of SamSam is just part of the constant, ongoing malware research undertaken by Sophos to improve and adapt its ability to protect against all forms of malware.

You can read more about the history of SamSam, how it works and how to protect against it in Sophos’s extensive new research paper, SamSam: The (Almost) Six Million Dollar Ransomware.

The investigation is ongoing – if you have information about SamSam or you are a security vendor interested in collaborating with our investigation, please contact Sophos.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/dzpHokHkXsY/

Please forgive me, I can’t stop robbing you: SamSam ransomware earns handlers $5.9m

The enterprise-focused SamSam ransomware has earned its handlers an estimated $5.9m (£4.5m) since it first appeared in the wild in December 2015.

Security software firm Sophos worked with Neutrino to arrive at the estimate, which is based on tracking Bitcoin addresses supplied on ransom notes and sample files.

Over the last two-and-a-half years SamSam has significantly affected the operations of some large organisations, including hospitals, schools and cities.

Sophos has determined that about three in four (74 per cent) of the known victims are based in the US. Other regions known to have suffered attacks include Canada, the UK, and the Middle East.

Although the most infamous SamSam victim was the city of Atlanta in March, disruptive attacks on medical practice management software provider Allscripts as well as Hancock Health hospital in Indiana have also been recorded.

“Many victims found that they could not recover sufficiently or quickly enough to ensure business continuity on their own, and reluctantly paid the ransom,” Sophos said.

SamSam victims per industry sector [source: Sophos white paper]

The SamSam attacker has received ransoms as high as $64,000, based on analysis of payments to tracked Bitcoin wallets. The charges have increased dramatically, and the tempo of attacks shows no sign of slowing down.

Sophos has been investigating the SamSam campaign since its emergence. A study (PDF) based on this research – released on Tuesday – summarises its findings about the attacker’s tactics, techniques and procedures.

The attack method is surprisingly manual, and more cat burglar than smash-and-grab, according to Sophos. As a result, the attacker can employ countermeasures (if needed), and is adept at evading many security tools. If the process of encrypting data is interrupted, the malware comprehensively deletes all trace of itself.

Many attacks begin with a Remote Desktop compromise of a machine inside the network. The attacker is also known to deploy exploits at vulnerable machines to perform remote code execution. The attacker maintains a presence on the compromised machine while scanning the internal network.

The hacker or hackers behind the attack harness conventional open-source and commercial tools normally used for systems administration or penetration testing to steal passwords, move ransomware installers to Domain Administrator machines, and push the ransomware to connected workstations.

Unlike many ransomware attacks, SamSam infections do not originate in a conventional malicious spam or drive-by download attack. Each attack is a manual break-in of a targeted network, Sophos said.

Once the attacker has scanned the internal network and compiled a list of potential victims, they wait until the middle of the night in the victim’s time zone before executing the attack – a command to distribute the malware and begin encrypting compromised machines.

Evolutionary timeline for the SamSam ransomware [source: Sophos white paper]

SamSam is a particularly thorough encryption tool, rendering not only work data files unusable but also configuration and data files required to run applications (e.g. Microsoft Office), most of which are not routinely backed up.

As a result, recovery may require re-imaging and/or reinstalling software as well as restoring backups.

“The attacker is very good at covering their tracks and appears to be growing increasingly paranoid (or experienced) as time passes, gradually adding more security features into his tools and websites,” Sophos reported.

The researchers estimate that the attacker earned an average of just under $300,000 (£228,000) per month in 2018. Payment is in Bitcoin. Once full payment has been received, the hacker moves the cryptocurrency into a system of tumblers and mixers which attempt to launder the source of the Bitcoin through myriad micro-transactions.

SamSam ransom payments [source: Sophos white paper]

Recent ransom notes have taken an apologetic, almost contrite tone, with one file named SORRY-FOR-FILES.html and an extension of .weapologize on every encrypted file.
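The two artefacts named above, the SORRY-FOR-FILES.html note and the .weapologize extension, together with the high entropy of encrypted content, are what an incident responder hunts for across a file tree to decide whether the encryption stage actually ran (and therefore whether the rebuild-rather-than-restore plan from the Sophos advice applies). The scanner below is an added example, not Sophos or Register code. It builds a constructed directory fixture so it runs offline; the entropy threshold and the list of compressed formats skipped to limit false positives are assumptions for the example, not SamSam behaviour.

```python
"""Hunt for SamSam-style encryption artefacts on a file tree.

Added example, not from Sophos or The Register.  Indicators from the
article: files renamed with the .weapologize extension and a ransom note
named SORRY-FOR-FILES.html.  Encrypted data is close to 8 bits/byte of
Shannon entropy, plain documents far lower; compressed formats are also
high-entropy, so they are skipped (an assumption to limit false positives).
"""
import math
import os
import tempfile
from collections import Counter

RANSOM_NOTE_NAMES = {"sorry-for-files.html"}
ENCRYPTED_EXTENSIONS = {".weapologize"}
SKIP_HIGH_ENTROPY_EXT = {".zip", ".gz", ".7z", ".jpg", ".png", ".pdf", ".mp4"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 for empty or single-valued input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_tree(root, entropy_threshold=7.2, sample_bytes=65536):
    """Walk `root` and bucket files into ransom notes, renamed (encrypted)
    files and files that kept their name but look encrypted."""
    findings = {"ransom_notes": [], "renamed_files": [], "high_entropy": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            ext = os.path.splitext(lower)[1]
            if lower in RANSOM_NOTE_NAMES:
                findings["ransom_notes"].append(path)
                continue
            if ext in ENCRYPTED_EXTENSIONS:
                findings["renamed_files"].append(path)
                continue
            if ext in SKIP_HIGH_ENTROPY_EXT:
                continue
            try:
                with open(path, "rb") as fh:
                    sample = fh.read(sample_bytes)
            except OSError:
                continue  # unreadable file: not evidence either way
            # tiny files give noisy entropy, so require a minimum sample
            if len(sample) >= 256 and shannon_entropy(sample) >= entropy_threshold:
                findings["high_entropy"].append(path)
    return findings


def triage(findings):
    """Escalate when a ransom note accompanies encrypted-looking files."""
    encrypted = findings["renamed_files"] or findings["high_entropy"]
    if findings["ransom_notes"] and encrypted:
        return "ransomware-detonated"
    if encrypted:
        return "suspicious-encrypted-files"
    return "clean"


def build_sample_tree():
    """Constructed fixture: one note, two renamed files, one encrypted-looking
    file that kept its name, one ordinary text file and one archive."""
    root = tempfile.mkdtemp(prefix="samsam-demo-")
    docs = os.path.join(root, "Users", "jsmith", "Documents")
    os.makedirs(docs)
    with open(os.path.join(docs, "SORRY-FOR-FILES.html"), "w") as f:
        f.write("<html><body>ransom note placeholder</body></html>")
    for name in ("budget.xlsx.weapologize", "notes.docx.weapologize"):
        with open(os.path.join(docs, name), "wb") as f:
            f.write(os.urandom(2048))
    with open(os.path.join(docs, "report.txt"), "wb") as f:
        f.write(os.urandom(4096))          # stands in for encrypted-in-place data
    with open(os.path.join(docs, "readme.txt"), "w") as f:
        f.write("quarterly report draft, nothing unusual here\n" * 50)
    with open(os.path.join(docs, "photos.zip"), "wb") as f:
        f.write(os.urandom(4096))          # legitimately high entropy, skipped
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    result = scan_tree(root)
    print(triage(root and result))
    for bucket, paths in result.items():
        print(bucket, [os.path.relpath(p, root) for p in paths])
```

Because SamSam also encrypts application and configuration files that sit outside the usual backup scope, run the scan over program and profile directories as well as document shares; a non-empty high_entropy bucket there is the evidence that a machine needs re-imaging, not just a data restore.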

Defences against the malware include regular backups, multi-factor authentication and restricted access to port 3389 (RDP). These and other countermeasures are explained in a post on Sophos’s Naked Security blog.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/07/31/samsam_enterprise_ransomware_scam_research/

Accidental Cryptojackers: A Tale of Two Sites

Why website operators need to know with whom they are doing business and how to close the loop on third-party vulnerabilities.

In the digital world, a company’s website is a key touchpoint for its customers, but it also serves as an entry point for malicious actors. Thousands of websites operated by some of the world’s most recognized companies and government agencies have been compromised by malicious actors anxious to harvest web visitors’ CPU power for their mining operations. In many cases the root cause is a third-party code supplier with inadequate security, whose trusted connection to popular e-commerce sites gives the attacker access to thousands of their visitors.

The soaring number of cryptomining malware incidents reflects the growing interest in cryptomining itself. The most widely used tool is the Coinhive JavaScript for mining Monero digital currency, originally developed for website owners to make more money through mining. Immediately after Coinhive’s launch in late 2017, clones like Coinimp, deepMiner, Crypto-Loot, and Minr appeared in rapid succession to grab their share of a fast-growing market.

Today, cryptomining represents a new frontier for hackers to launch their attacks. One common hijacking method involves embedding cryptomining code under ad campaigns that appear on a webpage or run in a browser. Another involves the unauthorized installation of cryptomining code on a website. Regardless, whether victims browse the site or view the ad, the malicious code secretly harnesses the machine’s or device’s CPU power.

Cryptomining in Action
Recently, The Media Trust’s Digital Security Operations (DSO) team sounded the alarm when they detected a spate of incidents involving:

1. A web analytics provider that we will refer to as “Webcount”

2. A popular car research aggregator, referenced as “Carsearch”

While the team spotted a few incidents of cryptomining malware in the past, the more recent incidents are different because they involve more sophisticated campaigns that use the digital supply chain as a distribution channel to target brands trusted by consumers and businesses.

In the “Webcount” case, the DSO team identified the cryptomining code while scanning client websites for unauthorized code. Associated with a well-known file extension, the anomalous code was seen on every client website running the Webcount analytics. The same file extension coincided with previous Coinhive incidents identified and thwarted by the DSO team. The cryptojacking malware developers made no effort to obfuscate the malicious code. On the contrary, they avoided antivirus detection by using legitimate code throughout the entire file. Once the code made a call to a malicious domain never before seen in any major domain or IP verification analysis, the DSO team alerted the client and terminated the malware’s source.

Figure 1 shows how the Webcount cryptojacker works. A web user visits a restaurant website that runs the compromised Webcount analytics. Line 2 starts the homepage’s creative elements being combined to render the page. Line 38 makes the JavaScript URL call to the Webcount site, which is followed by a call to the malicious domain. Several calls are made from this domain to malicious JavaScript files that take over the user’s browser and initiate the cryptomining process. Instances involving the Webcount cryptojacker are distinguished by their higher-than-average number of domain calls. The cryptojacker runs for as long as the user is on the restaurant’s site. It is worth noting that while Webcount analytics are widely used, Webcount’s web servers have previously fallen victim to hackers. This poor track record highlights the importance of closely monitoring the activities — authorized and otherwise — of third parties used in the highly dynamic digital environment.

Figure 1: Webcount cryptojacker call chain (image source: The Media Trust)

The “Carsearch” incident involves the same Coinhive code but uses a slightly different attack method. (See Figure 2 below). When users browse through the Carsearch website, they are led to “CarloansRUs” to learn more about their financing options. As users visit the CarloansRUs pages and meet key conditions, such as location, browser, time of day, screen size, etc. (line 204), CarloansRUs serves a malicious JavaScript file. Line 205 shows repeated attempts to verify conditions. The code calls to a known malicious domain, “jqcdn.download,” which then launches an attack on the users’ browsers (line 136). Line 172 shows the point where the attack begins.

Figure 2: Carsearch/CarloansRUs cryptojacker call chain (image source: The Media Trust)

Webcount and CarloansRUs are ideal attack vectors because they give access to a large number of site visitors who will linger on the sites and give hackers enough time to mine for cryptocurrencies.

How to Avoid Cryptojacking
Websites depend on the support of third-party code providers. A typical commercial website has an average of 100 third parties supporting its various features, such as analytics, content management systems, customer recognition platforms, social widgets, and more. Third parties account for anywhere between 50% and 95% of website code execution. In effect, more than half of all code on a website lies outside a company’s direct control. To further complicate matters, the inventory of third parties can change each day.

The Webcount and CarloansRUs cases demonstrate why website operators need to know with whom they are doing business and how to close the loop on third-party vulnerabilities related to analytics, data management, customer identification, chat, image library, and widgets. Companies must create and implement an in-depth digital vendor risk management strategy to identify and decrease the potential security risk associated with third-party vendors. Today’s digital environment requires vendor management strategies that are able to adapt to the ever-changing nature of digital assets and provide compliance with a myriad of new digital privacy regulations.
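Knowing with whom you are doing business starts with an inventory of which hosts are allowed to run script on your pages, and the mechanism that turns that inventory into an enforced control is a Content-Security-Policy script-src allowlist. The audit script below is an added example, not tooling from The Media Trust or the article. It extracts every script reference from an HTML document, classifies each host as first-party, vetted vendor or unknown, flags known miner indicators (the Coinhive family named earlier in the article), and emits the CSP directive that would have blocked the unknown hosts. The page HTML, the site host www.restaurant.example, the vendor allowlist and the miner indicator strings are all constructed for the example; jqcdn.download is the domain named in the article.

```python
"""Audit a page's third-party scripts against a vendor allowlist.

Added example, not The Media Trust's tooling.  The HTML, the first-party
host, the vendor allowlist and the miner indicator list are constructed
for the example; jqcdn.download is the malicious domain named in the text.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

FIRST_PARTY_HOST = "www.restaurant.example"          # assumed site under audit
VENDOR_ALLOWLIST = {"analytics.webcount.example"}    # assumed vetted vendor inventory
MINER_INDICATORS = ("coinhive", "coinimp", "deepminer", "crypto-loot", "minr")

# Constructed page: one first-party script, one allowlisted vendor, the
# malicious CDN from the article, a miner library from an unknown host and
# an inline miner start-up snippet.
SAMPLE_HTML = """\
<html><head>
<script src="/static/menu.js"></script>
<script src="https://analytics.webcount.example/count.js"></script>
<script src="https://jqcdn.download/jquery.min.js"></script>
<script src="//cdn.adnet.example/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('SITE_KEY');
  miner.start();
</script>
</head><body>Today's menu</body></html>
"""


class ScriptCollector(HTMLParser):
    """Collect external script URLs and the bodies of inline scripts."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script = True

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            body = "".join(self._buf).strip()
            if body:
                self.inline.append(body)
            self._buf = []
            self._in_script = False


def script_host(src, page_host):
    """Host serving a script URL; relative URLs resolve to the page host."""
    if src.startswith("//"):
        return urlparse("https:" + src).hostname
    return urlparse(src).hostname or page_host


def audit_page(html, page_host=FIRST_PARTY_HOST, allowlist=VENDOR_ALLOWLIST):
    """Classify every script host and flag miner indicators in URLs and inline code."""
    collector = ScriptCollector()
    collector.feed(html)
    report = {"first_party": [], "vendor": [], "unknown": [], "miner_hits": []}
    for src in collector.external:
        host = script_host(src, page_host)
        if host == page_host:
            report["first_party"].append(host)
        elif host in allowlist:
            report["vendor"].append(host)
        else:
            report["unknown"].append(host)
        if any(ind in src.lower() for ind in MINER_INDICATORS):
            report["miner_hits"].append(src)
    for body in collector.inline:
        if any(ind in body.lower() for ind in MINER_INDICATORS):
            report["miner_hits"].append("inline: " + body.splitlines()[0].strip())
    return report


def build_csp(page_host, allowlist):
    """script-src that permits only the site itself and vetted vendors.

    No 'unsafe-inline' and no 'strict-dynamic': the browser then blocks both
    the inline miner and any chained load a compromised vendor script makes."""
    sources = ["'self'"] + sorted("https://" + h for h in allowlist)
    return "Content-Security-Policy: script-src " + " ".join(sources)


if __name__ == "__main__":
    result = audit_page(SAMPLE_HTML)
    for bucket, items in result.items():
        print(bucket, items)
    print(build_csp(FIRST_PARTY_HOST, VENDOR_ALLOWLIST))
```

A static audit of the served HTML only sees the first hop, so it would have caught the CarloansRUs-style page but not the Webcount case, where the allowlisted vendor’s own script made the call to the malicious domain. The CSP, by contrast, is enforced by the browser on every script load regardless of which script initiated it, so the chained call to the unknown host fails and, with report-uri or report-to configured, shows up as a violation report; that report stream is the runtime monitoring that closes the loop on a vendor that changes behaviour after it was vetted.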


Patrick Ciavolella is digital security operations director at The Media Trust. He has been working at the company for over 11 years, protecting clients’ digital ecosystems from the ever-evolving threat landscape. His team is at the forefront of exposing hard-to-detect …

Article source: https://www.darkreading.com/endpoint/accidental-cryptojackers-a-tale-of-two-sites/a/d-id/1332387?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple